Veradigm agrees to $10.5 million settlement after 2024 data breach

The healthcare technology firm will resolve consolidated litigation tied to a breach affecting more than two million patients.

 

What happened

Veradigm Inc., an Illinois-based healthcare technology company formerly known as Allscripts, has agreed to settle class action litigation related to a 2024 cyber incident that exposed patient data linked to its healthcare provider clients. Court filings show that attackers accessed Veradigm’s network in December 2024 and may have obtained sensitive patient information, including health and insurance records, payment details, and government identifiers. Multiple lawsuits filed in 2025 were consolidated in the U.S. District Court for the Northern District of Illinois, where plaintiffs alleged that inadequate security controls contributed to the breach.

 

Going deeper

The breach affected data belonging to patients of organizations that relied on Veradigm’s electronic medical record and practice management platforms. Plaintiffs argued that reasonable safeguards could have limited the scope of the incident and reduced downstream harm. The company disputed the allegations but entered mediation shortly after the consolidation of the lawsuits. The parties reached an agreement in principle to resolve the claims without further litigation, citing the costs and uncertainty of prolonged court proceedings. The settlement is subject to court approval and includes relief options for affected individuals as well as commitments related to security oversight.

 

What was said

In the settlement agreement filed in Goodrum v. Veradigm Inc., Veradigm denied all allegations and said the resolution does not indicate an admission of wrongdoing. The agreement states that Veradigm “expressly denies all allegations of wrongdoing, fault, liability, or damages” and that the settlement “shall not be construed as an admission of any liability or unlawful conduct.”

Class representatives and counsel said the agreement provides relief to affected individuals while avoiding the cost, risk, and delay of continued litigation. The settlement will be subject to court review for fairness, reasonableness, and adequacy following the objection and claims process. Veradigm has not issued a separate public statement detailing operational or security changes beyond those set out in the settlement framework.

 

In the know

More than a dozen healthcare organizations were impacted by the Veradigm incident, according to reporting by BankInfoSecurity. Affected clients included:

  • Virginia Ear, Nose and Throat Associates
  • Carolina Ear Nose and Throat Allergy Center
  • Neighborhood Health Center of Western New York
  • Cabarrus Eye Center
  • Family Medical Group of Texarkana
  • La Red Health Center
  • Urology Associates of Mobile
  • Peachtree Neurological Clinic
  • North Buncombe Family Medicine
  • Thomaston Medical Clinic
  • Henrietta Johnson Medical Center in Wilmington
  • Catholic Health Initiatives, including CommonSpirit Health and MercyOne
  • Nystrom and Associates
  • Genesis Healthcare, including Unio Specialty Care
  • Delaware Healthnet
  • Corona-Temecula Orthopedic Associates Medical Group

 

The big picture

Breaches at healthcare technology vendors affect multiple organizations. An American Hospital Association review found that more than 80% of stolen health records in recent years were taken from third-party vendors and service providers rather than hospitals themselves. As platforms like electronic medical records and billing systems centralize data for multiple clients, a single compromise can expose millions of patients at once. Industry groups warn that many providers have limited visibility into where their data sits once it moves into vendor environments, which contributes to both the breach impact and the legal fallout when incidents occur.

 

FAQs

Why do vendor breaches affect so many patients at once?

Healthcare technology vendors often support numerous providers, so a single intrusion can expose data linked to millions of patients across multiple organizations.

 

Does a settlement mean the company admitted fault?

No. Settlements commonly resolve disputes without an admission of liability, allowing both sides to avoid the risk and cost of continued litigation.

 

What types of claims are common in healthcare breach lawsuits?

Claims often include negligence, breach of implied contract, and unjust enrichment, along with requests for injunctive relief.

 

What should affected patients do after a breach like this?

They should review notices carefully, monitor financial and insurance records, and be cautious of communications that reference their healthcare data.

 

Why are courts seeing more cases involving health IT vendors?

As healthcare systems outsource data management to third parties, legal responsibility increasingly extends beyond providers to the technology companies that store and process patient information.

 
