Vendors Veradigm and ApolloMD Share Insights on Health Data Breaches


Recent Breaches Uncover Cyber Risks to Patient Records Associated with Third-Party Vendors

Vendors Veradigm and ApolloMD Report Health Data Hacks
Healthcare providers frequently face IT interruptions and the cleanup of data breaches involving third-party vendors. (Image: Getty Images)

The healthcare sector is currently grappling with significant vendor security concerns as evidenced by recent reports from Veradigm, previously known as Allscripts, and ApolloMD. These companies, which provide key practice and revenue cycle management solutions, have disclosed hacking incidents that have raised alarms among healthcare providers and affected patients.

This week, Veradigm announced that it has begun notifying several state regulators about a data breach linked to compromised customer credentials. The company uncovered that unauthorized actors accessed sensitive customer data earlier this year, specifically on July 1, revealing that the breach stemmed from credentials obtained during a prior incident targeting one of their clients. The unauthorized access reportedly began on December 15, 2024, though Veradigm learned about it only recently through investigations by a third party.

The compromised data varies among those affected but may include names, birth dates, contact information, health records, Social Security numbers, health insurance details, payment information, and even driver’s license numbers. Veradigm has enlisted cybersecurity experts to conduct a thorough review of the breach and says it is committing significant resources to bolster the security of its client solutions.

In a statement to Information Security Media Group, Veradigm clarified that the breach did not extend to its primary network or operational systems currently used by providers. They are in the process of contacting impacted patients and have informed relevant authorities. However, Veradigm has refrained from disclosing further details regarding the client involved in the breach or the number of individuals affected. As of now, this incident has not been reported to the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool.

In a related incident, ApolloMD, based in Atlanta, released a notice revealing it had begun informing its affiliated physician practices about a data security breach that potentially exposed patient information to unauthorized access. ApolloMD first became aware of unusual activity on May 22 and has since engaged third-party experts to investigate the security incident, which has also been reported to law enforcement.

The investigation indicates that data was accessed in ApolloMD’s IT environment from May 22 to May 23. The compromised information potentially includes patient names, birth dates, addresses, diagnoses, provider names, service dates, treatment details, health insurance information, and Social Security numbers. ApolloMD has yet to provide additional details, and as of this date it has not posted the incident on the HHS OCR breach reporting website.

These recent breaches highlight ongoing risks associated with third-party vendors in healthcare. To date, the HHS Office for Civil Rights has listed 537 significant health data breaches impacting over 41.8 million individuals in 2025. Notably, more than one-third of these incidents, totaling 196, involved business associates, affecting about 17.5 million individuals—42% of all victims thus far.

According to regulatory attorney Paul Hales, the prevalence of lawsuits among breach victims underscores serious deficiencies in health information privacy and security measures, especially within smaller HIPAA-regulated entities. Such vulnerabilities heighten risks associated with critical vendor relationships. The reliance on technical safeguards alone is inadequate; in-depth workforce training is crucial to counter social engineering tactics, identified as a major cybersecurity threat. As recent history demonstrates, even established HIPAA business associates can present significant risks, underscoring the ongoing urgency for all organizations to take their responsibilities concerning the protection of patient health information seriously.
