A Chicago anti-poverty organization and affiliated entities have decided to pay $300,000 to settle a class action lawsuit associated with a 2022 data breach. On or about December 15, 2022, Heartland Alliance announced a data security incident involving an unauthorized third-party that accessed its system, which contained files with sensitive data, such as names, birth dates, driver’s license numbers, Social Security numbers, bank account numbers, and health data. The company sent breach notification letters on or about December 21, 2022. The data breach was reported in December 2022, but the attackers acquired access to the system on January 26, 2022. Heartland Alliance notified the HHS’ Office for Civil Rights about the data breach affecting the protected health information (PHI) of 46,694 people.
Because of the data breach, Heartland entities – Heartland Alliance Health, Wittmeyer et al. v. Heartland Alliance for Human Needs & Human Rights, Heartland Housing, Inc., Heartland Human Care Services, Inc, and Heartland Alliance International, LLC faced several lawsuits filed in the Circuit Court for Lake County, Illinois, County Department, Chancery Division. The plaintiffs claimed that the defendants were negligent because they did not apply acceptable security measures subject to the FTC Act, HIPAA, and the Illinois Consumer Fraud and Deceptive Business Practices Act.
The lawsuit also stated claims of negligence per se, associated with the insufficiency of encryption or safety measures implemented as demanded by HIPAA, breach of implied contract, breach of contract, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. The defendants rejected all claims and arguments in the lawsuit and maintained they did nothing wrong; nevertheless, both parties agreed to a settlement after looking at the rates, expenses, distraction, and risks connected with ongoing litigation.
The terms of the settlement allow class members to claim payment for documented, unreimbursed expenses of around $6,000. That includes approximately $1,000 for ordinary expenses and around $5,000 for extraordinary losses because of identity theft and fraud. Claims can likewise be developed for about three hours of lost time at $22.50 an hour as payment for time spent dealing with concerns associated with the data breach. The settlement additionally requires three-bureau credit monitoring services for two years with an identity theft insurance plan worth $1 million.
The court has given preliminary approval of the settlement. The schedule of the final approval hearing is November 19, 2025. People looking to exclude themselves or object to the settlement can do so on or before September 30, 2025. Impacted people can claim reimbursement, lost time, and credit monitoring services from the law filed on or before October 30, 2025. More information about the settlement can be read on heartlanddatasettlement.com/
Image credit: Thipphaphone, AdobeStock / logo©HeartlandAlliance
