Rocky Mountain Gastroenterology $1K Settlement Over September 2024 Data Breach
Deadline
Deadline: February 2, 2026
Total Settlement Amount
Total amount allocated for all claims
Individual Payout Range
Estimated amount per eligible claim
Proof of Purchase
Online claims require logging in with the Unique ID and PIN from the settlement notice; mailed claims require the Unique ID. If missing, claimants must contact the administrator and provide their name and mailing address. Reimbursement requests must include receipts or other third-party/non-self-prepared documentation showing the costs were actually incurred and unreimbursed, plus an explanation of how the loss relates to the data incident when it is not clear from the documents; self-prepared notes can only supplement other proof. Claims for minors should include the parent/guardian relationship and the minor’s information.
Settlement Summary
Rocky Mountain Gastroenterology Associates PLLC, a healthcare provider, agreed to a class action settlement after a September 2024 cyberattack that may have exposed patients’ private information. Healthcare organizations are frequent targets because they store high-value data used for both financial fraud and “medical identity theft,” where someone uses another person’s identity to obtain care, prescriptions, or insurance benefits. People who received a breach notification from the practice can submit claims for up to $1,000 in documented, unreimbursed losses tied to the incident (incurred between Sept. 1, 2024, and Feb. 2, 2026) and can obtain two years of credit and medical identity monitoring. The lawsuit was filed on the theory that the practice failed to implement and maintain “reasonable security measures,” a common legal claim in data-breach class actions seeking to hold organizations accountable for preventable lapses and to compensate consumers for mitigation costs (like bank fees, monitoring, postage, or travel related to resolving fraud). Even though the defendant denies wrongdoing, settlements like this matter because they can set practical expectations for what “reasonable” cybersecurity looks like in healthcare and because they provide a standardized process for affected patients—including minors, via parents or guardians—to obtain reimbursement and monitoring without having to sue individually. More broadly, this case fits a well-established pattern in healthcare breach litigation: plaintiffs often pursue negligence and consumer-protection theories, while defendants point to the complexity of cybercrime and contest whether plaintiffs can show concrete harm; many cases resolve with monitoring plus limited reimbursement rather than large cash payments to everyone. The regulatory backdrop is also significant: healthcare entities and their vendors operate under HIPAA’s Privacy and Security Rules and the HITECH Act’s breach-notification requirements, which require safeguards for protected health information and timely notice when a breach is suspected. As regulators and courts continue scrutinizing incident response, vendor management, and basic controls like access limits and encryption, these settlements reinforce that healthcare cybersecurity is not just an IT issue but a patient-safety and compliance obligation that can carry real legal and financial consequences.
Entities Involved
Eligibility Requirements
- Reside in the United States
- Received a notification by mail or email from Rocky Mountain Gastroenterology Associates PLLC stating an unauthorized party may have accessed or obtained their private information in the September 2024 data incident
- For reimbursement: experienced actual, documented, unreimbursed out-of-pocket losses that are fairly traceable to the incident
- For reimbursement: losses were incurred between Sept. 1, 2024, and Feb. 2, 2026
- Parents/guardians may submit on behalf of minors who received a notification
Featured Investigations
Stay Updated
Subscribe to our newsletter for the latest settlement updates and news.
Important Notice About Filing Claims
Submitting false information in a settlement claim is considered perjury and will result in your claim being rejected. Fraudulent claims harm legitimate class members and may result in legal consequences.
If you are unsure about your eligibility for this settlement, please visit the official settlement administrator’s website using the link provided above. Review the eligibility criteria carefully before submitting a claim.
Class Action Champion is an independent information resource and is not affiliated with any settlement administrator, law firm, or court. We provide settlement information as a service to help connect eligible class members with legitimate settlements.