NextGen Healthcare proposed a $19,375,000 settlement to take care of a combined class action lawsuit over a ransomware attack in 2023 that impacted over one million people.
The electronic health records and practice management software company discovered the attack on April 28, 2023. On May 5, 2023, the first complainant filed a lawsuit in the United States District Court for the Northern District of Georgia, Atlanta Division. Afterwards, over twelve lawsuits had been filed, which were combined into one lawsuit filed in the same court. The allegations include negligence and negligence per se for not applying proper safety measures to safeguard sensitive patient data, breach of implied contract, violation of privacy/intrusion upon seclusion, breach of fiduciary duty, unjust enrichment, breach of bailment, and breach notification failures, violation of government and state regulations, which includes the Official Code of Georgia Annotated (O.C.G.A).
NextGen Healthcare rejects all claims and allegations in the lawsuit and responds with no wrongdoing or liability. NextGen Healthcare filed a motion to dismiss the lawsuit; nonetheless, the lawsuit was permitted to continue. After the mediation on June 25, 2025, as well as on August 6, 2025, all parties agreed to settle the lawsuit, considering the cost and duration of the litigation, and the risks involved in doing so.
Based on the conditions of the settlement, HIPAA-certified NextGen Healthcare will create a $19,375,000 settlement fund to pay the lawyers’ fees and expenditures, notice costs, settlement management costs, benefits for class members, and service awards. Class members could file a claim for recorded, unreimbursed losses associated with the data breach, approximately $7,500 for each class member and around $250 for lost time (no more than 10 hours valued at $25/hour). Otherwise, class members could opt to be given a cash payment, which is expected to be $50, yet it could be adjusted pro rata. Class members who reside in California during the time of the data breach could assert a different cash payment of $150.
Besides the benefits mentioned above, class members could likewise claim 3 years of credit monitoring and identity theft protection services. If there are funds left in the settlement account, they are going to be used to lengthen identity and credit monitoring services or will be given to cy pres to a non-profit cybersecurity company. The settlement is awaiting the court’s approval.
