Cyberattack on member-owned healthcare payer ends in $3.5M settlement

A nonprofit health plan in Wisconsin has agreed to pay $3.5 million to settle a class-action lawsuit over a January 25, 2024 data breach that exposed personal records on 533,000 of its members to hackers. With this agreement, announced last week, all claims related to the incident are now resolved. 

Notably, the Group Health Cooperative of South Central Wisconsin—a healthcare payer owned by its members—is regional and only serves roughly 79,000 people. During the cyberattack, however, hackers were able to access records on the families of members, as well as information on those formerly enrolled with the health plan. 

Exposed data included names, addresses, telephone numbers, emails and dates of birth, as well as insurance information. Social Security numbers were also said to have been accessed. 

At the time, Group Health Cooperative said in a notification letter that a “foreign ransomware gang” had contacted it and claimed responsibility for the attack and data theft. The incident had all the hallmarks of a ransomware attack. To date, it’s not clear if one was paid. 

The health plan said it had no evidence stolen data was used maliciously, and to date no trove of personal information related to the incident has been found on the dark web. 

The FBI assisted in the investigation, as did the Cybersecurity and Infrastructure Security Agency. The vector of the attack—how cybercriminals gained access to Group Health Cooperative’s network—was not revealed. 

Such details may have been revealed in trial, but all lawsuits against the payer co-op are now settled out of court. 

Subscribe to Health Exec News

Cash or credit protection?

A website has been established for victims to make a claim for benefits, should they choose to do so. All class members will be given three years of credit monitoring services along with $1 million in identity theft insurance. Those that suffered financial losses as a result of the data breach, such as anyone who had their identity stolen, may seek up to $5,000 in direct reimbursement based on need. 

Additionally, anyone affected may choose to opt out of all of the above and claim a one-time cash payment. No amount was provided, but as is typical with these settlements, claimants get less than $100. 

The deadline for submitting any claim is January 20, 2026. The terms of this agreement and related awards are expected to be finalized during a hearing scheduled for February 4, 2026. 

For more information, check out the settlement website by clicking here.  

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Subscribe to Health Exec News

Subscribe to Health Exec News