In early 2023, a serious data breach hit Upstream Rehabilitation, a leading network of outpatient physical therapy providers in the U.S. The breach exposed private and sensitive information of tens of thousands of people, including their names, Social Security numbers, birth dates, insurance details, and even medical records.
The breach happened between January 24–31 and February 3–9, 2023, during which cybercriminals gained unauthorized access to Upstream’s systems. The exposed data was enough to open victims to identity theft, medical fraud, and other digital crimes. This incident raised important questions about how well healthcare providers are protecting personal information in today’s cyber-threatened world.
$4.3 Million Settlement Announced to Help Victims
Following this breach and the resulting public concern, a class action lawsuit was filed. The outcome? Upstream Rehabilitation agreed to a $4.3 million settlement to help those affected and reduce the risk of future data breaches.
This amount was set aside to compensate victims in three main ways:
- Reimbursements for financial losses
- One-time cash payments
- Free credit and identity monitoring for three years
While the claim deadline (January 30, 2025) has now passed, it’s still important to understand how the process worked and what it means going forward.
What Kind of Information Was Stolen?
The cyberattack exposed deeply personal information. This included:
- Full names
- Social Security numbers
- Dates of birth
- Health insurance policy numbers
- Clinical data, diagnoses, and treatment details
- Billing and claims records
This kind of information is extremely valuable to cybercriminals. It can be used in identity theft, insurance fraud, or phishing scams. Victims could face long-term risks, including fake insurance claims made in their name or having their identity used to open fraudulent accounts.
Who Was Eligible to Claim Settlement Benefits?
To qualify for benefits under the class action settlement, individuals needed to receive a notification letter from Upstream Rehabilitation or one of its affiliated clinics, such as:
- BenchMark Physical Therapy
- Drayer Physical Therapy Institute
- SERC Physical Therapy
The letter would have confirmed that the person’s private data was exposed in the breach. Even if someone did not experience immediate financial damage, they were still eligible for certain benefits under the settlement.
This inclusive approach acknowledged that even potential harm—such as the risk of future identity theft—deserves compensation and preventive action.
What Was Included in the Settlement?
The $4.3 million settlement offered three types of compensation:
1. Reimbursement for Documented Financial Losses (Up to $5,000)
Victims who suffered actual out-of-pocket costs could claim up to $5,000. They had to provide proof, such as:
- Bank or credit card statements showing fraud
- Receipts for credit monitoring services
- Invoices for identity theft recovery services
- Signed statements explaining steps taken to fix the situation
This part of the settlement was meant to cover the real emotional and financial toll that victims faced after the breach.
2. Pro Rata Cash Payments (Estimated Minimum $50)
Even if someone didn’t face clear financial loss, they were still eligible to receive a minimum estimated cash payment of $50. The exact amount depended on how many people submitted valid claims.
These payments served as recognition of the inconvenience, stress, and risks that come with knowing your data is out there—possibly forever.
3. Free Credit Monitoring and Identity Protection for 3 Years
All affected individuals were also offered three years of free credit monitoring, including:
- Daily tracking of credit reports
- Fraud alerts and suspicious activity notices
- Identity restoration services if problems were detected
- Access to financial wellness tools
This benefit alone is worth hundreds of dollars per person. It helps victims protect themselves from long-term consequences, even years after the breach.
How Did People Submit a Claim?
Though the deadline to file a claim has passed, the claim process was fairly simple and helps serve as a model for future class action cases.
Here’s how the process worked:
- Visit UpstreamDataSettlement.com – This was the official website for all forms and FAQs.
- Choose the benefit option – Victims could request a reimbursement, a cash payment, or free credit monitoring.
- Collect and upload documentation – For those claiming losses, they had to gather receipts or records.
- Submit the form online or by mail – Everything had to be submitted by January 30, 2025.
- Wait for updates – Claimants were notified via email or mail regarding the status and final payout.
What to Do If You Missed the Deadline
If you missed the filing deadline, you are no longer eligible to receive money or benefits from this settlement. However, there are still important steps you can take to protect yourself:
- Check Your Claim Status – If you did submit a claim earlier, you can still visit the official site to track its progress.
- Contact the Settlement Administrator – If you believe your data was affected but you didn’t receive a notification, reach out for clarification.
- Take Preventive Action – Sign up for credit monitoring on your own or freeze your credit reports to block any new accounts from being opened using your data.
Why This Case Matters for All Americans
The Upstream breach is not an isolated case. In fact, more than 88 million Americans were affected by healthcare data breaches in 2023 alone, according to the U.S. Department of Health and Human Services.
Medical records are among the most valuable types of stolen data. Unlike credit cards, which can be cancelled, you can’t easily change your medical history, date of birth, or Social Security number.
Lessons for Healthcare Providers and Consumers
For healthcare organizations, the message is clear: Cybersecurity is not optional. It’s time to invest more in:
- Strong data encryption
- Employee cybersecurity training
- Regular system security audits
- Multi-factor authentication protocols
For regular consumers, there are also clear takeaways:
- Monitor credit reports regularly
- Use strong, unique passwords
- Never click on suspicious email links
- Stay informed about data breaches and class actions
The Bigger Picture: Protecting Yourself in a Digital Age
As cybercrime becomes more common, understanding your rights and options after a data breach is more important than ever. The Upstream Rehabilitation settlement shows that people do have legal ways to seek justice and compensation—but timing matters.
By staying aware, you can act quickly if a similar event happens in the future. Sign up for alerts from services like the Federal Trade Commission (FTC), and make sure your contact information is up to date with healthcare providers, banks, and insurers.