Veradigm Announces Data Breach Affecting Several Customers

On September 22, 2025, Veradigm, a Chicago, Illinois-based provider of practice management and electronic health record solutions to healthcare providers (formerly Allscripts), started issuing notification letters about a July 2025 security incident that involved unauthorized access to customer data.

On July 1, 2025, Veradigm learned that an unauthorized third party had accessed one of its storage locations. Steps were immediately taken to block the unauthorized access, law enforcement was notified, and third-party digital forensics and cybersecurity experts were engaged to investigate the activity and mitigate any impact of the unauthorized access. The investigation determined that a data security incident at one of its customers resulted in credential theft that allowed access to a Veradigm storage account. The attacker used the credentials to access the storage account on or around December 2024. Veradigm learned about the unauthorized access through a third party that was investigating its customer’s security incident. The data breach was limited to the storage account, and no other systems or environments were affected. While data was exposed, Veradigm is unaware of any misuse of the exposed data.

The file review confirmed that the following types of information had been exposed: name, contact information, date of birth, health records information (diagnoses, medications, test results, and treatments), health insurance information, payment details, and limited identifiers, such as Social Security numbers and driver’s license numbers. The types of information involved vary from individual to individual. Veradigm has implemented additional technical safeguards to prevent similar incidents in the future and has offered the affected individuals complimentary credit monitoring and identity theft protection services.

The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected. The breach affected several Veradigm customers and is likely to be significant. At least 70,000 individuals have been confirmed as affected in two states alone, based on the breach reports submitted to the Texas and South Carolina state attorneys general. The California Attorney General has also been informed that state residents have been affected.

The post Veradigm Announces Data Breach Affecting Several Customers appeared first on The HIPAA Journal.

Security Researcher Identifies Exposed 150,000-record Home Health Care Database

Cybersecurity researcher Jeremiah Fowler has found an exposed 23.7 GB database containing more than 145,000 files, such as PDFs, PNGs, and other image files. The database has been linked to the California home health and palliative care provider, Archer Health. Fowler analyzed a sample of the files and identified patient names, contact information, Social Security numbers, and patient ID numbers. The files included medical documents such as discharge summaries, which included health information such as conditions, diagnoses, admission and discharge dates, treatment information, care plan information, as well as assessments and home health certifications.

Many of the image files were screenshots of healthcare management software that showed active dashboards, logging, tracking, and scheduling details. Some of the folder names included patients’ first and last names – a bad security practice. As Fowler pointed out, personally identifiable information such as patient names can easily be exposed through error or monitoring logs. Fowler was able to link the database to Archer Health and notified the company about the exposed database, which was secured within hours and is no longer accessible. Archer Health thanked Fowler for bringing the matter to their attention and confirmed that an investigation had been launched, and any security issues that led to the exposure would be addressed.

It was not possible to tell how long the database was exposed, if it was accessed or copied by any unauthorized individuals, or whether the database was maintained by Archer Health or one of its vendors. Since only a sample of files was analyzed, it is unclear how many patients had their data exposed.

Mailing Error Impacts More Than 3,100 Arizonans

The Arizona Health Care Cost Containment System (AHCCCS), Arizona’s Medicaid agency, has notified 3,177 members about an impermissible disclosure of a limited amount of protected health information. On August 29, 2025, a mailing error was identified with a routine mailing regarding members’ health plan enrollment when a member called AHCCCS after receiving a misdirected letter.

The mailing was immediately halted, and an investigation was launched to determine the cause of the error, the individuals affected, and the information involved. The letters did not include any highly sensitive information, such as Social Security numbers, only a member’s name, AHCCCS identification number, and health plan name. In each case, the letters were sent to one incorrect recipient. AHCCCS said it has conducted a review of its mailing processes and procedures and has taken steps to prevent similar mis-mailings in the future.


Flo Health; Google; Flurry to Pay $59.5M to Settle Privacy Lawsuit

A settlement has been finalized to resolve litigation against Flo Health, Inc., Google LLC, and Flurry, Inc., over the use of tracking code in Flo Health’s fertility tracking app. Under the terms of the settlement, the defendants will pay almost $60 million to cover legal costs, expenses, and benefits for the plaintiffs and class members.

The Flo Health app is one of the most popular health and wellness apps and has over 38 million monthly users. Prior to using the app, users are asked a series of personal questions about their general, sexual, and gynecological health and menstrual cycles. Further questions are asked as use of the app continues, with the answers used to provide tailored health and wellness advice. Users are told that their information will remain private and confidential and will not be shared with any third parties unless consent is provided, yet code within the app (software development kits) shared that data with the defendants, without the knowledge or consent of app users.

Several lawsuits were filed against Flo Health and the other defendants, which were consolidated into a single action because the actions had overlapping claims – Erica Frasco, et al v. Flo Health, Inc., Meta Platforms, Inc., Google, LLC, and Flurry, Inc. The lawsuit alleged common law invasion of privacy – intrusion upon seclusion, invasion of privacy, violation of the California Constitution, breach of contract, breach of implied contract, unjust enrichment, and violations of the Stored Communications Act, the California Confidentiality of Medical Information Act, Cal. Bus. & Prof. Code, and the Comprehensive Computer Data Access and Fraud Act.

Meta Platforms Inc. was also a named defendant; however, Meta chose not to settle, and the case proceeded to a jury trial. The jury sided with the plaintiffs and found that Meta was in violation of the California Invasion of Privacy Act. Meta Platforms intends to file an appeal. While the settlement was announced in July, the details have only recently been provided to Judge James Donato in the U.S. District Court for the Northern District of California, San Francisco Division. Under the terms of the settlement, $59.5 million will be paid by the defendants: Google has agreed to pay $48 million, Flo Health will pay $8 million, and Flurry will pay $3.5 million. Flo Health has also committed to ensuring app users’ privacy, and will display a prominent notice on its website to that effect for a period of one year following final approval of the settlement.

Attorneys for the plaintiffs will receive one-third of the settlement amount, which will also cover legal expenses, settlement administration costs, and service awards for the eight named plaintiffs. The remainder of the settlement will be used to pay for benefits for the class members. The class consists of all app users who used the app between November 1, 2016, and February 28, 2019.
