United Seating and Mobility, dba Numotion, decided to resolve a class action litigation associated with two data security incidents in 2024. The mobility equipment provider encountered an attack involving unauthorized access to the protected health information (PHI) of its clients.
Numotion discovered the first incident, a ransomware attack on March 2, 2024. According to the forensic investigation, an unauthorized third party acquired access to its network, which the lawsuit alleged included the personal data and PHI of 685,264 present and past clients and employees. The threat group got access to its system from February 29, 2024 to March 2, 2024, and possibly stole names, birth dates, equipment order information, supporting medical records, health insurance details, and, Social Security numbers for some persons.
The mobility equipment provider discovered the second data security incident on September 29, 2024. A phishing attack resulted in unauthorized access to email accounts. As per the data review, the personal data and PHI of 494,326 individuals was found in the breached accounts, which include names, birth dates, product data, payment and financial account details, medical insurance details, health data, and some Social Security numbers.
Each data breach resulted in the filing of multiple class action lawsuits, which were consolidated into two separate lawsuits. In March 2025, the involved parties from the two consolidated actions decided to consider a settlement of the two lawsuits. After a day of mediation and negotiations, they agreed on the material terms of a settlement. A settlement was finalized on the following weeks, without the defendant admitting to any liability or wrongdoing. The court already gave the settlement its preliminary approval.
The terms of the settlement specified that Numotion agreed to create a $4,000,000 settlement fund for the payment of up to $1,333,333.33 as attorneys’ fees and expenditures, settlement management costs, class representatives’ service awards, and class members’ benefits. Class members can claim two possible cash payments. They can file a claim for a refund of documented, unreimbursed expenses associated with the data breach up to $15,000 for each class member, and a pro rata cash payment. The cash payments shall be paid pro rata after deducting the costs and other benefits, if the settlement fund is not exhausted.
Class members will also get free credit monitoring services for two years without filing a claim. The subclass of people whose Social Security numbers were exposed can claim medical monitoring services for two years. The last day to object to and opt out of the settlement is March 3, 2026. The last day to submit claims is March 18, 2026. The schedule of the final approval hearing is April 2, 2026.
Note: According to the HHS’ Office for Civil Rights information, the first incident affected the PHI of up to 602,265 people. While the second data breach affected the PHI of up to 529,004 people.
Providing employees with HIPAA training can help Numotion to identify suspicious activities and avoid successful cyberattacks.
