How the Breach Unfolded
CarePro discovered the incident around November 16, 2023, when it detected suspicious activity on a network system that stored patient information in unencrypted form. By the time the intrusion was contained, attackers had already accessed and removed files containing patient data.
The company later notified affected individuals and regulators, and offered complimentary credit monitoring and identity protection services after confirming that patient information had been exfiltrated.
What Data Was Exposed
According to the litigation filings and settlement papers, the compromised information included a mix of personal, financial, and medical details. Data elements may have included:
- Full names and contact information
- Dates of birth
- Social Security numbers
- Driver’s license or state ID numbers
- Financial account details
- Medical and health-related information
Because this type of information can be misused long after an incident, the lawsuit alleged that patients now face an elevated and ongoing risk of identity theft and fraud.
From Breach Notice to Class Action Lawsuit
The initial lawsuit was filed by CarePro patient Brandi Bell, individually and on behalf of other impacted individuals, after notification letters went out. A second complaint followed, brought by plaintiff Brandie Keegan on behalf of herself and her minor child. The cases were consolidated in the Iowa District Court for Linn County under the caption Bell et al. v. C.R. Pharmacy Services, Inc. d/b/a CarePro Health Services.
The plaintiffs alleged that CarePro failed to use reasonable cybersecurity measures to protect highly sensitive information and that the breach could have been prevented with appropriate safeguards. In addition to negligence theories, the complaint asserted claims such as negligence per se, breach of implied contract, invasion of privacy, breach of fiduciary duty, breach of confidence, unjust enrichment, and violations of Iowa consumer protection and data security statutes.
Patients argued that they suffered concrete injuries, including invasion of privacy, time and effort spent monitoring accounts, anxiety over potential misuse of their data, diminished value of personal information, and loss of the benefit of the bargain for healthcare services that were supposed to include adequate data protection.
CarePro’s Position
CarePro has denied any liability or wrongdoing throughout the case. The company maintains that it disagrees with the allegations but chose to settle to avoid the uncertainty, expense, and disruption of continued litigation, trial, and possible appeals.
The settlement does not constitute an admission of fault. Instead, it represents a negotiated compromise the parties describe as fair and reasonable in light of the risks on both sides.
What the $1.3 Million Settlement Provides
The settlement creates a $1.3 million common fund. From that total, court-approved attorneys’ fees and litigation expenses, service awards for the representative plaintiffs, and administrative costs will be paid first. The remaining balance will be used to provide benefits to class members who submit valid claims.
1. Reimbursement of Documented Losses (Up to $5,000)
Class members can seek reimbursement for documented, unreimbursed out-of-pocket losses that are reasonably traceable to the CarePro data breach, up to a maximum of $5,000 per person.
Eligible losses can include things like:
- Bank fees, overdraft charges, or late fees linked to fraudulent activity
- Costs for credit monitoring or identity theft protection purchased because of the breach
- Professional fees or expenses related to resolving identity theft issues
- Other documented fraud- or identity-theft-related losses connected to the incident
Claimants will need to provide supporting documentation (for example, statements, invoices, receipts, or correspondence) to qualify for this category of relief.
2. Cash Payments (Estimated Around $100 Per Claimant)
In addition to, or instead of, loss reimbursement, class members may submit a claim for a cash payment from the settlement fund. Current estimates place that payment at approximately $100 per qualifying class member, but the actual amount will be calculated on a pro rata basis.
The final per-person cash payment will depend on how many valid claims are approved, how much is paid out for documented losses, and the cost of credit monitoring and administration that must be covered from the fund.
3. Credit Monitoring and Identity Protection
All settlement class members are also eligible to claim two years of credit and identity protection services. Those services include:
- Three-bureau credit monitoring
- Dark web monitoring
- Identity theft protection and related support services
The cost of providing these services will be paid from the settlement fund before the cash payments are calculated.
Who Is Included in the Settlement Class
The settlement class generally consists of individuals whose personal information was stored in CarePro’s systems and was potentially affected by the November 2023 data incident. The class size is estimated at approximately 151,499 people.
Exact eligibility is defined in the settlement documents and notice materials, which spell out the relevant time period and the types of records that bring someone within the class.
Important Deadlines
Several key dates govern how and when class members can act:
- Claim filing deadline: December 3, 2025
- Deadline to opt out of or object to the settlement: December 3, 2025
- Final approval (fairness) hearing: currently scheduled for January 23, 2026
Class members who do nothing will not receive money or credit monitoring from the settlement but will still be bound by the court’s final judgment and the release of claims if the settlement is approved.
Takeaways for Healthcare Organizations
The CarePro settlement underscores a few trends that have become familiar in healthcare data breach litigation:
- Unencrypted patient data on internet-accessible systems continues to be a prime target for attackers.
- Even mid-sized providers can face class action exposure affecting tens of thousands of patients after a single incident.
- Courts are increasingly receptive to arguments that time spent responding to a breach, monitoring accounts, and dealing with anxiety over potential misuse of data can qualify as real harm.
For covered entities and their business associates, the case is another reminder that technical controls (such as encryption, network segmentation, and robust monitoring) and timely incident response are no longer optional. When those controls fail or are missing, the cost is measured not only in regulatory scrutiny but also in class action settlements like this one.