Compassion Health Care Data Breach 2025: 23,282 Patients Exposed in March SafePay Ransomware Attack · $600K Settlement Pending in Caswell County
Compassion Health Care, Inc., the Yanceyville and Eden, North Carolina medical practice serving Caswell and Rockingham counties, confirmed an unauthorized actor accessed its network in March 2025. Names, Social Security numbers, driver's license numbers, and clinical and insurance information for 23,282 individuals were exposed. Ransomware group SafePay claimed responsibility and asserted it stole 107 GB of data. A $600,000 class-action settlement in Caswell County Superior Court received preliminary approval on November 17, 2025, with a final fairness hearing set for May 18, 2026.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Mar 17, 2025
Unauthorized access to Compassion Health Care's network occurs
Mar 18, 2025
Compassion Health Care announces remote operations after suspected incident
Mar 21, 2025
CHC formally discovers and confirms the network intrusion
Apr 2, 2025
In-person visits resume at Yanceyville and Eden centers
May 16, 2025
HIPAA breach notification filed with HHS OCR; individual notification letters mailed
May 16, 2025
Disclosed publicly
May 23, 2025
First proposed class action filed; two additional lawsuits follow
Jul 2, 2025
Amended complaint filed in Caswell County Superior Court (Allin v. Compassion Health Care)
Nov 17, 2025
Court grants preliminary approval of $600,000 class-action settlement
Feb 23, 2026
Settlement claim deadline for class members with CPT ID under 20,000
May 4, 2026
Settlement claim deadline for class members with CPT ID over 20,000
May 18, 2026
Final fairness hearing scheduled in Caswell County Superior Court
Mar 17, 2025
Unauthorized access to Compassion Health Care's network occurs
Mar 18, 2025
Compassion Health Care announces remote operations after suspected incident
Mar 21, 2025
CHC formally discovers and confirms the network intrusion
Apr 2, 2025
In-person visits resume at Yanceyville and Eden centers
May 16, 2025
HIPAA breach notification filed with HHS OCR; individual notification letters mailed
May 16, 2025
Disclosed publicly
May 23, 2025
First proposed class action filed; two additional lawsuits follow
Jul 2, 2025
Amended complaint filed in Caswell County Superior Court (Allin v. Compassion Health Care)
Nov 17, 2025
Court grants preliminary approval of $600,000 class-action settlement
Feb 23, 2026
Settlement claim deadline for class members with CPT ID under 20,000
May 4, 2026
Settlement claim deadline for class members with CPT ID over 20,000
May 18, 2026
Final fairness hearing scheduled in Caswell County Superior Court
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Compassion Health Care, Inc., a federally qualified health center operating clinics in Yanceyville and Eden, North Carolina that serve Caswell and Rockingham counties, confirmed that an unauthorized actor accessed its network in March 2025. The intrusion was formally discovered on March 21, 2025, after CHC moved operations remote on March 18; in-person visits resumed at both sites on April 2. The practice filed its HIPAA breach notification with the HHS Office for Civil Rights on May 16, 2025, reporting 23,282 affected individuals in a Hacking/IT Incident at a network server. Ransomware group SafePay publicly claimed responsibility and asserted it stole 107 GB of data; CHC has not confirmed the volume claim.
A consolidated class action, Allin v. Compassion Health Care, was filed in Caswell County Superior Court. The court granted preliminary approval of a $600,000 class-action settlement on November 17, 2025, with a final fairness hearing set for May 18, 2026.
Timeline
- March 17, 2025 — Unauthorized access to Compassion Health Care’s network occurs.
- March 18, 2025 — CHC announces it is operating remotely due to a suspected incident.
- March 21, 2025 — CHC formally discovers and confirms the network intrusion.
- April 2, 2025 — In-person operations resume at the Yanceyville and Eden centers.
- May 16, 2025 — HIPAA breach notification filed with HHS OCR; individual notification letters mailed to 23,282 patients and employees.
- May 23, 2025 — First proposed class action is filed; two additional lawsuits follow.
- July 2, 2025 — Amended complaint filed in Caswell County Superior Court as Allin v. Compassion Health Care, Case No. 25CV000229-160.
- November 17, 2025 — Court grants preliminary approval of the $600,000 settlement.
- February 23, 2026 — Claim deadline for class members with a CPT ID under 20,000.
- May 4, 2026 — Claim deadline for class members with a CPT ID over 20,000.
- May 18, 2026 — Final fairness hearing scheduled.
What was exposed
The data elements confirmed exposed vary by individual but include:
- Name, address, phone number, and date of birth
- Social Security number
- Driver’s license number
- Health insurance information and claims information
- Clinical and diagnostic information
- For affected employees: financial account information, bank and routing numbers, and income details
The combination of Social Security numbers, driver’s license numbers, and clinical and insurance data places affected individuals at elevated risk for both financial and medical identity theft. SafePay’s posting of CHC on its data-leak site is consistent with the group’s documented double-extortion pattern through 2025.
What the entity is offering
Compassion Health Care is providing notified individuals with complimentary credit monitoring and identity theft restoration services through HaystackID. Enrollment instructions are included in the individual notification letters.
The proposed $600,000 class-action settlement provides class members with a choice of:
- Cash Payment Option A: reimbursement for documented out-of-pocket losses traceable to the incident, up to $5,000 per person.
- Cash Payment Option B: an alternative flat cash payment of $40.
- Medical Data Monitoring: a settlement-administered monitoring service in lieu of cash.
The $600,000 fund also covers attorneys’ fees and expenses, settlement administration costs, and service awards for the named class representatives. Claims may be submitted at the official settlement site below.
Class-action and regulatory posture
The consolidated case is captioned Allin v. Compassion Health Care, Inc., Case No. 25CV000229-160, in the Caswell County Superior Court, State of North Carolina. The amended complaint alleges negligence, breach of implied contract, breach of confidence, and unjust enrichment. The defendant agreed to settle without admitting liability or wrongdoing after providing informal discovery. The settlement administrator is CPT Group, Inc., in Irvine, CA.
The HHS OCR portal entry for the May 16, 2025 filing remains open. No public state attorney general enforcement action has been announced as of this writing.
What to do if you may be affected
- File a claim by your CPT ID deadline. If you received a notification letter from Compassion Health Care, you are presumptively a class member. Use the official settlement administrator site listed below; do not pay any third party to file on your behalf. Claim deadlines are February 23, 2026 (CPT ID under 20,000) and May 4, 2026 (CPT ID over 20,000).
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers and driver’s license numbers were exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible.
- Enroll in the offered credit monitoring through HaystackID. The enrollment code in your letter is single-use, and the service is worth using even if you also freeze your credit.
- Watch for medical identity theft. Because diagnosis and health insurance data were exposed, review every Explanation of Benefits and request a copy of your medical record from your insurer if you see services you did not receive.
- Affected CHC employees should add bank-account monitoring. Because employee bank and routing numbers were exposed, place fraud alerts on payroll-linked accounts and watch for unauthorized ACH activity.
- Be alert to targeted phishing. Threat actors holding name, address, date of birth, and clinical context can craft highly convincing follow-on lures. Treat unexpected calls or emails referencing your CHC visits with skepticism.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (filing dated 2025-05-16, 23,282 individuals, Hacking/IT Incident, Network Server).
- HIPAA Journal — EMSA & Compassion Health Care Settle Data Breach Litigation — settlement summary, class-action history, claim options.
- Comparitech — North Carolina clinics notify 23K people of data breach; SSNs, financial and medical info leaked — SafePay attribution, operational timeline, exposed data, locations.
- ClassAction.org — $600K Compassion Health Care Settlement — preliminary approval order, settlement structure, fairness hearing date.
- ClassAction.org — Compassion Health Care Data Breach Lawsuit Investigation — claim deadlines and class definition.
- Paubox — Compassion Health Care notifies patients of breach — notification context and exposed data summary.
- Allin v. Compassion Health Care — Official Settlement Administrator Site — case caption, case number, deadlines, claim portal.
- ComplianceJunction — Compassion Health Care Data Breach Settlement Resolves Class Action Over 2025 Cybersecurity Incident — settlement terms, legal theories pled.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Emergency Medical Services Authority & Compassion Health Care Settle Data Breach Litigation
- Comparitech — North Carolina clinics notify 23K people of data breach; SSNs, financial and medical info leaked
- ClassAction.org — $600K Compassion Health Care Settlement Wraps Up Class Action Lawsuit Over Data Breach Discovered in March 2025
- ClassAction.org — Compassion Health Care Data Breach Lawsuit Investigation
- Paubox — Compassion Health Care notifies patients of breach
- Allin v. Compassion Health Care — Official Settlement Administrator Site
- ComplianceJunction — Compassion Health Care Data Breach Settlement Resolves Class Action Over 2025 Cybersecurity Incident
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.