Xsolis Data Breach Affects 1.4M Individuals

Posted by Steve Alder

Xsolis, a business associate of HIPAA-covered entities that provides AI-powered solutions for improving case and utilization management to achieve more efficient outcomes, has experienced a major data breach as a result of a phishing attack.

According to the data breach notification filed with the California Attorney General, unauthorized activity was identified within the Xsolis environment on January 22, 2026, as a result of a targeted phishing attack. The incident has been contained, unauthorized access has been terminated, no evidence has been found of unauthorized access since January 22, 2026, and Xsolis has found no evidence to suggest any of the exposed data has been misused.

An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that patient data had been exposed and may have been copied. Xsolis engaged digital specialists to review the affected data, and that process has now been completed. Xsolis is notifying the affected individuals and has offered them complementary credit monitoring and identity theft protection services through Kroll for 12 months.

The Kroll website notice about the security incident states that an unauthorized third party had access to a limited portion of the Xsolis environment from January 20, 2026, to January 22, 2026. Data exposed in the incident included names, dates of birth, Social Security numbers, health insurance information, and medical treatment information.

The data breach has been reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 1,396,519 patients of its healthcare provider clients. A list of the affected clients has not been published; however, VHC Health, a healthcare provider serving patients in Northern Virginia and the Washington D.C. Metro area, has confirmed that it has been affected, as has Rochester Regional Health in New York.

Additional security measures have been implemented to prevent similar incidents in the future, system monitoring has been increased, all passwords for key users have been reset, new protective technologies have been deployed, security awareness training for employees has been accelerated, and credential management processes have been strengthened.

The post Xsolis Data Breach Affects 1.4M Individuals appeared first on The HIPAA Journal.

Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients

Posted by Steve Alder

Blue Fish Pediatrics in Texas has announced a July 2025 cyberattack that affected more than 41,000 Texas patients. Data breaches have also been announced by Cherry Health in Michigan, Coastal Carolina Centers of Urology and Surgery in South Carolina, and Regence in Oregon.

Blue Fish Pediatrics, Texas

Blue Fish Pediatrics, a Houston, Texas-based network of pediatric medical practices, has notified the Texas Attorney General about a cybersecurity incident last year that exposed the personal and protected health information of its patients.

In a substitute breach notice on its website, Blue Fish Pediatrics explained that unauthorized access to its IT systems was identified on or around July 17, 2025. After securing its systems, an investigation was conducted to determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that a threat actor had access to a limited number of files between July 11, 2025, and July 17, 2025. Some of those files contained personally identifiable information and protected health information and may have been acquired in the incident.

The files have now been reviewed and found to contain full names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, medical record numbers, diagnosis/condition information, lab results, medications, claims information, and clinical/treatment information. Notification letters are now being mailed to the affected individuals, and complementary credit monitoring have been made available to individuals whose Social Security numbers were exposed.

The total number of affected individuals has yet to be disclosed; however, the bulk of the affected individuals reside in Texas. The Texas Attorney General was informed that 41,485 Texas residents were affected.

Cherry Health, Michigan

Cherry Health, Michigan’s largest non-profit Federally Qualified Health Center serving six counties in the state, announced a breach of patients’ protected health information on June 18, 2026. Suspicious network activity was identified on or around April 19, 2026. The forensic investigation confirmed unauthorized access to its network and the copying of files containing patient information.

The file review is ongoing; however, information likely stolen in the incident includes names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID numbers, patient ID numbers, provider names, service dates, and, for a limited number of individuals, Social Security numbers. Cherry Health said it has not identified any misuse of the impacted data. Cherry Health is working on implementing additional safeguards to prevent similar incidents in the future. At present, it is unclear how many individuals have been affected.

Coastal Carolina Centers of Urology and Surgery, South Carolina

Coastal Carolina Centers of Urology and Surgery, LLC, doing business as Rivertown Surgery Center in Conway, South Carolina, has notified the HHS’ Office for Civil Rights about a network server hacking incident involving unauthorized access to the electronic protected health information of 2,886 individuals.

Only limited information has been made public about the breach, such as it involved unauthorized access to names and health records; however, this appears to have been a ransomware attack by the Qilin ransomware group. Qilin added Coastal Carolina Centers of Urology and Surgery to its dark web data leak site on September 4, 2025, along with screenshots of files allegedly stolen in the attack.  According to the notice sent to the Indiana Attorney General, the breach occurred on August 26, 2025, and notifications were mailed on or around May 22, 2026.

Regence, Oregon

Regence Blue Cross Blue Shield of Oregon has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 2,856 individuals. According to a notice on the Regence website, unauthorized actors registered and accessed some Regence digital member accounts between January 1, 2026, and April 15, 2026, and redeemed wellness rewards for gift cards. Information in the accounts may have been accessed.

The post Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients appeared first on The HIPAA Journal.

VA OIG Identifies Lack of Oversight of VA GenAI Chat Tools

Posted by Steve Alder

A review of the use of generative artificial intelligence (GenAI) tools by Department of Veterans Affairs (VA) staff has identified potential patient safety risks from a lack of safeguards and oversight. The review was conducted by the VA Office of Inspector General (OIG) between October 2025 and January 2026 and found that more than 15,000 VA staff members were using general-purpose GenAI chat tools authorized for use by the Veterans Health Administration (VHA) – VA GPT and Microsoft 365 Copilot Chat.

The reviewers identified broad staff engagement with the AI chat tools. An analysis of an internal prompt‑sharing application identified 135 prompts for the GenAI chat tools, 79 of which were clinical. The drafting of clinical notes and summarization of patient care were among the most common uses of the tools. The VA OIG notes that the tools were not specifically developed for clinical use, and while the VA provides clinical users with general training and resources, the VA does not centrally curate or evaluate prompts or the generative output, which may be applied to clinical decision making. The VA OIG notes that studies of genAI usage in medical settings found that prompt techniques can play a critical role in output errors that could impact diagnoses and care management if not corrected.

The Office of Management and Budget’s 2025 memorandum (Accelerating Federal Use of AI through Innovation, Governance, and Public Trust) requires all agencies to identify high-impact AI use and implement safeguards to manage risk. The VA did not identify the use of VA GPT and Copilot Chat as high-impact, and therefore, the required risk management actions did not apply.

The VHA had determined that Ambient AI Scribe was high-impact, which triggered safety requirements such as pre-deployment testing of the AI tool and providing human oversight before use. Ambient AI Scribe is a targeted clinical documentation tool that listens to clinical visits and drafts medical record notes. The VA-OIG said the tool had functionality similar to the clinical documentation prompts VA staff were using with VA GPT and Copilot Chat, which were not considered high-impact.

The VA OIG made three recommendations to the VHA regarding the use and assessment of GenAI chat tools: Evaluating these tools as high-impact, implementing the required safeguards, and integrating monitoring of AI-related risks into existing patient safety programs. The VHA concurred in principle with the recommendation to evaluate the tools as high -impact and concurred with the other two recommendations. The VHA has provided the VA OIG with an action plan, will develop guidance on the use of the GenAI chat tools, and is working on addressing the recommendations by April 2027.

As the use of GenAI tools in healthcare accelerates, concern is growing that sensitive patient data may be shared with publicly accessible chatbots, and that AI tools could generate output that puts patients at risk of harm or even death. Earlier this year, Health-ISAC and the Health Sector Coordinating Council Cybersecurity Working Group issued guidance on developing effective AI governance frameworks – Health-ISAC’s White Paper: Policies and Safeguards for a Safe Use of AI and the HSCC Health Industry AI Cyber Governance Framework Implementation Guide to help healthcare organizations create an effective AI governance and safeguards framework and responsibly use GenAI and LLMs while minimizing risk.

The post VA OIG Identifies Lack of Oversight of VA GenAI Chat Tools appeared first on The HIPAA Journal.

ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data

Posted by Steve Alder

One Medical, the Amazon-owned primary care provider, has recently announced a cybersecurity incident in which an unauthorized third party gained access to a third-party file storage system containing archived information for One Medical Seniors patients. Last week, the ShinyHunters threat group added One Medical to its dark web data leak site and claimed to have exfiltrated 8.8 terabytes of data.

According to the One Medical website data breach notice, the unauthorized access was identified on June 13, 2026, and was limited to the file storage system, which contained legacy data of One Medical Seniors patients. One Medical Seniors is the new name for Iora Health, which One Medical acquired in 2021. When the breach was discovered, the affected system was immediately secured, and all access was revoked. An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that the file storage system was accessed by an unauthorized third party between June 8 and June 11, 2026. While it has only been a few days since the breach was discovered, One Medical has confirmed that the breach was limited to the file storage platform, which only contained legacy data of certain Iora Health/One Medical Seniors patients. No other One Medical clinics, services, or the One Medical electronic medical record system were accessed.

The data review has begun, and One Medical has confirmed that the system contained demographic information and the clinical records of Iora Health/One Medical Seniors patients in Atlanta, Cape Cod, Charlotte, Piedmont Triad, Denver, Houston, Phoenix, Tucson, and Seattle. The exact data types involved have yet to be made public.  In response to the breach, One Medical said it has revoked all user access and is rotating credentials for all employees with access to the system, and has implemented additional safeguards to prevent similar incidents in the future. The number of affected individuals has yet to be publicly disclosed. One Medical has not confirmed the name of the group behind the attack.

ShinyHunters is a prolific data extortion group that targets large companies, breaches their networks, exfiltrates sensitive data, and demands a ransom to prevent a data leak. The group’s previous healthcare victims include dental benefits administrator DentaQuest, and the medical device manufacturer Medtronic. Last week, ShinyHunters claimed it had stolen 8.8 TB of data from One Medical and threatened to publish the stolen data unless One Medical entered ransom negotiations. One Medical was given until June 22, 2026, to do so, or the data would be leaked. The claim has not been verified by One Medical, and currently, no samples of the stolen data have been provided as proof of data theft. “This is a final warning to reach out by 22 June 2026 before we leak along with several annoying (digital) problems that’ll come your way,” states ShinyHunters on its dark web data leak site.

The post ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data appeared first on The HIPAA Journal.