Onsite Women’s Health $2.5M Data Breach Settlement

Posted by Steve Alder

A breach of the email account of an employee of Onsite Women’s Health that exposed the protected health information of 357,265 individuals has resulted in a $2,525,000 settlement. Onsite Mammography, LLC, which does business as Onsite Women’s Health, a Westfield, Massachusetts-based provider of medical imaging services to hospitals, identified unauthorized access to an employee’s email account in October 2024.

The email account was compromised as a result of a response to a phishing email, and while the account was only accessible for a short period of time, sensitive data was exfiltrated, including names, dates of birth, Social Security numbers, driver’s license numbers, credit card numbers, and information related to patients’ mental or physical conditions, and any care they received.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated – Clarkson, et al. v. Onsite Mammography, LLC, d/b/a Onsite Women’s Health – in the United States District Court District of Massachusetts.  The consolidated lawsuit alleged that inadequate security measures had been implemented to prevent attacks on employee email accounts, and if those measures had been implemented, the data breach could have been prevented or at least the attack could have been detected more quickly, limiting the harm caused.

While the affected individuals were offered 12 months of complimentary credit monitoring services, the plaintiffs argue that the offer was insufficient considering the level of risk they face. They also claim that the defendant provided no reassurances that the stolen data had been deleted or that security had been sufficiently strengthened to prevent similar incidents in the future.

The lawsuit asserted claims for negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and declaratory judgment. The defendant maintains there was no wrongdoing and disagrees with the claims and contentions asserted by the plaintiffs. Despite disagreeing with the claims, after considering the likely costs and risks associated with continuing with the litigation, Onsite Women’s Health agreed to settle the lawsuit.

Under the terms of the settlement, Onsite Women’s Health will establish a $2,525,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the eight class representatives. The remainder of the settlement fund will be used to cover benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses incurred as a result of the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for three years of credit and medical data monitoring and insurance services. Class members may also claim a pro rata cash payment, which will be paid after all costs and claims have been paid and will exhaust the settlement fund. The deadline for objection and exclusion is July 13, 2026. Claims must be submitted by August 11, 2026, and the final fairness hearing has been scheduled for September 9, 2026.

The post Onsite Women’s Health $2.5M Data Breach Settlement appeared first on The HIPAA Journal.

Clarinda Regional Health Center Reports Data Breach Affecting 24K Patients

Posted by Steve Alder

Data breaches have been announced by Clarinda Regional Health Center in Iowa, Community Connections in DC, Waveny Lifecare Network in Connecticut, and NJ Pain Care Specialists in New Jersey.

Clarinda Regional Health Center

Clarinda Regional Health Center, a Clarinda, IA-based non-profit hospital, has started notifying 24,341 individuals about a recent cybersecurity incident that exposed sensitive data. Suspicious activity was identified within its computer network on December 15, 2026, and the forensic investigation determined that files containing patient data may have been accessed or acquired without authorization in October 2025. The LockBit5 ransomware group claimed responsibility for the incident.

The file review confirmed that the exposed data included first and last names, dates of birth, medical information, health insurance information, financial account numbers, Social Security numbers, driver’s license numbers, and taxpayer identification numbers. The types of data varied from individual to individual.

The review of the affected files was completed on May 21, 2026, and notification letters started to be mailed to the affected individuals on June 2, 2026. Individuals whose Social Security numbers were exposed in the incident have been offered complimentary credit monitoring and identity theft protection services. Clarinda Regional Health Center has confirmed that additional security measures have been implemented to reduce the risk of similar incidents in the future.

Community Connections

Community Connections, a Washington D.C.-based non-profit provider of behavioral health, residential, and primary health care coordination services, has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 18,943 individuals.

The breach was reported to OCR on May 18, 2026. Details about the data breach have yet to be publicly disclosed; however, a ransomware group – Inc Ransom – claimed responsibility for the incident and listed Community Connections to its dark web data leak site in late March, although it does not appear to have leaked the stolen data.

A similarly sized data breach was experienced in 2024, affecting 18,943 individuals. According to the notifications issued on August 27, 2025. The incident was detected on October 21, 2024, and full names, addresses, dates of birth, Social Security numbers, financial information, driver’s license or state identification information, medical information, and health insurance information were potentially involved. Following that incident, multiple steps were taken to reduce the risk of similar incidents in the future, including implementing new technical safeguards and retraining members of its workforce.

Waveny Lifecare Network

Waveny Lifecare Network, a New Canaan, CT-based community-focused non-profit providing residential care, skilled nursing, and in-home care services to seniors, has recently reported a data security incident to the Maine Attorney General that has affected 8,548 individuals. Suspicious activity was identified within its computer systems on May 28, 2025. Third-party cybersecurity specialists were engaged to investigate the incident and confirmed that a limited amount of data was accessed by an unauthorized third party on May 28, 2025.

Waveny Lifecare Network conducted a time-consuming review of the affected data, and that process was completed on March 23, 2026. Up-to-date contact information was then obtained to allow notification letters to be mailed, which were sent on June 2, 2026. The notification letter to the Maine AG has the data types redacted, although they are detailed in the individual notification letters. As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

NJ Pain Care Specialists

NJ Pain Care Specialists, LLC, an interventional spine and pain management practice in Ocean Township, New Jersey, has announced a data security incident. Unauthorized activity was identified within its computer network on or around February 28, 2026. The investigation confirmed unauthorized access to its network occurred between February 25, 2026, and February 28, 2026, during which time, files may have been removed from its network.

The investigation to date has determined that data compromised in the incident includes names, addresses, dates of birth, medical record numbers, driver’s license numbers or other ID numbers, clinical or treatment information, medical procedure information, medical provider names, prescription information, and health insurance information.

NJ Pain Care Specialists said it has reviewed and enhanced its data security policies and procedures, and its technical, administrative, and physical safeguards. The investigation is ongoing, and the number of individuals has yet to be determined. The breach has been reported to the HHS’ Office for Civil Rights using an interim total of at least 501 individuals. The total will be updated when the investigation is concluded.

The post Clarinda Regional Health Center Reports Data Breach Affecting 24K Patients appeared first on The HIPAA Journal.