Essen Medical Associates Data Breach Settlement Claims Patient Information Was Exposed

On March 14, 2023, Essen Medical Associates, a New York-based healthcare provider, suffered a nine-day data breach that exposed sensitive personal information belonging to 904,672 current and former patients. The breach remained undetected until March 22, 2023, during which time cybercriminals gained access to names, Social Security numbers, dates of birth, driver’s license numbers, passport information, and detailed medical and insurance records. In response to this massive exposure, Essen Medical Associates agreed to a $4 million settlement to compensate affected patients and address the failure to protect their most sensitive information.

This settlement provides meaningful compensation for individuals whose data was compromised, including cash payments of up to $100 per class member and documented loss reimbursement up to $5,000 for those who can demonstrate actual harm from the breach. The settlement also holds the healthcare provider accountable for negligence in protecting patient privacy and establishes a framework for how healthcare organizations must handle patient data security going forward. However, patients who were affected need to understand an important deadline issue: the claims filing deadline was June 1, 2026, which has now passed. If you did not submit a claim by that date, you may have lost your opportunity to receive compensation unless you can establish that extraordinary circumstances prevented you from filing on time.

What Patient Information Was Exposed in the Essen Medical Data Breach?

The 2023 Essen Medical Associates breach represents one of the most comprehensive data exposures in recent healthcare history, affecting nearly one million patients’ records. The exposed data included highly sensitive personal identifiers that cybercriminals can use for identity theft, fraud, and other harmful purposes. Names, Social Security numbers, and dates of birth—the core components needed for identity theft—were all compromised in the nine-day window when the breach went undetected. Beyond basic identifying information, the breach also exposed government-issued identification numbers including driver’s license numbers, state identification numbers, alien registration numbers, passport numbers, and non-U.S. identification documents.

This type of information is particularly valuable to criminals because it provides the foundation for creating fraudulent accounts, obtaining credit in victims’ names, or engaging in other forms of identity fraud that can take months or years to resolve. The breach also exposed financial account information and detailed medical and health insurance records. Combining medical information with financial data creates an especially dangerous situation—criminals can use medical information to create fake insurance claims, file fraudulent medical procedures under victims’ names, or engage in medical identity theft that directly interferes with future healthcare treatment.

Settlement Details and Compensation Available

The Essen Medical Associates settlement established a $4 million fund to compensate affected patients, with the compensation structured in multiple ways to account for different levels of harm. Every class member is eligible for a cash payment of up to $100 simply for being part of the affected group, recognizing that all patients incurred some level of risk and potential inconvenience from the data exposure. For patients who can document actual losses related to the breach, the settlement provides additional compensation up to $5,000 per person.

Documented losses might include credit monitoring services purchased after learning of the breach, time spent dealing with identity theft recovery, fraudulent charges on accounts, costs associated with correcting credit reports, or other measurable harm directly caused by the data exposure. This approach ensures that patients who experienced actual financial consequences from the breach receive meaningful compensation proportional to their losses. The settlement also addresses attorney compensation and administrative costs, with attorneys’ fees capped at 33.33 percent of the total settlement fund and service awards for class representatives capped at $3,000 each. This structure ensures that the majority of settlement funds go directly to affected patients rather than being consumed by legal fees, while still fairly compensating the attorneys and representatives who brought the case forward.

Figure: Exposed Patient Data Categories. Medical Records 84%, Social Security 91%, Insurance Info 73%, Payment Data 67%, Address 55%. Source: Settlement Filing Data.

Understanding the Breach Timeline and Scope

The nine-day exposure window from March 14 to March 22, 2023, represents a critical vulnerability period during which criminals had undetected access to the patient database. Unlike some breaches where exposure occurs over extended periods that allow for gradual discovery, this breach was concentrated in a nine-day window, all of which elapsed before detection. The fact that the breach went undetected for all nine days suggests significant gaps in Essen Medical Associates’ security monitoring and incident response procedures. The scale of the breach—affecting 904,672 patients—demonstrates that the exposed database included virtually all of Essen Medical Associates’ patient population, both current patients and those treated years earlier.

The comprehensive nature of the breach means that individuals who had received treatment from the practice years or even decades earlier could still be affected, even if they no longer actively use the medical provider’s services. One critical limitation of the settlement from patients’ perspective is that by the time the settlement was reached, the data had already been exposed for an extended period. Data breaches in healthcare frequently result in ongoing risk long after the breach is contained, as criminals may use stolen information months or years after the initial exposure. Patients affected by this breach may face ongoing identity theft risks that extend well beyond the settlement period.

The settlement encompassed multiple legal theories of liability against Essen Medical Associates, each addressing different aspects of how the company failed to protect patient information. The negligence claim focused on Essen Medical Associates’ failure to implement adequate security measures to protect patient data, establishing that a healthcare provider has a legal duty to safeguard sensitive health information from unauthorized access. Beyond negligence, the settlement also addressed breach of implied contract, recognizing that when patients entrust their medical information to a healthcare provider, an implicit agreement exists that the provider will protect that information.

Breach of fiduciary duty claims recognized that healthcare providers occupy a position of trust with their patients and owe a duty to act in patients’ best interests, which includes protecting the confidentiality and security of their medical records. The settlement further included claims for unjust enrichment, arguing that Essen Medical Associates benefited from patient relationships while failing to properly invest in the security infrastructure necessary to protect patient data. The violation of New York’s Deceptive Trade Practices Act claim alleged that the company failed to disclose its inadequate security practices to patients and thereby engaged in deceptive conduct. Together, these legal theories created a comprehensive accountability framework that extended beyond simply negligent security practices to encompass broader failures in how the company treated its fiduciary obligations to patients.

The Data Security Failures That Led to the Breach

The Essen Medical Associates breach represents a failure at multiple levels of data security best practices that most healthcare organizations are expected to maintain. Effective data security requires layered protections including encryption of sensitive data both in transit and at rest, proper access controls limiting which employees can access patient information, network segmentation separating sensitive systems from less critical infrastructure, and continuous monitoring systems that detect unusual access patterns quickly. The nine-day delay in detecting the breach suggests that Essen Medical Associates lacked adequate monitoring capabilities to quickly identify unauthorized access. Healthcare organizations handling patient data are expected to implement systems that can detect suspicious activities within hours or at most days, not weeks.

The failure to detect the breach for nine days indicates that monitoring systems either were not in place or were not functioning properly, or that staff were not trained to recognize breach indicators. A critical warning for patients dealing with breaches is that while the settlement provides some compensation, it cannot fully address all risks created by a large-scale healthcare data breach. Even with monitoring and credit freeze services that settlements often fund, patients may experience identity theft issues years after the breach that are difficult to connect to the breach and to claim as settlement-related. The long-term nature of identity theft risk means that affected patients should remain vigilant about their credit reports, financial accounts, and medical records indefinitely.

Deadline Status and Filing Requirements

The claims filing deadline for the Essen Medical Associates settlement was June 1, 2026. As of today’s date, June 6, 2026, this deadline has passed. If you are an affected patient and did not submit a claim by June 1, 2026, you have missed the primary filing deadline and may not be eligible to receive compensation from the settlement fund.

The only potential avenue remaining for missed deadlines would be to contact the settlement administrator to determine if late filing is possible under exceptional circumstances. Some settlements allow for late claims if you can demonstrate that you had extraordinary reasons preventing timely filing, such as being out of the country, experiencing a severe illness, or other documented circumstances beyond your control. However, such late filings are considered exceptional cases and are not guaranteed to be accepted. If you missed the deadline, you should contact the settlement administrator at ehcsettlement.com immediately to inquire about your specific situation and whether any late filing options exist.

The Final Fairness Hearing and What Comes Next

The Essen Medical Associates settlement will proceed to a final fairness hearing on July 7, 2026, where a court will determine whether the settlement terms are fair, reasonable, and adequate for the class members it affects. This hearing represents the final opportunity for class members to formally object to the settlement terms, though objections must have been filed by the appropriate deadline if you had concerns about the settlement’s adequacy.

After the final fairness hearing, assuming the court approves the settlement, the settlement administrator will process valid claims and distribute payments to eligible class members. The timing of actual compensation payments typically occurs several weeks after court approval as the administrator processes the claims, verifies eligibility, and arranges payment distribution. Class members who filed valid claims by the deadline should receive their compensation during this distribution period.

Conclusion

The Essen Medical Associates data breach settlement addresses one of the largest patient data exposures in recent healthcare history, affecting over 900,000 individuals and exposing comprehensive personal information including Social Security numbers, identification documents, financial account information, and detailed medical records. The $4 million settlement provides compensation of up to $100 per class member, with additional payments up to $5,000 for those who can document actual losses from the breach.

However, the June 1, 2026 claims filing deadline has now passed, and patients who did not file claims by that date have likely forfeited their right to compensation. If you are an affected patient and missed the deadline, contact the settlement administrator immediately at ehcsettlement.com to determine if any late filing options exist under exceptional circumstances. The final fairness hearing on July 7, 2026 will complete the legal process, allowing the settlement administrator to begin processing approved claims and distributing compensation to eligible claimants.

