Center for Advanced Eye Care; Southwest C.A.R.E Center; Evergreen Healthcare Group Announce Data Breaches

The Center for Advanced Eye Care in Pennsylvania/Delaware, Southwest C.A.R.E Center in New Mexico, and Evergreen Healthcare Group in Washington have notified patients about cybersecurity incidents involving unauthorized access to patient information.

Center for Advanced Eye Care

The Center for Advanced Eye Care, a provider of ophthalmology services in Pennsylvania and Delaware, has recently announced a security incident that involved unauthorized access to patient data. Suspicious activity was identified within its legacy environment on December 16, 2025. The affected systems were secured, and an investigation was launched to determine the nature and scope of the activity.

Assisted by third-party cybersecurity experts, The Center for Advanced Eye Care confirmed that protected health information within the legacy environment was accessed by an unauthorized third party and was stolen in the attack. The exact types of data involved have not been publicly disclosed at present, and the types of information involved have been redacted from the notices provided to state attorneys general.

As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The affected individuals should avail themselves of those services, as a hacker claimed in December to be selling the stolen data. The data breach is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Southwest C.A.R.E Center

Southwest C.A.R.E Center, a nonprofit healthcare provider in New Mexico, has started notifying patients about a cybersecurity incident last summer that impacted some of their protected health information. The cybersecurity incident was detected on or around June 3, 2025. Third-party cybersecurity experts were engaged to conduct a forensic investigation, which confirmed that patient data had been exposed and may have been stolen.

The specific types of data involved were not stated in its substitute data breach notice, only that the data breach may have included first and last names, personal information, and protected health information. Southwest C.A.R.E Center said it has not identified any misuse of patient data as a result of the incident. Southwest C.A.R.E Center has reviewed and enhanced its technical safeguards and has offered complimentary credit monitoring services and identity theft protection services to all affected individuals for 12 months.

While not described as a ransomware attack, the Medusa ransomware group claimed responsibility for the attack. Medusa is a ransomware-as-a-service group that engages in data theft and encryption, and either sells or leaks the stolen data if the ransom is not paid. Medusa claimed to have exfiltrated more than 143 GB of data in the attack. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Evergreen Healthcare Group

Couve Healthcare Consulting, LLC, doing business as Evergreen Healthcare Group, has alerted patients about a breach of its cloud-based healthcare platform. Evergreen Healthcare Group, a Vancouver, WA-based provider of management consulting, administrative, and operational services to skilled nursing homes and assisted living communities, identified unauthorized activity within the cloud-based system on December 3, 2025. The forensic investigation found evidence of data exfiltration. The file review was completed on February 24, 2026, and confirmed that names, dates of birth, Social Security numbers, and medical information were subject to unauthorized access or were acquired in the incident.

The cloud-based platform has been secured, and Evergreen Healthcare Group has verified the security of its internal systems. Additional technical safeguards and enhanced security measures have been implemented to prevent similar incidents in the future, and complimentary credit monitoring and identity theft restoration services have been offered to the affected individuals. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Center for Advanced Eye Care; Southwest C.A.R.E Center; Evergreen Healthcare Group Announce Data Breaches appeared first on The HIPAA Journal.

Medical Device Manufacturer UFP Technologies Confirms Data Stolen in Cyberattack

The U.S. medical device manufacturer UFP Technologies has submitted a Form 8-K filing to the U.S. Securities and Exchange Commission (SEC) to notify the SEC and investors about a cyberattack and data breach that could potentially impact its financial condition or operations.

UFP Technologies is a publicly traded contract manufacturer based in Newburyport, Massachusetts, that makes single-use medical devices and highly engineered components for the aerospace, automotive, healthcare, and defense industries. The company produces a wide range of medical devices and medical components for products used in wound care, implants, and orthopedic and surgical products. UFP Technologies has an annual revenue of $600 million and employs 4,300 people.

According to the filing, UFP Technologies detected an IT systems intrusion on February 14, 2026. Immediate action was taken to assess, contain, and remediate the threat, and third-party cybersecurity experts were engaged to assist with the investigation. UFP Technologies said it believes the cyber threat actor responsible for the attack has been eradicated from its IT environment and confirmed that it has restored access to systems and information impacted by the incident in all material respects. While the attack did not impact all of its IT systems, many were affected, including the systems used for billing and label-making. UFP Technologies implemented its incident response and contingency plans, and since the incident was detected, it was able to continue operations in all material respects.

Some company and company-related data was either stolen or destroyed in the attack, which suggests this was a ransomware attack or that wiper malware was used. No threat group appears to have claimed responsibility for the attack. UFP Technologies explained in the filing that data has been recovered from backups. The company has confirmed that some data was exfiltrated from its system, although it is too early to determine the extent of the data theft, such as whether any personal or protected health information was stolen. The investigation to determine the nature and scope of the incident is ongoing, and the company is exploring the legal and regulatory notifications and filings that may be required.

As of the date of the filing (February 19, 2026), UFP Technologies said the incident has not had any material impact on its financial systems, operations, or financial condition. While costs have naturally been incurred, the company expects a significant proportion of the costs of containment, investigation, and mitigation will be covered by its cyber insurance policy.


North Korean Hackers Using Medusa Ransomware in Attacks on U.S. Healthcare Sector

North Korean state-sponsored hackers are targeting U.S. healthcare organizations and non-profits and deploying Medusa ransomware, according to a joint investigation by Symantec and the Carbon Black Threat Hunter Team.

A wave of recent attacks has been linked to the Lazarus Group, an umbrella term covering multiple cyber threat actors linked to the Reconnaissance General Bureau (RGB) of the North Korean government. The Lazarus Group engages in attacks for espionage purposes, as well as disruptive and destructive attacks on targets primarily in South Korea, but also engages in financially motivated campaigns, often targeting organizations in the United States.

Medusa emerged in 2023 as a ransomware-as-a-service (RaaS) operation, which is believed to be run by a cybercrime group called Spearwing. Affiliates are recruited to conduct attacks using the Medusa encryptor and infrastructure in exchange for a percentage of any ransom payments they generate. Medusa actors engage in double extortion, stealing and encrypting data. A ransom must be paid to obtain the decryption keys and to prevent the leaking or sale of stolen data. Medusa often auctions off stolen data if the ransom is not paid, leaking data that has not been sold.

While North Korean state-sponsored hackers are known to have used Maui and Play ransomware in their financially motivated attacks, Symantec and the Carbon Black Threat Hunter Team uncovered evidence that the Lazarus Group has started using Medusa in its ransomware campaigns. They identified an attack on a target in the Middle East, plus four attacks on healthcare organizations and non-profits in the United States since November 2025. U.S. victims include a non-profit mental health service provider and an educational facility for autistic children. Since November 2025, when the first Medusa ransomware attacks were attributed to the Lazarus Group, the average ransom demand has been $260,000.

A Lazarus subgroup known as Stonefly (aka Andariel) is believed to be one of the groups involved in the attacks. Stonefly has previously focused on espionage attacks on high-value targets; however, for the past five years, the group has engaged in ransomware attacks, often against hospitals and other healthcare providers. The U.S. Department of Justice has indicted a suspected member of the group, the North Korean Rim Jong Hyok, on charges related to ransomware attacks on U.S. healthcare providers. Rim is alleged to be linked to the RGB and, along with other members of the group, is thought to be involved in ransomware attacks to raise funds for the group’s espionage activities.

Symantec and the Carbon Black Threat Hunter Team have not been able to attribute the attacks to any specific subgroup of Lazarus, but have found sufficient evidence confirming that Lazarus is behind the attacks. Symantec and Carbon Black have tracked more than 366 ransomware attacks involving the Medusa encryptor, although the group has claimed attacks on more than 500 organizations, including more than 40 healthcare organizations. Symantec and Carbon Black have shared indicators of compromise (IoCs) associated with the attacks, along with the range of tools used by the Lazarus Group in its current ransomware campaigns.


Cedar Point Health; Wee Care Pediatrics; Easterseals NI Announce Data Breaches

Data breaches have recently been announced by Cedar Point Health in Colorado, Wee Care Pediatrics in Utah, and Easterseals Northeast Indiana.

Cedar Point Health

Cedar Point Health, a network of health clinics in Colorado, has recently disclosed a cybersecurity incident involving unauthorized access to parts of its network containing patient and employee information. The intrusion was detected on or around June 16, 2025, and third-party cybersecurity experts were engaged to investigate the incident.

Cedar Point Health said it took several months of extensive effort to identify, review, and analyze the impacted data, and that process was completed on January 27, 2026. Data compromised in the incident includes full names, addresses, dates of birth, medical treatment information, diagnosis or procedure information, clinical information, health insurance information, financial account information, driver’s license or state-issued identification numbers, passport numbers, and/or Social Security numbers/ITINs.

No evidence has been found to indicate any fraud as a result of the incident; however, the affected individuals have been advised to remain vigilant against identity theft and fraud by reviewing their accounts and explanation of benefits statements for suspicious activity. Individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services. The data breach is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Wee Care Pediatrics

Wee Care Pediatrics, a pediatric healthcare provider with several locations in northern Utah, has recently announced a cybersecurity incident involving unauthorized access to or the acquisition of patient information. Suspicious activity was identified within its computer network on or around December 15, 2025. Third-party cybersecurity specialists were engaged to investigate the activity and determined that there had been unauthorized access to its network.

The review of the exposed data is ongoing; however, it has been determined that the following types of personal and protected health information were involved: first and last name, contact information, date of birth, Social Security number, treatment/diagnosis information, prescription/medication information, date(s) of service, provider name, medical record number, patient account number, Medicare/Medicaid ID number, and health insurance information.

Immediate action was taken to contain the incident, and steps have been taken to enhance security to prevent similar incidents in the future. Out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Easterseals Northeast Indiana

Easterseals Northeast Indiana, a nonprofit provider of services to individuals with disabilities and their families, has confirmed that protected health information was accessed and acquired in a security breach. Suspicious activity was identified within its computer network on September 4, 2025. Immediate action was taken to secure the network and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity.

On November 10, 2025, data theft was confirmed, including individuals’ first and last names, contact information, birth date, Social Security numbers, diagnostic and treatment information, and health insurance information. While not stated by Easterseals, this appears to have been a ransomware attack. The Inc Ransom ransomware group claimed to have stolen 405 GB of data in the attack. As a precaution against identity theft and fraud, Easterseals has offered complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were involved. At present, it is unclear how many individuals have been affected.


QualDerm Partners Confirms Significant Data Breach

QualDerm Partners, LLC, a provider of healthcare management services to 158 dermatology and skin care practices in 17 U.S. states, has announced a security incident involving unauthorized access to its computer network. Unauthorized network activity was identified on December 24, 2025, and immediate action was taken to contain the incident and secure its network and computer systems. Third-party cybersecurity experts were engaged to conduct a forensic investigation to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized access to its network between December 23 and December 24, 2025. During that time, files containing sensitive data were exfiltrated from its network.

The data review is ongoing to determine the individuals and types of information involved. So as not to unduly delay notifications, QualDerm Partners is mailing notification letters to the affected individuals on a rolling basis. Data compromised in the incident varies from individual to individual, and may include names, email addresses, dates of birth/death, doctor names, medical record numbers, diagnoses, treatment information, and health insurance information. A very small subset of individuals may also have had their government-issued identification information, such as driver’s license numbers, compromised in the incident.

QualDerm Partners said it is reviewing its policies, procedures, and protocols related to data security, and while no misuse of patient data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. QualDerm Partners has yet to publicly confirm exactly how many individuals have been affected, and the incident is not yet shown on the HHS’ Office for Civil Rights breach portal. This does appear to be a significant data breach, as the Texas Attorney General has been informed that 174,837 Texas residents have been affected. Since QualDerm Partners works with dermatology practices in 17 U.S. states, the total number of affected individuals is likely to be considerably higher.

This post will be updated when further information becomes available.
