Minnesota Department of Human Services Data Breach Affects Over 300K Individuals

Posted by Steve Alder

The Minnesota Department of Human Services (DHS) has notified almost 304,000 individuals about unauthorized access to their demographic records. The records were stored in the MnChoices system, which is used by counties, Tribal Nations, and managed care organizations to support their assessment and planning work for state residents requiring long-term services and support.

The system is managed by the third-party vendor, FEI Systems, which notified the Minnesota DHS in November about unauthorized access to data in the system by a user associated with a licensed healthcare provider. While there was a legitimate reason to access limited information in the system, some data was accessed without authorization by the user. The unauthorized access ceased on September 21, 2025, and the user’s access to the system was fully removed on October 30, 2025.

For the majority of affected individuals, the information accessed was limited to demographic information, although for 1,206 individuals, additional information was also accessed. Some medical information was accessed, and for certain individuals, the last four digits of their Social Security numbers. While the forensic investigation identified the categories of information accessed, it was not possible to determine, on a record-by-record basis, exactly what information was accessed for each individual. Due to the limited nature of the data accessed, Minnesota DHS is not providing the affected individuals with free credit monitoring services.

A forensic investigation was ordered to determine the exact types of information accessed and the individuals affected. At the time of issuing notification letters on January 16, 2026, no data misuse had been identified. Minnesota DHS has confirmed that the user no longer has access to the system, and additional safeguards have been implemented to prevent similar unauthorized access incidents in the future.

The DHS Office of Inspector General was made aware of the incident and has developed data-driven processes to monitor and evaluate billing information to determine whether there has been inappropriate or fraudulent use of the accessed data. Should any fraudulent use be identified, a thorough investigation will be conducted, and the matter will be reported to law enforcement. In that regard, the Minnesota DHS has requested that all individuals who receive a notification letter about the incident carefully review their health care statements and report any suspicious charges or services.

The post Minnesota Department of Human Services Data Breach Affects Over 300K Individuals appeared first on The HIPAA Journal.

Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

The healthcare technology company Veradigm Inc. (formerly Allscripts) has agreed to settle a class action lawsuit that was filed in response to a 2024 data breach that compromised sensitive patient data. The Illinois-based company provides software tools to healthcare organizations, including electronic medical record software and practice management tools. In December 2024, cybercriminals accessed its network and potentially obtained patient data belonging to its healthcare clients. More than 2 million patients were affected. Data compromised in the incident included names, contact information, dates of birth, health record information, insurance claim data, payment information, and other identifiers, such as Social Security numbers and copies of their driver’s licenses.

The first class action lawsuit in response to the data breach was filed in June 2025 by plaintiffs Tony Goodrum and Jason Mixton, individually and on behalf of similarly situated individuals. A second class action lawsuit was subsequently filed, and the two actions were consolidated into a single action in the U.S. District Court for the Northern District of Illinois, since they had overlapping claims.

The consolidated lawsuit – Goodrum, et al. v. Veradigm Inc.– alleged that the data breach was the result of negligence, and could have been prevented had reasonable and appropriate cybersecurity measures been implemented. In addition to negligence, the lawsuit asserted claims for negligence per se, breach of implied contract, unjust enrichment, declaratory judgment, and injunctive relief.

Veradigm denies all claims of wrongdoing and liability; however, shortly after the two lawsuits were filed, the company explored the prospect of early resolution. Following mediation after the consolidated lawsuit was filed, an agreement in principle was reached to settle the litigation, with no admission of liability or wrongdoing. Class counsel and the class representatives believe the negotiated settlement is fair and in the best interests of the class members.

Under the terms of the settlement agreement, Veradigm has agreed to establish a $10,500,000 settlement fund to cover claims for benefits for the class members, settlement administration costs, and attorneys’ fees and costs, as approved by the court. Class members are entitled to submit a claim for up to $5,000 as reimbursement of documented, unreimbursed losses due to the data breach or, alternatively, may claim a cash payment, which is expected to be $50, but will be adjusted based on the number of valid claims received. Regardless of the option chosen, class members are also entitled to claim a two-year membership to a medical data monitoring product. Further information on what may be claimed can be found on the settlement website: https://veradigmdatasettlement.com/

The deadline for objection and opting out of the settlement is February 17, 2026. Claims must be submitted by March 3, 2026, and the final fairness hearing has been scheduled for March 18, 2026.

The post Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Valley Eye Associates Confirms Patient Data Stolen in Ransomware Attack

Posted by Steve Alder

Valley Eye Associates has fallen victim to a ransomware attack in which sensitive patient data was exfiltrated from its network. Imperial Beach Community Clinic has started notifying patients about unauthorized access to its email environment.

Valley Eye Associates, Wisconsin

Valley Eye Associates, an ophthalmology, optometry, and LASIK eye surgery center in Appleton, WI, has recently announced that it fell victim to a ransomware attack on or around October 8, 2025. Third-party cybersecurity specialists were engaged to assist with the investigation and determined that the ransomware group had access to its network between October 8, 2025, and October 9, 2025, during which time files were exfiltrated from its network.

While data was stolen, Valley Eye Associates said there are no indications that the stolen data has been or will be used inappropriately. It is unclear how that determination was made. The ransomware group behind the attack was not mentioned in the breach notice, although the Qilin ransomware group claimed responsibility for the attack and published the stolen data, indicating the ransom was not paid. The group claimed to have exfiltrated 139 GB of data.

Valley Eye Associates is still reviewing the affected data and will notify the affected individuals when that process is completed. Valley Eye Associates said it has taken steps to improve security to prevent similar incidents in the future, including implementing additional security protections for its email environment, which suggests that email was used for initial access.

Imperial Beach Community Clinic, California

Imperial Beach Community Clinic, a California community healthcare serving the San Diego South Bay area, has notified the California Attorney General about a cybersecurity incident and data breach that was first identified almost a year ago. According to the breach notice, unusual activity was identified within its email environment on April 15, 2025. An investigation was launched to determine the nature and scope of the activity, and it was confirmed that an unauthorized individual had access to certain email accounts from February 4, 2025, to May 2, 2025. During that time, certain information in the accounts may have been acquired.

The affected data set was reviewed, and on December 30, 2025, the file review was concluded. Data compromised in the incident included name, age, appointment date, claim number, date of birth, encounter ID number, gender, insurance information, insurance name, patient ID number, procedure type, provider name, service date, and visit type. Imperial Beach Community Clinic has reviewed and enhanced its data privacy and security policies and procedures to prevent similar incidents in the future. The California Attorney General breach notice does not state how many individuals were affected, and the data breach is not yet shown on the HHS’ Office for Civil Rights breach portal.

The post Valley Eye Associates Confirms Patient Data Stolen in Ransomware Attack appeared first on The HIPAA Journal.