CorrectCare settles class action over 2022 data breach for $6.49 million

CorrectCare Integrated Health LLC, a Kentucky-based third-party medical claims administrator for correctional facilities, has agreed to a $6.49 million settlement following a 2022 data breach. The breach, which exposed sensitive personal and medical information of nearly 600,000 individuals, prompted a class action lawsuit that has now reached its conclusion, with final court approval granted on September 17, 2024.

The data breach occurred between January 22, 2022, and July 7, 2022, due to a misconfiguration on CorrectCare’s web server, allowing unauthorized access to sensitive files. The compromised data included names, dates of birth, inmate numbers, diagnosis codes, treatment details, and, in some cases, Social Security numbers. The breach impacted individuals who received treatment between January 1, 2012, and July 7, 2022.

The law firm Shub & Johns initiated the class action lawsuit in December 2022 and amended it in March 2024. Despite CorrectCare’s motion to dismiss, the lawsuit proceeded, culminating in a tentative settlement in April 2024, followed by a claims submission period ending August 27, 2024. Over 100,000 claims were filed, representing approximately 17% of the affected individuals.

One-third of the settlement amount will cover legal fees, while $12,313 will address litigation expenses. The five named plaintiffs will each receive service awards of $2,500. Chief Judge Danny C. Reeves, who oversaw the case, approved the final settlement, emphasizing the importance of collective legal action in securing compensation for those unlikely to pursue individual claims.