Your Medical Records Got Stolen. They Settled for $750,000.
Robeson Health Care Corporation exposed patients’ private information in a February 2023 data breach. Two years later, a court-approved settlement caps your payout. Here is what they admitted, what they are paying, and what you are giving up by accepting it.
What a Stolen Medical File Actually Costs You
Robeson County, North Carolina, sits in one of the most economically disadvantaged regions in the state. The people who sought care from Robeson Health Care Corporation were not wealthy patients at a downtown private clinic. They were working people, rural residents, people without many options, people who trusted a local health care institution with some of the most sensitive details of their lives.
When you hand your information to a health care provider, you are not making a casual transaction. You are giving them your name, your address, your date of birth, your insurance identifiers, your treatment records, the financial details tied to your care. That data, in the wrong hands, becomes a tool. It can be used to open fraudulent accounts, to steal tax refunds, to impersonate you in medical settings, to ruin credit that took years to build. For a person in a county where the poverty rate runs well above the national average, a destroyed credit file is not an inconvenience. It is a catastrophe.
The breach happened in February 2023. Patients did not know their information had been stolen until notification letters arrived. In that window between the breach and the notification, anything could have happened to their data and they had no way to protect themselves. They could not freeze their credit. They could not monitor for fraudulent medical claims. They could not do anything, because they did not know they were already victims.
Two years passed between the breach and the court filing a preliminary approval order for a settlement. Two years of uncertainty. Two years of checking bank statements and credit reports and waiting for something to go wrong. That psychological toll does not appear anywhere in the $750,000 settlement fund. It has no line item. It does not count.
The three named plaintiffs, Julianna McKenzie, Judith Hammonds, and Ronnie McGriff, stepped forward to represent every person who received a breach notification. That takes courage. It means your name is on a court document, publicly associated with your data having been exposed. It means your life gets examined by attorneys on both sides. The court acknowledges they showed genuine personal interest in the outcome. What the court document does not say is what it cost each of them personally to stand up and be counted.
The settlement offers what lawyers call “resolution.” But for the people of Robeson County who trusted RHCC with their most private information, what was taken cannot be given back. A check, whatever amount it turns out to be after attorneys and administrators take their shares, does not restore the thing that was lost. The data is already out there.
What They Actually Said in Court
These are verbatim quotes from the court’s Preliminary Approval Order filed March 25, 2025. They are not summaries or paraphrases. They are the actual words that define your rights as a class member.
“All individuals who were notified that their PII was potentially compromised in the February 2023 Data Breach.”
— Settlement Class Definition, Paragraph 5
- This definition means membership in the class is tied to receiving a breach notification, not to proving actual harm. If you got the letter, you are potentially a class member.
- The word “potentially” in “potentially compromised” is deliberate legal language. RHCC never had to admit your data was definitely stolen or misused. The settlement does not require that admission.
“Upon the Effective Date, each Settlement Class Member, including Plaintiffs, shall be deemed to have, and by operation of the Judgment shall have, fully, finally, and forever released, relinquished, and discharged all Released Claims and Unknown Claims.”
— Release Provision, Paragraph 31
- “Unknown Claims” are the two most dangerous words in this settlement. The phrase means you are releasing legal rights over harms you do not even know about yet, harms that may surface months or years from now as your stolen data is used against you.
- “Fully, finally, and forever” is the court’s language. There is no partial release. There is no time limit. Once the settlement is final, this door closes permanently for every class member who does not opt out.
“Each Settlement Class Member, including Plaintiffs, shall either directly, indirectly, representatively, as member of or on behalf of the general public or in any capacity, be permanently barred and enjoined from commencing, prosecuting, or participating in any recovery in any action in this or any other forum…”
— Release Provision, Paragraph 31
- This injunction covers every possible legal avenue: state court, federal court, administrative proceedings, any forum of any kind. It is a total litigation lockout.
- The phrase “in any capacity” means this applies even if you try to join a completely different case brought by someone else that involves the same breach. The bar is absolute.
“Any Settlement Class Member who fails to comply with the requirements for objecting herein and in the Settlement Agreement shall waive and forfeit any and all rights he or she may have to appear separately and/or object to the Settlement Agreement.”
— Paragraph 19
- The objection process has strict procedural requirements: a full written statement, legal grounds, proof of class membership, identification of any attorneys involved, and a signature. If you miss any single requirement, your objection is void and you are bound by the settlement anyway.
- This is a common structural feature of class action settlements that effectively discourages individual dissent from people who lack legal expertise or resources.
Who Actually Gets Hurt When Health Data Gets Stolen
Public Health
Health care data breaches do not just expose financial information. They expose the entire relationship between a patient and the medical system, with consequences that extend well beyond identity theft.
- Medical identity theft, where a criminal uses stolen health credentials to obtain treatment or prescription drugs in the victim’s name, can corrupt a patient’s medical records with false diagnoses and medication histories. A future emergency room doctor reading that corrupted file could make a lethal treatment decision based on someone else’s fraudulent data.
- Patients whose mental health records, addiction treatment records, or reproductive health information is exposed face the specific risk of that data being used by employers, insurance companies, or personal contacts to discriminate against or harm them. Health privacy protections exist precisely because this information carries stigma. A breach removes those protections permanently.
- Rural health care patients in counties like Robeson often have fewer provider options than urban residents. If a data breach causes patients to distrust local providers and delay or avoid seeking care, the public health cost of that avoidance (untreated conditions, deferred screenings, late-stage diagnoses) falls entirely on those patients and on an already strained regional health system.
- The breach notification process itself creates a secondary health burden. Patients must spend time monitoring credit reports, filing fraud alerts, contacting financial institutions, and managing the anxiety and stress of not knowing how their information has been or will be used. That time and mental load have real health consequences for vulnerable populations.
Economic Inequality
The financial consequences of this breach fall hardest on the people least equipped to absorb them, residents of one of North Carolina’s most economically distressed counties.
- Robeson County consistently ranks among the highest-poverty counties in North Carolina. Residents here have fewer financial reserves to absorb the costs of credit monitoring services, identity restoration assistance, legal consultations, and the time lost to dealing with fraud. The same breach that costs a wealthy urban patient a few hours of paperwork can cost a low-income rural patient weeks of wage-affecting disruption.
- The settlement’s $750,000 total must be divided among an unspecified number of class members, minus attorney fees and administrative costs. In comparable health care data breach settlements, per-claimant payouts frequently amount to tens of dollars per person. That figure cannot come close to compensating a person who has experienced fraudulent account openings, damaged credit, or out-of-pocket monitoring expenses.
- Accepting the settlement means signing away the right to sue for future harms from the same breach. For a lower-income class member who accepts a small payment today and experiences significant identity theft next year, there is no legal recourse remaining. The release of “Unknown Claims” transfers long-term financial risk from RHCC to the individual class member.
- Businesses and legal processes that run credit checks, such as landlords, utility companies, auto lenders, and employers, can act on damaged credit without any knowledge that a data breach caused it. Class members in Robeson County who face housing instability or limited employment options have even less tolerance for credit damage than average, making the compounded economic impact of this breach disproportionately severe for this specific population.
What the Settlement Math Actually Looks Like
$750,000: the total settlement fund, to be divided among all class members, minus attorney fees, administration costs, and service awards for three named plaintiffs, leaving an unknown remainder for the people whose data was actually stolen.
In comparable health care data breach class actions, per-claimant payouts after fees and costs often land between $20 and $100 per person. The number of class members in this case is not disclosed in the source documents.
What Now: Your Deadlines, Your Rights, Your Moves
If you received a breach notification letter from Robeson Health Care Corporation, you have specific deadlines and specific choices. Here is what the court documents say you can do, and what you should do regardless of the settlement.
Your Settlement Deadlines (from entry of the Preliminary Approval Order, March 24, 2025)
- Notice will begin arriving by mail within 30 days of March 24, 2025, and must be substantially complete within 45 days. If you have not received notice by mid-May 2025, check the Settlement Website once it is established.
- You have 90 days after the Notice Commencement Date to opt out or object. Missing this deadline means you are automatically bound by the settlement terms, whether you file a claim or not.
- You have 135 days after the Preliminary Approval Order entry to submit a claim form. That deadline is approximately late July 2025 based on the March 24 approval date.
- The Final Fairness Hearing is scheduled no earlier than 165 days after March 24, 2025, which places it in approximately late August or September 2025. The exact date and time will be posted on the Settlement Website.
Watchlist: Who Oversees Health Care Data Protection
- U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR): Enforces HIPAA. If RHCC is a HIPAA-covered entity, this is the federal body with jurisdiction to investigate the breach. File a complaint at hhs.gov/ocr.
- North Carolina Department of Health and Human Services (NC DHHS): State-level regulator for health care providers operating in North Carolina. Can apply pressure independent of the federal settlement.
- North Carolina Attorney General’s Office: The AG enforces state data breach notification laws. North Carolina law requires timely notification of breaches affecting state residents. If RHCC delayed notification, this is a separate potential violation.
- Federal Trade Commission (FTC): Has jurisdiction over unfair or deceptive practices, including inadequate data security at organizations that handle consumer information.
What to Do Right Now, Settlement or Not
- Freeze your credit at all three bureaus (Equifax, Experian, TransUnion) immediately if you have not already done so. A credit freeze is free and prevents new accounts from being opened in your name. It is the single most effective protection against financial identity theft after a breach.
- Request your medical records from RHCC and review them for any treatment or prescriptions you did not receive. Medical identity theft entries in your records can be disputed, but only if you find them. Do this before any settlement deadline closes your legal options.
- Contact NC Legal Aid (ncbar.org) or the North Carolina Justice Center if you cannot afford an attorney and want independent advice before deciding whether to opt out, object, or accept the settlement terms.
- Connect with mutual aid networks in Robeson County for practical support. Organizations like the Robeson County Food Bank and local faith-based networks can help with the real-world costs, like transportation to appointments or access to computers for online claim filing, that the settlement does not cover.
- Share this information with anyone you know who may have been a patient at RHCC. Many class members, especially older residents or those with limited internet access, will not know about the settlement deadline until it has already passed. Grassroots outreach is the only thing that closes that gap.
The source document for this investigation is attached below.


