North Texas Behavioral Health Authority (NTBHA), a provider of mental health and substance use treatment and services in Dallas, Ellis, Hunt, Kaufman, Navarro & Rockwall counties, has notified the Department of Health and Human Services (HHS) Office for Civil Rights about a breach of the protected health information of 285,086 individuals. The data breach is the 6^th largest data breach reported to OCR so far in 2026.

NTBHA identified unauthorized activity within its computer systems on or around October 15, 2025, and launched an investigation to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party accessed its network between October 13, 2025, and October 15, 2025, during which time files containing patient information may have been viewed or acquired.

It took around three months to review the affected files, and on January 7, 2026, NTBHA confirmed that some of the files contained personal information. The substitute data breach notice does not list the types of data involved, although for some individuals, Social Security numbers were exposed. NTBHA said that at the time of issuing breach notification letters, no evidence had been found of any actual or attempted misuse of the impacted information.

Notification letters started to be sent to the affected individuals on March 6, 2026, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. NTBHA said it continually evaluates its privacy and security measures and has taken steps to augment security following this incident. They include resetting passwords, expanding multi-factor authentication, and deploying advanced endpoint detection and response tools and services. At present, no threat actor appears to have claimed responsibility for the incident. Several law firms have opened investigations in response to the data breach and are considering filing class action lawsuits.

The post North Texas Behavioral Health Authority Data Breach Affects 285K Individuals appeared first on The HIPAA Journal.

Saint Anthony Hospital, a nonprofit, faith-based, acute care, community hospital in Chicago, has started notifying individuals about unauthorized access and/or theft of some of their personal and protected health information. The substitute breach notification does not state when the unauthorized access was detected, only that an unauthorized third party accessed and/or acquired certain files and folders of unstructured data from its email system on February 27, 2025. The forensic investigation confirmed that electronic medical records were not affected by the incident.

More than a year after the unauthorized access occurred, notification letters are being sent to the affected individuals. Saint Anthony Hospital said the third-party specialists engaged to review the affected files completed their review on February 13, 2026, and notification letters started to be mailed to the affected individuals on March 6, 2026, after the results of the data review were verified and contact information was obtained.

The substitute breach notice on the Saint Anthony Hospital website does not state what types of information were involved; however, the hospital had previously disclosed in November 2025 that names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, prescription information, and medical histories were involved. Back in November, the hospital reported that approximately 6,600 patients and employees had been affected; however, the breach notice submitted to the HHS’ Office for Civil Rights shows that the breach was much larger, involving the protected health information of 146,108 individuals.

While no evidence has been found to suggest any actual or attempted misuse of patient data, the affected individuals have been advised to exercise caution and monitor their free credit reports, financial accounts, and explanation of benefits statements carefully for signs of data misuse. Complimentary credit monitoring and identity theft protection services do not appear to have been offered to the affected individuals.

The post Chicago’s Saint Anthony Hospital Reports Breach Affecting 146,000 Individuals appeared first on The HIPAA Journal.

Data breaches have been announced by the California psychiatry and therapy provider Mindpath Health, Springfield Hospital in Vermont, and Lone Peak Psychiatry in Utah.

Community Psychiatry Management (Mindpath Health)

Community Psychiatry Management, LLC, doing business as Mindpath Health, a Sacramento, California-based provider of in-person and online psychiatry and therapy services, has notified the Maine Attorney General about a hacking incident that Mindpath Health learned about on November 14, 2025. The personal and protected health information of 14,060 individuals was potentially compromised in the incident, including 2 Maine residents.

The incident is part of a much larger data breach at its vendor, Pinnacle Holdings, LTD. Pinnacle Holdings provides healthcare consulting services, and the data breach affected many of the company’s healthcare clients. The incident was detected by Pinnacle Holdings on November 25, 2024, when Pinnacle Holdings experienced a network disruption. The forensic investigation confirmed unauthorized network access between November 11, 2024, and November 25, 2024, during which time files containing patient information may have been copied by the threat actor.

Data compromised includes names, addresses, phone numbers, email addresses, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, diagnoses, treatment information, dates of service, patient ID numbers, provider names, medical record numbers, health insurance information, and treatment cost information. Individual notification letters started to be sent to the affected individuals on March 9, 2026, and 12 months of complimentary credit monitoring and identity theft protection services have been offered.

Springfield Hospital

Springfield Hospital in Vermont has started mailing notification letters to patients advising them that some of their personal and protected health information has been exposed in a recent data security incident. Springfield Hospital learned about the incident when it identified suspicious activity within an employee’s email account. The forensic investigation determined that the account was accessed by an unauthorized individual on December 17, 2025, and Springfield Hospital learned that personal and protected health information was involved on February 10, 2026.

Data exposed in the incident includes names, dates of birth, and Social Security numbers, along with protected health information such as medical record numbers, treating physician names, and reasons for visit. Springfield Hospital said it has taken steps to improve email security to prevent similar incidents in the future. At the time of issuing notification letters, Springfield Hospital had not identified any attempted or actual misuse of the exposed information. It is currently unclear how many individuals have been affected.

Lone Peak Psychiatry

Lone Peak Psychiatry, a mental health practice with locations in Lehi and Murray, Utah, has notified state attorneys general about a recent data breach. The notification letters are light on detail and do not contain any information about the nature of the incident, dates of compromise, or types of information involved. There is currently no substitute breach notice on the Lone Peak Psychiatry website.

The affected individuals have been offered complimentary credit monitoring and identity theft protection services, although if the notice to state attorneys general is a reflection of the individual notification letters being sent, then the affected patients do not have enough information to gauge the level of risk they face and whether they need to sign up for the free services being offered. In such cases, it is always wise to err on the side of caution and take steps to protect against identity theft and fraud, including signing up for any free services on offer. There is no listing on the OCR data breach portal at present, so it is unclear how many individuals have been affected.

The post Data Breaches Announced by Mindpath Health; Springfield Hospital; Lone Peak Psychiatry appeared first on The HIPAA Journal.

Ransomware attacks have been announced by Glendale Obstetrics & Gynecology in Arizona and Lymphedema Therapy Specialists in Texas, and City Health in California has notified patients about a recent data breach.

Glendale Obstetrics & Gynecology

Glendale Obstetrics & Gynecology in Glendale, Arizona, has started issuing notifications about an October 2025 security incident. The incident was described as “network disruption affecting a portion of its digital environment,” terminology often used to describe a ransomware attack. The notification letters sent to state attorneys general do not state when the unauthorized access first occurred, only that it was detected on October 25, 2025.

The files on the compromised parts of its network were reviewed, and that process was completed on March 16, 2026. Data compromised in the incident varies from individual to individual and may include names plus one or more of the following: address, date of birth, Social Security number, driver’s license information, medical information, and health insurance information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

A ransomware group called Safepay claimed responsibility for the attack. SafePay engages in data theft and data encryption and claimed to have exfiltrated data in the attack. SafePay added Glendale Obstetrics to its data leak site on November 11, 2025, and then leaked the stolen data on its dark web site. Glendale Obstetrics reported the data breach to the HHS’ Office for Civil Rights on December 24, 2025, using a placeholder estimate of at least 501 affected individuals. State attorneys general have recently been notified, although the 501 total has yet to be updated on the OCR breach portal, so it is unclear how many individuals have been affected. Individual notification letters started to be mailed on April 9, 2026.

Lymphedema Therapy Specialists

Lymphedema Therapy Specialists (LTS), a Houston, Texas-based clinic providing lymphedema treatment, has recently announced a data breach. Unauthorized network activity was identified on February 11, 2026, and a third-party digital forensic investigation confirmed that its network was accessed by an unauthorized third party who may have viewed or copied patient information.

The compromised parts of its network were reviewed, and on February 18, 2026, LTS confirmed that patient and employee information had been exposed, including names, Social Security numbers, government-issued identification numbers, workers’ compensation information, medical information, and health insurance information.

While not described as a ransomware attack, a ransomware group claimed responsibility for the incident. The INC Ransom group added LTS to its dark web data leak site and claimed that personally identifiable information and protected health information were stolen in the attack, in addition to organizational data. Based on the substitute breach notice on the LTS website, credit monitoring and identity theft protection services do not appear to have been offered. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that 378 Texas residents were affected.

City Health

City Health, a California healthcare provider with locations in San Leandro and Oakland, has notified certain patients about a hacking incident that was identified on March 30, 2026. Assisted by third-party cybersecurity specialists, City Health determined that an unauthorized third party accessed its network between March 2, 2026, and March 11, 2026, and viewed or acquired files containing sensitive information.

Data accessed in the incident included names, insurance provider names, and procedure codes only. City Health said contact information, dates of birth, and Social Security numbers were not involved. The incident was rapidly reported to regulators, including the California Attorney General, who was notified about the incident on April 13, 2026, just two weeks after the breach was first identified. Individual notification letters are now being sent to the affected individuals.

City Health is reviewing its security practices, policies, and procedures, and is taking steps to prevent similar incidents in the future. While data has been exposed, City Health is unaware of any actual or attempted misuse of the exposed data. “We apologize for any inconvenience and concerns this may cause you,” City Health’s management team said. “City Health would like to assure you that we have handled the situation swiftly and have taken necessary steps to ensure that it will not happen again.” The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Arizona & Texas Clinics Notify Patients About Ransomware Incidents appeared first on The HIPAA Journal.