The Staten Island University Hospital data breach settlement offers three distinct categories of compensation to roughly 35,106 affected individuals: a flat $35 cash payment simply for being a class member, up to $1,000 in reimbursement for documented out-of-pocket losses, and two years of medical data monitoring backed by a $1 million identity theft insurance policy. If you received a notice about the Santiago et al. v. Staten Island University Hospital case, you likely qualify for at least the $35 payment — but the claim deadline is March 16, 2026, leaving very little time to act.
The breach itself traces back to January 2024, when an unauthorized third party accessed systems belonging to The Medibase Group Inc., a business associate that provides healthcare solutions, technical assistance, and business office services to SIUH. Medibase did not notify the hospital until around May 8, 2024, meaning months passed before affected patients learned their names, Social Security numbers, dates of birth, medical information, and health insurance details may have been exposed. Some files also contained hospital admit and discharge dates along with outstanding balances.
Table of Contents
- What Are the Three Settlement Benefits Available to Staten Island University Hospital Breach Victims?
- How the $1,000 Out-of-Pocket Reimbursement Works and Its Limitations
- What the Two-Year Medical Data Monitoring Actually Covers
- Filing Your Claim Before the March 16 Deadline — What to Prioritize
- Common Problems With Data Breach Settlement Claims and How to Avoid Them
- What Happens at the Final Fairness Hearing on March 31
- Lessons From the Medibase Breach for Healthcare Data Security
- Frequently Asked Questions
What Are the Three Settlement Benefits Available to Staten Island University Hospital Breach Victims?
The settlement in Santiago et al. v. staten Island University Hospital structures its relief into three tiers, and class members can claim more than one. The first is the simplest: a $35 flat cash payment available to every eligible class member who submits a valid claim form. You do not need to prove you suffered any harm — the breach itself qualifies you.
The second tier covers out-of-pocket reimbursement of up to $1,000 per person for documented, unreimbursed expenses that resulted directly from the breach. The third is two years of medical data monitoring services that include a $1 million identity theft insurance policy, designed as a forward-looking safeguard rather than a backward-looking reimbursement. To put that in practical terms, consider someone who discovered a fraudulent medical bill after the breach, spent time on the phone disputing it, and paid for a credit monitoring service out of pocket. That person could claim the $35 base payment, submit receipts for their monitoring subscription and any costs tied to resolving the fraudulent bill under the $1,000 reimbursement category, and enroll in the two-year monitoring program — all through a single claim. By contrast, someone who simply received a breach notice but experienced no tangible losses would still be eligible for the $35 payment and the monitoring enrollment. The gap between the minimum and maximum benefit is significant, and which tier matters most depends entirely on your situation.
How the $1,000 Out-of-Pocket Reimbursement Works and Its Limitations
The up-to-$1,000 reimbursement is the most valuable cash benefit in the settlement, but it comes with strings. You need to provide documentation showing that you incurred actual, unreimbursed expenses as a direct result of the Medibase data breach. That can include costs for credit monitoring services you purchased on your own, fees related to credit freezes or fraud alerts, charges tied to fraudulent transactions that were not reversed by your bank, and time spent dealing with identity theft or fraud — though time-based claims typically require a detailed log and are often compensated at a modest hourly rate set by the settlement terms. However, if your losses were reimbursed by your bank, insurance company, or any other source, they do not count toward this $1,000 cap. The settlement specifically covers unreimbursed expenses, so double-recovery is not permitted.
This is a common stumbling block in data breach settlements: people assume they can claim the full amount of a fraudulent charge even if their bank already credited them back. They cannot. Additionally, the $1,000 figure is a per-person cap, not a potential payout. If you spent $200 on a credit monitoring subscription after learning about the breach and can document it, you would receive $200, not the full $1,000. Keep your receipts, confirmation emails, bank statements, and any correspondence with creditors or fraud departments — all of it strengthens your claim.
What the Two-Year Medical Data Monitoring Actually Covers
The monitoring component of this settlement is particularly relevant because the breach exposed medical information, not just financial data. Standard credit monitoring — the kind offered in most data breach settlements — watches for new credit inquiries, accounts opened in your name, and changes to your credit report. Medical data monitoring goes further. It is designed to detect signs that someone is using your personal information to obtain medical care, file insurance claims, or access prescription drugs in your name. Medical identity theft can be harder to spot and more dangerous than financial identity theft because it can corrupt your health records, leading to incorrect treatments or insurance denials.
The settlement pairs this monitoring with a $1 million identity theft insurance policy. That policy does not hand you a million dollars — it provides coverage for costs you might incur while recovering from identity theft during the monitoring period. Think of it as a safety net for legal fees, lost wages from time spent resolving fraud, and other recovery-related expenses. For the 35,106 people affected by the Medibase breach, this is arguably the most important benefit, especially given that the compromised data included Social Security numbers and health insurance information. A stolen credit card number can be canceled in minutes. A stolen Social Security number paired with medical records is a problem that can resurface for years.
Filing Your Claim Before the March 16 Deadline — What to Prioritize
With the claims deadline set for March 16, 2026, you have just days to submit. The official settlement website at medibasesiuhdatabreachsettlement.com is the only place to file. Do not use third-party claim-filing services that charge fees or ask for payment information — legitimate class action settlements never require you to pay to file a claim. The tradeoff most claimants face is between speed and completeness.
If you have documented out-of-pocket losses and the receipts to prove them, take the time to gather that documentation and submit a claim for both the $35 cash payment and the reimbursement. If you have losses but cannot locate your documentation before the deadline, it is generally better to file for the $35 payment and the monitoring enrollment now rather than miss the deadline entirely while searching for receipts. A partial claim filed on time is worth infinitely more than a complete claim filed a day late. The exclusion deadline of March 2, 2026, has already passed, so if you did not opt out, you are part of the class and bound by whatever the court approves at the final fairness hearing on March 31, 2026.
Common Problems With Data Breach Settlement Claims and How to Avoid Them
The most frequent reason claims get denied or reduced in settlements like this one is insufficient documentation. Stating that you spent money on credit monitoring is not enough — you need a receipt or bank statement showing the charge. Claiming lost time requires a written log with dates, descriptions of what you did, and how long each task took. Vague or unsupported claims are routinely rejected by settlement administrators.
Another issue specific to healthcare-related breaches is the difficulty of proving causation. If you experience medical identity theft in 2026, how do you prove it resulted from the January 2024 Medibase breach rather than some other source? The settlement terms generally require a reasonable connection rather than absolute proof, but this is where many claims get challenged. If you notice suspicious medical bills or insurance statements, document them immediately — screenshot the bills, note the dates, and file a police report if warranted. That paper trail is what separates a successful $1,000 reimbursement claim from a denied one. Also be aware that the $35 flat payment could be reduced pro rata if the number of valid claims exceeds the settlement fund’s allocation for that benefit category, though this is common across virtually all class action settlements.
What Happens at the Final Fairness Hearing on March 31
The court has scheduled a final fairness hearing for March 31, 2026, where a judge will review the settlement terms, consider any objections from class members, and decide whether to grant final approval. If approved, the settlement administrator will begin processing claims and distributing payments. If the judge raises concerns or a significant number of objections are filed, the process could be delayed or the terms modified.
For most class members, the hearing requires no action. You do not need to attend or submit anything beyond your claim form. However, if you believe the settlement is unfair — for instance, if you suffered substantial losses that far exceed the $1,000 cap — you had the option to file an objection. Since the exclusion deadline has passed, objecting is the only remaining avenue for class members who disagree with the terms but are still bound by them.
Lessons From the Medibase Breach for Healthcare Data Security
The Medibase breach highlights a persistent vulnerability in healthcare data: third-party vendors. SIUH did not suffer a direct breach of its own systems. Instead, it was The Medibase Group — a business associate handling technical and business office services — whose systems were compromised. Under HIPAA, covered entities like hospitals are required to have business associate agreements in place, but those contracts do not prevent breaches.
They simply establish legal accountability after one occurs. For affected individuals, the takeaway is practical. Healthcare organizations share your data with dozens of vendors, billing companies, and service providers. Enrolling in the monitoring services offered by this settlement is a sensible step, but it should not be your only one. Regularly reviewing your Explanation of Benefits statements from your insurer, checking your medical records for unfamiliar entries, and freezing your credit with all three bureaus are actions that provide protection beyond what any settlement monitoring program offers.
Frequently Asked Questions
How much money can I get from the Staten Island University Hospital settlement?
At minimum, you can receive a $35 flat cash payment. If you have documented out-of-pocket expenses from the breach, you can claim up to $1,000 in reimbursement on top of that. The $35 payment may be reduced pro rata depending on how many valid claims are filed.
What is the deadline to file a claim in the SIUH data breach settlement?
The claims deadline is March 16, 2026. Claims must be submitted through the official site at medibasesiuhdatabreachsettlement.com. There is no extension once this deadline passes.
Can I still opt out of the Staten Island University Hospital settlement?
No. The exclusion deadline was March 2, 2026, which has already passed. All class members who did not opt out by that date are bound by the settlement terms once the court grants final approval.
What does the medical data monitoring include?
The settlement provides two years of medical data monitoring services, which track whether your personal and medical information is being misused. It also includes a $1 million identity theft insurance policy that covers expenses related to recovering from identity theft during the monitoring period.
What kind of expenses qualify for the $1,000 reimbursement?
Documented, unreimbursed out-of-pocket costs caused by the data breach. Examples include credit monitoring subscriptions you purchased, fees for credit freezes, unreimbursed fraudulent charges, and time spent dealing with fraud or identity theft. You must provide receipts, bank statements, or other documentation.
What data was exposed in the Medibase breach?
The breach exposed names, Social Security numbers, dates of birth, medical information, and health insurance information. Some files also contained hospital admit and discharge dates and outstanding balance information.
You Might Also Like
- Shimano Settlement Benefits Explained: Cash, Credits, And Monitoring Options
- Hyundai And Kia Settlement Benefits Explained: Cash, Credits, And Monitoring Options
- DoorDash Settlement Benefits Explained: Cash, Credits, And Monitoring Options