Compassion Health Care Data Breach: 23,600 Exposed, $600K Settlement

EvilCorporations.com · Corporate Accountability Project · Data Security Failures

Compassion Health Care Left 23,600 Patients Exposed

Social Security numbers, medical records, and health insurance data. All of it accessible to an unknown intruder. None of it adequately protected.

🏥 Healthcare / Medical Practice
📋 Class Action Settlement
📅 2025
🟡 HIGH SEVERITY
TL;DR

In March 2025, a cybercriminal broke into the computer systems of Compassion Health Care, Inc., a medical practice in Yanceyville, North Carolina, and accessed the private information of up to 23,600 patients and employees. The stolen data included Social Security numbers, driver’s license numbers, medical diagnoses, health insurance records, and other highly sensitive health information. The company waited nearly two months before notifying victims. Patients and workers whose most intimate personal and health data was compromised were left to deal with the fallout on their own.

Three affected individuals filed a class action lawsuit. The company settled for up to $600,000 total, without admitting any wrongdoing. That works out to roughly $25 per person exposed, before attorneys’ fees and administrative costs consume a substantial portion of that sum.

If your data was exposed, you deserve answers. Demand real accountability from the healthcare providers you trust with your most sensitive information.
23,600: Individuals whose private data was exposed
$600K: Total settlement cap (maximum payout)
~$40: Cash payment option for victims with no documentation
$5,000: Maximum per-person reimbursement for documented losses
60 days: Delay before victims were notified
$200K: Maximum attorneys’ fees (from the same $600K cap)

⚠️ Core Allegations: What They Did

01 Compassion Health Care collected and stored highly sensitive personal and medical data from patients and employees, including Social Security numbers, driver’s license numbers, health insurance plan IDs, medical diagnoses, and clinical records, creating a high-value target for attackers. (Severity: high)
02 On or about March 17, 2025, an unauthorized third party accessed the company’s computer systems and network, potentially gaining access to the private information of up to 23,600 individuals. (Severity: high)
03 The company did not begin notifying affected individuals until May 16, 2025, nearly two months after discovering the breach, leaving thousands of people unaware that their most sensitive personal and medical information had been compromised. (Severity: high)
04 Plaintiffs allege negligence, breach of implied contract, breach of confidence, and unjust enrichment, arguing that the company’s inadequate data security practices directly caused the exposure of protected health information and personally identifiable data. (Severity: high)
05 The exposed data included dark web-susceptible identifiers such as Social Security numbers, health savings account details, healthcare beneficiary IDs, and international disease classification codes, giving bad actors multiple vectors for identity theft and medical fraud. (Severity: high)

📉 Economic Fallout: Financial Harm to Those Exposed

01 The $600,000 settlement cap must cover all cash payments to victims, attorneys’ fees of up to $200,000, settlement administration costs, service awards, and credit monitoring services, meaning the actual money available for the 23,600 affected individuals is far less than the headline figure suggests. (Severity: high)
02 The default cash payment option for victims with no documentation is $40, an amount that does not begin to reflect the real, ongoing risk posed by the exposure of Social Security numbers and medical records on the dark web. (Severity: high)
03 Cash payments may be reduced on a pro rata basis if the total value of valid claims exceeds the settlement cap, meaning even the modest $40 payment is not guaranteed at its full stated amount. (Severity: med)
04 Victims can claim up to $5,000 for documented losses, but must produce third-party documentation for all expenses; personal declarations alone are insufficient, creating a high burden for the very people most harmed by the breach. (Severity: med)
05 The three class representatives receive a maximum service award of $1,500 each, totaling $4,500, which also comes out of the same $600,000 cap shared with the remaining 23,597 affected individuals. (Severity: low)

☣️ Public Health and Safety: Medical Data Exposure Risks

01 The breach exposed clinical and diagnostic information related to medical services, including disease classification data and medical record details, creating risks that extend far beyond financial fraud into threats to patients’ medical privacy and physical safety. (Severity: high)
02 Health insurance plan IDs, healthcare beneficiary identifiers, and claims information were all compromised, providing thieves with the tools to file fraudulent medical claims and obtain prescription drugs or treatments using victims’ identities. (Severity: high)
03 Medical identity theft can corrupt a victim’s healthcare records with inaccurate information, potentially resulting in dangerous misdiagnosis or inappropriate treatment in future medical encounters. (Severity: high)
04 The settlement offers only two years of medical data monitoring, despite the fact that compromised Social Security numbers and health records carry risks that persist for a victim’s entire lifetime. (Severity: med)

⚖️ Corporate Accountability Failures: Weak Penalties, No Admission of Fault

01 Compassion Health Care settled without admitting any liability or wrongdoing, meaning the company paid to make the lawsuit go away without ever being forced to publicly acknowledge that its data security practices put patients at risk. (Severity: high)
02 Settlement terms prohibit the agreement from being used as evidence of wrongdoing in any future proceeding, shielding the company from accountability in any subsequent litigation arising from the same conduct. (Severity: high)
03 By settling, the company escapes any binding judicial finding on whether its data security practices met legal standards, removing any precedent that might force improvements at Compassion or put other healthcare providers on notice. (Severity: high)
04 Class members who participate in the settlement permanently release all claims related to the breach, including unknown future claims they may not yet know they have, surrendering legal rights in exchange for as little as $40. (Severity: high)
05 The settlement contains no requirement for Compassion Health Care to implement specific cybersecurity improvements, meaning the company could continue operating with the same deficient data security practices that led to the breach. (Severity: med)

🏛️ Regulatory Failures: How Oversight Broke Down

01 The breach exposed protected health information subject to HIPAA, yet the remedies available under this civil class action settlement do not include regulatory sanctions or mandatory corrective action plans of the kind HIPAA enforcement can require. (Severity: high)
02 No governmental entity took enforcement action against Compassion Health Care before or during the class action process, illustrating the gap between regulatory standards on paper and actual enforcement in practice. (Severity: med)
03 The settlement explicitly excludes governmental entities from the settlement class, meaning public-sector victims have no pathway to compensation through this proceeding, even if their data was equally compromised. (Severity: low)
04 North Carolina’s data breach notification laws permit companies extended windows before notifying affected individuals; the 60-day gap between discovery and notification in this case illustrates how these permissive timelines leave victims exposed while companies manage public relations and legal strategy. (Severity: med)

🕐 Timeline of Events

Mar 17, 2025: Compassion Health Care discovers that an unauthorized third party accessed its computer systems and network, potentially compromising the private information of up to 23,600 individuals.
May 16, 2025: Nearly two months after discovering the breach, the company begins sending notification letters to affected individuals.
May 23, 2025: Plaintiff Emily Bushnell files a putative class action in Orange County Superior Court, North Carolina.
May 27, 2025: Plaintiff Amy Allin files a separate putative class action in Caswell County Superior Court.
May 30, 2025: Plaintiff Travis Ramsey files a third related case in Caswell County Superior Court.
Jul 2, 2025: An Amended Class Action Complaint is filed in the Allin action, consolidating all three plaintiffs into a single proceeding.
Aug 7, 2025: The parties reach an agreement on the material terms of the settlement.
Sep/Oct 2025: All plaintiffs and both legal teams sign the settlement agreement. Compassion Health Care’s CEO signs on October 10, 2025.

💬 Direct Quotes from the Legal Record

QUOTE 1 · Scope of compromised data · Core Allegations
“The impacted information included names, addresses, phone numbers, date of births or ages, Social Security numbers, driver’s license numbers, health insurance information, claims information, and clinical/diagnostic information related to medical services and other types of personally identifiable information or protected health information.”

💡 This passage confirms the full breadth of data exposure. Social Security numbers combined with medical and insurance records give bad actors everything needed for both financial identity theft and medical identity fraud.

QUOTE 2 · Settlement cap limits actual victim payments · Economic Fallout
“Settlement Cap means Defendant’s maximum total financial obligation under this Settlement, which shall not exceed $600,000.00 in the aggregate. This Settlement Cap includes and encompasses all (i) Cash Payments to Settlement Class Members, (ii) Settlement Administration Costs, (iii) Medical Data Monitoring; (iv) any Service Awards approved by the Court, and (v) any Attorneys’ Fees and Costs awarded by the Court.”

💡 Every dollar of attorney fees, administrative costs, and monitoring services comes out of the same pool as victim payments. With attorneys seeking $200,000, victims share what remains among 23,600 people.

QUOTE 3 · Company admits no wrongdoing · Corporate Accountability Failures
“Defendant does not in any way acknowledge, admit to, or concede any of the allegations made in any of the complaints or in the Complaint, and expressly disclaims and denies any fault or liability, or any charges of wrongdoing that have been or could have been asserted in the Complaint.”

💡 The company pays to end the lawsuit while publicly maintaining it did nothing wrong. This is the standard corporate playbook: settle without accountability, avoid any finding that could trigger broader scrutiny or regulatory action.

QUOTE 4 · Settlement cannot be used as evidence in future cases · Corporate Accountability Failures
“Nothing contained in this Agreement shall be used or construed as an admission of liability, and this Agreement shall not be offered or received in evidence in any action or proceeding in any court or other forum as an admission or concession of liability or wrongdoing of any nature or for any other purpose other than to enforce the terms of this Agreement.”

💡 This clause ensures that even the act of settling cannot be held against the company in any future proceeding. The legal system’s rules, not a spirit of justice, are what shape corporate accountability here.

QUOTE 5 · Pro rata reduction means $40 isn’t guaranteed · Economic Fallout
“If the aggregate amount of approved Cash Payments to Settlement Class Members, when combined with the other amounts payable under this Agreement, would exceed the Settlement Cap, then the Cash Payments to Settlement Class Members shall be reduced on a pro rata basis so that the total amount paid by Defendant under this Settlement does not exceed the Settlement Cap.”

💡 Even the $40 baseline payment can be reduced further if claims volume pushes costs toward the cap. The settlement structure consistently prioritizes protecting the company’s total liability over guaranteeing meaningful compensation to victims.

QUOTE 6 · Victims release all future claims, including unknown ones · Corporate Accountability Failures
“Upon the Effective Date, and in consideration of the settlement relief and other consideration described herein, the Releasing Parties shall be deemed to have…fully, finally, and forever released, acquitted, relinquished, and completely discharged the Released Parties from any and all Released Claims.”

💡 Victims permanently give up the right to sue, even for harms they do not yet know they have suffered. The full consequences of a medical data breach can take years to materialize; this release ensures the company faces no future liability regardless of what happens.

💬 Commentary

What exactly was stolen, and why does it matter so much?
The breach exposed some of the most sensitive data a person can have: Social Security numbers, medical diagnoses, health insurance IDs, health savings account details, drug and disease classification codes, and clinical records. This is not a simple email or password breach. Medical identity theft can corrupt a victim’s health records with false information, potentially leading to wrong diagnoses or denied coverage. Financial identity theft using Social Security numbers can take years to detect and repair. The harm does not end when the notification letter arrives; it can follow victims for the rest of their lives.
Is $600,000 enough for 23,600 people?
No. By any reasonable measure, it is not. After attorneys’ fees of up to $200,000, administration costs, service awards, and credit monitoring expenses are deducted from the $600,000 cap, the amount left for direct victim payments is likely less than $400,000. Divided among 23,600 people, that is less than $17 per person if everyone filed a claim. The $40 alternate cash payment only exists for people who file a valid claim and is subject to pro rata reduction if total claims approach the cap. The settlement amount reflects the realities of class action litigation costs, not the actual harm suffered by each individual whose most private information was exposed.
Why did it take two months to notify victims?
The settlement document does not explain the reason for the 60-day delay between discovery (March 17, 2025) and notification (May 16, 2025). This gap meant that for nearly two months, 23,600 people were walking around unaware that their Social Security numbers, medical records, and insurance data might already be circulating on the dark web. Every day of delayed notification is a day in which victims cannot take protective action: placing credit freezes, monitoring accounts, or alerting their healthcare providers. The delay is not explained, and the settlement does not require the company to justify it.
Is this lawsuit legitimate and does the settlement seem fair?
The claims asserted, including negligence, breach of implied contract, and breach of confidence, are well-recognized legal theories in data breach cases and have merit based on the facts as described. Whether the settlement is fair is a more complicated question. Class counsel states that the settlement is fair, adequate, and reasonable given the litigation risks involved. That may be true from a legal standpoint. But the structure of the settlement, where victims receive a minimum of $40, the company admits nothing, and no corrective action is required, reveals the structural limits of class action litigation as a tool for achieving meaningful accountability in corporate data security failures. The legal process worked as designed. Whether it worked for the 23,600 people whose data was exposed is a different question.
What happens to Compassion Health Care after this settlement?
Functionally, the company pays a capped sum, denies all wrongdoing, and continues operating. The settlement contains no mandatory cybersecurity audit, no required investment in data protection infrastructure, no public disclosure of what security failures allowed the breach to occur, and no binding commitment to prevent future incidents. The legal process that was meant to hold this company accountable has instead provided it with a clean slate. This is not an accident; it is how the system is structured. Companies can treat data breaches as a foreseeable cost of doing business rather than an unacceptable failure that demands real change.
How should I protect myself if I was affected?
File a claim to receive at minimum the free two-year medical data monitoring service, which includes $1,000,000 in identity theft insurance. Separately, place a credit freeze with all three major bureaus (Experian, Equifax, TransUnion): this is free and prevents new accounts from being opened in your name. Monitor your Explanation of Benefits statements from your health insurer for charges you do not recognize. Request your medical records annually from providers to check for fraudulent entries. Because Social Security numbers never expire and medical records are permanent, your vigilance should extend far beyond the two-year monitoring window this settlement provides.
What can I do to prevent this from happening again?
Contact your state legislators and demand they strengthen North Carolina’s data breach notification laws, including shorter required notification windows and mandatory cybersecurity standards for healthcare providers handling protected health information. Support federal legislation requiring minimum cybersecurity standards for all entities that collect medical data. When selecting healthcare providers, ask about their data security practices. Support organizations that advocate for stronger digital privacy rights and corporate accountability. File a comment with the HHS Office for Civil Rights if you believe HIPAA was violated. And when companies settle data breaches without admitting wrongdoing and without committing to reform, make that fact public. Corporations fear public accountability more than they fear private settlements.


Aleeia

I'm the creator of this website. I have 6+ years of experience as an independent researcher studying corporatocracy and its detrimental effects on every single aspect of society.


All posts published by this profile were either personally written by me, or I actively edited / reviewed them before publishing. Thank you for your attention to this matter.
