Northeast Rehabilitation $1.5 Million Data Breach Class Action Settlement

Northeast Rehabilitation Hospital Network has agreed to pay $1.5 million to settle a class action lawsuit over a May 2024 data breach that exposed the personal information of 148,515 patients. The breach, attributed to the cyber threat group Hunters International, compromised sensitive data including medical records, Social Security numbers, and financial information belonging to individuals who received care at Northeast Rehabilitation facilities. For example, a patient admitted for post-surgical recovery in March 2024 would have had their complete medical history, including diagnoses, medications, and insurance details, available to the attackers for months before the breach was publicly disclosed.

Under the settlement in the case Minicucci, et al. v. Northeast Rehabilitation Hospital Network (Case No. 218-2025-CV-00897), filed in the Superior Court of Rockingham County, New Hampshire, affected individuals can receive compensation without needing to prove specific damages. Class members are entitled to at least $75 per person with no documentation required, or up to $5,000 each for those who can provide evidence of documented losses such as credit monitoring costs, identity theft expenses, or time spent addressing fraud. The settlement was reached after approximately 18 months of litigation, reflecting both parties’ desire to resolve the matter and provide swift compensation to affected patients. The hospital network has also committed to investing a minimum of $500,000 in computer system upgrades and enhanced security protocols to prevent similar breaches in the future. The February 17, 2026 claim filing deadline is critical—individuals who do not submit claims by this date will lose their right to compensation.

What Data Was Compromised in the Northeast Rehabilitation Hospital Network Breach?

The May 22, 2024 breach exposed comprehensive patient information that hackers could use for multiple forms of fraud and identity theft. Medical records, Social Security numbers, and financial information were all stolen, giving criminals access to detailed health histories, precise personal identifiers, and banking or insurance details. This combination of data is particularly valuable to criminals because medical identity theft often goes undetected longer than financial identity theft—a patient might not realize someone has opened a medical line of credit or submitted false insurance claims in their name until bills start arriving. The scale of the breach—affecting 148,515 individuals—means that personal information entered a criminal database accessible to anyone within the Hunters International group and potentially sold on dark web markets. Even after Northeast Rehabilitation discovered the breach, the stolen data remained in circulation.

Patients affected by this breach face different risks than those in a financial institution breach. A stolen Social Security number combined with medical history information can be used to apply for costly surgical procedures or long-term care insurance in someone’s name, which takes significantly longer to detect than fraudulent credit card charges. One key distinction in healthcare data breaches is HIPAA’s legal framework, which applies to covered entities like Northeast Rehabilitation. The hospital network’s obligations under HIPAA breach notification rules required them to notify affected individuals without unreasonable delay. The settlement amount reflects both compensatory damages and the legal costs of addressing the breach, though some patients argue that $75 to $5,000 per person undercompensates for the lifelong risk of medical identity theft.

Settlement Compensation Breakdown and Claim Filing Requirements

The $1.5 million settlement is divided into specific allocations: $500,000 goes directly into the claims fund for individual compensation, $500,000 covers attorneys’ fees and litigation costs, and the remaining funds address administrative expenses and claims processing. The compensation structure includes two pathways—those who simply want to claim the base amount can receive $75 without submitting any documentation, while those who experienced specific financial losses can apply for up to $5,000 by providing evidence of their damages. This no-documentation-required option is unusual and reflects a recognition that many patients will suffer consequences from the breach that don’t fit neatly into traditional “documented loss” categories. A patient who spends 20 hours monitoring credit reports and setting up fraud alerts won’t easily calculate that loss in dollars, yet those hours represent real harm. The tradeoff is that the base $75 payment is intentionally modest—the settlement values simplicity and speed over precision.

Those pursuing the higher compensation route must submit claims with supporting documentation, such as receipts for credit monitoring services, bills for fraudulent charges they had to dispute, or invoices for credit repair services. A critical limitation is the February 17, 2026 deadline—roughly one year from the date of this settlement. Any affected individual who does not file a claim by this date forfeits their right to compensation, regardless of circumstances. This deadline is firm and is not typically extended. Patients who were unaware of the breach notification, those who lost the settlement information, or those who procrastinated will receive nothing. This creates a real-world consequence where the people most vulnerable to misinformation or overwhelmed by the breach may miss out entirely.

Northeast Rehabilitation Hospital Network Settlement Allocation

Individual Claims Fund: $500,000
Attorneys’ Fees & Costs: $500,000
Administrative Expenses: $250,000
Security Improvements: $250,000

Source: Minicucci, et al. v. Northeast Rehabilitation Hospital Network, Superior Court of Rockingham County, New Hampshire

How the Hunters International Cyber Threat Group Conducted the Attack

Hunters International, a known cybercriminal group, gained unauthorized access to Northeast Rehabilitation’s systems and spent weeks extracting patient data before being discovered. The breach was detected on May 22, 2024, marking the date when the hospital network identified unauthorized activity and began investigating the extent of the compromise. The fact that the attack went undetected for an unknown period before May 22 suggests the attackers had sufficient access to explore systems, identify valuable data, and establish data extraction pathways without triggering immediate alerts. Healthcare organizations are frequent targets for cybercriminals because patient data is more valuable than financial account information on dark web markets—medical records sell for 10 to 50 times the price of credit card numbers. Hunters International has attacked numerous healthcare providers, financial institutions, and other organizations, often using ransomware tactics combined with data theft to pressure victims into paying extortion demands.

In the case of Northeast Rehabilitation, the group exfiltrated data, and apparently either a payment was negotiated with the hospital network, the data was recovered, or the attackers simply moved on to other victims. The group’s involvement became public knowledge, which is why cybersecurity researchers and HIPAA Journal were able to identify the attack vector. The breach illustrates why the hospital network’s commitment to spend a minimum of $500,000 on system upgrades matters. Legacy security practices, unpatched systems, and poor network segmentation allowed the attackers to move laterally through the hospital’s IT environment and access patient databases. Organizations that segment their networks properly, maintain rigorous patch management schedules, and implement multi-factor authentication across all systems are significantly harder for external attackers to compromise. For affected patients, understanding that the hospital network is now investing in upgrades provides some assurance that their current and future medical information will face better protection—though no security guarantee is absolute.

Understanding the Claims Process and Settlement Website

Affected individuals must navigate the official settlement website, northeastrehabhospitaldatasettlement.com, to file their claims. The website provides the claim form, instructions for submitting documentation, and tracking tools to check the status of applications. For those pursuing the $75 no-documentation claim, the process is streamlined—typically requiring just name, date of birth, and confirmation that the individual was a patient of Northeast Rehabilitation during the relevant time period. For those seeking higher compensation, the website explains what counts as “documented losses” and provides a format for submitting receipts, bills, and other evidence. A practical comparison: no-documentation claims move faster but net less money per person, while documented claims require more effort and time but can yield significantly higher compensation. If a patient incurred $500 in credit monitoring and fraud resolution costs, filing for the higher amount makes sense despite the extra paperwork.

However, if the patient experienced stress, anxiety, and disrupted sleep from identity theft fears but has no receipts to prove financial losses, they are limited to the $75 base amount. The settlement design creates an incentive for those with quantifiable losses to document them, while not penalizing those who cannot easily do so. One tradeoff in using the official settlement website is that it creates a centralized record of participation—affected individuals who file claims are documenting that they were impacted by the breach. While this is necessary for claims administration, it does mean creating an additional digital trail. Some privacy-conscious individuals may weigh this against the benefit of compensation. The settlement administrator is responsible for secure handling of claims data, but individuals submitting documentation should review the website’s privacy policy and understand what happens to their claim information.

Common Pitfalls and Warnings for Claim Filers

A major warning for affected patients: do not assume automatic notification equals guaranteed awareness. Many individuals who received the initial breach notification letters never opened them, lost them, or did not understand that a claim deadline existed. Email notifications were also sent to some patients, but email is easily overlooked or filtered as spam. The fact that the February 17, 2026 deadline is less than a year away means procrastination is a real risk. Individuals who think “I’ll file a claim eventually” often find months have passed, and the deadline has come and gone. Another common pitfall is confusing the settlement claim process with identity theft monitoring or credit reporting. The settlement provides compensation—not free credit monitoring for life.

Some claimants expect that filing will automatically enroll them in identity theft protection services, which is not always the case. Affected individuals should independently consider subscribing to credit monitoring services through Equifax, Experian, or TransUnion, checking their credit reports regularly via AnnualCreditReport.com, and placing fraud alerts or credit freezes with the three major credit bureaus. The settlement compensates for past losses and may reimburse past monitoring costs, but it does not replace ongoing vigilance. Additionally, many claimants make the mistake of failing to gather documentation before the deadline approaches. If you incurred costs related to the breach—credit monitoring services, identity theft insurance, time spent disputing fraudulent charges—you should start collecting receipts and invoices now. Banks, credit card companies, and service providers can provide documentation, but gathering these takes time. Waiting until January or February 2026 to start compiling evidence means you risk running out of time to obtain all necessary documents before the deadline expires.

The Role of the Hospital’s Security Commitments and Future Protections

As part of the settlement, Northeast Rehabilitation Hospital Network agreed to spend a minimum of $500,000 on computer system upgrades and internal security protocol improvements. This commitment reflects a recognition that the breach resulted from security deficiencies and that remediation is necessary. The specific investments might include upgrading firewalls and intrusion detection systems, implementing or strengthening multi-factor authentication, conducting comprehensive security audits, deploying data loss prevention tools, and retraining staff on security best practices. These investments are designed to reduce the likelihood of future breaches.

However, a limitation is that the $500,000 commitment is a minimum—Northeast Rehabilitation may choose to invest more, but this amount may not address all security vulnerabilities in a large healthcare network. Many hospitals operate complex, aging IT systems that integrate hundreds of medical devices, electronic health record systems, billing platforms, and administrative networks. Comprehensive security improvements across such an environment often cost millions of dollars. The settlement’s security provision holds the hospital accountable to some degree, but it does not guarantee that patient data will be immune from future breaches. Cybersecurity is an ongoing process, not a one-time fix.

What This Settlement Means for Healthcare Data Breach Accountability

The Northeast Rehabilitation settlement joins a series of healthcare data breach class action resolutions that signal increased accountability and compensation for affected patients. Recent years have seen multiple healthcare providers, insurers, and medical device manufacturers settle data breach lawsuits, indicating that courts and litigants are less willing to accept data security failures without compensation. The $1.5 million settlement amount may seem significant, but it must be spread across 148,515 affected individuals, meaning the average compensation is approximately $10 per person if only the base claims are filed—and higher if substantial documented claims are submitted.

Looking forward, healthcare organizations that experience data breaches in 2025 and 2026 should expect similar or larger settlements. The legal and financial consequences of data breaches are becoming more predictable and more severe. For patients, this creates both opportunity and responsibility—settlements exist, but claiming compensation requires active participation before firm deadlines. The healthcare industry’s security practices are under increasing scrutiny, and the push toward mandatory investment in better security reflects an understanding that patient data is a critical asset deserving protection comparable to other high-value data assets in other industries.
