Salud Data Breach: $8M Class Action Settlement Details

Case Background

In March 2024, Michelle Hedges initiated a major legal action against Bona Fide Mao Inc., a company operating under the trade name "Salud." Filed in the Superior Court of California for San Francisco County, this class action lawsuit stemmed from a significant cybersecurity incident that exposed highly sensitive personal and medical data. Salud's business model involved collecting private information directly from consumers and patients. Hedges filed the complaint on behalf of herself and a larger group of similarly affected individuals whose data resided on Salud’s network during the breach. The litigation focused on the company's alleged failures to secure this data and a substantial delay in informing the victims after discovering the intrusion.

Cause

The foundational cause of the lawsuit was Salud's alleged inadequacy in implementing and maintaining proper data security measures. The complaint detailed that when Salud collected sensitive personal and health information from consumers, it assumed a legal and ethical duty to safeguard that data according to reasonable industry standards. The Plaintiffs argued that Salud breached this duty by failing to utilize sufficient cybersecurity protocols, such as robust encryption and effective tools for detecting unauthorized network access.

A critical component of the complaint centered on the timeline of the breach and subsequent notification. Salud initially detected unusual activity on its computer network around September 7, 2022. An ensuing investigation confirmed that unauthorized actors accessed files containing patient data between September 7 and September 9, 2022. Despite discovering this significant breach in late 2022, Salud did not begin sending notification letters to affected individuals, including Hedges, until approximately February 22, 2024. The lawsuit argued this delay of nearly eighteen months constituted a severe failure of duty, as it kept victims in the dark and prevented them from taking timely steps to protect their financial and medical identities.

Injury

The cyberattack compromised a broad spectrum of highly sensitive information belonging to Hedges and the class members. The stolen data included a combination of personal identifiers, such as full names linked with Social Security numbers. Furthermore, the breach exposed private medical information, including medical history, diagnoses, treatment details, and health insurance account information.

Hedges argued that the theft of this specific combination of data subjected the victims to a distinct, imminent, and lifelong risk of identity theft and medical fraud. The complaint noted that once cybercriminals steal this type of "Private Information," they often sell it on the dark web, leading to fraudulent activities that can surface years later. Beyond the future risk, the victims suffered immediate, concrete injuries. These included out-of-pocket expenses for purchasing credit monitoring services and placing security freezes on their credit reports. They also experienced a loss of value regarding their private information and dedicated significant time to investigating the breach, monitoring their accounts for suspicious behavior, and managing the stress and anxiety caused by the exposure of their most personal details.

Damages Sought

Through the class action, Hedges and the represented group sought comprehensive relief from the Court. They requested compensatory damages to reimburse them for actual financial losses stemming from the breach, as well as damages for the emotional distress resulting from the release of their confidential medical records.

In addition to monetary compensation, the lawsuit sought injunctive relief, asking the Court to mandate that Salud improve its future data security practices. This included demands for the implementation of industry-standard encryption, better firewalls, regular database scanning, and mandatory cybersecurity training for employees. The Plaintiffs also requested restitution, seeking the return of any profits Salud gained by allegedly cutting corners on data security spending, along with reimbursement for their legal fees and Court costs.

Key Arguments and Proceedings

The case moved through the San Francisco Superior Court as complex class action litigation. The Plaintiff's legal team constructed claims based on several legal theories, notably negligence, breach of implied contract, and invasion of privacy under California law. They argued that a special relationship existed between Salud and its customers, creating a fiduciary duty that the company violated by failing to keep their information secure. The proceedings eventually shifted from an adversarial litigation path toward negotiation, resulting in a proposed settlement agreement between the parties. The focus of the proceedings then turned to obtaining judicial approval of this agreement.

Legal Representation

Plaintiff(s): Michelle Hedges, acting individually and representing all others similarly situated.

·       Counsel for Plaintiff(s): Alex R. Straus | Kristen G. Simplicio | Emily Feder Cooper | Glenn A. Danas | Shana H. Khader | Christina M. Le | Kristen Simplicio

Defendant(s): Bona Fide Mao Inc., doing business as Salud.

·       Counsel for Defendant(s): Christopher T. Berg

Key Arguments or Remarks by Counsel

Claims

Plaintiff's counsel framed the situation as a clear case of corporate negligence regarding consumer privacy. They argued that Salud knew, or reasonably should have known, that the repository of sensitive data it held was a prime target for cyberattacks. Despite this foreseeable risk, the company allegedly failed to invest in necessary security measures, effectively prioritizing profit margins over the safety of its customers' data. Counsel emphasized the severity of the eighteen-month notification delay, arguing that this prolonged silence significantly exacerbated the harm by leaving victims defenseless against potential fraud for an extended period after Salud already knew of the theft.

Defense

While specific defense pleadings were not part of the reviewed materials, the complaint anticipated standard defenses common in data breach cases. It is likely Salud argued that it exercised reasonable care in its security practices and that the company itself was a victim of a sophisticated criminal act. The defense typically contends in such cases that Plaintiffs lack standing to sue because the mere risk of future identity theft does not constitute a concrete, present injury. By entering into a settlement, the Defendant generally does not admit to any liability or wrongdoing but agrees to resolve the claims to avoid the uncertainty and expense of further litigation.

Settlement

The parties resolved the dispute through a negotiated class action settlement rather than proceeding to a jury verdict. Under the terms of the agreement presented to the Court, Bona Fide Mao Inc. agreed to pay a total of $8,000,000 to resolve the claims brought by Michelle Hedges and the class.

On November 20, 2024, the case came before the Honorable Ethan P. Schulman for a Final Approval Hearing to determine if the $8 million settlement was fair, reasonable, and adequate for the class members. At that time, Judge Schulman decided not to grant final approval immediately. The Court issued an order continuing, or postponing, the motion because it required additional information before making a final ruling. Specifically, the judge requested an updated declaration regarding the claim's rate, indicating a need to understand how many eligible class members had successfully submitted claims to participate in the settlement fund. The hearing for final approval was rescheduled to December 16, 2024, pending the submission of this crucial participation data.

Court documents are available upon request at jurimatic@exlitem.com