Rebound Orthopedics & Neurosurgery agrees to $2.5M settlement

The Northwest Oregon-based service provider recently announced a data breach settlement following a 2024 incident.

What happened

In a lawsuit titled Cooper, et al. v. Rebound Orthopedics & Neurosurgery P.C., Plaintiffs alleged that the practice was negligent, breached their fiduciary duty, and allowed for an invasion of privacy to take place. The claims arise from a 2024 data incident that led to the exposure of data from 426,536 patients. While multiple lawsuits were formed, they were all ultimately consolidated.

Rebound decided to settle the case through mediation, a process which began in September of 2025. Under the settlement, Rebound has agreed to establish a fund of $2.5 million, which will go towards attorney fees, settlement costs, service awards for class representatives, and benefits for the class members.

The backstory

The case is the aftermath of a breach Rebound faced in 2024. According to a notice sent to patients on February 4th, 2025, Rebound faced a breach one year prior, on February 3rd, 2024. At the time, the company became aware of suspicious activity and determined that an unauthorized user accessed data between February 1st, 2024 and February 3rd, 2024. Data involved included names, medical information, health insurance information, Social Security numbers, financial account information, driver’s license numbers, passport numbers, and dates of birth. Notices began being mailed out to impacted patients in April of 2024.

Why it matters

Over the past several years, Paubox has been documenting the gradual climb in both data breaches and the lawsuits that follow them. According to the Identity Theft Resource Center (ITRC), over 1.7 billion data breaches were reported in 2024, a 312% increase compared to 2023. While numbers for 2025 haven’t been released yet, it’s likely we’ll see another jump. One Paubox report found that 73% of healthcare IT leaders expect more breaches in coming years.

Although some breaches never result in a lawsuit, many do, especially as states tighten requirements for data breach reporting and response, which some organizations are slow to adapt to. After a lawsuit is filed, it’s common for organizations to choose to settle to avoid lengthy costs associated with going to trial. Suits, alongside the other costs associated with data breaches, can easily cost organizations an average of $11 million. These breaches cause real financial harm and stress to patients and the organizations that are victimized.

FAQs

Why do lawsuits get consolidated?

Generally, multiple lawsuits may be filed by different victims, but collectively make the same points or are about the same issue. When these plaintiffs come together to consolidate the suit, it can make for a stronger case. For the court, it can also help prevent multiple, similar cases, from being litigated.

How is a settlement determined?

Settlements are determined through mediation by the attorneys for the plaintiff and defendant. These individuals, along with the help of a mediator, determine a suitable monetary outcome. Settlement amounts can vary widely depending on the facts of the case and the discussions between the attorneys.