OneBlood to pay up to $1 million in settlement over 2024 data breach

OneBlood, a non-profit organization that provides blood to about 350 hospitals across the southeastern United States, has agreed to pay up to $1 million to resolve a class action lawsuit stemming from a ransomware attack and data breach in July 2024 that exposed the personal information of more than 167,000 individuals.

The cyberattack, which occurred between July 14 and July 29, 2024, gave a threat actor access to OneBlood’s systems, allowing them to steal sensitive information and encrypt company files. An investigation later confirmed that names and Social Security numbers belonging to 167,400 people had been compromised.

Three individuals affected by the breach, Deanna Newberry, Matthew Shuttleworth, and Andy Shuttleworth, filed suit against OneBlood, alleging the organization failed to maintain reasonable security safeguards. The plaintiffs argued that the attack and resulting data theft could have been prevented with stronger protections. The lawsuit, filed as Newberry, et al. v. OneBlood, Inc., sought damages for the named plaintiffs and others in the same situation.

OneBlood has denied any wrongdoing and disputes the plaintiffs’ claims but agreed to settle in order to avoid the expense and uncertainty of prolonged litigation. Florida Circuit Court Judge Keathan B. Frink granted preliminary approval of the settlement, which offers compensation and additional security commitments.

Under the terms, class members may file for reimbursement of up to $2,500 in documented, unreimbursed losses directly tied to the breach or choose an alternative cash payment of $60. OneBlood will cover attorneys’ fees, settlement administration costs, service awards, and payments to class members, with the total capped at $1 million. If claims exceed the limit, payments will be reduced proportionally.

As part of the resolution, OneBlood has also committed to enhancing its data security practices. The organization will provide class counsel with a confidential list of measures implemented since the breach, with the goal of improving protections for donors and patients.

Individuals affected by the breach have until December 4, 2025, to submit a claim. Anyone wishing to opt out of the settlement or file an objection must do so by November 9, 2025. A final fairness hearing is scheduled for December 9, 2025, to determine whether the settlement will receive final approval.