MedQ settles ransomware lawsuit affecting over 54,000

The administrative healthcare services firm has agreed to settle class action claims tied to a 2023 ransomware breach that exposed sensitive personal and medical data.

What happened

MedQ Inc., which provides administrative services to healthcare organizations, has agreed to settle consolidated litigation related to a ransomware attack that occurred in December 2023. The attack resulted in unauthorized access to MedQ’s systems and the exfiltration of personal data from 54,725 individuals. The stolen information included names, birth dates, Social Security numbers, driver’s license numbers, and health and insurance details.

Despite offering free credit monitoring following the breach, MedQ faced five lawsuits from affected individuals. These suits were consolidated in May 2024 into a single class action: Klepper, et al. v. MedQ, Inc., in the District Court of Oklahoma County.

Going deeper

MedQ, Inc., a provider of administrative services to HIPAA-covered entities, experienced a ransomware attack on or around December 26, 2023. Several servers used by the MedQ platform and hosted on a third-party platform were encrypted during the incident. A forensic investigation later confirmed that files were copied from the servers between December 20 and December 26, 2023, before encryption took place.

The compromised files contained Social Security numbers, driver’s license details, dates of birth, clinical information, diagnoses, lab results, medications, treatment data, subscriber IDs, and insurance and claims information. MedQ has since implemented additional security controls to strengthen monitoring and protect its systems. Affected individuals were offered complimentary credit monitoring and identity theft protection. The breach has been reported to the HHS Office for Civil Rights as impacting 54,725 individuals.

What was said

While MedQ maintains that it was not liable for the breach, the company agreed to a settlement valued at up to $1.2 million to avoid further litigation. The court has given preliminary approval, with a final hearing scheduled to determine whether the settlement is fair and reasonable for all parties involved.

The big picture

Healthcare continues to face some of the most damaging and expensive cyber incidents in any industry. Mid-year data shows that the average cost of a healthcare breach has climbed to $11 million in 2025, the highest across all sectors for the 14th straight year, according to Paubox’s analysis of current breach-cost benchmarks. Incidents like the MedQ ransomware attack show why these figures keep increasing. Administrative service vendors often hold large volumes of clinical and financial identifiers on behalf of multiple clients, which means a single compromise can cascade across healthcare networks.

FAQs

Why are administrative service vendors like MedQ high-value targets for ransomware groups?

They often aggregate PHI and financial identifiers from multiple healthcare clients, creating a single entry point with broad downstream impact. Attackers see these environments as rich in sensitive data but historically uneven in security maturity.

What security shortcomings typically surface in litigation involving vendor breaches?

Cases often point to insufficient network segmentation, weak endpoint protections, inadequate logging, or delayed detection. Vendors without a demonstrable, continuously updated security program face sharper legal scrutiny from both clients and plaintiffs.

How should healthcare organizations evaluate the risk posture of their administrative service partners?

Providers should assess vendor MFA coverage, encryption standards, incident-response readiness, and data-handling practices. Contractual requirements for independent audits and breach reporting timelines are increasingly viewed as baseline expectations.