If you received a notification letter about the Staten Island University Hospital data breach, you can file a claim for up to $1,000 in reimbursement for out-of-pocket expenses, a flat $35 cash payment, or two years of medical data monitoring with a $1 million identity theft insurance policy. The claim form is available through the official settlement website at medibasesiuhdatabreachsettlement.com, and the deadline to submit is March 16, 2026.
The settlement resolves a class action lawsuit filed on behalf of roughly 35,106 individuals whose protected health information was exposed when Medibase Group Inc., a healthcare solutions vendor for SIUH, suffered a cyberattack in January 2024. This article walks through the specific details of the claim form, what documentation you need, how to choose between the three settlement options, and what deadlines you cannot afford to miss. We also cover what data was compromised, what the lawsuit alleged, and what to watch out for if you are considering opting out instead of filing a claim.
Table of Contents
- What Is the Staten Island University Hospital Data Breach Settlement and Who Can File a Claim?
- What Information Was Exposed and Why It Matters for Your Claim
- How to Complete the Claim Form Step by Step
- Comparing the Three Settlement Benefit Options
- Critical Deadlines and What Happens If You Miss Them
- What SIUH’s Vendor Relationship With Medibase Means for Affected Patients
- The Growing Pattern of Healthcare Vendor Breaches
- Frequently Asked Questions
What Is the Staten Island University Hospital Data Breach Settlement and Who Can File a Claim?
The settlement stems from the case *Belle De Santiago and Elena Girenko v. staten Island University Hospital*, Case No. 25CVE0998, filed in the Superior Court of Cherokee County, Georgia. The plaintiffs alleged that SIUH failed to implement reasonable and appropriate security measures to protect sensitive patient data after its vendor, Medibase Group Inc., was hit by a targeted cyberattack. SIUH denies all claims of wrongdoing, fault, and liability, but agreed to settle rather than continue litigation. You are eligible to file a claim if you were one of the 35,106 individuals identified as affected by the breach.
Notification letters were mailed on July 5, 2024, so if you received one, that is your clearest confirmation of eligibility. The letter should contain a unique ID number that you will need when completing the claim form. If you believe you were affected but did not receive a letter — perhaps because you moved or the letter was lost — you should contact the settlement administrator through the official website to verify your status before the March 16, 2026 filing deadline. One important detail: this settlement covers data compromised through Medibase’s systems, not a direct breach of SIUH’s own network. SIUH has confirmed it no longer conducts business with Medibase. That distinction matters because it means the security failures at issue were within a third-party vendor’s infrastructure, which is an increasingly common pattern in healthcare data breaches.
What Information Was Exposed and Why It Matters for Your Claim
The breach compromised a serious range of personal data. According to the notification sent to affected individuals, the exposed information included names, Social Security numbers, dates of birth, medical information, and health insurance information. This is not a minor email-only breach — Social Security numbers and medical records are among the most sensitive categories of personal data, and their exposure creates long-term risk for identity theft and medical fraud. The type of data compromised directly affects what damages you can claim. For example, if someone opened a fraudulent credit account using your Social Security number after January 2024, that expense — including costs for credit freezes, notary fees, or time spent resolving the fraud — could be reimbursable under the settlement‘s out-of-pocket expense option.
However, if your only concern is the potential for future misuse and you have not yet experienced any concrete harm, the flat $35 payment or the monitoring services option may be more appropriate. You cannot claim speculative future damages under this settlement. Medical information exposure carries a unique risk that financial data does not. Unlike a credit card number, which can be canceled and reissued, your medical history cannot be changed. Fraudulent use of medical identity can lead to corrupted health records, insurance claim denials, or even incorrect treatments if someone else’s medical data gets mixed with yours. This is why the settlement includes medical data monitoring specifically, not just standard credit monitoring.
How to Complete the Claim Form Step by Step
The claim form is accessible through medibasesiuhdatabreachsettlement.com and can be submitted either online or by mail. You will need your unique claim ID from the notification letter, your contact information, and — depending on which benefit you select — supporting documentation for any out-of-pocket expenses. For the $35 flat payment option, the form is straightforward. You verify your identity, confirm your eligibility, and select the cash payment. No documentation of harm is required.
This option exists for class members who want compensation without the burden of gathering receipts or proving specific losses. For the monitoring services option, you similarly do not need to prove existing harm — you are enrolling in a protective service rather than seeking reimbursement. The out-of-pocket reimbursement option (up to $1,000) requires more effort. You will need to provide documentation such as bank statements, receipts, invoices, or other records showing expenses directly caused by the data breach. Examples include costs for credit monitoring services you purchased before the settlement was announced, fees for placing or lifting credit freezes, charges for obtaining credit reports, costs related to identity theft resolution, and even lost wages if you had to take time off work to deal with fraud. Be specific and thorough — vague claims without supporting documentation are likely to be reduced or denied.
Comparing the Three Settlement Benefit Options
The three claim options present a clear tradeoff between potential payment, potential reimbursement, and ongoing protection. The $35 flat payment is the simplest: guaranteed money with no documentation required. It is the right choice if you have not suffered any direct financial harm and do not feel you need ongoing monitoring. The downside is obvious — $35 is a modest sum for a breach that exposed Social Security numbers and medical records. The up to $1,000 reimbursement option offers significantly more money but requires proof.
If you spent $200 on a credit monitoring subscription after the breach, paid $50 in credit freeze fees, and lost four hours of work at $30 per hour dealing with a fraudulent account, that totals $370 in documented expenses you could recover. But if you cannot produce receipts or records, you will likely receive less than you claim. The monitoring option — two years of medical data monitoring plus $1 million in identity theft insurance — has no direct cash value but provides meaningful protection, especially given that medical identity theft often surfaces months or years after a breach. If you have not yet experienced harm, this option hedges against future risk in a way that $35 cannot. You should also consider that the $35 payment amount could decrease if a large number of class members file claims, depending on how the settlement fund is structured. Reimbursement claims, by contrast, are tied to your documented losses up to the $1,000 cap.
Critical Deadlines and What Happens If You Miss Them
Three dates govern this settlement, and missing any of them could cost you. The opt-out deadline was March 2, 2026 — if you wanted to exclude yourself from the settlement and preserve your right to sue SIUH independently, that window has already closed. The claim filing deadline is March 16, 2026, and this is a hard cutoff. Claims submitted after this date will almost certainly be rejected regardless of their merit. The final fairness hearing is scheduled for March 31, 2026. At this hearing, the court will review the settlement terms and decide whether to grant final approval.
If you filed an objection to the settlement (which also had to be submitted by the opt-out deadline), the judge will consider it during this hearing. If the court approves the settlement, payments will be processed afterward, though the exact timeline for disbursement is not specified and can take several months. One limitation worth noting: if you already opted out by the March 2 deadline, you cannot also file a claim. Opting out means you are no longer part of the class and are not entitled to any settlement benefits. This is a one-way door. Conversely, if you stay in the class and file a claim, you give up your right to pursue an independent lawsuit against SIUH over this breach.
What SIUH’s Vendor Relationship With Medibase Means for Affected Patients
The breach originated not with SIUH directly but with Medibase Group Inc., a healthcare solutions vendor that processed data on SIUH’s behalf. On May 8, 2024, Medibase notified SIUH that an unauthorized third party had accessed systems containing protected health information during the January 2024 cyberattack. This vendor-to-hospital notification lag — roughly four months — is a point the lawsuit highlighted, as patients were not informed until July 5, 2024, six months after the initial breach.
SIUH has stated it no longer conducts business with Medibase. For affected patients, this means the specific vulnerability that led to the breach has been addressed at the vendor level, though it does not retroactively protect data that was already exposed. If you are a current SIUH patient, the hospital’s decision to sever ties with Medibase is relevant context but does not eliminate the need to monitor your accounts and file a claim.
The Growing Pattern of Healthcare Vendor Breaches
The SIUH-Medibase incident fits a broader and troubling pattern in healthcare cybersecurity. Hospitals and health systems increasingly rely on third-party vendors for billing, data management, and administrative functions, and each of those vendor relationships creates a potential point of failure. When a vendor like Medibase is breached, the hospital’s patients bear the consequences even though the hospital’s own systems may have been secure.
For individuals affected by this specific breach, the immediate priority is filing a claim before March 16, 2026. But beyond that, this case underscores the importance of monitoring your medical and financial records on an ongoing basis — not just in the months after a breach notification, but as a permanent practice. The two-year monitoring option in this settlement provides a structured way to do that, at least for the near term.
Frequently Asked Questions
How do I know if I am part of the Staten Island University Hospital data breach settlement?
If you received a notification letter mailed around July 5, 2024, you are one of the 35,106 affected individuals. Your letter should include a unique claim ID. If you did not receive a letter but believe you were affected, contact the settlement administrator through medibasesiuhdatabreachsettlement.com.
Can I file for more than one of the three settlement benefit options?
The settlement offers three claim options — the $35 cash payment, the up to $1,000 reimbursement, or the monitoring services. Check the claim form carefully for whether options can be combined, as some settlements allow monitoring plus a cash payment while others require you to choose one.
What documents do I need to claim the up to $1,000 reimbursement?
You need receipts, bank statements, invoices, or other records showing out-of-pocket expenses directly caused by the breach. This includes credit monitoring costs, credit freeze fees, identity theft resolution expenses, and documented lost wages from time spent addressing fraud.
What happens after the March 31, 2026 final fairness hearing?
If the court grants final approval, the settlement administrator will process and distribute payments. The timeline for receiving funds varies but typically takes several months after final approval, and can be longer if there are appeals.
Is it too late to opt out of the settlement?
Yes. The opt-out deadline was March 2, 2026. If you did not request exclusion by that date, you are bound by the settlement terms and cannot pursue an independent lawsuit against SIUH over this breach.
You Might Also Like
- American National Bank & Trust Data Incident Class Action Settlement: Claim Form Details
- Shimano Defective Crankset Class Action Settlement: Claim Form Details
- Hyundai And Kia Defective Airbag Control Units Class Action Settlement: Claim Form Details