General Physician P.C. $2.5M Data Breach Class Action Settlement, Claim Deadline is May 27, 2026

ByAll About Lawyer Reading Time: 8 minutes

General Physician P.C., a multi-disciplinary medical group based in Buffalo, New York, agreed to pay $2.5 million to resolve a class action lawsuit alleging the healthcare provider failed to protect sensitive patient information stored on its systems from a data breach that occurred between April 6, 2024, and June 12, 2024. The General Physician class action settlement received preliminary approval from the court on January 23, 2026. 

The incident impacted an estimated 490,210 individuals. Current and former patients and other individuals who received a notification letter from General Physician P.C. about the breach may be eligible for up to $5,000 in documented loss reimbursements, an estimated $60 alternate cash payment, and two years of free credit and medical monitoring. The claim deadline is May 27, 2026.

Quick Facts

  • Lawsuit type: Class action — data breach / failure to protect patient health information
  • Defendant: General Physician, P.C. (GPPC)
  • Case name: Newhart v. General Physician, P.C., Index No. 815961/2024
  • Court: Supreme Court of the State of New York, County of Erie
  • Settlement status: Preliminarily approved (January 23, 2026)
  • Settlement fund: $2,500,000
  • Who may be affected: U.S. individuals who received a letter from General Physician P.C. notifying them that their private information may have been accessed in the April–June 2024 data breach
  • Estimated individuals affected: ~490,210
  • Maximum compensation: Up to $5,000 for documented losses; estimated $60 alternate cash payment; two years of credit and medical monitoring (valued at $179.40/year)
  • Opt-out / objection deadline: April 27, 2026
  • Claim deadline: May 27, 2026
  • Final approval hearing: June 4, 2026
  • Official settlement website: GeneralPhysicianDataIncidentSettlement.com
  • Administrator: Kroll Settlement Administration LLC

Current Status & What Happens Next

The General Physician class action settlement received preliminary approval from the court on January 23, 2026. Here is what is happening now and what comes next:

  • Claims open now — eligible class members can file online or by mail
  • Opt-out and objection deadline: April 27, 2026
  • Claim deadline: May 27, 2026 (online by 11:59 p.m. ET; mail postmarked by that date)
  • Final approval hearing: June 4, 2026, at 9:30 a.m. ET, via Microsoft Teams or in person at the Erie County Court Building, 25 Delaware Avenue, Buffalo, NY 14202, Courtroom Part 15
  • Payments: The settlement administrator will issue payments and monitoring codes to approved claimants approximately 90 days after the court grants final approval of the settlement.

To opt out: Mail a written exclusion request to the settlement administrator postmarked no later than April 27, 2026. Opting out allows you to sue, continue to sue, or be part of another lawsuit against General Physician and the released parties related to the legal claims resolved by this settlement.

To object: File your written objection with the Court and send copies by U.S. mail to Class Counsel, Defendant’s Counsel, and the Settlement Administrator, postmarked no later than April 27, 2026. You may also request permission to speak at the Final Approval Hearing on June 4, 2026.

What the Lawsuit Alleges

General Physician P.C. is a multi-specialty medical group serving patients in Western New York. The group offers a broad range of medical services and maintains detailed patient records that include sensitive personal, financial, and protected health information.

Suspicious activity was identified within General Physician’s email environment on June 12, 2024. A forensic investigation confirmed that an unauthorized third party had access to its email system from April 6, 2024, to June 12, 2024.

Patient information exposed and potentially accessed or stolen in the incident included full names, addresses, Social Security numbers, financial account information, dates of birth, medical history information, mental and physical treatment information, diagnosis information, treating physician names, medical record numbers, and health insurance information.

General Physician P.C. $2.5M Data Breach Class Action Settlement, Claim Deadline is May 27, 2026

Several class action lawsuits were filed in response to the data breach, which were consolidated as Newhart v. General Physician, P.C. in the Supreme Court of the State of New York, County of Erie. The plaintiffs alleged that General Physician was negligent for failing to implement reasonable and appropriate cybersecurity measures to protect sensitive patient data on its network.

General Physician P.C. denies all wrongdoing. The company maintains there was no wrongdoing and no liability, and all parties explored an early settlement and reached material terms following mediation.

Who Could Be Included

You are a Settlement Class Member if you received a letter from General Physician P.C. notifying you that your Private Information — including full name, address, Social Security number, financial account information, date of birth, medical history information, mental and physical treatment information, diagnosis information, treating physician, medical record number, health insurance information, policy number, subscriber number, or group/plan number — may have been accessed and/or acquired by an unauthorized party as a result of the data breach reported by the company in October 2024.

Class members are individuals in the United States whose private information the data breach General Physician reported in October 2024 potentially accessed and/or acquired. If you received a notice from Kroll Settlement Administration containing a class member ID, you are likely already identified as an eligible class member.

If you believe you qualify but did not receive a notice, contact the settlement administrator at (833) 319-5992 or via the contact form at GeneralPhysicianDataIncidentSettlement.com.

Settlement Details

Total Fund & Breakdown

If approved by the court, General Physician P.C. will pay $2,500,000 to resolve the lawsuit. The settlement fund will be used to pay attorneys’ fees of up to $833,333.33 plus reimbursement of reasonable costs, $3,000 service award payments to each class representative, and settlement administration costs. The remainder of the fund will cover cash payments to eligible class members who submit valid claims.

What You Could Receive

The settlement offers eligible class members three benefit options:

Cash Payment A — Documented losses (up to $5,000): Class members can claim up to $5,000 for documented losses traceable to the data incident. Documented losses claims require supporting documentation, which may include bank or credit card statements showing unreimbursed fees or fraudulent charges, invoices for services, receipts, and other proof of identity theft or fraud.

Cash Payment B — Alternate cash payment (estimated $60, up to $599): Class members who do not submit a documented losses claim can submit a claim to receive a pro rata cash payment estimated at $60 but no more than $599. The settlement administrator will determine the final payment amount by the total number of claims filed.

Credit and medical records monitoring (two years, free): All class members can elect to receive two years of one-bureau credit and medical records monitoring valued at $179.40 per year. Services include real-time alerts and up to $1,000,000 in medical identity theft insurance coverage.

How to File a Claim

  • Online: Visit GeneralPhysicianDataIncidentSettlement.com and click “Submit Claim.” Online claims require the class member ID from the settlement notice received.
  • By mail: Request a paper claim form by calling (833) 319-5992 or using the Contact Us form on the settlement website, then mail to:

Newhart v. General Physician, P.C. c/o Kroll Settlement Administration LLC P.O. Box 5324 New York, NY 10150-5324

  • Phone: (833) 319-5992
  • Deadline: May 27, 2026 (online by 11:59 p.m. ET; mail must be postmarked by May 27, 2026)

Payout options: Electronic payment is available for online claims only. Checks may also be issued.

Prior Cases / Context

The General Physician P.C. breach and resulting settlement fit a well-documented pattern of cyberattacks targeting medical groups’ email environments. The breach involved unauthorized access to General Physician’s email system over a period of more than two months — a timeline consistent with a growing category of healthcare sector intrusions in which threat actors gain persistent access to email accounts to harvest patient data over an extended period before being detected.

Healthcare organizations consistently rank among the most targeted sectors for cyberattacks. The U.S. Department of Health and Human Services’ Office for Civil Rights reported more than 700 major healthcare data breaches in a single recent year, affecting tens of millions of patients.

Similar settlements involving healthcare provider data breaches in New York and beyond have followed the same structure seen here, reflecting a well-developed litigation framework around healthcare data breach class actions. For example, settlements in comparable healthcare data breach cases have included similar compensation structures, with documented loss caps of $5,000, alternative pro rata cash payments, and multi-year credit or medical monitoring.

Frequently Asked Questions

Is the General Physician lawsuit a class action? 

Yes. Newhart v. General Physician, P.C. is a consolidated class action filed in the Supreme Court of the State of New York, County of Erie. It covers U.S. individuals whose private information was potentially accessed in the data breach General Physician reported in October 2024.

Has the settlement been approved? 

The settlement received preliminary approval on January 23, 2026. The Final Approval Hearing is scheduled for June 4, 2026, at 9:30 a.m. ET.

Who is eligible to file a claim?

 You are eligible if you received a letter from General Physician P.C. notifying you that your private information — such as your name, Social Security number, medical history, health insurance information, or financial account details — may have been accessed in the April–June 2024 data breach.

What information was exposed in the breach? 

Patient information potentially exposed included full names, addresses, Social Security numbers, financial account information, dates of birth, medical history, mental and physical treatment information, diagnosis information, treating physician names, medical record numbers, and health insurance information.

How much could I receive? 

Eligible class members may claim up to $5,000 for documented losses traceable to the breach, or an estimated pro rata cash payment of $60 (up to $599) with no proof required, plus two years of free credit and medical records monitoring valued at $179.40 per year.

What is the claim deadline? 

Claims must be submitted online by May 27, 2026, at 11:59 p.m. ET, or postmarked by May 27, 2026, if filing by mail.

What is the deadline to opt out or object? 

Both the opt-out and objection deadlines are April 27, 2026.

Where is the official settlement website? 

The court-authorized settlement website is GeneralPhysicianDataIncidentSettlement.com, administered by Kroll Settlement Administration LLC.

What happens if I do nothing?

 If you do nothing, you will not receive any settlement benefits and will give up your right to sue, continue to sue, or be part of another lawsuit against General Physician P.C. related to the legal claims resolved by this settlement.

Additional Context

The General Physician P.C. settlement is notable for the breadth of sensitive health data potentially exposed — including mental health treatment information, diagnoses, and Social Security numbers — which places affected patients at heightened long-term risk of both financial fraud and medical identity theft. Medical identity theft, in which someone uses another person’s health insurance credentials to fraudulently obtain care, can have consequences that persist for years and are significantly harder to remediate than financial fraud alone.

The settlement covers all individuals residing in the United States whose private information may have been accessed and/or acquired by an unauthorized third party as a result of the data breach reported by General Physician in October 2024 — meaning anyone who received a breach notification letter, regardless of whether they experienced confirmed harm, is eligible to file a claim.

Last Updated: March 6, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah

Leave a Reply

Your email address will not be published. Required fields are marked *