Active breach tracker Maine Disclosed April 11, 2025

Endue Software Data Breach 2025: 118,028 Affected · Hacking/IT Incident · Maine Business Associate · Class Action Settled

Endue Software, a Maine-based infusion management platform used by rheumatology and infusion-therapy providers, confirmed that an unauthorized actor accessed its systems on February 16, 2025. Names, Social Security numbers, dates of birth, medical record numbers, diagnosis and prescription details, and (for a subset) financial account information for 118,028 individuals were exposed. A class-action settlement in Pauley v. Endue received preliminary approval on March 27, 2026.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 16, 2025

Unauthorized actor gains access to Endue Software systems; files copied

Feb 17, 2025

Endue identifies unauthorized access; forensic investigation begins

Mar 31, 2025

Forensic file review confirms exposure of patient data

Apr 11, 2025

Endue files HIPAA breach notification with HHS OCR (118,028 affected); individual notification mailings begin; Vermont AG notice posted

Apr 15, 2025

Multiple plaintiff firms (Strauss Borrelli, Federman & Sherwood, Migliaccio & Rathod, Pittman Dutton, others) open class-action investigations

Mar 27, 2026

Preliminary approval granted in Pauley v. Endue, Inc., No. CACE-25-015155 (17th Jud. Cir., Broward County, Fla.)

Jun 30, 2026

Settlement claim submission deadline

Jul 15, 2026

Final approval hearing scheduled

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical record number and patient account number Diagnosis and treatment information Prescription information

03

Contact & insurance

Phishing + targeted scams

Full name and contact information Provider name(s) and date(s) of service Health insurance information Financial account information and routing numbers (subset of individuals)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Endue Software, a Maine-based developer of infusion-therapy management software used by rheumatology practices and infusion centers, confirmed that an unauthorized actor accessed its systems on February 16, 2025 and copied files containing patient data. The intrusion was identified on February 17, 2025. On April 11, 2025, Endue filed a HIPAA breach notification with the HHS Office for Civil Rights reporting 118,028 affected individuals and began mailing individual notification letters. A proposed class-action settlement in Pauley v. Endue, Inc. received preliminary approval on March 27, 2026, with a final approval hearing set for July 15, 2026.

One important note for affected patients: Endue is the business associate, not your direct provider. Endue’s software is integrated with electronic medical records and pharmacy systems (Epic, NextGen, Azalea, CareCloud, Meditab, CareTend, CPR+) used by rheumatology and infusion clinics. The notification letter you received likely came from your provider’s practice or from Endue’s notice administrator on the provider’s behalf.

Timeline

  • February 16, 2025 — Unauthorized actor gains access to Endue Software systems; files are copied during a brief access window.
  • February 17, 2025 — Endue identifies the unauthorized access. Third-party forensic investigation begins; access is contained.
  • March 31, 2025 — Forensic file review confirms that patient data was contained in the affected files.
  • April 11, 2025 — Endue files the HIPAA breach notification with HHS OCR reporting 118,028 individuals affected. Individual notification mailings begin. Substitute notice posted with the Vermont Attorney General the same day.
  • April 15, 2025 and following — Multiple plaintiff firms publicly open class-action investigations.
  • 2025Pauley, et al. v. Endue, Inc. filed in the 17th Judicial Circuit, Broward County, Florida (Case No. CACE-25-015155).
  • March 27, 2026 — Court grants preliminary approval of the class-action settlement.
  • June 30, 2026 — Deadline for class members to submit claims.
  • July 15, 2026 — Final approval hearing scheduled.

What was exposed

The data elements confirmed exposed vary by individual but include:

  • Full name and contact information
  • Date of birth
  • Social Security number
  • Medical record number and patient account number
  • Diagnosis and treatment information
  • Prescription information
  • Provider name(s) and date(s) of service
  • Health insurance information
  • Financial account information and routing numbers (a subset of affected individuals)

The incident is classified by HHS OCR as a Hacking/IT Incident at Network Server. No ransomware group has publicly claimed responsibility in the sources reviewed, and the publicly available reporting describes the event as unauthorized access with data exfiltration rather than encryption-based ransomware.

Who’s notifying you (and why it’s not your doctor)

Endue Software is a HIPAA business associate. It does not have a direct treatment relationship with patients; it provides infusion-management software to provider organizations (rheumatology practices, infusion centers, specialty clinics). Under HIPAA, the covered-entity provider remains responsible for ensuring affected individuals are notified, but the business associate frequently performs the notification on the provider’s behalf.

Practically, this means:

  • Your notification letter may bear Endue’s name, your provider’s name, or both.
  • At least one Endue customer, Rheumatology Associates of Baltimore, filed its own separate OCR report for 28,968 of its patients tied to the same incident. Other Endue customers may file separately as well; if so, you may receive more than one letter referencing the same underlying event.
  • The dedicated assistance line published by Endue is 1-833-998-5748.

42 CFR Part 2 considerations

Public reporting describes Endue’s customer base as rheumatology and infusion-therapy clinics, not substance use disorder (SUD) treatment programs. The heightened confidentiality protections of 42 CFR Part 2 apply to records of federally assisted SUD treatment programs and would not, on the public record reviewed, apply to the data exposed in this incident. If you received an Endue-related notice from a provider that is a Part 2 program, contact that provider directly to confirm whether your specific record set falls under Part 2 and what additional notice and redisclosure restrictions apply.

Class-action posture

The class action is captioned Pauley, et al. v. Endue, Inc. d/b/a Endue Software, Case No. CACE-25-015155, in the 17th Judicial Circuit in and for Broward County, Florida. The court granted preliminary approval on March 27, 2026. The total settlement fund is $870,000. Class counsel are Jeff Ostrow of Kopelowitz Ostrow P.A. and A. Brooke Murphy of Murphy Law Firm.

Per the official settlement notice posted at EndueSoftwareDataSettlement.com (administered by Simpluris):

  • Up to $2,500 per person for documented out-of-pocket losses traceable to the incident (identity theft, fraud, falsified tax returns, information misuse, credit monitoring fees, ID replacement costs), covering losses incurred between February 16, 2025 and June 30, 2026. Third-party documentation required.
  • Alternative $65 flat cash payment with no documentation required (total alternative payments capped at $260,000; individual amount may increase or decrease pro rata based on total valid claims).
  • Two years of CyEx Medical Shield Complete coverage — includes $1 million in medical identity theft insurance, healthcare insurance ID exposure monitoring, Medical Record Number (MRN) monitoring, unauthorized Health Savings Account (HSA) spending monitoring, and access to a fraud resolution agent.
  • Endue has represented that it has purged all affected personal information from the impacted environment.

Settlement notice mailings began April 16, 2026. To submit a claim online using the Login ID and PIN from your notice, go to EndueSoftwareDataSettlement.com. If you cannot locate your Login ID and PIN, contact the settlement administrator at [email protected] or (833) 386-6509 (24/7 toll-free).

Claim deadline: June 30, 2026 (online or postmarked). Opt-out deadline: June 30, 2026. Final approval hearing: July 15, 2026 at 9:30 a.m.

At least five proposed federal class actions were also filed against Endue earlier in 2025; the publicly reported settlement consolidates the consumer claims.

What to do

  • File a claim by June 30, 2026. If you received a notification letter referencing Endue Software (directly or via your provider), you are presumptively a settlement class member. Submit your claim at EndueSoftwareDataSettlement.com using the Login ID and PIN printed on your notice, or call (833) 386-6509 to request a claim form by mail. Do not pay any third party to file on your behalf.
  • Freeze your credit with Equifax, Experian, and TransUnion. Social Security numbers were exposed for many affected individuals. A security freeze is free, reversible, and materially more protective than monitoring alone.
  • Enroll in the offered identity-protection coverage. The two-year CyEx Medical Shield Complete enrollment code in your letter is single-use; enroll even if you have credit monitoring from a prior breach. The coverage includes $1 million in medical identity theft insurance and specific monitoring for your Medical Record Number and health insurance ID — the medical-record components are the ones most directly at risk given the diagnosis and prescription data exposed.
  • Watch for medical identity theft. Review every Explanation of Benefits from your health insurer for services you did not receive, and request a copy of your medical record from your insurer if anything looks unfamiliar. Diagnosis, prescription, and provider data are the precise inputs an attacker needs to bill fraudulent infusion or specialty-drug claims.
  • Be alert to targeted phishing. Threat actors holding your name, date of birth, provider name, and treatment details can craft highly convincing follow-on lures (fake “billing department” calls, fake portal-login emails). Treat unexpected outreach referencing your treatment with skepticism and call your provider back at a number you look up independently.
  • If financial account or routing numbers were called out in your letter, contact your bank to flag the account and consider rotating it. Only a subset of affected individuals received that disclosure.
  • Stop the ongoing flow of your infusion and rheumatology treatment data. HealthConsent files HIPAA restriction requests so the diagnosis, prescription, and provider information exposed in this breach is not continuously re-shared across insurer networks and clearinghouses.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.