83,000 Clients Affected by Cyberattack on Ohio Counseling Center

Posted by Steve Alder

The Counseling Center of Wayne and Holmes Counties has experienced a cyberattack affecting 83,350 individuals. Data breaches have also been announced by Neurological Associates of Washington and Pecan Tree Dental.

Counseling Center of Wayne and Holmes Counties

The Counseling Center of Wayne and Holmes Counties (CCWHC) in Wooster, Ohio, has experienced a data security incident affecting 83,354 individuals. On March 3, 2025, CCWHC’s third-party service provider notified CCWHC about a cybersecurity incident, which caused disruption to its IT systems. An investigation was launched, and steps were taken to contain and remediate the incident. All impacted systems and accounts were removed, credentials were reset, and leading data privacy and security experts were engaged to assist with the investigation.

The forensic investigation determined that an unauthorized third party gained access to a single CCWHC server on March 2, 2025, and exfiltrated files on March 3, 2025. Based on the initial findings of the investigation, the general types of information compromised in the incident include names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health insurance information, medical condition information, treatment provider names, medical record numbers, treatment cost information, diagnoses, and treatment information.

CCWHC has worked with cybersecurity experts and privacy professionals to review and further strengthen system security. The file review was completed on December 9, 2025, and notification letters have now been mailed to the affected individuals.

Neurological Associates of Washington

Neurological Associates of Washington (NAW) has recently confirmed that the personal and protected health information of 13,500 individuals was stolen in a December 2025 cyberattack. It is now rare for a healthcare provider to disclose details about a hacking incident in its data breach notice; however, NAW has bucked that trend and disclosed that the Dragonforce ransomware group was behind the attack. NAW also confirmed that sensitive patient data was stolen and published on the dark web by Dragonforce.

NAW immediately alerted the Federal Bureau of Investigation (FBI), which investigated the incident and confirmed that the stolen data was published on the dark web on December 28, 2025. The FBI is conducting further investigations into the attack, but has confirmed that the data compromised in the incident related to patients from 2019 to 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnoses, disability codes, medical information, and other types of data. New patients from January 2025 onwards had their data added to a new cloud-based records system, which was not accessed in the attack.

NAW said it has implemented a deep reset and restructuring of its IT system in response to the incident and confirmed that the affected database is now stored in an offline environment. At the time of issuing notifications, NAW said it was unaware of any actual or attempted misuse of the stolen data. As a precaution against identity theft and fraud, the affected individuals have been offered 12 months of complimentary credit monitoring services.

Pecan Tree Dental

Pecan Tree Dental, PLLC, in Grand Prairie, Texas, has confirmed that it experienced a cybersecurity incident involving unauthorized access to its computer systems. The website notice is light on detail, only stating that steps have been taken to secure its systems, and cybersecurity and legal professionals have been engaged to assist with the investigation. At the time of uploading the notice to its website, it was unaware of any unauthorized access to patient information or data misuse. The OCR breach portal indicates that up to 13,300 individuals had their protected health information exposed in the incident.

The Texas attorney general was informed that data compromised in the incident includes names, addresses, dates of birth, medical information, and health information. This appears to have been a ransomware attack by the Sinobi threat group, which added Pecan Tree Dental to its dark web data leak site on January 11, 2026. Sinobi claims to have exfiltrated 250 Gb of data in the attack and has leaked the stolen data.

The post 83,000 Clients Affected by Cyberattack on Ohio Counseling Center appeared first on The HIPAA Journal.

Staten Island University Hospital Settles Lawsuit Over Business Associate Data Breach

Posted by Steve Alder

Staten Island University Hospital (SIUH) in New York has agreed to settle a class action lawsuit over a 2024 data breach involving one of its business associates. The data breach occurred in January 2024 at The Medibase Group Inc., a vendor that provides healthcare solutions, technical assistance, and business office solutions. On or around May 8, 2024, The Medibase Group notified SIUH that an unauthorized third party had gained access to Medibase systems, which contained the protected health information of 35,106 individuals. Data compromised in the incident included names, Social Security numbers, dates of birth, medical information, and health insurance information. Notification letters were mailed to the affected individuals on July 5, 2024.

A class action lawsuit was filed by plaintiffs Belle De Santiago and Elena Girenko over the data breach – Santiago et al. v. Staten Island University Hospital – in the Superior Court of Cherokee County for the State of Georgia. The lawsuit alleged the data breach was the result of the defendant’s failure to implement reasonable and appropriate security measures to protect sensitive patient data.

The lawsuit asserted claims of negligence/negligence per se, breach of implied contract, and unjust enrichment. SIUH denies all claims of wrongdoing, fault, and liability; however, it agreed to a settlement to avoid the litigation costs and expenses, distractions, burden, expense, and disruption to its business operations associated with further litigation. Class counsel and the lead plaintiffs believe the negotiated settlement is reasonable and fair.

Class members may submit a claim for two years of medical data monitoring services, which include a $1 million identity theft insurance policy. In addition, a claim may be submitted for cash payments. A claim can be submitted for compensation for documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member. A claim may also be submitted for a $35.00 flat cash payment. The deadline for exclusion and opting out is March 2, 2026. The deadline for submitting a claim is March 16, 2026, and the final fairness hearing has been scheduled for March 31, 2026.

The post Staten Island University Hospital Settles Lawsuit Over Business Associate Data Breach appeared first on The HIPAA Journal.

Precipio; Pit River Health Service; Tulane University Medical Group Confirm Data Breaches

Posted by Steve Alder

Data breaches have been announced by the Connecticut diagnostic laboratory Precipio, Pit River Health Service in California, and Tulane University Medical Group in Louisiana.

Precipio, Inc.

Precipio, Inc., a Connecticut-based laboratory specializing in advanced hematopathology diagnostics, has discovered unauthorized access to an employee’s cloud-based storage account. Suspicious activity was identified within the email account on or around November 25, 2025, and the investigation confirmed that an unauthorized third party accessed the employee’s account from November 23, 2025, to November 25, 2025, during which time, files were copied from the account.

The affected files are currently being reviewed to determine the information involved, and that process is currently ongoing. Precipio has yet to disclose a final list of the affected data, but said that, based on its investigation so far, information compromised in the incident includes names, addresses, dates of birth, medical record numbers, clinical/treatment information, medical procedure information, medical provider names, prescription information, and health insurance information.

Since the file review has not yet concluded, the HHS’ Office for Civil Rights has been provided with an interim total of at least 501 affected individuals. The total will be updated when the file review is completed.

Pit River Health Service

Pit River Health Service, the operator of two healthcare clinics in Burney and Alturas in California, has recently announced a data breach affecting up to 1,800 individuals. An unauthorized third party hacked its systems and potentially copied data. Pit River Health Service has confirmed that no data was altered or deleted in the attack, and the Indian Health Service medical record system was not accessed.

In a website update, Pit River Health Service confirmed that some of the affected systems have been restored, although a more extensive security review has been conducted for other affected systems. As a result of the attack, some patient services have been delayed, but appointments and services are continuing. In response to the incident, security monitoring has been stepped up across all of its IT systems.

Tulane University Medical Group

A data breach has been reported to the HHS’ Office for Civil Rights by Administrators of the Tulane Educational Fund d/b/a Tulane University Medical Group. The Louisiana-based medical group experienced a ransomware attack that involved unauthorized access to the protected health information of 6,530 patients.

Tulane University Medical Group does not currently have a substitute data breach notice on its website, so it is unclear exactly what types of information were compromised in the incident. The Cl0p ransomware group claimed responsibility for the attack and added the medical group to its data leak site. Cl0p exploits vulnerabilities in mass attacks, typically vulnerabilities in file-sharing software. Sensitive data is stolen, and ransom demands are issued. Cl0p claims to have exploited a vulnerability on or around November 18, 2025.

The post Precipio; Pit River Health Service; Tulane University Medical Group Confirm Data Breaches appeared first on The HIPAA Journal.

McLaren Health Care Pays $14 Million to Settle Litigation Over Ransomware Attacks

Posted by Steve Alder

McLaren Health Care has agreed to pay $14 million to settle class action litigation stemming from two ransomware attacks in 2023 and 2024 that affected more than 2.8 million patients and employees.

McLaren Health Care is a Grand Rapids, Michigan-based integrated healthcare delivery system that operates 12 hospitals and many healthcare facilities in Michigan, Indiana, and Ohio, and also a health plan. Over the space of a year, McLaren Health Care experienced two ransomware attacks. The first attack was conducted by the ALPHV/BlackCat ransomware group, which had access to its computer network from July 28, 2023, to August 23, 2023. The second attack was conducted by the Inc Ransom ransomware group, which accessed its network between July 17, 2024, and August 3, 2024.

The ALPHV/BlackCat ransomware attack affected 2,103,881 individuals, and the Inc Ransom ransomware attack affected 743,131 individuals. Data compromised in the attacks included names, Social Security numbers, information about past, present, or future physical, mental, or behavioral health or conditions, the provision of health care, and payment for health care.

The first attack was detected on August 22, 2023, and notification letters were mailed to the affected individuals on November 9, 2023. At least eight class action lawsuits were filed in response to the first data breach, which were consolidated in the United States District Court for the Eastern District of Michigan. Following the 2024 ransomware attack and data breach, a further two class action lawsuits were filed. The lawsuits were consolidated in the Michigan 7th Judicial Circuit Court for Genesee County – Cindy Womack-Devereaux, et al. v. McLaren Health Care Corporation.

The lawsuit alleged that McLaren Health Care had inadequate security measures, did not comply with industry standards for data security, FTC guidelines, or the HIPAA Rules, resulting in the first attack. Then, McLaren Health Care failed to learn from the ransomware attack and did not make the necessary security upgrades to prevent further incidents, resulting in a second ransomware attack.

The plaintiffs alleged that they suffered concrete injuries as a result of the attacks, including invasion of privacy, theft of their private information, lost or diminished value of their private information, lost time and opportunity costs, loss of benefit of the bargain, loss of employment opportunities, and a continued risk of their private information being misused, as it remains unencrypted and available for other parties to access via the dark web. The lawsuit asserted claims of negligence, breach of implied contract, breach of express contract, and unjust enrichment. McLaren Health Care disagrees with all claims and contentions in the lawsuit.

Following months of dialogue about a potential settlement, the plaintiffs issued a settlement demand, and an appropriate settlement was ultimately agreed upon following mediation. Under the terms of the settlement, class members may submit a claim for one year of single-bureau credit monitoring and identity theft protection services plus one or two cash payments. The first cash payment may be claimed for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. The losses must have been incurred on or after July 28, 2023, and be more likely than not traceable to either of the data breaches.

Regardless of whether a claim is submitted for reimbursement of losses, class members may submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees and expenses, settlement administration costs, service awards for the lead plaintiffs, credit monitoring costs, and claims for reimbursement of losses have been deducted. McLaren Health Care has also agreed to take certain remedial measures and enhance security.

The deadline for exclusion and objection is March 16, 2026. The deadline for submitting a claim is April 29, 2026, and the final approval hearing has been scheduled for April 21, 2026.

The post McLaren Health Care Pays $14 Million to Settle Litigation Over Ransomware Attacks appeared first on The HIPAA Journal.