Santa Clara Tech Management Company Hit with Blizzard of Class Action Suits After Data Breach

A flurry of class action lawsuits against a South Bay digital tech management company landed Monday in federal court after a data breach allegedly exposed the personal, medical and insurance information of nearly half a million people.

Santa Clara-based Serviceaide Inc. provides digital management services to many health care providers and other clients, using AI chatbots that serve as virtual agents to handle routine customer questions and requests without human intervention.

According to the court filings, a massive data leak — discovered by Serviceaide in November 2024 — compromised the personal data for 480,000 patients of Catholic Health Systems Inc., a New York health care provider and one of Serviceaide’s clients.

SPONSORED

The filings allege that Serviceaide failed to disclose the breach to the affected people until May 9, even though the leaked data included, for some of the affected people, names and Social Security numbers as well as insurance and medical information.

Once the Serviceaide breach was revealed, class action lawyers throughout the country sprang into action.

There has been a surge in data breach lawsuits since 2020, and such cases have become a regular stable for plaintiffs’ law firms.

The first suit was filed Thursday by a Chicago class action law firm seeking damages as well as injunctive relief on behalf of a nationwide class of current and former patients of Catholic Health who had sensitive information leaked, exposing them to possible financial fraud or identity theft.

On Sunday, a Fort Lauderdale law firm weighed in, seeking to represent the same class. Its court filing emphasized the significance of the breach. It quoted data from a 2017 survey of people who had been victimized by identity theft. The complaint alleges that 75 percent of the victims reported feeling “severely distressed” from the theft and 37 percent feared for the financial safety of family members. The survey also reported 15 percent of the victims had a personal relationship that ended or was “severely and negatively” affected, and 7 percent felt suicidal.

On Monday, a barrage of six class action lawsuits landed. One was from Milberg Coleman Bryson Phillips Grossman PLLC, a national plaintiffs’ class action firm headquartered in New York, though the suit was filed by lawyers in its San Diego office. Milberg touts having recovered more than $50 billion for its clients since its founding in 1965.

More cases followed from law firms based in Washington, D.C., Los Angeles, Beverly Hills and Santa Barbara.

All of the cases were filed in U.S. District Court for the Northern District of California in San Francisco, a popular venue for data breach cases because of California’s robust consumer protection laws. Serviceaide is also headquartered in the district.

The new cases will likely be handled as a group and the law firms will jockey for roles in the collective litigation. If the cases get traction and a class of plaintiffs seems likely to be approved by a judge, lead counsel will be selected and the firms will coordinate their work until the matter is ultimately resolved by settlement or trial.

A July 2024 newsletter authored by Balanced Bridge Funding, a financial firm that funds law firms and lawsuits, notes, “Class action lawsuits are resulting in massive settlements, which in turn are resulting in large contingency fees for the lawyers who represent class members. Data breach lawsuits are a new source of revenue for lawyers, and we can expect to see this trend continue indefinitely.”

While data breaches in many industries are harmful to consumers, breaches involving data collected by health care providers raise particularly serious issues. Health care data is protected by the Health Insurance Portability and Accountability Act of 1996 and because of the sensitivity of the data, violations carry with them the potential for fines and heavy damages.

The Office of Civil Rights of the U.S. Department of Health and Human Services keeps a tracker that follows open investigations into data breaches at health care organizations and business associates like Serviceaide. The tracker lists 803 open investigations involving health care breaches in the last two years.

California has 51 open investigations on the list involving household names like Kaiser Foundation Health Plan Inc., Blue Shield of California, and Catholic Charities CYO of The Archdiocese of San Francisco.

The tracker lists the number of individuals affected by each breach. The Serviceaide breach is the fifth-largest incident on the California list by that measure with 480,000, comfortably behind an April 2024 network incident at Kaiser (13,400,000) and an April 9, 2025 breach at Blue Shield (4,700,000).

The tracker shows that the total number of affected individuals in California from the breaches is more than 23 million. If overlaps are ignored, the number represents more than half of the state’s residents.

Many of the new lawsuits emphasized the length of delay between discovery of the breach in November 2024 and the notice letter that Serviceaide sent to affected customers on May 9. They also criticized the content of the letter itself as a grossly inadequate response in light of the severity of the problems that such a breach may cause.

One of Monday’s complaints says that sensitive personal information is one of the most valuable commodities on the criminal information black market and may garner as much as $1,000 per person.

Another alleges that once such sensitive information is sold, it “is often used to gain access to various areas of the victim’s digital life, including bank accounts, social media, credit card, and tax details. This can lead to additional private information being harvested from the victim, as well as private information from family, friends and colleagues of the original victim.”

According to the lawsuits, Serviceaide’s letter does not begin to address the harm caused by the breach.

The letter — apparently the same letter was sent to everyone — begins by assuring recipients that “the confidentiality, privacy, and security of personal information within our care are among Serviceaide’s highest priorities.”

It then says, “we are offering credit monitoring and identity theft protection services for twelve (12) months … at no cost to you.” (It cautions however that enrollment would not be automatic, and affected customers need to enroll themselves.)

The letter closes by advising individuals affected by the breach “to remain vigilant against incidents of identity theft and fraud” and ends with the statement, “We sincerely regret any inconvenience or concern this event may cause you.”

An invitation to comment on the litigation was not immediately accepted by Serviceaide.

This article was written by Joe Dworetzky for Bay City News.