Breach Compromised Data of Over a Dozen Healthcare Providers, Impacting 2.5 Million Patients

Electronic health records provider Veradigm, previously known as AllScripts, has agreed to a $10.5 million settlement regarding a consolidated class action lawsuit that arose from a hacking incident in December 2024. This breach impacted over a dozen healthcare clients and potentially compromised the data of approximately 2.5 million patients.
The lawsuit against Veradigm cited claims including negligence, breach of implied contract, and unjust enrichment. A breach notice issued by Veradigm revealed that unauthorized access to client data was discovered on July 1, 2025. An attacker reportedly exploited compromised credentials to infiltrate a Veradigm storage system. Although the incident occurred around December 15, 2024, Veradigm only became aware of the breach later, through a third-party investigation of the original security incident affecting their client.
The compromised data varied across individuals but included sensitive information such as names, dates of birth, contact details, health-related data, Social Security numbers, health insurance information, payment details, and driver’s license numbers. In MITRE ATT&CK terms, tactics including initial access and privilege escalation may have played a role in the attack’s execution.
Under the preliminary settlement, affected class members can file claims for cash payments of up to $5,000 to compensate for documented losses connected with the incident. Alternatively, they may opt for a flat pro rata payment of about $50. Each affected member can also claim two years of complimentary medical identity theft and fraud monitoring services.
The attorneys representing the plaintiffs are seeking approximately one-third of the settlement fund, amounting to around $3.5 million in fees and expenses. As part of the settlement agreement, Veradigm is required to provide a written and signed declaration to class counsel, detailing the security measures implemented or planned post-breach, no later than 14 days before the final court approval hearing scheduled for February 18.
Veradigm will bear the costs of these enhanced security measures separately from the $10.5 million settlement fund. The breach affected several notable healthcare providers, including Virginia Ear, Nose and Throat Associates; La Red Health Center; and Urology Associates of Mobile, among others.