Nearly 600,000 people were affected by a ransomware attack that compromised sensitive data across WellNow Urgent Care and its affiliates.
WellNow Urgent Care, operating clinics across New York, Illinois, Michigan, and Ohio, has agreed to a $4.4 million class action settlement following a ransomware attack detected in April 2023. The breach affected around 597,000 individuals and compromised personal and health-related information, including names, birth dates, Social Security numbers, driver’s license details, health insurance records, banking information, and biometric data.
The attack also impacted WellNow’s parent company, ADMI Corp. (also known as The Aspen Group), and affiliates such as Aspen Dental and Physicians Immediate Care. Notifications to individuals began in February 2024.
Multiple lawsuits were filed in response to the breach by affected individuals and were consolidated into a single case in Illinois: Tambroni, et al. v. WellNow Urgent Care, P.C., et al. Plaintiffs alleged negligence, breach of implied contract, and unjust enrichment. Although the defendants denied all allegations, both sides agreed to settle due to the potential costs and uncertainty of continued litigation.
The settlement splits affected individuals into two subclasses:
The non-SSN subclass settlement is capped at $3.3 million, and the SSN subclass at $1.1 million. Attorneys’ fees and service awards will be deducted proportionally from these funds.
Settlement benefits include claims for lost time (up to 2 or 3 hours, depending on subclass), documented out-of-pocket expenses, and extraordinary expenses (up to $7,500 per claimant). SSN subclass members may opt for a pro rata cash payout instead of submitting claims. Class members must file by July 11, 2025, or they will not receive any compensation. The court has given preliminary approval, with a final hearing set for August 15, 2025.
The case illustrates the long-term impact ransomware attacks can have on the healthcare sector, especially when large networks and their affiliates are involved. Although settlements may offer financial compensation, the exposure of sensitive health and identity information can lead to persistent risks for those affected. Healthcare organizations continue to face targeting by cybercriminals, making it important to invest in both preventive security measures and effective breach response plans.
The court split the class into two groups based on the severity of exposure. Those whose Social Security numbers were compromised (SSN subclass) face higher identity theft risks and are therefore eligible for different compensation terms than those in the non-SSN subclass.
The inclusion of biometric data, banking info, and health insurance records makes this breach more dangerous than typical identity theft cases. Biometric data, for example, can’t be changed, making long-term misuse harder to prevent.
While denying liability, they likely chose to settle to avoid the unpredictability and expense of a trial, a common strategy in high-cost data breach cases where litigation could drag on for years.
Possibly. If you visited a WellNow clinic or one of its affiliates and suspect your data may have been involved, you can check the official settlement website or contact the claims administrator to see if you're listed as a class member.
You’ll lose your right to any compensation or reimbursement under the settlement terms. Submitting a claim is the only way to ensure you’re eligible for benefits.