NextGen Healthcare, a major provider of electronic health record (EHR) software used by thousands of clinics and medical practices, disclosed in April 2023 that a criminal cyberattack had exposed sensitive patient information for more than a million people. The compromised data reportedly included names, addresses, dates of birth, Social Security numbers, insurance details, and driver’s license numbers—exactly the mix that can enable long-term identity theft and medical fraud. The incident was especially alarming because it followed another ransomware attack tied to the BlackCat group earlier in 2023, underscoring how attractive healthcare databases are to attackers and how disruptive repeat incidents can be for patients and providers alike. The class action (Miller v. NextGen Healthcare Inc., N.D. Ga.) was filed because plaintiffs allege NextGen failed to implement reasonable data security safeguards and violated various state consumer-protection and related laws; NextGen denies wrongdoing but agreed to a $19.375 million settlement to avoid the expense and risk of continued litigation. If approved, eligible class members can choose reimbursements for documented losses up to $7,500, payments for time spent addressing the breach, or a simpler flat cash option ($50 for most, $150 for certain California residents), plus three years of identity defense services—an important feature given that SSNs and birthdates can’t be “changed” after exposure. More broadly, the case fits a growing wave of healthcare-breach lawsuits that test what “reasonable security” means for health-tech vendors and their partners under a patchwork of rules: HIPAA’s privacy and security framework for protected health information, state breach-notification statutes, and—where applicable—state privacy regimes like California’s, all against a backdrop of intensifying ransomware pressure on hospitals, EHR platforms, and their supply chains.