Sedgebrook & Heartland Health Center Hit with Ransomware Attacks

Ransomware attacks have recently been announced by the Illinois retirement village and skilled nursing provider Sedgebrook, and the Nebraska healthcare provider Heartland Health Center.

Sedgebrook

Sedgebrook, a retirement village and skilled nursing facility in Lincolnshire, Illinois, has recently announced a ransomware attack that involved unauthorized access to files containing individuals’ personal and protected health information. The attack was detected on May 5, 2025, when the resulting network disruption was noticed. Assisted by third-party digital forensics experts, Sedgebrook determined that a ransomware group had access to its network from May 4 to May 5, 2025, and encrypted files on that network. During that time, data may also have been exfiltrated.

The exposed files were reviewed, and on August 26, 2025, it was confirmed that some of those files contained protected health information, including names, addresses, birth dates, Social Security numbers, driver’s license numbers, financial account information, medical treatment information, medical record numbers, and health insurance information. Notification letters started to be mailed to the affected individuals on October 24, 2025.

While no evidence was found to indicate any misuse of the exposed information, individuals whose Social Security numbers or driver’s license numbers were exposed have been offered complimentary credit monitoring and identity theft protection services. Steps have also been taken to improve security to prevent similar incidents in the future. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Heartland Health Center

Heartland Health Center, a provider of medical, dental, and behavioral health services at clinics in Ravenna and Hastings in Nebraska, has recently disclosed a security breach that was first identified on February 4, 2025. An investigation was launched, with assistance provided by third-party cybersecurity experts, to determine if any sensitive data had been exposed. Following an exhaustive review, Heartland Health Center determined on June 3, 2025, that sensitive data had been exposed and may have been acquired in the attack.

The types of information involved vary from individual to individual and may have included names plus one or more of the following: date of birth, Social Security number, driver’s license number, financial account number, username and access information for a non-financial account, dates of service, diagnosis information, health insurance information, physician/medical facility information, medical condition/treatment information, medical record number, Medicare or Medicaid number, patient account number, certificate or license number, full face photo, and referral information.

Heartland Health Center said it already had robust cybersecurity measures in place, and that they will continue to be reviewed and enhanced as necessary. As a precaution against misuse of patient information, the affected individuals have been offered complimentary single-bureau credit monitoring, credit score, and credit report services. Heartland Health Center did not describe the incident as a ransomware attack; however, the Medusa ransomware group claimed responsibility for it. Medusa is known to exfiltrate data and then sell or publish it, so the affected individuals should take advantage of the credit monitoring services on offer. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

The post Sedgebrook & Heartland Health Center Hit with Ransomware Attacks appeared first on The HIPAA Journal.

$19.3 Million Settlement Proposed to Resolve NextGen Class Action Data Breach Lawsuit

A $19,375,000 settlement has been proposed to resolve a consolidated class action lawsuit against the electronic health records and practice management software provider NextGen Healthcare over a 2023 ransomware attack that affected more than one million individuals.

The attack was detected on April 28, 2023, and the first complaint was filed on May 5, 2023, in the United States District Court for the Northern District of Georgia, Atlanta Division. Thereafter, more than a dozen further lawsuits were filed, which were consolidated into a single action in the same court. The consolidated lawsuit alleged negligence and negligence per se for failing to implement appropriate safeguards to protect sensitive patient information, invasion of privacy/intrusion upon seclusion, breach of implied contract, breach of bailment, breach of fiduciary duty, unjust enrichment, and breach notification failures, in violation of federal and state laws, including the Official Code of Georgia Annotated (O.C.G.A.).

NextGen Healthcare denies all claims and contentions in the lawsuit and maintains there was no wrongdoing or liability. NextGen Healthcare moved to have the lawsuit dismissed; however, the lawsuit was allowed to proceed (see below). Following mediation sessions on June 25, 2025, and August 6, 2025, and after weighing the expense and duration of continued litigation and the risks of doing so, the parties decided to settle the lawsuit.

Under the terms of the settlement, NextGen Healthcare has agreed to establish a $19,375,000 settlement fund to cover attorneys’ fees and expenses, notice costs, settlement administration costs, service awards, and benefits for class members. Class members may submit a claim for documented, unreimbursed losses due to the data breach up to a maximum of $7,500 per class member and up to $250 for lost time (a maximum of 10 hours at $25 per hour). Alternatively, class members may choose to receive a cash payment, which is expected to be $50, but will be subject to a pro rata adjustment. Class members who were residents of California at the time of the data breach may claim an alternative cash payment of $150.

In addition to the above benefits, class members may also claim three years of credit monitoring and identity theft protection services, and should there be any funds remaining in the settlement fund, they will be used to extend the identity and credit monitoring services or will be distributed cy pres to a non-profit cybersecurity organization. The settlement now awaits approval from the court.

August 6, 2024: NextGen Class Action Data Breach Lawsuit Allowed to Proceed

A class action lawsuit against the electronic health record (EHR) and practice management software provider, NextGen Healthcare, over a 2023 ransomware attack has been allowed to proceed.

Hackers had access to NextGen’s computer systems from March 29, 2023, to April 14, 2023, during which time they exfiltrated a huge volume of sensitive data from the NextGen Office system. The data breach was reported to the Maine Attorney General on May 5, 2023, as affecting 1,049,375 individuals. The ransomware attack was the second to be experienced by NextGen in just a few months, with an earlier Blackcat ransomware attack occurring in January 2023.

Repeat ransomware attacks are common. A recent report from the cybersecurity firm Semperis found that three-quarters of companies that had experienced a ransomware attack were attacked more than once. Threat actors often leave malware or other persistence mechanisms behind on a compromised network, which allows them to return and conduct further attacks weeks or months later.

More than a dozen lawsuits were filed against NextGen following the data breach. The plaintiffs sought compensatory, statutory, and punitive damages, additional credit monitoring services, and injunctive relief, requiring NextGen to implement additional security measures to ensure the privacy and security of the data it stores. The lawsuits were consolidated into a single lawsuit – Damon X. Miller v. NextGen Healthcare Inc. – in the U.S. District Court for the Northern District of Georgia.

The consolidated lawsuit alleges NextGen could have prevented the data breach if it had implemented reasonable and appropriate security measures, yet failed to do so, even though it had experienced a ransomware attack in January 2023. The consolidated lawsuit asserted 25 claims, including negligence, unjust enrichment, intrusion upon seclusion, breach of implied contract, breach of bailment, breach of fiduciary duty, and violations of multiple state laws in California, Georgia, Illinois, Iowa, Maine, New Jersey, New Mexico, New York, and Pennsylvania.

NextGen attempted to have 22 of the 25 claims dismissed for failure to state a claim. Most of the claims were dismissed in their entirety by U.S. District Judge Thomas Thrash; however, the motion to dismiss five counts was denied, which gives the plaintiffs the green light to proceed with the action. The motion to dismiss the counts of breach of fiduciary duty, litigation expenses, violation of the Georgia Uniform Deceptive Trade Practices Act (GUDTPA), and violation of the California Consumer Privacy Act (CCPA) was denied in its entirety, and the motion to dismiss the count of violation of the California Unfair Competition Law (UCL) was denied with respect to one of the plaintiffs and a putative subclass.

NextGen had argued that, as a service provider to healthcare organizations, it did not owe a fiduciary duty to the plaintiffs, as it had no direct relationship with them and the mere receipt and storage of confidential data does not create a fiduciary relationship. Judge Thrash disagreed, as in some circumstances, the retention of private information that patients provided while seeking medical care can create a fiduciary duty under Georgia law. In his ruling, Judge Thrash did not state whether the circumstances in the case rose to that level, as that was not a question that could be resolved through a motion to dismiss.

Judge Thrash ruled that the plaintiffs had plausibly stated a claim for litigation expenses premised on bad faith, and the motion to dismiss the GUDTPA claim was denied as NextGen’s argument was dependent on “a strained reading of an unadopted Report and Recommendation.” The CCPA claim was allowed to proceed, as while NextGen argued that it is a service provider under CCPA, the plaintiffs stated otherwise, and Judge Thrash accepted those allegations as true, at least at this stage of the litigation. The motion to dismiss the California Unfair Competition Law claim was denied, as the defendant was alleged to have accepted payment to securely keep data and failed to take reasonable security measures, and that is sufficient to state a claim for restitution under UCL.


Lawsuits Mount Over 10.5 Million-Record Conduent Data Breach

A data breach affecting more than 10.5 million individuals was always going to trigger a barrage of lawsuits, and litigation has been swift, with at least nine class action lawsuits already filed in New Jersey federal court in response to the Conduent data breach. That total is certain to grow over the coming days and weeks, as many law firms have announced that they have opened investigations into potential class action litigation.

The lawsuits make similar claims – that Conduent was negligent by failing to adequately protect its network against unauthorized access and for its alleged failure to provide adequate notifications to the individuals affected by the data breach. The cyberattack was first detected by Conduent in January 2025, three months after hackers first gained access to its network. Conduent first announced the data breach three months later, confirming that sensitive data had been exposed and that the incident affected a substantial number of individuals.

It naturally takes time to investigate any data breach and to determine the number of individuals affected and the types of data involved; however, the lawsuits take issue with the length of that process. More than nine months passed between the detection of the cyberattack in January 2025 and the point at which the scale of the breach became clear and the affected individuals were notified that their sensitive information had been compromised. Notification letters started to be sent in October 2025, one year after Conduent’s network was first accessed by unauthorized individuals.

In addition to negligence and negligence per se, the lawsuits assert claims such as breach of third-party beneficiary contract and unjust enrichment, and seek a jury trial, compensatory, statutory, and punitive damages, and injunctive relief, requiring the court to order Conduent to implement a range of security measures to ensure sensitive data is adequately protected.

The threat group behind the attack may have been the SafePay ransomware group, which added Conduent to its data leak site in January 2025, although Conduent is not currently listed on the SafePay data leak blog. Removal from a leak site often means that a ransom has been paid or the stolen data has been sold, although ransomware groups have been known to fabricate claims.

Class action lawsuits are mounting, but Conduent is also likely to face regulatory scrutiny over the data breach. States are likely to investigate a data breach of this magnitude to determine whether appropriate cybersecurity measures had been implemented in line with state laws and the HIPAA Security Rule. Questions are likely to be asked about how the hackers were able to gain access to such a large amount of sensitive data.

Conduent will also face scrutiny from the HHS’ Office for Civil Rights, which will seek to establish whether the data breach was the result of HIPAA compliance failures. While OCR HIPAA compliance investigations often take many months or years, OCR has indicated it is prioritizing high-impact incidents, as it did with the cyberattack on Change Healthcare, which affected more than 190 million individuals. There is, at this stage, no indication that Conduent has violated any regulations at the federal or state level.

October 28, 2025: More Than 10.5 Million Patients Affected by Conduent Business Solutions Data Breach

A data breach at a business associate of several HIPAA-covered entities and government agencies has resulted in the exposure and potential theft of the protected health information of more than 10.5 million patients. The Conduent Business Solutions data breach is the largest healthcare data breach to be announced so far this year, affecting almost twice as many individuals as the second-largest data breach, which was reported earlier this year by Yale New Haven Health. It also ranks as the 8th largest healthcare data breach in history.

Conduent Business Solutions provides a range of back-office services, including printing, mailing, document processing, payment integrity services, and other support services to government agencies and healthcare organizations. It is currently unknown how many HIPAA-regulated entities have been affected by the data breach.

Blue Cross and Blue Shield of Montana recently announced that it had been affected and that notification letters are being mailed to 462,000 individuals. Blue Cross and Blue Shield of Texas has announced that approximately 310,000 UT Select and UT Care plan members have been affected. The incident is also known to have affected Humana customers and Premera Blue Cross members, although it is unclear how many. Conduent provides services to government agencies such as the Wisconsin Department of Children and Families and Oklahoma Human Services (OHS), which experienced temporary disruption to some of their services due to the outage in January, although OHS was informed that it did not have sensitive data exposed in the incident.

State regulators have been informed that 10,515,849 patients have been affected, including more than 4 million individuals in Texas. It is unclear if any non-healthcare clients had data compromised in the incident. The Conduent Business Solutions data breach was reported to the U.S. Securities and Exchange Commission (SEC) in April. In the SEC filing, Conduent explained that a threat actor gained access to a limited portion of its network IT environment and obtained the data of “a significant number” of people. The incident is not yet shown on the HHS’ Office for Civil Rights (OCR) breach portal, which has not been updated by OCR since September 24, 2025, due to the government shutdown.

The intrusion was detected on January 13, 2025. Assisted by third-party digital forensics experts, Conduent determined that initial access occurred on October 21, 2024, with the threat actor maintaining access for almost three months until Conduent secured its network on January 13, 2025. Conduent said it restored access to the affected systems within days, and in some cases, within hours, and the incident did not have any material impact on its operations.

The investigation confirmed that the threat actor exfiltrated files associated with some of its clients. Due to the complexity of the data involved, it has taken several months to complete the file review and determine the individuals affected and the types of data involved. Individual notifications are now being mailed to the affected individuals.

Information compromised in the incident varies from company to company and individual to individual, potentially involving names, dates of birth, Social Security numbers, treatment information, and claims information. Based on the notice provided to the California Attorney General, complimentary credit monitoring and identity theft protection services do not appear to have been offered.

While the total cost of the cyberattack is not yet known, Conduent said in its May 2025 first-quarter earnings report that it incurred $25 million in direct costs related to the breach response. A cyber insurance policy is held, which will cover a proportion of the cost.

This post will be updated when further information is released.
