The lawsuit stems from a late-2023 cybersecurity incident at Fred Hutchinson Cancer Center, a major research and treatment institution, where unauthorized parties allegedly accessed certain files between November 10 and November 25, 2023. Because healthcare records can include highly sensitive identifiers—often enough to enable financial fraud or “medical identity theft” (such as someone obtaining care or prescriptions under another person’s name)—patients typically face unique risks after a breach, including long-term exposure due to the difficulty of changing medical identifiers and histories. Plaintiffs filed the class action claiming the center failed to adequately safeguard patient information and should be held accountable for the heightened risk of identity theft and related harms, asserting theories such as negligence, breach of implied contract, unjust enrichment, and violations of the Washington Consumer Protection Act. The proposed $11.5 million settlement offers a tiered set of benefits: up to $5,000 for documented out-of-pocket losses (proof required), a cash payment up to $599 (generally pro rata depending on claims), and two years of medical identity-theft protection and monitoring, with a claim deadline of May 7, 2025. More broadly, this case fits a growing wave of healthcare data-breach class actions that often turn on whether an organization’s security practices were “reasonable” and whether affected individuals can show compensable harm beyond mere exposure of data. The healthcare sector operates under an unusually dense compliance environment—most notably HIPAA’s privacy and security rules and state consumer-protection statutes—yet breaches remain common due to ransomware, third-party vendors, and legacy systems, making settlements like this one a key mechanism for compensating patients while pressuring providers to strengthen security controls and incident-response practices