Subscribe To Our Newsletter
South Shore Mental Health Center Inc., d/b/a Aspire Health Alliance, has agreed to a $400,000 class action settlement to resolve claims from a September 2023 data breach that exposed the sensitive personal and medical data of over 17,000 individuals.
The cyberattack potentially exposed the sensitive medical files and personal details of more than 17,000 patients and employees. If you received an official breach notification, you may be eligible to claim up to $2,500 in cash reimbursements and a year of free medical identity monitoring.
The class action lawsuit, titled Joan Tozzi v. South Shore Mental Health Center Inc. d/b/a Aspire Health Alliance, alleges that the Massachusetts-based behavioral healthcare provider failed to maintain reasonable computer network security. This vulnerability left its servers exposed to external threats. In September 2023, cybercriminals launched a targeted digital attack against the organization’s network, infiltrating computer systems containing confidential patient files.
The breach was not immediately noticed, according to court documents, giving unauthorized parties access to sensitive data for a prolonged period. When Aspire Health Alliance finally detected the intrusion, the organization launched an investigation to establish the scope of the exposure. After cross-referencing internal records, the group determined that the personal and protected health information of 17,000 people was caught in the security event. Because healthcare facilities are prime targets for cybercrime, a single security lapse can compromise files belonging to thousands of local residents simultaneously. While Aspire Health Alliance denies any wrongdoing or legal liability, the organization agreed to pay $400,000 to settle the class action rather than face an expensive, drawn-out trial.
When medical networks are compromised, the types of data exposed are often far more dangerous than simple financial details. Unlike credit card numbers, which banks can quickly deactivate, health information cannot be replaced. According to court filings, the September 2023 security incident exposed a wide array of personal, financial, and clinical databases.
The specific categories of compromised data include:
Full names and dates of birth
Detailed dates of medical services
Internal patient account files and treatment information
Names of treating physicians and medical facilities
Individual medical conditions and prescription details
Individual health insurance policy numbers
Medicare or Medicaid identification numbers
If you had your private data exposed on the dark web, you are facing a long-term risk of identity fraud. Bad actors routinely purchase stolen medical files to submit fraudulent insurance claims, obtain prescription drugs illegally, or perform full-scale financial identity theft. Because this data remains vulnerable for years, the long-term emotional and financial burden of protecting your credit falls squarely on your shoulders.
Under both federal and state consumer protection laws, healthcare entities are held to strict standards of data preservation. The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to install robust administrative, physical, and technical barriers to shield electronic patient information. When a company falls short of these standards, it fails in its basic duty of care to the individuals who trust it with their wellness.
The plaintiffs in this case argued that Aspire Health Alliance should have implemented basic cybersecurity standards, including end-to-end encryption, routine network audits, and advanced threat detection. By neglecting these practices, the company left vulnerable patient databases in a format that was easily readable to malicious hackers.
While HIPAA does not let individual patients sue a company directly, state-level consumer protection acts and negligence laws give everyday people the power to take legal action. This class action settlement helps everyday people hold companies accountable, showing major healthcare providers that keeping private data secure is not optional—it is a legal requirement.
The $400,000 settlement provides several avenues for class members to secure compensation. The relief structure is split into documented out-of-pocket reimbursements, pro rata cash distributions, and free medical monitoring.
First, you can file a claim to receive up to $2,500 in cash reimbursements for documented, unreimbursed out-of-pocket losses. These expenses must have occurred between September 13, 2023, and September 16, 2026, as a direct result of the breach. This category covers actual financial damages, including:
Losses stemming from identity theft or fraud
Fees for freezing or unfreezing your credit files
Purchasing third-party credit monitoring services
Costs for notary public services, faxes, postage, and copying
Mileage and long-distance telephone fees incurred to resolve identity issues
If you did not suffer documented financial losses, you do not need to submit a claim form to receive cash. Instead, you will automatically receive an equal pro rata share of the remaining net settlement funds after administrative fees, lawyer costs, and documented claims are paid out. Finally, all class members can receive one year of free CyEx Medical Shield Complete. This service features continuous medical record monitoring and $1 million in medical identity theft insurance.
The settlement is open to a specific group of consumers defined by the court’s preliminary approval order, which was granted on June 4, 2026. You may be eligible if you are a living individual who received a direct, physical mail notice from South Shore Mental Health Center Inc. (doing business as Aspire Health Alliance) stating that your personal health information was potentially compromised during the September 2023 data incident.
The settlement administrator has compiled a master list of the 17,000 individuals whose details were exposed. If you were on this list, you should have received an official court-approved settlement notice in the mail. This notice contains a unique Login ID and PIN code, which are required to log into the settlement website. If you believe your information was involved but did not receive a physical notice, you can contact the settlement administrator to check your name against the official database.
To secure a documented-loss cash payment of up to $2,500, you must actively submit a claim form before the court’s hard filing window closes. The official portal is fully operational at AspireDataIncident.com.
If you choose not to file a documented loss claim, you are still eligible for the automatic pro rata cash distribution and the free year of medical data monitoring. However, you should still visit the portal to ensure your current mailing address is up to date and to select your preferred digital payment method.
1.Locate your unique settlement credentials:Required for online login.
Find the physical settlement notice mailed to you. Retrieve the unique Login ID and PIN printed on the document. If you misplaced this letter, use the contact portal on AspireDataIncident.com to speak with the administrator.
2.Gather your supporting financial evidence:Required for documented claims up to $2,500.
Collect any documentation that proves you lost money because of the breach. This includes credit monitoring bills, bank statements showing fraud, receipts for postage, or travel logs. If you are only seeking the automatic pro rata cash payment, you can skip this step.
3.Submit your completed claim form:Must be completed by September 16, 2026.
Go to AspireDataIncident.com, enter your login details, fill out the forms, and choose your payout option. Make sure your claim is submitted online or postmarked no later than September 16, 2026.
While the settlement has received preliminary approval, the litigation process is not yet complete. The court has scheduled a final approval hearing for October 1, 2026, where the judge will evaluate the fairness of the $400,000 deal, review attorney fees, and listen to any comments or objections raised by consumers.
If you do not agree with the terms of the settlement, you have until September 16, 2026, to submit a written objection or exclude yourself from the lawsuit entirely (opt out). If you exclude yourself, you will not receive any cash payments or free medical monitoring, but you will retain your right to sue Aspire Health Alliance individually. If you do nothing, you will remain in the settlement class, forfeit your right to file independent lawsuits regarding this incident, and receive your automatic pro rata cash and medical monitoring.
Once the court grants final approval, and assuming there are no appeals filed, the settlement administrator is legally required to distribute payments and medical monitoring activation codes within 75 days.
New cases and investigations, settlement deadlines, and news straight to your inbox.