Gandara Mental Health Center Agrees to Settle Data Breach Class Action Lawsuit

May 18, 2026HIPAA News Today0

Gandara Mental Health Center located in Springfield, Massachusetts, decided to settle a class action lawsuit related to a cyberattack and data breach in June 2024 that affected 17,543 individuals.

Gandara Mental Health discovered the cyberattack on June 20, 2024 and submitted a data breach report to HHS Office for Civil Rights. The organization confirmed the breach of personal information and protected health information (PHI) during the incident. The affected information included names, addresses, birth dates, Social Security numbers, driver’s license numbers, diagnoses, treatment data, and medical insurance information.

The hackers claimed to have stolen approximately 450 GB of data from Gandara Mental Health Center systems.

Plaintiff Eugene Mitchell filed a class action lawsuit in the Court in the Commonwealth of Massachusetts, Hampden County, under the case name Eugene Mitchell v. Gandara Mental Health Center, Inc. The lawsuit alleged that Gandara Mental Health Center failed to properly secure its network, which resulted in the theft of personal information and PHI belonging to plaintiffs and other affected individuals.

The complaint included claims for breach of implied contract, negligence, negligence per se, breach of fiduciary duty, and unjust enrichment.

Gandara Mental Health Center denied the allegations raised in the lawsuit. The organization denied claims and contentions related to wrongdoing, fault, and liability.

The settlement agreement was reached to avoid additional legal costs, expenses, and uncertainty associated with trial proceedings and possible appeals. Under the terms of the settlement, eligible class members may enroll in three years of identity theft protection and medical data monitoring services.

The settlement also permits class members to submit claims for reimbursement of certain losses connected to the data breach. Eligible individuals may seek reimbursement of up to $500 for ordinary losses. The settlement terms state that reimbursement for lost time is limited to four hours at a rate of $25 per hour.

Class members may also submit claims for up to $5,000 in extraordinary losses associated with the data breach. Individuals who do not submit claims for reimbursement of losses or lost time may instead request a one-time cash payment of $60.

The total benefits available to class members are capped at $900,000. If claims exceed that amount, payments will be reduced on a pro rata basis. The deadline for objections to the settlement and requests for exclusion from the settlement is July 24, 2026. Claims must also be submitted by July 24, 2026.

The final approval hearing for the settlement is scheduled for August 25, 2026.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2026 ComplianceHome. All rights reserved.