
“They Took Our Data and Gave Us $50”: Patients Fight Back Against Medical Center Barbour

A hospital entrusted with your most intimate secrets (your Social Security number, your medical diagnoses, your biometric data) suffered a cyberbreach affecting patients and employees, sat on that information for nearly ten months, and then offered survivors a choice: fight a corporation in court for years, or accept fifty dollars ($50, roughly the cost of two fast-food family meals) and go away forever.

The Breach

Your Medical Secrets, Someone Else’s Property

On or about October 29, 2023, cybercriminals forced their way into the data systems of MCBH, LLC, doing business as Medical Center Barbour, a hospital serving the community of Eufaula, Alabama. The attackers gained access to a stockpile of private information that no stranger should ever hold: full legal names, Social Security numbers, driver’s license and state ID numbers, passport numbers, dates of birth, home addresses, medical records, biometric data, and health insurance information.

This was not a breach of loyalty card points or a streaming service password. This was the complete profile a criminal needs to steal an identity, drain a bank account, commit medical fraud, or ruin a credit history for years. The people whose data MCBH was supposed to protect were its own patients and employees, people who handed over that information because they had no other choice.

MCBH sent written notice of the breach in August 2024, approximately nine to ten months after the attack occurred. That means for the better part of a year, affected individuals had no idea their most sensitive information had potentially been in criminal hands.

“Cybercriminals were able to access MCBH’s data systems and potentially access information belonging to MCBH’s current and former patients and employees.”
— Settlement Agreement, Section I

Ten Months of Silence, Then a Check Worth a Delivery Fee

The three representative plaintiffs, Lucy Calton, Teretha Spann, and Chaka Ford, all received notices from MCBH confirming their private information was potentially compromised. They allege they would never have handed over their data if they had known MCBH would fail to protect it with even the most basic security measures. That is the core allegation at the heart of this case: the hospital collected extraordinarily sensitive data and, according to the plaintiffs, failed to implement and maintain basic security measures to protect it.

Rather than fight the case to verdict, MCBH and the plaintiffs settled on March 5, 2025, after a full day of mediation. The result is a settlement offering victims a maximum of $5,000 ($5,000 could cover about two weeks of groceries for a family of four for a year, if they’re lucky) in documented expenses, or the simpler option: a flat $50 ($50 is what most people spend on a single tank of gas) with no paperwork required. The entire cash compensation pool for all victims combined is capped at $300,000 ($300,000 is roughly the median American household income for about five years).

Follow the Money

Who Actually Gets Paid: The Numbers Don’t Lie

The chart above makes it visceral. The lawyers who negotiated this deal can receive up to $300,000 ($300,000 is what a working-class family would need to save for roughly 10 to 15 years) in fees and costs, a sum equal to the entire capped pool available to every single victim combined. Three representative plaintiffs receive a $1,500 service award each ($1,500 barely covers one month of rent in most American cities) for their trouble. Everyone else gets to fight over whatever is left of $300,000, divided by the number of people who file claims.

If claims come in high and the fund gets prorated downward, that $50 flat payment could shrink further. The settlement document is explicit: “The amount of the Alternative Cash Payment will be decreased on a pro rata basis.” The floor is $50, but it is not guaranteed.

The Human Cost

The Non-Financial Ledger: What No Check Can Cover

They Came to You for Care. You Gave Them Exposure.

When you walk into a hospital, you surrender information you would never hand to a stranger on the street. You give them your Social Security number. You tell them about your diagnoses, your medications, your body. You provide your passport number, your insurance details, your address, the place you sleep at night. You do this because you have no choice; the healthcare system demands it. The implicit contract is that the institution receiving this information treats it with the gravity it deserves. Medical Center Barbour, according to the three people who brought this lawsuit, broke that contract entirely.

The breach captured biometric information. Biometric data (fingerprints, retinal scans, facial recognition markers) cannot be changed the way a password or a credit card number can. Once that data exists in criminal hands, it exists there permanently. A person whose biometric data has been compromised carries that vulnerability for the rest of their life. No settlement check, no credit monitoring service, and no corporate apology reaches that dimension of harm. The $50 being offered here does not touch it.

Consider what it means to know, in the abstract, that someone, somewhere, may have your Social Security number, your date of birth, your home address, your medical records, and your biometric data simultaneously. This is the complete toolkit for identity theft, medical fraud, insurance fraud, and targeted harassment. The psychological weight of living under that uncertainty, checking accounts, watching for fraudulent medical claims, worrying about what doors may be opened in your name without your knowledge, is real, daily, and uncompensated. The settlement does acknowledge lost time at a rate of $25 per hour for up to three hours, a maximum of $75, as part of the capped expense reimbursement. That is the dollar value this settlement places on the hours of anxiety, phone calls, and credit-freeze paperwork that victims must navigate.

The Ten-Month Gap and What It Cost Victims in Real Time

The breach happened in late October 2023. Notification went out in August 2024. That is approximately ten months during which victims had no idea their data had potentially been accessed. During that window, they could not freeze their credit proactively. They could not monitor for fraudulent medical claims filed under their insurance. They could not change compromised identification numbers because they did not know anything was wrong. Any fraud committed in that ten-month gap happened with the victim completely in the dark, through no fault of their own.

The settlement acknowledges reimbursement for credit monitoring purchased before the effective date, with certification that it was purchased “primarily as a result of the Data Incident.” But for those ten months, there was nothing to react to. Victims who suffered financial harm during that window of silence, and who can prove it with documentation that is not “self-prepared,” may recover up to $5,000 ($5,000 is roughly what many Americans spend on healthcare out-of-pocket in a single year). Everyone else gets $50 and signs away all future claims. The weight of that asymmetry is not measured in dollars.

Straight From the Document

Legal Receipts: Their Words, Not Ours

The following passages come directly from the settlement agreement. Read them carefully. Then decide what $50 is worth to you.

“Representative Plaintiffs allege Defendants failed to implement and maintain basic security measures to adequately protect their Private Information.” — Settlement Agreement, Section I: The Action
“This information included both highly sensitive personally identifiable information (‘PII’) and private health information (‘PHI’), and included full names, Social Security numbers, driver’s license or state identification information, passport numbers, dates of birth, addresses, medical information, biometric information, and health insurance information.” — Settlement Agreement, Section I: Definition of ‘Private Information’
“Settlement Class Members can elect to make a claim for a Fifty Dollar ($50.00) Alternative Cash Payment in lieu of the settlement benefits outlined in ¶ 2.1. To receive this benefit, Settlement Class Members must submit a Valid Claim using the Claim Form, but no documentation is required to make a claim. The amount of the Alternative Cash Payment will be decreased on a pro rata basis, depending upon the number of valid claims filed and the amount of funds available for these payments.” — Settlement Agreement, Section 2.2: Alternative Cash Payment
“Released Claims collectively means any and all past, present, and future liabilities, rights, claims, counterclaims, actions, causes of action, demands, damages, penalties, costs, attorneys’ fees, losses, and remedies, whether known or unknown, existing or potential, suspected or unsuspected, liquidated or unliquidated, legal, statutory, or equitable, that result from, arise out of, or are based upon the Data Incident.” — Settlement Agreement, Section 1.22: Definition of ‘Released Claims’
“Settlement Class Members, including Representative Plaintiffs, may hereafter discover facts in addition to, or different from, those that they, and any of them, now know or believe to be true with respect to the subject matter of the Released Claims, but Representative Plaintiffs shall have, and each of the other Settlement Class Member shall be deemed to have… fully, finally and forever settled and released any and all Released Claims.” — Settlement Agreement, Section 1.29: Unknown Claims
“Defendants deny each and all of the claims and contentions alleged against them in the Action. Defendants deny all charges of wrongdoing or liability.” — Settlement Agreement, Section III: Denial of Wrongdoing and Liability

That last clause in the Unknown Claims section deserves a second read. By accepting this settlement, victims permanently release MCBH from claims they may not even know they have yet. The document explicitly forces victims to waive protections under California Civil Code § 1542 and equivalent laws in other states, protections specifically designed to prevent exactly this kind of blanket release of undiscovered future harm.

Societal Impact

Societal Impact Mapping: The Bigger Picture

Public Health: When Medical Records Become a Weapon

Medical data is among the most dangerous categories of personal information that can be exposed. The breach at Medical Center Barbour included not just names and Social Security numbers but full medical information and health insurance data. Medical identity theft, where criminals use stolen health data to file fraudulent insurance claims, obtain prescriptions, or receive care under a victim’s name, can corrupt a person’s medical records with false diagnoses, incorrect medications, and procedures they never received. A doctor treating you in an emergency could be working from a record that a criminal polluted years before.

Health insurance information in criminal hands enables fraudulent claims that can exhaust a victim’s annual benefit limits, leaving them to pay out of pocket for legitimate care they urgently need. The people most likely to be patients of a regional hospital serving Eufaula, Alabama, a rural community, are often people with fewer financial resources, less access to legal help, and fewer options to absorb that kind of damage. The community Medical Center Barbour serves is precisely the community least equipped to recover from the downstream consequences of this breach.

The settlement offers two years of single-bureau credit monitoring as a remedy. Credit monitoring watches for financial fraud but offers no protection against medical identity theft, which occurs in systems the credit bureaus do not track. The specific harm most likely to flow from a breach of this type falls entirely outside the monitoring window the settlement provides.

Economic Inequality: A $50 Settlement in a Community That Can’t Afford It

Eufaula, Alabama is a small city in Barbour County, a region with median household incomes well below the national average and limited access to the legal and financial infrastructure that wealthier communities take for granted. The people whose data MCBH exposed are not hedge fund managers who can absorb identity theft. They are workers, retirees, people on fixed incomes, and families stretching a paycheck. For these individuals, a fraudulent account opened in their name, an insurance claim denied because of polluted medical records, or a credit score tanked by unauthorized activity is not a nuisance. It is a financial catastrophe.

The settlement’s claims process compounds this inequality. The expense reimbursement option, worth up to $5,000 ($5,000 could cover a month’s mortgage payment for many American families), requires documentation that is not “self-prepared,” meaning receipts, bank records, and paper trails that people in financial precarity often struggle to produce or retain. The $50 flat option exists precisely because the barrier to the real money is too high for most people to clear. The design of the payout structure, whether intentional or not, systematically channels the most vulnerable claimants toward the lowest possible payment.

Meanwhile, the attorneys representing the class, experienced law firms with offices in Birmingham and Washington, D.C., can collect up to $300,000 ($300,000 is roughly what a minimum-wage worker earns over 17 years of full-time work) in fees. The three representative plaintiffs receive $1,500 each ($1,500 is about a month’s rent in many mid-tier American cities). The ratio of legal compensation to victim compensation in this settlement is a clean illustration of how the class action system, at its worst, functions as a wealth transfer from harmed working people to credentialed professionals, with the corporation writing checks to both.

The Arithmetic of Accountability

The “Cost of a Life” Metric

You Have Options

What Now? Power Moves for Affected People

Know Your Choices Before You Sign Anything

If you received a notice from Medical Center Barbour about this breach, you are a potential Settlement Class Member. Before you do anything, understand what the settlement document itself says: if you cash a settlement check, you are permanently and forever giving up every legal claim against MCBH related to this breach, including claims you have not discovered yet. The deadline to opt out of the settlement class is 60 days after the Notice Commencement Date. If you opt out, you preserve the right to sue independently.

Regulatory Bodies With Jurisdiction Over This Mess

  • HHS Office for Civil Rights (OCR) — HIPAA enforcement authority over healthcare data breaches; file a complaint at hhs.gov/ocr
  • Federal Trade Commission (FTC) — Identity theft reporting and consumer protection; reportfraud.ftc.gov
  • Consumer Financial Protection Bureau (CFPB) — Financial fraud resulting from identity theft; consumerfinance.gov/complaint
  • Alabama Attorney General’s Office — State consumer protection and data breach notification law enforcement
  • State Insurance Commissioners — Medical insurance fraud resulting from breach of health insurance data

The Case for Opting Out

The settlement agreement itself acknowledges that Defendants can void the entire deal if 1,220 or more class members opt out. That number is a threshold worth noting: it suggests the corporation considers mass opt-outs a genuine threat. If you believe your harm exceeds $50, if your identity was actually stolen, if you have documented financial losses or corrupted medical records, consult an attorney before the opt-out deadline. Accepting $50 from MCBH closes every door.

Organize, Monitor, and Resist

Rural communities like Eufaula do not have to absorb corporate negligence alone. Connect with local mutual aid networks to share information about credit freeze resources and identity theft recovery. Contact your state legislators about strengthening Alabama’s data breach notification laws, which, as they currently stand, allowed a nine-to-ten-month notification delay in this case. Support patient advocacy organizations pushing for healthcare data security standards that have teeth. And if your data was breached, freeze your credit at all three bureaus today, for free, regardless of what you decide about this settlement.

The source document for this investigation is attached below.

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.