Recently, San Diego Family Care (SDFC) settled a class action related to a 2020 data breach for $1 million. The class includes all SDFC patients (or their parents/guardians) who received a breach notification in May 2021.

SDFC offers patients primary care services as well as dental and mental health care, has eight health centers in San Diego and examines thousands of patients. In December 2020, SDFC was the victim of a data breach, leading to the unauthorized disclosure of names, dates of birth, Social Security numbers, account numbers, treatment information, insurance data, and other sensitive patient data. The breach occurred as a result of SDFC’s technology-hosting provider’s lax security safeguards. The provider was the victim of a breach, which led to the attack on SDFC. SDFC stated in the notification letter that it learned of the breach in January 2021.

The complaints in the consolidated class actions allege that SDFC failed to protect patients’ information during the 2020 data breach, and that SDFC did not promptly notify patients upon learning of the breach so they could take steps to protect themselves from identity theft or other harm.

Eligible class members may receive cash payments up to $100 and may also submit documentation for reimbursement for ordinary out-of-pocket expenses of up to $1,000 and up to $5,000 for extraordinary out-of-pocket expenses. Each class member may also redeem identity theft protection services within 90 days of receiving a code for such services. The court is scheduled to issue its final approval of the settlement on July 29, 2022, and class members have until July 15, 2022, to submit a claim for reimbursement.