Seven Counties Services, a behavioral and mental health provider based in Louisville, Kentucky, has agreed to a settlement worth up to $1,000,000 to resolve claims stemming from a 2024 data breach that exposed sensitive patient information. If you received services from Seven Counties across Bullitt, Henry, Jefferson, Oldham, Shelby, Spencer, or Trimble counties, you may be eligible for up to $5,000 in documented out-of-pocket losses, a flat $75 cash payment requiring no documentation, or free credit monitoring and identity theft protection services. Claims must be filed by April 20, 2026 through the official settlement website at [www.SCSSettlement.com](https://scssettlement.com/). The breach occurred between July 19 and August 12, 2024, when attackers used phishing emails to compromise employee email accounts, gaining access to patient names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, medical diagnoses, and dates of service.
For a mental health provider, this kind of exposure is particularly concerning — someone whose diagnosis or treatment history is leaked faces risks that go well beyond fraudulent credit card charges. The case, *Overstreet v. Seven Counties Services*, was filed in Jefferson Circuit Court under Case No. 24-CI-007516, and the settlement fund covers multiple forms of compensation. Below, we break down who qualifies, what you can claim, and the tradeoffs between the different payment options.
Table of Contents
- What Does the Seven Counties Services Data Breach Settlement Offer in Cash and Credit Monitoring?
- Who Is Eligible and How the Phishing Attack Compromised Patient Data
- How to File a Claim Before the April 2026 Deadline
- Choosing Between the $75 Cash Payment and Documented Loss Claims
- Why Mental Health Data Breaches Carry Heightened Risks
- The Role of Stranch, Jennings & Garvey in the Litigation
- What Comes Next for Affected Individuals
What Does the Seven Counties Services Data Breach Settlement Offer in Cash and Credit Monitoring?
The settlement provides three distinct compensation tracks. The simplest is the Alternative Cash Payment of $75, which requires no receipts, no proof of harm, and no documentation at all. You simply submit a valid claim form by the deadline. For anyone who experienced actual financial losses tied to the breach — fraudulent charges, fees for credit freezes, costs of hiring an identity theft resolution service — the settlement allows claims for documented out-of-pocket expenses up to $5,000. The third track covers lost time, compensating class members for hours spent dealing with breach-related problems like disputing unauthorized transactions or placing fraud alerts. On top of the monetary options, the settlement includes credit monitoring and identity theft protection services.
This is standard in data breach settlements, but it matters here because the compromised data included Social Security numbers and dates of birth — the two pieces of information most useful for opening fraudulent accounts. If you haven’t already enrolled in some form of credit monitoring since the breach was disclosed in October 2024, this benefit alone has real value. Unlike the cash payment, credit monitoring provides ongoing protection rather than a one-time payout. It is worth noting that the $1,000,000 total fund is a cap, not a guarantee of individual payouts. If the volume of valid claims exceeds the fund, payments may be reduced on a pro rata basis. The $75 alternative cash payment and the $5,000 out-of-pocket maximum are upper limits, and actual distributions depend on how many people file.
Who Is Eligible and How the Phishing Attack Compromised Patient Data
Eligibility extends to individuals whose personal information was contained in the compromised email accounts during the breach window of July 19 through August 12, 2024. Seven Counties Services sent notification letters to affected individuals on October 3, 2024, so if you received one of those letters, you are almost certainly a class member. However, if you were a patient at Seven Counties during that period and did not receive a letter, that does not automatically mean you were unaffected — notification processes sometimes miss people due to outdated mailing addresses or other administrative gaps. The official settlement site at [SCSSettlement.com](https://scssettlement.com/) can confirm your eligibility. The breach itself was a phishing attack, meaning no one hacked through a firewall or exploited a software vulnerability in the traditional sense. Attackers sent emails that appeared to come from a trusted source, and employees clicked through and inadvertently gave up their account credentials.
Once inside those email accounts, the attackers had access to whatever patient data those accounts contained — which turned out to include highly sensitive categories like diagnoses and Social Security numbers. This method of attack is alarmingly common in healthcare; phishing accounts for the majority of healthcare data breaches because it targets the human link in the security chain rather than the technical one. One important limitation: the settlement covers losses “fairly traceable” to this specific data breach. If you experienced identity theft but cannot connect it to the Seven Counties incident — for example, if your data was also compromised in a separate, unrelated breach around the same time — your claim for out-of-pocket losses may face scrutiny. The $75 flat payment, by contrast, does not require you to prove any specific harm, making it the safer option for anyone unsure about causation.
How to File a Claim Before the April 2026 Deadline
Filing a claim requires submitting a completed claim form either online through [SCSSettlement.com](https://scssettlement.com/) or by mail, postmarked no later than April 20, 2026. The online process is straightforward — you will need to provide identifying information to verify your class membership and select which compensation category you are claiming. For the $75 alternative cash payment, that is essentially all you need to do. If you are pursuing documented out-of-pocket losses, you will need to gather supporting evidence before filing. This includes bank or credit card statements showing fraudulent charges, receipts for credit monitoring services you purchased on your own, invoices from identity theft resolution companies, or records of fees you paid to obtain credit reports or place security freezes.
The stronger your documentation, the less likely your claim is to be reduced or denied. For example, if you noticed unauthorized charges on your credit card in September 2024 — after the breach period but before the notification letters went out — and you can show those charges were linked to information exposed in the breach, that creates a clear paper trail. For lost time claims, you will generally need to describe the time you spent and the activities you undertook in response to the breach. Keep in mind that vague claims like “I spent a lot of time worrying” are unlikely to be compensated. Concrete actions — calling your bank, filing a police report, disputing charges, enrolling in monitoring services — are what settlement administrators look for.
Choosing Between the $75 Cash Payment and Documented Loss Claims
The decision between taking the flat $75 and pursuing a larger claim for documented losses comes down to a simple tradeoff: certainty versus potential upside. The $75 payment requires no proof and no effort beyond filling out the form. If your claim is valid, you get $75 (subject to pro rata reduction if the fund is oversubscribed). There is almost no risk of denial. Claiming documented out-of-pocket losses up to $5,000 offers a significantly larger potential payout, but it requires work. You need documentation, you need to articulate how the losses connect to this specific breach, and there is a chance the settlement administrator reduces or rejects portions of your claim.
If you spent $200 on a credit monitoring subscription and $50 on credit report fees, the math favors filing for documented losses. If your actual provable expenses are under $75, take the flat payment — it is simpler and likely nets you more money. You generally cannot double-dip by claiming both the $75 alternative payment and documented out-of-pocket losses. The claim form requires you to select one compensation path or the other. However, credit monitoring and identity theft protection services are typically available to all class members regardless of which monetary option they choose. Review the claim form carefully at [SCSSettlement.com](https://scssettlement.com/) to confirm the specific terms.
Why Mental Health Data Breaches Carry Heightened Risks
Not all data breaches are created equal, and one involving a behavioral and mental health provider sits near the top of the severity scale. When a retailer gets breached, attackers get your name and credit card number. When a mental health provider gets breached, attackers may get your psychiatric diagnoses, substance abuse treatment records, and dates of service — information that can be weaponized for blackmail, discrimination, or targeted social engineering scams. Seven Counties Services serves a vulnerable population across seven Kentucky counties, providing services that many clients would prefer to keep private.
The exposure of diagnoses alongside identifying information like Social Security numbers and addresses creates a layered risk: not only can bad actors commit financial fraud, they can also potentially use sensitive health information in ways that cause reputational or emotional harm. This is a dimension of damage that the settlement’s $5,000 cap on out-of-pocket losses may not fully address, since emotional distress and privacy violations are harder to quantify in dollars. If you were affected by this breach and are concerned about the exposure of your mental health records specifically, consider placing a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion) independently of whatever monitoring the settlement provides. A credit freeze is free, and it prevents anyone from opening new accounts in your name — a more aggressive protection than monitoring, which only alerts you after suspicious activity has already occurred.
The Role of Stranch, Jennings & Garvey in the Litigation
The law firm Stranch, Jennings & Garvey, PLLC, which lists privacy and cybersecurity litigation among its core practice areas, has been involved in pursuing this case on behalf of the class. In data breach class actions, the plaintiff’s attorneys typically work on a contingency basis, meaning their fees come out of the settlement fund rather than from individual class members’ pockets.
This is relevant because it means the $1,000,000 fund will be reduced by attorney fees and administrative costs before the remainder is distributed to claimants. For class members, the practical implication is that the effective pool of money available for individual payments is smaller than the headline $1,000,000 figure. This is standard practice in class action settlements and is not unusual, but it is worth understanding when you set expectations about what your individual payment might look like.
What Comes Next for Affected Individuals
The April 20, 2026 claims deadline is approaching, and anyone who believes they were affected should act sooner rather than later. Gathering documentation takes time, and the settlement website may experience delays as the deadline draws near. Filing early ensures you are not scrambling at the last minute or missing the cutoff due to a technical issue.
Looking ahead, data breaches involving healthcare providers are likely to continue increasing in frequency and severity. The Seven Counties incident is a reminder that phishing remains one of the most effective attack vectors in the healthcare sector, and that the consequences for patients extend beyond financial fraud into deeply personal territory. Whether or not this particular settlement fully compensates you for the exposure of your data, taking protective steps now — credit freezes, monitoring, and vigilant review of your financial accounts — is the most practical thing you can do.