Mindpath Health agrees to settle $3.5 million lawsuit

The mental health service provider is agreeing to a settlement following two data breaches. 

What happened

Mindpath Health, which operates in seven states and is based in California, recently reached a settlement following a data breach. The lawsuit has a final hearing scheduled for February 19th, 2026. 

The incident stems from two related data breaches that took place on March 2022 and July 2022. In both cases, an unauthorized party accessed Microsoft Office 365 business email accounts that stored personally identifiable information about Mindpath patients and other individuals. The incident was disclosed to the victims in January 2023, and an initial complaint was filed on January 30th, 2023. 

The incident was one of the largest in 2023, impacting approximately 193,947 individuals. Impacted information included names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information. 

What’s new

The initial complaint alleged negligence, breach of implied contract, breach of fiduciary duty, breach of confidence, unjust enrichment/quasi-contract, and the violation of several California privacy laws. 

Mindpath continues to deny any allegations of wrongdoing, but has ultimately decided to settle the case for $3.5 million, which will go to victims, lawyers, and be used to cover any administrative costs. The settlement website mentions that individuals who received a notice about the incident are considered class members, but anyone who received services from Mindpath prior to August 2022, regardless of having received a notice, may also be class members. 

The big picture 

The incident highlights the time it takes for a class action suit to move through the court process, even if the defendant ultimately agrees to a settlement. If Mindpath wished to take the case to trial, the case would likely take even longer to resolve. While the time-consuming nature of a lawsuit is unavoidable, it can still have detrimental effects on companies and individuals. For Mindhealth, they likely faced some financial limbo as they determined if and how much they would be financially impacted by the event. For victims who experienced financial harm as a result of the incident, it’s likely they have experienced the repercussions of resolving identity theft or credit fraud. 

The vast majority of data breach lawsuits end in a settlement, but that doesn’t mean organizations aren’t paying a hefty price. According to IBM, the average cost of a data breach is $11 million, which is the highest cost of any industry. The large price tag includes the price of settlement alongside additional costs, like penalties, which can range from several thousand to several million, and costs that go into resolving the breach, notifying patients, and improving cybersecurity. 

FAQs

Why would someone opt out of a settlement? 

The lawsuit’s settlement website notes that opting out of the settlement would allow an impacted individual to continue to sue, file a separate suit, or be part of another lawsuit against Mindpath for this same incident. If someone wishes to pursue additional legal action, opting out may be an option for them. 

Why do these suites take so long to resolve? 

There are many reasons a lawsuit make take a long time to work its way through the court systems. It may take time, for instance, to gather evidence, notify and communicate with victims, present the case, and schedule various hearings with the court. After a settlment is reached, there’s also additional time to allow individuals to opt out or seek additional information.