Sandhills Medical Foundation Ransomware Attack Affects 169,000 Patients
Sandhills Medical Foundation in South Carolina and Laurel Eye Clinic in Pennsylvania have experienced security incidents that exposed patient data. The ransomware attack on Sandhills Medical Foundation affected more than 169,000 individuals.
Sandhills Medical Foundation, South Carolina
Sandhills Medical Foundation, Inc., a federally qualified health center (FQHC) that provides primary care, behavioral health, and immunization services to residents of Chesterfield, Kershaw, Lancaster, and Sumter Counties in South Carolina, has notified 169,017 individuals that some of their personal and health information was stolen by a ransomware group that compromised its network in May 2025.
The ransomware attack was detected on May 8, 2025, when files were found to have been encrypted. Digital forensics experts engaged to investigate the incident determined that the ransomware group had access to the network from May 2, 2025, to May 8, 2025, and that files were exfiltrated during that time. The exposed and stolen files were reviewed and found to contain names, dates of birth, and personal health information. Sandhills Medical Foundation said it has enhanced its network security protocols and expanded its security partnerships to protect against similar incidents in the future. Notification letters were mailed to the affected individuals on or around April 28, 2026, and they have been offered 12 months of credit monitoring and proactive fraud assistance services.
The INC Ransom ransomware group claimed responsibility for the attack and added Sandhills Medical Foundation to its dark web data leak site on May 30, 2025. The group proceeded to leak all of the stolen data on June 15, 2025, indicating that the ransom was not paid.
Laurel Eye Clinic, Pennsylvania
Patients of Laurel Eye Clinic, Laurel Laser & Surgery Center, and LaBrasca Plastic Surgery, headquartered in Brookville, Pennsylvania, are being notified about a data security incident that was identified more than a year ago, on January 25, 2025. Laurel Eye Clinic engaged a third-party cybersecurity firm to investigate the incident, and on March 6, 2025, the investigation confirmed that files had been obtained by the threat actor.
The files were reviewed, and that process was completed on October 30, 2025; however, it took a further five and a half months to verify the identities and obtain contact information for the 42,295 affected individuals. The finalized list of individuals to notify was obtained on April 15, 2026, and notification letters have now been sent. Laurel Eye Clinic said that at the time of issuing the notification letters, no actual or attempted misuse of patient data had been identified.
Data obtained by the threat actor included names, dates of birth, driver’s license numbers, usernames and passwords, medical information, and health insurance information. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, and Laurel Eye Clinic has confirmed that it has implemented additional security measures to prevent similar incidents from occurring in the future.
The post Sandhills Medical Foundation Ransomware Attack Affects 169,000 Patients appeared first on The HIPAA Journal.
Vendor Data Breaches Announced by Six HIPAA-Regulated Entities
There have been several announcements about data breaches at business associates of HIPAA-regulated entities recently, including Providence St. Joseph Orange and Skin & Beauty Center in California, Management-ILA Managed Health Care Trust Fund in New York, and Ideal Home Care, Duncan Regional Home Care, and Chisholm Trail Hospice in Oklahoma.
Providence St. Joseph Orange, California
Providence St. Joseph Orange, a Catholic general hospital in Orange, California, has been affected by a data security incident at its vendor, Pinnacle Holdings, LTD, a health care consulting company. Pinnacle experienced a network disruption in November 2024, and the forensic investigation confirmed unauthorized access to its network between November 11, 2024, and November 25, 2024, during which time files containing protected health information may have been exfiltrated from Pinnacle’s network.
Data potentially compromised in the incident included patients’ first and last name, address, email address, date of birth, encounter ID number, health insurance claim number, health insurance policy number, medical record number, patient account number, patient ID number, phone number, prescription information, Social Security number, Medicare/Medicaid number, provider name, date of service, health insurance information, treatment cost information, and/or medical/diagnostic information.
It has taken a considerable amount of time for individual notifications to be issued. It took Pinnacle more than a year to notify Providence St. Joseph Orange that it had been affected, with the notification issued on December 30, 2025. On February 27, 2026, Providence St. Joseph Orange notified the HHS’ Office for Civil Rights that the protected health information of 11,329 patients was potentially compromised in the incident. Pinnacle has notified the affected individuals directly and has offered them 2 years of complimentary credit monitoring and identity theft protection services.
Skin & Beauty Center, California (DermCare Management)
Skin &amp; Beauty Center in California has announced that it has been affected by a data breach at its management company, DermCare Management. DermCare Management is a Hollywood, Florida-based full-service practice management company for more than 70 skincare and dermatology clinics in Florida, Texas, Virginia, and California, which together serve more than 600,000 patients.
Suspicious activity was identified on February 26, 2025, and on March 3, 2025, it was confirmed that patient data had been compromised. It has taken a year to review the affected data. On March 2, 2026, it was confirmed that names, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information were impacted. The types of data vary from individual to individual.
The notification letters make no mention of complimentary credit monitoring and identity protection services. The affected individuals have been advised to monitor their free credit reports, financial accounts, and explanation of benefits statements, and should report any suspicious activity to the appropriate institution. It is currently unclear how many patients have been affected.
Other clinics affected by the data breach include:
- Berman Skin Institute, California
- Dania Dermatology, Florida
- Dermatology Treatment and Research Center, Texas
- Florida Academic Dermatology Center, Florida
- Hillcrest Plastic Surgery & Dermatology, Florida
- Hollywood Dermatology, Florida
- Keys Dermatology, Florida
- Miami Plastic Surgery, Florida
- Rendon Center for Dermatology & Aesthetic Medicine, Florida
- Skin Center of South Miami, Florida
Management-ILA Managed Health Care Trust Fund
Management-ILA Managed Health Care Trust Fund, a provider of medical, behavioral health, and prescription drug benefits, has been affected by a data breach at the New York law firm, Mazzola Mardon, P.C. According to the law firm, the protected health information of 2,123 individuals was potentially compromised in the incident. Mazzola Mardon explained in its April 15, 2026, substitute breach notice, that unusual activity was detected within its network, and third-party cybersecurity specialists confirmed that a hacker accessed its network and downloaded files on August 8, 2025. The review of those files was completed on January 27, 2026, and the affected individuals were notified by mail on March 23, 2026.
In addition to names, data compromised in the incident included one or more of the following: address, date of birth, Social Security number, drivers’ license and/or state identification number, financial account information, mental or physical condition, treatment/diagnosis information, dates of service, provider name, procedure type, prescription information, medical record number, Medicare identification number, health insurance information, and/or billing/claim information. Mazzola Mardon said it is reviewing and enhancing its cybersecurity posture to prevent similar incidents in the future.
Ideal Home Care & Duncan Regional Hospital (DRH Health), Oklahoma
Two more healthcare providers have recently confirmed that they were affected by the data breach at the vendor Doctor Alliance, a healthcare technology firm that provides a software platform physicians use to review and sign clinical documentation. Doctor Alliance experienced a breach of its platform, with unauthorized access occurring between October 31, 2025, and November 17, 2025. The review of the affected data was completed on April 6, 2026.
- Ideal Home Care, a home health care service provider in Oklahoma, has confirmed that 1,331 individuals were affected. The information potentially accessed included names, addresses, dates of birth, medical record numbers, dates of care, and diagnosis and treatment information.
- Duncan Regional Hospital (DRH Health) in Oklahoma was also affected, with the breach affecting patients of Duncan Regional Home Care and Chisholm Trail Hospice. The breach was reported to the HHS’ Office for Civil Rights as affecting 724 patients. Data compromised included names, addresses, dates of birth, dates of service, health insurance information, medical diagnosis & treatment information, and prescription information.
Other healthcare providers affected by the data breach include Bayada Home Health Care in New Jersey, A Path of Care Home Health and Hospice in Oklahoma, Team Select in Arizona, Community Nurse in Massachusetts, and Enhabit Home Health & Hospice and AccentCare in Texas.
Southern Illinois Healthcare Enterprises Pixel Settlement Approved
A settlement has been agreed to resolve litigation against defendants Southern Illinois Healthcare Enterprises, Southern Illinois Hospital Services, and Southern Illinois Medical Services over their use of website tracking technologies without website users’ knowledge or consent.
Southern Illinois Healthcare Enterprises Pixel Settlement
A class action lawsuit over the use of website tracking technologies has been settled. The lawsuit was filed by John Doe, individually and on behalf of similarly situated individuals, against the defendants Southern Illinois Healthcare Enterprises, Southern Illinois Hospital Services, and Southern Illinois Medical Services over an alleged impermissible disclosure of the plaintiff’s and class members’ private information to third parties.
The lawsuit – Doe v. Southern Illinois Healthcare Enterprises, Inc. – was filed in Williamson County Circuit Court, Illinois, and alleged that personally identifiable information was disclosed to Meta (Facebook) via third-party tools on the defendants’ websites without the knowledge or permission of website visitors. The lawsuit asserted claims for negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Illinois Consumer Fraud and Deceptive Practices Act.
The defendants removed the action to the U.S. District Court for the Southern District of Illinois and sought to have the lawsuit dismissed. That motion was partially successful and led to an amended complaint being filed that alleged negligence, negligence per se, invasion of privacy, breach of express contract, breach of implied contract, unjust enrichment, breach of bailment, breach of fiduciary duty, conversion, trespass to chattel, violation of the Illinois Eavesdropping Statute, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.
The defendants sought to have the amended complaint dismissed; however, that motion was denied by the court. The defendants deny and continue to deny any wrongdoing or liability but agreed to a settlement to avoid the cost of protracted litigation and the risks of a trial. All class members are entitled to claim a one-year membership to the CyEx Privacy Shield Pro service and a one-time cash payment of $17.50. The objection, exclusion, and claims deadline is June 15, 2026. The final fairness hearing has been scheduled for August 24, 2026.