Active breach tracker Yanceyville and Eden, North Carolina Disclosed May 16, 2025

Compassion Health Care Data Breach 2025: 23,282 Patients Exposed in March SafePay Ransomware Attack · $600K Settlement Pending in Caswell County

Compassion Health Care, Inc., the Yanceyville and Eden, North Carolina medical practice serving Caswell and Rockingham counties, confirmed an unauthorized actor accessed its network in March 2025. Names, Social Security numbers, driver's license numbers, and clinical and insurance information for 23,282 individuals were exposed. Ransomware group SafePay claimed responsibility and asserted it stole 107 GB of data. A $600,000 class-action settlement in Caswell County Superior Court received preliminary approval on November 17, 2025, with a final fairness hearing set for May 18, 2026.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Mar 17, 2025

Unauthorized access to Compassion Health Care's network occurs

Mar 18, 2025

Compassion Health Care announces remote operations after suspected incident

Mar 21, 2025

CHC formally discovers and confirms the network intrusion

Apr 2, 2025

In-person visits resume at Yanceyville and Eden centers

May 16, 2025

HIPAA breach notification filed with HHS OCR; individual notification letters mailed

May 16, 2025

Disclosed publicly

May 23, 2025

First proposed class action filed; two additional lawsuits follow

Jul 2, 2025

Amended complaint filed in Caswell County Superior Court (Allin v. Compassion Health Care)

Nov 17, 2025

Court grants preliminary approval of $600,000 class-action settlement

Feb 23, 2026

Settlement claim deadline for class members with CPT ID under 20,000

May 4, 2026

Settlement claim deadline for class members with CPT ID over 20,000

May 18, 2026

Final fairness hearing scheduled in Caswell County Superior Court

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers Driver's license numbers

02

Health records

Don't expire and can't be reissued

Clinical and diagnostic information

03

Contact & insurance

Phishing + targeted scams

Names Addresses Phone numbers Dates of birth Health insurance information Claims information Employee financial account, bank, and routing numbers (employees only) Employee income details (employees only)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Class counsel of record in Allin v. Compassion Health Care
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Compassion Health Care, Inc., a federally qualified health center operating clinics in Yanceyville and Eden, North Carolina that serve Caswell and Rockingham counties, confirmed that an unauthorized actor accessed its network in March 2025. The intrusion was formally discovered on March 21, 2025, after CHC moved operations remote on March 18; in-person visits resumed at both sites on April 2. The practice filed its HIPAA breach notification with the HHS Office for Civil Rights on May 16, 2025, reporting 23,282 affected individuals in a Hacking/IT Incident at a network server. Ransomware group SafePay publicly claimed responsibility and asserted it stole 107 GB of data; CHC has not confirmed the volume claim.

A consolidated class action, Allin v. Compassion Health Care, was filed in Caswell County Superior Court. The court granted preliminary approval of a $600,000 class-action settlement on November 17, 2025, with a final fairness hearing set for May 18, 2026.

Timeline

  • March 17, 2025 — Unauthorized access to Compassion Health Care’s network occurs.
  • March 18, 2025 — CHC announces it is operating remotely due to a suspected incident.
  • March 21, 2025 — CHC formally discovers and confirms the network intrusion.
  • April 2, 2025 — In-person operations resume at the Yanceyville and Eden centers.
  • May 16, 2025 — HIPAA breach notification filed with HHS OCR; individual notification letters mailed to 23,282 patients and employees.
  • May 23, 2025 — First proposed class action is filed; two additional lawsuits follow.
  • July 2, 2025 — Amended complaint filed in Caswell County Superior Court as Allin v. Compassion Health Care, Case No. 25CV000229-160.
  • November 17, 2025 — Court grants preliminary approval of the $600,000 settlement.
  • February 23, 2026 — Claim deadline for class members with a CPT ID under 20,000.
  • May 4, 2026 — Claim deadline for class members with a CPT ID over 20,000.
  • May 18, 2026 — Final fairness hearing scheduled.

What was exposed

The data elements confirmed exposed vary by individual but include:

  • Name, address, phone number, and date of birth
  • Social Security number
  • Driver’s license number
  • Health insurance information and claims information
  • Clinical and diagnostic information
  • For affected employees: financial account information, bank and routing numbers, and income details

The combination of Social Security numbers, driver’s license numbers, and clinical and insurance data places affected individuals at elevated risk for both financial and medical identity theft. SafePay’s posting of CHC on its data-leak site is consistent with the group’s documented double-extortion pattern through 2025.

What the entity is offering

Compassion Health Care is providing notified individuals with complimentary credit monitoring and identity theft restoration services through HaystackID. Enrollment instructions are included in the individual notification letters.

The proposed $600,000 class-action settlement provides class members with a choice of:

  • Cash Payment Option A: reimbursement for documented out-of-pocket losses traceable to the incident, up to $5,000 per person.
  • Cash Payment Option B: an alternative flat cash payment of $40.
  • Medical Data Monitoring: a settlement-administered monitoring service in lieu of cash.

The $600,000 fund also covers attorneys’ fees and expenses, settlement administration costs, and service awards for the named class representatives. Claims may be submitted at the official settlement site below.

Class-action and regulatory posture

The consolidated case is captioned Allin v. Compassion Health Care, Inc., Case No. 25CV000229-160, in the Caswell County Superior Court, State of North Carolina. The amended complaint alleges negligence, breach of implied contract, breach of confidence, and unjust enrichment. The defendant agreed to settle without admitting liability or wrongdoing after providing informal discovery. The settlement administrator is CPT Group, Inc., in Irvine, CA.

The HHS OCR portal entry for the May 16, 2025 filing remains open. No public state attorney general enforcement action has been announced as of this writing.

What to do if you may be affected

  • File a claim by your CPT ID deadline. If you received a notification letter from Compassion Health Care, you are presumptively a class member. Use the official settlement administrator site listed below; do not pay any third party to file on your behalf. Claim deadlines are February 23, 2026 (CPT ID under 20,000) and May 4, 2026 (CPT ID over 20,000).
  • Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers and driver’s license numbers were exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible.
  • Enroll in the offered credit monitoring through HaystackID. The enrollment code in your letter is single-use, and the service is worth using even if you also freeze your credit.
  • Watch for medical identity theft. Because diagnosis and health insurance data were exposed, review every Explanation of Benefits and request a copy of your medical record from your insurer if you see services you did not receive.
  • Affected CHC employees should add bank-account monitoring. Because employee bank and routing numbers were exposed, place fraud alerts on payroll-linked accounts and watch for unauthorized ACH activity.
  • Be alert to targeted phishing. Threat actors holding name, address, date of birth, and clinical context can craft highly convincing follow-on lures. Treat unexpected calls or emails referencing your CHC visits with skepticism.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.