The Non-Financial Ledger: What You Cannot Put a Dollar Amount On

Imagine getting a letter in the mail, or more likely an email you almost deleted as spam, telling you that a casino you visited, stayed at, or worked for lost your Social Security number to criminals three months ago. The breach happened in November. The letter arrived in February. For ninety days, you had no idea.

During those ninety days, you paid your bills, filed your taxes, maybe applied for a loan or renewed your insurance. You had no way to freeze your credit for a threat you didn’t know existed. You had no way to monitor your financial accounts for fraud connected to a cause you hadn’t been told about. You were exposed, and the company holding your data said nothing.

Social Security numbers are not like passwords. You cannot reset them. A leaked Social Security number can be used to open lines of credit, file fraudulent tax returns, apply for government benefits, or establish entirely fake identities in your name. The consequences of that kind of theft do not arrive all at once. They arrive slowly, sometimes years later, as a rejection letter from a mortgage lender, a debt collector calling about an account you never opened, or a letter from the IRS saying someone already filed a return under your Social Security number this year.

The settlement agreement in this case defines what happened as a “Data Security Incident.” That clinical language flattens something that is, for real people, a grinding and ongoing experience of vulnerability. The 229,410 class members in this case did not sign up for that experience. Many of them became linked to Eureka’s database through ordinary transactions: checking into a hotel room, signing up for a loyalty program, applying for a job. They trusted the company with sensitive personal information because the law and social convention both say companies will protect it.

Eureka’s response to this trust, codified in the settlement agreement, is to deny that anyone was harmed at all. Section after section of the settlement document repeats the phrase “Eureka disagrees with Plaintiffs’ claims and denies any wrongdoing.” The company denies that the 229,410 people in this class “have suffered any damage or harm.” That denial is not just a legal formality. It is a statement of institutional posture. The company’s position is that the people whose most sensitive identifying information was stolen from its servers should not expect an acknowledgment that anything went wrong.

There is also a clause in Section 12.14 of the settlement agreement that the press and public rarely discuss because it reads like boilerplate. The non-disparagement clause prohibits all settling parties from saying anything “derogatory or detrimental to the good name or business reputation” of any other party. For the corporation, this clause protects a brand. For a breach victim who accepts a settlement payment and then discovers their identity has been stolen three years from now and wants to warn others, this clause is a legal muzzle enforced by the same court system that just handed them their check.

The settlement also requires that Eureka’s new cybersecurity measures remain confidential. Future guests, employees, and loyalty members at Eureka Casino Hotel have no public accounting of what failed, what was fixed, or whether the company’s systems can be trusted today. They will make the same decision to hand over their personal information in the same state of ignorance that the 229,410 people in this class action were in before November 9, 2022.

That is the non-financial ledger. The dollar amounts are documented elsewhere. This is the cost that never appears in a court filing.

Legal Receipts: The Document Admits It in Their Own Words

The settlement agreement, filed December 19, 2025 in the U.S. District Court for the District of Nevada, contains language that tells the whole story if you know where to look. Every quote below is verbatim from the court document.

“this consolidated action arises from the security incident experienced by Eureka on or around November 9-13, 2022 during which unauthorized third parties gained access to Eureka’s system and exfiltrated personally identifiable information (‘Private Information’) belonging to approximately 229,410 Class Members” Settlement Agreement, Recitals — Case 2:23-cv-00276-CDS-NJK, Document 80-1, Page 2

• The word “exfiltrated” is the legal term for stolen. Unauthorized third parties did not merely view the data; they copied it and took it. The document confirms both unauthorized access and data extraction in the same sentence.
• The number 229,410 is the company’s own figure from its own records. This is not an estimate by plaintiffs or an outside agency.

“Defendant has denied and continues to deny: (a) each and every allegation and all charges of wrongdoing or liability of any kind whatsoever asserted or which could have been asserted in this Litigation; (b) that the Plaintiffs in the Litigation, and the class they purport to represent, have suffered any damage or harm” Settlement Agreement, Recitals — Case 2:23-cv-00276-CDS-NJK, Document 80-1, Page 3

• The company simultaneously acknowledges that 229,410 people’s Social Security numbers and financial account numbers were stolen AND denies that any of those people were harmed. Both statements appear in the same document.
• This denial is legally protected. Section 12.3 of the same agreement states the settlement “is not” and “may not be deemed to be” evidence of wrongdoing or liability “in any civil, criminal or administrative proceeding.”

“which Defendant first began notifying Class Members of on or about February 16, 2023” Settlement Agreement, §1.13 — Case 2:23-cv-00276-CDS-NJK, Document 80-1, Page 7

• The breach occurred November 9-13, 2022. Notification began February 16, 2023. That is a gap of approximately 95 days before affected individuals were told their most sensitive personal data had been stolen.
• During this window, class members had no ability to take protective action: no credit freezes triggered by knowledge of the breach, no fraud alerts placed, no monitoring services activated.

“Settlement Benefits means the non-reversionary cash fund that shall be established by Defendant in the amount of One Million Dollars ($1,000,000.00), from which all Settlement Administrator Expenses, Fee Award and Service Awards, Litigation Costs, and Attorneys’ Fees shall be paid.” Settlement Agreement, §1.31 — Case 2:23-cv-00276-CDS-NJK, Document 80-1, Page 9

• The entire $1,000,000 must cover attorney fees (up to $333,333), litigation costs (up to $35,000), service awards to named plaintiffs (up to $10,000), claims administration costs (amount not specified but paid from the same fund), and then whatever remains is distributed to 229,410 people.
• The fund is described as “non-reversionary,” meaning Eureka cannot get the unclaimed money back. However, Section 2.4 notes that residual funds from uncashed checks will be handled by mutual agreement between the parties, which could include distribution to nonprofit organizations rather than victims.

“Without admitting any liability, Defendant has implemented and maintained certain cybersecurity and data privacy protocols, and has deployed additional security measures. Upon request, Defendant will provide a confidential declaration to Class Counsel detailing the measures and their associated costs.” Settlement Agreement, §2.5 — Case 2:23-cv-00276-CDS-NJK, Document 80-1, Page 14

• The remediation measures that were supposedly implemented are kept confidential. Class counsel can request a declaration describing what was done, but that declaration is not public. Future Eureka customers have no access to this information.
• The phrase “without admitting any liability” means the improvements, if genuine, cannot be treated as evidence that the original security was inadequate.

“Settling Parties shall not, directly or indirectly, by word or by deed, disparage the name, reputation, character, services or products of the other Parties or make or solicit any comments, statements or the like to the media or other third parties that would reasonably be considered to be derogatory or detrimental to the good name or business reputation of any other Party.” Settlement Agreement, §12.14 — Case 2:23-cv-00276-CDS-NJK, Document 80-1, Page 30

• This clause applies to all settling parties, which includes every class member who accepts a settlement payment and does not opt out. A victim who later discovers fraud traceable to this breach and wants to warn others publicly would be in breach of this agreement.
• The clause covers statements “to the media or other third parties,” which under a broad reading could include social media posts, reviews, or public forum comments.

“Defendant has denied and continues to deny… that the Plaintiffs in the Litigation, and the class they purport to represent, have suffered any damage or harm.”

Societal Impact Mapping

Public Health

Financial fraud and identity theft produce documented psychological harm. The 229,410 people in this class were exposed to that risk from the moment the breach occurred, not the moment they were told about it.

• Social Security numbers were among the categories of stolen data. SSN exposure creates a permanent, ongoing identity theft risk that cannot be remediated by a one-time credit monitoring service or a $2.74 payout. The threat persists indefinitely.
• Financial account numbers were also exfiltrated. Direct financial account compromise can result in drained accounts, fraudulent transactions, and credit damage that affects access to housing, healthcare financing, and employment background checks.
• Passport numbers were in the stolen dataset. Passport number theft enables document fraud and international identity theft schemes that are significantly harder to detect and reverse than domestic credit fraud.
• Driver’s license and state-issued ID numbers were included. These numbers are used for employment verification, government benefit applications, and criminal identity fraud, where another person’s ID number is given to law enforcement at time of arrest, leaving the victim with a fraudulent criminal record.
• The 95-day notification delay compounded all of the above harms. Research on data breach outcomes consistently shows that early notification and rapid credit freezing reduce downstream fraud rates. Every week of silence after the November 2022 breach was a week during which class members remained unprotected.
• The Medicare declaration field on the settlement claim form acknowledges that some class members are Medicare beneficiaries seeking emotional distress damages. Elderly and Medicare-eligible individuals are disproportionately targeted by identity theft schemes and experience higher rates of severe psychological distress following data exposure.

“Social Security numbers cannot be reset. For 229,410 people, the risk created by this breach does not expire when the settlement check clears.”

Economic Inequality

The settlement’s compensation structure creates dramatically unequal outcomes depending on a victim’s resources, legal sophistication, and state of residence, a design that systematically disadvantages the least economically powerful class members.

• The pro-rata cash payment available to all class members is estimated at approximately $2.74 per person if every eligible person files a claim, and less than $5 per person even under optimistic claims-rate assumptions. This is the only compensation available to the majority of class members who cannot document specific out-of-pocket losses.
• The $5,000 out-of-pocket loss claim requires third-party documentation, strict proof that the loss was “more likely than not caused by the Data Security Incident,” and exhaustion of all available credit monitoring and identity theft insurance. People without access to paper records, those who are unbanked or have informal financial lives, and those who don’t know how to link a fraud event to a specific breach are systematically unable to meet this standard.
• California residents receive a $100 statutory cash payment that is unavailable to identically situated victims in the other 49 states. This disparity exists because California enacted stronger consumer privacy laws (the CCPA and CCRA). Victims in states with weaker privacy law received weaker protection and weaker compensation for the same harm.
• Up to $333,333 in attorney fees comes from the same fund as victim compensation. This is a structural feature of class action settlements that concentrates benefit at the top of the legal hierarchy regardless of the scale of individual harm.
• The opt-out threshold of 100 victims gives Eureka the unilateral right to void the entire settlement if too many class members decide to preserve their right to sue individually. This effectively penalizes collective self-advocacy and creates pressure on class members to stay passive and accept the lowest-tier settlement benefit.
• Settlement checks void after 90 days unless re-issued, and re-issuance requests expire six months after the effective date. Victims who are transient, homeless, incarcerated, hospitalized, or simply slow to navigate mail-based bureaucracy lose their compensation automatically, with no exception.
• The claims form requires a Settlement Class Member ID or the last four digits of a Social Security number to verify eligibility. This creates an additional barrier for people who did not receive the original breach notification, including those who moved, use P.O. boxes, or whose mail was intercepted.

The “Cost of a Life” Metric: What $1,000,000 Means Per Person

Who Is Who: The Power Structure in This Case

This case involves four distinct parties whose roles and interests do not align. The relationship map below shows how money and liability flow through the settlement structure.

What Now? What You Can Do

The settlement is not final as of the filing date; court approval is still required. That window is the only moment when class members can meaningfully shape the outcome.

Leadership and Corporate Roles in This Case

• Defendant: Rancho Mesquite Casino, Inc. dba Eureka Casino Hotel. Corporate officers and directors are not named individually in the settlement agreement and are explicitly excluded from the settlement class.
• Claims Administrator: Angeion Group LLC. This third-party firm controls the claims process, validates or rejects individual claims, and distributes all payments from the settlement fund.
• Class Counsel: M. Anderson Berry (Emery Reddy PC, Seattle, WA) and Gary M. Klinger (Milberg PLLC, Chicago, IL). These attorneys represent the interests of all 229,410 class members in negotiations with Eureka.
• Mediators: Bruce Friedman, Esq. of JAMS (May 30, 2023 mediation) and Rodney Max, Esq. of Watson White (June 4, 2025 mediation, which produced the agreement).
• Presiding Court: U.S. District Court for the District of Nevada, Case No. 2:23-cv-00276-CDS-NJK. Judge assigned to the action is excluded from the settlement class.

Regulatory Watchlist: Who Has Jurisdiction Over This

• Federal Trade Commission (FTC): Has broad authority over unfair or deceptive data security practices. The FTC’s Health Breach Notification Rule and Safeguards Rule both impose affirmative data security obligations on companies holding consumer data. A complaint can be filed at ftc.gov/complaint.
• Nevada Gaming Control Board (NGCB): Nevada casino operators are licensed and regulated entities. The NGCB has the authority to impose conditions on gaming licenses, including cybersecurity compliance requirements. File a complaint or inquiry at gaming.nv.gov.
• Nevada Office of the Attorney General: Nevada’s Identity Theft Protection Act (NRS Chapter 603A) requires data collectors to implement reasonable security measures and notify affected individuals promptly after a breach. The AG’s office enforces these requirements.
• California Attorney General’s Office: Given that California residents are specifically identified as a higher-protected subclass in this settlement (CCPA and CCRA applicability), the California AG has enforcement jurisdiction over California class members’ claims. File at oag.ca.gov.
• Consumer Financial Protection Bureau (CFPB): Financial account numbers were among the stolen data categories. The CFPB has jurisdiction over financial data security and can investigate entities whose security failures result in consumer financial harm. File at consumerfinance.gov/complaint.

Your Direct Options if You Are a Class Member

• File your claim before the claims deadline. The deadline is 90 days after the Notice Commencement Date (which is 30 days after the Preliminary Approval Order). Watch the settlement website for the exact date. If you received a breach notification letter from Eureka, you are almost certainly eligible. You can use your Settlement Class Member ID or the last four digits of your SSN to verify eligibility.
• Consider opting out if you have documented losses exceeding $4.36. If you have suffered specific, documentable financial harm traceable to this breach and the amount exceeds what the pro-rata settlement would pay, opting out preserves your right to sue independently. Opt-out requests must be individually signed and postmarked by the Opt-Out Date (60 days after Notice Commencement Date).
• File an objection with the U.S. District Court for the District of Nevada if you believe the settlement is inadequate. The Court address is: Clerk of the Court, Lloyd D. George Federal Courthouse, 333 Las Vegas Boulevard South, Las Vegas, NV 89101. Objections must be postmarked by the Objection Date (60 days after Notice Commencement Date) and must include your name, address, case number, proof of class membership, and a written statement of your grounds for objection.
• Freeze your credit at all three bureaus immediately if you have not already done so. Equifax, Experian, and TransUnion all offer free credit freezes. A freeze does not affect your credit score and prevents new lines of credit from being opened in your name without your explicit permission. This is the single most effective protective action available to breach victims.
• File a complaint with the FTC and your state AG’s office regardless of whether you participate in the settlement. Regulatory complaints are separate from the civil settlement and can inform future enforcement actions that may result in structural changes to how companies like Eureka handle consumer data.

Mutual Aid and Community Organizing

• Connect with local legal aid organizations in Nevada and your home state. Legal aid societies offer free assistance to income-qualified individuals navigating identity theft and fraud claims. Many have specific data breach clinics following major incidents.
• Share information about the settlement and claims process with other casino employees, loyalty program members, and hotel guests who may have been affected. Many people who received the breach notification letter may not know they are class members or how to file a claim.
• Advocate for stronger state-level data breach legislation in Nevada, which currently has weaker consumer privacy protections than California. Organizations like the Electronic Frontier Foundation (EFF) and the National Consumer Law Center (NCLC) track and support state-level privacy legislation.
• Support campaigns for federal data protection standards. The absence of a federal equivalent to the CCPA means that breach victims in most states receive systematically weaker compensation and fewer legal protections than California residents for identical harms. Contact your congressional representatives and demand action on comprehensive federal privacy legislation.