Harvard Pilgrim Health Care and its parent company Point32Health have agreed to pay $16 million to settle a data breach lawsuit affecting approximately 3 million patients. The settlement compensates individuals whose sensitive health and personal information was exposed in a ransomware attack that occurred between March 28 and April 17, 2023. This is one of the larger healthcare data breach settlements in recent years, reflecting the significant impact of the breach on affected individuals’ privacy and the company’s liability for failing to adequately protect patient records.
The settlement offers multiple compensation options for affected class members, including cash payments for documented expenses related to the breach, credit monitoring services, and a default payment of $150 for those who don’t submit detailed claims. Unlike many data breach cases where injured parties receive minimal compensation, this settlement provides substantial recovery opportunities, though the amount you receive will depend on the type and extent of harm you can document. Harvard Pilgrim, a health insurance provider serving customers across New England, failed to prevent unauthorized access to systems containing detailed patient information including names, Social Security numbers, health diagnoses, and medical treatment records. The company’s inadequate cybersecurity measures allowed attackers to maintain access for three weeks before the breach was discovered.
Table of Contents
- What Triggered the Harvard Pilgrim Data Breach and Settlement?
- What Personal Information Was Stolen in the Breach?
- How Much Compensation Will You Receive from This Settlement?
- How Do You File a Claim and What Evidence Do You Need?
- What Are the Critical Deadlines and Legal Milestones?
- What Legal Claims Did This Settlement Resolve?
- What Should Affected Individuals Do Now to Protect Themselves?
What Triggered the Harvard Pilgrim Data Breach and Settlement?
On April 17, 2023, Harvard Pilgrim discovered that its computer systems had been compromised by a ransomware attack that lasted nearly three weeks. The attackers gained unauthorized access on March 28 and maintained that access through April 17, giving them ample time to locate and potentially exfiltrate sensitive patient information. Ransomware attacks like this one typically involve criminals encrypting a company’s files and demanding payment in exchange for a decryption key, but the real damage often comes from the data theft that occurs before encryption.
The breach exposed information on approximately 3 million patients—a staggering number that included everyone enrolled in Harvard Pilgrim’s health insurance plans. Once the company discovered the intrusion, it notified affected individuals and regulatory authorities, triggering the legal process that resulted in this $16 million settlement. This case illustrates a critical vulnerability in healthcare: even large, established insurers with significant resources can fall victim to sophisticated cyber attacks if their security practices lag behind current threats. The fact that the breach went undetected for three weeks suggests the company lacked adequate monitoring to identify unauthorized access quickly.

What Personal Information Was Stolen in the Breach?
The breach exposed a comprehensive collection of sensitive personal and health information that criminals and malicious actors could use for identity theft, medical fraud, or targeted phishing attacks. Exposed data included names, physical addresses, phone numbers, dates of birth, Social Security numbers, taxpayer identification numbers, and complete health insurance account information. Additionally, patients’ medical histories, diagnoses, treatment information, dates of service, and provider names were all compromised. This type of information is particularly valuable to criminals because it enables multiple forms of fraud. Someone with your name, Social Security number, date of birth, and health insurance account details could potentially file fraudulent claims with other insurers, open credit accounts in your name, or conduct sophisticated targeted phishing attacks using knowledge of your medical conditions.
The scope of the data breach—combining financial information, health data, and personal identifiers—creates a much higher risk than a breach involving only one category of data. An important limitation of this settlement is that it cannot undo the exposure or guarantee that your information won’t be misused in the future. Even with two years of complimentary credit monitoring, affected individuals remain at elevated risk for identity theft and medical fraud indefinitely. The settlement amount, while substantial, may not fully compensate someone whose identity is stolen or whose medical records are used fraudulently months or years after the breach. This reality underscores why taking proactive steps to monitor your own accounts is critical.
How Much Compensation Will You Receive from This Settlement?
The $16 million settlement fund is divided among approximately 2.97 million class members, which means individual payments depend on how you file your claim and what documentation you can provide. If you submit no claim at all, you’ll automatically receive $150—a default payment. However, this amount is likely far below what you’re entitled to if you’ve experienced documented harm from the breach. The settlement offers four compensation categories. First, you can claim up to $2,500 for documented, unreimbursed out-of-pocket expenses directly caused by the breach—things like credit monitoring fees you paid out of pocket, identity theft repair costs, or fees related to replacing compromised documents. Second, you can claim up to 7 hours of lost time at $30 per hour (totaling $210 maximum) for time spent dealing with the breach fallout.
Third, you can claim up to $35,000 for “fairly traceable extraordinary losses,” which would apply if the breach directly resulted in significant financial harm such as fraudulent charges or identity theft losses you weren’t able to recover. Additionally, all class members receive 2 years of credit monitoring services at no cost. One important limitation is that the burden of proof lies with you. You’ll need to submit documentation showing you actually incurred the expenses or suffered the losses you’re claiming. Submitting vague claims without supporting evidence is likely to result in reduced payments. Similarly, the “fairly traceable extraordinary losses” category requires you to demonstrate a clear causal link between the breach and your specific losses, which can be challenging. The default $150 payment, while guaranteed, is significantly lower than what most affected individuals could potentially receive with proper documentation.

How Do You File a Claim and What Evidence Do You Need?
To access compensation beyond the $150 default payment, you must submit a claim by August 25, 2025. The claim deadline is firm—submissions can be made online through the official settlement website or postmarked by mail on or before that date. Filing is straightforward in terms of process, but the real challenge is gathering the documentation needed to support your claim. For out-of-pocket expense claims, you’ll need to provide receipts, invoices, or bank statements showing that you actually paid money related to the breach. If you paid $500 for credit monitoring services or $200 to place fraud alerts with credit bureaus, those receipts become critical evidence.
For lost time claims, you should document the hours spent dealing with breach-related issues (contacting the company, monitoring accounts, filing disputes). For extraordinary losses, you’ll need to provide evidence connecting specific fraudulent activity or financial harm directly to the breach—bank statements showing unauthorized charges, identity theft reports, or documentation of funds you had to recover. The tradeoff with claiming higher amounts is that it requires more effort to gather documentation. A class member seeking $150 simply does nothing, while someone seeking $1,000 in out-of-pocket expenses and $210 in lost time must compile receipts, statements, and detailed explanations. However, the potential additional recovery often justifies this effort. If you’ve genuinely spent $1,500 dealing with the breach over the past year, that documentation could result in a $2,500 payment rather than $150.
What Are the Critical Deadlines and Legal Milestones?
Three key dates control your ability to participate in this settlement: the opt-out deadline of June 27, 2025, the claim submission deadline of August 25, 2025, and the final approval hearing scheduled for July 28, 2025. Understanding these deadlines is essential because missing them could result in losing your right to compensation entirely. If you choose to opt out by June 27, 2025, you can pursue your own separate lawsuit against Harvard Pilgrim instead of accepting settlement payments. This option typically makes sense only if you believe you’ve suffered damages far exceeding what the settlement would provide and you’re willing to fund your own litigation. Most class members should not opt out, as the costs and uncertainties of individual litigation far outweigh the settlement benefits. After June 27, you’re bound by the settlement and must file your claim by August 25, 2025, to receive any compensation.
The final approval hearing on July 28, 2025, is when the court will formally approve the settlement if the judge determines it’s fair and reasonable to the class. A critical warning: the August 25, 2025, claim deadline is absolute. Claims postmarked after that date will be rejected, and you’ll be limited to the $150 default payment. Start gathering your documentation now. Don’t wait until August to hunt for receipts from expenses you incurred a year ago. If you’ve had any identity theft or fraudulent charges since the breach, file a police report or obtain documentation from your bank immediately, as you’ll need this evidence to prove extraordinary losses.

What Legal Claims Did This Settlement Resolve?
The settlement resolves claims of breach of implied contract, breach of fiduciary duty, unjust enrichment, and negligence. These legal theories reflect different angles of attack on Harvard Pilgrim’s conduct. The breach of implied contract claim argues that by collecting sensitive information from patients, Harvard Pilgrim implicitly promised to protect that data with reasonable security measures and breached that promise.
Breach of fiduciary duty contends that as a health insurance provider, Harvard Pilgrim owed a fiduciary duty to its members to safeguard their information and failed to do so. The unjust enrichment claim suggests that Harvard Pilgrim benefited from collecting detailed patient information without compensating those patients for the risk that information would be exposed. The negligence claim simply states that Harvard Pilgrim failed to exercise reasonable care in securing its systems against a foreseeable threat (ransomware attacks are well-documented in healthcare). Together, these theories created multiple pathways to hold the company accountable for allowing the breach to occur and persist for three weeks undetected.
What Should Affected Individuals Do Now to Protect Themselves?
Even though the settlement provides compensation and credit monitoring, you shouldn’t rely solely on these protections. Begin monitoring your credit report immediately by accessing your free annual credit reports at annualcreditreport.com. Check for unfamiliar accounts, inquiries, or charges. Place a fraud alert with the major credit bureaus (Equifax, Experian, and TransUnion) to make it harder for someone using your stolen information to open new accounts in your name.
If you discover fraudulent activity, file a report with the Federal Trade Commission at identitytheft.gov, which creates an official record you may need for the settlement claim process. The credit monitoring services provided through the settlement will help flag new fraudulent accounts, but they won’t prevent fraud from occurring. Start the claim filing process now by gathering documentation of any expenses you’ve incurred related to the breach. Document any time you’ve spent dealing with breach-related matters, and keep receipts for any out-of-pocket costs. This documentation will be invaluable when you submit your claim before the August 25, 2025, deadline.