If you were a patient at Granite Wellness Centers and received a breach notification letter in early 2021, you may be entitled to a cash payment of roughly $750 — or up to $5,000 if you suffered documented losses — from a newly opened class action settlement. The settlement resolves the lawsuit *Bente, et al. v. Granite Wellness Centers*, filed after a January 2021 ransomware attack exposed the sensitive personal and medical data of up to 15,600 patients at the Northern California addiction treatment network.
Claims are now being accepted through the official settlement website at www.GraniteWellnessDataSettlement.com, with a filing deadline of April 26–27, 2026. The $725,000 settlement fund offers two payment tracks: a straightforward pro-rata cash payment requiring no proof of harm, and a documented loss reimbursement option for those who can show out-of-pocket expenses tied to the breach. California residents get an additional $100 statutory payment on top of either option. For someone who spent hours freezing credit reports, paid for identity monitoring out of pocket, or dealt with fraudulent charges after the breach, that $5,000 cap on documented losses is worth paying attention to.
Table of Contents
- What Is the Granite Wellness Centers Data Breach Settlement and Who Qualifies?
- How Much Money Can You Actually Get from This Settlement?
- What Data Was Exposed and Why This Breach Is More Serious Than Most
- How to File Your Claim Before the April 2026 Deadline
- Key Deadlines and What Happens If You Miss Them
- How the $725,000 Settlement Fund Gets Divided
- Broader Implications for Healthcare Data Breach Accountability
What Is the Granite Wellness Centers Data Breach Settlement and Who Qualifies?
The settlement stems from a ransomware attack detected on January 5, 2021, targeting Granite Wellness Centers, which operates drug addiction treatment facilities in Northern California. The attackers gained access to systems containing deeply sensitive information — not just names and addresses, but treatment data, medical histories, health insurance details, Social Security numbers, driver’s license numbers, and bank account numbers. The combination of substance abuse treatment records with financial identifiers makes this breach particularly damaging, since victims face both identity theft risk and potential stigma from exposed health information. Granite Wellness says it detected the attack while it was still underway, pulled systems offline to prevent data exfiltration, and did not pay any ransom. The organization notified affected individuals on or around March 5, 2021, in compliance with the HIPAA Breach Notification Rule.
The lawsuit that followed — filed in the Superior Court of California, County of Placer — alleged negligence, negligence per se, breach of implied contract, unjust enrichment, and sought declaratory judgment. If you received that March 2021 notification letter, you are almost certainly a class member. If you are unsure whether you were affected, you can contact the settlement administratorsettlement administrator[contact via the official settlement website]. Compared to other healthcare data breach settlements of similar size, the per-claimant payout here is relatively strong. Many settlements covering tens of thousands of victims offer $50 to $150 per person. The estimated $750 pro-rata payment reflects the smaller class size of 15,600 individuals against a $725,000 fund — though that number will shift depending on how many people actually file claims and how much is deducted for attorney fees and expenses.
How Much Money Can You Actually Get from This Settlement?
There are two payment options, and the right choice depends on whether you have documentation of actual losses. Option 1 is a pro-rata cash payment, currently estimated at around $750 per class member. You do not need to prove any specific harm — just that you were part of the affected group. This amount is not guaranteed at $750; it is subject to proration, meaning if more people file claims than expected, the per-person amount drops. If fewer people file, it could go up. Option 2 allows reimbursement of up to $5,000 for documented out-of-pocket losses that are traceable to the data breach.
This could include costs like credit monitoring services you purchased yourself, fees for credit freezes or unfreezes, bank charges related to fraudulent transactions, time spent dealing with identity theft at a reasonable hourly rate, or even losses from actual fraud committed using your stolen information. However, the key word is “traceable” — you will need to connect the expense to the breach, not just show that something bad happened with your identity at some point after January 2021. If you subscribed to an identity protection service in February 2021 specifically because of the Granite Wellness notification, that is straightforward. If you had a fraudulent charge appear on a credit card in 2023 and cannot tie it to this specific breach, that claim is weaker. California residents receive an additional $100 statutory cash payment on top of whichever option they choose, though this amount is also subject to proration. This bonus reflects California’s stronger consumer privacy statutes, which provide for statutory damages in data breach cases even without proof of specific harm.
What Data Was Exposed and Why This Breach Is More Serious Than Most
Not all data breaches carry the same weight. A breach that exposes email addresses and usernames is an inconvenience. A breach that exposes Social Security numbers, bank account numbers, and detailed medical histories related to substance abuse treatment is a different category of harm entirely. The Granite Wellness breach falls squarely in that second category. The exposed data included names, birth dates, home addresses, dates of care, treatment data, care provider names, health information, medical insurance details, medical histories, Social Security numbers, driver’s license numbers, and bank account numbers.
For patients of an addiction treatment center, the medical information carries a particular sting — substance abuse treatment records are among the most sensitive categories of health data under both HIPAA and 42 CFR Part 2, the federal regulation that provides extra privacy protections for addiction treatment information. A person whose treatment history becomes public could face discrimination in employment, housing, child custody disputes, or personal relationships. This is a meaningful consideration when deciding whether to accept the settlement or opt out and pursue individual litigation. The settlement offers potential compensation without the burden of proving individual damages in court. But if you experienced concrete, provable harm — say, someone used your stolen information to open accounts in your name, and you can document thousands of dollars in losses and hundreds of hours of remediation — the $5,000 cap on documented losses under this settlement may feel insufficient for your situation.
How to File Your Claim Before the April 2026 Deadline
Filing a claim requires visiting www.GraniteWellnessDataSettlement.com, the official settlement website administered by Angeion Group. You will need the unique ID from your notice letter to submit a claim. If you have lost your notice or never received one but believe you were affected, call the settlement administratorsettlement administrator[contact via the official settlement website] to verify your eligibility and obtain your claim information. If you are choosing Option 1 — the pro-rata cash payment — the process is relatively simple. You confirm your identity and class membership, and that is essentially it. If you are choosing Option 2 — documented loss reimbursement up to $5,000 — you will need to gather and submit supporting documentation.
This means receipts for credit monitoring services, bank statements showing fraudulent charges, records of time spent on identity theft remediation, and any correspondence with creditors or law enforcement related to misuse of your information. The stronger your paper trail, the better your chances of receiving the full amount you claim. The tradeoff between the two options is straightforward: Option 1 is compensation with no documentation burden, but it caps out around $750 or less. Option 2 has a much higher ceiling of $5,000, but you are doing real work to assemble proof, and there is no guarantee the settlement administrator will approve the full amount you request. For most class members who did not suffer specific documented losses, Option 1 is the practical choice. For those who did incur real costs, Option 2 is worth the extra effort.
Key Deadlines and What Happens If You Miss Them
The most critical date is the claims submission deadline of April 26–27, 2026. Miss this date and you receive nothing from the settlement, period. There is no grace period, and settlement administrators are strict about cutoffs. Put it on your calendar now if you intend to file. Before that, the opt-out and objection deadline falls on March 27–28, 2026. If you want to exclude yourself from the settlement — preserving your right to file an individual lawsuit against Granite Wellness — you must submit your opt-out request by this date.
Similarly, if you want to remain in the class but object to the settlement terms (for example, if you believe the attorney fees are too high or the payment amounts are too low), your objection must be filed by the same deadline. The final fairness hearing, where the court will decide whether to approve the settlement, is scheduled for April 28, 2026. A word of caution: opting out is a serious decision. You retain the right to sue individually, but you also give up potential compensation from this settlement. Individual data breach lawsuits are expensive, time-consuming, and uncertain. Unless you have substantial documented losses well above the $5,000 cap and a strong attorney willing to take your case, staying in the class and filing a claim is almost always the better move for the average affected individual.
How the $725,000 Settlement Fund Gets Divided
Before any money reaches class members, the fund takes several deductions. Attorney fees can consume up to 33.33% of the $725,000 — roughly $241,600. Litigation expenses are capped at $20,000. And class representatives who brought the lawsuit can receive service awards of up to $2,000 each. After these deductions, the remaining amount gets distributed among all valid claimants.
This is standard for class action settlements, but it is worth understanding because it directly affects your payout. If attorney fees hit the maximum, litigation expenses reach the cap, and service awards are paid, the pool available for class members could be closer to $460,000. Divide that among 15,600 potential claimants and you get under $30 per person — but in practice, far fewer than all eligible class members file claims. Typical claim rates in data breach settlements range from 5% to 15%, which is why the estimated pro-rata payment of around $750 is plausible. The fewer people who file, the larger each individual payment becomes.
Broader Implications for Healthcare Data Breach Accountability
The Granite Wellness settlement is part of a broader pattern of healthcare organizations facing legal consequences for inadequate data security. Ransomware attacks on healthcare providers have surged in recent years, and courts are increasingly willing to certify class actions and approve meaningful settlements when organizations fail to protect patient data — especially when that data includes the kind of deeply sensitive information involved here.
For patients of any healthcare provider, this case is a reminder to pay close attention to breach notification letters rather than dismissing them as junk mail. That letter is not just a legal formality — it may be your ticket to real compensation. And for healthcare organizations still dragging their feet on cybersecurity investments, the accumulating cost of settlements, legal fees, and reputational damage should make the business case clear.