Veradigm LLC is a health information technology company that provides software solutions to healthcare providers. On September 22, 2025, Veradigm filed breach notification letters with some state attorneys general.
According to the notice, Veradigm learned that an unauthorized party accessed some clients’ data on December 15, 2024. The clients’ data was located in a storage account that the attacker accessed after obtaining a credential from an attack on an unnamed Veradigm client.
Veradigm states it first became aware of the breach on July 1, 2025, through a third-party investigation of the client’s data breach. Although they were unaware of the incident until July 1, some impacted patients had already filed a class-action lawsuit against them on June 25, 2025.
According to Veradigm’s notification, the specific information impacted varied by individual, but included name, contact details, date of birth, health records data (such as diagnoses, medications, test results, and treatments), health insurance information, payment details, and limited identifiers, such as Social Security numbers or driver’s license numbers. The Goodrum v. Veradigm lawsuit in the Northern District of Illinois has reached a settlement that the court is likely to approve.
Nothing seemed unusual or particularly suspicious about Veradigm’s description of the incident until the day someone with knowledge of the unnamed client’s breach contacted DataBreaches to alert us that the unnamed client was Sunflower Medical Group, and if we looked at the Sunflower data tranche on Rhysida’s leak site, we would find Veradigm client data.
DataBreaches started researching the Sunflower Medical Group incident.
The Sunflower Medical Group Breach
On January 7, 2025, Sunflower Medical Group (“SMG”) in Kansas learned that an unauthorized third party may have accessed and obtained copies of specific files. An investigation confirmed that the breach occurred on or around December 15, 2024.
SMG is an independent group of primary care physicians comprising Sunflower Medical Group, Heartland Primary Care, and Women’s Clinic Associates. SMG notified HHS of the incident on March 7, 2025, and reported that 220,698 patients were impacted.
HHS conducted its own investigation and closed it with the following summary:
The covered entity (CE), Sunflower Medical group, reported that it experienced a cyberattack that compromised the protected health information (PHI) of approximately 220,968 individuals. The PHI involved names, dates of birth, addresses, social security and driver’s license numbers, claims information, diagnoses/conditions, lab results, medications, and other treatment information. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE deployed endpoint monitoring, implemented security enhancements, and retrained its workforce to better protect its electronic PHI. OCR provided the CE with technical assistance regarding the HIPAA Rules.
SMG’s notice did not inform patients that their information was leaked on the dark web. SMG did not mention that any non-SMG data had been mixed in with theirs in a dark web leak. But had it been?
Did SMG compare the SMG data tranche on Rhysida’s leak site with the data on its own servers? If they found non-SMG data on their own servers or in the data tranche, what did they do in response?
DataBreaches contacted SMG to ask, but received no reply.
Starting to Connect Some Dots
SMG’s notice did not mention Veradigm, and Veradigm’s notice did not mention SMG, but both entities mentioned a breach that occurred on December 15, 2024. Did the Rhysida gang, who had added SMG to their dark web leak site on January 7, obtain some credential from SMG that enabled them to access a Veradigm storage account? That is what Veradigm’s notification and website notice would seem to claim, but is that accurate?
Veradigm’s notification to state attorneys general did not list the clients whose patients were impacted by the breach, nor did it specify the total number of affected patients. If Veradigm has notified HHS, its report has not yet appeared, due to the government shutdown. Reports filed with the state attorneys general of Texas, South Carolina, Montana, and Massachusetts indicate that 65,270 residents of those states were affected. A report filed with California did not include any numbers.
Although available state numbers do not suggest that this was a big breach, the Goodrum v. Veradigm settlement proposal suggests that two million people may have been affected.
With the exception of SMG, Veradigm’s clients do not appear to have issued their own breach disclosures. However, some clients’ websites link directly to Veradigm’s breach notification, including Urology Associates of Mobile, Cabarrus Eye Center in North Carolina, Family Medical Group of Texarkana, and Peachtree Neurological (now known as Piedmont Physicians Group Peachtree Neurology). Data from all four of those entities was found in the SMG data tranche on Rhysida’s leak site.
Examining the SMG Data Tranche
On January 7, the same day that SMG claims they learned of a breach, the Rhysida gang added SMG to its dark web leak site with proof of claims. They did not make any claims about the number of unique patients, but claimed to have more than 400,000 driver’s licenses, insurance cards, and social security numbers. There were 7.6 TB of data, comprising 5,288,062 files. An SQL database was more than 3 TB.

According to what Veradigm had written, a credential found in a client’s data breach was used to access a Veradigm storage account containing data on other Veradigm clients. As Veradigm describes the incident, and as the settlement documents describe it, the storage account was presumably located on Veradigm’s server. So why was DataBreaches seeing data from Veradigm’s clients in the SMG tranche?
Was the client data actually on SMG’s server and not Veradigm’s server? Or had Rhysida mistakenly combined data from two separate breaches into one tranche?
There was no evidence that Rhysida found any credentials or used them to access Veradigm client data. To the contrary, the Veradigm client data found on SMG’s server was in plain text with no access control at all. Nor did DataBreaches consider it likely that Rhysida would have combined Veradigm client data with SMG data. If there had been a separate breach, Rhysida would have been more likely to try to extort Veradigm directly, but Veradigm has not suggested anything like that.
Veradigm’s version of the incident was no longer making sense.
What Veradigm Clients Had Data on SMG’s Server?
Inspection of one part of the 10-part SMG tranche uncovered data from the following entities:
- Neighborhood Health Center (formerly Northwest Buffalo CHC)
- Urology Associates of Mobile (UAMPA)
- Family Medical Group of Texarkana
- Peachtree Neurological Clinic (now known as Piedmont Physicians Group Peachtree Neurological)
- Virginia Ear, Nose & Throat Associates (Virginia ENT)
- Cabarrus Eye Center
- North Buncombe Family Medicine, P.A.
- Clinton County Medical Center
- Corona-Temecula Orthopaedic
- Northeast Orthopedic Clinic
- Genesis Healthcare Partners (now known as Unio Specialty Care)
- Advanced Health & Wellness (Advance Care Health System, Rogue Valley Health & Wellness)
- Premier Primary Care
- Thomaston Medical Clinic
Seven folders, listed under the “/data” directory, included folders for Cabarrus Eye Center, Corona-Temecula Orthopaedic, North Buncombe Family, Northeast Orthopedic Clinic, Ntierfiles, and Sunflower Medical Group. The Ntierfiles folder comprised hundreds of collection notices sent by Genesis Health Partners to patients.

DataBreaches observed that SMG was on the same hierarchical level as the other entities, and three of those entities have posted links on their websites to Veradigm’s breach notification.
If those were the only non-SMG entities found in the SMG tranche, it could support Veradigm’s claim that the data came from a single storage account; however, this part of the /data directory was not the only place data from other non-SMG entities appeared. In another part of the tranche, DataBreaches found folders with what might be employees’ names. Some of the folders with what could be employees’ names included data on other medical practices or groups that seemed unrelated to SMG.
In the folder named “Anila,” there were files from patients in Mississippi.
In the folder named “Saranam,” DataBreaches noted files from Advanced Health & Wellness, Family Medical Group, Premier Primary Care, and Thomaston Medical Clinic. Family Medical Group was one of the clients that has posted a link on its website to Veradigm’s breach notification.
In the folder called “Sudarsan,” there were files from Peachtree Neurological, Virginia Ear Nose & Throat, Buffalo Community Health, and Urology Associates of Mobile. Peachtree Neurological and Urology Associates are Veradigm clients that have also publicly linked to Veradigm’s breach notice.
Data in various folders appears to contradict a claim that the client data was in one storage account on Veradigm’s server.
There were even more files from numerous other entities in a folder called “ChrisM,” as illustrated in the screengrab below.

There was data from CHI hospitals in Minnesota and North Dakota, Mercy Clinics in Iowa, Physician Enterprise in Centerville and three states, patients in Baudette and Breckenridge, Minnesota, and the Physician Network in Nebraska. Were these entities all clients of Veradigm? DataBreaches is not sure, but it seems unlikely that those data are linked to Sunflower Medical Group.
A search of Google found that Veradigm (formerly known as Allscripts) had employees with some of the names we found, but without last names, it was impossible to verify fully.
Unanswered Questions
DataBreaches emailed Veradigm five times between September 30 and October 31 to request clarification of their claims in their breach notification. In our last email, we provided them with a list of suspected Veradigm clients found in the SMG tranche and the screengrab of the “ChrisM” folder and asked them to please confirm or deny whether the entities were Veradigm clients.
DataBreaches also repeated a question about where the storage account was hosted — on their server or on SMG’s server.
Veradigm did not reply to any of the questions.
DataBreaches cannot be sure that Veradigm clients’ data was on SMG’s server, but the SMG data tranche raises a lot of questions.
As noted previously, SMG did not notify patients that their data was leaked on the dark web. Veradigm has also failed to inform its clients’ patients that their information has been leaked on the dark web.
If Veradigm or SMG replies to the inquiries, this post will be updated.