What Was Actually Taken From These People
The people in this class are not investors. They’re not wealthy executives. They are current and former employees of Robbie D. Wood, Inc., the normal ass workers who handed over their most sensitive information as a basic condition of employment. You don’t get a paycheck without giving your employer your Social Security number. You don’t get health coverage without sharing your medical history. You don’t fill out an HR form without trusting that the company holding your data takes that responsibility seriously.
That trust was broken on October 1, 2024.
What was exposed was not abstract. The breach accessed files potentially containing names, dates of birth, driver’s license numbers, financial account information, medical information, and Social Security numbers. A Social Security number is not a password you can reset. It follows a person for life. Once it’s in the hands of someone willing to use it, the damage it can do (such as fraudulent tax filings, new accounts opened in your name, medical identity theft that corrupts your health records) can take years to undo and may never be fully corrected.
Medical information is its own category of violation. When your employer knows your diagnoses, your prescriptions, your treatment history, that information was shared under the implicit guarantee of confidentiality. A breach that exposes that data doesn’t just create a financial risk. It exposes something deeply personal to strangers with unknown intentions.
And then came the silence. For more than four months (from October 1, 2024, when the attack happened, to February 11, 2025, when notifications finally went out) these 3,777 people had no idea their data had been taken. They couldn’t freeze their credit. They couldn’t put alerts on their accounts. They couldn’t monitor for fraudulent filings. They were left exposed and uninformed while the clock ran on whatever damage was already being done.
The settlement offers $65 to acknowledge all of this. Sixty-five dollars. That is what this company and its lawyers determined was a reasonable number to place on the unauthorized exposure of a person’s Social Security number, medical history, and financial account information, combined with a four-month notification delay that stripped those same people of any chance to protect themselves in real time.
What the Documents Actually Say
The settlement agreement and accompanying court filings contain several passages that deserve to be read in full, without paraphrase.
“on or around October 1, 2024, a cyber-attack occurred on Defendant’s system that resulted in a data breach of certain data on its network, of which Defendant notified affected individuals on or about February 11, 2025”
- This single sentence establishes the core timeline: the breach occurred October 1, 2024, and notification did not happen until February 11, 2025. That is a gap of approximately 133 days between the attack and when employees were told their data had been compromised.
- The phrase “on or around” applied only to the attack date, not the notification date, which is stated as a definite date… meaning the delay is precisely documented, not some fuzzy estimated date.
“These files may have contained personal information such as names, dates of birth, driver’s license numbers, financial account information, medical information, and Social Security numbers.”
- The word “may” is doing significant work here. It is standard legal hedging in breach settlements, but the breadth of the data categories listed — spanning identity documents, financial records, and protected health information — means the potential exposure covers virtually every sensitive category that exists for a private individual.
- The inclusion of “medical information” alongside Social Security numbers elevates this beyond a standard financial data breach. Compromised medical information carries protections under federal law and creates a distinct category of harm that financial restitution alone cannot address.
“Defendant denies the allegations and causes of action pled in the Action and otherwise denies any liability to Plaintiff in any way.”
- This is the standard corporate denial that appears in virtually every data breach settlement. The company pays $65 per person, funds $125,000 in attorneys’ fees, and still maintains in the legal record that it did nothing wrong.
- The practical effect: the settlement cannot be cited as evidence of wrongdoing in any other proceeding. The legal record is scrubbed clean of any finding of fault.
“Defendant will provide a confidential affidavit to Settlement Class Counsel describing its information security improvements since the Data Breach and estimating the annual cost of those improvements.”
- The security improvements are documented in a confidential affidavit — meaning the 3,777 affected employees, the public, and any future employees of Robbie D. Wood will never know what was changed, whether the changes are sufficient, or how much the company is investing in protecting the data it holds.
- Settlement Class Counsel receives this information. The people whose data was breached do not.
- This means a class member who does nothing — files no claim, receives no money, takes no action — still permanently surrenders their right to sue Robbie D. Wood over this breach. Inaction is treated as consent to the release.
- The release covers not only known claims but explicitly includes “Unknown Claims” — legal injuries the affected person doesn’t yet know they have, including harms that may emerge years from now as a direct result of this breach.
The Four-Month Gap: What Employees Weren’t Told
The core documented gap in this case is the period between when the breach was discovered and when the people whose data was taken were notified. The settlement agreement establishes both dates with precision.
- The cyberattack occurred on or around October 1, 2024. Robbie D. Wood did not notify affected individuals until on or about February 11, 2025. That is roughly 133 days during which employees had no knowledge their information had been compromised.
- During those 133 days, affected individuals could not take the most basic protective steps: freezing credit, placing fraud alerts with credit bureaus, monitoring financial accounts for unauthorized activity, or alerting their banks.
- The settlement’s reimbursement structure reflects this delay. Credit monitoring costs are only covered if incurred “on or after mailing of the notice of the Data Breach” — February 11, 2025. Any protective costs incurred before notification, during the four-month gap, fall outside the reimbursable window.
- The Long Form Notice states that documented losses must have occurred “between October 1, 2024, and [Claims Deadline],” which acknowledges the breach date as the start of the harm window — while simultaneously limiting credit monitoring reimbursement to the post-notification period. The affected person is on the hook for any costs they incurred trying to protect themselves before the company got around to telling them they needed to.
Case Chronology: From Breach to Settlement
The documented timeline of this case reveals a pattern familiar in data breach litigation: harm occurs silently, notification comes months later, a lawsuit follows quickly once word gets out, and a settlement is reached before a judge ever rules on the merits.
- October 1, 2024: Cyberattack hits Robbie D. Wood’s systems. Files containing employees’ names, Social Security numbers, medical information, financial account data, driver’s license numbers, and dates of birth are accessed. The class of affected individuals numbers approximately 3,777.
- February 11, 2025: Robbie D. Wood sends notification letters to affected individuals — 133 days after the breach. This is the first moment the majority of affected employees learned their data had been compromised.
- August 20, 2025: Plaintiff Jevon Worrell files a class action complaint in the Circuit Court of Jefferson County, Alabama, approximately six months after notification and ten months after the breach itself.
- March 20, 2026: Settlement Agreement is signed by Plaintiff and Settlement Class Counsel. The document reflects agreement reached after “extensive and arm’s length negotiations.”
- March 27, 2026: Document execution is completed per the document ID timestamp.
Who Gets Hurt and How
Public Health and Personal Safety
When medical information is part of a data breach, the harm extends beyond finances into a domain that most people consider among the most private aspects of their lives.
- The breached files potentially contained “medical information” — a category that can include diagnoses, prescription histories, insurance details, and treatment records. This class of data is classified as Protected Health Information under federal law precisely because its unauthorized exposure can cause documented harm, including discrimination, stigma, and exploitation.
- Medical identity theft — where a thief uses someone else’s health information to fraudulently obtain medical services or prescriptions — can corrupt a victim’s medical records in ways that create dangerous errors in future treatment. Unlike financial fraud, medical identity theft can directly threaten a person’s physical safety if incorrect information enters their health record.
- The 133-day notification gap means affected employees had no opportunity to place alerts with healthcare providers or insurers during the period when this risk was live and unknown to them.
Economic Inequality
The financial architecture of this settlement distributes costs and benefits in a way that systematically disadvantages the people with the least resources.
- The highest-value benefit — up to $5,000 for documented losses — requires claimants to produce third-party documentation including bank statements, receipts, and professional fee records. Workers who have already absorbed financial harm from identity theft are the least likely to have preserved the documentation trail required to claim full reimbursement.
- The no-documentation alternative cash payment is capped at $65.00. This is the realistic option for most working-class claimants who don’t have receipts, don’t know what was done with their data, or can’t afford the time to compile a documentation file.
- Settlement Class Counsel receives up to $125,000 in attorneys’ fees, paid by Robbie D. Wood separately from victim benefits. The lead plaintiff receives a $3,000 service award. Both figures are fixed and certain. Victim compensation is variable, capped, and documentation-dependent.
- Any class member who misses the claims deadline — because they didn’t receive the postcard notice, didn’t understand the process, or simply lacked the time to engage — receives nothing but still loses their right to sue.
- Settlement checks expire 90 days after issuance and become void if not cashed, with no reissuance after that point. For people who move frequently, experience housing instability, or receive mail unreliably, this creates an additional barrier to collecting even the $65 cash payment.
$65 Is Not Accountability
The structure of this settlement tells you exactly how much the legal system values the unauthorized exposure of your Social Security number, medical history, and financial account information when the person holding that data is a corporation.
- The no-documentation cash payment is $65.00 per person. That is the number the parties agreed upon to compensate for the exposure of Social Security numbers, medical records, driver’s license numbers, dates of birth, and financial account information — combined with a 133-day delay in notification.
- Settlement Class Counsel’s fee award of up to $125,000 is paid separately and in full, regardless of how many class members file claims or how much they receive. The attorneys’ compensation is structurally guaranteed. The victims’ compensation is not.
- The settlement includes no admission of wrongdoing. The agreement states explicitly: “No action taken by the Parties either previously or in connection with the negotiations or proceedings connected with this Agreement shall be deemed or construed to be an admission of the truth or falsity of any claims or defenses.” Robbie D. Wood pays and walks away with a clean legal record.
- The settlement cannot be used as evidence in any other proceeding. If other harms emerge from this breach — against the same individuals, in a different forum — the existence of this settlement provides no legal foothold.
- The release covers “Unknown Claims” — harms the victims haven’t discovered yet, including future identity theft directly traceable to data accessed in this breach. A person who accepts (or simply fails to opt out of) this settlement is surrendering legal rights over injuries they don’t yet know they have.
- Robbie D. Wood’s security improvement commitments are delivered in a confidential affidavit to class counsel, not to the affected employees and not to the public. There is no mechanism in this settlement for the 3,777 affected individuals to verify whether their employer’s systems are now actually secure.
The Math of Impunity
The maximum no-documentation cash payment available to each of the 3,777 employees whose names, Social Security numbers, medical information, financial account data, driver’s license numbers, and dates of birth were exposed in the October 2024 breach — compared to up to $125,000 guaranteed to attorneys.
This Is Not a Bug. This Is the Feature.
The outcome of this case — a corporation exposes thousands of employees’ most sensitive data, notifies them four months later, settles for $65 per person with no admission of fault, and secures a permanent release of all future claims — is not an accident or a failure of the legal system. It is the legal system working exactly as designed for corporate defendants.
- The class action mechanism, as deployed here, consolidates 3,777 individual claims into a single proceeding where the corporation negotiates with a small number of attorneys rather than facing 3,777 independent lawsuits. The efficiency that makes class actions valuable for plaintiffs also makes settlement on corporate-favorable terms structurally easier to achieve.
- The “no admission of liability” standard is a feature of settlement law that allows corporations to pay money to resolve claims while preserving the ability to deny wrongdoing in every subsequent context. Robbie D. Wood pays the settlement and simultaneously maintains, in the legal record, that it did nothing wrong.
- The confidential affidavit mechanism for security improvements means Robbie D. Wood’s future employees will never be able to independently assess whether the company securing their personal data has actually fixed the vulnerabilities that enabled this breach. The opacity that made the breach possible is preserved in the settlement that resolves it.
- The “Unknown Claims” waiver — requiring affected individuals to surrender rights over harms they don’t yet know they have — is standard settlement boilerplate. Its routine use means the full long-term cost of a data breach is systematically excluded from the settlement calculus, always to the corporation’s benefit.
- The claims deadline, check expiration policy, and documentation requirements create structural attrition: the more barriers between victims and their compensation, the fewer claims get filed, and the lower the total payout becomes. The settlement structure is optimized for claim suppression, not claim fulfillment.
What Real Accountability Would Require
The core structural failure this case exposes is a breach notification and remediation system that provides no meaningful deterrence, no genuine transparency, and no proportionate accountability for employers who fail to protect the data their employees are legally required to hand over.
The following recommendations are editorial analysis grounded in the documented failure modes of this case. They are not findings of the settlement agreement or the court.
Regulatory Track
- State and federal data breach notification laws should establish a maximum mandatory notification window of 30 days from breach discovery for breaches involving Social Security numbers or medical information. The 133-day delay in this case occurred within the current legal framework — meaning the framework is inadequate.
- Regulatory agencies overseeing employer data security (including the FTC and relevant state attorneys general) should require post-breach security audits to be filed publicly, not confidentially with opposing counsel. An employer’s obligation to secure employee data does not end when litigation does.
- The confidential affidavit mechanism used in this settlement should be rejected by courts as an inadequate substitute for verified, public disclosure of remediation measures when the affected parties are employees who remain in the company’s data systems.
Legislative Track
- Legislation should establish a baseline statutory damages floor for data breaches involving Social Security numbers and medical information — a minimum recovery per person that does not require documentation and cannot be settled below. A $65 floor is not a deterrent; it is an invitation.
- The “Unknown Claims” waiver in data breach settlements should be subject to a mandatory sunset period: class members should not be required to permanently waive rights over harms arising from a breach that have not yet manifested at the time of settlement. Legislative reform should cap the waiver at documented, existing claims only.
- Settlement check expiration policies that forfeit victim compensation within 90 days should be prohibited when the claimants are a certified class of individuals, many of whom may face housing or mail instability.
Corporate Governance Track
- Employers who hold employee Social Security numbers and medical information should be required to maintain and publicly disclose the existence of an independent data security audit program, with findings reportable to the state attorney general — not just to plaintiff’s counsel in a settlement affidavit.
- Executive compensation structures at companies experiencing data breaches should be subject to mandatory clawback provisions when a breach results in certified class harm, creating a direct financial incentive at the leadership level to invest in preventive security rather than post-breach settlement.
- Board-level responsibility for data security governance should be formally required for any employer that holds Protected Health Information or Social Security numbers for a workforce of more than 500 people.
What You Can Do Right Now
If you are one of the 3,777 individuals in the Robbie D. Wood settlement class, you have specific options with real deadlines. Everyone else can apply pressure where it belongs.
If You Are a Class Member
- Do not do nothing and assume you are protected. Inaction means you lose your legal rights and receive zero compensation. Check the Settlement Website (URL to be established by Atticus Administration LLC) or call the toll-free number on your postcard notice to confirm your status.
- File a claim for the Alternative Cash Payment ($65) if you have no documentation. No proof is required. You can also simultaneously claim the two-year credit monitoring service through CyEx Medical Shield Complete.
- If you have documented out-of-pocket expenses caused by identity theft or fraud traceable to this breach, gather bank statements, receipts, and professional fee records and file for the Documented Losses reimbursement (up to $5,000).
- If you believe this settlement does not adequately compensate you and you want to preserve your right to sue independently, submit a written Request for Exclusion by the Opt-Out Deadline (60 days after the Notice Deadline). Do this by certified mail so you have proof of postmark.
- Regardless of your claims decision, place a credit freeze with all three major bureaus (Equifax, Experian, TransUnion) and an alert with ChexSystems if you have not already done so. This is free and you can unfreeze when needed. Do not wait for the settlement to resolve to take this step.
Watchlist: Who Answers for Data Security
- Federal Trade Commission (FTC): Primary federal enforcement authority for data security failures by non-healthcare employers. File complaints at ftc.gov/complaint.
- Alabama Attorney General: State-level enforcement of Alabama data breach notification law. Documented notification delays in breach cases fall within AG investigative jurisdiction.
- Department of Health and Human Services — Office for Civil Rights: If any of the breached medical information was Protected Health Information under HIPAA, OCR has jurisdiction. File at hhs.gov/ocr.
- Consumer Financial Protection Bureau (CFPB): If financial account information was misused following the breach, the CFPB takes complaints related to financial fraud at consumerfinance.gov/complaint.
Mutual Aid and Grassroots Action
- Connect current and former Robbie D. Wood employees with local worker center organizations in Jefferson County, Alabama, who can provide free guidance on navigating identity theft, disputing fraudulent accounts, and accessing legal aid if documented losses exceed settlement reimbursement caps.
- Contact Alabama Legal Services or the National Consumer Law Center if you believe your documented losses from this breach exceed $5,000 and you are considering opting out to pursue independent litigation.
- Share this case with coworkers at other employers. Data breach settlements structured identically to this one are filed in courts across the country every week. Worker awareness of these settlements — and of the opt-out right — is the only leverage that makes corporate data security investments financially rational.
The source document for this investigation is attached below.
Explore by category
Product Safety Violations
When companies sell dangerous goods, consumers pay the price.
View Cases →Financial Fraud & Corruption
Lies, scams, and executive impunity that distort markets.
View Cases →


