Recently, San Diego Family Care (SDFC) settled a class action related to a 2020 data breach for $1 million. The class includes all SDFC patients (or their parents/guardians) who received a breach notification in May 2021.

SDFC offers patients primary care services as well as dental and mental health care, has eight health centers in San Diego and examines thousands of patients. In December 2020, SDFC was the victim of a data breach, leading to the unauthorized disclosure of names, dates of birth, Social Security numbers, account numbers, treatment information, insurance data, and other sensitive patient data. The breach occurred as a result of SDFC’s technology-hosting provider’s lax security safeguards. The provider was the victim of a breach, which led to the attack on SDFC. SDFC stated in the notification letter that it learned of the breach in January 2021.

The complaints in the consolidated class actions allege that SDFC failed to protect patients’ information during the 2020 data breach, and that SDFC did not promptly notify patients upon learning of the breach so they could take steps to protect themselves from identity theft or other harm.

Eligible class members may receive cash payments up to $100 and may also submit documentation for reimbursement for ordinary out-of-pocket expenses of up to $1,000 and up to $5,000 for extraordinary out-of-pocket expenses. Each class member may also redeem identity theft protection services within 90 days of receiving a code for such services. The court is scheduled to issue its final approval of the settlement on July 29, 2022, and class members have until July 15, 2022, to submit a claim for reimbursement.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.