Behavioral Health Resources Settles Data Breach Lawsuit for $1.1 Million

By Daniel Lopez

Behavioral Health Resources, located in Olympia, Thurston County, Washington, has agreed to settle a consolidated class action lawsuit over a data breach discovered on November 20, 2024. According to the forensic investigation, unauthorized access to the systems of this behavioral and mental health services company resulted in the compromise and probable theft of the personal data and protected health information (PHI) of 50,083 current and former patients. In compliance with the HIPAA Breach Notification Law, Behavioral Health Resources notified the affected individuals about the incident in January 2025.

In response to the data breach, plaintiff Carol Walker filed the first class action lawsuit in the Superior Court of Thurston County, Washington. Plaintiffs Rebecca A. Campos, Smukweshun Okena, Adam Shotswell, and Kim Ridgway also filed separate class action lawsuits, which were combined as the Walker et al. v. Behavioral Health Resources lawsuit.

The plaintiffs assert that Behavioral Health Resources did not implement proper cybersecurity procedures to safeguard patients’ PHI, thereby violating government and state regulations. Behavioral Health Resources denies any wrongdoing and maintains that class members and class representatives did not sustain any damages as a result of the data breach. The defendant also argues that the complaint does not satisfy the requirements of a class action lawsuit. After mediation and successful talks, all parties consented to resolve the lawsuit to avoid further legal expenses and the unpredictability of a trial. All parties agreed to a settlement on August 25, 2025, to which the court has granted preliminary approval.

Behavioral Health Resources will create a $1.1 million settlement fund to cover attorneys’ fees and costs, settlement management costs, and the class representatives’ service awards. After deducting those costs, the remainder of the settlement fund will be spent on class members’ benefits. Each class member may file a claim for reimbursement of documented, unreimbursed costs associated with the data breach, up to $5,000. Class members may additionally file a claim for validated lost time, up to a maximum of five hours valued at $25 an hour, as well as a one-time cash payment, which is estimated to be roughly $100 per class member, although it may be higher or lower depending on the number of valid claims received.

Class members can also claim three years of the CyEx Medical Shield Total healthcare data monitoring service, which includes $1 million in identity theft insurance coverage. The final approval hearing is scheduled for February 6, 2026. The last day to opt out of or object to the settlement is December 13, 2025. The last day to file a claim is January 1, 2026.




Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA