Sensitive Data of Nearly 470,000 Patients and Employees Potentially Exposed on Dark Web

Omni Family Health, a nonprofit organization serving communities in California, has agreed to pay $6.5 million to settle litigation stemming from a cyberattack in 2024 that potentially compromised the personal information of around 470,000 current and former patients and employees. The breach has raised significant concerns regarding data security in the healthcare sector.
This settlement comes after a ransomware group, known as Hunters International, claimed responsibility for the attack and subsequently listed Omni Family Health as a victim on its dark web platform in August 2024. The breach reportedly exposed sensitive information on the dark web, leading to class action lawsuits alleging negligence in data handling and protection practices.
As part of the settlement agreement, Omni has committed to enhancing its data security protocols to prevent further incidents. This measure is crucial considering the persistent threats faced by healthcare organizations today. The MITRE ATT&CK framework catalogs adversary tactics of the kind that may have facilitated this breach, including initial access and exploitation techniques, which attackers commonly use to infiltrate vulnerable systems.
All U.S. residents whose personal information was compromised due to this incident are eligible to join the settlement class. This includes individuals who were located in California at any time between August 7, 2024, and the claims deadline of January 5, 2026. The settlement offers affected parties compensation of up to $5,000 for documented out-of-pocket expenses related to the breach, including losses associated with identity theft and fraud, as well as professional fees.
Furthermore, class members will receive a complimentary two-year subscription to credit monitoring and medical identity protection services. Notably, California residents within the settlement subclass are eligible for an additional $100 cash payout under the California Confidentiality of Medical Information Act.
The class action, which holds Omni accountable for allegedly failing to adequately secure sensitive data, highlights the pressing need for organizations, particularly in healthcare, to strengthen their cybersecurity measures. The leaked information included a range of personal details, such as names, Social Security numbers, and medical information.
Despite the settlement, Omni maintains that it did not engage in any wrongdoing. The organization initially reported the incident on October 4, 2024, to the U.S. Department of Health and Human Services, identifying 468,344 individuals as impacted. Following the breach, Omni initiated an investigation, collaborating with external cybersecurity experts and notifying federal enforcement agencies.
A final court hearing regarding the settlement approval is scheduled for February 26, 2026. This case underscores the critical importance of robust cybersecurity frameworks as organizations navigate an evolving landscape of digital threats that continue to challenge industry standards.