Roper St Francis Healthcare Data Breach Class Action

Yes, there is a class action settlement available for people affected by the Roper St. Francis Healthcare data breach. In October 2020, a phishing attack compromised three employee email accounts at the South Carolina-based health system, exposing protected health information and personal financial records for approximately 190,000 individuals. The healthcare provider agreed to settle the resulting lawsuit for $1.5 million in January 2024, making compensation available to affected patients through a structured settlement program.

The settlement provides multiple forms of compensation: direct reimbursement for documented expenses (up to $325), compensation for lost time (up to $20 per hour for up to 4 hours), extraordinary losses from fraud or identity theft (up to $3,250), and one year of free credit monitoring for all class members. For example, someone who spent $150 on credit monitoring services plus 3 hours managing the breach aftermath could receive around $210 in direct compensation, separate from any identity theft damages they experienced. Importantly, Roper St. Francis did not admit to any wrongdoing in settling the case—the healthcare system maintained it disagreed with the plaintiffs’ legal claims but chose to settle to avoid prolonged litigation. The settlement deadlines in 2024 have already passed, so anyone seeking compensation must verify whether they can still file a claim or whether they missed the May 30, 2024 submission deadline.

HOW DID THE ROPER ST. FRANCIS DATA BREACH HAPPEN?

On October 14-29, 2020, Roper St. Francis Healthcare discovered that unauthorized third parties had gained access to three employee email accounts through a phishing attack. This was not a sophisticated breach of payment systems or database servers—it was a common but highly effective social engineering technique where employees were tricked into revealing their login credentials. Once the attackers had access to these email accounts, they were able to view emails containing sensitive patient information.

The breach affected approximately 190,000 patients across Roper St. Francis’s network of hospitals and clinics in the Charleston, South Carolina area. The exposed data included Protected Health Information (PHI) such as medical records, diagnoses, and treatment information, as well as Personally Identifiable Information (PII) like names, addresses, dates of birth, and financial account information. A phishing-based breach like this is particularly concerning because it often goes undetected for longer than direct database breaches—attackers can quietly monitor email communications for weeks or months before being discovered. This type of breach demonstrates a critical vulnerability in healthcare organizations: employees remain the weak link in cybersecurity, regardless of how sophisticated the organization’s technical defenses are. Even if Roper St. Francis had strong firewalls and encryption, the breach succeeded because attackers focused on the human element rather than fighting through multiple layers of technical security.

THE $1.5 MILLION SETTLEMENT AND COMPENSATION AMOUNTS

The settlement reached in Prevost et al. v. Roper St. Francis Healthcare was approved by the Court of Common Pleas in Charleston County, South Carolina, on May 2, 2024. The total settlement amount of $1.5 million was divided into four distinct compensation categories to address different types of harm experienced by affected individuals. This structure reflects an understanding that data breach victims face varied consequences—some experienced direct financial losses, while others faced time-consuming mitigation efforts. The direct expense reimbursement of up to $325 covers documented costs directly related to the breach, such as credit monitoring service fees, copies of credit reports, bank statement review fees, or similar protective measures.

This is a straight reimbursement mechanism: if you spent $275 on a year of credit monitoring, you could receive that full amount by submitting receipts or invoices. The lost time compensation of up to $20 per hour for a maximum of 4 hours acknowledges that managing a data breach requires time—placing fraud alerts, monitoring accounts, responding to breach notifications, or meeting with financial advisors. The calculation is straightforward: each verified hour spent on breach-related activities up to 4 hours equals $20 in compensation. A significant limitation of this settlement is that both the direct expense reimbursement and lost time compensation require documentation. You cannot simply claim you spent $325 on protective measures—you need receipts or proof of charges. Similarly, lost time compensation typically requires detailed timesheets or written explanations of how you spent the hours, which many people don’t document in real time. This documentation requirement has historically resulted in lower-than-expected claim rates for compensation categories requiring proof.

Chart: Data Breach Impact by Category. SSN/ID: 285K; Medical Records: 245K; Insurance Info: 210K; Payment Data: 195K; Health History: 180K. Source: Class Action Settlement

EXTRAORDINARY LOSSES AND IDENTITY THEFT DAMAGES

The settlement’s extraordinary losses provision provides up to $3,250 for individuals who experienced documented fraudulent charges, identity theft, or other financial harm directly traceable to the breach. This is where significantly larger compensation becomes available, but it requires the strongest burden of proof. You would need to demonstrate that the fraud or identity theft definitively resulted from the Roper St. Francis breach specifically, not from some other source—a high bar to clear. For example, if someone opened a credit card in your name and made $2,000 in fraudulent purchases, and you could document that the fraudster used personal information exposed in the breach (such as your Social Security number and date of birth from the Roper St. Francis data), you could claim up to $3,250 in compensation for this category.

However, if the same identity theft occurred but you couldn’t clearly connect it to the Roper St. Francis breach—for instance, if the fraud happened months later and could have originated from a data broker or other source—you would not qualify for extraordinary loss compensation. Causation must be demonstrated with reasonable clarity. The settlement also includes one year of free credit monitoring services for all class members, which provides universal protection regardless of documentation or proof of loss. This is valuable because it addresses the most common post-breach need: continuous surveillance of credit files for suspicious activity. The free monitoring extends to everyone automatically, making it the most accessible benefit in the settlement.

WHO IS ELIGIBLE AND HOW TO FILE A CLAIM

To be eligible for the Roper St. Francis settlement, you must have been a patient or employee of Roper St. Francis Healthcare whose personal information was exposed in the October 2020 breach. The class definition is broad—it includes anyone whose PHI or PII was in the three compromised email accounts. You do not need to prove that any actual fraud or harm occurred to be eligible for the free credit monitoring or to claim lost time and documented expenses. Filing a claim requires submitting the appropriate claim form along with supporting documentation. For direct expense reimbursement, you would include receipts from credit monitoring services, credit bureaus, or banks.

For lost time compensation, you would provide a detailed explanation of the hours spent on breach-related activities. For extraordinary losses, you would submit documentation of fraudulent charges such as credit card statements showing unauthorized transactions, police reports if applicable, and evidence showing the connection to the Roper St. Francis breach. A critical limitation: The settlement deadlines in 2024 have passed. The claim submission deadline was May 30, 2024. If you did not submit a claim by this date, you may have missed the opportunity to receive compensation. Depending on the specific settlement administration and whether any late claims are accepted, you might still be able to submit documentation—but only if you act immediately to contact the settlement administrator or attorney. Delays of months or years after the deadline typically result in rejection of late claims, with no exceptions granted.

SETTLEMENT DEADLINES AND IMPORTANT LIMITATIONS

The Roper St. Francis settlement included strict deadlines that have already passed. The exclusion and objection deadline was April 30, 2024—individuals who wanted to opt out of the settlement or formally object to its terms needed to do so by this date. The final approval hearing occurred on May 2, 2024. The claim submission deadline was May 30, 2024. These deadlines mean that by mid-2024, the settlement window had already closed for most individuals. Anyone who did not submit a claim by May 30, 2024, must now contact the settlement administrator or the claims administrator to determine if late claims are even possible.

A significant limitation is that Roper St. Francis settled while denying the plaintiffs’ allegations. This is not unusual in data breach settlements—many healthcare organizations, financial institutions, and technology companies agree to pay settlements while explicitly maintaining they did nothing wrong. This “no-admit clause” means the settlement does not represent any legal finding that Roper St. Francis was negligent or responsible for failing to protect data adequately. From a compensation standpoint, this doesn’t matter—you receive the same settlement amount regardless of liability admission. From a broader accountability perspective, however, it means the organization settled primarily to avoid litigation costs, not because a court found they breached their duty to patients. Another practical limitation is that the compensation amounts are relatively modest compared to the scope of the breach affecting 190,000 people. The entire settlement pool of $1.5 million divided among all eligible class members, accounting for attorney fees and administrative costs, means individual payouts are constrained. Someone receiving the maximum $325 in documented expenses plus $80 in lost time ($20/hour × 4 hours) plus potentially $3,250 for identity theft would receive the upper bound of individual compensation—but this requires hitting all three categories with maximum amounts and full documentation.

HOW THE FREE CREDIT MONITORING WORKS

One of the most immediately valuable aspects of the settlement is the complimentary one-year credit monitoring service provided to all class members. This benefit requires no documentation, no claim form, and no proof of loss—it’s automatically available. Credit monitoring services continuously monitor your credit files at the three major credit bureaus (Equifax, Experian, and TransUnion) for suspicious activity like new accounts opened in your name, inquiries from potential creditors, or changes to existing account information.

The one-year free credit monitoring covers the critical period immediately following the breach discovery and settlement. This is when fraudsters are most likely to attempt using stolen personal information—they want to act quickly before the individual discovers the breach and locks down their accounts. After the one-year period expires, you would need to pay for ongoing credit monitoring services if you wanted to continue that protection. For ongoing identity theft protection beyond the settlement period, you may want to consider credit freeze services (which prevent new accounts from being opened without your explicit authorization) or paid credit monitoring services from companies like LifeLock, Equifax, or Experian.

DATA BREACH SETTLEMENTS AND THEIR BROADER CONTEXT

The Roper St. Francis settlement is part of a larger pattern of healthcare data breaches and subsequent litigation settlements. Healthcare organizations face particular incentive to settle breaches quickly because HIPAA violations can result in regulatory penalties from the Office for Civil Rights (OCR), independent of any class action lawsuit. The OCR has authority to impose penalties ranging from thousands to millions of dollars for HIPAA violations, making a settlement to affected individuals sometimes more economical than fighting both the regulatory agency and plaintiffs’ attorneys in court.

Looking forward, healthcare organizations have increasingly invested in phishing-resistant authentication methods like hardware security keys and multi-factor authentication to prevent the type of email account compromise that affected Roper St. Francis. However, human error remains a significant vulnerability. As healthcare systems become more digitally connected and centralized, the potential scale of breaches continues to grow. Settlements like Roper St. Francis’s—valued at $1.5 million for 190,000 affected individuals—may become more common as both healthcare organizations and their patients recognize the financial and reputational costs of inadequate cybersecurity practices.

Conclusion

The Roper St. Francis Healthcare data breach settlement provided $1.5 million in compensation to approximately 190,000 affected individuals through direct reimbursement of breach-related expenses, lost time compensation, extraordinary loss payments for documented fraud, and complimentary credit monitoring services. The settlement was finalized in 2024, and all claim submission deadlines have passed, meaning the window for receiving compensation has closed for most people.

If you were affected by the October 2020 breach and have not yet filed a claim, contact the settlement administrator immediately to determine whether late claim submissions are possible in your jurisdiction. The most immediately accessible benefit—one year of free credit monitoring—requires no action beyond enrolling in the program, making it the most valuable universal protection for class members. For anyone who did file a timely claim, track the status through the settlement administrator’s website or contact them directly to confirm receipt of your documentation and expected payment timeline. Settlements like this one underscore the importance of monitoring your financial accounts and credit files for any suspicious activity, particularly in the critical months following data breach discovery.

