Community Psychiatry Management LLC, doing business as Mindpath Health, reached a $3.5 million class action settlement related to two data incidents in 2022 involving unauthorized access to employee email accounts containing patient information.
The incidents occurred in March 2022 and July 2022 and were later discovered through review of Mindpath Health's email environment, after which notices were sent around January 2023 to affected individuals.
Approximately 193,947 current and former patients were notified that personal and health information may have been exposed, including names and other data elements. Under the settlement, eligible class members can seek reimbursement for documented ordinary losses up to $1,500, documented extraordinary losses up to $10,000, compensation for lost time responding to the breach, or alternative pro rata cash payments. Three years of credit monitoring is also available.
Source: https://topclassactions.com/lawsuit-settlements/open-lawsuit-settlements/3-5m-mindpath-health-data-breach-class-action-settlement/
Commentary
In the matter above, Mindpath Health's settlement over two email account breaches shows how a single incident - the compromise of an employee email account - can trigger large-scale notification, litigation, and loss for a health provider.
For healthcare executives and managers, the case reinforces the fact that protected health information in email systems carries the same regulatory, financial, and reputational stakes as data in core electronic health record platforms.
Class allegations that Mindpath Health did not adequately safeguard its email environment, followed by a multi-million-dollar fund, demonstrate how plaintiffs' attorneys now treat email compromises as fertile ground for HIPAA-related and consumer privacy claims.
Healthcare executives and managers should prioritize a layered defense around email and associated data, including technical, procedural, and contractual safeguards. Practical steps include:
- Enforce multi-factor authentication on all email accounts, especially those with access to patient or financial data
- Move routine PHI exchange to secure messaging or portals and restrict PHI in standard email where feasible
- Implement effective phishing defenses, user training, and simulations focused on real-world healthcare attack patterns
- Deploy data loss prevention and encryption controls for messages containing patient identifiers or clinical details
- Limit email retention, regularly purging old messages that contain PHI beyond legal or operational needs
- Test incident response plans for email breaches, including rapid forensic review, notification decisions, and regulatory reporting
- Confirm that cyber insurance and vendor contracts explicitly cover email-related data incidents and associated class actions
The final takeaway is that the healthcare leaders who treat email as regulated data infrastructure - backed by layered controls, disciplined retention, and rehearsed response - will be far better positioned to prevent, detect, and contain email-based breaches.
Additional Sources: https://www.classaction.org/news/3.5m-mindpath-health-settlement-resolves-class-action-lawsuit-over-2022-data-breach; https://www.calhipaa.com/mindpath-health-settles-data-breach-lawsuit-for-3-5-million/; https://www.claimdepot.com/settlements/mind-path-settlement; https://www.hipaajournal.com/mindpath-health-data-breach-settlement/; https://www.paubox.com/blog/mindpath-health-agrees-to-settle-3.5-million-lawsuit; https://www.marca.com/en/lifestyle/us-news/personal-finance/2025/11/30/692cb63a22601d2b3c8b4581.html; https://www.paleobarchart.com/mindpath-healths-3-5-million-settlement/
