For nearly six months, a cybercriminal had access to your name, your Social Security number, your health records, your bank account details, and your passport number — and Self Esteem Brands either didn’t know, or didn’t tell you.

Six Months. Your Entire Financial Life. Their Silence.

Self Esteem Brands, LLC — the company that operates under the trade name Purpose Brands — confirmed in its own settlement documents that a cybersecurity breach began on or around December 19, 2023. The company did not discover it, or at the very least did not disclose it, until June 2024. That is approximately 170 days during which the files of potentially thousands of Americans sat exposed.

The settlement defines the class as “all living individuals residing in the United States whose Personal Information may have been compromised in the Security Incident discovered by Self Esteem Brands in June 2024, including all those who were notified of the Security Incident.” The word “discovered” is doing a lot of heavy lifting there. The company didn’t stop the breach in December. It found out about it six months later.

The data exposed reads like a complete identity theft starter kit. The settlement documents confirm the compromised files “may have contained personal information such as names; Social Security numbers; tax identification numbers; driver’s license numbers; state identification numbers; passport or other government identification numbers; financial account information; payment card information; health information; and health insurance information.”

The Exposed Data Is a Thief’s Dream Inventory

Social Security numbers combined with health insurance information and financial account data give a fraudster everything they need to open credit lines, file fake tax returns, submit fraudulent medical claims, and drain bank accounts — sometimes simultaneously. This combination of data is specifically what identity thieves seek because it enables the most severe and long-lasting financial damage.

The breach window did not close quickly. It ran across “certain dates” spanning from December 19, 2023 to June 6, 2024 — nearly a full half-year. During that entire period, the people whose records were exposed had no way to protect themselves because they did not know they were at risk.

The $25 Insult: A Settlement That Rewards the Lawyers, Not the Victims

When a corporation breaches its duty to protect your most sensitive personal data, the question of “how much is that worth?” reveals everything about who the legal system is actually designed to serve. Self Esteem Brands’ answer: $25 (about the cost of a fast food meal for two, or a single streaming service month) with no proof required.

That $25 “Alternative Cash Payment” requires victims to submit zero documentation and zero explanation. The settlement says plainly: “You do not have to provide any proof or explanation to claim this payment.” The company structured it this way because the alternative — documenting real losses — is deliberately burdensome. You need receipts, bank statements, and third-party documentation proving your losses were “more likely than not” caused by this specific breach.

While individual victims navigate that gauntlet for a maximum of $25 with no paperwork, or up to $5,000 with an evidence mountain, the attorneys representing the class get an agreed-upon fee cap of $150,000 (enough to cover rent for a family of four for over two years in most American cities). The lead plaintiff, Ashley Anderson, gets a “Service Award” of $3,000 (about 120 times the $25 offered to every other member of the class).

The Math That Should Make You Furious

The administration budget caps at $14,400 (about 576 individual victim payouts). That is the cost to mail postcards, run a website, and process claims. Self Esteem Brands pays that separately from the settlement benefits — meaning the company structured the deal so that the operational cost of telling people their data was stolen is treated as a distinct expense from actually compensating them.

“No cap” sounds generous. It means an unlimited number of people can claim the $25. But what it actually tells you is that Self Esteem Brands structured this settlement knowing that most people will take the easiest path: $25, no paperwork, sign away your rights. The company built the friction into the system on purpose.

The Non-Financial Ledger: What $25 Cannot Undo

Settlement agreements measure harm in dollar amounts. Courts review whether compensation is “fair, reasonable, and adequate.” But the document in your hands cannot quantify what it feels like to learn that a company you trusted held onto your Social Security number, your health records, and your financial account details — and failed to protect them for nearly six months.

The people in this class did not choose to be in a database. They did not sign up to have their passport numbers and health insurance information stored in a system that a cybercriminal could access freely from December 2023 through June 2024. They were customers, employees, or associates of Self Esteem Brands because they patronized a gym, a fitness franchise, or a wellness business — looking to improve their lives. They handed over sensitive data as a condition of service, trusting the company to guard it. That trust was broken, and the breach ran uninterrupted for 169 days.

Health information is a category of data that carries unique, enduring consequences. A Social Security number can be frozen. A credit card can be canceled. Health data cannot be recalled. When your medical history, your health insurance policy numbers, and your diagnoses enter the wrong hands, that information follows you for life. It can surface in insurance underwriting, in employment screening, in targeted scams that use your specific conditions to manipulate you. The settlement documents list health information and health insurance information among the potentially compromised data categories, and no credit monitoring service — not even the two years being offered here — can undo the downstream exposure of that kind of information.

The settlement caps compensation for “Lost Time” at four hours at $20 per hour — a maximum of $80 (roughly what you’d earn in two hours at a living wage job in most major cities). But the actual time cost of a serious identity theft event is not four hours. It is days of phone calls, months of monitoring, years of hypervigilance every time a new account is opened in your name or a new fraudulent medical claim appears on your insurance statement. The settlement framework acknowledges this with the Extraordinary Losses category, capped at $5,000 (enough to cover about two months of medical bills for an average American) — but requires victims to prove, with third-party documentation, that their losses were “more likely than not” caused by this specific breach. For many people, that proof is simply impossible to obtain.

Legal Receipts: The Documents Speak For Themselves

“The Security Incident means the cybersecurity incident affecting Defendant which occurred on or around December 19, 2023, and on certain dates until June 6, 2024.” — Settlement Agreement and Release, Paragraph 30 (Definition of “Security Incident”)

“The Settlement Class means all living individuals residing in the United States whose Personal Information may have been compromised in the Security Incident discovered by Self Esteem Brands in June 2024, including all those who were notified of the Security Incident.” — Settlement Agreement and Release, Paragraph 34 (Definition of “Settlement Class”)

“Personal Information includes, but is not limited to, name, Social Security number, tax identification number, driver’s license number, state identification number, passport or other government identification number, financial account information, payment card information, health information, and health insurance information.” — Settlement Agreement and Release, Paragraph 24 (Definition of “Personal Information”)

“Upon the Effective Date, and in consideration of the Settlement benefits described herein, each Releasing Party shall be deemed to have completely and unconditionally released, acquitted, and forever discharged Defendant and each of the Released Parties from any and all Released Claims, including Unknown Claims.” — Settlement Agreement and Release, Paragraph 64 (The Release)

“Unknown Claims means claims that could have been raised in the Action and claims Releasing Parties do not know or suspect to exist, which, if known by him, her or it, might affect his, her or its agreement to release the Released Parties or the Released Claims or might affect his, her or its decision to agree, object or not to object to the Settlement.” — Settlement Agreement and Release, Paragraph 65 (Unknown Claims)

“Defendant agrees not to oppose Settlement Class Counsel’s request for an award of attorneys’ fees, costs and expenses not to exceed One Hundred Fifty Thousand Dollars ($150,000.00).” — Settlement Agreement and Release, Paragraph 69 (Attorneys’ Fees and Costs and Expenses)

“Defendant denies the allegations and causes of action pled in the Action and otherwise denies any liability or wrongdoing to Plaintiff in any way.” — Settlement Agreement and Release, Recitals (Defendant’s denial of liability)

The Cost of a Life: Running the Numbers

Societal Impact: Who Really Pays for This

Public Health: When Your Medical Records Become a Weapon

The settlement explicitly lists “health information” and “health insurance information” among the categories of potentially compromised data. This is worth slowing down on. Health records are among the most weaponizable data a person carries. Unlike a credit card number, you cannot issue yourself a new medical history.

When health insurance account numbers and diagnosis data land in the wrong hands, fraudulent medical claims get filed under your identity. Those phantom claims appear on your Explanation of Benefits statements, exhaust your annual coverage limits, and in some cases result in fraudulent medical records being entered into your file — records that can affect future coverage, employment physicals, and life insurance applications. This is the kind of downstream harm that takes years to surface and years more to correct, and it is the exact kind of harm that the “Unknown Claims” waiver in this settlement would prevent victims from ever pursuing legally.

The settlement offers two years of single-bureau credit monitoring and $1 million in identity theft protection insurance. Credit monitoring catches new credit accounts opened in your name. It does not monitor for fraudulent medical billing, does not alert you when your health insurance is being misused, and does not flag the use of your passport number for foreign financial fraud. The protection offered is genuinely insufficient for the breadth of data that was exposed.

Economic Inequality: The $25 Offer Is Designed for Desperate People

The structure of this settlement contains an embedded class assumption: that most victims will take the $25 because they do not have the time, resources, or documentation to pursue the harder claims. Documenting “Extraordinary Losses” from identity theft requires bank statements, fraud reports, proof you exhausted existing insurance, and a chain of causation linking your losses specifically to this breach and not another. That is a significant administrative burden that disproportionately falls on people who are already time-poor and financially stressed.

The settlement also quietly caps Lost Time at $20 per hour. For context, the federal minimum wage is $7.25 per hour. But for workers earning above that — and the data exposed suggests this covers a broad swath of employed Americans — $20 per hour for the time you spend cleaning up a corporate security failure is not compensation. It is an insult dressed as generosity. The cap of four hours means the maximum payout for your time is $80 (about what a plumber charges for the first 15 minutes of a service call).

The 90-day claims window, the expiring checks, and the documentation requirements all function as attrition mechanisms. Every deadline, every form, every requirement to submit receipts and attach attestations is a filter that reduces the number of people who actually collect anything. The company structured the settlement so that the most vulnerable and time-pressed victims — the ones with the fewest resources to pursue documentation — are most likely to end up with $25 or nothing at all.

There is also a barely-noticed escape hatch: if more than 15 Settlement Class Members submit valid exclusion requests, Self Esteem Brands can unilaterally terminate the entire settlement agreement with 14 days’ notice. Fifteen people opting out can unwind the whole deal. That provision exists not to protect victims but to give the corporation a panic button if too many people assert their right to independent legal action.

What Now: Your Rights Before You Sign Anything

Before You Accept $25, Do This

Read the opt-out deadline carefully. You have 60 days after the Notice Commencement Deadline to submit a Request for Exclusion. If you opt out, you keep your right to sue Self Esteem Brands independently. If you stay in the class and accept any benefit — including the $25 — you permanently waive all current and future legal claims against the company for this breach, including harms you have not discovered yet.

Check your accounts now. Pull your free credit reports at annualcreditreport.com. Place fraud alerts or credit freezes at all three major bureaus (Equifax, Experian, TransUnion). Review your health insurance Explanation of Benefits statements for claims you did not authorize. If you find fraudulent activity, document everything with dates, account numbers, and screenshots — that documentation is what turns a $25 payout into a $5,000 documented claim.

Connect with others who were affected. The settlement’s termination clause — which lets Self Esteem Brands walk if more than 15 people opt out — reveals something important: the company is afraid of organized, independent legal action. Local legal aid organizations, consumer rights clinics, and mutual aid networks can help you understand your options without the corporate filter. The EFF (Electronic Frontier Foundation), EPIC (Electronic Privacy Information Center), and your state’s consumer protection office are free resources. You do not have to navigate this alone, and you do not have to accept $25 for six months of your most sensitive personal data sitting in a criminal’s hands.