Healthcare tech company Veradigm data breach exposed patient data
Veradigm LLC, a healthcare information technology company formerly known as Allscripts, is reporting a data breach affecting tens of thousands of patients across multiple healthcare practices.
Veradigm, headquartered in Chicago, Illinois, operates as a provider of healthcare data and technology solutions, serving a network of more than 180,000 physician users with products deployed in 2,700 hospitals and 13,000 extended care organizations. The company provides electronic health records, practice management tools, patient engagement platforms, and analytics services to healthcare providers, hospitals, extended care organizations, life sciences companies, and health plans across the United States.
The security incident was detected by Veradigm on July 1, 2025. The investigation revealed that the original breach had occurred much earlier, on or around December 15, 2024, and remained undetected for nearly seven months. Veradigm only became aware of the incident through a third party investigating an original data security incident involving one of its impacted customers.
The attack was credential-based: the unauthorized actor used credentials obtained from a separate data security incident targeting one of Veradigm's customers to gain access to a Veradigm storage account where sensitive patient information was maintained. This effectively turned a single customer's security failure into a broader systemic breach.
Veradigm claims that no other company systems or environments were affected by this incident, and the breach was contained to the specific storage account accessed through the compromised credential. The compromised data includes:
- Names and contact details
- Dates of birth
- Social Security numbers (for some individuals)
- Driver's license numbers (for some individuals)
- Health records data (including diagnoses, medications, test results, and treatments)
- Health insurance information
- Payment details and financial information
Based on breach notifications filed with state attorneys general offices, the incident has affected at least 65,216 individuals across multiple states. The total number of impacted individuals is likely significantly higher, as additional state filings and the federal notification to the Department of Health and Human Services may reveal a broader impact.
The company initiated patient notifications by mail on September 22, 2025. Veradigm is providing complimentary credit monitoring and identity protection services for a period of 12 to 24 months, depending on the individual's specific circumstances. These services require active enrollment by affected individuals and include monitoring of credit reports, identity theft protection, and fraud resolution services. The company has also established a dedicated toll-free incident response line to answer questions and provide support to affected individuals during regular business hours.
Update - As of November 2, 2025, it appears that the breached third party is Sunflower Medical Group (SMG), whose accounts were used to access a Veradigm storage account containing other clients' data, potentially affecting up to 2 million people. Investigative analysis of the leaked data found that multiple Veradigm clients' records appeared to be stored directly on SMG's server in various folders, which contradicts Veradigm's claim that the data was in a separate storage account on Veradigm's own servers. Neither Veradigm nor SMG informed affected patients that their sensitive health information was leaked on the dark web. Veradigm has not responded to multiple requests for clarification about where the data was actually stored or why so many clients' records were commingled on what appears to be SMG's server.