Starr Insurance Discloses Ransomware Attack
The health insurance company Starr Insurance has disclosed a ransomware attack and data breach. Data breaches have also been reported by the medical imaging company Green Imaging and the AI-based care coordination provider Lena Health.
Starr Insurance
Starr Insurance, a Chambersburg, Pennsylvania-based insurance agency, has recently confirmed that hackers accessed parts of its computer network and potentially obtained a range of sensitive data. Suspicious network activity was identified on November 18, 2025. Assisted by third-party cybersecurity experts, Starr Insurance determined that an unauthorized actor accessed and copied files from its network on November 28, 2025.
The review of the affected data confirmed that the hacker obtained information such as names, addresses, Social Security numbers, driver’s license numbers, financial account information, payment card information, medical information, health insurance information, and online account access information. Regulators have been notified, and individual notification letters are being sent to the affected individuals. Starr Insurance has enhanced its policies and procedures relating to data protection and security.
At the time of issuing notifications, no attempted or actual misuse of patient data had been identified. Starr Insurance did not state if this was a ransomware attack; however, a ransomware group claimed responsibility for the breach. Akira, one of the most active ransomware groups, claimed to have stolen 15 gigabytes of data in the attack. Akira engages in double extortion, stealing data, encrypting files, and demanding a ransom be paid to obtain the decryption keys and prevent the publication of the stolen data. The stolen data was listed for download, indicating that the ransom was not paid. Based on the breach notice issued by Starr Insurance, complimentary credit monitoring and identity theft protection services do not appear to have been offered to the affected individuals. At the time of publication, the number of affected individuals has yet to be publicly disclosed.
Green Imaging
Green Imaging LLC, a full-service virtual medical imaging network with locations in all 50 U.S. states, has started notifying patients about a data security incident first identified on October 17, 2025. Suspicious activity was identified within its email environment, and the investigation confirmed unauthorized access to a single user’s email account between October 7, 2025, and October 17, 2025.
The review of the account has recently been completed, and the results have been validated. The types of information compromised in the incident vary from individual to individual and may include names in combination with one or more of the following: address, date of birth, Social Security number, driver’s license number, other government-issued identification number, clinical/treatment information, diagnosis/condition, procedure type, physician information, medication, and other health and/or health insurance information.
Green Imaging has reviewed its policies and procedures related to data privacy and security and has taken steps to reduce the risk of similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Bloom Circle, Inc. – Lena Health
Bloom Circle, Inc., doing business as Lena Health, a Houston, TX-based provider of an AI-based care coordination platform, has recently notified the HHS’ Office for Civil Rights about a data security incident involving the electronic protected health information of up to 3,651 patients. The exposed data was stored in a public cloud storage container (Amazon S3 bucket). A hacker exploited a vulnerability in December 2025, allowing data to be exfiltrated. A patch was available to address the vulnerability; however, it had not been applied quickly enough to prevent exploitation.
Data compromised in the incident included names, dates of birth, phone numbers, medical record numbers, health information, and recordings of phone calls between patients and providers, in which patients discussed their health issues. A threat actor – FulcrumSec – who engages in data theft and extortion, claimed responsibility for the hack. According to databreaches.net, most of the stolen data related to patients of its client, Houston Methodist Hospital in Texas.
The post Starr Insurance Discloses Ransomware Attack appeared first on The HIPAA Journal.
RXNT Notifies Customers About Cybersecurity Incident and Data Breach
Networking Technology, Inc., doing business as RXNT, a healthcare software technology company that provides electronic health record software, has started sending notification letters to organizations that use its software to inform them about a recent security incident that exposed patient data. A copy of one of the notification letters was shared with The HIPAA Journal, which states that unauthorized activity was identified within an RXNT solution used by some of its customers. An investigation was immediately launched to determine the nature and scope of the unauthorized activity, with assistance provided by third-party cybersecurity experts.
RXNT has confirmed that an unauthorized actor accessed the solution between March 1, 2026, and March 3, 2026, and obtained a copy of the data stored within the system, which included patient data associated with its customers. The data was reviewed between March 3, 2026, and April 17, 2026, and RXNT can now confirm that patient names, dates of birth, and demographic information such as addresses, contact information, and patient IDs were stolen. Each customer was informed about how many patients were affected.
RXNT said it is taking steps to strengthen security to prevent similar incidents in the future and has offered to handle all breach reporting requirements on behalf of the affected clients (OCR notifications, media notices, individual notifications, and state attorneys general notifications). The affected clients have been given a rather short window to respond and sign up to receive further information about the cybersecurity incident. The notification letters are dated May 1, 2026, and providers are required to register by May 15, 2026. A website has been established specifically for that purpose – RXNTnotification[dot]com.
RXNT has only recently notified the affected organizations and offered to handle breach reporting requirements; therefore, the number of affected individuals has not yet been publicly disclosed. It is clear that multiple clients have been affected, and this has been a significant data breach.
This is a developing data breach story, and further information will be published on this page as it becomes available.
Alpine Ear, Nose, & Throat Settles Class Action Data Breach Lawsuit
Alpine Ear, Nose, & Throat, a Fort Collins, Colorado-based healthcare provider with multiple locations in the state of Colorado, has settled a class action lawsuit stemming from a 2024 data breach that was reported to the HHS’ Office for Civil Rights as affecting 65,648 individuals.
The security breach was identified on November 26, 2024, and the data breach was announced on January 17, 2025. It took until October 9, 2025, to complete the data mining process, and the affected individuals were notified on January 30, 2026, 14 months after the data breach was first identified. Data compromised in the incident included names, demographic information, dates of birth, medical information, health information, financial account information, credit card numbers with CVCs and expiration dates, and Social Security numbers.
Shortly after the data breach was announced, but several months before notification letters were mailed, a class action lawsuit was filed by Plaintiff Deborah Knoll in the District Court of Denver County, Colorado, in response to the data breach. On March 13, 2025, the lawsuit was voluntarily dismissed, and plaintiff Anthony Pfirrman was substituted as the plaintiff. At the request of the defendant, the lawsuit – Pfirrman v. Alpine Ear, Nose, & Throat, PLLC – was transferred to the District Court for Larimer County, Colorado.
The plaintiff alleged that the defendant was at fault for the data breach due to the failure to implement reasonable security measures to protect sensitive data on its network. The lawsuit asserted claims for negligence, negligence per se, invasion of privacy, breach of implied contract, breach of confidence, breach of fiduciary duty, unjust enrichment, and declaratory judgment, all of which were denied by the defendant, including the claims of wrongdoing and liability.
All parties began to explore the possibility of a settlement to avoid the costs and risks associated with protracted litigation and a trial, and following mediation in November 2025, the material terms of a settlement were agreed upon. The settlement has now been finalized and has received preliminary approval from the court. The defendant has agreed to pay attorneys’ fees and costs up to a maximum of $330,000, a service award for the class representative of $2,500, and the following benefits to the class members.
- Two years of credit and medical monitoring services (CyEx Medical Shield Complete)
- Reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member
- Compensation for lost time, up to a maximum of 4 hours at $20 per hour
Class members who do not wish to submit a claim for reimbursement of losses and compensation for lost time may instead claim an alternative one-time cash payment of $50. Individuals wishing to object to the settlement or exclude themselves must do so by June 23, 2026. The deadline for submitting a claim is July 23, 2026, and the final fairness hearing has been scheduled for August 11, 2026.
CMS Found to Have Leaked Providers’ SSNs
A database created by the Centers for Medicare and Medicaid Services (CMS) has been exposed online, revealing providers’ Social Security numbers. The database can be downloaded, as it was by reporters at the Washington Post. The CMS created a new directory last year to help seniors find healthcare providers covered by insurance plans. The directory lists doctors and other healthcare providers who accept certain insurance plans, in an effort to improve transparency and access to care.
The database created by the CMS to power the provider directory has been found to be leaking some sensitive data. The data that populated the directory was found to contain the Social Security numbers of certain providers, which were linked to their names and other identifying information. The database was publicly accessible for several weeks, and while not immediately visible to individuals who visit the provider directory, it was possible to download the database.
The reporters searched the database and identified dozens of Social Security numbers by reviewing just a sample of rows. The CMS was notified and responded, saying it is working on a fix to resolve the issue that led to the data exposure. “[The problem] stems from incorrect entries of provider or provider-representative-supplied information in the wrong places,” explained the CMS. “The agency has taken steps to address it promptly and reinforce safeguards around data submission and validation.”
The explanation suggests that the exposed Social Security numbers are included in the database due to providers entering Social Security numbers into incorrect fields. The CMS did not confirm how many individuals have had their Social Security numbers exposed. Critics suggest that the rollout of the directory was rushed and that the project did not have sufficient oversight. Initially, when the directory was launched, providers were associated with incorrect health plans, with some pages confirming that a provider was covered by an insurance plan, while other pages said they were out of network.
Former Maryland Pharmacist Indicted Over 8-Year Cyber Spying Campaign
A former Maryland hospital pharmacist who is alleged to have engaged in a multi-year cyber spying campaign is facing up to 17 years in jail. Matthew Bathula, 41, of Clarksville, is alleged to have engaged in the spying campaign for more than 8 years between July 2016 and September 2024, during which time he intentionally accessed computers without authorization and used a range of cyber intrusion techniques to steal sensitive data, including installing keyloggers and cookie managers, file masquerading, and setting up mailbox rules to avoid detection.
According to the indictment, these techniques allowed Bathula to steal a range of sensitive data, including usernames, passwords, cookies, images, videos, and other sensitive data. The data obtained from his actions was used to spy on current and former employees, individuals in a relationship with current and former employees, and other individuals affiliated with his employer. Credentials were obtained for almost 200 victims, which were used to access their social media accounts, as well as Google Photos, Google Nest, iCloud Photos, dating apps, and Gmail and Microsoft 365 accounts. He also created mailbox rules to delete warning messages, such as Critical Security Alerts, to avoid detection. Since cookies were stolen, they allowed Bathula to maintain access to victims’ accounts on his personal devices that were not connected to his employer’s network.
Further, between February 2023 and July 2024, spyware was installed on one or more of his employer’s computers, allowing him to conduct video surveillance of people at work and record video content. That included accessing Internet-enabled cameras and using them to record videos of young doctors and medical residents pumping breastmilk in closed treatment rooms. He is also alleged to have used stolen credentials to access the home security systems of his victims, which included using those systems to record video footage of women breastfeeding, interacting with young children, and engaging in sexual acts with their partners.
Bathula has been charged with two counts of unauthorized access to a protected computer and one count of aggravated identity theft while working as a pharmacy clinical specialist for Company A, a medical system located in the District of Maryland. “Bathula’s alleged actions are a reprehensible invasion of privacy. He betrayed the trust of his employer and co-workers, as he gained access into the private worlds of nearly 200 victims without their knowledge or consent,” Hayes said. “We, along with our law-enforcement partners, are committed to holding individuals accountable who commit cybersecurity crimes, thereby harming unsuspecting people.”
If found guilty, Bathula faces up to 10 years in jail for the unauthorized access to a protected computer at Company A, up to five years for unauthorized access to victims’ protected computers, and up to two years for aggravated identity theft. The aggravated identity theft sentence will be consecutive to any other sentence imposed.
While Company A was not named in the indictment, Bathula was employed by the University of Maryland Medical Center (UMMC) as a clinical pharmacist. At least six current and former employees have taken legal action against UMMC over Bathula’s actions. The lawsuit, which was reported on by The HIPAA Journal in April 2025, asserted claims for negligence, negligent supervision and retention, negligent security, and intrusion upon seclusion-invasion of privacy. The lawsuit seeks a jury trial, compensatory, exemplary, and punitive damages, litigation expenses and attorneys’ fees, and injunctive and declaratory relief.