Early in December 2022, something quietly and catastrophically went wrong somewhere in the vastness of Southern California’s physician-owned healthcare networks. Hackers were able to access servers owned by Heritage Provider Network and its network of connected healthcare institutions. They navigated systems that contained some of the most private information a person could have for about eight days, from December 1 to December 8. names.
Social Security numbers. dates of birth. diagnoses. prescription information. lab findings. reports on radiology. A significant portion of the data had already been lost by the time anyone noticed that workers were having difficulty accessing it.
| Case & Settlement Information | Details |
|---|---|
| Case Name | Head, et al. v. Regal Medical Group, Inc., et al. |
| Case Number | 23STCV02939 |
| Court | Superior Court of the State of California, County of Los Angeles |
| Presiding Judge | Hon. Timothy P. Dillon |
| Lead Defendant | Regal Medical Group, Inc. |
| Parent Network | Heritage Provider Network, Inc. |
| Co-Defendants | Lakeside Medical Organization; ADOC Medical Group; Greater Covina Medical Group; Affiliated Doctors of Orange County; Arizona Health Advantage Inc.; AZPC Clinics LLC; Community Surgery Center of Glendale; Pacific Family Hospice; Valley’s Best Hospice |
| Breach Date | December 1–8, 2022 |
| Notification Date | February 2, 2023 |
| Individuals Affected | Approximately 3,413,000 |
| Settlement Fund | $49,995,000 |
| Identity Monitoring Offered | 3 Years — Medical Shield Total by CyEx |
| Max Out-of-Pocket Reimbursement | Up to $10,000 per class member |
| Documented Time Payment | Up to $210 (7 hours at $30/hour) |
| Expected Cash Payment Range | $68.72 – $357.97 |
| Claim Filing Deadline | December 22, 2025 |
| Exclusion/Objection Deadline | November 24, 2025 |
| Final Approval Hearing | January 28, 2026 |
| Settlement Website | www.RegalMedicalSettlement.com |
| Helpline | (844) 496-0832 |
It’s still hard to fully comprehend the scope of what transpired. In what turned out to be one of the biggest healthcare data breaches in California history, about 3.4 million people’s personally identifiable information and protected health information may have been compromised.
These data points weren’t anonymous. They were patients. Individuals who had entrusted their medical professionals and healthcare system with some of their most personal information were unaware that their trust could be so completely and covertly betrayed.
On February 2, 2023, notification letters started to be sent out. two months following the security breach. Although that was technically within the HIPAA Breach Notification Rule timeline, plaintiffs’ lawyers and critics eventually noted that the rule also requires notification without “undue delay.”
One could legitimately argue that keeping such a large amount of information for sixty days calls into question priorities. The notifications themselves were specifically challenged in one of the early lawsuits, which claimed they were insufficient because they did not specify how long the attackers had access to the stolen data.
Just one week after those letters were sent, on February 9, 2023, the first class action lawsuit was filed. There were twenty-five more. After a significant healthcare breach, this type of legal pile-on is no longer uncommon; in fact, it has become almost predictable. However, the volume and speed of this case showed real concern.
The consolidated case, now formally known as Head et al. v. Regal Medical Group, Inc., et al., brought together plaintiffs whose complaints consistently depicted a large, well-resourced healthcare network that, despite being fully aware that ransomware attacks on healthcare organizations had become commonplace, failed to make sufficient investments in data security, failed to encrypt sensitive patient data, and failed to take the threat environment seriously.
The word “routine” is worth pausing over. Healthcare breaches are becoming more commonplace, which should worry more people than it does. One of the biggest physician-owned integrated healthcare networks in the US is run by Heritage Provider Network and its affiliates.
These aren’t tiny clinics with no IT department and narrow profit margins. The resources were available. The lawsuits brought up the question of why they weren’t deployed, a question that was never fully resolved.
For their part, the defendants consistently denied responsibility and insisted there was no misconduct. In these circumstances, that is standard language, and it may not have much meaning on its own. It does mean that the expense and uncertainty of a full trial had to be considered by both parties.
They reached a settlement in principle after three mediation sessions. The final figure is a $49,995,000 settlement fund, which currently has Superior Court Judge Timothy P. Dillon’s preliminary approval.
Class members, or anyone who was informed that their information might have been compromised, are eligible to receive three years of identity theft monitoring through CyEx’s Medical Shield Total service under the terms of the Head et al. v. Regal Medical Group et al. settlement.
Beyond that, the settlement provides layered, actual financial compensation. Up to $10,000 in documented out-of-pocket losses related to the breach may be claimed; however, this pool is limited to $2 million in total and will be distributed pro rata if it reaches that amount.
Up to seven hours at $30 per hour, or a maximum of $210, capped at $1 million, may be claimed for lost time spent resolving breach-related issues. Additionally, all class members are eligible for a base cash payment, which is currently projected to be between $68 and $357, depending on the final number of claims filed and the number of claims that are approved.
Many impacted people might never make a claim. This is the subtly unsettling reality of settlements such as this one. The people who most need the compensation — those who spent hours dealing with fraud attempts, who had to freeze credit reports and dispute charges, who lost sleep over what strangers might do with their Social Security numbers and medical histories — are often the same people who don’t hear about the settlement in time, or who find the claims process daunting, or who simply don’t believe it will be worth the effort. As these settlements develop, there’s a sense that the headline figure seldom accurately represents the total amount that victims truly receive.
The deadline for participants to submit a claim is December 22, 2025. November 24, 2025 is the deadline for objecting to or withdrawing from the settlement. The date of the final approval hearing is set for January 28, 2026. A unique ID and PIN from the postcard notice that was mailed to those who were impacted can be used to submit claims at the official settlement website.
The December 2022 events will not be reversed by the Head et al. v. Regal Medical Group et al. settlement. Nobody will regain the sense of security that comes from knowing that their most private health information is truly private. However, it might be the most tangible form of accountability for the nearly 3.4 million people who had no say over what happened to their data. At the very least, the hour it takes to file a claim is worthwhile.
Disclaimer
Nothing published on Creative Learning Guild — including news articles, legal news, lawsuit summaries, settlement guides, legal analysis, financial commentary, expert opinion, educational content, or any other material — constitutes legal advice, financial advice, investment advice, or professional counsel of any kind. All content on this website is provided strictly for informational, educational, and news reporting purposes only. Consult your legal or financial advisor before taking any step.
