Bosley Data Breach Class Action Lawsuit Information

Update: The lawsuit has been settled with Bosley paying out $500,000 to the Class Members (11/22/2022)

Details: A class action lawsuit was brought by former Bosley clients who say it failed to properly protect their Personally Identifiable Information (PII) from being taken during a cyber attack, then concealed the data breach for months because it was afraid it would hurt its business.

Customers' information that was potentially stolen includes names, addresses, DOBs, Social Security numbers, driver’s license numbers, financial account and credit card numbers, and medical and health insurance information.

* Ken Hashemi et al v. Bosley, Inc., U.S. District Court for the Central District of California, Case number 2:21-cv-00946



Important notice for consumers, customers, patients:

Your personal and financial information may have been stolen during a cyber attack.

The Bosley database was hacked on August 17, 2020, and more than 100,000 people could be affected.

Bosley says it sent notices to 100,839 individuals between January and February of 2021 indicating their critical personal information may have been taken as a result of malware infecting its computers.

The information that was potentially accessed includes names, addresses, DOB, Social Security numbers, driver’s license numbers, financial account and credit card numbers, and medical and health insurance information.

Bosley learned about the breach on September 24, 2020 but did not explain why it waited over four months to notify people. The notification recommends monitoring accounts for illegal activity and describes how to set up fraud alerts and security freezes with credit reporting agencies to make it more difficult for identity thieves to open new accounts in the individual's name.

A class action lawsuit has been brought by several former clients regarding this incident (see below).

Read the entire Notice of Data Breach at the State of California



Ken Hashemi et al v. Bosley, Inc

The United States District Court for the Central District of California, case #2:21-cv-00946

The lawsuit alleges that Bosley failed to implement standard security measures that would have prevented the Data Breach and then concealed the incident from the public for several months.

This resulted in the lost or diminished value of customers' Personally Identifiable Information (PII) and a heightened risk of identity theft for the lifetimes of the Plaintiffs and Class Members.

If your personal information was in Bosley's computer system and you received a notice of data breach you may be affected by the outcome of this case.



Plaintiffs' Allegations in the Complaint: (Plaintiffs are six former Bosley clients. Complaint was filed 02/01/21)

  • Bosley admitted that the Personally Identifiable Information (PII) of Plaintiffs and Class Members was wrongfully disclosed to unauthorized third parties.

  • It failed to implement security measures that could have prevented the Data Breach by properly encrypting customers' PII as stated in its Privacy Policy.

  • Bosley concealed the Data Breach from the public for more than four months because it was afraid it would hurt its business.

  • It committed fraud by deceit or concealment of a material fact with the intent of depriving Plaintiffs and Class Members of legal rights or otherwise causing injury.

  • Former Bosley clients have lost or diminished value of PII and heightened risk of identity theft. The risk will remain for the lifetimes of Plaintiffs and Class Members.

Defendant Bosley's Answer to the Complaint:

  • None. Bosley filed six time extensions from 03/01/21 to 11/15/21 postponing answering the complaint. It never did. The parties entered mediation and reached a proposed settlement agreement that was filed on 01/07/22.


Are you a Settlement Class Member?   If you are a former Bosley customer you may be one of over 100,000 people who are part of the Settlement Class. The “Settlement Class” means all persons residing in the United States whose PII was potentially compromised in the Data Incident first announced by Bosley on or about January 26, 2021.

Will Members need to do anything?   Members will need to act if they want to claim benefits or if they want to hold on to their legal rights. If they do nothing they will lose both. See the Member Options below.

Settlement Details

The Settlement offers the Class three types of monetary relief capped at a maximum of $500,000 for the entire 100,000+ member Class.

  • (1) Reimbursement for ordinary expenses and lost time up to $300 per Class Member; (2) Reimbursement for extraordinary expenses up to $5,000 per Class Member; and (3) California Statutory Claim benefits of $50 per California Subclass Member.


  • Class Members will receive free access to Aura Financial Shield for two years. Members will need to sign up to enroll in the free service but won't need to file a claim.

Anyone who files a claim (or does nothing) will be bound by the terms of the settlement and end Bosley's responsibility toward them regarding the data breach.

People who want to retain their legal rights and ability to participate in another lawsuit against Bosley regarding these issues must exclude themselves by opting out (see Member Options below).

Terms and benefits of the settlement will be subject to a final settlement approval hearing.


The aggregate cap could lessen what a Member gets in the settlement. Their reimbursement payment might be less than what they claimed. Similarly, the California statutory damages award is subject to a reduction on a pro rata basis if the claims made exceed the funds available.

A Federal Trade Commission Study of 149 consumer class actions found a median claims rate of 9%. If applied to this settlement the average payment could be about $55 ($500,000 in valid claims divided by 9,000 people).

Each class action is unique and there is no way to tell what the actual numbers will be until after the claims deadline.

Member Options

Class Members have four options:

  • Submit a Claim  Members fill out a claim documenting their expenses along with receipts and submit to the claims administrator before the claims deadline.

  • Exclude Yourself (a.k.a. Opting Out)  People can remove themselves from the settlement by submitting a simple letter. This is the only option that allows them to ever be in another lawsuit against Bosley regarding the data breach.

  • Object  Those who don't like some aspects of the settlement can file a written objection with the court. They will still remain part of the Settlement Class and be bound by its final outcome.

  • Do Nothing  People who do nothing won't benefit from the Settlement and will lose their legal right to sue Bosley about the legal issues in the case.

The Claims Administrator

The claims administrator is CPT Group. Official settlement information and instructions can be found at the settlement website, which has links to important documents in English and Spanish, including the Settlement itself, the claim forms, and other relevant court filings. CPT has a 24/7 toll-free phone line with a live operator available to answer any Class Member questions.



Have Questions?  You can read the official 8 page settlement notice posted at the settlement website.






Disclaimer: Information on this page comes from documents on file with the court. It does not contain every detail and aspect of the case. It is not a substitute for professional legal advice. This litigation is ongoing and details and terms may change or be modified by the court.


Fairness in Reporting: The companies mentioned have been given the opportunity to correct any inaccuracies.
