Subscribe To Our Newsletter
ApolloMD Business Services has agreed to a $4.02 million class action settlement following a May 2025 ransomware attack that compromised the private medical and personal records of over 626,000 patients. Affected consumers who received a data breach notice can file claims for up to $5,000 in documented fraud losses or an estimated $75 alternative cash payment, alongside a free year of specialized medical data monitoring. The final deadline to submit a claim is September 30, 2026.
Everyday people whose sensitive medical and personal records were compromised in a massive cyberattack against ApolloMD Business Services LLC can now take action to secure financial compensation.
ApolloMD has agreed to establish a $4.02 million class action settlement fund to resolve claims that the company failed to implement reasonable cybersecurity protocols, exposing the private data of more than 626,000 current and former patients. If you received an official data breach notification letter indicating your personal health information or personal data was compromised during the May 2025 cyberattack, you may be eligible to submit a claim for a cash payout up to $5,000 or credit and medical monitoring.
The class action lawsuit stems from an IT network intrusion that ApolloMD discovered on May 22, 2025. According to investigative reports and legal filings, an unauthorized third party infiltrated the company’s information systems between May 22 and May 23, 2025. Data breach investigators later linked the attack to the Qilin ransomware group, which claimed to have exfiltrated roughly 238 gigabytes of sensitive files from ApolloMD’s computer network.
ApolloMD serves as a major healthcare management and medical staffing firm based in Atlanta, Georgia. The company handles administrative services for more than 125 physician practices across 18 states, treating roughly 4 million patients annually. Because of ApolloMD’s central administrative role, the ransomware attack trickled down into multiple affiliated medical groups, exposing hundreds of thousands of individuals who had simply visited their local doctors or emergency departments.
Cybercriminals managed to access and acquire files containing both personally identifiable information and protected health information. The specific types of patient records compromised in the breach varied by individual, but the exposed datasets generally included full names, home addresses, dates of birth, medical diagnoses, treating provider names, dates of service, and detailed clinical treatment information.
Furthermore, a specific subset of the 626,540 impacted individuals had their Social Security numbers stolen. The exposure of combined medical records and government identification numbers places affected patients at an elevated risk for both financial identity theft and medical identity fraud, prompting class action attorneys to take legal action to hold companies accountable for data security failures.
Plaintiffs filed the class action lawsuit alleging that ApolloMD acted with negligence by failing to implement adequate data security safeguards to protect sensitive patient records. The lawsuit argued that the company breached an implied contract with patients to preserve the confidentiality of their medical data under industry standard cybersecurity frameworks and federal health privacy regulations.
ApolloMD strongly denies all allegations of wrongdoing and maintains that it did not violate any laws or data security standards. However, the company chose to enter into the $4.02 million settlement agreement to completely avoid the ongoing expenses, distractions, and unpredictable risks associated with a protracted trial and further litigation.
You may be eligible to participate in the settlement benefits if you reside in the United States and received a formal, written notice from ApolloMD or its settlement administrator stating that your private information was impacted by the May 2025 data breach. The settlement class encompasses patients treated across a wide network of partner medical practices.
Impacted entities listed in public records include Broad River Physicians Group LLC, Pensacola Hospitalist Physicians LLC, Passaic Hospitalist Services LLC, Lorain Emergency Physicians LLC, Aurora Emergency Physicians LLC, Olive Branch Emergency Physicians LLC, Methodist University Emergency Physicians PLLC, Trinity Emergency Physicians LLC, Passaic River Physicians LLC, The Bortolazzo Group LLC, and Pennsylvania Hospitalist Group LLC.
Eligible class members can choose between two main financial compensation structures depending on whether they suffered direct identity theft losses or financial fraud as a result of the cybersecurity breach:
Cash Payment A (Documented Loss Reimbursement): Class members who experienced actual financial harm can submit a claim for up to $5,000. This tier provides direct reimbursement for reasonable, documented out-of-pocket losses, fraudulent bank account charges, credit fees, or identity theft resolution expenses linked directly to the ApolloMD incident.
Cash Payment B (Alternative Pro Rata Payout): If you did not suffer documented financial losses but still want to claim a cash rebate, you can opt for an alternative cash payment. This amount is estimated at $75, though the final cash value will be adjusted pro rata up or down based entirely on the total number of approved claims submitted by the public.
Beyond the direct cash payments, all approved class members have the option to sign up for a complimentary one-year subscription to CyEx’s specialized medical data monitoring service. This identity protection package is designed to mitigate the specific risks associated with health data exposure and includes real-time single-bureau credit file monitoring alongside automated dark web scanning.
The monitoring service also provides class members with direct security freeze assistance, professional victim resolution agents, and up to $1 million in comprehensive identity theft insurance coverage featuring a zero-dollar deductible. This service aims to give patients peace of mind against long-term medical identity fraud, which often takes months or years to fully manifest after a health system breach occurs.
To secure your share of the settlement fund, you must fill out a claim form online or download a physical PDF form to return via mail. The court-appointed administrator managing the distribution is Kroll Settlement Administration LLC. If you prefer to send a paper claim form, it must be postmarked and addressed to: Settlement Administrator – #83375, c/o Kroll Settlement Administration LLC, P.O. Box 5324, New York, NY 10150-5324.
Every claimant must provide the unique Class Member ID printed on the official settlement letter they received in the mail to validate their submission. If you are applying for the $5,000 documented loss tier, you must also attach supporting evidence, such as bank statements, invoices, or receipts showing unreimbursed fraudulent charges or expenses.
If you wish to receive any cash or credit monitoring benefits from this litigation, your completed claim form must be submitted or postmarked no later than September 30, 2026. Failing to file by this exact deadline will strip you of your right to collect compensation, and you will permanently forfeit your ability to sue ApolloMD over these specific data breach claims in the future.
If you prefer to preserve your right to file an independent lawsuit against ApolloMD regarding this incident, you must formally exclude yourself from the class. The hard deadline to submit an opt-out request or file a legal objection to the settlement terms is August 31, 2026. The final court approval hearing is currently scheduled for October 5, 2026.
Approved class members can expect to receive their financial payouts roughly 75 days after the court officially grants final approval to the settlement agreement. Assuming the presiding judge approves the deal during the October 5, 2026 hearing and no subsequent legal appeals are filed by outside parties, distribution checks and electronic payments should begin processing in late December 2026.
The $4.02 million settlement fund will be broken down to cover all administrative costs, the costs of the CyEx medical data monitoring enrollments, and court-approved legal fees. Plaintiff attorneys are authorized to request up to $1.34 million from the total fund to cover their attorneys’ fees, plus additional out-of-pocket litigation costs, before the remaining money is distributed to claimants via PayPal, Venmo, Zelle, or paper check.
New cases and investigations, settlement deadlines, and news straight to your inbox.