Active breach tracker Aventura, Florida Disclosed January 7, 2025

Medusind Inc. Data Breach: 701,475 Affected by December 2023 Network Intrusion at Major Medical Billing Vendor; $5M Class-Action Settlement Paid April 2026

Medusind Inc., an Aventura, FL revenue cycle management and medical billing vendor serving more than 6,000 healthcare providers, filed a HIPAA breach notification with HHS OCR on January 7, 2025 reporting 701,475 individuals affected by a December 2023 network intrusion. A $5 million class-action settlement received final court approval January 26, 2026; payments issued April 10, 2026. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 23, 2023

Suspicious activity detected on Medusind network; affected systems taken offline same day

Dec 23, 2023

Internal discovery of unauthorized access

Jan 7, 2025

Medusind filed HIPAA breach notification with HHS OCR and notified the Maine and California Attorneys General; individual notice letters mailed

Jan 7, 2025

Initial OCR filing listed 694,054 affected; later updated to 701,475 (initial state-AG filings cited 360,934)

Jan 9, 2025

First putative class action filed in S.D. Fla.; eight related complaints later consolidated

Jun 10, 2025

Parties reached settlement in principle following mediation

Jul 22, 2025

Preliminary settlement approval entered by S.D. Fla.

Jan 26, 2026

Final approval hearing held before Judge Rodolfo A. Ruiz II (S.D. Fla.); court granted final approval of $5M settlement — Ashley Owings v. Medusind, Inc., No. 1:25-cv-20117-RAR

Apr 10, 2026

Settlement administrator issued payments to all approved claimants (claim deadline was December 29, 2025)

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers, taxpayer IDs, driver's license numbers, passport numbers

02

Health records

Don't expire and can't be reissued

Health information (medical history, medical record numbers, prescription information)

03

Contact & insurance

Phishing + targeted scams

Names, addresses, dates of birth, email addresses, phone numbers Health insurance information (policy numbers, claims/benefits information) Billing and payment information (debit/credit card numbers, bank account numbers)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Pittman Dutton Hellums Bradley & Mann Abington Cole + Ellery (Abington Law) Arnold Law Firm
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Medusind Inc., an Aventura, Florida revenue cycle management and medical billing vendor that serves more than 6,000 healthcare providers across the United States and India, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on January 7, 2025, ultimately reporting 701,475 affected individuals in a hacking incident at a network server. The intrusion itself occurred on December 23, 2023 and was detected the same day; Medusind’s individual notification letters to patients followed only in January 2025 after the company completed file review with a third-party forensic firm that found evidence of data exfiltration. Eight putative class actions were filed and consolidated in the Southern District of Florida. A $5 million settlement received final court approval from Judge Rodolfo A. Ruiz II on January 26, 2026; the settlement administrator issued payments to approved claimants on April 10, 2026. The claim filing deadline (December 29, 2025) has now passed.

Timeline

  • December 23, 2023 — Medusind detected suspicious activity on its network and took affected systems offline the same day. A third-party cybersecurity forensic firm was retained and later found evidence of data exfiltration.
  • January 7, 2025 — Medusind submitted its HIPAA breach report to HHS OCR and filed notifications with the Maine and California Attorneys General. Individual notice letters began going out the same week. The initial state filing cited 360,934 individuals; the OCR figure was later updated to 694,054 and then to 701,475.
  • January 9, 2025 — The first putative class action was filed in the Southern District of Florida. Seven additional related complaints followed and were consolidated under Ashley Owings v. Medusind, Inc., No. 1:25-cv-20117 (S.D. Fla.).
  • June 10, 2025 — Parties reached a settlement in principle following mediation.
  • July 22, 2025 — The court entered preliminary approval of the $5 million class-action settlement.
  • December 14, 2025 — Deadline for class members to exclude themselves from or object to the settlement.
  • December 29, 2025 — Claim submission deadline (now passed).
  • January 26, 2026 — Final approval hearing held before Judge Rodolfo A. Ruiz II; the court granted final approval of the $5 million settlement (Ashley Owings v. Medusind, Inc., No. 1:25-cv-20117-RAR, S.D. Fla.).
  • April 10, 2026 — Settlement administrator issued payments to all approved claimants.

What was exposed

According to Medusind’s sample notice filed with the California Attorney General, the categories of information involved varied by individual but could include:

  • Names, addresses, dates of birth, email addresses, and phone numbers
  • Social Security numbers, taxpayer IDs, driver’s license numbers, and passport numbers
  • Health insurance and billing information, including policy numbers and claims or benefits information
  • Payment information, including debit and credit card numbers and bank account numbers
  • Health information, including medical history, medical record numbers, and prescription information

Medusind has not publicly described the intrusion further beyond confirming that a third-party forensic firm found evidence of data exfiltration. No ransomware group has claimed responsibility for the attack, and the company has not attributed the intrusion to a named threat actor.

Who is notifying you

Medusind is a business associate under HIPAA — it processes claims, billing, and revenue cycle data on behalf of dental, medical, and specialty practices. That means an affected patient’s notification letter may arrive from Medusind directly, from the patient’s own provider, or from both. The sample notice on file with the California AG was sent under Medusind’s own letterhead and identifies the company by name, but downstream providers may also issue their own notices referencing the Medusind incident as the source.

If you received a letter referencing a “third-party vendor” or “medical billing partner” data incident with a December 2023 timeframe and a January 2025 notification date, it is likely tied to this event.

Downstream provider customers

Medusind has not publicly identified the specific provider customers whose patients were caught in this breach. The company states publicly that it serves more than 6,000 dental, medical, and specialty healthcare providers. As individual provider notices surface in state attorney general filings, this section will be updated.

Class-action posture

Eight separate complaints filed after the January 2025 disclosure were consolidated in the Southern District of Florida as Ashley Owings v. Medusind, Inc., No. 1:25-cv-20117-RAR. The consolidated action alleged negligence and related claims for Medusind’s failure to implement reasonable safeguards over patient and beneficiary data.

The $5 million settlement received preliminary approval on July 22, 2025, and final approval on January 26, 2026, from Judge Rodolfo A. Ruiz II (S.D. Fla.). The settlement administrator issued payments to approved claimants on April 10, 2026. The claim filing deadline was December 29, 2025.

Settlement benefits included:

  • Up to $5,000 per class member in reimbursement for documented out-of-pocket losses, identity theft costs, fraud losses, credit-related expenses, and time spent dealing with the breach; or
  • A flat pro-rata payment of approximately $100 for class members who did not submit documented claims.
  • An additional California subclass payment of approximately $100 for California residents as of the date of the incident, on top of either option above.
  • Two years of credit monitoring with identity theft restoration services for all class members, via Kroll.
  • Injunctive relief requiring Medusind to implement enhanced security measures and provide written attestation of those measures to class counsel.

Plaintiff firms that publicly investigated or represented class members include Pittman Dutton Hellums Bradley & Mann, Abington Law, and the Arnold Law Firm.

What to do

  1. The class-action claim window is closed. The December 29, 2025 filing deadline has passed, and the settlement administrator issued payments on April 10, 2026. If you filed a timely claim and have not yet received payment, contact the settlement administrator at medusinddataincidentsettlement.com or call 1-888-885-6687.
  2. Activate Kroll identity monitoring if you have not already done so. Medusind offered two years of Kroll credit monitoring following the breach, and the settlement added two more years for class members who claimed it. Check your original notice letter for your activation code.
  3. Freeze your credit with Equifax, Experian, and TransUnion. With Social Security numbers, driver’s license numbers, and bank account information in the exposed dataset, a credit freeze is the single highest-leverage protective step available at no cost.
  4. Watch for tax-related identity theft. Taxpayer IDs were among the exposed elements; if you receive an unexpected IRS notice or a rejected e-filed return, request an IRS Identity Protection PIN at irs.gov/identity-theft-central.
  5. Check your provider’s notice carefully. If your dentist or specialist used Medusind for billing and you also received a separate notice from them, both notices likely reference the same incident.
  6. Stop the ongoing flow of your billing and health data. HealthConsent files HIPAA restriction requests so the revenue cycle and billing data exposed in this breach is not continuously re-shared with insurers, clearinghouses, and downstream business associates.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.