NextGen proposes $19.3m settlement over 2023 ransomware lawsuit
Farah Amod
Nov 17, 2025 3:34:22 PM
A proposed class action settlement may bring closure to one of the largest healthcare software breaches in recent years.
What happened
NextGen Healthcare has agreed to a proposed $19.3 million settlement to resolve a consolidated class action lawsuit stemming from a 2023 ransomware attack that exposed sensitive data belonging to over one million individuals. The attack was first detected on April 28, 2023, and led to the filing of multiple lawsuits eventually consolidated in the U.S. District Court for the Northern District of Georgia.
The plaintiffs alleged that NextGen failed to implement reasonable safeguards to protect patient information, asserting 25 legal claims ranging from negligence to privacy violations. The proposed settlement, reached after mediation sessions in June and August 2025, includes compensation for affected individuals and funds for credit monitoring, legal fees, and other related costs. The settlement is now awaiting court approval.
Going deeper
Hackers had access to NextGen’s systems between March 29 and April 14, 2023. The breach, involving the NextGen Office system, affected more than one million individuals and was reported to the Maine Attorney General. The incident followed a separate ransomware attack by the Blackcat group in January 2023.
Under the settlement, affected individuals can claim:
- Up to $7,500 for documented, unreimbursed losses
- Up to $250 for time lost (10 hours at $25/hour)
- A cash payment estimated at $50 (pro rata)
- California residents may opt for an alternative $150 cash payment
- Three years of credit monitoring and identity theft protection
If funds remain after distributions, they will be used to extend identity protection services or go to a nonprofit cybersecurity organization.
NextGen denies all allegations and maintains it acted appropriately. The court previously dismissed most of the plaintiffs’ 25 claims, but five counts were allowed to proceed, including breach of fiduciary duty and violations of privacy laws in Georgia and California.
What was said
NextGen argued it owed no fiduciary duty to individuals because it was a service provider and not in a direct relationship with patients. Judge Thomas Thrash disagreed, noting that Georgia law may recognize a fiduciary duty under certain conditions involving the handling of private medical data.
The judge also allowed several claims under state-level privacy and deceptive trade practices laws to move forward. These included the Georgia Uniform Deceptive Trade Practice Act (GUDTPA), the California Consumer Privacy Act (CCPA), and California’s Unfair Competition Law (UCL).
The big picture
According to the American Hospital Association (AHA), ransomware attacks on hospitals and healthcare technology providers have evolved into threats that endanger both public health and patient safety. The AHA stresses that defending against these attacks requires a coordinated effort that uses “the entire law enforcement, intelligence, and military capabilities of the U.S. government” to deter foreign adversaries targeting healthcare. It also calls for stronger collaboration with the FBI and DHS, better information sharing among hospitals, and unified security practices across IT, clinical, and administrative teams. The NextGen case serves as a reminder that when these safeguards aren’t fully in place, the consequences can be costly, both financially and in terms of patient trust.
FAQs
What is breach of fiduciary duty, and why is it significant in this case?
Breach of fiduciary duty refers to a failure to act in the best interests of another party in a relationship of trust. In this case, the court suggested that even without a direct relationship, the handling of private medical data might establish such a duty under Georgia law.
What is the difference between this and the earlier Blackcat ransomware attack on NextGen?
The Blackcat attack occurred in January 2023, months before the breach at the center of this lawsuit. While both involved NextGen systems, the April incident led to more extensive data exposure and subsequent legal action.
What does "cy pres" mean in the context of the settlement?
"Cy pres" is a legal doctrine that allows leftover settlement funds to be distributed to a nonprofit organization aligned with the lawsuit’s purpose - in this case, a cybersecurity nonprofit - when direct distribution to class members is no longer feasible.
Could this settlement influence how other healthcare software providers handle breaches?
Yes. Large settlements and legal scrutiny often lead to increased investment in data security and more cautious breach response strategies across the industry, especially when courts hold vendors accountable for safeguarding sensitive data.