The Capital Health data breach settlement will pay out $4.5 million to roughly 503,071 people whose personal and medical information was compromised during a November 2023 ransomware attack. If you received a notice, you can file a claim for up to $5,000 in documented losses or take an estimated $100 flat payment with no paperwork required — and either way, you can also get three years of free credit monitoring. The deadline to file is April 6, 2026, and you can submit your claim online at CapitalHealthDataBreachSettlement.com. This settlement resolves the consolidated lawsuit *Bruce Graycar, et al. v.
Capital Health Systems, Inc.*, filed in the U.S. District Court for the District of New Jersey. Capital Health, a New Jersey-based healthcare system, was hit by the LockBit ransomware group, which claimed to have stolen 7 terabytes of data — more than 10 million files — including Social Security numbers, dates of birth, clinical records, and contact information. For someone whose Social Security number was in that haul, the stakes are not theoretical. This article walks through exactly what happened, who qualifies, how to choose between compensation options, and what deadlines you cannot afford to miss.
Table of Contents
- What Happened in the Capital Health Data Breach and Why Did It Lead to a $4.5 Million Settlement?
- Who Is Eligible for the Capital Health Settlement and Who Might Not Qualify?
- How Much Money Can You Actually Get From This Settlement?
- How to File Your Claim Before the April 6, 2026 Deadline
- Key Deadlines and What Happens If You Miss Them
- Why the LockBit Connection Makes This Breach Especially Serious
- What to Do After You File Your Claim
- Frequently Asked Questions
What Happened in the Capital Health Data Breach and Why Did It Lead to a $4.5 Million Settlement?
Between November 11 and November 26, 2023, capital Health Systems suffered a full IT systems outage caused by a ransomware attack from LockBit, one of the most prolific cybercrime operations in the world. The attack did not just lock Capital Health out of its own systems — LockBit claimed to have exfiltrated 7 terabytes of sensitive data, encompassing over 10 million files. On January 7, 2024, the group added Capital Health to its public leak site and threatened to release the stolen records unless a ransom was paid. The compromised data included names, addresses, Social Security numbers, dates of birth, email addresses, telephone numbers, and clinical information.
Capital Health reported to the HHS Office for Civil Rights that 503,071 individuals were affected, a group that includes current patients, former patients, guarantors (people financially responsible for a patient’s bills), and employees. The first lawsuit was filed on December 19, 2023, barely a month after the attack began. Multiple lawsuits followed and were consolidated in May 2025. The $4.5 million settlement received preliminary court approval on November 10, 2025. To put the dollar figure in context, if every class member took only the flat cash payment, the fund would need roughly $50 million — so the actual per-person payout depends heavily on how many people file claims.
Who Is Eligible for the Capital Health Settlement and Who Might Not Qualify?
Eligibility covers all individuals whose private information was stored on Capital Health’s IT systems during the breach window of November 11 through November 26, 2023, and was potentially compromised. That is a broad net. You do not need to prove that your data was actually misused — only that it was exposed. If you were a patient, former patient, guarantor, or employee of Capital Health during that period, you likely qualify. Most eligible individuals should have received a mailed notice from the settlement administrator.
However, if you had a relationship with Capital Health but your data was stored on systems unaffected by the breach, you may not be included in the class. Similarly, if you only interacted with Capital Health after November 26, 2023, this settlement does not cover you. One common point of confusion: guarantors. If you co-signed financial responsibility for someone else’s medical care at a Capital Health facility, your personal information may have been in their systems even if you were never a patient yourself. If you are unsure whether you are a class member, check the official settlement website or call the settlement administrator listed on your notice. Do not assume you are excluded just because you do not remember giving Capital Health your Social Security number — healthcare systems routinely collect that information during intake and billing.
How Much Money Can You Actually Get From This Settlement?
There are two cash compensation paths, and you must understand the tradeoff before choosing. Option 1 lets you claim up to $5,000 for documented, unreimbursed losses tied to the breach. That includes out-of-pocket costs from identity theft or fraud, money spent on credit monitoring services you purchased yourself, fees for credit freezes and unfreezes, mileage, postage, and related expenses. The catch is documentation — you need receipts, bank or credit card statements, or third-party records to back up every dollar you claim. Self-prepared documents alone, like a handwritten log of your time, will not cut it. Option 2 is the alternative cash payment: an estimated $100 flat payment per class member with no documentation required. you check a box, submit the form, and wait.
The word “estimated” matters here. That $100 figure is not guaranteed. If an unexpectedly large number of people file claims, the per-person amount could shrink through pro rata reduction. For someone who spent $30 on a credit freeze and has no other provable losses, the $100 flat payment is almost certainly the better deal. For someone who dealt with actual identity theft — paid for credit monitoring, spent hours on the phone with banks, mailed dispute letters — documenting those losses and going for the higher cap could be worth the effort. Regardless of which cash option you pick, you can also claim three years of free credit monitoring, which the settlement values at $90 per year. That is not an either-or choice; it stacks on top of your cash claim.
How to File Your Claim Before the April 6, 2026 Deadline
Filing online is the fastest route. Go to CapitalHealthDataBreachSettlement.com, locate the claim form, and fill it out with your personal information and your chosen compensation option. If you are claiming documented losses under Option 1, you will need to upload supporting records — scans of receipts, bank statements showing fraudulent charges, or records from credit monitoring services. Make sure the documents clearly tie the expense to the breach or to identity protection measures you took after receiving notice. If you prefer paper, you can download and print the PDF claim form from the same website, then mail it to: Capital Health Data Breach Litigation Settlement Administrator, PO Box 4008, Portland, OR 97208-4008.
Mailed claims should be postmarked on or before April 6, 2026. If you are mailing documentation, make copies of everything before sending. Settlement administrators process thousands of envelopes, and lost mail does happen. Whether you file online or by mail, save your confirmation number or mailing receipt. You will have no easy way to verify your claim status without it.
Key Deadlines and What Happens If You Miss Them
Three dates matter. The exclusion and objection deadline is March 9, 2026. If you want to opt out of the settlement — preserving your right to sue Capital Health independently — you must do so by that date. If you want to formally object to the settlement terms while remaining a class member, that deadline also applies. The claim filing deadline is April 6, 2026. Miss it and you get nothing, regardless of how much your data was compromised.
The final fairness hearing is scheduled for July 14, 2026, when the court will decide whether to grant final approval. A warning about opting out: unless you have substantial individual damages and a lawyer willing to take your case, opting out is rarely the better move. Individual data breach lawsuits are expensive, slow, and difficult to win. The settlement exists precisely because pursuing these claims one by one is impractical for most people. On the other hand, if you suffered significant financial harm — tens of thousands of dollars in identity theft losses, for example — the $5,000 cap in this settlement might feel inadequate, and an individual claim could theoretically recover more. That is a conversation to have with an attorney, not a decision to make on a hunch.
Why the LockBit Connection Makes This Breach Especially Serious
LockBit is not a lone hacker in a basement. It was, at the time of this attack, one of the most active ransomware-as-a-service operations globally, responsible for hundreds of attacks on hospitals, schools, and government agencies. When LockBit publicly listed Capital Health on its leak site on January 7, 2024, and threatened to publish the stolen data, that was not an empty bluff — the group has followed through on similar threats against other organizations.
The fact that 7 terabytes of data were exfiltrated, not just encrypted, means copies of those files existed outside Capital Health’s control. Even if Capital Health hardened its systems after the attack, the stolen data may still be circulating in criminal marketplaces. That is why the three years of credit monitoring included in this settlement is worth claiming even if you opt for the flat cash payment.
What to Do After You File Your Claim
Filing the claim form is step one, not the finish line. If you have not already frozen your credit with all three bureaus — Equifax, Experian, and TransUnion — do it now. A credit freeze is free, takes minutes, and prevents anyone from opening new accounts in your name. The credit monitoring included in this settlement will alert you to suspicious activity, but it only watches.
A freeze actually blocks unauthorized access. Given that the stolen data included Social Security numbers and clinical information, the risk of both financial identity theft and medical identity theft is real. Watch your explanation-of-benefits statements from your health insurer for services you did not receive. If someone uses your stolen medical information to obtain care, it can corrupt your medical records in ways that are difficult to unravel and potentially dangerous.
Frequently Asked Questions
Do I need to prove my data was actually stolen or misused to file a claim?
No. You only need to be a class member — someone whose information was stored on Capital Health’s systems during the November 11–26, 2023 breach period. You do not need evidence that your specific data was accessed or misused.
Can I claim both the cash payment and the free credit monitoring?
Yes. The three years of credit monitoring is available to all class members regardless of whether you choose the documented losses option (up to $5,000) or the alternative flat cash payment (estimated $100). They are not mutually exclusive.
What counts as acceptable documentation for the $5,000 claim option?
Receipts, bank or credit card statements, invoices from credit monitoring services, and other third-party records showing expenses related to the breach. Self-prepared documents alone — like a personal spreadsheet of time spent — are not sufficient.
What if I already have credit monitoring through another breach settlement?
You can still claim the credit monitoring offered here, though running multiple monitoring services simultaneously provides limited additional benefit. You may prefer to start this coverage after your current monitoring expires. Either way, you should still file for the cash payment portion.
Will I definitely receive $100 if I choose the flat payment option?
The $100 figure is an estimate, not a guarantee. If more people than expected file claims, the amount could be reduced on a pro rata basis. It could also be higher if fewer people file.
What happens if I do nothing and do not file a claim?
You receive no payment, no credit monitoring, and you give up your right to sue Capital Health individually over this breach. The settlement releases Capital Health from future claims by class members regardless of whether those members filed a claim.