
Rebound Orthodontist Sold Its Patients’ Private Data for $75 an Apology

Your Doctor Sold Your Secrets for $75

What They Took That Money Cannot Replace

Before we get to the numbers and the legal language and the carefully worded denials, let’s talk about what actually happened to real people.

You went to Rebound Orthopedics & Neurosurgery because something was wrong with your body. Maybe your knee needed surgery. Maybe a sports injury refused to heal. Maybe you needed an MRI, or physical therapy, or a neurosurgical consultation that terrified you. You went because you trusted them with your health. You filled out their forms. You handed over your Social Security number because they asked. You disclosed your health insurance. You gave them your financial account information because that’s what you do when you need care and the system demands it.

You did not consent to any of this leaving the building. You did not sign a form authorizing strangers on the internet to access your medical records. You did not agree to have your diagnosis, your insurance plan ID, your HSA balance, and your driver’s license number bundled together in a file that could be opened by anyone who got into the system.

But that’s what happened on February 1, 2024. Hackers got in. The files were accessed. And Rebound knew.

They knew for two and a half months before they told you. Seventy-five days, give or take, during which the people who stole your data had a head start. During which you had no idea that someone might already be using your Social Security number, or that your health insurance ID might be circulating on the dark web. During which you were still trusting Rebound with your body, not knowing they had already failed to protect your information.

That delay is not a technicality. In the world of identity theft, time is everything. The faster a victim knows, the faster they can freeze their credit, alert their bank, monitor their medical records for fraudulent claims. Every day of silence is a day the thief has the advantage.

When Rebound finally did send notices in April 2024, those letters did not come with an admission of failure. They came with the kind of corporate language designed to minimize alarm. And now, more than a year later, the company has settled a lawsuit without admitting it did a single thing wrong.

The settlement offers you a maximum of $75 if you can’t prove documented losses. Seventy-five dollars for your medical history. Seventy-five dollars for your Social Security number. Seventy-five dollars for your health insurance information and your financial accounts and your diagnosis and every private thing you shared with a doctor because you were sick and scared and needed help.

The lawyers will get up to one-third of the $2.5 million fund. That’s roughly $833,000. The nine people whose names are on the lawsuit get $2,000 each. The company that exposed your data gets to walk away without ever saying it was sorry, without ever saying it was wrong, and with a court order permanently barring you from ever bringing this up again.

That is the non-financial ledger. That is the real cost of what happened. The betrayal of a patient who trusted a medical provider. The months of uncertainty. The permanent loss of legal recourse. The quiet indignity of being told your most private information is worth, at most, seventy-five dollars.


Visual 1: Timeline of the Rebound Data Breach — From Attack to Settlement

  • Feb 1, 2024: Cyberattack discovered
  • Apr 15, 2024: Notice letters sent to patients (~75 days later)
  • Feb 7, 2025: First lawsuit filed (~10 months later)
  • Jun 23, 2025: Consolidated class complaint (~4 months later)
  • Sep 26, 2025: Settlement agreement (~3 months later)

Legend: Corporate Failure / Misconduct; Legal / Judicial Action; Settlement

The Documents That Prove It

These are direct quotes from the official settlement agreement filed in Clark County Superior Court. Not paraphrases. Not summaries. The actual words.

“On or about February 1, 2024, Defendant discovered it was experiencing a cyberattack on its computer systems which may have resulted in unauthorized access to certain files within those systems. The files accessed may have included the following Private Information: some combination of [full names, dates of birth, Social Security numbers, driver’s license numbers,] medical information, health insurance information, and financial account information.”

— Settlement Agreement, Section I, Paragraph 2
  • This paragraph confirms that Rebound knew about the attack on February 1, 2024, and that the breach covered the full spectrum of sensitive data: government IDs, medical records, insurance details, and financial accounts simultaneously.
  • The phrase “may have included” is corporate hedging language. The settlement was still reached for $2.5 million, which signals the parties understood the exposure was real and serious.
“On April 15, 2024, Defendant began sending notice letters to affected individuals regarding the Data Incident.”

— Settlement Agreement, Section I, Paragraph 3
  • This is a confession of a 74-day gap between discovery and notification. Under Washington and Oregon law, breach notification is required “in the most expedient time possible.” Whether that 74-day gap constitutes a violation is exactly the kind of question the settlement permanently forecloses.
  • During those 74 days, every affected patient was walking around unaware that their most sensitive personal data had potentially been compromised.
“Defendant does not in any way acknowledge, admit to, or concede any of the allegations made in the Complaint, and expressly disclaims and denies any fault or liability, or any charges of wrongdoing that have been or could have been asserted in the Complaint. Nothing contained in this Agreement shall be used or construed as an admission of liability.”

— Settlement Agreement, Section I, Paragraph 9
  • This is the standard “we’re paying millions but we didn’t do anything wrong” clause. It is inserted in virtually every corporate class action settlement to prevent the settlement itself from being used as evidence of guilt in any future proceeding.
  • Rebound paid $2.5 million and agreed to provide two years of monitoring services, but legally maintains the position that nothing bad happened and that they bear no responsibility for it.
“Each Party expressly waives all rights under California Civil Code section 1542, which provides: A GENERAL RELEASE DOES NOT EXTEND TO CLAIMS THAT THE CREDITOR OR RELEASING PARTY DOES NOT KNOW OR SUSPECT TO EXIST IN HIS OR HER FAVOR AT THE TIME OF EXECUTING THE RELEASE AND THAT, IF KNOWN BY HIM OR HER, WOULD HAVE MATERIALLY AFFECTED HIS OR HER SETTLEMENT WITH THE DEBTOR OR RELEASED PARTY.”
— Settlement Agreement, Section XIII, Paragraph 104
  • California Civil Code section 1542 exists specifically to protect people from unknowingly releasing claims for harms they haven’t discovered yet. By waiving it, class members are agreeing they can never sue Rebound for data-breach-related harm they discover in the future, even if that harm hasn’t surfaced yet.
  • This waiver applies even to Washington and Oregon residents via equivalent state-law provisions listed in the agreement (Montana Code Ann. § 28-1-1602; North Dakota Cent. Code § 9-13-02; South Dakota Codified Laws § 20-7-11). The breadth of this waiver is extraordinary for a case where the full downstream harm of a medical data breach can take years to materialize.
  • Medical identity theft, in particular, can surface years later as fraudulent insurance claims, incorrect medical records, or unexpected debt. By signing onto this settlement (or simply failing to opt out), class members hand Rebound permanent immunity from all of that.
“Cash Payment B — Alternate Cash: As an alternative to Cash Payment A — Documented Losses above, a Settlement Class Member may elect to receive Cash Payment B — Alternate Cash, which is a cash payment in an estimated amount of $75.00.”

— Settlement Agreement, Section V, Paragraph 69(b)
  • This is the baseline compensation Rebound’s legal team determined was sufficient for patients who cannot document specific fraud losses. Seventy-five dollars is the price assigned to your Social Security number, your medical diagnosis, your insurance plan, and your financial account data combined.
  • The $75 figure is also described as “estimated” and subject to pro rata reduction if too many people file claims. Depending on class size and claims volume, the actual payment could be lower.
“Class Counsel will ask the Court to approve up to one-third of the Settlement Fund as reasonable attorneys’ fees, plus litigation costs.”

— Settlement Agreement, Exhibit 2 (Long Form Notice), Section 14
  • One-third of $2,500,000 is approximately $833,333. That is the maximum attorneys’ fee request, paid out of the same fund that is supposed to compensate breach victims.
  • Each of the nine named class representatives receives a $2,000 service award, also paid from the same fund, for a total of $18,000 in representative payments.
  • Settlement administration costs (postcard mailing, website operation, phone lines, claims processing) are also paid from the fund before any money reaches class members. The settlement document does not specify what those costs are projected to be.

Visual 2: Anatomy of the $2,500,000 Settlement Fund — Where the Money Goes

  • Total settlement fund: $2,500,000.00
  • Attorneys’ fees: up to 1/3 of fund (~$833,333)
  • Admin costs: mailing, website, processing (undisclosed)
  • Service awards: 9 plaintiffs x $2,000 ($18,000)
  • Class member cash: ~$75 per person (pro rata, may decrease)
  • Medical data monitoring (also from fund): 2 years of CyEx Medical Shield Complete per enrollee
  • Distribution priority per settlement: Admin Costs → Atty Fees → Monitoring → Cash Payments. Cash payments are last priority and subject to pro rata reduction.

The Damage That Doesn’t Show Up in the Settlement

Public Health

The exposure of medical records creates a category of harm that goes far beyond financial loss. When health data is compromised, the consequences are physical, not just financial.

  • Medical identity theft, where a thief uses stolen health insurance credentials to receive care or medication, directly corrupts the victim’s medical record. A fraudulent diagnosis or medication listed in your chart could lead a doctor to make incorrect treatment decisions about your real health, with potentially life-threatening consequences.
  • The breach exposed healthcare insurance plan IDs and beneficiary identifier codes. With these details, thieves can file fraudulent claims, drain benefits limits, and leave real patients unable to access covered care — a direct interference with healthcare access.
  • Health Savings Account (HSA) information was among the data categories potentially compromised. HSAs contain real money that patients designate specifically for medical expenses. Fraudulent access to an HSA can leave a patient without funds to cover copays, prescriptions, and treatments when they need them most.
  • The International Classification of Disease (ICD) codes exposed in this breach are diagnostic codes. Thieves who obtain these codes know exactly what conditions you have been diagnosed with, creating a permanent information asymmetry that can affect insurance applications and employment decisions for years.
  • The settlement offers two years of medical data monitoring — but the health records exposed in this breach will exist in the world permanently. Monitoring for two years addresses a fraction of the lifetime exposure risk created by the breach.

Economic Inequality

The structure of this settlement, like most corporate data breach settlements, places the heaviest burden on the people least equipped to navigate it.

  • To claim the maximum $5,000 under Cash Payment A, victims must produce third-party documentation of specific losses: receipts, invoices, and records of fraud. People living paycheck to paycheck, who lack the time or resources to compile documentation, or who do not have the financial literacy to navigate a claims process, will default to the $75 baseline or receive nothing.
  • Class members who fail to submit any claim by the deadline receive zero cash compensation but are still permanently bound by the settlement’s release of claims. Inaction does not protect rights; it surrenders them without any benefit in return.
  • The settlement agreement specifies that residual funds from uncashed checks or unclaimed digital payments go to the Legal Foundation of Washington and the Clark County Volunteer Lawyers Program. This means the less engaged the class members are, the more money flows away from victims and toward institutions, however worthy those institutions may be.
  • The Social Security numbers and financial account data exposed in this breach are disproportionately dangerous for people with lower credit scores and fewer financial buffers. A wealthy person can absorb the disruption of a compromised bank account; a working-class patient who lives paycheck to paycheck may face overdraft fees, bounced payments, and credit score damage they cannot quickly repair.
  • Attorneys’ fees of up to $833,333 are drawn from the same $2.5 million fund meant to compensate victims, meaning every dollar paid to class counsel is a dollar not available to the people whose medical data was exposed. The structure prioritizes professional fees before patient cash payments in the disbursement order the agreement itself specifies.

Visual 3: What Rebound’s Patients Were Promised vs. What the Settlement Actually Delivers

  • What was claimed: “Your data is protected in our secure systems.” The reality: Hackers accessed names, SSNs, medical records, financial accounts.
  • What was claimed: Implied: prompt notification if a breach occurs. The reality: 74 days passed before patients received any notice letter.
  • What was claimed: “Up to $5,000 for your losses.” The reality: Requires receipts and third-party proof. Most victims get $75.
  • What was claimed: “2 years of medical monitoring to protect your future.” The reality: Your health records exist forever. 2 years covers a fraction of the risk.
  • What was claimed: “Rebound takes no responsibility” (implied by “no admission” clause). The reality: You permanently waive all current AND future claims against them.
  • What was claimed: “This settlement is for all class members’ benefit.” The reality: Attorneys receive up to $833K. Victims receive an estimated $75.

The Number That Says Everything

Visual 4: Who Controls What in This Settlement — Relationship Map

  • Rebound Orthopedics (Defendant / Data Holder): pays $2.5M into the Settlement Fund ($2,500,000, non-reversionary)
  • Settlement Fund → Class Counsel (Tousley Brain Stephens; Kopelowitz Ostrow / Shamis): up to $833K
  • Settlement Fund → Simpluris (Settlement Administrator): admin costs
  • Settlement Fund → 9 Named Plaintiffs: $18K ($2,000 each, service award)
  • Settlement Fund → Class Members (breach victims: patients): ~$75/person est. / up to $5K w/ docs

Legend: Defendant; Legal / Admin Parties; Breach Victims

Your Options Before the Deadline Closes

The settlement is not yet final. Court approval is still pending. That means there is still a window to act, but it requires moving before court-set deadlines that have not yet been publicly announced at the time of this reporting.

The People Running Rebound

  • The defendant is legally identified as Northwest Surgical Specialists, a Washington Professional Service Corporation, doing business as Rebound Orthopedics & Neurosurgery P.C. The individual who signed the settlement agreement is identified only by the title “C.E.O.” (the name appears as “Klucevek” in the digital signature block, though the document’s scan quality makes full name confirmation from source material alone uncertain). No other executive names are provided in the settlement documents.
  • Defense counsel: Michael Jervis of Mullen Coughlin LLC, 426 W. Lancaster Avenue, Suite 200, Devon, PA 19333 (mjervis@mullen.law).

Watchlist: Agencies That Should Hear About This

  • Washington State Attorney General’s Office: The Washington Consumer Protection Act is one of the claims in this case. File a complaint at atg.wa.gov. The AG’s office has jurisdiction over data breach violations affecting Washington residents.
  • Oregon Department of Justice: The complaint also alleges violations of the Oregon Unlawful Trade Practices Act. Oregon patients should file at oregonconsumer.gov.
  • Federal Trade Commission (FTC): The FTC handles identity theft complaints and data security enforcement. Report at reportfraud.ftc.gov. The FTC’s IdentityTheft.gov also has step-by-step recovery plans for breach victims.
  • Department of Health and Human Services Office for Civil Rights (HHS OCR): Medical data breaches may implicate HIPAA. File a complaint at hhs.gov/ocr. HHS OCR can investigate whether Rebound’s security practices met federal healthcare data protection standards.
  • Consumer Financial Protection Bureau (CFPB): If you have experienced financial fraud connected to this breach, the CFPB handles complaints at consumerfinance.gov/complaint.

What You Can Do Right Now

  • If you received a notice letter from Rebound about the February 2024 data incident, you are almost certainly a class member. Check your mail and email carefully for postcard notices from the settlement administrator (Simpluris) and any correspondence referencing Case No. 25-2-00545-06.
  • Visit the settlement website once it is live (it will be listed on the postcard notice) and submit your claim before the deadline. If you have documented losses from identity theft or fraud since February 1, 2024, gather your receipts and file under Cash Payment A for up to $5,000. If not, the $75 Cash Payment B requires no documentation.
  • Consider opting out if you believe your losses are substantial and you want to preserve the right to pursue your own legal action. Opting out by the published deadline means you are not bound by the settlement’s release of claims, but you also receive no settlement benefits.
  • Freeze your credit at all three major bureaus immediately if you have not already done so. Equifax, Experian, and TransUnion all offer free credit freezes. A freeze prevents new accounts from being opened in your name without your explicit unfreeze authorization.
  • Review your medical records and insurance explanation-of-benefits statements for any services you did not receive. Contact your health insurer directly if you find unfamiliar claims, as these can signal medical identity theft.
  • Connect with local legal aid organizations if you need help navigating the claims process. The Clark County Volunteer Lawyers Program (ccvlp.org) is identified in this very settlement agreement as a cy pres recipient — they serve the community this case involves.
  • Talk to neighbors, coworkers, and family members who receive care at Rebound locations in Washington and Oregon. Many people ignore these settlement notices because they do not understand them. Share this article. Help others file claims before the window closes.
Corporations count on you not filing a claim. Every uncashed check, every missed deadline, every patient who ignores the postcard and does nothing — that is money that stays in the fund and eventually flows somewhere other than your pocket. Filing takes twenty minutes. The deadline does not move for anyone who misses it.

The source document for this investigation is attached below.

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.

Learn more about my research standards and editorial process by visiting my About page
