GCBHS settles ransomware data breach lawsuit for $850K

Written by Farah Amod | November 06, 2025

A 2023 ransomware attack exposed sensitive health and personal data of over 60,000 people; legal settlement now moves forward.

What happened

Greater Cincinnati Behavioral Health Services (GCBHS) has agreed to pay up to $850,000 to settle litigation stemming from a ransomware attack in December 2023. The DragonForce ransomware group gained unauthorized access to the GCBHS network using stolen employee credentials, compromising 72 GB of data. Initial access occurred on December 9, and the breach was detected on December 10.

Roughly 62,000 individuals were affected, with the exposed data including names, dates of birth, Social Security numbers, driver’s license numbers, state IDs, health records, and insurance information. Notifications to patients and employees began on June 12, 2024.

Going deeper

The breach led to two class action lawsuits that were later merged into a single case: In Re: Greater Cincinnati Behavioral Health Services Data Incident Litigation, filed in Ohio’s Hamilton County Court of Common Pleas. The consolidated complaint alleged that GCBHS failed to implement adequate cybersecurity protections and included claims of negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. GCBHS denies all allegations of wrongdoing.

Although initial mediation did not result in a resolution, ongoing negotiations produced a settlement agreement that has received preliminary court approval. The agreement includes up to $850,000 to cover attorneys’ fees, administration costs, service awards for class representatives, and reimbursements to affected individuals.

What was said

Class members may claim up to $5,000 in documented, unreimbursed losses. A pro rata cash payment is also available, expected to range between $60 and $120 per person. In addition, all affected individuals are eligible for a one-year subscription to CyEx Medical Shield, a three-bureau credit monitoring service.

Deadlines for the settlement process are as follows: objections or exclusions must be submitted by November 11, 2025; claims must be filed by December 11, 2025; and the final approval hearing is scheduled for January 14, 2026.

The big picture

According to the Health-ISAC 2025 Annual Threat Report, ransomware remains one of the most urgent and destabilizing threats facing the healthcare industry. The report notes a sharp rise in targeted attacks, with cybercriminals increasingly focusing on behavioral health providers, medical-device networks, and third-party vendors. In the first nine months of 2025 alone, Health-ISAC recorded 293 ransomware incidents against healthcare providers and 130 more involving healthcare-adjacent businesses such as billing firms and service vendors.

The ransomware attack on Greater Cincinnati Behavioral Health Services fits this broader trend of escalating risk across mid-sized healthcare organizations. These incidents not only compromise protected health information but also lead to prolonged legal battles and costly settlements. As ransomware continues to disrupt patient care and expose sensitive data, security experts warn that behavioral health and community-based providers, often operating with limited IT resources, remain among the most vulnerable targets.

FAQs

What can other healthcare organizations learn from this settlement?

The GCBHS case demonstrates the financial and reputational consequences of ransomware incidents in behavioral health settings. Even mid-sized providers can face class action litigation and six-figure settlements when cybersecurity and access controls are found lacking.

How did attackers gain access to the GCBHS network?

The breach originated from stolen employee credentials, which underscores the need for strict identity and access management controls, multi-factor authentication (MFA), and employee phishing prevention programs across healthcare organizations.

What types of data were compromised, and why does it matter for compliance teams?

The exposed data, including names, Social Security numbers, medical records, and insurance details, falls into categories explicitly covered under HIPAA. Breaches of this kind reinforce the obligation for organizations to encrypt data in storage and in transit, maintain audit logs, and routinely review their HIPAA security risk assessments.

What are the broader implications for behavioral health providers?

Behavioral health organizations often handle highly sensitive patient data but may lack strong cybersecurity budgets. The GCBHS settlement shows that even a single day of unauthorized access can trigger long-term legal, financial, and trust consequences, making investment in HIPAA-compliant communication and proactive security posture management a necessity.