Veradigm Data Breach 2025 (Rhysida Ransomware): 2.67M Patients of Provider Customers Exposed. $10.5M Settlement Preliminarily Approved. What To Do
Veradigm (formerly Allscripts) is a Chicago healthcare IT vendor whose storage account was accessed via credentials stolen from a client during a Rhysida ransomware attack in December 2024. 2,672,036 patients of downstream provider customers were affected. The Goodrum class action has a $10.5M settlement in preliminary approval.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 15, 2024
Unauthorized access to a Veradigm storage account using credentials stolen from a client (Sunflower Medical Group) during Rhysida ransomware attack
Jan 7, 2025
Sunflower Medical Group discovers its breach; Rhysida adds SMG to its dark web leak site the same day with proof of claims
Jul 1, 2025
Veradigm learns of the storage-account access through the client's third-party forensic investigation
Sep 22, 2025
Veradigm begins mailing individual notification letters and filing with state attorneys general
Sep 22, 2025
Filed with HHS OCR: 2,672,036 individuals, Hacking/IT Incident on Network Server, Business Associate
Nov 1, 2025
DataBreaches.net reports Veradigm client data found in the Rhysida/SMG leak tranche, contradicting Veradigm's framing that operational systems were unaffected
Nov 6, 2025
Judge John Robert Blakey grants preliminary approval to $10.5M class action settlement (Goodrum v. Veradigm)
Feb 17, 2026
Class-action opt-out and objection deadline
Mar 16, 2026
Class-action claim submission deadline (9:00 a.m. ET)
Mar 18, 2026
Final fairness hearing scheduled
Dec 15, 2024
Unauthorized access to a Veradigm storage account using credentials stolen from a client (Sunflower Medical Group) during Rhysida ransomware attack
Jan 7, 2025
Sunflower Medical Group discovers its breach; Rhysida adds SMG to its dark web leak site the same day with proof of claims
Jul 1, 2025
Veradigm learns of the storage-account access through the client's third-party forensic investigation
Sep 22, 2025
Veradigm begins mailing individual notification letters and filing with state attorneys general
Sep 22, 2025
Filed with HHS OCR: 2,672,036 individuals, Hacking/IT Incident on Network Server, Business Associate
Nov 1, 2025
DataBreaches.net reports Veradigm client data found in the Rhysida/SMG leak tranche, contradicting Veradigm's framing that operational systems were unaffected
Nov 6, 2025
Judge John Robert Blakey grants preliminary approval to $10.5M class action settlement (Goodrum v. Veradigm)
Feb 17, 2026
Class-action opt-out and objection deadline
Mar 16, 2026
Class-action claim submission deadline (9:00 a.m. ET)
Mar 18, 2026
Final fairness hearing scheduled
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Veradigm LLC is a Chicago-based healthcare IT vendor. It is the same company that operated as Allscripts Healthcare Solutions until a 2022 rebrand, and it sells electronic health record (EHR) software, practice management systems, payer analytics, and provider data feeds to physician practices, health systems, and insurers across the United States. Veradigm was publicly traded on Nasdaq under the ticker MDRX until February 2024, when Nasdaq delisted the company for failing to file required SEC reports on time after a series of financial restatements. The stock is now quoted on the over-the-counter market.
The 2025 breach did not originate inside Veradigm. According to Veradigm’s own notice and to follow-on reporting, in December 2024 the Rhysida ransomware group compromised one of Veradigm’s clients, Sunflower Medical Group in Kansas. While inside Sunflower’s network, Rhysida stole valid credentials that Sunflower used to access a Veradigm storage account. The attackers then used those credentials to log in to Veradigm’s storage environment and exfiltrate data on or around December 15, 2024.
Veradigm did not learn of the access for nearly seven months. On July 1, 2025, the third-party firm investigating Sunflower’s incident informed Veradigm that the attackers had moved laterally from Sunflower into Veradigm. Veradigm began notifying state attorneys general and mailing individual notification letters on September 22, 2025, and filed the breach with HHS OCR the same day. The OCR record lists 2,672,036 affected individuals, type “Hacking/IT Incident,” location “Network Server,” and Veradigm’s role as Business Associate.
Veradigm’s public statement frames the incident narrowly: “This incident did not affect Veradigm’s primary network, customer systems actively used by providers, or daily operations.” DataBreaches.net challenged that framing on November 1, 2025, reporting that the Rhysida leak-site tranche for Sunflower included subdirectories of data from at least four downstream Veradigm clients (Urology Associates of Mobile, Cabarrus Eye Center, Family Medical Group of Texarkana, and Peachtree Neurological / Piedmont Physicians Group Peachtree Neurology), meaning the stolen data appears to have been published on the dark web rather than contained.
Why you are hearing about it from your doctor, not from Veradigm
This is the part most patients find confusing. Veradigm is a business associate under HIPAA. It does not have a direct treatment relationship with you. The HIPAA Breach Notification Rule lets a business associate either notify affected individuals itself or delegate that duty back to the covered entity (the practice or hospital you actually saw). Veradigm took the second approach: it identified the affected files, packaged the names and addresses by client, and asked each affected provider to send the notification letters in its own name.
That is why your letter likely came from a name you recognize. Practices that have been publicly linked to this incident include:
- Sunflower Medical Group (Kansas; also includes Heartland Primary Care and Women’s Clinic Associates) — the original Rhysida victim and source of the stolen credentials
- Urology Associates of Mobile (Alabama)
- Cabarrus Eye Center (North Carolina)
- Family Medical Group of Texarkana (Texas / Arkansas)
- Peachtree Neurological, now Piedmont Physicians Group Peachtree Neurology (Georgia)
- UofL Health (Kentucky; posted a Veradigm HIPAA media notice on its website in November 2025)
This is almost certainly a partial list. State attorney general filings in South Carolina and Texas alone accounted for roughly 70,000 affected individuals. With 2.67 million people in total, dozens of additional Veradigm provider clients are involved.
What was stolen
The data elements Veradigm has confirmed in its substitute notice and in state attorney general filings:
- Full name
- Contact information (address, phone, email)
- Date of birth
- Social Security number (subset of affected individuals)
- Driver’s license number (subset of affected individuals)
- Health insurance information (insurer, member ID, claim details)
- Medical records information: diagnoses, medications, test results, treatments
- Payment details
Because the stolen data was published on Rhysida’s dark web leak site (according to DataBreaches.net’s review of the Sunflower tranche), this is not a hypothetical-risk breach. The data is in circulation.
The $10.5M class action settlement is already preliminarily approved
The class action filed against Veradigm consolidated in the U.S. District Court for the Northern District of Illinois as Goodrum, et al. v. Veradigm, Inc., No. 1:25-cv-07062. Lead plaintiffs include Tony Goodrum, Jason Mixton, Marty Wooley, Todd Clay, and Tanya Walker. The court (Judge John Robert Blakey) granted preliminary approval of the settlement on November 6, 2025.
Settlement terms:
- $10,500,000 non-reversionary settlement fund covering all class member benefits, administration costs, attorneys’ fees, and service awards
- Tier A: Up to $5,000 reimbursement for documented out-of-pocket losses tied to the breach
- Tier B: Approximately $50 cash payment (pro-rata adjusted based on claim volume) for class members who cannot or do not document specific losses
- All class members: Two years of medical-data monitoring (a different product class from credit monitoring; designed to catch medical identity theft signals such as insurance fraud, prescription fraud, or unauthorized care billed under your name)
Class definition: living US residents who were sent a notice that their Private Information may have been impacted by the Veradigm data incident.
Key deadlines:
- February 17, 2026 — opt-out and objection deadline
- March 16, 2026, 9:00 a.m. ET — claim submission deadline
- March 18, 2026 — final fairness hearing
The settlement administrator is Kroll Settlement Administration LLC. The official claim portal is at veradigmdatasettlement.com.
Veradigm denies all wrongdoing and is settling without admission of liability.
What Veradigm is offering directly
Independent of the class action, Veradigm offered complimentary Experian IdentityWorks credit monitoring and identity-theft protection to affected individuals. The enrollment code and instructions are in the individual notification letter. The duration is two years for individuals whose Social Security numbers or driver’s license numbers were exposed.
What to do if you received a letter
This week:
- Enroll in the credit monitoring. Use the enrollment code in your letter to activate the Experian IdentityWorks subscription. It is free to you. Then place free credit freezes at all three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). The freezes do more than the monitoring does, because they prevent new accounts from being opened in your name at all.
- File the class action claim. Visit veradigmdatasettlement.com before the March 16, 2026 deadline. If you have any documented losses (fraudulent charges, time spent dealing with the breach, costs of credit reports, lost wages from dealing with identity theft), submit them under Tier A. Otherwise file under Tier B for the cash payment. Either tier also gets you two years of medical-data monitoring.
- If your letter mentions SSN or driver’s license exposure: file IRS Form 14039 (Identity Theft Affidavit) and place a fraud alert with the Social Security Administration. Tax-refund fraud and unemployment-insurance fraud are common downstream consequences.
This month:
- Decide whether to opt out. The opt-out deadline is February 17, 2026. Opting out preserves your right to sue Veradigm individually but forfeits your right to any class settlement benefit. For most affected individuals the class settlement is the better option, but if you have catastrophic documented losses you may want to consult a plaintiffs’ attorney directly. We are not a law firm.
- Stop the ongoing flow of your medical data. The data Rhysida posted publicly includes diagnoses, medications, and treatments. Once that data is in the wild, it is bought, enriched, and resold by data brokers, ad-tech firms, and consumer-health platforms. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across the data-broker ecosystem so the medical record exposed in this breach is not continuously re-sold downstream. Credit monitoring and the class settlement address financial fraud. They do not address the flow of your diagnoses through the data-broker layer.
Frequently asked questions
Veradigm says its primary systems were not affected. Is my data still at risk?
Yes. Veradigm’s statement refers to its production EHR and practice management environments, which were not encrypted or otherwise disrupted. But a storage account containing 2.67 million patient records was accessed, and DataBreaches.net’s review of the Rhysida leak-site tranche indicates Veradigm client data was published publicly. The distinction matters operationally for Veradigm but not for your personal exposure.
How did Rhysida get in if Veradigm itself was not hacked?
Through credential reuse. Sunflower Medical Group, a Veradigm client, was compromised first. Rhysida found credentials inside Sunflower’s environment that Sunflower legitimately used to log in to a Veradigm storage location, then used those credentials to access Veradigm directly. This is a common business-associate-breach pattern: the vendor is not breached at the perimeter, but a customer’s stolen credentials become the path in.
Why did the OCR filing take nine months from the original incident?
Veradigm has stated that it did not learn of the access until July 1, 2025, when the firm investigating Sunflower’s breach told them. From that discovery date, the OCR filing on September 22, 2025 is within HIPAA’s 60-day window. The longer timeline reflects how long Sunflower’s own forensic investigation took before the lateral movement into Veradigm was identified.
Is Veradigm still in business?
Yes, though its corporate status is unusual. Veradigm was delisted from Nasdaq in February 2024 for failing to file SEC reports on time after a series of accounting restatements. The stock is currently quoted over-the-counter under the ticker MDRX. The company continues to operate its EHR, practice management, and payer-data businesses normally.
Is HealthConsent affiliated with Veradigm, the class action, or any provider customer?
No. HealthConsent is an independent health-data privacy service.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: Veradigm Announces Data Breach Affecting Several Customers
- HIPAA Journal: Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit
- DataBreaches.net: Veradigm's Breach Claims Under Scrutiny After Dark Web Leak
- BankInfoSecurity: Vendors Veradigm and ApolloMD Report Health Data Hacks
- BankInfoSecurity: EHR Vendor Veradigm to Pay $10.5M to Settle Hack Lawsuit
- Veradigm Settlement Site (Kroll Settlement Administration)
- Goodrum v. Veradigm Long-Form Settlement Notice (PDF)
- Goodrum v. Veradigm Preliminary Approval Order (PDF)
- CourtListener Docket: Goodrum v. Veradigm, 1:25-cv-07062 (N.D. Ill.)
- University of Louisville Health: Veradigm HIPAA Media Notice (PDF)
- Veradigm Investor Relations: Nasdaq Delisting Notice (Feb 2024)
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.