About the Infosys McCamish Settlement
More than 3.7 million individuals across over 40 insurance companies may now participate in the Infosys McCamish Systems data breach settlement.
The settlement follows an alleged LockBit ransomware attack that potentially compromised sensitive personal and health information belonging to insurance customers whose data the company managed through revenue cycle management services.
Breach Impact and Settlement Overview
The $17.5 million Infosys McCamish Systems settlement fund addresses claims that the company failed to implement adequate cybersecurity measures to protect sensitive data entrusted to it by insurance companies and their customers.
Between October 29 and November 2, 2023, cybercriminals are claimed to have successfully infiltrated the company's systems, encrypting files with ransomware and stealing vast amounts of personal information.
Level of exposure
The data breach allegedly exposed an extensive range of consumer-sensitive information including:
- Financial Information: Social Security numbers, bank account numbers, credit card details, and other financial account information.
- Medical Records: Detailed health information, including diagnoses, treatment histories, prescription data, lab results, and clinical information.
- Insurance Details: Policy numbers, member IDs, health insurance group numbers, and coverage information.
- Government IDs: Driver's licenses, state identification numbers, passport numbers, military IDs, and tribal identification.
- Biometric Data: Fingerprints and other biological identifiers used for authentication.
- Personal Information: Names, addresses, phone numbers, email addresses, birthdates, and usernames with passwords.
The putative breach affected insurance companies that mostly relied on Infosys McCamish for billing services.
LockBit Attack and HIPAA Violations Explained
LockBit, a notorious ransomware group, claimed responsibility for the attack on Infosys McCamish Systems.
Modern cyber thief
The cybercriminals allegedly employed sophisticated encryption methods to lock the company out of its own systems while simultaneously exfiltrating a massive amount of data.
Failed ransom offer
According to the lawsuit, Infosys McCamish offered LockBit only $50,000 to prevent the release of stolen data, but LockBit rejected the “lowball offer” and leaked the information on the dark web.
Billing interruptions
Plaintiffs say the revenue cycle management breach disrupted billing processes across dozens of insurance companies. Healthcare providers allegedly found themselves unable to process claims, verify coverage, or access patient billing histories.
Alleged HIPAA violations
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare entities and their business associates to implement specific safeguards to protect patient information.
The class action lawsuit argued that Infosys McCamish:
- Failed to encrypt sensitive data at rest and in transit.
- Neglected to implement multi-factor authentication across all systems.
- Didn't maintain adequate network segmentation to limit breach impact.
- Delayed breach notification beyond HIPAA's 60-day requirement.
- Lacked sufficient incident response protocols.
Plaintiffs claim that basic cybersecurity measures could have prevented or significantly limited the breach's impact.
However, the operational chaos lasted for weeks, with Infosys McCamish reporting that it could not substantially restore its systems until December 31, 2023—nearly two months after the initial breach is claimed to have occured.
Who May Participate in the Infosys Settlement?
Infosys McCamish Systems automatically included US residents who received an individualized data breach notification in the settlement class.
The company sent approximately 3.7 million notices to affected individuals between late 2023 and mid-2024.
Potential class members should verify their eligibility by checking their breach notification letter for a unique class member ID. This identifier appears prominently on the notice and is key to accessing possible settlement benefits.
Estate representatives may also file claims on behalf of individuals who passed away after the breach occurred.
Individuals who have misplaced their notice or believe the data breach affected them should contact Kroll Settlement Administration at (833) 621-8670 to verify their status.
Settlement Compensation Structure and Benefits
Three distinct benefit tiers define the settlement disbursement structure, allowing class members to potentially claim one or all available options based on their circumstances and documented losses.
Tier 1: Documented Loss Reimbursement (Up to $6,000)
Provides the most substantial compensation for victims who have suffered actual financial harm as a result of the claimed data breach.
Eligible expenses include:
- Identity Theft Losses: Unauthorized charges, fraudulent accounts opened in your name, and tax refund theft.
- Professional Service Fees: Costs for attorneys, accountants, or credit repair specialists hired to address breach-related issues.
- Credit Monitoring Expenses: Amounts paid for credit monitoring services purchased between the breach date and claim submission.
- Miscellaneous Costs: Notary fees, postage for mailing documents, long-distance phone charges, and mileage for trips to banks or police stations.
The $6,000 maximum applies per person, not per incident.
Tier 2: Credit Monitoring Package
Every eligible class member may receive two years of credit monitoring at no cost, regardless of whether they claim other benefits, including:
- One-bureau credit monitoring with real-time alerts.
- $1M in identity theft insurance coverage.
- Identity restoration services if fraud occurs.
- Dark web monitoring for your personal information.
This benefit generally requires no documentation. Simply indicate your choice when filing a claim, and monitoring will begin after final settlement approval, expected in early 2026.
Tier 3: Residual Cash Payment
Class members without documented losses may receive a remainder cash payment, currently estimated at $30 per person.
This amount could increase or decrease based on total claims filed, but the settlement caps individual payments at $599.
How to Submit an Infosys Data Breach Claim
One of the fastest way to file is through the official settlement website at InfosysDataSettlement.com. Claimants will need to provide the administrator with the following information:
- Unique class member ID from the breach notification.
- Current contact information for payment delivery.
- Digital copies of any supporting documentation.
- Payment preference selection (PayPal, Venmo, Zelle, or check).
The system provides immediate confirmation upon successful submission.
Mail-in option
Claimants who prefer paper filing or lack internet access can:
- Download the PDF claim form from the settlement website or call (833) 621-8670 to request one.
- Complete all sections in blue or black ink
- Attach supporting documentation copies (not originals.
- Mail to: Kroll Settlement Administration LLC, P.O. Box 225391, New York, NY 10150-5391
Incorrect information or missing documentation may delay processing or may result in claim denial.
Required Documentation for Healthcare Data Breach Claims
The settlement administrator applies strict documentation requirements to prevent fraudulent claims and claim rejection.
Financial loss claims
- Bank Statements: Highlighting unauthorized transactions with dates and amounts clearly visible.
- Credit Card Statements: Showing fraudulent charges and any related fees or interest.
- Police Reports: For identity theft claims exceeding $1,000.
- Letters from Financial Institutions: Documenting disputed charges or account closures.
- IRS Documents: Form 14039 (Identity Theft Affidavit) if tax fraud occurred.
Professional service claims
- Invoices or Receipts: From attorneys, accountants, or credit repair services
- Engagement Letters: Showing services were breach-related
- Proof of Payment: Cancelled checks, credit card statements, or bank transfers
Self-prepared documents, handwritten lists of expenses, or homemade receipts won't be accepted as primary evidence.
Important Settlement Deadlines
- December 1, 2025: Claim submission deadline. All claims must be postmarked (if mailed) or submitted online by 11:59 PM Pacific Time. The administrator will grant no extensions for late submissions.
- November 3, 2025: Opt-out and objection deadline to preserve rights to sue Infosys McCamish separately.
- December 18, 2025, 10:00 AM ET: Final approval hearing to decide whether to approve the settlement as fair and reasonable.
- Expected Payment Timeline: Disbursements may begin in spring 2026, pending final court approval in December 2025, and assuming no party files an appeal.
Next Steps for Affected Insurance Customers
The class action attorneys representing the millions of consumers in this settlement suggest that Infosys McCamish clients should take protective action immediately.
Start by closely monitoring all financial accounts and placing fraud alerts with all three major credit bureaus: Equifax, Experian, and TransUnion.
Cybercriminals often wait months or even years before using stolen data, hoping victims have relaxed their vigilance.
Finally, all Infosys McCamish Systems data breach victims should request copies of their medical records from all providers to verify that they have received all necessary treatments and prescriptions.
For more information about other precautions, the settlement, or the lawsuit, visit: https://infosysdatasettlement.com/
Add Comment