Between May 13 and May 15, 2024, an unauthorized third party accessed the computer systems of Okanogan Behavioral HealthCare (OBHC), a mental health and substance use disorder treatment provider based in Omak, Washington. The breach compromised some of the most sensitive categories of health information that exist under HIPAA: psychiatric diagnoses, substance abuse treatment records, and other protected health information belonging to patients who trusted that their data would be handled responsibly.
OBHC discovered the intrusion on May 15, 2024. The organization reported the incident to the U.S. Department of Health and Human Services and began mailing notification letters to affected individuals on August 23, 2024. A class action lawsuit followed. As of June 2026, a proposed settlement has been reached, and affected patients can now file claims.
This article breaks down what happened, what data was exposed, what the settlement offers, and what behavioral health organizations should learn from this incident.
What Okanogan Behavioral HealthCare Does
OBHC is a behavioral health provider that has served residents of Okanogan County and surrounding areas in Washington State since 2002. The organization employs over 50 staff members and offers crisis response, counseling, case management, and substance use disorder treatment services.
That service profile matters for understanding the severity of this breach. Behavioral health records are treated as especially sensitive: HIPAA gives psychotherapy notes heightened protection, substance use disorder treatment records from federally assisted programs fall under the separate confidentiality rules of 42 CFR Part 2, and Washington State law adds its own protections for mental health and substance use treatment information. A breach involving a primary care provider's billing records is bad. A breach involving psychiatric diagnoses and substance abuse treatment histories is materially worse for affected patients, both in terms of identity theft risk and potential personal harm from disclosure.
The Breach: May 13 to 15, 2024
According to OBHC's own notification and the court filings in Doe v. Okanogan Behavioral Healthcare (Case No. 24-2-00502-24, Okanogan County Superior Court), the unauthorized access occurred over a three-day window.
On May 13, 2024, a third party gained access to OBHC's systems. The intrusion continued through May 15, when OBHC detected the activity after it disrupted the organization's IT systems. A forensic investigation confirmed that certain files containing sensitive personal and health information had been accessed during that window.
The specific attack vector (ransomware, credential theft, phishing, or other method) has not been publicly disclosed by OBHC. What has been confirmed is the scope of the data that was exposed.
What Data Was Exposed
The compromised files contained the following categories of information:
- Full names and contact information
- Social Security numbers
- Dates of birth
- Driver's license numbers and other government identification
- Medical records, including treatment details and clinical notes
- Psychiatric and behavioral health diagnoses
- Health insurance information
This is not a situation where an attacker accessed email addresses and phone numbers. The combination of Social Security numbers, dates of birth, and government IDs creates a near-complete identity theft package. Layer in behavioral health diagnoses, and the exposure carries real potential for discrimination, stigma, and personal harm that goes well beyond financial fraud.
The HIPAA Implications
Several elements of this breach raise questions about OBHC's compliance posture under the HIPAA Security Rule:
Access Controls (45 CFR 164.312(a)): The Security Rule requires covered entities to implement technical policies and procedures that allow access to electronic protected health information (ePHI) only to persons or software programs that have been granted access rights. A three-day unauthorized access window does not by itself prove a control failure, but it does suggest the controls in place were either insufficient or not monitored effectively.
Audit Controls (45 CFR 164.312(b)): Covered entities must implement mechanisms to record and examine activity in systems that contain or use ePHI. The fact that the intrusion disrupted IT operations before it was detected raises questions about whether adequate logging and alerting were in place.
Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)): Every covered entity is required to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Whether OBHC had a current, thorough Security Risk Assessment prior to the breach is unknown, but the breach itself suggests potential gaps.
Breach Notification (45 CFR 164.404): HIPAA requires individual notification without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. The 60 days is a ceiling, not a safe harbor. OBHC discovered the breach on May 15, 2024, and began mailing notification letters on August 23, 2024, roughly 100 days later. Whether there were extenuating circumstances that justified the delay (such as a law enforcement delay request under 45 CFR 164.412) is not clear from public filings.
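As an added illustration of the kind of audit-control mechanism the Audit Controls point above refers to, the script below runs two simple checks over a constructed ePHI file-access log: a bulk-access check (one account touching an unusual number of distinct patient records within a clock hour) and an off-hours check (patient-record access on weekends or outside business hours). This is example code written for this article, not OBHC's tooling and not anything taken from the court filings; the log line format, the `/ephi/patients/<id>/` path layout, the account names, the thresholds and the business-hours window are all assumptions, and the sample log is constructed.

```python
"""Two audit-control checks over a constructed ePHI file-access log.

Example code written for this article; it is not OBHC's tooling and the
log format, paths, account names and thresholds are all assumptions.
Assumed line format: '<ISO-8601 timestamp> <user> <ACTION> <path>', with
patient records living under /ephi/patients/<patient_id>/.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>[A-Z]+) (?P<path>\S+)$")
PATIENT_RE = re.compile(r"^/ephi/patients/(?P<pid>\d+)/")

# Constructed sample log (not real OBHC data). May 13, 2024 was a Monday.
NORMAL_LINES = [
    "2024-05-13T09:12:04 jsmith READ /ephi/patients/1042/intake.pdf",
    "2024-05-13T09:40:11 jsmith WRITE /ephi/patients/1042/notes/2024-05-13.txt",
    "2024-05-13T10:05:30 mlee READ /ephi/patients/2210/treatment_plan.docx",
    "2024-05-13T10:07:02 mlee READ /ephi/policies/hipaa_training.pdf",
]
# Thirty distinct patient records pulled in under three minutes, late at night,
# by an account that has no business reading clinical files one by one.
BULK_LINES = [
    f"2024-05-13T23:4{i // 10}:{i % 10:02d} svc_backup READ /ephi/patients/{1000 + i}/intake.pdf"
    for i in range(30)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + BULK_LINES)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pm = PATIENT_RE.match(m["path"])
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "action": m["action"],
        "patient": pm["pid"] if pm else None,
    }


def parse_log(text):
    """Keep only well-formed lines that touch a patient record."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev["patient"] is not None:
            events.append(ev)
    return events


def bulk_access(events, threshold=20):
    """(user, hour, count) for every clock hour in which a user touched more
    than `threshold` distinct patient records. Hour buckets are simple and
    cheap; a burst that straddles an hour boundary is split across two
    buckets, so use a sliding window if that matters in your environment."""
    seen = defaultdict(set)
    for ev in events:
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        seen[(ev["user"], hour)].add(ev["patient"])
    return sorted(
        (user, hour, len(pids))
        for (user, hour), pids in seen.items()
        if len(pids) > threshold
    )


def off_hours_access(events, start_hour=7, end_hour=19):
    """(user, timestamp, patient) for record access on a weekend or outside
    [start_hour, end_hour). Accounts expected to run overnight jobs would
    need an allowlist in a real deployment; none is assumed here."""
    return [
        (ev["user"], ev["ts"], ev["patient"])
        for ev in events
        if ev["ts"].weekday() >= 5 or not (start_hour <= ev["ts"].hour < end_hour)
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, hour, n in bulk_access(evs):
        print(f"BULK      {user} read {n} distinct patient records starting {hour:%Y-%m-%d %H:00}")
    for user, ts, pid in off_hours_access(evs):
        print(f"OFF-HOURS {user} touched patient {pid} at {ts:%Y-%m-%d %H:%M:%S}")
```

Run as a script, it reports one bulk-access hit for `svc_backup` (30 distinct records in the 23:00 hour) and thirty off-hours hits, while the daytime clinician activity passes both checks. The point is not the thresholds, which any real deployment would tune against its own baseline, but that both signals come straight from the access records 45 CFR 164.312(b) already requires you to keep; the gap in many small practices is not the log but the absence of anything that reads it.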
For other behavioral health organizations reading this, the lesson is straightforward. If you have not completed a current risk assessment and gap analysis, this is the kind of incident that should move that to the top of your priority list.
The Settlement
The class action was filed as Doe v. Okanogan Behavioral Healthcare in Okanogan County Superior Court. The use of "John Doe" as the named plaintiff is notable. It reflects the sensitivity of the data at issue. In behavioral health breach cases, plaintiffs frequently seek anonymity to avoid the very disclosure harm the breach created.
The proposed settlement includes the following benefits for class members:
Ordinary Loss Reimbursement (up to $300): Documented out-of-pocket expenses incurred between May 13, 2024 and May 7, 2026, including bank fees, credit monitoring costs, postage, phone charges, and mileage related to the breach.
Extraordinary Loss Reimbursement (up to $5,000): For documented losses that are reasonably traceable to the breach, occurring between May 13, 2024 and September 3, 2026. This category requires documentation showing the loss was more likely than not caused by the breach.
Credit Monitoring: Two years of CyEx Medical Shield Complete, which includes $1 million in identity theft protection insurance.
Alternative Cash Payment ($50): For class members who already have credit monitoring and decline the CyEx enrollment.
Security Improvements: OBHC has agreed to implement or maintain enhanced data security measures, with costs paid separately by OBHC outside the settlement fund.
Attorney fees and costs are capped at $200,000. The class representative service award is up to $5,000.
How to File a Claim
The deadline to file a claim is September 3, 2026.
You can file online at okanogandatasettlement.com/form/claim. You will need the unique ID and PIN from the settlement notice letter you received.
You can also file by mail:
Doe v. Okanogan Behavioral Healthcare
c/o Settlement Administrator
P.O. Box 25226
Santa Ana, CA 92799
For questions, contact the settlement administrator at 833-386-6599 or info@OkanoganDataSettlement.com.
Payment is available via PayPal, Venmo, Zelle, or paper check.
If you wish to exclude yourself from the settlement, the opt-out deadline is August 4, 2026. The Final Fairness Hearing is scheduled for September 3, 2026 at 9:00 a.m.
What Behavioral Health Organizations Should Take From This
Behavioral health providers face a uniquely difficult cybersecurity position. The data they hold is among the most sensitive in all of healthcare. A breach at a dental office exposes names, insurance IDs, and maybe X-rays. A breach at a behavioral health provider can expose psychiatric diagnoses, substance abuse histories, and treatment records that patients would never want disclosed to anyone.
That sensitivity demands a higher standard of care. Not legally (HIPAA applies the same requirements to all covered entities), but practically. The consequences of a behavioral health breach are worse for patients, and the litigation risk for providers is correspondingly higher.
If you run a behavioral health practice, a counseling center, or a substance use disorder treatment program, here is what this incident should prompt you to review:
- When was your last Security Risk Assessment? If it was more than 12 months ago, or if you have never completed one, you are operating with a known gap. The HIPAA Security Rule does not set a fixed interval, but it requires the risk analysis to be kept current and reviewed when your environment changes, and HHS guidance and industry practice treat annual review as the floor.
- Do you have a current inventory of where ePHI lives in your systems? This includes EHR databases, file shares, email inboxes, cloud storage, backups, and any device that touches patient data.
- Are your access controls appropriate for the sensitivity of your data? Role-based access, multi-factor authentication, and audit logging are not optional for organizations handling behavioral health records.
- Do you have an incident response plan? If an attacker accessed your systems tonight, do you know who to call, what to preserve, how to notify, and what your legal obligations are under HIPAA and state law?
- Have your staff completed HIPAA training in the last 12 months? Phishing is consistently among the most common entry points for healthcare breaches. Training is not a formality.
- Are your vendor agreements and BAAs current? If you use a third-party EHR, billing service, cloud host, or IT provider, you need a signed Business Associate Agreement with each one. And that agreement needs to be more than a PDF collecting dust in a drawer.
The Bottom Line
Nearly 1,100 patients trusted Okanogan Behavioral HealthCare with some of the most private information a person can share: their mental health diagnoses, their treatment for substance use disorders, and their personal identifiers. A three-day cyberattack in May 2024 put all of that at risk.
The settlement offers modest compensation: up to $300 for documented ordinary losses, up to $5,000 for documented extraordinary losses, and two years of credit monitoring. But no settlement can undo the exposure of a psychiatric diagnosis or a substance abuse treatment record. That information is now outside the organization's control permanently.
For behavioral health providers, this incident is a clear reminder. The question is not whether your organization will be targeted. It is whether your security controls, your training, your policies, and your incident response plan will hold up when it happens.
If you are not sure where your organization stands, schedule a consultation to discuss your compliance posture and identify your highest-priority gaps.
Frequently Asked Questions
What happened at Okanogan Behavioral HealthCare?
Between May 13 and May 15, 2024, an unauthorized third party accessed OBHC's computer systems and potentially viewed files containing patient names, Social Security numbers, dates of birth, driver's license numbers, medical records, diagnoses, and health insurance information.
How many people were affected by the Okanogan Behavioral HealthCare data breach?
Approximately 1,100 individuals were affected, according to the breach report filed with the U.S. Department of Health and Human Services.
Is there a settlement for the Okanogan Behavioral HealthCare data breach?
Yes. A class action settlement has been proposed in Doe v. Okanogan Behavioral Healthcare (Case No. 24-2-00502-24). Class members can receive up to $300 for ordinary losses, up to $5,000 for extraordinary losses, and two years of credit monitoring with $1 million in identity theft insurance.
How do I file a claim for the Okanogan data breach settlement?
You can file online at okanogandatasettlement.com/form/claim using the unique ID and PIN from your notification letter. You can also file by mail. The claim deadline is September 3, 2026.
What is the deadline to file a claim?
The deadline to submit a claim is September 3, 2026. The deadline to opt out of the settlement is August 4, 2026.
Why is a behavioral health data breach particularly harmful?
Behavioral health records include psychiatric diagnoses, substance abuse treatment histories, and other clinical information that carries significant stigma risk. Unlike a credit card number, which can be replaced, a disclosed mental health diagnosis cannot be retracted. The potential for discrimination, relationship harm, and personal distress makes behavioral health breaches among the most damaging types of healthcare data exposure.
Sources
- Okanogan Data Settlement FAQ
- Settlement Claim Form
- Class Notice (Long Form)
- Strauss Borrelli PLLC investigation announcement
- Washington State Attorney General breach notification
- ClaimDepot settlement summary
- OBHC formal notice letter to affected individuals
- Court filings in Doe v. Okanogan Behavioral Healthcare (Case No. 24-2-00502-24)