Corporate Misconduct Accountability Project
WellNow Urgent Care, P.C. · class action settlement
WellNow Data Breach Exposes 597,000 Patients’ Personal Information
A data security incident at WellNow Urgent Care and affiliated companies exposed the personal information of nearly 600,000 individuals, including Social Security numbers for over 55,000 people. The settlement provides tiered compensation based on the sensitivity of data compromised.
HIGH SEVERITY
TL;DR
WellNow Urgent Care, Physicians Immediate Care, and Aspen Dental Management companies suffered a data breach that exposed the personal information of approximately 597,001 individuals. For 55,131 victims, the compromised data included Social Security numbers, creating heightened risks of identity theft. The companies reached a preliminary settlement creating two classes of victims with different benefit levels based on the type of data exposed.
If you were a patient at these facilities, check if your data was compromised and understand your rights under the settlement.
597,001
Total individuals whose data was exposed
55,131
Victims whose Social Security numbers were compromised
541,870
Victims with other personal information exposed
The Allegations: A Breakdown
Core Allegations
What they did · 6 points
| 01 | WellNow Urgent Care, Physicians Immediate Care, and Aspen Dental Management companies allowed unauthorized third parties to access personal information of approximately 597,001 individuals in a Data Security Incident. | high |
| 02 | The companies failed to protect Social Security numbers for approximately 55,131 individuals, exposing them to heightened identity theft risks. | high |
| 03 | An additional 541,870 individuals had other forms of personal information exposed to unauthorized access, creating widespread vulnerability across the United States. | high |
| 04 | The companies operate significant urgent care and dental services operations, handling vast amounts of sensitive patient data that they failed to adequately secure. | high |
| 05 | The data breach affected healthcare-related entities, meaning much of the compromised data likely includes patient health information or data closely associated with healthcare interactions. | high |
| 06 | The settlement creates two tiers of victims based on data sensitivity, acknowledging that Social Security number exposure carries higher risk of identity theft and long-term financial fraud. | medium |
Regulatory Failures
System gaps that enabled the breach · 5 points
| 01 | The occurrence of such a large-scale data breach, despite existing data protection regulations, points to potential systemic weaknesses in enforcement and oversight. | high |
| 02 | The sheer volume of exposed records suggests that whatever safeguards were in place at the defendant companies were insufficient to prevent significant unauthorized access. | high |
| 03 | The existence of a Data Security Incident inherently implies a failure in the defendants’ systems to adequately protect sensitive information entrusted to them by their patients and customers. | high |
| 04 | Corporations might technically meet baseline compliance standards while still being vulnerable, especially if those standards lag behind the sophistication of cyber threats or if enforcement is lax. | medium |
| 05 | The settlement is reached without requiring an admission of wrongdoing by the defendants, limiting public scrutiny of the specific corporate conduct that led to the harm. | medium |
Profit Over People
Cost calculations that left data vulnerable · 6 points
| 01 | The imperative to maximize profit can create incentives that deprioritize robust investment in areas like cybersecurity, which are expensive but non-revenue-generating. | high |
| 02 | Comprehensive data security measures involving advanced technology, regular updates, employee training, and vigilant monitoring are expensive, creating pressure to underinvest when facing demands to deliver shareholder value. | high |
| 03 | The settlement itself, while providing some recourse to victims, often represents a calculated cost of doing business, potentially less than the sustained investment required for top-tier security that might have prevented the breach. | high |
| 04 | Companies facing pressure to increase margins might consciously or unconsciously underinvest in cybersecurity, weighing the cost of adequately protecting nearly 600,000 individuals’ data against other financial priorities. | high |
| 05 | The potential cost of a breach, including legal settlements and reputational damage, is weighed against immediate savings from reduced security expenditures as part of risk management strategy. | medium |
| 06 | When companies collect vast amounts of personal data as a valuable asset, but the primary driver is economic return, investment in security may be minimized until a crisis forces action. | medium |
Economic Fallout
The financial burden on victims · 6 points
| 01 | The nearly 600,000 individuals whose data was exposed face significant and long-lasting economic fallout, including risks of identity theft, fraudulent financial account openings, and damage to their credit scores. | high |
| 02 | Victims of data breaches, especially those involving Social Security numbers, can spend years and countless hours of personal effort undoing damage to their financial standing. | high |
| 03 | The settlement benefits often cover only direct, easily quantifiable losses like credit monitoring services or documented out-of-pocket expenses. | high |
| 04 | Settlement compensation may not fully cover less tangible yet very real harms such as emotional distress, time spent dealing with consequences of data exposure, or ongoing anxiety about future misuse of information. | medium |
| 05 | The burden of vigilance against identity theft shifts heavily onto the individual, whose only fault was entrusting their information to organizations that failed to protect it. | medium |
| 06 | The public is often left bearing the economic and personal toll of these incidents disproportionately, while corporations resolve challenges through settlements that become factored in as a cost of doing business. | medium |
Public Health and Safety
Privacy breaches in healthcare · 5 points
| 01 | The defendants include urgent care and dental management companies, signifying that much of the compromised data likely pertains to patient health information or data closely associated with healthcare interactions. | high |
| 02 | The exposure of health-related data is not merely a financial inconvenience but represents a breach of privacy concerning personal health matters. | high |
| 03 | Failures to safeguard healthcare data can erode public trust in healthcare institutions and potentially expose individuals to discrimination or embarrassment if their sensitive health-related data falls into the wrong hands. | high |
| 04 | Under a system that increasingly digitizes health records, the responsibility of healthcare providers to safeguard this information is paramount, making this breach particularly troubling. | high |
| 05 | The Data Security Incident touches upon critical concerns about the vulnerability of personal health information within corporate data systems. | medium |
Corporate Accountability Failures
Settlement without admission of wrongdoing · 7 points
| 01 | The settlement is reached without an admission of wrongdoing by the defendants, meaning financial compensation is provided to victims without public litigation of corporate conduct. | high |
| 02 | Defendants retain all rights to object to class certification if the settlement is not finally approved, preserving their legal position. | medium |
| 03 | If the settlement terminates, the representative plaintiffs will dismiss the action without prejudice and parties will resume arbitration proceedings, not litigation in court. | medium |
| 04 | This settlement structure means that while financial compensation is provided, the full details of corporate conduct leading to the harm may not be publicly litigated or scrutinized through a trial. | high |
| 05 | Systemic issues may remain unaddressed, allowing corporations to resolve legal challenges without fundamentally changing practices that might have contributed to the problem. | high |
| 06 | All discovery and other proceedings in the Civil Action are stayed and suspended except for actions necessary to implement the settlement, limiting further investigation. | medium |
| 07 | The focus remains on administering the settlement rather than a deeper probe into the causes of the breach within the framework of this specific court order. | medium |
The PR Machine
Sanitized language obscures corporate failure · 4 points
| 01 | The court document repeatedly uses the term Data Security Incident, a sanitized and neutral phrase that obscures the reality of what occurred: a failure by corporations to protect private data of hundreds of thousands of people. | medium |
| 02 | This kind of technocratic language is common in legal and corporate settings and can inadvertently downplay the severity and human impact of such events. | medium |
| 03 | The incident framing presents the exposure of sensitive information not as a direct consequence of potentially inadequate safeguards or decisions, but as an unavoidable accident. | medium |
| 04 | This language subtly shifts the focus away from corporate responsibility and onto the event itself as an external occurrence. | medium |
The Bottom Line
A predictable outcome of profit-driven data practices · 6 points
| 01 | The preliminary approval of the settlement offers a measure of relief for the nearly 600,000 individuals whose personal data was compromised, but broader societal questions remain unresolved. | medium |
| 02 | This case, like many before it, shines a harsh light on the pervasive issue of corporate data stewardship in an era of rampant data collection. | high |
| 03 | The exposure of such a vast quantity of personal information, including highly sensitive Social Security numbers, by healthcare-related entities underscores a profound vulnerability at the intersection of commerce, technology, and personal privacy. | high |
| 04 | Large-scale data breaches can be seen not merely as failures of the system, but as predictable outcomes within a system that often prioritizes profit and operational efficiency over comprehensive safeguards. | high |
| 05 | The legal and financial repercussions, often resolved through settlements that include no admission of guilt, can become factored in as a cost of doing business rather than a catalyst for fundamental change. | high |
| 06 | Without a balance between profit pursuit and commitment to protecting individuals whose data fuels the modern economy, the economic and personal toll of these incidents will continue to mount, borne disproportionately by the public. | high |
Timeline of Events
April 2023
Data Security Incident occurs at WellNow Urgent Care and affiliated companies, exposing personal information of approximately 597,001 individuals
2025
Class action lawsuit filed by Genevieve Tambroni, John Lattimore, and other plaintiffs against WellNow, Physicians Immediate Care, and Aspen Dental entities
April 1, 2025
Court grants preliminary approval of class action settlement, finding it fair, reasonable, and adequate
April 11, 2025
Defendants required to provide class list to settlement administrator
May 12, 2025
Notice sent to affected Settlement Class Members
July 11, 2025
Deadline for class members to object, request exclusion, or submit claims
July 18, 2025
Class Counsel files fee award petition and final approval motion
August 15, 2025
Final Fairness Hearing scheduled at 11:00 a.m. via Zoom videoconference
Direct Quotes from the Legal Record
QUOTE 1
Scale of Social Security Number Exposure
allegations
“The approximately 55,131 Settlement Class Members whose personal information, including Social Security numbers, was impacted in the Data Security Incident.”
💡 This reveals that over 55,000 individuals had their most sensitive identifier compromised, creating heightened identity theft risks.
QUOTE 2
Total Scope of Data Breach
allegations
“The approximately 541,870 individuals within the United States of America whom Defendants have identified as having Non-Social Security number personal information exposed to unauthorized third parties as a result of the Data Security Incident.”
💡 This shows the massive scale of the breach, with over half a million additional people having their personal data exposed beyond those whose Social Security numbers were compromised.
QUOTE 3
No Admission of Wrongdoing
accountability
“The Court recognizes that, pursuant to the Settlement Agreement, Defendants retain all rights to object to the propriety of class certification in the Civil Action in all other contexts and for all other purposes should the settlement not be finally approved.”
💡 The defendants maintain their legal position and make no admission that they did anything wrong, despite nearly 600,000 people having their data exposed.
QUOTE 4
Settlement Avoids Full Litigation
accountability
“The Court further recognizes that, pursuant to the Settlement Agreement, if the settlement is terminated then Representative Plaintiffs will dismiss this action without prejudice and the Parties will resume the arbitration proceedings, not litigate in this Court.”
💡 If the settlement falls through, the case would not proceed to public trial but would instead move to private arbitration, limiting public scrutiny.
QUOTE 5
Binding on All Class Members
accountability
“Settlement Class Members shall be bound by all determinations and orders pertaining to the Settlement, including the release of all claims to the extent set forth in the Settlement Agreement, unless such persons request exclusion from the Settlement Class in a timely and proper manner.”
💡 Unless victims actively opt out by the deadline, they will be bound by the settlement terms and release all claims against the companies.
QUOTE 6
Litigation Freeze During Settlement
accountability
“Pending the final determination of the fairness, reasonableness, and adequacy of the proposed Settlement Agreement, no Settlement Class Member may prosecute, institute, commence, or continue any lawsuit with respect to the Released Claims against the Released Parties.”
💡 Victims are prohibited from pursuing their own legal action while the settlement is being finalized, limiting their options for individual recourse.
QUOTE 7
Arm’s Length Negotiation Finding
allegations
“There is good cause to find that the Settlement Agreement was negotiated at arm’s length between the Parties, who were represented by experienced counsel.”
💡 The court legitimizes the settlement based on the negotiation process, though this does not address whether the underlying security practices were adequate.
QUOTE 8
Two-Tier Victim Classification
economic
“SSN Class Members are eligible to submit a Claim for SSN Settlement Benefits from the SSN Settlement Fund. Non-SSN Class Members are eligible to submit a Claim for Non-SSN Settlement Benefits.”
💡 The settlement acknowledges that different types of data exposure create different levels of harm, with Social Security number victims receiving access to a separate settlement fund.
QUOTE 9
Healthcare Entity Involvement
health
“Defendants WellNow Urgent Care, P.C., Physicians Immediate Care, LLC, Physicians Immediate Care Chicago, P.C., Aspen Dental Management, Inc., and ADMI Corp. d/b/a TAG – The Aspen Group.”
💡 These are significant healthcare providers, meaning the breach likely involved protected health information and medical data, not just financial information.
QUOTE 10
Strict Objection Requirements
accountability
“Any Settlement Class Member who fails to comply with the requirements for objecting in paragraph 4.1 of the Settlement Agreement shall waive and forfeit any and all rights he or she may have to appear separately and/or to object to the Settlement Agreement.”
💡 Victims who fail to follow exact procedures for objecting will lose their right to challenge the settlement, creating barriers to dissent.
QUOTE 11
Exclusion Consequences
economic
“Any person in the Settlement Class who elect to be excluded shall not: (a) be bound by any orders or the Final Approval Order; (b) be entitled to relief under the Settlement Agreement; (c) gain any rights by virtue of the Settlement Agreement; or (d) be entitled to any aspect of the Settlement Agreement.”
💡 Victims who opt out receive no compensation but preserve their right to sue independently, forcing them to choose between settlement benefits and future legal rights.
QUOTE 12
Prohibited Mass Opt-Outs
accountability
“No person within the Settlement Class, or any person acting on behalf of, in concert with, or in participation with that person within the Settlement Class, may request exclusion from the Settlement Class of any other person within the Settlement Class.”
💡 The settlement prohibits coordinated opt-out efforts, preventing victims from organizing collective action outside the settlement framework.
QUOTE 13
Court Retains Ongoing Jurisdiction
accountability
“The Court will have continuing jurisdiction over the Civil Action for the purpose of implementing the settlement until the Civil Action and all related matters are fully resolved, and for enforcement of the settlement the Settlement Agreement and final order thereafter.”
💡 The court maintains control over enforcement, ensuring the settlement is implemented but also potentially limiting victims’ ability to challenge issues that arise later.
QUOTE 14
Discovery Suspended
accountability
“All discovery and other proceedings in the Civil Action as between Representative Plaintiffs and Defendants are stayed and suspended until further order of the Court except such actions as may be necessary to implement the Settlement Agreement and this Order.”
💡 The legal investigation into what happened and why is halted, preventing further public disclosure of the defendants’ security practices and decision-making.
QUOTE 15
Preliminary Class Certification Finding
allegations
“For settlement purposes only, the Court finds that the prerequisites to class action treatment under 735 ILCS 5/2-801 – including numerosity, commonality and predominance, adequacy, and appropriateness of class treatment of these claims – have been preliminarily satisfied.”
💡 The court finds the case suitable for class treatment, enabling a collective resolution but also meaning individual circumstances may not be fully addressed.
Frequently Asked Questions
What happened in the WellNow data breach?
Unauthorized third parties gained access to personal information of approximately 597,001 individuals through a Data Security Incident at WellNow Urgent Care and affiliated companies including Physicians Immediate Care and Aspen Dental Management. For about 55,131 people, this included their Social Security numbers, while the remaining 541,870 individuals had other personal information exposed.
What types of information were exposed?
The breach exposed two categories of data. For SSN Class Members, the compromised information included Social Security numbers along with other personal information. For Non-SSN Class Members, other forms of personal information were exposed, likely including names, addresses, dates of birth, and potentially health-related information given these are healthcare entities.
How much compensation will victims receive?
The settlement creates two tiers of benefits. SSN Class Members whose Social Security numbers were compromised are eligible for SSN Settlement Benefits from a dedicated SSN Settlement Fund. Non-SSN Class Members can submit claims for Non-SSN Settlement Benefits. The specific dollar amounts are not detailed in the preliminary approval order, but typically these settlements cover credit monitoring, documented expenses, and limited compensation for time and inconvenience.
When is the deadline to file a claim?
Class members must submit their claims by July 11, 2025. This is also the deadline to object to the settlement or request exclusion from the class. Missing this deadline means losing the right to receive settlement benefits or to challenge the agreement.
Will the companies admit they did something wrong?
No. The settlement agreement allows the defendants to resolve the case without admitting any wrongdoing or liability. The court order explicitly states that defendants retain all rights to object to class certification if the settlement is not approved, preserving their legal position that they did nothing improper.
Can I sue the companies separately if I opt out?
Yes, but with limitations. If you request exclusion by July 11, 2025, you will not be bound by the settlement and preserve your right to sue independently. However, the settlement agreement indicates that if you opt out, the case would likely proceed to arbitration rather than court litigation. If you do not opt out, you release all claims against the companies and cannot sue them later for this breach.
What are the risks of identity theft from this breach?
For the 55,131 individuals whose Social Security numbers were exposed, the risks are particularly high. Social Security numbers can be used to open fraudulent financial accounts, file false tax returns, obtain credit in your name, and cause long-term damage to your credit score. For the larger group with other data exposed, risks include targeted phishing, account takeover, and potential discrimination or embarrassment if health information was included.
How do I know if my data was affected?
Affected individuals should receive notice by May 12, 2025. The settlement administrator, Kroll Settlement Administration LLC, is responsible for sending notifications to all class members identified by the defendants. If you were a patient at WellNow Urgent Care, Physicians Immediate Care, or Aspen Dental facilities and have not received notice by mid-May 2025, you should contact the settlement administrator directly.
What can I do to protect myself now?
Monitor your credit reports from all three bureaus regularly for suspicious activity. Consider placing a fraud alert or credit freeze on your credit files. Watch for phishing emails or calls from people claiming to be from financial institutions. Keep detailed records of any suspicious activity or time spent dealing with potential fraud. If you are eligible for credit monitoring through the settlement, enroll immediately. File your taxes early to prevent fraudulent returns in your name.
Why did this breach happen?
The preliminary court order does not detail the specific causes of the Data Security Incident. However, the scale of the breach affecting nearly 600,000 individuals suggests that the security safeguards in place were insufficient to prevent unauthorized access. The settlement structure avoids full litigation, meaning the specific failures in the companies’ cybersecurity practices, decision-making about security investments, and response protocols may never be publicly disclosed.
💡 Explore Corporate Misconduct by Category
Corporations harm people every day — from wage theft to pollution. Learn more by exploring key areas of injustice.
- 💀 Product Safety Violations — When companies risk lives for profit.
- 🌿 Environmental Violations — Pollution, ecological collapse, and unchecked greed.
- 💼 Labor Exploitation — Wage theft, worker abuse, and unsafe conditions.
- 🛡️ Data Breaches & Privacy Abuses — Misuse and mishandling of personal information.
- 💵 Financial Fraud & Corruption — Lies, scams, and executive impunity.
