Minnesota Department of Human Services Data Breach Affects Over 300K Individuals

Posted by Steve Alder

The Minnesota Department of Human Services (DHS) has notified almost 304,000 individuals about unauthorized access to their demographic records. The records were stored in the MnChoices system, which is used by counties, Tribal Nations, and managed care organizations to support their assessment and planning work for state residents requiring long-term services and support.

The system is managed by the third-party vendor, FEI Systems, which notified the Minnesota DHS in November about unauthorized access to data in the system by a user associated with a licensed healthcare provider. While there was a legitimate reason to access limited information in the system, some data was accessed without authorization by the user. The unauthorized access ceased on September 21, 2025, and the user’s access to the system was fully removed on October 30, 2025.

For the majority of affected individuals, the information accessed was limited to demographic information, although for 1,206 individuals, additional information was also accessed. Some medical information was accessed, and for certain individuals, the last four digits of their Social Security numbers. While the forensic investigation identified the categories of information accessed, it was not possible to determine, on a record-by-record basis, exactly what information was accessed for each individual. Due to the limited nature of the data accessed, Minnesota DHS is not providing the affected individuals with free credit monitoring services.

A forensic investigation was ordered to determine the exact types of information accessed and the individuals affected. At the time of issuing notification letters on January 16, 2026, no data misuse had been identified. Minnesota DHS has confirmed that the user no longer has access to the system, and additional safeguards have been implemented to prevent similar unauthorized access incidents in the future.

The DHS Office of Inspector General was made aware of the incident and has developed data-driven processes to monitor and evaluate billing information to determine whether there has been inappropriate or fraudulent use of the accessed data. Should any fraudulent use be identified, a thorough investigation will be conducted, and the matter will be reported to law enforcement. In that regard, the Minnesota DHS has requested that all individuals who receive a notification letter about the incident carefully review their health care statements and report any suspicious charges or services.

The post Minnesota Department of Human Services Data Breach Affects Over 300K Individuals appeared first on The HIPAA Journal.

Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

The healthcare technology company Veradigm Inc. (formerly Allscripts) has agreed to settle a class action lawsuit that was filed in response to a 2024 data breach that compromised sensitive patient data. The Illinois-based company provides software tools to healthcare organizations, including electronic medical record software and practice management tools. In December 2024, cybercriminals accessed its network and potentially obtained patient data belonging to its healthcare clients. More than 2 million patients were affected. Data compromised in the incident included names, contact information, dates of birth, health record information, insurance claim data, payment information, and other identifiers, such as Social Security numbers and copies of their driver’s licenses.

The first class action lawsuit in response to the data breach was filed in June 2025 by plaintiffs Tony Goodrum and Jason Mixton, individually and on behalf of similarly situated individuals. A second class action lawsuit was subsequently filed, and the two actions were consolidated into a single action in the U.S. District Court for the Northern District of Illinois, since they had overlapping claims.

The consolidated lawsuit – Goodrum, et al. v. Veradigm Inc.– alleged that the data breach was the result of negligence, and could have been prevented had reasonable and appropriate cybersecurity measures been implemented. In addition to negligence, the lawsuit asserted claims for negligence per se, breach of implied contract, unjust enrichment, declaratory judgment, and injunctive relief.

Veradigm denies all claims of wrongdoing and liability; however, shortly after the two lawsuits were filed, the company explored the prospect of early resolution. Following mediation after the consolidated lawsuit was filed, an agreement in principle was reached to settle the litigation, with no admission of liability or wrongdoing. Class counsel and the class representatives believe the negotiated settlement is fair and in the best interests of the class members.

Under the terms of the settlement agreement, Veradigm has agreed to establish a $10,500,000 settlement fund to cover claims for benefits for the class members, settlement administration costs, and attorneys’ fees and costs, as approved by the court. Class members are entitled to submit a claim for up to $5,000 as reimbursement of documented, unreimbursed losses due to the data breach or, alternatively, may claim a cash payment, which is expected to be $50, but will be adjusted based on the number of valid claims received. Regardless of the option chosen, class members are also entitled to claim a two-year membership to a medical data monitoring product. Further information on what may be claimed can be found on the settlement website: https://veradigmdatasettlement.com/

The deadline for objection and opting out of the settlement is February 17, 2026. Claims must be submitted by March 3, 2026, and the final fairness hearing has been scheduled for March 18, 2026.

The post Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.