As of late 2025, there is no finalized class action settlement for the Awakenings Counseling data breach. Instead, the incident is in the active investigation phase, with law firms including Lynch Carpenter, LLP and My Data Breach Attorney accepting inquiries from affected individuals to determine potential claims and compensation options. The breach itself is real and significant: over 17,000 individuals had their personal and health information potentially exposed when Loving and Living Center, PC (doing business as Awakenings Center), a North Carolina-based counseling services provider, experienced a data breach discovered on or about September 10, 2025.
Understanding the current status of this case matters because affected individuals often expect settlements to already exist when they search for information. In reality, most data breach cases go through a lengthy investigation period before any settlement is reached—sometimes taking years. The Awakenings Counseling breach is in this investigation phase, meaning law firms are still gathering evidence, determining the full scope of harm, and deciding whether to file formal legal action.
What Happened in the Awakenings Counseling Data Breach?
Loving and Living Center, PC (Awakenings Center) discovered a data breach on or about September 10, 2025, affecting over 17,000 individuals who had sought counseling services from the organization. The breach exposed both personally identifiable information (PII)—such as names, addresses, social security numbers, and financial details—and protected health information (PHI), which includes sensitive mental health records and treatment notes. For a counseling center patient, this means that highly confidential therapy records, diagnoses, and personal disclosures made in confidence could have been accessed by unauthorized parties.
The breach is particularly concerning because counseling records are among the most sensitive health information a person can have. Unlike a typical medical breach involving general health data, a counseling data breach can expose intimate details about a person’s mental health struggles, family conflicts, trauma history, and personal vulnerabilities. This is why HIPAA violations involving behavioral health organizations often result in significant penalties and settlements—the harm extends beyond financial identity theft to emotional and psychological harm.

What Types of Data Were Compromised?
The Awakenings breach exposed both personally identifiable information and protected health information, creating what’s known as a dual-risk breach. On the PII side, affected individuals face potential identity theft and fraud if their social security numbers, financial account information, or addresses were accessed. On the PHI side, they face the risk of having sensitive mental health information sold, used for discrimination, or publicly exposed—a concern that extends far beyond typical data breach risks.
A key limitation in most data breach cases is that organizations often cannot definitively confirm what was actually accessed or exfiltrated. In the Awakenings case, like most investigations, the breach notification and investigation statements likely indicate that information “may have been” accessed, rather than confirming with certainty that it was taken. This uncertainty creates challenges for affected individuals seeking compensation—attorneys must prove that real harm occurred or is likely to occur, not just that information was exposed. Additionally, if an individual’s data was on the affected system but they didn’t actually seek counseling there (for example, if they were just on a mailing list), their claim and potential compensation may be different from that of actual patients.
Who Is Investigating the Awakenings Counseling Breach?
Lynch Carpenter, LLP publicly announced in December 2025 that they are investigating claims against Awakenings Center related to the data breach. The firm is accepting inquiries from individuals who believe they were affected, a standard first step in data breach litigation. My Data Breach Attorney is also investigating the case, giving affected individuals multiple law firms to contact. This is typical for high-profile breaches—multiple firms may investigate the same incident independently.
The investigation phase is critical but often invisible to affected individuals. During this period, law firms are gathering public information about the breach, reviewing notification documents, examining the organization’s security practices, and calculating potential damages. They’re also determining whether the breach resulted from negligence, inadequate security measures, or compliance violations. For the Awakenings case, investigators will likely examine whether the center maintained appropriate safeguards for health information, whether they had a security incident response plan, and whether they notified affected individuals in a timely manner. These findings will ultimately determine whether there’s a strong case for settlement negotiations.

What Can Affected Individuals Do Right Now?
If you received a breach notification from Awakenings Counseling or believe you were a patient there when the breach occurred, you can reach out to Lynch Carpenter, LLP or My Data Breach Attorney to discuss your situation. These firms are accepting inquiries free of charge at this stage—they work on contingency, meaning they don’t charge affected individuals upfront. Your role is to provide information about your relationship with Awakenings Center, confirm the personal data you had on file, and describe any resulting harm you’ve experienced (such as identity theft, credit monitoring costs, or emotional distress). Beyond contacting a law firm, you should take immediate protective steps.
Place a fraud alert with the three major credit bureaus (Equifax, Experian, and TransUnion) to warn lenders about potential identity theft. Consider freezing your credit with all three bureaus, which prevents new accounts from being opened in your name without your explicit permission. For mental health data specifically, be aware that if your therapy records were compromised, they could potentially be used for discrimination in employment or insurance contexts. Some affected individuals also place specific alerts with their healthcare providers noting the breach. The tradeoff is that while credit freezes are highly protective, they can inconvenience you when you actually want to apply for credit; however, for a breach of this severity, most security experts consider the protection of a freeze to outweigh the inconvenience.
Why Is There No Settlement Yet?
Data breach settlements take time because the legal process requires multiple steps before a settlement is possible. First, law firms must investigate to determine whether they have a case. Second, they may need to file formal litigation against the organization. Third, they must negotiate with the defendant’s insurance company and legal team to reach terms. Fourth, any settlement must be approved by a judge and affected individuals who participate.
The entire process from breach discovery to settlement approval can take 12 to 36 months or longer, depending on the complexity and the defendant’s willingness to settle. In the Awakenings case, the breach was only discovered in September 2025, meaning investigations only began in late 2025. On that timeline, a settlement agreement may still be months or even years away. A limitation to understand is that not all data breaches result in settlements: some cases are dismissed, some defendants fight litigation aggressively, and some settle for smaller amounts than affected individuals hope for. Additionally, the size of any settlement depends partly on how much proof there is of actual harm. If most of the 17,000 affected individuals don’t suffer identity theft or other concrete damages, the settlement value per person will be lower than if widespread fraud occurred.

HIPAA Violations and Regulatory Penalties
Beyond potential civil settlements, organizations like Awakenings Center face HIPAA penalties from the federal government when health information is breached due to inadequate security. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) investigates HIPAA breaches and can impose significant fines on covered entities.
These penalties don’t directly compensate affected individuals, but they incentivize organizations to settle private lawsuits to minimize their total financial exposure. For the Awakenings breach, an OCR investigation is likely underway or will be initiated. If the investigation concludes that the breach resulted from a violation of the HIPAA Security Rule—for example, the organization failed to implement required safeguards like encryption or access controls—the OCR could fine Awakenings Center tens of thousands to millions of dollars depending on the violation’s severity. This regulatory pressure often pushes organizations toward settlement negotiations with law firms, as paying a lawsuit settlement may be preferable to fighting both private litigation and federal penalties simultaneously.
What Comes Next for the Awakenings Case?
Over the coming months, look for updates from Lynch Carpenter, LLP or My Data Breach Attorney regarding whether formal litigation has been filed against Awakenings Center. If a lawsuit is filed, court documents will become public, and the legal arguments on both sides will clarify the case’s strength. Settlement negotiations often happen outside of court and move faster once formal litigation begins, as both sides face the costs and uncertainties of trial.
The timeline for this case will also depend on Awakenings Center’s response. Some organizations settle breaches quickly to minimize damage to their reputation, while others contest liability. Given that Awakenings is a counseling center—not a major corporation with deep pockets—settlement may arrive faster than in cases involving large companies. However, the organization’s insurance company will ultimately drive settlement decisions, and insurers often drag out negotiations to minimize payout amounts.
Conclusion
The Awakenings Counseling data breach is a serious incident affecting over 17,000 individuals, but it is currently in the investigation phase rather than a finalized settlement phase. If you were affected, your immediate steps should be contacting Lynch Carpenter, LLP or My Data Breach Attorney, placing fraud alerts on your credit, and monitoring your accounts for suspicious activity. There is no guarantee of settlement or a specific compensation amount at this stage, as that will depend on the strength of the legal case, the extent of proven harm, and the defendant’s insurance coverage.
Staying informed about developments in this case is important, as settlements often move quickly once formal litigation is filed and negotiations begin. Periodically check with the law firms investigating the case for updates, and consider checking HIPAA Journal and other data breach tracking sources for news on both the regulatory investigation and any settlement announcements. If you have more detailed questions about your specific situation or potential compensation, reaching out directly to one of the investigating law firms will give you the clearest picture of your options.
Frequently Asked Questions
Is there a settlement deadline I need to meet?
As of late 2025, there is no finalized settlement, so there is no deadline. However, once a settlement is reached, there will typically be a claim filing deadline (usually 6 to 12 months after settlement approval). If you believe you were affected, register with one of the investigating law firms now so you’re included if and when a settlement occurs.
How much money will affected individuals receive?
This is unknown because no settlement has been reached. Settlement amounts vary widely depending on the case strength, proven damages, the organization’s insurance limits, and the number of valid claims. They can range from $50 to $500+ per person, but this is highly unpredictable at the investigation stage.
Should I be worried about my therapy records being used against me?
It’s reasonable to be concerned, but the risk depends on how the breached data is used. If records end up on the public internet or are sold to third parties, discrimination in employment or insurance is a real concern. You can alert your employer’s HR department and insurance providers about the breach preemptively. Some states also have additional privacy protections for mental health information beyond HIPAA.
Do I have to pay a lawyer if I participate in the settlement?
No. These cases work on a contingency fee basis, meaning the law firm only gets paid if there is a settlement or judgment in your favor. Their fee comes from the settlement itself, not from you. However, you may need to submit documentation (like proof that you were a patient at Awakenings) to claim your portion.
What should I do if I haven’t received a breach notification from Awakenings?
If you believe you were a patient at Awakenings Center in September 2025 or earlier, and you haven’t received notification, contact the center directly or reach out to Lynch Carpenter, LLP. It’s possible notifications are still being sent, or that contact information on file is outdated.
How long will it take to get a settlement?
Based on typical data breach cases, 6 to 24 months from now is a reasonable estimate, though it could be longer. This depends on how quickly the investigation concludes, whether formal litigation is filed, and how willing the defendant is to negotiate.
