Settlement of Datavant Group Class Action Data Breach Lawsuit for $900,000

May 25, 2026HIPAA News Today0

Datavant Group has agreed to a $900,000 settlement to resolve a class action lawsuit arising from a May 2024 email-related data breach involving unauthorized access to an employee email account after responding to a phishing email.

Incident Details

Datavant Group identified suspicious activity in an employee’s email account on May 9, 2024. According to forensic investigation, an unauthorized individual accessed the account between May 8 and May 9, 2024. Access occurred after an employee responded to a phishing email.

The breach was reported to the U.S. Department of Health and Human Services Office for Civil Rights as affecting 320,702 individuals. Information potentially involved in the incident included as names, birth dates, addresses, contact details, financial account details, driver’s license numbers, Social Security numbers, passport numbers, and medical information (PHI included).

Lawsuit and Claims

A class action lawsuit, Jackson v. Ciox Health, LLC d/b/a Datavant Group, was filed in the United States District Court for the District of Arizona. The complaint alleged that the organization did not implement sufficient security measures to protect patient information. The claims included negligence and an alleged violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.

Settlement Terms

The parties reached an agreement to resolve the litigation and reduce the costs and risks associated with continued proceedings. The settlement received preliminary approval from the court.

Datavant Group agreed to put $900,000 in a settlement fund. The fund will cover attorneys’ fees and expenses, benefits for class members, service awards for class representatives, and settlement administration and notification costs.

The class includes 58,309 individuals, which differs from the over 320,000 individuals reported in the breach notification submitted to the Office for Civil Rights.

Claims Process and Deadlines

Class members may submit a claim for up to $5,000 for documented, unreimbursed losses linked to the data breach. A second option allows submission of a claim for a one-time pro rata cash payment, with amounts determined by the number of valid claims submitted.

Class members may also enroll in one year of expanded identity theft protection and fraud monitoring services.

The deadline for exclusion from or objection to the settlement is July 20, 2026. The deadline to submit claims is August 18, 2026. The final fairness hearing is scheduled for September 4, 2026.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2026 ComplianceHome. All rights reserved.