Tri Counties Bank Left 74,385 People Exposed for 8 Months
A cybersecurity attack stole Social Security numbers, medical records, passport numbers, and banking credentials from tens of thousands of customers. The bank waited nearly eight months to tell anyone. The settlement is $1.185 million. Do the math.
The Non-Financial Ledger
Picture what it means to have your entire financial identity, your medical history, and the proof of who you are as a legal person sitting in a folder on a stranger’s server. That is what happened to 74,385 people in February 2023, and most of them had no idea for the better part of a year.
The data that was stolen covers every angle of a person’s existence. Your Social Security number is the master key to your credit history, your tax records, and your ability to open any financial account in the country. Your driver’s license number ties to your state identity record. Your passport number is your international identity. Your date of birth, mother’s maiden name, and tax identification number are exactly the combination that banks, lenders, and government agencies use to authenticate that you are you. Your medical information and health insurance data reveal conditions, treatments, and coverage you may not have disclosed to anyone outside a doctor’s office. Your electronic signature can, in the wrong hands, authorize documents you never saw. Your financial account information is the direct path to your money.
All of it was taken in a single breach that spanned just two days: February 7 and February 8, 2023.
Then the bank stayed silent for eight months.
From February through October, every person in that database lived their normal life. They swiped debit cards, applied for credit, filed taxes, visited doctors, and trusted that the institution holding their information was doing its job. They had no reason to watch for signs of fraud, no reason to freeze their credit, no reason to check whether someone had filed a tax return in their name or opened a new line of credit under their identity. The bank knew. The bank said nothing.
The notification finally went out on or around October 12, 2023. By then, the damage that could be done with that data had eight months to be done. Identity theft doesn’t always announce itself immediately. Stolen data is packaged, sold, traded, and weaponized on timelines that victims only discover when a collection call arrives or a loan application comes back rejected for accounts they didn’t open.
The settlement offers class members up to $5,000 for documented losses, but documentation is the problem. To get that money, you have to prove that the specific fraudulent charge or credit inquiry or identity theft incident was caused by this specific breach, at this specific bank, and not one of the dozens of other breaches affecting Americans every year. That burden of proof falls on the victim, not the institution that lost the data. For most people, the practical option is the $100 alternative cash payment, which becomes smaller if too many people claim it, or the $150 California-only payment, which is subject to the same reduction.
For the 74,385 people whose lives were swept into this case, the experience is a specific kind of modern betrayal: you trusted a bank with information you had no choice but to give them, and the bank lost it, waited nearly a year to tell you, and then settled the legal consequences for about $15.93 a head before costs.
That list of what was taken is quoted from the settlement agreement itself. It is not an accusation from plaintiffs’ lawyers. It is the bank’s own description of what was taken. Every word of it describes a piece of someone’s life that they cannot change, cannot retrieve, and cannot protect retroactively.
Legal Receipts: What the Documents Actually Say
The settlement agreement and the supporting declaration are court filings signed under penalty of perjury. They establish the facts of this case in Tri Counties Bank’s own words. Here is what those words prove.
“On or around February 7, 2023, Defendant discovered a cybersecurity attack that affected its computer systems between February 7, 2023 and February 8, 2023 (the ‘Data Security Incident’).”
- This sentence establishes that the bank knew about the breach no later than February 7, 2023. The notification to victims did not begin until October 12, 2023. That is a gap of approximately 247 days between discovery and disclosure.
- The breach itself lasted only two days. The concealment lasted 247. The period of victim exposure and ignorance was 123 times longer than the breach event that caused it.
“A subsequent investigation determined that during this Data Security Incident a threat actor acquired certain database files that included names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, medical information, health insurance information, dates of birth, passport numbers, digital/electronic signatures, tax identification numbers, access credentials, and mother’s maiden names.”
- The word “acquired” is doing significant work here. This is not ambiguous exposure or a theoretical risk. A criminal actively obtained complete database files containing fourteen categories of highly sensitive personal information.
- The list includes access credentials, meaning the attacker may have obtained the actual login information people use to access their accounts. This is a category of data that enables real-time, ongoing access to financial systems, not just identity fraud risk.
- Medical information and health insurance data are covered by federal privacy law (HIPAA). Their inclusion in a banking breach raises questions about why a bank held this data and whether its security obligations under health privacy law were met.
“Defendant began notifying potentially impacted individuals about the Data Security Incident on or around October 12, 2023.”
- This is the bank’s own admission of the notification date. California law requires businesses to notify affected individuals of a data breach “in the most expedient time possible and without unreasonable delay.” A gap of more than eight months is a baseline for what “unreasonable delay” looks like in practice.
- The word “potentially” is worth noting. Even at the notification stage, the bank hedged its language rather than stating plainly that these individuals’ data was stolen.
“Specifically, Defendant disclosed that there were approximately 74,000 individuals whose information was potentially compromised in the Data Security Incident.”
- The 74,000 figure came from the bank’s own disclosure to plaintiffs’ counsel in preparation for mediation. The settlement agreement itself pins the number at exactly 74,385. The bank knew this number long before victims did.
- This disclosure only happened because plaintiffs filed lawsuits. Without litigation, there is no indication this level of detail would have been made public at all.
“‘Settlement Fund’ means the non-reversionary cash fund that shall be established by Defendant in the amount of $1,185,000… ‘Settlement Remedial Measures’ means the continuing implementation of security hardening measures implemented by Defendant after the Data Security Incident—the value of which have exceeded $1,000,000. The Total Economic Benefits provided for in this Settlement is therefore at least Two Million One Hundred Eighty-Five Thousand Dollars ($2,185,000).”
- The $2.185 million “Total Economic Benefits” figure is calculated by adding the bank’s own internal security spending to the cash settlement fund. This figure is then used as the base for calculating attorneys’ fees at up to 35%. By counting its own remediation spending as a “benefit” to the class, the bank inflates the denominator and thus the attorneys’ fee ceiling.
- Victims do not receive any share of that $1 million in security improvements. It is money the bank spent on itself to fix its own systems. Framing it as a benefit to the class is a standard settlement accounting technique that inflates headline numbers without putting additional cash in victims’ pockets.
“Class Counsel will file a motion seeking an award of attorneys’ fees of up to 35% (thirty-five percent) of the Total Economic Benefits discussed in paragraph 1.45, and, additionally, reasonably incurred litigation expenses and costs (i.e., Fee Award and Costs), not to exceed $30,000.”
- 35% of $2.185 million is $764,750 in potential attorneys’ fees, plus up to $30,000 in costs. If the court awards the full requested amount, attorneys would receive more than $794,750 from a $1.185 million cash settlement fund, leaving less than $391,000 for 74,385 people.
- Even if the court awards fees based only on the cash settlement fund ($1.185 million), 35% would be $414,750, leaving roughly $770,250 for 74,385 class members or about $10.36 per person before administrative costs and service awards.
Translation: Tri Counties Bank settled because it was cheaper than fighting. Not because it took responsibility. The settlement agreement says explicitly that it “shall not constitute, be construed as, or be admissible in evidence as, any admission by Defendant of any wrongdoing, fault, violation of law, or liability of any kind.”
Societal Impact Mapping
Public Health
Medical information and health insurance data were among the categories confirmed stolen in this breach. The exposure of health data carries harms that extend beyond financial fraud.
- Health insurance information in criminal hands can be used to fraudulently bill for medical services, potentially depleting coverage limits or triggering claim disputes that delay legitimate care for the actual patient. Victims may not discover the fraud until they try to use their insurance and find their benefits exhausted or their records corrupted.
- Medical information, including diagnoses, treatment histories, and prescription records, can be used for targeted blackmail or social harm. In a community-banking context, where Tri Counties Bank operates across Northern and Central California, this level of data exposure can have direct, personal consequences in relatively small towns where reputation matters.
- The mental health toll of identity theft is documented and significant. Studies by the Identity Theft Resource Center consistently show that identity theft victims report anxiety, insomnia, and loss of trust in financial institutions at rates comparable to victims of property crime. All 74,385 people in this settlement class were exposed to that risk, many for eight months without warning or tools to protect themselves.
- The settlement offers one year of single-bureau credit monitoring with up to $1 million in fraud insurance as part of the benefits package. Single-bureau monitoring covers only one of the three major credit bureaus, meaning fraud activity reported by the other two would not trigger an alert.
Economic Inequality
The structure of this settlement, like most data breach settlements, systematically favors those with the resources and documentation infrastructure to navigate a claims process, while delivering the least to the most economically vulnerable.
- The $5,000 documented loss option requires victims to have kept records: bank statements, credit card statements, receipts, and invoices linking specific expenses to this specific breach. People living paycheck to paycheck, who may have dealt with fraudulent charges by simply calling their bank to dispute them rather than retaining paperwork, are effectively locked out of the highest compensation tier.
- The alternative cash payment of $100 (and the $150 California statutory payment) is subject to pro rata reduction if total claims exceed the available fund. The people most dependent on that $100 or $250, because they have no other financial cushion to absorb identity theft consequences, are the same people whose individual recovery shrinks as more of their peers make claims.
- The settlement class includes individuals whose financial account information was stolen. For someone with limited savings, unauthorized account access or fraudulent withdrawals can mean bounced checks, overdraft fees, and cascading financial harm. The settlement does not prioritize these individuals over others with more complex documented losses.
- The bank’s mandatory arbitration clauses (standard in consumer banking agreements) and the legal complexity of proving individual causation in a data breach effectively prevented most victims from ever filing individual lawsuits. The class action mechanism is the only practical route to any compensation, and it produces an average recovery that, before fees and costs, is less than $16 per person.
- Attorneys for the class can seek up to 35% of the $2.185 million “total economic benefits” figure, which includes the bank’s own security spending. If the court awards fees at that ceiling, lawyers stand to receive more money from this case than all 74,385 class members combined if claims rates are typical of data breach settlements, which frequently see single-digit participation rates.
The “Cost of a Life” Metric
For comparison: the average American identity theft case costs victims $1,343 in out-of-pocket expenses according to the Identity Theft Resource Center. The settlement offers most people $15 to $100.
What Now?
If you are one of the 74,385 people in this settlement class, or one of the millions of Americans whose data sits inside a bank that has not been breached yet, here is what you can do right now.
Leadership at Tri Counties Bank
- The settlement agreement identifies Tri Counties Bank as the defendant. Specific executive names responsible for data security oversight are not enumerated in the source documents. The company’s Chief Information Security Officer [REDACTED – Not in Source] and Chief Executive Officer [REDACTED – Not in Source] bear institutional responsibility for the security posture that allowed this breach and the notification delay that followed.
- Defense counsel is the law firm Gordon Rees Scully Mansukhani, LLP. Class counsel are Scott Edward Cole (Cole & Van Note), Jason M. Wucetich (Wucetich & Korovilas LLP), and John J. Nelson (Milberg Coleman Bryson Phillips Grossman, PLLC).
- The case is before the Honorable Virginia L. Gingery in Butte County Superior Court, Case No. 23CV03115. A preliminary approval hearing is scheduled for January 21, 2026 at 9:00 a.m. in Department 7. That hearing is public.
Watchlist: Regulatory Bodies That Should Be Paying Attention
- California Attorney General (AG): California’s data breach notification law (Civil Code § 1798.82) requires timely notification. The 247-day gap between breach discovery and victim notification warrants scrutiny from the AG’s office, which has authority to investigate and fine entities that fail to comply with the statute.
- Consumer Financial Protection Bureau (CFPB): As a regulated financial institution, Tri Counties Bank falls under CFPB jurisdiction. The CFPB has authority to examine banks’ data security practices and to take enforcement action for violations of consumer financial protection laws.
- Federal Deposit Insurance Corporation (FDIC): The FDIC supervises state-chartered banks that are not members of the Federal Reserve. It has authority to examine information security programs and can issue enforcement actions for deficient security practices under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.
- Office of the Comptroller of the Currency (OCC) / Federal Reserve: Depending on Tri Counties Bank’s charter classification, one of these agencies holds primary federal banking oversight. Both can examine a bank’s cybersecurity program under guidance issued after the 2005 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information.
- Department of Health and Human Services (HHS) / Office for Civil Rights (OCR): The breach included medical information and health insurance data. If any of that information qualifies as protected health information under HIPAA, HHS OCR has jurisdiction to investigate and fine the institution, even if it is a bank rather than a covered healthcare entity.
- Federal Trade Commission (FTC): The FTC enforces the Health Breach Notification Rule and the Safeguards Rule for non-bank financial institutions. If any Tri Counties Bank affiliates or vendors fall under FTC jurisdiction, the agency could examine whether adequate data security was maintained.
For Class Members: File Your Claim
- File a claim. If you received a notice about the Tri Counties Bank data breach in October 2023, you are almost certainly a class member. The settlement website will be launched before notices go out. Watch for it and file within 60 days of the notice date. Doing nothing means getting nothing.
- Gather documentation. Even if you cannot meet the $5,000 documented loss threshold, collect any records you have of costs you incurred after October 2023 related to credit monitoring, identity theft, or fraud response. Even deficient documented-loss claims are automatically converted to alternative cash payment claims rather than rejected outright.
- Check for California residency eligibility. If you lived in California at any point between September 19, 2023, and the claims deadline, you can claim an additional $150 statutory payment on top of the alternative cash payment. A sworn statement is sufficient proof.
- Freeze your credit at all three bureaus. This is free under federal law. A credit freeze at Equifax, Experian, and TransUnion prevents new accounts from being opened in your name. The settlement’s identity monitoring covers only one bureau. Protect the other two yourself.
- File a police report or FTC identity theft report if you have experienced fraud. An FTC Identity Theft Report at IdentityTheft.gov is free, takes 15 minutes, and creates the legal documentation you need to dispute fraudulent accounts and clean your credit file. It also strengthens any documented-loss claim you submit.
For Everyone: Mutual Aid and Organizing
- Support the Electronic Frontier Foundation. The settlement designates the EFF as a cy pres recipient for any residual funds. The EFF fights for digital privacy rights and data security standards that, if enacted, would reduce the frequency and severity of breaches like this one. Regardless of the settlement, their work is directly relevant to why this happened.
- Contact your state representative. California’s breach notification law has a gap: it does not specify a hard deadline for notification, only “expedient time.” Lobbying for a strict 30-day or 72-hour notification requirement (as exists in the EU under GDPR) is a concrete, achievable policy goal that protects everyone in your state.
- Talk to your neighbors. Community banks and regional banks are not more secure than big banks. They often have smaller IT budgets, less sophisticated security operations, and fewer staff dedicated to cybersecurity. Local banking relationships come with local breach risk. Mutual aid networks that share knowledge about data breach responses help everyone act faster when the next one hits.
- Attend the January 21, 2026 hearing. The preliminary approval hearing for this settlement is a public court proceeding in Butte County Superior Court, Department 7. Class members who object to the settlement have the right to appear and speak. If you believe $15 per person is not a fair price for 14 categories of stolen data and 247 days of silence, show up and say so.
The source document for this investigation is attached below.