In re: Netgain Technology, LLC, Consumer Data Breach Litigation
- Susan Nelson
- 0:21-cv-01210
- U.S. District Court · District of Minnesota
- 23
In In re: Netgain Technology, LLC, Consumer Data Breach Litigation, Judge Susan Richard Nelson granted final approval of a $1,900,000 class action settlement resolving claims that Netgain failed to protect the personal information of approximately two million people whose data was stolen by hackers in 2020.
Approximately two million U.S. residents whose personal information — including Social Security numbers, medical records, and financial data — was stolen from Netgain Technology's servers in a 2020 cyberattack. These individuals are members of the settlement class and are bound by the settlement unless they validly opted out (no one did). Netgain Technology, LLC is permanently released from claims related to the breach.
What happened
In re: Netgain Technology, LLC, Consumer Data Breach Litigation arises from a 2020 cyberattack in which criminals broke into servers operated by Netgain Technology, LLC, a company that manages IT and cloud computing services for healthcare and accounting businesses. The hackers stole sensitive personal information — including Social Security numbers, medical records, bank account details, and other identifying data — belonging to customers of Netgain's clients. Six named plaintiffs filed suit in 2021 on behalf of approximately two million affected individuals, asserting claims for negligence, violations of California and Minnesota privacy laws, and requests for court-ordered relief.
The parties negotiated a settlement with the help of a retired federal magistrate judge acting as a neutral mediator. Under the agreement, Netgain will pay $1,900,000 into a fund that cannot be returned to the company. Class members can file claims for up to $5,000 to cover documented out-of-pocket losses or time spent dealing with the breach, or they can instead receive a cash payment from whatever money remains after those claims are paid. Netgain also agreed to adopt or continue specific cybersecurity improvements — such as multi-factor authentication, firewall upgrades, and virus prevention technology — for three years, subject to verification by class counsel. A court-appointed administrator found over 5,000 valid claims among more than 700,000 responses to the notice campaign. No class member objected to the settlement and no one asked to be excluded.
On November 3, 2025, Judge Susan Richard Nelson formally certified the settlement class and granted final approval of the settlement, finding it fair, adequate, and reasonable. The court dismissed all claims against Netgain with prejudice, meaning those claims cannot be refiled. All class members who did not opt out are legally bound by the settlement and release their claims against Netgain. A separate ruling on the attorneys' fees and service awards for the named plaintiffs is still pending.
The detailed version
- In re: Netgain Technology, LLC, Consumer Data Breach Litigation, No. 21-cv-1210 (SRN/LIB)
- Susan Richard Nelson, U.S. District Judge
- November 3, 2025
Background and Claims Netgain Technology, LLC provides outsourced IT, cloud computing, and data management services to clients primarily in the healthcare and accounting industries. In September and November 2020, criminals unlawfully accessed Netgain's servers and exfiltrated personal identifying information (PII) — including names, Social Security numbers, dates of birth, driver's license data, bank account information, tax records, medical records, prescription data, and health insurance information — belonging to individuals who were customers of Netgain's clients. Netgain began notifying clients of the breach in early 2021.
Multiple plaintiffs filed separate putative class action lawsuits in 2021, which were consolidated into this action. The named plaintiffs — Misty Meier (on behalf of minor child G.C-M.), Jane Doe, Susan M. Reichert, Robert Smithburg, Thomas Lindsay, and Robin Guertin — filed a consolidated complaint asserting: negligence, negligence per se, violations of the California Consumer Privacy Act, violations of the California Unfair Competition Law, violations of the Minnesota Health Records Act (MHRA), and claims for declaratory and injunctive relief.
Netgain moved to dismiss, and the court partially granted and partially denied that motion. The court dismissed the negligence per se claim and the MHRA claim but allowed the remaining claims to proceed. The parties then conducted discovery.
Settlement Negotiations The parties engaged in multiple mediated settlement negotiations before the Honorable Jeffrey J. Keyes (Ret.) of Keyes ADR. The court found the negotiations were conducted in good faith and at arm's length.
Settlement Terms - Monetary relief: Netgain agreed to pay $1,900,000 into a non-reversionary settlement fund (meaning the money cannot revert to Netgain regardless of claim rates). - Individual claims: Class members could submit claims for (a) documented monetary losses (up to $5,000), (b) lost time as defined in the agreement (up to $5,000 combined with documented losses), or (c) a pro rata cash payment from funds remaining after documented loss and lost time claims are paid. - Injunctive relief: For three years after the settlement's effective date, Netgain must adopt, continue, or implement specified cybersecurity measures, including firewall upgrades, secure routing gateways, geo-blocking, multi-factor authentication in hosting environments, virus prevention technology, and data backup protection. Class counsel has the right to verify compliance. - Release: Named plaintiffs and all class members who did not timely opt out release Netgain from all claims arising from or related to the data breach. - Opt-outs and objections: No class members requested exclusion and no written objections were filed.
Settlement Class Definition The court finally certified the following class under Federal Rule of Civil Procedure 23(b)(3): all natural persons residing in the United States whose PII was stored by Netgain clients on Netgain servers and compromised in the attacks, including those sent notice by a Netgain client that their PII may have been compromised. Excluded are presiding judges and their families, Netgain and its related entities and officers/directors, and (now moot, as no one opted out) persons who timely requested exclusion.
Notice The settlement administrator, CPT Group, Inc., conducted a 45-day media campaign beginning approximately June 19, 2025, targeting states where affected Netgain clients were located. The campaign included programmatic display ads on desktops and mobile devices, social media ads (Facebook and Instagram), online video ads, paid sponsored search results, press releases, a dedicated website, and a toll-free phone number. The administrator received 704,551 total responses and, after fraud screening using a tool called ClaimScore and secondary verification by a digital payment vendor, approved over 5,000 valid claims: 51 for out-of-pocket losses, 1,363 for lost time, and 4,105 for cash payments.
Rule 23 Analysis The court analyzed certification under Rule 23(a) (numerosity, commonality, typicality, adequacy of representation) and Rule 23(b)(3) (predominance of common questions, superiority of class treatment). The court found all requirements met: the class of approximately two million people satisfies numerosity; common questions about Netgain's duty of care, breach, and causation satisfy commonality and predominance; the named plaintiffs' claims arising from the same breach satisfy typicality; and the named plaintiffs and experienced class counsel adequately represent the class. Class treatment is superior because individual claims are small relative to litigation costs and because the breach affected millions of people nationwide.
Fairness Analysis The court evaluated the settlement under the fairness factors identified in Van Horn v. Trickey, 840 F.2d 604 (8th Cir. 1988), and found all factors favored approval: (1) the settlement provides certain relief against the backdrop of novel and risky data breach litigation; (2) continued litigation would be complex, expensive, and lengthy; (3) the settlement resulted from informed, arm's-length negotiations facilitated by an experienced neutral mediator; and (4) the class's reaction was overwhelmingly positive — zero objections and zero opt-outs.
Orders Entered
- Final approval of the settlement is granted; it is fair, adequate, and reasonable.
- The settlement class is finally certified under Rule 23(b)(3).
- Class counsel (Gayle Blatt, Christopher Renz, and Brian Gudmundson) and class representatives are affirmed.
- The $1,900,000 settlement fund is approved as a Qualified Settlement Fund under Internal Revenue Code Section 458B.
- All claims against Netgain are dismissed on the merits and with prejudice, with each party to bear its own costs except as provided in the settlement agreement.
- Class members are permanently barred from bringing released claims against Netgain.
- The notice provided to the class satisfied Rule 23 and constitutional due process requirements.
- The court retains jurisdiction over implementation, administration, and enforcement of the settlement.
- The clerk is directed to enter final judgment.
- A separate order on the pending fee petition (attorneys' fees, litigation expenses, and service awards for named plaintiffs) will follow.
Note
The opinion references Gayle Blatt as one of the three appointed class counsel in the final order (paragraph 7), while the introductory section identifies Kate Baxter-Kauf, Christopher Renz, and Brian Gudmundson as appearing counsel. This discrepancy is in the opinion itself and is not resolved by the opinion text.
Reviewer note from the AI+
Read the full 23-page opinion on CourtListener, the free public archive maintained by the Free Law Project.