Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

The healthcare technology company Veradigm Inc. (formerly Allscripts) has agreed to settle a class action lawsuit that was filed in response to a 2024 data breach that compromised sensitive patient data. The Illinois-based company provides software tools to healthcare organizations, including electronic medical record software and practice management tools. In December 2024, cybercriminals accessed its network and potentially obtained patient data belonging to its healthcare clients. More than 2 million patients were affected. Data compromised in the incident included names, contact information, dates of birth, health record information, insurance claim data, payment information, and other identifiers, such as Social Security numbers and copies of their driver’s licenses.

The first class action lawsuit in response to the data breach was filed in June 2025 by plaintiffs Tony Goodrum and Jason Mixton, individually and on behalf of similarly situated individuals. A second class action lawsuit was subsequently filed, and the two actions were consolidated into a single action in the U.S. District Court for the Northern District of Illinois, since they had overlapping claims.

The consolidated lawsuit – Goodrum, et al. v. Veradigm Inc.– alleged that the data breach was the result of negligence, and could have been prevented had reasonable and appropriate cybersecurity measures been implemented. In addition to negligence, the lawsuit asserted claims for negligence per se, breach of implied contract, unjust enrichment, declaratory judgment, and injunctive relief.

Veradigm denies all claims of wrongdoing and liability; however, shortly after the two lawsuits were filed, the company explored the prospect of early resolution. Following mediation after the consolidated lawsuit was filed, an agreement in principle was reached to settle the litigation, with no admission of liability or wrongdoing. Class counsel and the class representatives believe the negotiated settlement is fair and in the best interests of the class members.

Under the terms of the settlement agreement, Veradigm has agreed to establish a $10,500,000 settlement fund to cover claims for benefits for the class members, settlement administration costs, and attorneys’ fees and costs, as approved by the court. Class members are entitled to submit a claim for up to $5,000 as reimbursement of documented, unreimbursed losses due to the data breach or, alternatively, may claim a cash payment, which is expected to be $50, but will be adjusted based on the number of valid claims received. Regardless of the option chosen, class members are also entitled to claim a two-year membership to a medical data monitoring product. Further information on what may be claimed can be found on the settlement website: https://veradigmdatasettlement.com/

The deadline for objection and opting out of the settlement is February 17, 2026. Claims must be submitted by March 3, 2026, and the final fairness hearing has been scheduled for March 18, 2026.

The post Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Valley Eye Associates Confirms Patient Data Stolen in Ransomware Attack

Posted by Steve Alder

Valley Eye Associates has fallen victim to a ransomware attack in which sensitive patient data was exfiltrated from its network. Imperial Beach Community Clinic has started notifying patients about unauthorized access to its email environment.

Valley Eye Associates, Wisconsin

Valley Eye Associates, an ophthalmology, optometry, and LASIK eye surgery center in Appleton, WI, has recently announced that it fell victim to a ransomware attack on or around October 8, 2025. Third-party cybersecurity specialists were engaged to assist with the investigation and determined that the ransomware group had access to its network between October 8, 2025, and October 9, 2025, during which time files were exfiltrated from its network.

While data was stolen, Valley Eye Associates said there are no indications that the stolen data has been or will be used inappropriately. It is unclear how that determination was made. The ransomware group behind the attack was not mentioned in the breach notice, although the Qilin ransomware group claimed responsibility for the attack and published the stolen data, indicating the ransom was not paid. The group claimed to have exfiltrated 139 GB of data.

Valley Eye Associates is still reviewing the affected data and will notify the affected individuals when that process is completed. Valley Eye Associates said it has taken steps to improve security to prevent similar incidents in the future, including implementing additional security protections for its email environment, which suggests that email was used for initial access.

Imperial Beach Community Clinic, California

Imperial Beach Community Clinic, a California community healthcare serving the San Diego South Bay area, has notified the California Attorney General about a cybersecurity incident and data breach that was first identified almost a year ago. According to the breach notice, unusual activity was identified within its email environment on April 15, 2025. An investigation was launched to determine the nature and scope of the activity, and it was confirmed that an unauthorized individual had access to certain email accounts from February 4, 2025, to May 2, 2025. During that time, certain information in the accounts may have been acquired.

The affected data set was reviewed, and on December 30, 2025, the file review was concluded. Data compromised in the incident included name, age, appointment date, claim number, date of birth, encounter ID number, gender, insurance information, insurance name, patient ID number, procedure type, provider name, service date, and visit type. Imperial Beach Community Clinic has reviewed and enhanced its data privacy and security policies and procedures to prevent similar incidents in the future. The California Attorney General breach notice does not state how many individuals were affected, and the data breach is not yet shown on the HHS’ Office for Civil Rights breach portal.

The post Valley Eye Associates Confirms Patient Data Stolen in Ransomware Attack appeared first on The HIPAA Journal.