Greater Cincinnati Behavioral Health Services to pay up to $850,000 in ransomware settlement

Greater Cincinnati Behavioral Health Services (GCBHS), a nonprofit provider of mental health and addiction recovery services, has agreed to pay up to $850,000 to settle litigation stemming from a December 2023 ransomware attack that compromised patient and employee data.

The organization discovered the cyberattack on December 10, 2023, and determined that hackers had gained access to its network the previous day using stolen employee credentials. The DragonForce ransomware group was identified as responsible for the intrusion, which resulted in the theft of approximately 72 gigabytes of sensitive data, including names, birth dates, Social Security numbers, driver’s license numbers, and health insurance details.

According to a filing with the Maine Attorney General, about 62,000 individuals were affected by the breach, and the U.S. Department of Health and Human Services’ Office for Civil Rights was notified that protected health information for up to 50,000 people may have been exposed. GCBHS began notifying affected patients and employees on June 12, 2024.

The breach prompted two class action lawsuits, later consolidated into a single case, In Re: Greater Cincinnati Behavioral Health Services Data Incident Litigation, filed in the Court of Common Pleas for Hamilton County, Ohio. The complaint accused GCBHS of failing to implement adequate cybersecurity safeguards to protect personal and medical information. It included claims of negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. GCBHS denied all allegations of wrongdoing.

Following mediation and extended negotiations, the parties reached a settlement in principle that has now received preliminary court approval. Under the agreement, GCBHS will establish a settlement fund of up to $850,000, covering attorneys’ fees, administrative expenses, and service awards for class representatives. Approximately 61,850 individuals are eligible to participate in the settlement.

Class members may file claims for reimbursement of documented, unreimbursed losses up to $5,000 per person. Those without such losses may receive a pro rata cash payment estimated between $60 and $120. All affected individuals will also be eligible for a one-year subscription to the CyEx Medical Shield identity protection service, which monitors credit activity across all three major bureaus.

The deadline to object to or exclude oneself from the settlement is November 11, 2025. Claims must be submitted by December 11, 2025. A final approval hearing is scheduled for January 14, 2026.