🏳️‍⚧️ trans rights are human rights 🏳️‍⚧️
Theme

Massive Data Breach of Names, Social Security Numbers, and Medical Records @ Robbie D. Wood

What Was Actually Taken From These People

The people in this class are not investors. They’re not wealthy executives. They are current and former employees of Robbie D. Wood, Inc., the normal ass workers who handed over their most sensitive information as a basic condition of employment. You don’t get a paycheck without giving your employer your Social Security number. You don’t get health coverage without sharing your medical history. You don’t fill out an HR form without trusting that the company holding your data takes that responsibility seriously.

That trust was broken on October 1, 2024.

What was exposed was not abstract. The breach accessed files potentially containing names, dates of birth, driver’s license numbers, financial account information, medical information, and Social Security numbers. A Social Security number is not a password you can reset. It follows a person for life. Once it’s in the hands of someone willing to use it, the damage it can do (such as fraudulent tax filings, new accounts opened in your name, medical identity theft that corrupts your health records) can take years to undo and may never be fully corrected.

Medical information is its own category of violation. When your employer knows your diagnoses, your prescriptions, your treatment history, that information was shared under the implicit guarantee of confidentiality. A breach that exposes that data doesn’t just create a financial risk. It exposes something deeply personal to strangers with unknown intentions.

And then came the silence. For more than four months (from October 1, 2024, when the attack happened, to February 11, 2025, when notifications finally went out) these 3,777 people had no idea their data had been taken. They couldn’t freeze their credit. They couldn’t put alerts on their accounts. They couldn’t monitor for fraudulent filings. They were left exposed and uninformed while the clock ran on whatever damage was already being done.

The settlement offers $65 to acknowledge all of this. Sixty-five dollars. That is what this company and its lawyers determined was a reasonable number to place on the unauthorized exposure of a person’s Social Security number, medical history, and financial account information, combined with a four-month notification delay that stripped those same people of any chance to protect themselves in real time.

What the Documents Actually Say

The settlement agreement and accompanying court filings contain several passages that deserve to be read in full, without paraphrase.

“on or around October 1, 2024, a cyber-attack occurred on Defendant’s system that resulted in a data breach of certain data on its network, of which Defendant notified affected individuals on or about February 11, 2025”
  • This single sentence establishes the core timeline: the breach occurred October 1, 2024, and notification did not happen until February 11, 2025. That is a gap of approximately 133 days between the attack and when employees were told their data had been compromised.
  • The phrase “on or around” applied only to the attack date, not the notification date, which is stated as a definite date… meaning the delay is precisely documented, not some fuzzy estimated date.
“These files may have contained personal information such as names, dates of birth, driver’s license numbers, financial account information, medical information, and Social Security numbers.”
  • The word “may” is doing significant work here. It is standard legal hedging in breach settlements, but the breadth of the data categories listed — spanning identity documents, financial records, and protected health information — means the potential exposure covers virtually every sensitive category that exists for a private individual.
  • The inclusion of “medical information” alongside Social Security numbers elevates this beyond a standard financial data breach. Compromised medical information carries protections under federal law and creates a distinct category of harm that financial restitution alone cannot address.
“Defendant denies the allegations and causes of action pled in the Action and otherwise denies any liability to Plaintiff in any way.”
  • This is the standard corporate denial that appears in virtually every data breach settlement. The company pays $65 per person, funds $125,000 in attorneys’ fees, and still maintains in the legal record that it did nothing wrong.
  • The practical effect: the settlement cannot be cited as evidence of wrongdoing in any other proceeding. The legal record is scrubbed clean of any finding of fault.
“Defendant will provide a confidential affidavit to Settlement Class Counsel describing its information security improvements since the Data Breach and estimating the annual cost of those improvements.”
  • The security improvements are documented in a confidential affidavit — meaning the 3,777 affected employees, the public, and any future employees of Robbie D. Wood will never know what was changed, whether the changes are sufficient, or how much the company is investing in protecting the data it holds.
  • Settlement Class Counsel receives this information. The people whose data was breached do not.
“All Settlement Class Members who do not request to be excluded from the Settlement Class shall be bound by the terms of this Settlement Agreement, including the Release, regardless of whether he or she files a Claim Form or receives any monetary benefits from the Settlement.”
  • This means a class member who does nothing — files no claim, receives no money, takes no action — still permanently surrenders their right to sue Robbie D. Wood over this breach. Inaction is treated as consent to the release.
  • The release covers not only known claims but explicitly includes “Unknown Claims” — legal injuries the affected person doesn’t yet know they have, including harms that may emerge years from now as a direct result of this breach.

The Four-Month Gap: What Employees Weren’t Told

The core documented gap in this case is the period between when the breach was discovered and when the people whose data was taken were notified. The settlement agreement establishes both dates with precision.

  • The cyberattack occurred on or around October 1, 2024. Robbie D. Wood did not notify affected individuals until on or about February 11, 2025. That is roughly 133 days during which employees had no knowledge their information had been compromised.
  • During those 133 days, affected individuals could not take the most basic protective steps: freezing credit, placing fraud alerts with credit bureaus, monitoring financial accounts for unauthorized activity, or alerting their banks.
  • The settlement’s reimbursement structure reflects this delay. Credit monitoring costs are only covered if incurred “on or after mailing of the notice of the Data Breach” — February 11, 2025. Any protective costs incurred before notification, during the four-month gap, fall outside the reimbursable window.
  • The Long Form Notice states that documented losses must have occurred “between October 1, 2024, and [Claims Deadline],” which acknowledges the breach date as the start of the harm window — while simultaneously limiting credit monitoring reimbursement to the post-notification period. The affected person is on the hook for any costs they incurred trying to protect themselves before the company got around to telling them they needed to.
Visual: What You Were Told vs. The Reality of the Timeline WHAT WAS CLAIMED / IMPLIED THE DOCUMENTED REALITY Company acted promptly after discovering the breach 133 days elapsed between Oct 1, 2024 and Feb 11, 2025 before employees were notified Settlement provides meaningful compensation for the breach No-documentation cash payment is $65.00 per person; attorneys receive up to $125,000 Security improvements will be made to protect employees going forward Details are in a confidential affidavit — the affected employees will never see it Accepting the settlement preserves some legal rights Staying in class permanently waives all claims, including Unknown Claims not yet known to the victim

Case Chronology: From Breach to Settlement

The documented timeline of this case reveals a pattern familiar in data breach litigation: harm occurs silently, notification comes months later, a lawsuit follows quickly once word gets out, and a settlement is reached before a judge ever rules on the merits.

  • October 1, 2024: Cyberattack hits Robbie D. Wood’s systems. Files containing employees’ names, Social Security numbers, medical information, financial account data, driver’s license numbers, and dates of birth are accessed. The class of affected individuals numbers approximately 3,777.
  • February 11, 2025: Robbie D. Wood sends notification letters to affected individuals — 133 days after the breach. This is the first moment the majority of affected employees learned their data had been compromised.
  • August 20, 2025: Plaintiff Jevon Worrell files a class action complaint in the Circuit Court of Jefferson County, Alabama, approximately six months after notification and ten months after the breach itself.
  • March 20, 2026: Settlement Agreement is signed by Plaintiff and Settlement Class Counsel. The document reflects agreement reached after “extensive and arm’s length negotiations.”
  • March 27, 2026: Document execution is completed per the document ID timestamp.
Timeline: Robbie D. Wood Data Breach — Key Dates Oct 1, 2024 Breach Occurs 133 days of silence Feb 11, 2025 Victims Notified ~6 months Aug 20, 2025 Lawsuit Filed Mar 20, 2026 Settlement Signed

Who Gets Hurt and How

Public Health and Personal Safety

When medical information is part of a data breach, the harm extends beyond finances into a domain that most people consider among the most private aspects of their lives.

  • The breached files potentially contained “medical information” — a category that can include diagnoses, prescription histories, insurance details, and treatment records. This class of data is classified as Protected Health Information under federal law precisely because its unauthorized exposure can cause documented harm, including discrimination, stigma, and exploitation.
  • Medical identity theft — where a thief uses someone else’s health information to fraudulently obtain medical services or prescriptions — can corrupt a victim’s medical records in ways that create dangerous errors in future treatment. Unlike financial fraud, medical identity theft can directly threaten a person’s physical safety if incorrect information enters their health record.
  • The 133-day notification gap means affected employees had no opportunity to place alerts with healthcare providers or insurers during the period when this risk was live and unknown to them.

Economic Inequality

The financial architecture of this settlement distributes costs and benefits in a way that systematically disadvantages the people with the least resources.

  • The highest-value benefit — up to $5,000 for documented losses — requires claimants to produce third-party documentation including bank statements, receipts, and professional fee records. Workers who have already absorbed financial harm from identity theft are the least likely to have preserved the documentation trail required to claim full reimbursement.
  • The no-documentation alternative cash payment is capped at $65.00. This is the realistic option for most working-class claimants who don’t have receipts, don’t know what was done with their data, or can’t afford the time to compile a documentation file.
  • Settlement Class Counsel receives up to $125,000 in attorneys’ fees, paid by Robbie D. Wood separately from victim benefits. The lead plaintiff receives a $3,000 service award. Both figures are fixed and certain. Victim compensation is variable, capped, and documentation-dependent.
  • Any class member who misses the claims deadline — because they didn’t receive the postcard notice, didn’t understand the process, or simply lacked the time to engage — receives nothing but still loses their right to sue.
  • Settlement checks expire 90 days after issuance and become void if not cashed, with no reissuance after that point. For people who move frequently, experience housing instability, or receive mail unreliably, this creates an additional barrier to collecting even the $65 cash payment.

$65 Is Not Accountability

The structure of this settlement tells you exactly how much the legal system values the unauthorized exposure of your Social Security number, medical history, and financial account information when the person holding that data is a corporation.

  • The no-documentation cash payment is $65.00 per person. That is the number the parties agreed upon to compensate for the exposure of Social Security numbers, medical records, driver’s license numbers, dates of birth, and financial account information — combined with a 133-day delay in notification.
  • Settlement Class Counsel’s fee award of up to $125,000 is paid separately and in full, regardless of how many class members file claims or how much they receive. The attorneys’ compensation is structurally guaranteed. The victims’ compensation is not.
  • The settlement includes no admission of wrongdoing. The agreement states explicitly: “No action taken by the Parties either previously or in connection with the negotiations or proceedings connected with this Agreement shall be deemed or construed to be an admission of the truth or falsity of any claims or defenses.” Robbie D. Wood pays and walks away with a clean legal record.
  • The settlement cannot be used as evidence in any other proceeding. If other harms emerge from this breach — against the same individuals, in a different forum — the existence of this settlement provides no legal foothold.
  • The release covers “Unknown Claims” — harms the victims haven’t discovered yet, including future identity theft directly traceable to data accessed in this breach. A person who accepts (or simply fails to opt out of) this settlement is surrendering legal rights over injuries they don’t yet know they have.
  • Robbie D. Wood’s security improvement commitments are delivered in a confidential affidavit to class counsel, not to the affected employees and not to the public. There is no mechanism in this settlement for the 3,777 affected individuals to verify whether their employer’s systems are now actually secure.
Sixty-five dollars. That is the number placed on your Social Security number, your medical records, and four months of silence while your data was already exposed.

The Math of Impunity

$65.00

The maximum no-documentation cash payment available to each of the 3,777 employees whose names, Social Security numbers, medical information, financial account data, driver’s license numbers, and dates of birth were exposed in the October 2024 breach — compared to up to $125,000 guaranteed to attorneys.

Settlement Benefit Comparison: Attorneys’ Fees vs. Per-Person Cash Payment $0 $31K $63K $94K $65 Per-Person Cash Payment $125,000 Attorneys’ Fee Award Attorneys receive 1,923x the per-person no-documentation cash payment

This Is Not a Bug. This Is the Feature.

The outcome of this case — a corporation exposes thousands of employees’ most sensitive data, notifies them four months later, settles for $65 per person with no admission of fault, and secures a permanent release of all future claims — is not an accident or a failure of the legal system. It is the legal system working exactly as designed for corporate defendants.

  • The class action mechanism, as deployed here, consolidates 3,777 individual claims into a single proceeding where the corporation negotiates with a small number of attorneys rather than facing 3,777 independent lawsuits. The efficiency that makes class actions valuable for plaintiffs also makes settlement on corporate-favorable terms structurally easier to achieve.
  • The “no admission of liability” standard is a feature of settlement law that allows corporations to pay money to resolve claims while preserving the ability to deny wrongdoing in every subsequent context. Robbie D. Wood pays the settlement and simultaneously maintains, in the legal record, that it did nothing wrong.
  • The confidential affidavit mechanism for security improvements means Robbie D. Wood’s future employees will never be able to independently assess whether the company securing their personal data has actually fixed the vulnerabilities that enabled this breach. The opacity that made the breach possible is preserved in the settlement that resolves it.
  • The “Unknown Claims” waiver — requiring affected individuals to surrender rights over harms they don’t yet know they have — is standard settlement boilerplate. Its routine use means the full long-term cost of a data breach is systematically excluded from the settlement calculus, always to the corporation’s benefit.
  • The claims deadline, check expiration policy, and documentation requirements create structural attrition: the more barriers between victims and their compensation, the fewer claims get filed, and the lower the total payout becomes. The settlement structure is optimized for claim suppression, not claim fulfillment.

What Real Accountability Would Require

The core structural failure this case exposes is a breach notification and remediation system that provides no meaningful deterrence, no genuine transparency, and no proportionate accountability for employers who fail to protect the data their employees are legally required to hand over.

The following recommendations are editorial analysis grounded in the documented failure modes of this case. They are not findings of the settlement agreement or the court.

Regulatory Track

  • State and federal data breach notification laws should establish a maximum mandatory notification window of 30 days from breach discovery for breaches involving Social Security numbers or medical information. The 133-day delay in this case occurred within the current legal framework — meaning the framework is inadequate.
  • Regulatory agencies overseeing employer data security (including the FTC and relevant state attorneys general) should require post-breach security audits to be filed publicly, not confidentially with opposing counsel. An employer’s obligation to secure employee data does not end when litigation does.
  • The confidential affidavit mechanism used in this settlement should be rejected by courts as an inadequate substitute for verified, public disclosure of remediation measures when the affected parties are employees who remain in the company’s data systems.

Legislative Track

  • Legislation should establish a baseline statutory damages floor for data breaches involving Social Security numbers and medical information — a minimum recovery per person that does not require documentation and cannot be settled below. A $65 floor is not a deterrent; it is an invitation.
  • The “Unknown Claims” waiver in data breach settlements should be subject to a mandatory sunset period: class members should not be required to permanently waive rights over harms arising from a breach that have not yet manifested at the time of settlement. Legislative reform should cap the waiver at documented, existing claims only.
  • Settlement check expiration policies that forfeit victim compensation within 90 days should be prohibited when the claimants are a certified class of individuals, many of whom may face housing or mail instability.

Corporate Governance Track

  • Employers who hold employee Social Security numbers and medical information should be required to maintain and publicly disclose the existence of an independent data security audit program, with findings reportable to the state attorney general — not just to plaintiff’s counsel in a settlement affidavit.
  • Executive compensation structures at companies experiencing data breaches should be subject to mandatory clawback provisions when a breach results in certified class harm, creating a direct financial incentive at the leadership level to invest in preventive security rather than post-breach settlement.
  • Board-level responsibility for data security governance should be formally required for any employer that holds Protected Health Information or Social Security numbers for a workforce of more than 500 people.

What You Can Do Right Now

If you are one of the 3,777 individuals in the Robbie D. Wood settlement class, you have specific options with real deadlines. Everyone else can apply pressure where it belongs.

If You Are a Class Member

  • Do not do nothing and assume you are protected. Inaction means you lose your legal rights and receive zero compensation. Check the Settlement Website (URL to be established by Atticus Administration LLC) or call the toll-free number on your postcard notice to confirm your status.
  • File a claim for the Alternative Cash Payment ($65) if you have no documentation. No proof is required. You can also simultaneously claim the two-year credit monitoring service through CyEx Medical Shield Complete.
  • If you have documented out-of-pocket expenses caused by identity theft or fraud traceable to this breach, gather bank statements, receipts, and professional fee records and file for the Documented Losses reimbursement (up to $5,000).
  • If you believe this settlement does not adequately compensate you and you want to preserve your right to sue independently, submit a written Request for Exclusion by the Opt-Out Deadline (60 days after the Notice Deadline). Do this by certified mail so you have proof of postmark.
  • Regardless of your claims decision, place a credit freeze with all three major bureaus (Equifax, Experian, TransUnion) and an alert with ChexSystems if you have not already done so. This is free and you can unfreeze when needed. Do not wait for the settlement to resolve to take this step.

Watchlist: Who Answers for Data Security

  • Federal Trade Commission (FTC): Primary federal enforcement authority for data security failures by non-healthcare employers. File complaints at ftc.gov/complaint.
  • Alabama Attorney General: State-level enforcement of Alabama data breach notification law. Documented notification delays in breach cases fall within AG investigative jurisdiction.
  • Department of Health and Human Services — Office for Civil Rights: If any of the breached medical information was Protected Health Information under HIPAA, OCR has jurisdiction. File at hhs.gov/ocr.
  • Consumer Financial Protection Bureau (CFPB): If financial account information was misused following the breach, the CFPB takes complaints related to financial fraud at consumerfinance.gov/complaint.

Mutual Aid and Grassroots Action

  • Connect current and former Robbie D. Wood employees with local worker center organizations in Jefferson County, Alabama, who can provide free guidance on navigating identity theft, disputing fraudulent accounts, and accessing legal aid if documented losses exceed settlement reimbursement caps.
  • Contact Alabama Legal Services or the National Consumer Law Center if you believe your documented losses from this breach exceed $5,000 and you are considering opting out to pursue independent litigation.
  • Share this case with coworkers at other employers. Data breach settlements structured identically to this one are filed in courts across the country every week. Worker awareness of these settlements — and of the opt-out right — is the only leverage that makes corporate data security investments financially rational.

The source document for this investigation is attached below.

Explore by category

01

Antitrust

Monopolies and anti-competition tactics used to crush rivals.

View Cases →
02

Product Safety Violations

When companies sell dangerous goods, consumers pay the price.

View Cases →
03

Environmental Violations

Pollution, ecological collapse, and unchecked greed.

View Cases →
04

Labor Exploitation

Wage theft, worker abuse, and unsafe conditions.

View Cases →
05

Data Breaches & Privacy

Misuse and mishandling of personal information.

View Cases →
06

Financial Fraud & Corruption

Lies, scams, and executive impunity that distort markets.

View Cases →
07

Intellectual Property

IP theft that punishes originality and rewards copying.

View Cases →
08

Misleading Marketing

False claims that waste money and bury critical safety info.

View Cases →
Aleeia
Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.

Learn more about my research standards and editorial process by visiting my About page

Articles: 1944