Sunday, May 31

Something went wrong in Keenan & Associates’ systems between August 21 and August 27, 2023—five days, or the duration of a normal workweek—and the company would spend the next two years attempting to fix it through the legal system. While the breach was taking place, it was silent. Typically, data breaches are.

An unknown number of people’s health and personal information traveled through unapproved routes and was intercepted by the person on the other end. The notices were sent out months later. Heather Heath and others then filed a lawsuit in Los Angeles Superior Court at the beginning of 2024, initiating the class action that resulted in the $14 million Heath v. Keenan & Associates settlement.

| Category | Details |
| --- | --- |
| Case Name | Heather Heath, et al. v. Keenan & Associates |
| Case Number | 24STCV03018 |
| Court | Los Angeles Superior Court |
| Settlement Amount | $14 million USD |
| Breach Period | August 21–27, 2023 (5 days) |
| Data Compromised | Personal identifiable information and private health information |
| Maximum Individual Claim | Up to $10,000 (documented fraud-related losses) |
| Cash Payment Option | Pro-rata cash fund payment (in addition to or instead of reimbursement) |
| Credit Monitoring | Three years, three-bureau coverage plus insurance |
| Claims Deadline | October 30, 2025 |
| Opt-Out Deadline | October 15, 2025 |
| Final Approval Hearing | November 14, 2025 |
| Eligibility | Anyone notified by Keenan & Associates of data compromise |

Because Keenan & Associates works in the insurance brokerage and benefits administration industries, the hacked data was extremely sensitive. This was not a retail business losing email addresses. The data contained both private health information and personally identifying information, the kinds of records that, once made public, leave the affected individuals vulnerable for a long time. Medical information is permanent.

Years after the initial exposure, these records may reappear in identity theft schemes, employment situations, and insurance judgments. Although the settlement’s three-year credit monitoring period is a useful mitigation, it’s fair to question whether any monitoring period adequately addresses the risk profile of having health data circulating without your awareness.

For documented fraud-related losses directly related to the breach, the settlement structure permits affected individuals to claim up to $10,000. This is a significant compensation ceiling for anyone who actually spent money addressing identity theft, unauthorized account activity, or other concrete consequences.

Regardless of recorded losses, class members are also eligible for a pro rata cash fund payout, which serves as compensation for the exposure itself even in cases where actual financial injury has not yet occurred. The number of persons who make claims, which is usually significantly below the overall eligible population in situations like this, determines whether that pro-rata payment amounts to something significant or something nominal.

According to the timeline, the claims deadline passed at the end of October, and the final approval hearing is scheduled for November 14, 2025. It’s possible that a significant percentage of eligible members either missed the notification, didn’t recognize it as legitimate, or believed the compensation wasn’t worth the administrative effort of filing.


Class action settlements operate on schedules that most affected people find difficult to follow. The individuals who most need the credit monitoring and compensation options are frequently the least prepared to handle a claims process they have never encountered before, which is a frustratingly common pattern in data breach settlements.

Like the majority of defendants in settlements of this type, Keenan & Associates denied any wrongdoing as part of the agreement—standard language that permits proceedings to finish without a formal acknowledgment of culpability.

Compared to any liability admission, the fourteen million dollars provides a more specific indication of the severity of the breach. Regardless of the legal complexities, a five-day exposure event that results in eight figures in settlement fees is a serious consequence for a corporation handling sensitive health and benefits data.

Following a cycle that begins with notification letters, moves through law firm advertising and class certification, and ends with settlements that seldom alter business practices as significantly as the dollar amounts suggest, data breach class actions have become a fairly predictable aspect of the post-breach landscape.

That pattern is followed by the Heath v. Keenan settlement. It closes a legal chapter that Keenan likely wants behind it, pays harmed parties, and provides funding for three years of monitoring. The more difficult question is whether it leads to significant improvements in data security at similar organizations—the businesses that handle employee benefits, insurance records, and health information for thousands of clients—and it usually doesn’t get addressed until the next breach makes headlines.
