Des Moines Orthopaedic Surgeons has reached a settlement in a data breach class action lawsuit affecting over 300,000 current and former patients whose sensitive personal and medical information was exposed in February 2023. Under the settlement, eligible class members can receive compensation for out-of-pocket expenses related to the breach, including identity monitoring costs, document replacement fees, and time spent addressing the incident. For example, a patient who spent $250 on credit monitoring services and 8 hours filing fraud reports can claim up to $400 in ordinary expenses, with an option to pursue up to $5,000 in extraordinary damages if they can document significant financial or medical harm. The settlement also provides three years of complimentary credit monitoring and identity theft protection services to all affected individuals, regardless of whether they file a claim.
The company, however, has not admitted fault, stating in the settlement agreement that it denies any wrongdoing or violations of HIPAA regulations. This is a common pattern in data breach settlements where organizations settle to avoid prolonged litigation while maintaining their legal position. The deadline to submit a claim is March 23, 2026, making this an urgent matter for anyone who received notification of their inclusion in the class and wishes to pursue compensation. Those who choose not to participate must request exclusion from the class by February 23, 2026, or they will be bound by the settlement terms.
What Data Was Compromised in the Des Moines Orthopaedic Surgeons Breach?
The February 2023 breach exposed a comprehensive collection of personal identifiers and health information for patients who had received treatment at Des Moines Orthopaedic Surgeons. The compromised data included names, Social Security numbers, dates of birth, driver’s license numbers, state identification numbers, passport numbers, bank account information, direct deposit details, patient health records, and medical insurance information. This combination of data types makes the breach particularly concerning, as cybercriminals can use Social Security numbers and financial information for identity theft, while health records can be sold on dark web marketplaces or used for targeted insurance fraud. To understand the severity, consider that a patient’s Social Security number combined with their birth date and health conditions creates a nearly complete profile for medical identity theft.
A fraudster could potentially open medical accounts in a victim’s name, receive expensive treatments, and leave the bill for the patient to discover months later. This is different from financial identity theft and can be much harder to resolve, as it requires contacting healthcare providers individually and potentially obtaining affidavits from medical facilities stating the services were fraudulent. The settlement recognizes this tiered risk by offering higher compensation ($100 per person) to those whose Social Security numbers were specifically exposed, compared to $25 for general class members. This distinction reflects the legal system’s understanding that SSN exposure carries elevated risk of identity theft compared to other personal information alone.

Understanding the Settlement Payment Structure and Limitations
The settlement establishes a payment hierarchy with three main compensation pathways, each with specific caps and documentation requirements. Class members can claim documented out-of-pocket expenses (ordinary expenses up to $400, extraordinary up to $5,000), or they can accept an alternative flat cash payment ($25 or $100 depending on SSN exposure) without submitting receipts or documentation. However, the entire settlement fund is capped at $1,000,000 across all eligible claimants, which means that if many people file claims for high amounts, individual payouts may be reduced proportionally. The out-of-pocket expense category includes reasonable costs directly caused by the breach, such as credit monitoring services, identity theft protection subscriptions, copies of credit reports, document replacement fees, notarization costs, and travel to file police reports.
Time loss compensation is valued at approximately $25 per hour for up to 4 hours of documented time spent addressing the breach. This $100 maximum for time loss is substantially lower than what many people actually invest in resolving identity theft issues; a patient who spends 12 hours contacting banks, credit agencies, and healthcare providers would only recover $100 even though they invested significantly more time. One critical limitation is that the settlement does not compensate for actual identity theft that occurs after the breach—it covers only preventive measures and the time spent responding to the breach itself. If you discover that fraudulent accounts were opened in your name two years after the breach, you may have limited recourse through this settlement and would need to pursue separate legal action against those responsible for the actual theft.
Credit Monitoring and Identity Theft Protection Coverage
Every member of the settlement class receives three years of complimentary credit monitoring and identity theft protection services, making this arguably the most valuable aspect of the settlement for many patients. These services typically include continuous monitoring of credit reports from all three major bureaus (Equifax, Experian, TransUnion), alerts when someone attempts to open new accounts in your name, SSN monitoring for misuse on the dark web, and coverage for some costs associated with identity theft recovery. The three-year duration aligns with federal recommendations that suggest most fraudulent activity arising from a breach surfaces within the first two to three years. However, healthcare data breaches present unique long-term risks; medical identity theft can emerge years later when someone uses your information to obtain prescription medications or schedule procedures.
Once the three-year monitoring period expires, patients would need to pay for their own monitoring services if they want continued protection, creating a potential gap in coverage. Some class members may discover they already had credit monitoring through their employer, credit card company, or other subscription service. In these cases, the settlement’s monitoring represents redundant coverage, though having multiple monitoring services can be beneficial since different providers use different alert algorithms and may catch fraud at different times. The settlement documentation should specify which provider will deliver the credit monitoring services and how to activate your coverage.

How to File a Claim and Meet the March 23, 2026 Deadline
Eligible class members who wish to pursue compensation beyond the automatic credit monitoring must submit a claim form by March 23, 2026. As is typical, the settlement administrator has established a claims website (in this case, desmoinesorthodataincident.com) where you can download the claim form, register your information, and submit your request online or by mail. For those choosing the alternative flat payment ($25 or $100), the claims process is simplified—you need only provide your name, contact information, and confirmation that you were a patient of Des Moines Orthopaedic Surgeons during the relevant period. If you’re pursuing out-of-pocket expense reimbursement, you’ll need to gather documentation for all claimed costs: receipts for credit monitoring services, copies of credit reports you purchased, invoices for document replacement services, and records of time spent addressing the breach.
The settlement typically requests that you provide reasonable documentation without requiring notarization or official certification for most expenses. Keep in mind that some types of expenses may be disputed; for example, a general personal finance book on identity protection probably wouldn’t qualify, but a targeted credit monitoring service subscription would. The claim process is straightforward to navigate compared to some other settlements, but the hard deadline is unforgiving. Unlike class actions where late claims might be considered in certain circumstances, missing the March 23, 2026 deadline likely means forfeiting your right to compensation entirely. If you received a class notice but cannot locate your claim forms, you can contact the settlement administrator directly through the official settlement website or check your email for notifications—these notices are required to provide multiple submission methods for accessibility.
Important Warnings About Scams and Fraudulent Claims
Data breach settlements frequently attract scam artists who target class members with phishing emails, fake settlement websites, and fraudulent claim services. These scams typically direct people to enter their personal information into cloned websites or offer to file claims for a percentage fee ($50 to $200), claiming they can maximize your payout. The official settlement website is desmoinesorthodataincident.com, and legitimate claims can be filed directly through this site at no cost. Another common trap is believing that you must respond to every communication claiming to be from the settlement administrator. Be skeptical of unsolicited phone calls that ask you to “verify your information” or pressure you to claim immediately.
Legitimate settlement administrators send materials by mail to your address of record and allow you to initiate contact through their official website. If you’re uncertain whether a communication is genuine, independently verify the sender by visiting the official settlement website directly rather than clicking links provided in emails. Class members should also be aware that receiving the settlement credit monitoring services doesn’t prevent them from filing a claim for out-of-pocket expenses, and vice versa. Some fraudulent services claim you must choose between these options or that you can only claim one type of compensation. In reality, you can accept the automatic credit monitoring and simultaneously file a claim for documented expenses—these are separate benefits designed to work together.

HIPAA and Healthcare Data Breach Law Context
This settlement occurred in the healthcare industry, where data breaches are subject to regulations under the Health Insurance Portability and Accountability Act (HIPAA) and state-specific medical privacy laws. HIPAA requires covered entities like Des Moines Orthopaedic Surgeons to maintain reasonable security safeguards and notify affected individuals within 60 days of discovering a breach affecting more than 500 people. The organization must also notify the Department of Health and Human Services and, in this case, given the size of the breach, media outlets were notified as well.
The fact that Des Moines Orthopaedic Surgeons denied HIPAA violations in the settlement agreement is significant but not unusual. HIPAA violations are notoriously difficult to prove in litigation, as they require demonstrating negligence or willful disregard for security requirements. The settlement allows the company to avoid the expense and risk of litigation while providing compensation to affected patients, without the burden of proving a HIPAA violation in court.
Future Protections and Long-Term Considerations
The Des Moines Orthopaedic Surgeons settlement is one of many healthcare data breaches in recent years, reflecting broader challenges in healthcare cybersecurity. Patients should recognize that no settlement can fully prevent future breaches; instead, the focus should be on personal protective measures. This includes regularly checking your credit reports (free annually from annualcreditreport.com), considering a credit freeze if you’re not actively seeking new credit, and being cautious about unsolicited communications requesting personal health information.
Looking forward, increased regulatory scrutiny and patient awareness of data breach risks are pushing healthcare organizations to invest more substantially in security infrastructure. However, breaches will continue to occur as long as healthcare providers store sensitive data and face determined cybercriminals. The settlement model—providing credit monitoring, compensation for documented harm, and alternative payments—represents the current legal framework for managing these incidents.
