
The Onsite Women’s Health data breach is insane | Onsite Mammography

Investigation

Your Mammogram. Their Negligence.

The Non-Financial Ledger

Think about what you are doing when you book a mammogram. You are scared. You are managing a body you are not entirely sure is okay. You sit in a paper gown in a cold room and let a stranger press a machine against your chest. You hand over every piece of identification you carry. You give them your Social Security number. You give them your insurance card. You tell them about your health history. You trust them with information so personal that most people do not share it even with close friends.

That is the specific transaction that Onsite Mammography was a party to with 357,265 people. These were not customers buying a product. They were patients at their most physically and emotionally exposed, sharing their bodies and their identities with a medical provider they trusted to keep both safe.

When a cybercriminal walked through the unlocked door of a single employee’s email account in October 2024, everything those patients handed over in good faith left with them. Social Security numbers. Passport numbers. Driver’s license numbers. Dates of birth. Medical and clinical records describing exactly what kind of imaging was done and why. Health insurance information. Billing records. The full picture of a person’s body, identity, and financial life, assembled by a company whose entire business model depended on patients trusting them with it.

The law calls this Protected Health Information and Personally Identifiable Information. Those labels make it sound bureaucratic. It is not. It is the kind of information that, in the wrong hands, allows someone to open a fraudulent credit line, file a false tax return, or impersonate a patient in a medical system. It is also the kind of information that, if exposed, follows a person for years. You cannot change your date of birth. You cannot un-expose your Social Security number. You cannot take back the fact that your breast imaging records are now somewhere you did not put them.

The patients in this case found out approximately six months after it happened. They received a postcard. They were told to visit a website. The system offered them a form to fill out to prove their own losses. The burden of documentation fell on them. The settlement offers them up to $5,000 if they can show receipts, or a pro-rata share of whatever cash remains after everyone else is paid. For context: 357,265 people share a fund of $2,525,000. After legal fees, administrative costs, service awards, and documented loss claims, the cash that filters down to patients who submit no documentation could be cents.

The breach happened in an email account. Not a server. Not a complex cloud architecture. One employee’s inbox, accessible to a third party who should never have been there.


Legal Receipts

These are direct quotes from the court-filed settlement agreement and supporting declaration. Nothing has been paraphrased.

  • This establishes that the entire breach originated from a single employee email account, not from a sophisticated attack on a secure server or encrypted database. The access point was one inbox.
  • The phrase “on or around October 2024” means the exact date of discovery has not been publicly specified with precision, but the company knew about it months before it notified patients.
  • The repeated hedge “may have been impacted” is standard legal language in settlements but is significant: the company cannot confirm whether the data was actually exfiltrated or only accessed. The risk of harm is unresolved.
  • The document confirms that PHI under HIPAA was present inside a standard employee email account, raising obvious questions about how sensitive medical files ended up stored there.
  • The breach was discovered in October 2024. Notice began April 21, 2025. That is approximately six months between discovery and notification to affected patients. Six months during which those patients had no way to protect themselves from the exposed data.
  • This is the full inventory of exposed data. The combination of Social Security numbers, passport numbers, medical records, and payment data in a single breach represents near-complete identity exposure for affected patients.
  • The phrase “medical/clinical information” specifically covers the imaging results that brought these patients to Onsite, meaning sensitive health diagnoses and screening results are part of the exposed dataset.
  • Onsite is paying $2,525,000 and agreeing to provide a confidential declaration about its security practices while simultaneously claiming it did nothing wrong and had adequate security. These positions exist in the same document.
  • The denial of liability is standard in class action settlements and does not mean the company is absolved. It means the settlement resolves the case without a court ever ruling on whether the security was negligent.
“In no event shall Defendant be obligated to pay more than Two Million, Five Hundred Twenty-Five Thousand Dollars and No Cents ($2,525,000.00) in connection with the Settlement Agreement.”

Visual 1 — Breach-to-Notification Timeline
  • Oct 2024: Breach discovered (≈ 6 months during which patients were unaware)
  • Apr 21, 2025: Patient notice begins (357,265 individuals)
  • Apr 25, 2025: First lawsuit filed
  • Jun 16, 2025: 10 cases consolidated
  • Dec 18, 2025: Full-day mediation
  • Mar 6, 2026: Settlement filed for approval

Profit-Maximization at All Costs

The $2,525,000 settlement fund is the ceiling of Onsite’s financial exposure. Before a single patient sees a dollar, the fund is divided in a specific order that prioritizes administration and legal fees above patient compensation.

  • The fund pays out in this sequence: first, notice and administrative expenses; second, taxes; third, service awards to named plaintiffs; fourth, attorney fees and costs; fifth, documented out-of-pocket loss claims; sixth, credit monitoring claims; and finally, pro-rata cash payments to everyone else. Patients who cannot document losses are last in line.
  • Class counsel intends to request attorney fees of up to one-third of the settlement fund, which equals approximately $841,667, plus reimbursement of expenses up to $30,000.
  • Each of the eight named plaintiffs is eligible for a $3,500 service award, totaling up to $28,000.
  • EisnerAmper LLP is appointed as the settlement administrator, and its fees come out of the fund before any patient payments. Administrative costs are not capped in the public documents.
  • If attorney fees, administrative costs, service awards, and documented loss claims absorb the bulk of the fund, the pro-rata payment available to the remaining 357,265 patients could be a few dollars or less per person.
  • Onsite’s obligation is capped absolutely at $2,525,000. The company faces no financial exposure beyond that figure regardless of the scale of harm documented by class members.
Visual 2 — Settlement Fund Allocation (Known Deductions)
  • Total fund: $2,525,000
  • Attorney fees (up to 1/3): ≤ $841,667
  • Legal costs: ≤ $30,000
  • Service awards (8 plaintiffs): ≤ $28,000
Known deductions before patient cash reaches the class.

At minimum, $899,667 leaves the fund before any patient receives a pro-rata cash payment, assuming legal expenses and service awards hit their caps. That leaves a theoretical maximum of approximately $1,625,333 for patient claims, split across up to 357,265 people, and that figure is further reduced by administrative costs, which are not publicly capped.


Societal Impact Mapping

Public Health

The people affected by this breach were specifically seeking cancer screening services. The type of data exposed compounds the harm beyond standard identity theft.

  • Medical and clinical information exposed in the breach includes imaging data and health records tied to breast cancer screening. For patients awaiting results or in ongoing treatment, the exposure of this information to unknown third parties represents a loss of control over some of the most private medical decisions in a person’s life.
  • Health insurance information and billing records were exposed alongside clinical data. This combination can be used to commit medical identity fraud, including filing false claims under a patient’s insurance, which can corrupt a patient’s actual medical record and interfere with future care.
  • The six-month gap between Onsite discovering the breach and notifying patients meant those 357,265 people had no ability to monitor their medical or financial accounts for fraud during that window. Any harm that occurred during those months was invisible to them.
  • The settlement provides three years of credit monitoring, but standard credit bureau monitoring does not detect medical identity theft. The CyEx Medical Shield Complete service included in the settlement offers some medical data monitoring, but its effectiveness depends on patients activating it, which requires submitting a claim.

Economic Inequality

The structure of the settlement shifts financial burden onto the people least equipped to absorb it.

  • Patients who experienced documented financial harm from the breach must gather and submit proof of that harm to receive reimbursement. People with fewer resources, less documentation of their finances, or limited digital access face a higher barrier to claiming the compensation the settlement is designed to provide.
  • The pro-rata cash payment requires submitting a claim form. Class members who do nothing receive nothing. Settlement administrators typically see low claim rates in large data breach settlements, meaning the majority of affected people may never see any money.
  • Remainder funds after uncashed checks expire go to court-approved charitable organizations via cy pres distribution, not back to patients. Money that should compensate patients for harm instead leaves the class entirely.
  • The out-of-pocket loss cap of $5,000 per person is the ceiling, not a guaranteed payment. It requires documented, verifiable losses traceable to the breach. Patients who suffered real harm but cannot produce paperwork connecting that harm directly to the Onsite incident will have their claims denied and converted to the pro-rata line.

The Settlement Isn’t Justice

The math of this settlement makes the inadequacy legible without any editorializing.

  • 357,265 patients had sensitive medical and identity data exposed. The total settlement fund is $2,525,000. Divided equally across all class members with no deductions, that is approximately $7.07 per person. After attorney fees alone, it is closer to $4.72 per person before administrative costs are subtracted.
  • The settlement includes no admission of wrongdoing by Onsite. The company pays $2,525,000 and walks away with its denial of liability formally preserved in the court record. No finding of negligence. No ruling on whether storing Social Security numbers, passport numbers, and medical records in a standard employee email account violated HIPAA or any other standard of care.
  • The confidential declaration Onsite will provide to class counsel, attesting to what happened and what security measures were implemented afterward, is explicitly sealed. It will not be made public unless a court orders otherwise. Patients whose data was exposed will not know what Onsite actually did or failed to do.
  • Onsite can terminate the entire settlement if more than 500 class members opt out. This provision gives Onsite a numerical kill switch. If patients exercise their right to reject the settlement in meaningful numbers, the deal collapses, and the class starts over.
  • Attorneys’ fees come from the same pool as patient compensation. Every dollar paid to class counsel is a dollar not paid to patients. The legal incentive structure is not aligned with maximizing patient recovery.
  • The costs Onsite spent on security improvements after the breach are described as “paid by Defendant separate and apart from other Settlement benefits,” meaning those expenditures are explicitly not counted as part of the $2,525,000 owed to patients. Onsite gets credit for fixing the problem, but patients do not get any portion of that spending.
“In no event shall Defendant be obligated to pay more than Two Million, Five Hundred Twenty-Five Thousand Dollars and No Cents ($2,525,000.00).” For 357,265 patients. That is $7.07 each, before fees.

The “Cost of a Life” Metric


This Is the System Working as Intended

The outcome of this case is not a malfunction. Every element of it follows a well-worn path that consistently produces the same result: companies pay small fractions of the harm they caused, deny wrongdoing, and continue operating.

  • Ten separate lawsuits were filed by different legal teams after the breach became public. The court consolidated them into one action. Consolidation is procedurally efficient, but it also means 357,265 patients are represented by three law firms whose fee is capped at one-third of a $2.525 million fund, regardless of how large the actual harm was.
  • The settlement was negotiated before formal discovery. The parties exchanged “informal discovery,” meaning class counsel evaluated Onsite’s liability exposure without the full evidentiary record a trial would have required. Onsite had strong incentive to settle quickly before its internal security practices were subject to formal scrutiny and made part of the public record.
  • The confidentiality of Onsite’s post-breach security declaration ensures that no competitor, regulator, or patient will learn what specific failures made 357,265 people’s medical data accessible through a single email account. The company gets to fix the problem privately and avoid the accountability that public disclosure would create.
  • The 500-person opt-out kill switch is a documented structural tool that tilts the resolution toward settlement acceptance. Patients who might prefer to litigate individually risk collapsing the settlement and returning the entire class to square one, which creates social pressure to accept terms that most affected patients will never act on at all.
  • HIPAA governs how healthcare entities protect PHI, and the Department of Health and Human Services Office for Civil Rights enforces it. This settlement resolves the private class action. It does not resolve any HIPAA enforcement action, which is a separate regulatory process. Whether HHS has investigated or will investigate Onsite is not addressed in the settlement documents. The civil payout does not translate to regulatory accountability.

What a Legitimate Fix Looks Like

The core structural failure this case exposes is the absence of any enforceable standard requiring healthcare providers to keep Protected Health Information out of standard employee email accounts, combined with a civil litigation system that caps corporate liability at amounts too small to change corporate behavior. The following are editorial recommendations grounded in the documented failure modes of this case.

Regulatory Track

  • The HHS Office for Civil Rights should open a HIPAA enforcement investigation into Onsite Mammography’s data handling practices, specifically focusing on whether PHI belonging to 357,265 patients was stored in an employee email account in violation of the HIPAA Security Rule’s requirements for access controls, encryption, and audit logging.
  • OCR should require healthcare entities that partner with medical practices to provide on-site services to undergo the same HIPAA compliance audits as the practices themselves. Onsite’s business model of operating within OB/GYN and primary-care offices creates a secondary data custodian relationship that should carry equivalent security obligations.
  • The FTC should examine whether Onsite’s data practices constituted an unfair or deceptive practice under Section 5 of the FTC Act, specifically whether patients were adequately informed that their medical and identity data would be retained in employee email systems.
  • Mandatory breach notification timelines under HIPAA require notification within 60 days of discovering a breach. The documented gap between October 2024 discovery and April 21, 2025 notification appears to approach or exceed this limit. OCR should determine whether Onsite’s notification timeline was compliant.

Legislative Track

  • Congress should establish a federal minimum penalty per affected patient for data breaches involving PHI, set at a level that creates genuine financial deterrence for companies of Onsite’s scale. A per-patient floor would prevent settlements like this one from reducing liability to single-digit dollars per victim.
  • State legislatures in jurisdictions with affected patients should consider legislation requiring healthcare data custodians to disclose their data storage practices to patients at the point of service, including whether PHI is retained in email systems or other non-encrypted storage.
  • Federal law should prohibit class action settlements in healthcare data breach cases from including confidential declarations about security failures. If a company’s negligent practices exposed medical records, the public has an interest in knowing what those practices were.

Corporate Governance Track

  • Onsite should be required, as a condition of the final settlement approval, to implement and publicly certify that PHI is no longer stored in standard employee email accounts and that access to patient data requires multi-factor authentication and audit logging.
  • Healthcare companies that partner with medical practices to deliver services should be required to designate a Privacy Officer under HIPAA with board-level reporting authority, creating a direct line of accountability between data security failures and executive leadership.
  • Executive compensation structures at companies handling PHI should include clawback provisions tied to data security failures, so that a breach that harms hundreds of thousands of patients carries a financial consequence for the decision-makers who set security budgets.

The above recommendations are editorial analysis by EvilCorporations.com. They are not findings of the source document.


What Now?

Onsite Mammography, LLC (d/b/a Onsite Women’s Health) is the defendant. Its legal counsel on this case is Mason Floyd and Peter Berk of Clark Hill, PLC, Chicago. The company’s leadership is not named in the settlement documents and has not been identified here.

If You Were Affected

  • You should have received a postcard notice if Onsite had your address on file. If you used Onsite’s services at any point before October 2024 and did not receive notice, check the settlement website at www.OnsiteSettlement.com to verify whether you are a class member.
  • Submit a claim for the three years of CMIS (Credit and Medical/Healthcare Data Monitoring and Insurance Services) even if you have nothing to document. It costs you nothing and provides $1 million in identity theft insurance. You can delay activation for up to 12 months after claiming it.
  • If you have documented any financial losses you can trace to this breach, including costs to freeze or unfreeze credit, credit monitoring you paid for yourself, or other verifiable expenses, file for the out-of-pocket loss reimbursement of up to $5,000 at www.OnsiteSettlement.com.
  • You have the right to opt out of the settlement if you want to preserve your ability to sue Onsite independently. The opt-out deadline is 60 days after the Notice Date. If you opt out, you receive no settlement benefits but retain your right to litigate.
  • You have the right to object to the settlement terms in writing to the court before the Objection Deadline, also 60 days after the Notice Date. Objections go on the court record and are reviewed before final approval.

Watchlist: Who Has Authority Over Onsite

HHS Office for Civil Rights: Enforces HIPAA. File a complaint at hhs.gov/ocr. Reference Onsite Mammography, LLC and the October 2024 PHI breach affecting 357,265 patients.
Federal Trade Commission: Handles unfair or deceptive data practices. File at ftc.gov/complaint.
Your State Attorney General: Most states have consumer protection and data breach notification laws. Contact your state AG’s office and reference the Onsite breach and the six-month notification delay.
United States District Court, District of Massachusetts: The case is Clarkson, et al. v. Onsite Mammography, LLC, Case No. 3:25-cv-11123-MGM. Court filings are public at PACER (pacer.gov).

Mutual Aid and Organizing

  • Share this article with anyone who received an Onsite notification postcard. The claim deadline is 90 days after the Notice Date. Most people throw away settlement postcards. Getting claims filed is the only way to force the fund to be distributed to patients rather than handed over as cy pres to charities.
  • Contact patient advocacy organizations in your area about healthcare data security. Onsite’s model of embedding imaging services inside OB/GYN and primary care practices means their data practices affect patients at clinics that may not know what standards their partners are applying to patient records.
  • If you work in a medical office that partners with a company like Onsite for on-site imaging services, ask your employer directly: where is patient data stored, who has access to it, and when was the last security audit conducted? Patients are entitled to answers to these questions before they consent to services.

The source document for this investigation is attached below.

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
