Balance Autism Agrees to Resolve Class Action Data Breach Lawsuit

Balance Autism has decided to resolve a class action lawsuit related to a cybersecurity incident that exposed patient information in March 2025. The Altoona, Iowa-based organization reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights as involving unauthorized access to the protected health information (PHI) of 1,281 individuals.

Details of the Cybersecurity Incident

Balance Autism identified the incident on or around March 17, 2025. Hackers had gained access to its network between March 11, 2025, and March 17, 2025. The compromised data included names, birth dates, Social Security numbers, medical insurance details, and Medicaid numbers. The organization reported the breach as unauthorized access to PHI.

Litigation Background

Plaintiff Andrea Bennett filed the Bennett v. Balance Autism class action lawsuit in the Iowa District Court for Polk County, individually and on behalf of other affected individuals. The lawsuit alleged that the incident resulted from negligence in failing to implement the proper cybersecurity guidelines to secure sensitive data. Claims included breach of implied contract, negligence, unjust enrichment, breach of fiduciary duty, and violation of privacy. Balance Autism denied all allegations of wrongdoing, and , but agreed to a settlement to resolve the litigation.

Settlement Terms

Under the settlement agreement, Balance Autism will provide two years of credit monitoring and identity theft protection services. Affected individuals may submit claims for reimbursement of out-of-pocket losses up to $400 and up to four hours of lost time at $20 per hour. Alternatively, class members may submit a claim for a cash payment estimated at $50, subject to adjustment depending on the number of claims received.

Deadlines and Court Approval

The deadline for exclusion and objection is May 1, 2026. The claims deadline is June 1, 2026. The final approval hearing will be on June 12, 2026.