Octapharma Plasma Agreed to Pay $2.55M to Settle Data Breach Lawsuit

By Daniel Lopez

Octapharma Plasma has agreed to settle litigation over its April 2024 ransomware attack and data breach. Octapharma Plasma has more than 190 blood plasma donation centers located in 35 states. Around April 17, 2024, Octapharma discovered suspicious activity within its computer systems. The investigation confirmed unauthorized access to areas of its network that contain sensitive personal information, including names, Social Security numbers, birth dates, health data, donor eligibility details, financial data, employee information, and business information.

On April 26, 2024, immediately after the announcement of the cyberattack, Bret Woodall filed a class-action lawsuit against Octapharma. Several other lawsuits were subsequently filed in connection with the data breach. The lawsuits were consolidated into a single action, Woodall v. Octapharma Plasma Inc., given that they were the same in material and substance and had overlapping claims. The consolidated lawsuit alleged that Octapharma failed to properly secure, monitor, and maintain personal data and that, because of that failure, the plaintiffs and class members experienced injuries and damages, including loss of value of their personal information, identity theft, lost time, and out-of-pocket costs incurred mitigating the impact of the data breach.

The lawsuit asserted claims of negligence, unjust enrichment, breach of implied contract, breach of fiduciary duty, breach of confidence, declaratory judgment, invasion of privacy, and violations of the California Unfair Competition Law, California Customer Records Act, California Consumer Privacy Act, California Consumer Legal Remedies Act, California Confidentiality of Medical Information Act, North Carolina Unfair and Deceptive Trade Practices Act, Oregon Unlawful Trade Practices Act, Oregon Consumer Identity Theft Protection Act, Illinois Personal Information Protection Act, Illinois Uniform Deceptive Trade Practices Act, and Illinois Consumer Fraud and Deceptive Business Practices Act.

Octapharma does not admit to the claims and arguments in the litigation and maintains that there was no wrongdoing. After weighing the probable costs of moving forward with the litigation and the uncertainty and risks of a jury trial, all parties decided to resolve the lawsuit. After several months of discussions, the parties reached an acceptable settlement. The settlement has just received the court’s preliminary approval.

Under the terms of the settlement, Octapharma agreed to create a $2,550,000 settlement fund, which will be used to pay attorneys’ fees and expenses, service awards, and settlement administration costs. The remainder of the settlement fund will pay valid claims submitted by class members.

The settlement of this HIPAA violation makes class members eligible to claim the following benefits:

  • Compensation for documented, unreimbursed losses resulting from the data breach, up to $5,000 for each class member
  • A flat cash payment, estimated at $100
  • Three years of credit monitoring services
  • Class members who resided in California at the time of the data breach can claim an additional $50 flat cash payment
  • The cash payments will be adjusted pro rata and may be higher or lower, based on the number of legitimate claims filed.

Individuals who want to exclude themselves from or object to the settlement must do so by October 29, 2025. Claims must be filed on or before November 14, 2025. The final approval hearing is scheduled for December 4, 2025.


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA