Compliance

Granite Wellness Centers Pays $725,000 to Settle Data Breach Litigation

By Daniel Lopez

Granite Wellness Centers has agreed to a $725,000 class action settlement to resolve litigation arising from a January 2021 ransomware attack and data breach affecting up to 15,600 individuals.

Incident Overview

Granite Wellness Centers is a network of drug addiction treatment centers in Northern California. The organization detected a ransomware attack on or around January 5, 2021. A forensic investigation confirmed that the ransomware actor acquired files that contain sensitive patient data.

The information involved included names, birth dates, home addresses, dates of care, treatment data, care providers, health information, medical insurance details, medical histories, Social Security numbers, driver’s license numbers, and bank account numbers.

Up to 15,600 individuals were affected by the incident. In compliance with the HIPAA Breach Notification rule, the covered entity notified the affected individuals on or around March 5, 2021.

Litigation History

The first class action lawsuit was filed on June 14, 2023. In September 2023, an amended complaint was filed in Bente, et al. v. Granite Wellness Centers in the Superior Court of the State of California, County of Placer.

The lawsuit asserted claims for breach of implied contract, negligence, negligence per se, declaratory judgment, and unjust enrichment. Granite Wellness Centers claims it committed no wrongdoing and stated that the data breach did not harm the affected individuals.

After mediation, the parties agreed to resolve the litigation to avert the cost and uncertainty of a trial. The settlement includes no admission of wrongdoing or liability by Granite Wellness Centers.

Settlement Terms

The settlement requires Granite Wellness Centers to create a $725,000 settlement fund. The fund will cover attorneys’ fees of up to 33.33 percent of the settlement fund, litigation expenses of up to $20,000, service awards of up to $2,000 per class representative, and payments to class members.

Class members may file a claim for a cash payment pro-rated to be approximately $750 per class member. The actual payment amount may be higher or lower depending on the number of claims submitted.

Class members may also submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member.

Individuals who were California residents at the time of the data breach may file a claim for an additional $100 statutory cash payment.

Deadlines and Hearing Date

The deadline to opt out of the settlement or object to its terms is March 28, 2026. The deadline to submit a claim is April 27, 2026. The final fairness hearing schedule is on April 28, 2026.

Image credits: Fotograf, Adobestock / logo©GraniteWellnessCenters

Twitter Facebook LinkedIn Reddit Link copied to clipboard

Posted by

Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA

Related News

ApolloMD’s May 2025 Ransomware Attack Affected 626,500 Patients

Shadow AI-Linked Data Breaches Increase Costs and Insider Incident Losses