Case Overview

| Article Type | Settlement Roundup |

| Vertical | Privacy, Data & TCPA |

| Cases Covered | 3 |

| Deadlines | Spring–Summer 2026 |

Healthcare Data Breach Settlements to Watch in 2026: Rebound Orthopedics, Norton Healthcare, and More

Several significant healthcare and corporate data breach cases are making news in early 2026 — including a newly announced $2.5 million settlement and an $11 million fund that recently opened for claims. If your personal information was exposed in any of these incidents, you may be running out of time to understand your options.

Here's a breakdown of three data breach cases worth knowing about right now.

1. Rebound Orthopedics & Neurosurgery Data Breach Settlement

Settlement Fund: $2.5 million

Who May Qualify: Current and former patients whose personal information was exposed in the Rebound Orthopedics & Neurosurgery data breach

Proof Required: Notice of data breach from Rebound Orthopedics & Neurosurgery; documentation of losses may increase potential compensation

According to a recent report from the HIPAA Journal, Rebound Orthopedics & Neurosurgery — a Vancouver, Washington-based orthopedic and neurosurgery practice — has agreed to pay $2.5 million to resolve a class action lawsuit stemming from a data breach that allegedly compromised patients' personal and protected health information.

The lawsuit alleged that Rebound Orthopedics & Neurosurgery failed to implement adequate security measures to protect sensitive patient data. Given the nature of the practice, the information at risk may have included names, Social Security numbers, medical records, and other protected health information — the kind of data that, according to the complaint, can expose individuals to identity theft and financial fraud.

Settlement class members who received a data breach notification from the practice may be eligible to file a claim for compensation, which could include reimbursement for out-of-pocket losses and, potentially, a base cash payment. Exact amounts will depend on the number of valid claims filed and the nature of documented losses.

How to claim: Visit the official settlement administrator's website for claim instructions. Deadline information is expected to be detailed in the class notice sent to eligible individuals.

2. Norton Healthcare Data Breach — $11 Million Settlement

Settlement Fund: $11 million

Who May Qualify: Individuals who received a data breach notification letter from Norton Healthcare following its 2023 ransomware attack

Proof Required: No receipt required; data breach notification letter may be sufficient to establish eligibility

Norton Healthcare, one of Kentucky's largest healthcare systems, has agreed to an $11 million class action settlement to resolve claims related to a 2023 ransomware attack that the lawsuit alleged compromised the personal and medical information of patients, employees, and their dependents.

According to the complaint, the breach exposed sensitive data including names, Social Security numbers, dates of birth, health insurance information, and medical records. The lawsuit alleged that Norton Healthcare failed to maintain reasonable data security practices, leaving individuals vulnerable to identity theft and other harms.

The settlement fund, if approved by the court, could provide compensation to eligible class members for documented out-of-pocket losses, lost time, and other claimed damages. Those who received a data breach notification letter from Norton Healthcare may be eligible to participate in the settlement process.

How to claim: Eligible individuals should watch for class notice communications and visit the settlement administrator's website for claim filing instructions and deadline information.

3. Workday & Salesforce Data Breach — Class Action Filed

Status: Newly filed lawsuit; no settlement at this time

Who May Be Affected: Consumers whose personal information was allegedly compromised in a 2025 data breach linked to Workday and Salesforce systems

What to Watch: Court proceedings and any future settlement announcements

A new class action lawsuit filed in early 2026 alleges that enterprise software giants Workday and Salesforce are responsible for a 2025 data breach that the complaint claims compromised the personal information of millions of consumers.

According to the lawsuit, the defendants allegedly failed to implement adequate data security safeguards to protect consumer information stored within or processed through their platforms. The complaint alleges that sensitive personal data was exposed as a result of this alleged security failure, potentially putting affected individuals at risk of identity theft and other financial harm.

It is important to note that this case is in its early stages. No settlement has been announced, and both companies may deny the allegations. Litigation of this nature can take months or years to resolve. Individuals who believe they may have been affected should monitor developments in this case closely.

How to follow: Check court filings and news updates for case developments. No claim process is available at this time.

Key Takeaways

• Healthcare data is a high-value target. Two of the three cases in this roundup involve orthopedic, surgical, or hospital systems — industries that store some of the most sensitive personal and medical data.
• You may not need receipts to file. In many data breach settlements, a notification letter from the affected company is sufficient to establish baseline eligibility for a claim.
• Not all cases are in the settlement phase. The Workday and Salesforce lawsuit is newly filed, meaning no compensation is available yet — but it may be worth monitoring if you believe your data was affected.
• Settlement amounts vary per claimant. Final payouts depend on the number of claims filed and whether you can document specific losses — meaning early and complete filings often fare better than last-minute submissions.
• Court approval is not guaranteed. All settlements must receive final judicial approval before any compensation is distributed.

Have you received a data breach notification from any of the companies mentioned above? Share your experience in the comments below.

InjuryClaims.com reports on class action lawsuits and settlements as a news service. Nothing on this page constitutes legal advice. Eligibility for any settlement can only be determined by qualified legal counsel or the settlement administrator.