A proposed class action settlement may bring closure to one of the largest healthcare software breaches in recent years.
NextGen Healthcare has agreed to a proposed $19.3 million settlement to resolve a consolidated class action lawsuit stemming from a 2023 ransomware attack that exposed sensitive data belonging to over one million individuals. The attack was first detected on April 28, 2023, and led to the filing of multiple lawsuits eventually consolidated in the U.S. District Court for the Northern District of Georgia.
The plaintiffs alleged that NextGen failed to implement reasonable safeguards to protect patient information, asserting 25 legal claims ranging from negligence to privacy violations. The proposed settlement, reached after mediation sessions in June and August 2025, includes compensation for affected individuals and funds for credit monitoring, legal fees, and other related costs. The settlement is now awaiting court approval.
Hackers had access to NextGen’s systems between March 29 and April 14, 2023. The breach, involving the NextGen Office system, affected more than one million individuals and was reported to the Maine Attorney General. The incident followed a separate ransomware attack by the Blackcat group in January 2023.
Under the settlement, affected individuals can claim:
If funds remain after distributions, they will be used to extend identity protection services or go to a nonprofit cybersecurity organization.
NextGen denies all allegations and maintains it acted appropriately. The court previously dismissed most of the plaintiffs’ 25 claims, but five counts were allowed to proceed, including breach of fiduciary duty and violations of privacy laws in Georgia and California.
NextGen argued it owed no fiduciary duty to individuals because it was a service provider and not in a direct relationship with patients. Judge Thomas Thrash disagreed, noting that Georgia law may recognize a fiduciary duty under certain conditions involving the handling of private medical data.
The judge also allowed several claims under state-level privacy and deceptive trade practices laws to move forward. These included the Georgia Uniform Deceptive Trade Practice Act (GUDTPA), the California Consumer Privacy Act (CCPA), and California’s Unfair Competition Law (UCL).
According to the American Hospital Association (AHA), ransomware attacks on hospitals and healthcare technology providers have evolved into threats that endanger both public health and patient safety. The AHA stresses that defending against these attacks requires a coordinated effort that uses “the entire law enforcement, intelligence, and military capabilities of the U.S. government” to deter foreign adversaries targeting healthcare. It also calls for stronger collaboration with the FBI and DHS, better information sharing among hospitals, and unified security practices across IT, clinical, and administrative teams. The NextGen case serves as a reminder that when these safeguards aren’t fully in place, the consequences can be costly, both financially and in terms of patient trust.
Breach of fiduciary duty refers to a failure to act in the best interests of another party in a relationship of trust. In this case, the court suggested that even without a direct relationship, the handling of private medical data might establish such a duty under Georgia law.
The Blackcat attack occurred in January 2023, months before the breach at the center of this lawsuit. While both involved NextGen systems, the April incident led to more extensive data exposure and subsequent legal action.
"Cy pres" is a legal doctrine that allows leftover settlement funds to be distributed to a nonprofit organization aligned with the lawsuit’s purpose - in this case, a cybersecurity nonprofit - when direct distribution to class members is no longer feasible.
Large settlements and legal scrutiny often lead to increased investment in data security and more cautious breach response strategies across the industry, especially when courts hold vendors accountable for safeguarding sensitive data.