The Florida-based healthcare software vendor will compensate victims following a 2023 breach that exposed sensitive health and identity data.
Medusind has agreed to pay $5 million to settle a consolidated class action lawsuit over a 2023 data breach that compromised the protected health information (PHI) of more than 701,000 individuals. The breach, discovered on or around December 29, 2023, involved unauthorized access and exfiltration of files from the company’s network.
Exposed data included names, contact information, medical histories, health insurance details, Social Security numbers, and government-issued ID numbers. Notification letters were not sent until over a year after the breach occurred.
Medusind is a revenue cycle and practice management software provider, serving healthcare organizations that rely on it to handle billing and sensitive patient information. Following the breach, eight separate lawsuits were filed, all claiming the company failed to implement adequate data protection safeguards. These were consolidated into a single case: Ashley Owings v. Medusind, Inc., in the Southern District of Florida.
Medusind denied all allegations but agreed to a settlement after mediation in June 2025. The agreement includes:
Though Medusind continues to deny fault or liability, it agreed to resolve the case without admission of wrongdoing. The company will also provide an attestation of its post-breach security improvements before final settlement approval.
Class members have until December 14, 2025, to object or exclude themselves from the settlement. Claims must be filed by December 29, 2025, and a final approval hearing is scheduled for January 12, 2026.
This settlement shows the legal and financial exposure healthcare providers face when a third-party vendor suffers a breach. Organizations should review vendor agreements, indemnification clauses, and their own liability in similar scenarios.
Healthcare organizations should conduct regular vendor risk assessments, ensure Business Associate Agreements (BAAs) are in place, and verify that partners maintain strong encryption, access controls, and breach response protocols.
Yes. Patients are increasingly aware of their rights under HIPAA and state laws like CCPA. Organizations may face more questions about how their vendors secure PHI and how quickly they communicate about breaches.