Nova Recovery Center 5000 Settlement Over May 2025 Data Breach Exposing SSNs

Nova Recovery LLC (Nova Recovery Center), a U.S.-based addiction treatment provider, faced a class action after a targeted cyberattack beginning around May 22, 2025 allegedly let unauthorized actors access files containing highly sensitive data—names, addresses, dates of birth, Social Security numbers, and payment information. For patients, that combination is especially risky because it can enable identity theft and financial fraud and, in the healthcare setting, can compound harm through the exposure of deeply personal treatment relationships. The proposed settlement offers affected people a menu of benefits: up to $5,000 for documented out-of-pocket losses tied to the breach (such as fraud-related costs, credit freezes, or replacement IDs), an $85 alternative cash payment for those without documented losses, and three years of credit monitoring with fraud insurance and assistance, with claims due May 12, 2026. The lawsuit was filed to argue that Nova Recovery did not implement reasonable safeguards to protect private information, a core allegation in many data-breach cases where plaintiffs seek compensation for unreimbursed losses and the time and effort required to mitigate future misuse. Even though Nova Recovery denies wrongdoing, settling can be significant because it creates a structured pathway for affected individuals to get reimbursement and monitoring without each person suing separately, while also pressuring organizations handling sensitive data to invest in security controls. Broader implications echo other healthcare-related breach settlements: plaintiffs frequently point to security “reasonableness,” incident response practices, and whether timely, clear notice was provided, while defendants often contest causation and whether increased risk alone is enough for damages. Industry context matters because addiction treatment providers operate in a heavily regulated privacy environment: HIPAA’s Privacy and Security Rules generally require covered entities and business associates to implement administrative, physical, and technical safeguards, and the HIPAA Breach Notification Rule (along with many state breach-notification statutes) governs when and how affected individuals must be notified. While HIPAA itself doesn’t typically give individuals a direct right to sue, breach litigation is commonly brought under state consumer-protection, negligence, or contract theories, using HIPAA standards as a benchmark for what “reasonable” security should look like. Cases like this also reflect a larger trend of ransomware and targeted intrusions in healthcare, where attackers know medical and identity data are valuable and where the operational urgency to restore services can make providers particularly vulnerable to costly fallout and litigation-driven remediation efforts