Octapharma Plasma agreed to resolve litigation associated with its April 2024 ransomware attack and data security breach. Octapharma Plasma manages over 190 blood plasma donation centers across 35 states. On or about April 17, 2024, Octapharma noticed suspicious activity inside its computer network. The investigation revealed unauthorized access to segments of its system where it keeps sensitive personal data, such as names, Social Security numbers, dates of birth, medical information, donor qualification details, financial data, employee records, and business details.
On April 26, 2024, soon after the cyberattack was reported, Bret Woodall filed a class-action lawsuit against Octapharma. Several other lawsuits were later filed over the data breach. The lawsuits were consolidated into one action, Woodall v. Octapharma Plasma Inc., because they were similar in substance and overlapped in their allegations. The consolidated lawsuit claimed that Octapharma did not appropriately secure, check, and keep personal information, and that because of that failure, the plaintiffs and class members sustained injuries and damages, such as loss of value of their personal data, identity theft, lost time, and out-of-pocket expenses incurred in addressing the consequences of the data breach.
The lawsuit asserted claims of unjust enrichment, negligence, breach of implied contract, breach of confidence, breach of fiduciary duty, declaratory judgment, intrusion of privacy, and violations of the California Unfair Competition Law, California Consumer Privacy Act, California Customer Records Act, California Confidentiality of Medical Information Act, California Consumer Legal Remedies Act, the North Carolina Unfair and Deceptive Trade Practices Act, Oregon Consumer Identity Theft Protection Act, Oregon Unlawful Trade Practices Act, Illinois Consumer Fraud and Deceptive Business Practices Act, Illinois Personal Information Protection Act, and Illinois Uniform Deceptive Trade Practices Act.
Octapharma disputes all claims in the legal action and denies any wrongdoing. After weighing the possible expense of ongoing litigation and the uncertainty and risks of a jury trial, all parties opted to negotiate a settlement. After a few months of talks, all parties reached a fair settlement. The settlement has recently obtained the court’s preliminary approval.
Under the terms of the settlement, Octapharma has agreed to set up a $2,550,000 settlement fund, which will be used to cover attorneys’ costs and expenses, service awards, and settlement management fees. The rest of the fund will cover valid claims filed by class members.
Class members can claim these benefits:
- A refund of recorded, unreimbursed losses resulting from the data breach, up to $5,000 per class member
- Credit monitoring services for three years
- A flat cash payment, projected to be $100
- For people residing in California at the time of the data breach, an extra flat cash payment of $50
The cash payments will be adjusted pro rata and might be higher or lower, depending on the number of eligible claims received. People who want to exclude themselves from or object to the settlement must do so on or before October 29, 2025. Claims should be sent by November 14, 2025. The final approval hearing will be on December 4, 2025.
HIPAA-covered entities need to look at how they comply with the HIPAA training requirements so that they do not fail to address cybersecurity and suffer repeat ransomware attacks.