Rancho Family Medical Group Settles Data Breach Litigation for $315K

November 30, 2025HIPAA News0

Primary care medical group, Rancho Family Medical Group, serving patients around Southern California, faced a class action litigation associated with a data breach in 2023 that compromised patients’ protected health information (PHI). To resolve the lawsuit, it has decided to pay $315,000.

KMJ Health Solutions sent a notification to Rancho FMG on January 11, 2024 that it encountered a security breach. KMJ is the medical group’s provider of online signout and charge capture systems. The security incident that occurred on November 19, 2023 resulted in the exposure of patient data, including names, birth dates, medical record numbers, medical procedure codes, service dates, and treatment locations.

KMJ Health Solutions cannot determine precisely the affected patients or the types of exposed data, because the affected data were deleted and cannot be recovered. On or about March 12, 2024, Rancho FMG informed all potentially impacted patients, which include present patients and patients in the last ten years. Roughly 11,500 breach notification letters had been sent by mail, though the notice sent to HHS Office for Civil Rights indicated that 10,480 individuals were affected.

Soon after issuing the notifications, plaintiff Catrina Brannona filed a class action lawsuit in the Superior Court of California, County of Riverside, personally and on behalf of individuals with similar situations. The lawsuit stated claims of violations of California’s Unfair Competition Law (UCL) and the California Confidentiality of Medical Information Act (CMIA).

Rancho FMG does not admit to any wrongdoing and does not concur with all claims and allegations in the lawsuit. The parties involved opted for a mediation to avoid unwanted legal expenses and reached a settlement that was fair to all parties. Based on the terms of the settlement, Rancho FMG will create a $315,000 settlement fund to pay for notice and management costs, service awards, fee awards and expenses, and class members’ benefits. All class members will be sent a code to avail three-bureau credit monitoring services for three years.

On top of that, class members may file a claim for compensation of up to 4 hours of lost time (valued at $17 per hour) spent on addressing the issues linked to the data breach. Claims may likewise be sent for compensation of documented, unreimbursed out-of-pocket expenses because of the data breach, and any outstanding settlement fund will be used for cash payments computed pro rata, which is about $1,000 per class member. The exact amount of cash payments will vary according to the number of valid claims submitted.

The court has given preliminary approval of the settlement. The schedule of the final fairness hearing is January 28, 2026. Class members may object to and/or exclude themselves from the settlement until December 29, 2025. Filing of claims is until December 29, 2025.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2025 ComplianceHome. All rights reserved.