Cyberattacks Announced by Florida Physician Specialists & Mile Bluff Medical Center

Posted by Steve Alder

Florida Physician Specialists has started notifying patients affected by a November 2025 hacking incident. Mile Bluff Medical Center in Wisconsin has announced that it is working under downtime procedures as it recovers from an April 2026 ransomware attack.

Florida Physician Specialists

Florida Physician Specialists, a Jacksonville, FL-based multi-specialty private physician practice serving patients in Northeast Florida, started notifying patients on April 24, 2026, about a November 2025 hacking incident that exposed some of their personal and protected health information.

An investigation was launched into a security incident in late November, which confirmed that an unauthorized third party accessed its network between November 27, 2025, and November 29, 2025. The review of the exposed data was completed on April 6, 2026, when it was confirmed that a limited amount of patient data may have been exfiltrated from its network. Data potentially compromised in the incident included names in combination with one or more of the following: Social Security numbers, driver’s license numbers or state identification numbers, other government identification numbers, financial account information, credit or debit card information, medical information, and/or health insurance policy information.

While data may have been stolen, Florida Physician Specialists is unaware of any actual or attempted misuse of the data; however, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring services. The data breach was reported to the Maine Attorney General as affecting 47 Maine Residents, but it is currently unclear how many individuals have been affected in total. There is currently no listing on the HHS Office for Civil Rights website.

Mile Bluff Medical Center

Mile Bluff Medical Center in Mauston, Wisconsin, is dealing with a cyberattack that resulted in the encryption of files on its network.  Security protocols were immediately implemented when the attack was discovered, and an investigation has been launched with assistance provided by third-party partners.

The medical center has confirmed that the cyberattack caused limited and temporary interruptions to certain computer systems, and its phone system has also been impacted. Clinical teams have been working under downtime procedures while the attack is mitigated, and systems can be safely restored. The priority has been to ensure that care continues to be provided to patients. The medical center is working to fully resolve the issues as soon as possible. At this stage of the recovery process, it is too early to tell to what extent, if any, patient data has been affected. No threat group appears to have claimed responsibility for the attack at the time of writing.

The post Cyberattacks Announced by Florida Physician Specialists & Mile Bluff Medical Center appeared first on The HIPAA Journal.

South Texas Oncology and Hematology Pays $1.1M to Settle Data Breach Lawsuit

Posted by Steve Alder

South Texas Oncology and Hematology, a San Antonio, TX-based provider of leading-edge cancer treatment and other medical services, has settled a class action lawsuit stemming from a February 2024 cyberattack and data breach that involved unauthorized access to the personal information of 176,303 individuals, including the protected health information of 175,195 individuals.

Suspicious network activity was identified on February 15, 2024, and the forensic investigation confirmed that an unauthorized individual accessed its network and potentially obtained employee and patient information. Data exposed in the incident included names, contact information, dates of birth, health information, and Social Security numbers. The affected individuals were notified about the incident in June 2024.

The first class action lawsuit over the data breach was filed by plaintiff Doris Flores on June 24, 2024, in the U.S. District Court for Bexar County, Texas, 438th Judicial District. Several other lawsuits were subsequently filed, and since they made similar claims and had overlapping classes, the plaintiffs’ counsel agreed to work cooperatively and litigate in a single action – Flores v. South Texas Oncology and Hematology, PLLC.

The consolidated lawsuit alleged that the defendant failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network, and that the data breach should have been prevented. South Texas Oncology and Hematology maintains that there was no wrongdoing, there is no liability, and denies all claims and contentions in the lawsuit. The defendant and the plaintiffs agreed to a settlement to avoid the costs and risk associated with a trial, with no admission of fault or liability.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for July 21, 2026. Under the terms of the settlement, South Texas Oncology and Hematology has agreed to pay $1,075,000 to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of up to $5,000 in documented, unreimbursed losses due to the data breach, or they may claim an alternative pro rata cash payment. The cash payments are estimated to be $100 per class member, but may be higher or lower depending on the number of valid claims received. In addition to one of those benefits, class members may also claim two years of free medical data monitoring services. Claims must be submitted by July 6, 2026, and individuals wishing to object to the settlement or exclude themselves must do so by June 22, 2026.

The post South Texas Oncology and Hematology Pays $1.1M to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Former FBI Deputy Cyber Chief Calls for Terrorism Classification for Healthcare Ransomware Actors

Posted by Steve Alder

At a recent joint hearing by the Subcommittee on Border Security and Enforcement and the Subcommittee on Cybersecurity and Infrastructure Protection, a former FBI cyber chief called on the U.S. government to consider applying terrorism designations to ransomware actors who attack hospitals and other critical infrastructure entities that put lives or safety at risk.

Ransomware attacks on hospitals typically result in cancelled appointments and surgeries, and ambulances are often put on divert, causing emergency patients to travel further to alternative facilities. These delays to patient care put patient safety at risk, and studies have shown that mortality rates increase at hospitals following ransomware attacks. Ransomware actors conduct attacks on hospitals in the full knowledge that patient care is threatened, as it increases the probability of a ransom being paid.

The subcommittee members heard testimony from Cynthia Kaiser, the former deputy assistant director of the FBI’s Cyber Division from 2022 to 2025 and the current senior vice president of the Halcyon Ransomware Research Center. “When a ransomware gang encrypts a hospital’s systems and demands payment under threat of continued system lockout — knowing that patients are being diverted, that dialysis is being delayed, that surgery schedules are being canceled — I believe a serious legal argument exists that this conduct falls within [terrorism] definitions,” Kaiser said. “At minimum, it merits a formal, deliberate analysis by the Departments of State, Justice, and Treasury, who collectively hold designation authority under Executive Order 13224.”

Executive Order 13224 was signed by President Bush on September 23, 2001, following the 9/11 attacks on the World Trade Center. The purpose of the Executive Order was to disrupt the financial support network for terrorists and terrorist organizations, authorizing the U.S. government to designate and block the assets of foreign individuals and entities that commit, or pose a significant risk of committing, acts of terrorism.

By designating ransomware attacks on hospitals and other critical infrastructure entities as an act of terrorism, attacks would be classed as national security threats, and the government would have a much broader range of tools at its disposal than are currently available, making it easier to restrict financial transactions, freeze assets, and pursue charges against overseas ransomware actors. It would also allow the government to take diplomatic actions against countries – such as Russia – for harboring ransomware actors. Further, Kaiser argued that in the event of a ransomware attack resulting in the death of a patient, the government should be able to pursue murder or manslaughter charges, which may act as a powerful deterrent.

“Federal prosecutors should be empowered — and encouraged — to evaluate whether homicide charges are appropriate in cases where ransomware actors targeted hospitals, where deaths resulted, and where the actors demonstrated clear foreknowledge that their actions endangered life,” said Kaiser. “Those targeting healthcare, those who have caused documented deaths, those operating with impunity under the protection of hostile foreign governments — deserve to face consequences that match the gravity of what they have done.”

The post Former FBI Deputy Cyber Chief Calls for Terrorism Classification for Healthcare Ransomware Actors appeared first on The HIPAA Journal.