πŸ³οΈβ€βš§οΈ trans rights are human rights πŸ³οΈβ€βš§οΈ
Theme

Signature Performance Data Breach Exposed 232,315 Medical Records

Your Medical Records Were Stolen. They Settled for Pennies.

What $200 Cannot Buy Back

There is a specific kind of violation that does not show up in court filings as a dollar amount. It is not a fine, not a settlement figure, and not a line item in an attorney’s fee petition. It is the feeling you get when you find out that a company you never chose, never signed a contract with, and never heard of, had been sitting on the most sensitive information about your body, your health, your finances, and your identity — and then lost all of it to a stranger on the internet.

The people in this case did not go to Signature Performance for healthcare. They went to Adventist Health. They went to Southeastern Regional Medical Center, a UNC Health hospital. They were patients seeking treatment for real conditions: diagnoses that carry stigma, treatments that carry cost, health insurance details that expose financial vulnerability. Some were employees of those hospital systems — people who simply showed up to do their jobs and trusted their employers to protect their personnel records.

Signature Performance was the invisible middleman. It handled administrative services for those hospital systems, meaning it collected and stored sensitive medical and personal records as a routine part of its business operations. The people whose data Signature held never consented to Signature holding it. They consented to their hospital. The hospital outsourced the data to a vendor. The vendor got hacked. And now 232,315 people are being offered a postcard in the mail and a $200 claim form as compensation for the exposure of their Social Security numbers, their diagnoses, and their treatment histories.

Think about what it means for your medical diagnosis to be in the hands of someone who stole it. Your HIV status, your mental health treatment, your cancer diagnosis, your substance abuse history — these are not abstract data points. They are the parts of your life you share with a doctor in confidence, behind a closed door. Healthcare privacy law exists because this information causes real harm when it escapes: job loss, insurance denials, discrimination, shame, and exploitation. The law recognized long ago that medical data is different from credit card data. It touches something deeper.

For the employees whose records were swept up in this — their Social Security numbers, their driver’s license numbers, their home addresses — the exposure is a permanent change in their risk profile. Identity theft from this kind of breach does not always happen immediately. It can sit dormant for years. A stolen Social Security number does not expire. The three years of medical monitoring offered in this settlement will run out. The stolen data will not.

The settlement agreement, in its clinical legal language, refers to the people in this class as “Settlement Class Members.” The notice postcard calls them “Class Members.” The claim form asks for a name, an address, an email. None of these documents contain a single sentence acknowledging what these 232,315 people actually went through. There is no apology. Signature Performance explicitly denies all wrongdoing. The agreement states, in bold, that it “shall not be construed as an admission of liability.” The company that lost your medical records is legally protected from ever having to say the words: we were responsible, and we are sorry.

What Signature Performance purchased with $8.5 million was silence. A permanent injunction barring every class member from ever raising these claims again. A release so broad it covers not just what victims know was harmed, but claims they “do not know or suspect to exist” — a legal sweep of future harms that have not yet materialized. The people signing on to this settlement are, in effect, signing away the right to sue for damage that might appear five years from now as a result of data that was stolen today.

That $200 estimated payment — which can be reduced pro rata if too many people file, and which will only arrive after attorneys take up to $2.975 million out of the fund — is the market price Signature Performance has placed on your medical history, your Social Security number, and your trust. The company did not set that price because it thought it was fair. It set that price because it calculated it was cheaper than going to trial.

Visual 1: Breach to Settlement — The Full Timeline

  • JAN 17–18 2024: Breach occurs
  • ~23 days later, FEB 9 2024: Victims notified
  • ~4 months later, JUN 17 2024: First lawsuit filed (Nebraska)
  • ~10 months later, APR 30 2025: Mediation; deal reached
  • ~6 months later, NOV 8 2025: Settlement filed, CA State Court

Total elapsed: ~22 months from breach to settlement filing. 232,315 people waited nearly 2 years for a $200 postcard.

What the Settlement Documents Actually Say

The following quotes are taken verbatim from the settlement agreement and associated notice documents filed in Case No. STK-CV-UBT-0016713. These are the words that govern what 232,315 people are entitled to — and what they are permanently giving up.

“On or about January 17-18, 2024, Signature’s computer network was infiltrated by an unauthorized individual who accessed the Private Information belonging to approximately 232,315 of Defendant’s clients’ patients and employees.”
— Settlement Agreement, Section I, Paragraph 2
  • This is the core admission in the document: an unauthorized person got inside Signature’s network and accessed nearly a quarter-million people’s records. The phrase “infiltrated” is significant — this was not an accidental exposure. Someone broke in.
  • The document confirms this happened over two days, January 17 and 18, 2024. Signature did not notify victims until February 9, 2024 — 23 days after the breach was identified.
  • The word “clients'” is doing heavy lifting here. The 232,315 people whose data was stolen were never Signature’s customers. They were patients and employees of Signature’s clients. They had no relationship with Signature and no ability to assess or demand security standards from a vendor they never knew held their data.
“‘Private Information’ means information collected and/or maintained by Defendant, including, but not limited to some combination of names, addresses, phone numbers, dates of birth, Social Security numbers, provider names, medical treatment/diagnosis information, Driver’s License/State ID numbers, health insurance provider names, and/or treatment costs.”
— Settlement Agreement, Section II, Paragraph 51
  • This definition lists the categories of exposed data. It is not a list of one or two things — it is a comprehensive identity and health profile. Social Security numbers plus medical diagnosis information plus treatment costs plus insurance provider names is the complete toolkit for medical identity fraud.
  • The phrase “some combination of” means not every person had every category stolen. But the settlement does not tell individual victims which specific pieces of their data were accessed. Everyone receives the same generic notice, the same $200 offer, regardless of how much of their data was compromised.
“Defendant does not in any way acknowledge, admit to, or concede any of the allegations made in the Complaint, and expressly disclaim and deny any fault or liability, or any charges of wrongdoing that have been or could have been asserted in the Complaint. Nothing contained in this Agreement shall be used or construed as an admission of liability.”
— Settlement Agreement, Section I, Paragraph 9
  • This is boilerplate in corporate settlements, but it is no less consequential for being common. Signature Performance pays $8.5 million and admits nothing. The victims receive checks. The company walks away with a clean record.
  • The phrase “expressly disclaim and deny any fault or liability” means that if any victim tries to cite this settlement in a future proceeding as evidence that Signature did something wrong, it cannot be used. The settlement is legally quarantined from any other context where accountability might be demanded.
“Released Claims means any and all actual, potential, filed or unfiled, known or unknown, fixed or contingent, claimed or unclaimed, suspected or unsuspected claims, demands, liabilities, rights, causes of action, damages, punitive, exemplary or multiplied damages, expenses, costs… of every nature and description whatsoever, based on any federal, state, local, statutory or common law or any other law, against the Released Parties.”
— Settlement Agreement, Section II, Paragraph 53
  • The phrase “known or unknown, suspected or unsuspected” is the critical clause. This releases claims that victims do not even know they have yet. If your stolen data is used to commit medical fraud against you in 2027, and you are a settlement class member who did not opt out, you may have already waived your right to sue Signature for it.
  • The release covers not just Signature Performance but also Adventist Health Tulare, Adventist Health System/West, Southeastern Regional Medical Center d/b/a UNC Health, and all entities under common control with any of them. Hospital systems whose patients were victimized are being released from liability they were never even defendants in, in the California state court action where this settlement is being finalized.
  • The scope extends to “punitive, exemplary or multiplied damages.” This means class members are also releasing any claim they might have had for a court to punish Signature beyond mere compensation — the kind of damages that would actually hurt a corporation and incentivize better security practices industry-wide.
“Class Counsel shall apply to the Court for an award of attorneys’ fees of up to 35% of the $8,500,000 value of the Settlement Fund ($2,975,000), plus reimbursement of reasonable costs.”
— Settlement Agreement, Section XI, Paragraph 102
  • Before a single class member sees a payment, up to $2,975,000 may be paid to the five law firms representing the class. This is 35 cents of every dollar in the fund. On top of that, “reasonable costs” — litigation expenses — are also recoverable, reducing the fund further.
  • After attorneys’ fees, costs, settlement administration fees paid to Verita Inc., and medical monitoring costs, the amount left for the 232,315 class members is whatever remains. The settlement documents do not specify what settlement administration will cost. The pro-rata math could make the $200 undocumented payment smaller than advertised.
“Prior to Final Approval, Defendant will provide Class Counsel with a confidential written attestation regarding the security measures that have been implemented or will be implemented… The attestation will provide sufficient information necessary for Plaintiffs to reasonably estimate the costs Defendant has incurred or will incur in connection with the measures.”
— Settlement Agreement, Section V, Paragraph 70
  • The security improvements Signature promised as part of this settlement are described in a document that is explicitly labeled “confidential.” Class counsel sees it. The court may review it. The 232,315 people whose data was stolen will never see it.
  • The attestation covers measures “implemented or will be implemented” — meaning some of what Signature is promising may not have happened yet at the time of settlement, and none of the affected patients can independently verify any of it.
  • Signature is also responsible for the costs of these security improvements “separate and apart” from the $8.5 million settlement fund. This sounds like extra accountability, but there is no disclosed dollar amount, no third-party audit requirement mentioned in the public document, and no mechanism for class members to confirm the improvements were ever made.

Visual 2: What Victims Were Told vs. The Reality of the Settlement

  • What was claimed: “Up to $5,000 for documented losses”. The reality: Requires documentation, claim form, admin approval; reduced pro rata if fund is exhausted by other claimants.
  • What was claimed: “Estimated $200 cash payment”. The reality: Paid last, after lawyers (~$3M), admin fees, and monitoring costs. Amount can decrease below $200.
  • What was claimed: “3 years of Medical Data Monitoring”. The reality: Covers 3 years. Stolen data does not expire. SSNs can be misused for decades. No monitoring after year 3.
  • What was claimed: “Security improvements committed”. The reality: Confidential attestation — public never sees what was promised or verified. No independent audit required.
  • What was claimed: “Full and final resolution of claims”. The reality: Releases known AND UNKNOWN future claims. Covers Adventist Health and UNC Health too — non-defendants in CA.
  • What was claimed: “Do nothing and you are unaffected”. The reality: Do nothing = automatic release of all claims, zero payment. Silence is legally treated as consent.

The Damage Beyond the Courtroom

Public Health

The exposure of protected health information is a specific category of harm recognized under federal and California law precisely because the consequences reach beyond financial fraud. Here is what the documented data categories in this breach mean for public health:

  • Medical diagnosis and treatment information, if exposed, creates a direct pathway for medical identity theft. Fraudsters can bill insurance under a victim’s identity for procedures that never happened, corrupting the victim’s medical record — potentially causing incorrect treatment decisions in future emergency situations.
  • Health insurance provider names and treatment cost data allow bad actors to construct detailed pictures of a victim’s health status. This information can be sold to data brokers and used to target vulnerable people with health scams, predatory financial products, or fraudulent medical billing schemes.
  • The 232,315 people notified in this breach include patients of hospital systems, meaning the exposed population includes people with serious medical conditions who sought care at regional medical centers. For someone managing a chronic condition or undergoing active cancer treatment, having that fact in the hands of an unknown third party creates documented psychological harm: anxiety, fear of discrimination, and avoidance of future medical care.
  • Research on healthcare data breaches consistently shows that victims who experience the exposure of sensitive health information are more likely to delay or avoid seeking medical treatment in the future due to fear of further privacy violations. The $8.5 million settlement does not address this chilling effect on healthcare-seeking behavior at all.
  • Three years of medical monitoring is the settlement’s answer to a lifetime of health data exposure. The monitoring itself relies on victims proactively enrolling via an activation code emailed to them — meaning every person who misses the email, does not recognize it, or cannot navigate the enrollment process, receives nothing in the way of ongoing protection.

Economic Inequality

The economic harm from this breach falls disproportionately on the people least equipped to absorb it — patients and employees of regional hospital systems who are more likely to be working-class, uninsured, or underinsured.

  • Social Security numbers are the master key to financial identity. With an SSN, a thief can open credit lines, file fraudulent tax returns, claim unemployment benefits, and take out loans. The resolution of each of these fraudulent acts requires time, documentation, legal help, and often money the victim does not have. A $200 settlement payment does not cover a single hour with a fraud resolution specialist.
  • The documented losses category, which allows up to $5,000 in reimbursements, requires “reasonable documentation.” For working people without organized financial records, without access to credit reports, without lawyers — documenting fraud-related expenses is a barrier that functionally excludes the most economically vulnerable class members from the highest-tier benefit.
  • The settlement payment process offers electronic payment options including PayPal, Venmo, Zelle, and virtual prepaid cards. People without smartphones, without reliable internet access, or without accounts on those platforms are effectively pushed toward paper checks — a slower and more bureaucratically complex option that again disadvantages lower-income victims.
  • Class members who fail to file a claim by the deadline receive zero payment but still lose their right to sue. This creates a perverse outcome: the most economically harmed members — those who did not receive the postcard notice due to address changes, who could not navigate the claims website, or who did not understand the legal implications of inaction — are the ones most likely to surrender their rights for nothing.
  • The attorneys representing the class will receive up to $2,975,000 before any victim receives a dollar. The seven named class representative plaintiffs can each receive up to $5,000 in service awards, totaling up to $35,000, also paid before the general class. The asymmetry between what legal professionals extract from this fund and what individual victims receive is stark.
  • Driver’s license and state ID numbers in the exposed data create risk of synthetic identity fraud that can damage a victim’s ability to pass employment background checks, rent housing, or obtain utilities — economic harms that compound over time and are nearly impossible to definitively link to the original breach once they materialize years later.

Visual 3: Where the $8.5 Million Settlement Fund Goes (Priority Order)

  • 1. Service Awards: $35K
  • 2. Attorneys’ Fees (35%): ≤$2.975M
  • 3. Admin Costs: Undisclosed
  • 4. Medical Monitoring: Undisclosed
  • 5. Cash Payments: Remainder

Priority order per Settlement Agreement §69. Cash payments are paid last and are subject to pro rata reduction. Admin and monitoring costs not publicly disclosed in source document.

What Signature Performance Priced Your Medical Records At

$36.59

The maximum per-person share of the total $8,500,000 settlement fund if divided equally among all 232,315 affected individuals — before attorneys’ fees, administrative costs, or monitoring expenses are deducted.


$200

The estimated undocumented cash payment — the number Signature Performance’s lawyers offered to the public as the headline benefit for having your Social Security number, medical diagnosis, and treatment history stolen.


$2,975,000

The maximum attorneys’ fee payout from the same fund — 81 times the $36.59 per-person share of the fund’s gross value, paid before any victim receives a single dollar.


At the $200 undocumented payment level, Signature Performance valued your entire medical identity at less than one month of a basic streaming service subscription. The company’s own network security failure created this situation. The company will pay nothing beyond the $8.5 million settlement fund as a result of it.

Visual 4: Who Is Connected — The Entity Relationship Map

  • SIGNATURE PERFORMANCE (Defendant — Healthcare Admin Vendor): holds records of all victims
  • ADVENTIST HEALTH, Tulare & System/West (Released — Not CA Defendant): outsources admin data to Signature Performance
  • SOUTHEASTERN / UNC Regional Medical Center (Released — Not CA Defendant): outsources admin data to Signature Performance
  • 232,315 PATIENTS & EMPLOYEES (Settlement Class — Data Stolen): patients of Adventist Health and of Southeastern / UNC

Legend: Defendant / Released / Victims

Your Rights, Your Options, Your Next Move

If you received a data breach notification from Signature Performance, Adventist Health, or UNC Health Southeastern after January 2024, you are likely a class member. Here is what you can do, and who to hold accountable beyond the settlement.

Named Leadership and Legal Parties of Record

  • Signature Performance, Inc. — the defendant company. Its corporate officer signing the settlement is listed only by title in the public document; the specific executive signatory line is left blank in the filed agreement. The company is represented by Tara Gill Nalencz of Cipriani & Werner, P.C., 450 Sentry Parkway, Ste. 200, Philadelphia, PA 19422.
  • Class Counsel: Tyler J. Bean (Siri & Glimstad LLP), M. Anderson Berry (Emery Reddy, PC), Bryan L. Bleichner (Chestnut Cambronne PA), Jeff Ostrow (Kopelowitz Ostrow P.A.), and Jason Wucetich (Wucetich & Korovilas LLP). These are the attorneys seeking up to $2,975,000 in fees from the fund.
  • Settlement Administrator: Verita, Inc. All claim disputes, opt-out requests, and objections are processed through Verita. Their decisions on claim validity are final and binding unless appealed within the procedures defined in the agreement.
  • Presiding Judge: Honorable Robert T. Waters, Superior Court of California, County of San Joaquin. The Final Approval Hearing is where this settlement can still be challenged by class members who object in writing before the deadline.

Regulatory Watchlist

  • HHS Office for Civil Rights (OCR): Enforces HIPAA, which governs the protection of protected health information (PHI). A healthcare vendor that loses PHI through a network breach may have violated HIPAA Security Rule requirements. File a complaint at hhs.gov/ocr.
  • California Attorney General (AG): Enforces the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA), both cited in the complaint. The AG can investigate violations independently of the civil settlement.
  • Federal Trade Commission (FTC): Has authority over data security practices under Section 5 of the FTC Act. Can investigate whether Signature Performance’s security practices were materially inadequate.
  • Nebraska Attorney General: The original federal lawsuit was filed in Nebraska, where Signature Performance operates. Nebraska state consumer protection law may apply independently.
  • State Insurance Commissioners: Health insurance provider information was among the stolen data categories. State insurance regulators have jurisdiction over insurance data handling practices.

Your Immediate Action Steps

  • File your claim before the deadline. The claim form deadline is 90 days from the date notice is first distributed. Watch for the postcard notice mailed to your address of record. If you do not receive it, check the settlement website when it goes live. Doing nothing costs you both the payment and your right to sue.
  • Consider opting out if you plan to pursue your own lawsuit. You have 60 days from the date notice is first distributed to formally opt out by mailing a signed written exclusion request to the settlement administrator. If you have documented significant financial losses from this breach, a personal lawsuit for the full amount may be worth more than the pro-rata settlement payment.
  • Place a credit freeze at all three bureaus immediately. This is free, and it is the single most effective action to prevent new accounts from being opened in your name. Do not wait for the settlement’s monitoring to activate. Contact Equifax, Experian, and TransUnion directly.
  • File a complaint with HHS OCR about the breach. The OCR investigates HIPAA violations independently of any civil settlement. Your complaint creates a record and can trigger a federal investigation into Signature Performance’s security practices that the settlement cannot silence.
  • Object to the settlement if you believe it is inadequate. You have 60 days from the date notice is first distributed to submit a written objection to the settlement administrator. Objections must be signed, state your full name and contact information, and provide specific legal grounds for your objection. The court must consider timely, valid objections at the Final Approval Hearing.
  • Connect with mutual aid and digital rights organizations. Groups like the Electronic Frontier Foundation (EFF), the National Consumer Law Center, and your state’s legal aid organization can provide free guidance on protecting yourself after a medical data breach. Local privacy advocacy groups can help you understand your rights under the CMIA and CCPA without the cost of a private attorney.
  • Demand transparency from your healthcare provider. If you were a patient of Adventist Health or Southeastern/UNC Health, ask your provider in writing: what vendors currently hold your data, what security standards are contractually required of those vendors, and what notification procedures are in place for future breaches. Make your provider answer in writing. Their response — or non-response — tells you everything about how seriously they take your privacy.

The source document for this investigation is attached below.

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.

Learn more about my research standards and editorial process by visiting my About page
