Data breach round up: Big numbers, big dollars at stake in healthcare cybercrimes
It’s a tough world out there for healthcare organizations, especially when it comes to cybersecurity. Data breaches are getting more frequent and more expensive than ever, and cybercriminals are hitting the jackpot more often with massive hauls of patient files totaling in the millions.
This fall has been particularly painful for the industry, with a series of major breaches piling up – and huge amounts of money on the line as lawsuits around earlier events start to filter their way through the courts.
Here’s some of the latest news from the world of cybersecurity, including info on new breaches and updates on settlements for previously announced incidents.
Conduent discloses massive data breach affecting more than 10.5 million records
Government contractor Conduent, which works with many state governments on Medicaid administrative tasks, has announced a large data breach affecting more than 10.5 million individuals that took place between October 2024 and January 2025. The number of individuals involved places the breach among the biggest in recent memory.
A ransomware group known as SafePay claimed responsibility for the event, which allegedly involves 8.5 terabytes of data, including “a significant number of individuals’ personal information associated with our clients’ end-users,” according to a related SEC filing from Conduent in April.
Compromised data elements may include patient names, dates of birth, postal address information, Social Security numbers, medical service information (treatment and diagnosis codes, provider names, dates of service and claim amounts), group numbers, and subscriber numbers, according to partner Blue Cross Blue Shield of Texas.
“Due to the complexity of the files, the Company engaged cybersecurity data mining experts to evaluate the exfiltrated data and was recently informed of its nature, scope and validity,” Conduent stated in its SEC filing. “The Company is continuing to further analyze and document the precise and detailed impact of the data exfiltrated, and clients are being informed as appropriate in order to determine next steps as required by federal and state law.”
Conduent is currently not aware of any fraud or misuse of data stemming from the breach, the company said.
Yale New Haven Health System agrees to $18 million settlement for March incident
Yale New Haven Health System (YNHHS) is preparing to pay out an $18 million settlement over a data breach that occurred in March 2025, compromising the information of more than 5 million individuals.
In October, a federal judge preliminarily approved the settlement, which will entitle affected patients to seek up to $5000 in reimbursement for documented losses associated with the event, or an alternative cash payment of around $100.
YNHHS “denies all liability and all allegations of wrongdoing of any kind,” according to court documents, and has agreed to the settlement to avoid further distractions and litigation stemming from the incident.
YNHHS identified unusual activity in its systems on March 8, 2025, and began notifying affected individuals on April 11, an extremely speedy turnaround compared to many other health systems. Compromised information varied by patient, but included demographics, Social Security numbers, and medical record numbers.
Medical billing company may have had 1.2 million files stolen
Class action lawsuit firms are abuzz with reports that Texas-based Doctor Alliance, which provides administrative services to physicians, has had approximately 1.2 million files stolen by a hacker called “Kazu.” The reports stem from a listing on a hacking forum that claims “Kazu” has exfiltrated 353 GB of data from the company and is demanding $200,000 in ransom by November 21, 2025, or the files will be sold.
According to a press release by law firm Levi & Korsinsky, LLP, “Kazu” claims to have accessed Doctor Alliance’s systems between October and November via an unpatched vulnerability.
Samples of the allegedly stolen data include names, dates of birth, addresses, phone numbers, email addresses, Medicare identification numbers, medical record numbers, diagnoses, treatment plans with medical codes, medications and dosages, and provider information.
In a statement shared by The HIPAA Journal, Doctor Alliance says it is aware of the claims and is investigating the situation. The company has not yet issued any formal notification that a breach has occurred or confirmed that the leaked data sample is from its records.
Settlement over 2023 HCA Healthcare data breach moves forward with undisclosed payouts
About two years after at least 11 million patients had their data exposed, HCA Healthcare is getting ready to settle the matter. A federal judge in Tennessee approved a settlement of dozens of consolidated class action lawsuits, but court documents have not disclosed the amount of money in the pool available to affected individuals.
Based on the fact that the $3.1 million in attorney’s fees and expenses represents a maximum of 8.75% of the total benefits, however, the total settlement may be in excess of $30 million.
As is usual in settlement cases, HCA Healthcare “denies any wrongdoing whatsoever” for the incident.
Unlike many other settlements, however, HCA Healthcare is not making funding available for cash alternative payouts. Anyone wishing to claim a portion of the settlement fund must provide reasonable documentation of loss from the event, and may claim up to $5000 if the documentation is sufficient.
Nebraska gets a green light to sue Change Healthcare over record-breaking data breach
The Nebraska Attorney General’s Office will be allowed to proceed with a lawsuit against Change Healthcare, its parent company, and UnitedHealthcare’s other subsidiary, Optum, over the historic cyberattack that slammed the healthcare industry in 2024.
Lancaster County District Court denied Change Healthcare’s Motion to Dismiss earlier in November, allowing the state to proceed with its claims that the cybersecurity incident resulted in violations of Nebraska’s consumer protection and data privacy laws.
“The Court’s decision ensures we can continue pursuing accountability and promoting stronger protections for Nebraskans’ health information,” Nebraska Attorney General Mike Hilgers said in a statement. “Nearly half of Nebraskans had their most sensitive information exposed because of this breach. Our office is grateful the Court allowed this action to proceed so we can continue our fight to protect the privacy and rights of Nebraskans.”
Nebraska’s lawsuit isn’t the only legal action pending against Change Healthcare. Multiple states have filed federal cases alleging negligence and consumer protection claims in relation to the breach. These cases have been consolidated in the US District Court of Minnesota to simplify the litigation process, considering that all of the suits have similar facts involved and similar goals. The next hearing in the consolidated federal case will occur on November 20, 2025.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.