Massachusetts Residents Eligible for Up to $5,600 Each in Gandara Mental Health Data Breach Settlement
Massachusetts residents affected by the 2024 Gandara Mental Health Center data breach can claim up to $5,600 each from a $900,000 settlement. Claims close July 23, 2026.

Context
In June 2024, Gandara Mental Health Center discovered an unauthorized intrusion into its network that exposed personal and health information of about 17,543 individuals. The incident prompted a class action lawsuit alleging the center failed to implement adequate access controls and monitoring. Gandara denied wrongdoing but agreed to a $900,000 settlement to avoid protracted litigation.
Key Facts
- The settlement fund totals $900,000.
- Eligible Massachusetts residents may receive up to $5,600 each, covering ordinary losses, lost time, extraordinary losses, or a flat $60 alternative payment.
- All class members also qualify for three years of credit monitoring with $1 million identity‑theft insurance.
- To receive payment, claimants must submit a notice ID and confirmation code, plus documentation for any claimed losses, by July 23, 2026.
- If approved claims exceed the fund, payments will be reduced proportionally.
What It Means
The settlement provides a concrete remedy for individuals whose data was compromised, while highlighting the financial consequences of insufficient network defenses. Organizations handling sensitive health data should note that breach‑related liabilities can reach hundreds of thousands of dollars per incident, not including regulatory fines or reputational harm. Security teams should review incident‑response plans and ensure timely detection of unauthorized access.
Mitigations
Defenders should enforce multi‑factor authentication on all remote access points, segment networks to isolate health‑record systems, and apply patches for known vulnerabilities. Implement continuous monitoring for anomalous login attempts, mapping detections to MITRE ATT&CK techniques T1078 (Valid Accounts) and T1021 (Remote Services). Enforce least‑privilege access, encrypt data at rest and in transit, and conduct quarterly penetration tests to validate controls.
Watch for the final approval hearing on August 25, 2026, which will determine whether the settlement proceeds to payout distribution.