Capital Health has agreed to pay $4.5 million to resolve a class action lawsuit stemming from a significant data breach that occurred in November 2023. The settlement resolves claims from over 500,000 affected patients whose sensitive personal and medical information was compromised during a cyberattack by the LockBit ransomware group. This settlement represents one of the larger healthcare breach settlements in recent years, reflecting the severity of the incident and its impact on patients at Capital Health facilities across New Jersey. The breach itself unfolded over November 11-26, 2023, when attackers gained unauthorized access to Capital Health’s systems.
LockBit publicly announced the breach on January 7, 2024, claiming to have stolen more than 10 million files from the hospital network. According to the HHS Office for Civil Rights, 503,071 individuals were affected by the unauthorized access to their personal and medical records. This settlement provides multiple compensation options for affected patients: direct cash reimbursement for documented losses up to $5,000, alternative cash payments of approximately $100 per person, and three years of complimentary credit monitoring services. For patients who experienced additional losses, such as costs related to identity theft monitoring, credit reporting issues, or other direct damages, the settlement’s higher reimbursement tier offers meaningful financial recovery.
What Data Did Hackers Steal in the Capital Health Cyberattack?
The LockBit ransomware group accessed a comprehensive range of personal and sensitive health information during their breach of Capital Health’s systems. The compromised data included names, home addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and detailed medical information pertaining to patient care. This collection of data types represents exactly the kind of information that identity thieves and fraudsters prize most, since it enables multiple forms of financial crime and identity theft.
The scale of the breach made it particularly damaging. With 10 million files stolen and over 500,000 individuals affected, the attackers obtained a vast repository of exploitable information. For comparison, many notable healthcare breaches expose data on far smaller populations—a 100,000-person breach is considered significant in the healthcare industry. Capital Health’s breach was five times larger, meaning the risk of widespread fraud and misuse extends across a much larger victim population for a longer period of time.

Service Disruptions During the Hospital Cyberattack
Beyond the data theft itself, the Capital Health cyberattack forced the hospital to shut down critical patient services while staff worked to contain the breach and restore systems. Outpatient radiology services were disrupted, forcing patients to reschedule imaging appointments at other facilities or wait for Capital Health’s systems to be restored. Multiple elective surgeries were cancelled, affecting surgical schedules and forcing patients to postpone necessary procedures. The disruption extended to specialized medical services as well.
Neurophysiology testing was postponed, affecting patients whose diagnostic needs depended on these specialized evaluations. These operational disruptions added another layer of harm beyond the data compromise—patients experienced treatment delays, inconvenience, and anxiety about their care continuity. Unlike some data breaches where the victim may never discover they’re affected, the service disruptions during the Capital Health attack were immediately visible and disruptive to patient care. The hospital eventually restored most services, but the operational recovery took weeks in some departments.
Who Is Eligible for Compensation Under the Settlement?
Any individual whose information was exposed in the Capital Health data breach can claim compensation, provided they fall within the affected population identified by Capital Health and the HHS Office for Civil Rights. The settlement covers patients from Capital Health facilities who were impacted, with the class including all 503,071 individuals the breach touched. Claimants don’t need to prove they suffered identity theft or fraud to receive payment—the settlement recognizes that exposure to this data creates inherent risk and harm to all affected individuals.
The settlement provides flexible compensation options to accommodate different circumstances. If you have documented, unreimbursed losses directly tied to the breach—such as out-of-pocket expenses for credit monitoring services you purchased yourself, costs associated with credit freezes, or verified fraud losses that weren’t covered by insurance—you can claim up to $5,000 in direct reimbursement. This approach acknowledges that some victims faced immediate tangible costs in response to the breach, while others may not have incurred specific expenses.

How Do You File a Claim for This Settlement?
Capital Health settlement claim administrators established a process for patients to file claims and receive compensation, either through direct reimbursement or the alternative cash payment option. Claimants must submit documentation supporting any claimed losses—receipts for credit monitoring services, billing statements showing fraud charges, or other evidence of direct costs. The $5,000 individual maximum ensures that claims are evaluated fairly across the victim population while acknowledging that not all victims suffered identical losses. For those who didn’t incur documented out-of-pocket expenses, the settlement offers an approximately $100 alternative cash payment per class member.
This default payment requires minimal documentation and provides baseline compensation to acknowledge the inherent harm of having sensitive data compromised. The three-year credit monitoring service, valued at $90 per year, is available to all class members at no cost. One important limitation to understand: alternative cash payments and direct reimbursement are mutually exclusive. You choose one compensation path based on your circumstances, rather than stacking multiple benefits. The settlement administrators will provide detailed instructions on claim submission timelines and documentation requirements.
Credit Monitoring and Identity Theft Prevention Following the Breach
The settlement includes three years of complimentary credit monitoring services for all affected individuals, which represents a significant benefit given that credit monitoring typically costs $90 to $150 annually from commercial providers. This monitoring service will alert you to suspicious activity on your credit reports, new credit accounts opened in your name, or other signs of potential identity theft. For a breach involving Social Security numbers and dates of birth—the core data needed for opening fraudulent accounts—credit monitoring provides an important early warning system. However, credit monitoring has meaningful limitations that claimants should understand.
Monitoring services can only track activity that appears in credit bureau files; they cannot prevent fraud, only detect it after it occurs. If a fraudster uses your stolen information to open accounts with companies that don’t report to major credit bureaus, that fraud may not appear on your credit report for months or even years. Additionally, credit monitoring doesn’t cover non-credit fraud, such as fraudulent tax returns filed using your stolen Social Security number or healthcare fraud using your medical information. The three-year monitoring window is also finite; after the complimentary period expires, you’ll need to decide whether to pay for continued monitoring or rely on manual credit report reviews.

The LockBit Ransomware Group and Hospital Targeting
The Capital Health breach was conducted by LockBit, a notorious ransomware gang that has targeted healthcare organizations repeatedly over the past several years. LockBit operates what’s known as a “ransomware-as-a-service” model, where the group develops and sells encryption malware to other cybercriminals, then shares a percentage of ransom payments collected. Hospitals are particularly attractive targets for ransomware operators because they face extraordinary pressure to restore services quickly—a system outage in a hospital directly impacts patient care and creates life-or-death urgency that encourages organizations to pay ransoms faster.
The public announcement of the Capital Health breach by LockBit (rather than Capital Health itself) illustrates another troubling reality of modern healthcare breaches. Ransomware groups often exfiltrate data before encrypting systems, then threaten to sell or publish the stolen information if the victim refuses to pay. By publicly announcing the breach and claiming to have 10 million files, LockBit was essentially publicizing Capital Health’s breach to maximize pressure on the organization and warn other institutions that their data could be sold to criminals or published online.
The Broader Context of Healthcare Data Breaches and Settlement Trends
Healthcare remains the industry most frequently targeted by ransomware and data breach attacks, with hospitals and health systems facing both external criminal attacks and internal security failures. The Capital Health settlement, while significant at $4.5 million, reflects a broader trend of healthcare organizations settling breach litigation. Larger breaches—particularly those affecting hundreds of thousands of patients—now regularly result in multi-million-dollar settlements, medical record monitoring programs, and organizational security improvements.
The settlement also underscores a growing expectation among patients and regulators that healthcare organizations will notify victims quickly and provide meaningful remediation. The combination of cash compensation, credit monitoring, and acknowledgment of the breach reflects lessons learned from previous healthcare breach settlements. As healthcare cybersecurity threats continue to evolve and attacks grow more sophisticated, settlements like Capital Health’s may become increasingly common, particularly for breaches involving established, well-resourced hospital systems where victims can more easily pursue litigation.
Conclusion
The Capital Health data breach settlement resolves a significant incident affecting over half a million patients whose sensitive personal and medical information was compromised by the LockBit ransomware group. The $4.5 million settlement provides affected patients with meaningful compensation options, including up to $5,000 in direct reimbursement for documented losses, alternative cash payments of approximately $100, and three years of credit monitoring services. Patients who experienced service disruptions—cancelled surgeries, postponed imaging, and delays in specialized testing—can now pursue financial recovery for those impacts.
If you received notification that your information was compromised in the Capital Health breach, review the settlement claim instructions carefully to determine which compensation option best suits your situation. For those who incurred specific out-of-pocket costs related to the breach, gather your documentation to support a direct reimbursement claim. For others, the alternative cash payment and credit monitoring services provide baseline protection. The settlement’s claim deadline will be strictly enforced, so act promptly to file your claim and protect your eligibility for compensation.
