Bayhealth Medical Center $2.5M Data Breach Settlement, Claim Up To $5,000 Cash By April 20, 2026 After Ransomware Attack Exposed 497,047 Patients
Bayhealth Medical Center agreed to pay $2.5 million to settle a class action lawsuit after the Rhysida ransomware gang stole patient data including names, Social Security numbers, and medical information in a July 2024 cyberattack affecting 497,047 people. Current and former patients who received breach notifications can claim up to $5,000 for documented losses, an estimated $60 pro-rata cash payment without documentation, plus free medical monitoring services. The claim deadline is April 20, 2026, with payments distributed after final court approval.
What Happened In The Bayhealth Ransomware Attack?
Between July 27 and July 31, 2024, the Rhysida ransomware group infiltrated Bayhealth Medical Center’s computer network and exfiltrated files containing sensitive patient information.
Bayhealth discovered the suspicious activity on July 31, 2024, when hackers had already spent four days inside its systems copying data. The Delaware healthcare system operates two hospital campuses (Kent and Sussex), a freestanding emergency department, and multiple physician practices serving central and southern Delaware.
What Personal Information Was Compromised?
The stolen files contained names, medical information, and Social Security numbers for 497,047 patients. The Rhysida ransomware gang claimed responsibility and uploaded samples to its dark web leak site, including identification documents, Social Security numbers, contact information, and protected health information.
Bayhealth reported the breach to the Department of Health and Human Services’ Office for Civil Rights on October 14, 2024, as a HIPAA violation affecting the electronic protected health information of nearly half a million individuals.
Rhysida demanded a 25 Bitcoin ransom (approximately $1.4 million at the time), which Bayhealth refused to pay.
The Class Action Lawsuit And Settlement
On August 26, 2024, patient Sally Cannon Dunlop filed a lawsuit after discovering her personal data published on the dark web. The complaint alleged negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty.
Dunlop claimed Bayhealth failed to implement reasonable security safeguards to protect patient data and that the ransomware attack reflected a pattern of inadequate cybersecurity. Following mediation in August 2025, Bayhealth agreed to the $2.5 million settlement without admitting wrongdoing.
How Much Money Can You Get From The Bayhealth Settlement?
The $2.5 million settlement fund provides three benefit options for eligible class members.
Pro-Rata Cash Payment Without Documentation
Class members can claim an estimated $60 cash payment without providing any documentation or proof of harm. This is a pro-rata share of the settlement fund after attorneys’ fees (up to 33%), administrative costs, and documented loss claims are deducted.
The actual amount depends on how many people file claims. With 497,047 affected individuals, if claim rates are low, payments could exceed $60 per person.
Reimbursement For Documented Out-Of-Pocket Losses
You can claim up to $5,000 for documented, unreimbursed expenses fairly traceable to the data breach. Eligible expenses include monetary losses due to identity theft or fraud, credit monitoring services purchased after July 31, 2024, costs to freeze or unfreeze credit reports, and expenses like notary fees and copying costs.
Documentation requirements include receipts, invoices, bank statements showing unreimbursed fraudulent charges, police reports, and other proof of identity theft or fraud.
Free Medical Monitoring Services
All class members are entitled to medical monitoring services regardless of whether they file a cash claim. Medical monitoring codes will be emailed to eligible members 35 days after the court grants final approval of the settlement.
These services help detect medical identity theft, where criminals use stolen health information to obtain medical services, prescription drugs, or file fraudulent insurance claims.
How To File Your Bayhealth Settlement Claim
Filing requires specific procedures and documentation by the April 20, 2026 deadline.
Where To Submit Your Claim
Official Settlement Website: bayhealthdataincidentsettlement.com
Settlement Administrator: Kroll Settlement Administration LLC
Mailing Address: Dunlop, et al., v. Bayhealth Medical Center, Inc., c/o Kroll Settlement Administration LLC, P.O. Box 225391, New York, NY 10150-5391
Phone: 833-754-4833
Submit claims online at bayhealthdataincidentsettlement.com or mail them postmarked by April 20, 2026. You’ll need your Class Member ID from the official settlement notice to file online.
Required Documentation
For documented loss claims, submit receipts, invoices, bank or credit card statements showing unreimbursed fees or fraudulent charges, police reports, and other proof of identity theft or fraud.
Visit bayhealthdataincidentsettlement.com to access the online claim form, download settlement documents including the claim form and settlement agreement, and check your claim status after submission. Electronic payment is available for online claims only.
Who Qualifies For The Bayhealth Medical Center Settlement?
The settlement class includes all persons identified on the settlement class list prepared by Bayhealth Medical Center Inc., who resided in the United States when Bayhealth discovered the data breach in July 2024, and received notice from Bayhealth that their personal information may have been compromised.
If you received a data breach notification from Bayhealth Medical Center about the July 2024 incident, you are automatically part of the settlement class and can file a claim.
Why Healthcare Ransomware Attacks Like Bayhealth’s Matter
The Bayhealth settlement reflects the escalating threat of ransomware targeting healthcare providers and the legal consequences of inadequate cybersecurity.
How Rhysida Targets Healthcare Organizations
Rhysida emerged in 2023 as a prolific ransomware-as-a-service gang specifically targeting healthcare. The group’s 2024 victims included Community Health Alliance in Rhode Island, Axis Health System in Colorado, Sunflower Medical Group in Kansas, and most notably, Ann & Robert H. Lurie Children’s Hospital of Chicago (776,000 affected).
Healthcare organizations make attractive targets because they store valuable personal, financial, and medical data, often operate with outdated security systems, and face pressure to pay ransoms to restore critical patient care operations quickly.
The WebTPA data breach settlement of $13.75 million affecting 2.4 million people demonstrates similar vulnerabilities in healthcare administration systems.
Comparing Bayhealth To Recent Healthcare Breach Settlements
Bayhealth’s $2.5 million settlement is mid-range for healthcare data breaches of this scale. Recent comparable settlements include the Yale New Haven Health settlement at $18 million for 5.6 million affected patients ($3.24 per person), Independent Living Systems at $14 million for 4.2 million patients ($3.33 per person), and Hypertension Nephrology Associates at $625,000 for 39,491 patients ($15.83 per person).
Bayhealth’s settlement translates to approximately $5.03 per affected patient before legal fees and administration costs—reflecting the relatively quick settlement timeline and Bayhealth’s cooperation in identifying class members.
Frequently Asked Questions
Who is eligible to claim from the Bayhealth settlement?
All U.S. residents who received a data breach notification from Bayhealth Medical Center about the July 2024 cybersecurity incident qualify. If Bayhealth sent you notice that your personal information may have been compromised, you’re automatically part of the settlement class and can file a claim.
What is the deadline to file a Bayhealth data breach claim?
Claims must be submitted online or postmarked by April 20, 2026. Missing this deadline means you cannot receive any settlement benefits, though you’ll still be bound by the settlement agreement and cannot sue Bayhealth separately over this breach.
How much will I receive from the $2.5 million settlement?
You can claim up to $5,000 with documentation of losses related to the breach, or an estimated $60 pro-rata cash payment without documentation. The exact amount depends on total claims filed, attorneys’ fees, and administrative costs deducted from the settlement fund.
What documentation do I need to claim reimbursement?
For documented losses, you need receipts, invoices, bank statements showing fraudulent charges, police reports, or other proof that expenses resulted from the data breach. Medical monitoring services require no documentation—codes are automatically emailed after final approval.
When will settlement payments be distributed?
Payments will be issued after final court approval is granted and claim processing is completed. Expect payments approximately 60-90 days after the final approval hearing, likely in mid-2026 if no appeals are filed.
What was exposed in the Bayhealth ransomware attack?
The breach compromised names, Social Security numbers, medical information, identification documents, and contact information for 497,047 patients. The Rhysida ransomware gang posted samples of stolen data on the dark web, including patient health records.
Can I still get free credit monitoring if I miss the claim deadline?
Medical monitoring codes are distributed 35 days after final approval only to class members who enrolled. If you miss the April 20, 2026 claim deadline, you cannot receive medical monitoring or any other settlement benefits.
Last Updated: January 26, 2026
Disclaimer: This article provides general information about the Bayhealth Medical Center data breach settlement and is not legal advice—individuals seeking claim assistance or case-specific guidance should consult qualified attorneys.
Don’t wait until the deadline approaches—file your Bayhealth settlement claim now to secure your compensation and medical monitoring benefits before the April 20, 2026 cutoff.
Stay informed, stay protected. — AllAboutLawyer.com
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah