Your Social Security Number Was Left in an Inbox. Datavant Got a Deal. You Got $15.
A phishing attack exposed the most sensitive data imaginable for 58,309 people. The company that held it settled for $900,000, admits nothing, and wants to walk away clean.
The Non-Financial Ledger: What a Number on a Settlement Document Doesn’t Capture
Somewhere in the pile of 58,309 names inside that breached email account is a person who now has to wonder, every time they apply for credit, whether someone else already tried. There is a person who opened their mail one day in December 2024 and read a letter telling them that their Social Security number, their health records, their bank account information, and their passport number had all been sitting in a stranger’s inbox for some unknown period of time. The letter arrived seven months after it happened.
Seven months is a long time. It is long enough for a thief to open accounts you don’t know about yet. It is long enough for your health information to be sold, stored, and referenced in ways you will never trace. The breach was one day long. The exposure could be permanent.
Datavant’s response—both the delay in notification and the settlement structure itself—treats this harm as a cost of doing business. The $900,000 total fund, spread across all 58,309 class members, works out to roughly $15 per person in the absolute best-case scenario: one in which every single class member hears about the settlement, files the paperwork before the deadline, and receives only the pro-rata alternative cash payment. Most will receive less, because attorneys, administrative costs, and documented-loss claimants are all paid before the general fund is divided. Some will receive nothing because they never heard about the settlement at all, could not navigate the claims process, or missed the deadline.
These are not abstract people. They are patients whose health records traveled somewhere without their knowledge. They are workers who trusted a company with their driver’s license. They are people who now carry a free year of credit monitoring as a settlement benefit, which is itself an implicit acknowledgment that their data is at risk, handed to them by the same company that let it get taken.
Legal Receipts: What the Document Actually Says
“on or around May 9, 2024, Defendant discovered that it was the subject of a phishing email attack in which a threat actor gained access to a company email account between May 8, 2024 and May 9, 2024 and potentially accessed personal information stored therein.”
- This establishes the core event: a threat actor had active access to a company email account for at minimum one day. The word “potentially” does not limit the legal exposure; it is standard qualifying language in breach notifications.
- The personal information stored in that email account included Social Security numbers, financial account information, health information, and passport numbers. This is not a mailing list. This is the data set used to steal someone’s identity, their money, and their medical history.
“Defendant began notifying potentially impacted individuals about the Data Security Incident on or around December 6, 2024.”
- The breach was discovered on or around May 9, 2024. Notification began on or around December 6, 2024. That is approximately 211 days between discovery and notification.
- During that window, affected individuals had no way to place credit freezes, change account numbers, or monitor for fraud attributable to this specific incident because they did not know it had happened.
“This Agreement, whether or not consummated, and any actions or proceedings taken pursuant to this Agreement, are for settlement purposes only. Defendant specifically denies any and all wrongdoing.”
- This clause means the settlement, once approved, cannot be cited as evidence that Datavant did anything wrong in any future lawsuit, regulatory proceeding, or criminal investigation. The company pays $900,000 and exits with a clean legal record.
- The denial of wrongdoing combined with the no-admission clause is standard in class action settlements, but its practical effect is that 58,309 people whose data was breached receive compensation from a company that officially did nothing wrong.
“Defendant shall have the right to void the Settlement if more than 150 Class Members opt out of the Settlement.”
- One hundred and fifty opt-outs out of 58,309 class members is a threshold of 0.26%. If more than a quarter of one percent of affected individuals choose to preserve their individual right to sue, Datavant can cancel the entire agreement.
- This clause creates a structural pressure against class members opting out. If word spreads that opt-outs are approaching the threshold, the entire settlement collapses for everyone who was counting on it.
“Class Counsel will file a motion seeking an award of attorneys’ fees of up to 35% (thirty-five percent) of the Settlement Fund (i.e., $315,000), and, additionally, reasonably incurred litigation expenses and costs (i.e., Fee Award and Costs), not to exceed $30,000.”
- Before a single class member receives a dollar, up to $345,000 of the $900,000 fund can be removed for legal fees and costs. That is 38.3% of the total fund.
- This is not a critique of the lawyers; class action litigation is expensive and attorneys work on contingency. It is a description of what the math produces for affected individuals.
Public Deception: What Datavant Claimed vs. What the Record Shows
The settlement agreement documents a meaningful gap between Datavant’s public posture toward the breach and the reality documented in the litigation record.
- Claimed: Datavant “had appropriate cybersecurity safeguards in place at the time of the Data Security Incident.” Reality: A phishing attack succeeded in granting a threat actor full access to a company email account containing Social Security numbers, health records, and financial data. The claim of “appropriate safeguards” was made by the company after the safeguards demonstrably failed to prevent a basic phishing compromise.
- Claimed: “No one has been harmed as a result of the Data Security Incident.” Reality: The settlement agreement itself defines an entire class of harm-eligible individuals, allows claims for documented out-of-pocket losses up to $5,000, offers identity theft monitoring, and provides up to $1,000,000 in fraud insurance—all of which exist precisely because the harm from this type of exposure is real and documented.
Profit-Maximization at All Costs: The Math Behind the Settlement
The settlement structure reveals a calculus in which the total cost of compensating 58,309 people whose most sensitive data was breached was set at $900,000, which is less than $16 per person at maximum distribution.
- The total settlement fund is $900,000. Class counsel can seek up to $315,000 (35% of the fund) in attorney fees and up to $30,000 in costs. The class representative can receive up to $2,500 as a service award. All administrative expenses also come from the fund. The residual is what class members actually divide.
- In the scenario where attorney fees, costs, service award, and administrative expenses consume roughly $360,000 of the fund, the remaining $540,000 divided among 58,309 people produces less than $9.30 per person if every single class member filed a claim for the alternative cash payment. In practice, far fewer will claim, so individual amounts may be higher, but total class compensation stays the same.
- The settlement is structured on a non-reversionary basis, meaning Datavant cannot recover money once the effective date occurs. This is standard and appropriate. However, it does not change the fundamental dollar amount placed on the harm caused to 58,309 people.
How Capitalism Exploits Delay: 211 Days of Silence
The timeline between when Datavant discovered the breach and when it told the people affected is the most consequential fact in this case for the 58,309 people whose data was exposed.
- The breach was discovered on or around May 9, 2024. Notification of potentially impacted individuals began on or around December 6, 2024. That is approximately 211 days during which affected individuals could not take informed protective action specific to this breach.
- The types of data exposed—Social Security numbers, financial account information, health records, and passport numbers—are exactly the data types that enable fraudulent account openings, tax fraud, and medical identity theft, all of which can take months to detect and years to remediate.
- The settlement does not compensate class members for harm that occurred during the notification gap because the settlement extinguishes all claims. Any fraud committed using this data between May 2024 and December 2024 is included in the released claims, whether or not the affected individual knew it was happening.
Societal Impact Mapping: Who Gets Hurt and How
Public Health and Personal Safety
The exposure of health information alongside identity documents creates a specific category of harm that extends beyond financial fraud.
- Health information compromised in the breach can enable medical identity theft: a form of fraud where someone uses a victim’s information to obtain medical care, prescriptions, or insurance benefits. This can corrupt a victim’s medical records and create dangerous inaccuracies in clinical settings.
- The combination of Social Security numbers, health data, and financial account information in a single breach event means that affected individuals face compound identity risk across multiple domains simultaneously. Resolving fraud in one area does not protect them from fraud in another.
- The 211-day notification delay means that any health-data-based fraud initiated in the gap between discovery and notification occurred without the victim’s knowledge and is now released as a claim by the settlement.
Economic Inequality
The settlement’s compensation structure places the highest burden on the people least equipped to navigate it.
- To claim up to $5,000 in documented losses, class members must supply bank statements, credit card statements, invoices, telephone records, and receipts, and must demonstrate that the losses are “fairly traceable” to the breach. People with less formal financial records, people experiencing housing instability, or people with limited English proficiency face a higher barrier to claiming the maximum benefit.
- The alternative cash payment requires no documentation and is available to everyone who files, but its value is a fraction of the documented loss cap. The settlement design effectively creates a two-tier system where more resourced claimants can claim more.
- Class members who do not file before the deadline receive nothing and are still bound by the settlement’s release of all claims. People who are harder to reach by mail, people who distrust legal processes, or people who simply did not have time to engage with a claims website lose all legal recourse without compensation.
- The breach itself affected individuals who had provided their data to a healthcare records company. These are not customers who voluntarily chose a consumer product; they are patients and individuals whose information was handled as a condition of receiving healthcare services.
The Settlement Isn’t Justice: What $900,000 Doesn’t Cover
A $900,000 settlement fund for 58,309 people whose Social Security numbers and health records were exposed is not punishment. It is a line item.
- The settlement contains no admission of wrongdoing. The agreement states explicitly that it cannot be used as evidence of fault, negligence, or any violation of law in any future proceeding. Datavant emerges from this litigation with a clean legal record.
- The 211-day notification delay is not directly penalized anywhere in the settlement terms. It is a documented fact of the case, but its specific contribution to class member harm is folded into the general release rather than addressed as a standalone accountability measure.
- At maximum theoretical distribution of the net class fund, after all fees and expenses, each of the 58,309 class members would receive a figure in single or low double digits. Identity theft remediation, credit monitoring, and fraud resolution can cost hundreds of dollars per incident and months of time.
- Datavant retains the right to void the entire settlement if more than 150 class members (0.26%) opt out. This threshold effectively discourages class members from preserving individual legal rights, because doing so risks cancelling the settlement for the rest.
- The settlement specifically preserves Datavant’s right to pursue any claims it has against class members from unrelated business relationships. The release runs in one direction: class members cannot sue Datavant over the breach; Datavant can still sue class members over anything else.
This Is the System Working as Intended
Every structural feature of this settlement is functioning exactly as designed. That is the problem.
- The no-admission clause is not an accident or a compromise. It is a standard demand in corporate settlements and exists because it limits future liability exposure. Datavant’s lawyers asked for it; Datavant’s lawyers got it. The system delivered.
- The 35% attorney fee cap is a standard ceiling in data breach class actions. It reflects a litigation economy in which the cost of organizing 58,309 individual claims into a class action is genuinely high. The system that requires this level of legal machinery to address a corporate breach is the same system that makes individual suits by 58,309 people economically impossible. Both facts are true at the same time.
- The opt-out void threshold of 150 people is a lever that keeps affected individuals from exercising individual legal rights without collectively risking the settlement for everyone. It makes class cohesion a condition of class compensation. Individuals who want more accountability face a collective-action penalty.
- The 211-day notification delay exists in a legal environment where breach notification timelines vary by state and industry. The settlement does not address whether this delay was a violation of any applicable notification law because no regulator has made that determination, and no such finding is required for a civil class settlement to proceed.
- Datavant denies wrongdoing. No regulator has sanctioned Datavant. No criminal referral appears in the record. A company whose email security failed, exposing Social Security numbers and health records for 58,309 people, will pay less per person than a fast food meal, admit nothing, and continue operating. This is the system working as intended.
What a Legitimate Fix Looks Like: Editorial Analysis
The core structural failure this case exposes is a legal and regulatory environment that allows companies holding the most sensitive personal data to breach their security obligations, notify victims months later, and resolve all resulting liability for a sum that imposes no meaningful financial deterrence relative to the scale of harm.
Regulatory Track
- Mandatory breach notification timelines specific to healthcare-adjacent data handlers should be enforced at the federal level. The 211-day gap between discovery and notification in this case fundamentally undermined affected individuals’ ability to protect themselves. Existing state notification laws are inconsistent and contain exemptions that can extend notification timelines. A federal standard requiring notification within 30 days of confirmed or probable unauthorized access to Social Security numbers, health data, or financial account information would directly address the harm documented here.
- Regulators with jurisdiction over healthcare records companies (including the FTC and HHS Office for Civil Rights) should conduct a formal review of Datavant’s security posture and notification timeline under applicable federal consumer protection and HIPAA frameworks. The settlement releases private claims but does not preclude regulatory action.
- Email security standards for companies handling protected health information or financial data should require multi-factor authentication and anti-phishing controls as a compliance condition, with documented annual testing. A phishing attack that succeeds against an inbox containing Social Security numbers and health records is a preventable failure to defend against a well-documented attack vector.
Legislative Track
- Congress should establish a minimum per-person statutory damages floor for data breach class actions involving Social Security numbers, health information, or financial account data. Without a minimum, the economics of class settlements consistently produce sub-dollar-per-person outcomes. A statutory minimum would change the cost-benefit calculation for companies that underinvest in security.
- Legislation should prohibit no-admission clauses in data breach settlements involving government-regulated sensitive data categories, or alternatively require that no-admission provisions be disclosed prominently to class members in plain language as part of the notice. Class members in this case may not understand that their settlement participation produces no legal finding of wrongdoing against the company.
- The void-on-opt-out mechanism should be capped by statute in consumer data breach class actions. Allowing a defendant to void a settlement when as few as 0.26% of affected individuals exercise their legal right to pursue individual claims creates a structural coercion that undermines access to the courts.