Oak Valley Hospital, located in Oakdale, California, reached a settlement in a class action related to a 2023 data breach. On July 18, 2023, Oak Valley detected suspicious activity on its IT systems. Pursuant to the forensic investigation, Oak Valley determined that an unauthorized third-party had access to its systems from April 21 to July 18, 2023. Based on the investigation, Oak Valley determined that during that timeframe, billing files and treatment records may have been viewed and/or exfiltrated. The affected information included names, health insurance information, treatment information, and Social Security numbers. The breach affected 268,267 patients.

The class action against Oak Valley alleged that breach victims were subject to heightened and ongoing risk of identity theft.

Pursuant to the terms of the settlement, class members who submit valid claims may be eligible for a $100 payment and may also receive reimbursement for documented out-of-pocket expenses if such expenses are “fairly traceable” to the breach, up to $5,000. Class members may also submit claims for lost time at $30 per hour.

Further, as part of the settlement, Oak Valley also agreed to enhance its cybersecurity practices and safeguards to protect personal and protected health information.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.