The short answer is: it depends on which part of the Staten Island University Hospital data breach settlement you are filing for. If you are claiming the $35 flat cash payment, you do not need to provide proof of harm or any supporting documentation — you just need to be a class member and submit your claim form. But if you want reimbursement for out-of-pocket expenses up to $1,000, you absolutely need documented proof of unreimbursed losses tied directly to the breach. That distinction matters, because filing for the wrong tier without understanding the requirements could mean leaving money on the table or wasting your time gathering paperwork you never needed. This settlement stems from a January 2024 data breach at The Medibase Group Inc., a business associate of Staten Island University Hospital that handles healthcare solutions and business office services.
On or around May 8, 2024, Medibase notified SIUH that an unauthorized third party had accessed its systems, compromising the data of 35,106 individuals. The exposed information included names, Social Security numbers, dates of birth, medical details, and health insurance information — essentially the full toolkit for identity theft. The case, Santiago et al. v. Staten Island University Hospital, resulted in a settlement that offers three forms of relief, each with different proof thresholds.
Table of Contents
- What Proof Does the Staten Island University Hospital Data Breach Settlement Actually Require?
- What Data Was Exposed and Why That Shapes Your Claim Strategy
- The Medical Data Monitoring Benefit Most People Will Ignore
- How to File Your Claim Before the March 16 Deadline
- Why “No Fault Admitted” Does Not Mean You Have No Claim
- Common Documentation Mistakes That Get Claims Denied
- What the SIUH Settlement Signals About Healthcare Vendor Breach Liability
- Frequently Asked Questions
What Proof Does the Staten Island University Hospital Data Breach Settlement Actually Require?
The settlement creates a two-tier system that treats claimants differently based on what they are asking for. The first tier — the $35 flat cash payment — functions like a no-questions-asked acknowledgment that your data was compromised. You do not need to show that someone opened a credit card in your name, that you spent hours on the phone with your bank, or that you suffered any financial loss at all. You file the claim, you confirm you are a class member, and the payment is yours. Think of it as the settlement’s baseline recognition that having your Social Security number and medical records exposed is, on its own, a compensable harm.
The second tier works completely differently. If you are seeking reimbursement for out-of-pocket expenses — which can reach up to $1,000 — you need to bring receipts. The settlement requires documented, unreimbursed out-of-pocket losses that were directly caused by the data breach. That means bank statements showing fraudulent charges, invoices from credit monitoring services you paid for before the settlement, costs associated with placing or lifting credit freezes, or fees for obtaining credit reports. The key word in the requirement is “unreimbursed” — if your bank already reversed a fraudulent charge, you cannot claim that amount again here. A useful comparison: this structure is common in data breach settlements but not universal. Some settlements, like the Equifax breach, offered tiered payments where even the basic cash alternative required attestation of time spent dealing with the breach. The SIUH settlement’s flat $35 payment is simpler than that — there is no attestation of time, no description of harm, just a straightforward claim submission.

What Data Was Exposed and Why That Shapes Your Claim Strategy
The nature of the compromised data here is particularly serious. We are not talking about just email addresses and passwords. The breach at Medibase exposed names, Social Security numbers, dates of birth, medical details, and health insurance information. That combination is what fraud specialists call “fullz” — a complete identity profile that can be used for medical identity theft, tax fraud, synthetic identity creation, and insurance scams. Medical data, in particular, is worth significantly more on the black market than financial data because it cannot be changed the way you change a credit card number.
This matters for your claim because the types of fraud that stem from medical data breaches often surface months or even years after the initial exposure. You might not see the damage right now. However, if you start receiving explanation-of-benefits statements for medical procedures you never had, or if a debt collector contacts you about a hospital bill from a facility you have never visited, those are signs your medical identity has been used. The expenses you incur dealing with those situations — certified mail to dispute fraudulent bills, notarized affidavits, time off work for in-person identity verification — could all potentially qualify for the out-of-pocket reimbursement tier, provided you document them as they happen. One important limitation: the settlement specifies that out-of-pocket losses must be “directly caused by the data breach.” If you experienced identity theft but cannot reasonably connect it to the Medibase breach specifically — say, because your data was also compromised in three other breaches that year — the causal link becomes harder to establish. This is not an automatic disqualifier, but it is a gray area where thorough documentation strengthens your position.
The Medical Data Monitoring Benefit Most People Will Ignore
Beyond the cash payments, the settlement includes two years of medical data monitoring services bundled with a $1 million identity theft insurance policy. This is arguably the most valuable component of the settlement for many class members, yet in nearly every data breach settlement, the monitoring benefit has the lowest uptake. People see the $35 check and stop reading. That is a mistake.
Medical data monitoring is not the same as standard credit monitoring you might already have through your bank or a service like Credit Karma. Standard credit monitoring watches for new credit inquiries and account openings. Medical data monitoring specifically tracks whether your health insurance credentials, medical record numbers, or personal health information are being used by someone else to obtain medical care, fill prescriptions, or file insurance claims. Given that the Medibase breach exposed medical details and health insurance information, this is precisely the type of monitoring most relevant to the risk you face. The $1 million identity theft insurance policy attached to the monitoring is also worth noting. It does not mean you get a million dollars. It means that if you experience identity theft that can be traced back to this breach and you incur costs dealing with it — legal fees, lost wages, professional recovery services — the policy covers those costs up to $1 million. That kind of coverage is expensive to buy on the open market. Getting it as part of a settlement claim that costs you nothing more than a few minutes of paperwork is a practical benefit worth securing.

How to File Your Claim Before the March 16 Deadline
The claim deadline is March 16, 2026, and that date is firm. Missing it means you get nothing — not the $35, not the expense reimbursement, not the monitoring. The official settlement website at medibasesiuhdatabreachsettlement.com is where you file. If you received a notice about this settlement by mail or email, that notice likely includes a unique claim ID that simplifies the process. If you did not receive a notice but believe you were affected, you can still file, though you may need to provide identifying information to verify your class membership. For the flat $35 payment, the process is straightforward: fill out the claim form with your identifying information and submit. For the out-of-pocket reimbursement, you will need to attach or describe your documented expenses. The tradeoff here is real: spending time gathering documentation for a modest expense reimbursement may or may not be worth it depending on your actual losses.
If you spent $40 on a credit monitoring subscription after learning about the breach, the documentation is simple — one receipt, one claim line. If you are trying to document a complex chain of identity theft consequences totaling $900, that requires substantially more effort. Either way, you should file for the $35 payment regardless, because the cost of doing so is minutes, not hours. Two other deadlines matter even if you are not filing a claim. The opt-out deadline was March 2, 2026 — that window has already closed. The final fairness hearing is scheduled for March 31, 2026, where the court will decide whether to approve the settlement terms. If you had objections to the settlement, those needed to be raised before the opt-out deadline. At this point, the practical path forward for most class members is simply to file a claim before March 16.
Why “No Fault Admitted” Does Not Mean You Have No Claim
A detail in the settlement that sometimes confuses people: Staten Island University Hospital denies any fault or liability, and the settlement explicitly states it cannot be construed as an admission of liability. This is standard language in virtually every class action settlement, but it still trips people up. Some class members read that language and assume it means the case was frivolous or that they somehow do not deserve compensation. That is not what it means. Settlement agreements include no-fault language because that is the entire point of settling rather than going to trial. The defendant avoids the risk of a jury finding them liable, and the plaintiffs avoid the risk of losing at trial and getting nothing.
Both sides make a calculated trade. The denial of fault has zero impact on your ability to file a claim or receive payment. It is a legal formality, not a substantive judgment about whether the breach happened or whether your data was compromised. The one area where this language does matter is if you are considering separate litigation. By accepting a payment from this settlement, you are releasing your individual claims against SIUH related to this breach. If you believe your damages significantly exceed what the settlement offers — and you have the documentation and resources to pursue individual litigation — you would have needed to opt out before March 2, 2026. For the vast majority of the 35,106 affected individuals, the settlement’s combination of cash, expense reimbursement, and monitoring is the most practical path to compensation.

Common Documentation Mistakes That Get Claims Denied
The most frequent reason out-of-pocket claims get reduced or denied is not a lack of harm — it is a lack of documentation connecting the harm to the specific breach. A class member who submits a credit card statement showing a fraudulent charge of $500 but no evidence that the charge relates to the Medibase breach (as opposed to any other source of data compromise) is in a weaker position than someone who submits the same statement alongside a police report referencing the SIUH notification letter and a timeline showing the fraud started after January 2024.
Another common mistake is claiming expenses that were already reimbursed. If your bank reversed a fraudulent charge, that loss has been made whole — you cannot double-recover through the settlement. Similarly, if your employer already provides credit monitoring and you signed up for an additional paid service after the breach, the settlement may reimburse the additional service but not a service you were already receiving. Read the claim form carefully and only list genuinely unreimbursed, breach-related costs.
What the SIUH Settlement Signals About Healthcare Vendor Breach Liability
This case is part of a growing wave of settlements targeting not just healthcare providers but their business associates and vendors. The breach did not occur at Staten Island University Hospital’s own systems — it occurred at The Medibase Group Inc., a vendor that provides healthcare solutions and business office services. The legal theory underlying Santiago et al. v. SIUH reflects an expanding view that healthcare organizations bear responsibility for the data security practices of the third parties they entrust with patient information.
For consumers, this trend is actually encouraging. It means that even when a breach happens several steps removed from the entity you actually interact with, there is an increasingly viable legal path to compensation. For the healthcare industry, it signals that vendor risk management is not just a compliance checkbox — it is a litigation exposure. Expect more settlements with this structure as healthcare data breaches continue to involve third-party processors, and expect the proof requirements for basic payments to remain relatively low as courts recognize that the mere exposure of sensitive medical and financial data constitutes real harm.
Frequently Asked Questions
Do I need proof of harm to get the $35 payment from the SIUH data breach settlement?
No. The $35 flat cash payment is available to all class members who submit a valid claim form by March 16, 2026. You do not need to provide documentation of losses or demonstrate that you were personally harmed by the breach.
What documentation do I need for the out-of-pocket expense reimbursement?
You need records of unreimbursed expenses directly caused by the data breach, up to $1,000. This can include bank or credit card statements showing fraudulent charges, receipts for credit monitoring services you purchased, costs related to credit freezes, or other expenses you can tie to the January 2024 Medibase breach.
What is the deadline to file a claim in the Staten Island University Hospital data breach settlement?
The deadline to submit a claim is March 16, 2026. The opt-out deadline of March 2, 2026 has already passed. The final fairness hearing is scheduled for March 31, 2026.
Does the hospital admitting no fault mean I cannot get paid?
No. The no-fault language is standard in class action settlements and has no impact on your ability to file a claim and receive payment. It is a legal formality that allows the defendant to settle without admitting liability.
What does the medical data monitoring cover?
The settlement provides two years of medical data monitoring services that specifically track misuse of your health insurance credentials and medical information. It also includes a $1 million identity theft insurance policy that covers costs you incur from identity theft related to this breach.
Can I file for both the $35 payment and the out-of-pocket reimbursement?
The settlement offers both a flat $35 payment and reimbursement for documented out-of-pocket expenses up to $1,000. Review the claim form at medibasesiuhdatabreachsettlement.com for specific instructions on which benefits you can claim together.
