Subscribe To Our Newsletter

This field is for validation purposes and should be left unchanged.

Aspire Health Alliance Settles 2023 Data Breach Class Action for $400,000

South Shore Mental Health Center Inc., d/b/a Aspire Health Alliance, has agreed to a $400,000 class action settlement to resolve claims from a September 2023 data breach that exposed the sensitive personal and medical data of over 17,000 individuals.

large-field-of-ripe-wheat-under-the-open-sky-on-a-2025-02-12-05-09-11-utc 1

The cyberattack potentially exposed the sensitive medical files and personal details of more than 17,000 patients and employees. If you received an official breach notification, you may be eligible to claim up to $2,500 in cash reimbursements and a year of free medical identity monitoring.

What Happened in the Aspire Health Alliance Cyberattack?

The class action lawsuit, titled Joan Tozzi v. South Shore Mental Health Center Inc. d/b/a Aspire Health Alliance, alleges that the Massachusetts-based behavioral healthcare provider failed to maintain reasonable computer network security. This vulnerability left its servers exposed to external threats. In September 2023, cybercriminals launched a targeted digital attack against the organization’s network, infiltrating computer systems containing confidential patient files.

The breach was not immediately noticed, according to court documents, giving unauthorized parties access to sensitive data for a prolonged period. When Aspire Health Alliance finally detected the intrusion, the organization launched an investigation to establish the scope of the exposure. After cross-referencing internal records, the group determined that the personal and protected health information of 17,000 people was caught in the security event. Because healthcare facilities are prime targets for cybercrime, a single security lapse can compromise files belonging to thousands of local residents simultaneously. While Aspire Health Alliance denies any wrongdoing or legal liability, the organization agreed to pay $400,000 to settle the class action rather than face an expensive, drawn-out trial.

What Private Patient Data Was Exposed in the Breach?

When medical networks are compromised, the types of data exposed are often far more dangerous than simple financial details. Unlike credit card numbers, which banks can quickly deactivate, health information cannot be replaced. According to court filings, the September 2023 security incident exposed a wide array of personal, financial, and clinical databases.

The specific categories of compromised data include:

  • Full names and dates of birth

  • Detailed dates of medical services

  • Internal patient account files and treatment information

  • Names of treating physicians and medical facilities

  • Individual medical conditions and prescription details

  • Individual health insurance policy numbers

  • Medicare or Medicaid identification numbers

If you had your private data exposed on the dark web, you are facing a long-term risk of identity fraud. Bad actors routinely purchase stolen medical files to submit fraudulent insurance claims, obtain prescription drugs illegally, or perform full-scale financial identity theft. Because this data remains vulnerable for years, the long-term emotional and financial burden of protecting your credit falls squarely on your shoulders.

The Legal Duty of Healthcare Providers to Guard Patient Information

Under both federal and state consumer protection laws, healthcare entities are held to strict standards of data preservation. The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to install robust administrative, physical, and technical barriers to shield electronic patient information. When a company falls short of these standards, it fails in its basic duty of care to the individuals who trust it with their wellness.

The plaintiffs in this case argued that Aspire Health Alliance should have implemented basic cybersecurity standards, including end-to-end encryption, routine network audits, and advanced threat detection. By neglecting these practices, the company left vulnerable patient databases in a format that was easily readable to malicious hackers.

While HIPAA does not let individual patients sue a company directly, state-level consumer protection acts and negligence laws give everyday people the power to take legal action. This class action settlement helps everyday people hold companies accountable, showing major healthcare providers that keeping private data secure is not optional—it is a legal requirement.

How Much Cash and Credit Monitoring Can You Claim?

The $400,000 settlement provides several avenues for class members to secure compensation. The relief structure is split into documented out-of-pocket reimbursements, pro rata cash distributions, and free medical monitoring.

First, you can file a claim to receive up to $2,500 in cash reimbursements for documented, unreimbursed out-of-pocket losses. These expenses must have occurred between September 13, 2023, and September 16, 2026, as a direct result of the breach. This category covers actual financial damages, including:

  • Losses stemming from identity theft or fraud

  • Fees for freezing or unfreezing your credit files

  • Purchasing third-party credit monitoring services

  • Costs for notary public services, faxes, postage, and copying

  • Mileage and long-distance telephone fees incurred to resolve identity issues

If you did not suffer documented financial losses, you do not need to submit a claim form to receive cash. Instead, you will automatically receive an equal pro rata share of the remaining net settlement funds after administrative fees, lawyer costs, and documented claims are paid out. Finally, all class members can receive one year of free CyEx Medical Shield Complete. This service features continuous medical record monitoring and $1 million in medical identity theft insurance.

Are You Eligible to Join the Aspire Health Alliance Class Action?

The settlement is open to a specific group of consumers defined by the court’s preliminary approval order, which was granted on June 4, 2026. You may be eligible if you are a living individual who received a direct, physical mail notice from South Shore Mental Health Center Inc. (doing business as Aspire Health Alliance) stating that your personal health information was potentially compromised during the September 2023 data incident.

The settlement administrator has compiled a master list of the 17,000 individuals whose details were exposed. If you were on this list, you should have received an official court-approved settlement notice in the mail. This notice contains a unique Login ID and PIN code, which are required to log into the settlement website. If you believe your information was involved but did not receive a physical notice, you can contact the settlement administrator to check your name against the official database.

How to File a Claim and Secure Your Settlement Cash

To secure a documented-loss cash payment of up to $2,500, you must actively submit a claim form before the court’s hard filing window closes. The official portal is fully operational at AspireDataIncident.com.

If you choose not to file a documented loss claim, you are still eligible for the automatic pro rata cash distribution and the free year of medical data monitoring. However, you should still visit the portal to ensure your current mailing address is up to date and to select your preferred digital payment method.

1.Locate your unique settlement credentials:Required for online login.

Find the physical settlement notice mailed to you. Retrieve the unique Login ID and PIN printed on the document. If you misplaced this letter, use the contact portal on AspireDataIncident.com to speak with the administrator.

2.Gather your supporting financial evidence:Required for documented claims up to $2,500.

Collect any documentation that proves you lost money because of the breach. This includes credit monitoring bills, bank statements showing fraud, receipts for postage, or travel logs. If you are only seeking the automatic pro rata cash payment, you can skip this step.

3.Submit your completed claim form:Must be completed by September 16, 2026.

Go to AspireDataIncident.com, enter your login details, fill out the forms, and choose your payout option. Make sure your claim is submitted online or postmarked no later than September 16, 2026.

What Lies Ahead as the Settlement Moves Toward Final Court Approval

While the settlement has received preliminary approval, the litigation process is not yet complete. The court has scheduled a final approval hearing for October 1, 2026, where the judge will evaluate the fairness of the $400,000 deal, review attorney fees, and listen to any comments or objections raised by consumers.

If you do not agree with the terms of the settlement, you have until September 16, 2026, to submit a written objection or exclude yourself from the lawsuit entirely (opt out). If you exclude yourself, you will not receive any cash payments or free medical monitoring, but you will retain your right to sue Aspire Health Alliance individually. If you do nothing, you will remain in the settlement class, forfeit your right to file independent lawsuits regarding this incident, and receive your automatic pro rata cash and medical monitoring.

Once the court grants final approval, and assuming there are no appeals filed, the settlement administrator is legally required to distribute payments and medical monitoring activation codes within 75 days.

Subscribe To Our Newsletter

New cases and investigations, settlement deadlines, and news straight to your inbox.

This field is for validation purposes and should be left unchanged.
The Time for Action is Now!
Mass Arbitrations
Active Data Breaches
Date of Breach: July 13, 2026
Date of Breach: July 12, 2026
Date of Breach: August 25, 2025
Latest News