In early 2025, Upstream Rehabilitation experienced a serious data breach that revealed sensitive personal and health-related information of tens of thousands of individuals.
The breach impacted patients of affiliated providers such as BenchMark Physical Therapy, Drayer Physical Therapy Institute, and SERC Physical Therapy.
In response, a class action lawsuit was filed, resulting in a $4.3 million settlement to compensate victims and implement stronger security practices.
If your information was involved, you may have been entitled to financial compensation, identity theft protection, or credit monitoring—even if you didn’t experience direct harm.
Although the claim deadline has passed, understanding this settlement provides valuable insight into your rights as a data breach victim and offers guidance on staying protected in the future.
Overview
Here are the essential facts at a glance:
| Feature | Details |
|---|---|
| Settlement Amount | $4.3 million |
| Breach Period | January 24–31 and May 3–9, 2025 |
| Eligible Parties | Anyone notified their data was compromised |
| Claim Deadline | January 30, 2025 (now closed) |
| Reimbursement Amount | Up to $5,000 for documented losses |
| Estimated Cash Payment | At least $50 (pro rata) |
| Credit Monitoring Offered | 3 years free with identity theft protection |
| Settlement Website | UpstreamDataSettlement.com |
Upstream Data Breach
Between January 24 and May 9, 2025, Upstream Rehabilitation’s systems were infiltrated by cybercriminals. The attackers gained unauthorized access to patient records containing:
- Full names
- Dates of birth
- Social Security numbers
- Health insurance policy details
- Clinical and diagnostic data
- Billing and claims history
This information is highly valuable to identity thieves, who can use it for fraud, medical identity theft, or targeted phishing scams. After the breach, Upstream implemented new security protocols and agreed to settle with affected individuals through a class action lawsuit.
Who Was Eligible?
If you received a breach notification letter from Upstream or one of its affiliates, your data was likely exposed. All individuals who were notified were included in the settlement class, regardless of whether they experienced financial harm.
Even without documented damages, affected individuals were still eligible for benefits. The settlement recognized that data exposure alone carries risks and can lead to future misuse of your personal information.
Compensation
The settlement offered three major forms of compensation:
Reimbursement for Documented Losses
Victims who suffered financial damages could claim up to $5,000 in reimbursement. Eligible expenses included:
- Fraudulent charges
- Credit freeze fees
- Identity restoration services
- Lost wages or out-of-pocket expenses
- Professional support (e.g., legal or tax advice)
Claimants were required to submit documentation, such as bank statements or affidavits, proving their loss.
Pro Rata Cash Payments
If you didn’t experience fraud or identity theft, you could still receive a general cash payment. These were distributed evenly based on the number of approved claims, with estimated payments starting at $50 per person.
Three Years of Free Credit Monitoring
All class members were eligible to receive credit monitoring services, which included:
- Daily credit checks
- Fraud alerts
- Access to identity theft recovery specialists
- Financial account tracking tools
This benefit helps reduce future risks for victims who may be targeted long after the breach.
How to Claim
Although the January 30, 2025 deadline has passed, here’s a summary of the claim process:
Step 1: Go to UpstreamDataSettlement.com
Step 2: Select the type of compensation you’re claiming
Step 3: Submit documentation (if applicable)
Step 4: Submit the claim online or by mail
Step 5: Monitor for updates about approval and payment
Those who filed correctly are now receiving payments or services depending on the option they chose.
Missed Deadline
If you did not submit a claim, you are no longer eligible for compensation. However, you still have ways to protect yourself:
- Check Your Claim Status: If you filed before the deadline, track your claim at the official website.
- Contact the Administrator: Reach out if you think your information was affected but you never received notification.
- Use Preventive Tools: Consider enrolling in a private credit monitoring service and freezing your credit to prevent future misuse.
Matters
This breach is part of a growing pattern. In 2025 alone, more than 88 million Americans were affected by healthcare-related data breaches. Medical records are particularly valuable on the black market, and the healthcare industry remains vulnerable to cyberattacks.
For healthcare providers, the Upstream case is a reminder of the importance of investing in cybersecurity. For consumers, it’s a lesson in staying vigilant. Even if your data wasn’t used today, it could be misused months or years down the line.
Take steps to protect your digital identity, monitor your accounts, and respond quickly if you suspect suspicious activity.
FAQs
Who qualified for the Upstream settlement?
Anyone who received a breach notice from Upstream in 2025.
What was the claim deadline?
Claims had to be submitted by January 30, 2025.
What was the average cash payment?
Around $50 or more, depending on total valid claims.
Can I still submit a claim now?
No, the claims period is closed as of April 2025.
How do I check my claim status?
Visit UpstreamDataSettlement.com or contact the administrator.
