California Radiology Provider Announces 13,000-Record Data Breach

Posted by Steve Alder

Data breaches have been reported by Radiology Associates of San Luis Obispo, North Oaks Health System, The Children’s Center of Hamden, Huron Regional Medical Center, and Franklin Dermatology Group.

Pacific Imaging Management (Radiology Associates of San Luis Obispo)

Pacific Imaging Management, doing business as Radiology Associates of San Luis Obispo in California, has identified unauthorized access to certain employee email accounts. Suspicious activity was identified within its email environment on March 13, 2025. An investigation was launched, which revealed that certain email accounts were accessed by an unauthorized third party at various times between February 3, 2025, and March 17, 2025.

The accounts were reviewed and found to contain the protected health information of 13,158 individuals. The types of data involved vary from individual to individual and are detailed in the individual notification letters that started to be mailed on September 10, 2025. Policies and procedures are being reviewed and enhanced, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

North Oaks Health System, Louisiana

North Oaks Health System, one of the largest community hospital organizations in Louisiana, has experienced a breach of its email system, which exposed the protected health information of 6,243 patients.  Suspicious activity was identified in certain employee email accounts on June 4, 2025. The affected accounts were immediately secured, and an investigation was launched to determine the extent of the breach.

The investigation confirmed that certain emails and attachments in the compromised accounts were accessed between May 28, 2025, and June 5, 2025, and some of those emails contained patient information such as names, birth dates, health insurance information, and clinical information related to the services received at North Oaks. A limited number of Social Security numbers were also exposed. North Oaks is enhancing its security protocols, technical safeguards, monitoring, and employee cybersecurity training to prevent similar incidents in the future.

Children’s Center of Hamden, Connecticut

The Children’s Center of Hamden (TCCOH), a nonprofit behavioral health center in Hamden, Connecticut, has recently announced a security incident that was first identified on December 28, 2025. Unusual activity was identified within its computer systems, and third-party digital forensics experts were engaged to investigate. They confirmed unauthorized access to its network, including systems that contained patient information. On June 29, 2025, it was confirmed that files containing patients’ protected health information were accessed or acquired in the attack.

The file review was completed on August 7, 2025, and confirmed that names, dates of birth, Social Security numbers, driver’s license information, passport information, biometric data, and diagnosis and treatment information had been exposed. Notification letters have been mailed to the 5,213 individuals, and steps have been taken to enhance security.

Huron Regional Medical Center, South Dakota

Huron Regional Medical Center in South Dakota identified suspicious activity within its computer network on or around May 31, 2025. An investigation was launched to determine the nature and scope of the suspicious activity, with assistance provided by third-party digital forensics experts. Unauthorized network access was confirmed, and the exposed files were reviewed and found to contain information such as names, addresses, phone numbers, dates of birth, dates of service, cost of services, health insurance information, lab results, medical diagnostic images, prescription information, Medicare/Medicaid numbers, diagnoses, and treatment information.

Huron Regional Medical Center is reviewing its policies, procedures, and data security measures and will make enhancements to better defend against future attacks. Individual notification letters started to be mailed to the affected individuals on September 9, 2025. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Franklin Dermatology Group

Franklin Dermatology Group in Tennessee has recently confirmed that it was affected by the cyberattack and data breach at the collections vendor, Nationwide Recovery Service (NRS). A hacking group had access to the NRS network between July 5, 2024, and July 11, 2024, and copied certain files from its network. Those files contained names, dates of birth, Social Security numbers, health insurance information, financial account information, and/or protected health information.

Franklin Dermatology Group was notified that it had been affected on February 7, 2025, and NRS said it would be issuing notifications to the affected individuals, although Franklin Dermatology Group said NRS reneged on that promise on April 3, 2025. Franklin Dermatology Group issued notifications to the affected individuals in September 2025 and has offered them complimentary single-bureau credit monitoring, credit score, and credit report services for 12 months. The breach was recently reported to the Maine Attorney General as affecting 2,457 individuals. In total, the NRS data breach has affected more than 545,000 individuals.

The post California Radiology Provider Announces 13,000-Record Data Breach appeared first on The HIPAA Journal.

Teamsters Union 25 Health Services & Insurance Plan Hacking Incident Affects 19,000 Members

Posted by Steve Alder

Teamsters Union 25 Health Services & Insurance Plan, a health and wellness benefits plan for members of Teamsters Union Local 25, a trade union representing truck drivers, warehouse workers, clerical workers, and service and technology employees, identified suspicious activity within its computer network on or around August 1, 2025, potentially indicating unauthorized access.

Third-party cybersecurity experts were engaged to investigate the activity and confirmed unauthorized access to the network. Further investigation uncovered evidence that certain data on the network was accessed and potentially copied without authorization. The data related to members of the Teamsters Union 25 Health Services & Insurance Plan and the Teamsters Union 25 Investment Plan.

The review of the affected files was completed on August 18, 2025, and notification letters were mailed to the affected individuals on September 3, 2025. The affected individuals have been offered 12-24 months of complimentary credit monitoring and identity theft protection services, and steps have been taken to enhance security to prevent similar breaches in the future. The data involved varies from individual to individual and may include names, member IDs, Social Security numbers, health information, and health insurance information. The HHS’ Office for Civil Rights was informed that the protected health information of 19,231 individuals was compromised in the incident.

Anthony L. Jordan Health Corporation

Anthony L. Jordan Health Corporation (AJHC) in Rochester, New York, has fallen victim to a phishing attack that involved unauthorized access to the email, OneDrive, and SharePoint accounts of three employees. Suspicious activity was identified in an employee’s email account on June 30, 2025. The account was immediately secured, and an investigation was launched to determine the nature and scope of the incident.

The investigation confirmed that an unauthorized actor had accessed the accounts at various times between April 30, 2025, and July 9, 2025, after the employees responded to phishing emails. The purpose of the unauthorized access appeared to be to fraudulently obtain funds from Jordan Health, rather than to obtain patient data; however, unauthorized access to patient information could not be ruled out.

The affected accounts were reviewed and found to contain patient information such as names, dates of birth, medical record numbers, provider names, dates of service, and health insurance information. In total, 2,974 patients potentially had information compromised in the incident. Jordan Health has provided additional cybersecurity awareness training to the workforce to prevent similar incidents in the future.

Sentara Health

Last week, Sentara Health notified 696 patients about a mailing incident that disclosed a limited amount of patient data. The mailing was sent to patients of a specific Sentara Behavioral Health Specialists provider to advise them of the departure of that provider from Sentara.

An error was made when compiling the list of recipients for the mailing, resulting in the mismatching of patients’ names and addresses. Letters intended for one patient were sent to a different patient, resulting in the disclosure of the patient’s name, location of the practice, and the provider’s name. Sentara Health addressed the matter with the employee in question, according to its internal policies and procedures, and has taken steps to prevent similar incidents in the future, including evaluating additional training opportunities.

The post Teamsters Union 25 Health Services & Insurance Plan Hacking Incident Affects 19,000 Members appeared first on The HIPAA Journal.

R1 RCM & Dignity Health to Pay $675,000 to Settle Data Breach Lawsuit

Posted by Steve Alder

A $675,000 settlement has been agreed upon to resolve a class action data breach lawsuit against R1 RCM Inc., a revenue cycle management company,  and Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus in Henderson, Nevada.

The lawsuit stems from a data breach at R1 RCM, which was detected on November 23, 2023. R1 RCM determined that the hacker had exfiltrated sensitive data such as names, contact information, dates of birth, Social Security numbers, service locations, diagnosis information, patient account numbers, and medical record numbers.  The data breach was reported to the HHS’ Office for Civil Rights as affecting 16,121 individuals.

The lawsuit – Heather Hillbom v. R1 RCM, Inc. and Dignity Health dba Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus – was filed in the U.S. District Court for the District of Nevada on April 5, 2024, and alleged that the defendants were negligent by failing to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. The defendants maintain there was no wrongdoing and that there is no liability; however, the decision was made to settle the lawsuit to avoid the costs and risks associated with continuing with the litigation.

Under the terms of the settlement, class members are entitled to claim two years of three-bureau credit monitoring services and identity theft protection services through CyEx Medical Shield Total.  In addition, all class members may claim a monetary payment, which will be calculated after attorneys’ fees, credit monitoring costs, legal expenses, settlement administration costs, service awards, and claims for out-of-pocket expenses have been deducted from the settlement fund. Claims may also be submitted for reimbursement of documented, unreimbursed, out-of-pocket losses. Up to $500 may be claimed as reimbursement for ordinary out-of-pocket expenses, and up to $2,500 for extraordinary out-of-pocket expenses, such as losses to fraud and identity theft.

The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 14, 2025. The deadline for objecting to and exclusion from the settlement is October 13, 2025, and all claims must be received by November 11, 2025.

The post R1 RCM & Dignity Health to Pay $675,000 to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.