Data Breaches Reported by New York & Texas Plastic Surgery Practices

Data breaches have recently been reported by Vantage Plastic Surgery in New York City and Austin Plastic and Reconstructive Surgery in Texas.

Vantage Plastic Surgery, New York

Vantage Plastic Surgery, a plastic surgery practice in New York City, has recently disclosed a security incident involving unauthorized access to the protected health information of 4,600 current and former patients. The plastic surgery practice said it first learned about the cyberattack on January 15, 2026, and immediate action was taken to secure its computer environment. Third-party cybersecurity specialists were engaged to assist with the investigation, and on January 22, 2026, the practice confirmed that patient data had been exposed and may have been obtained by an unauthorized third party.

The file review determined that names, addresses, phone numbers, email addresses, dates of birth, and medical record information had been exposed in the incident. The practice announced the data breach on February 14, 2026, and is now notifying the affected patients. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, and steps have been taken to bolster security to prevent similar incidents in the future.

Austin Plastic and Reconstructive Surgery, Texas

Austin Plastic and Reconstructive Surgery in Texas has notified patients about a security incident that involved unauthorized access to its network last summer. The incident was detected on or around July 1, 2025, and the forensic investigation confirmed unauthorized access to its network between June 30, 2025, and July 1, 2025.

Third-party cybersecurity professionals were engaged to investigate the incident, and the affected files were reviewed. On February 28, 2026, it was confirmed that files accessed or acquired in the incident contained names, addresses, dates of birth, financial account information, driver’s license numbers/state identification numbers, passport numbers, Social Security numbers, medical information, and health insurance information.

Notification letters were sent to the affected individuals on March 11, 2026, and at that time, no misuse of the affected data had been identified. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. The breach is not currently listed on the HHS Office for Civil Rights breach portal or on the website of the Texas Attorney General, so it is currently unclear how many individuals have been affected.

The post Data Breaches Reported by New York & Texas Plastic Surgery Practices appeared first on The HIPAA Journal.

Urgent Action Required to Fix Critical Citrix NetScaler Vulnerability

Cybersecurity researchers warn that there could be mass exploitation of a critical flaw in Citrix NetScaler products on a scale similar to the CitrixBleed vulnerability in 2023, which was exploited by ransomware groups. Earlier this week, Citrix disclosed a critical vulnerability affecting its NetScaler ADC and NetScaler Gateway application-delivery products. The vulnerability is an input validation flaw that could allow an attacker to leak sensitive information.

The vulnerability occurs in NetScaler ADC and NetScaler Gateway when configured as a SAML IdP, leading to memory overread. The vulnerability is tracked as CVE-2026-3055 and has a CVSS v4 severity score of 9.3. The vulnerability affects the following NetScaler products, but only when the appliance is configured as a SAML identity provider (IdP):

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
  • NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262

Citrix has released updated software versions to fix the vulnerability, and all customers are advised to prioritize remediation of this vulnerability due to the high risk of exploitation. NetScaler devices are constantly targeted by threat actors, and the vulnerability is certain to be targeted when a proof-of-concept exploit is released.
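As an added illustration for this article (not Citrix tooling or code from The HIPAA Journal), the check a defender would run over an appliance inventory to triage CVE-2026-3055 against the fixed builds listed above. The "MAJOR.MINOR-BUILD.PATCH" build-string format, the status names, the hostnames and the inventory rows are assumptions constructed for the example; the fixed builds are the ones in the list above.

```python
"""Triage NetScaler ADC / Gateway builds against the CVE-2026-3055 fixed builds
listed in the bulletin summary above.

Added example for this article, not Citrix tooling. Assumptions: builds are
written in Citrix's "MAJOR.MINOR-BUILD.PATCH" form (e.g. 14.1-66.54); the
FIPS/NDcPP line is tracked separately because it has its own fixed build;
the inventory rows at the bottom are constructed for the demonstration.
"""

import re

# Fixed builds per release line, as listed in the bulletin summary above.
# Key: (release line, is_fips_ndcpp_build)
FIXED_BUILDS = {
    ("14.1", False): "14.1-66.59",
    ("13.1", False): "13.1-62.23",
    ("13.1", True): "13.1-37.262",
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build):
    """Turn '14.1-66.54' into (14, 1, 66, 54) so the comparison is numeric.

    Plain string comparison gets this wrong: '14.1-66.9' sorts *after*
    '14.1-66.59' lexically, but build 66.9 is older than 66.59.
    """
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def release_line(build):
    major, minor, _, _ = parse_build(build)
    return f"{major}.{minor}"


def triage_build(build, saml_idp, fips=False):
    """Classify one appliance.

    VULNERABLE_EXPOSED     below the fixed build and configured as SAML IdP
    VULNERABLE_NOT_EXPOSED below the fixed build, SAML IdP not enabled
                           (Citrix still advises remediation for all customers)
    FIXED                  at or above the fixed build for its release line
    UNKNOWN_LINE           release line not in the bulletin list; check the
                           bulletin directly rather than assuming it is safe
    """
    fixed = FIXED_BUILDS.get((release_line(build), fips))
    if fixed is None:
        return "UNKNOWN_LINE"
    if parse_build(build) >= parse_build(fixed):
        return "FIXED"
    return "VULNERABLE_EXPOSED" if saml_idp else "VULNERABLE_NOT_EXPOSED"


def triage_inventory(rows):
    """Map hostname -> status for a list of inventory dicts; an unparseable
    build is reported as PARSE_ERROR instead of aborting the whole run."""
    result = {}
    for row in rows:
        try:
            result[row["host"]] = triage_build(
                row["build"], row.get("saml_idp", False), row.get("fips", False))
        except ValueError:
            result[row["host"]] = "PARSE_ERROR"
    return result


# Constructed sample inventory (hostnames and builds invented for the example).
SAMPLE_INVENTORY = [
    {"host": "ns-gw-01", "build": "14.1-66.54", "saml_idp": True},
    {"host": "ns-gw-02", "build": "14.1-66.59", "saml_idp": True},
    {"host": "ns-gw-03", "build": "14.1-66.9", "saml_idp": False},
    {"host": "ns-fips-01", "build": "13.1-37.100", "saml_idp": True, "fips": True},
    {"host": "ns-old-01", "build": "12.1-55.1", "saml_idp": True},
    {"host": "ns-bad-01", "build": "14.1 build 66", "saml_idp": True},
]

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

Two points the code is built around: builds must be compared component by component as integers, because a string sort ranks 66.9 above 66.59 and would mark an old build as patched; and a release line that is not in the bulletin list is reported as unknown rather than safe, since absence from the list is not evidence of immunity.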

This is not the only vulnerability to be disclosed by Citrix this week. Citrix also disclosed a race condition flaw – CVE-2026-4368 – that affects NetScaler ADC and NetScaler Gateway 14.1-66.54 when the appliance is configured as either a gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server. The vulnerability is rated high severity, with a CVSS base score of 7.7. Action should be taken to mitigate the vulnerability for customer-managed instances. The vulnerability has been fixed in version 14.1-60.58. Further information on the flaws can be found in the Citrix security bulletin.


Excelsior Orthopaedics; Buffalo Surgery Center Pay $2.4 Million to Settle Data Breach Lawsuit

A settlement has been reached to resolve class action data breach litigation against Excelsior Orthopaedics and Buffalo Surgery Center. The lawsuit was filed in response to a 2024 data breach that affected hundreds of thousands of patients. On or around June 23, 2024, Amherst, New York-based Excelsior Orthopaedics identified suspicious network activity, and its forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The data breach also affected Northtowns Orthopaedics in Buffalo and Buffalo Surgery Center.

Excelsior Orthopaedics reported the data breach to the HHS’ Office for Civil Rights as affecting 394,752 individuals, and Buffalo Surgery Center reported the breach as affecting 64,000 of its patients. The hackers obtained names, demographic information, driver’s license numbers, Social Security numbers, medical information, health insurance information, and financial information. The affected individuals were notified on December 31, 2024.

Multiple class action lawsuits were filed against Excelsior Orthopaedics and Buffalo Surgery Center over the data breach. The lawsuits were consolidated – Szucs et al. v. Excelsior Orthopaedics, LLP et al. – in the Supreme Court of the State of New York, County of Erie. The consolidated lawsuit alleged that the plaintiffs and class members suffered multiple injuries as a result of the data breach, and that those injuries were caused as a result of the “defendants’ failures to properly secure, safeguard, encrypt, and/or timely and adequately destroy Plaintiffs’ and Class Members’ sensitive personal identifiable and health information.”

The lawsuit alleged that the defendants failed to comply with industry standards for cybersecurity, FTC guidelines, and their obligations under HIPAA. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, and violations of the New York Deceptive Acts and Practices Act.

The defendants deny all claims and contentions in the lawsuit and deny any wrongdoing or liability; however, the defendants and the plaintiffs agreed that a settlement was the best outcome to avoid the costs of protracted litigation and the uncertainty of trial. Under the terms of the settlement, the defendants agreed to pay $2,400,000 to settle the lawsuit, from which attorneys’ fees and expenses, notification and settlement costs, and service awards for the 9 named plaintiffs will be deducted. The remainder of the settlement fund will be used to pay for benefits for the class members.

Those benefits include two years of three-bureau credit monitoring services, the code for which will be automatically sent to the class members, without having to submit a claim. In addition, class members may choose to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, if a claim for reimbursement of losses is not submitted, class members may claim a cash payment. The cash payments will be paid pro rata, and the value will depend on the remaining settlement funds. The deadline for objection to the settlement and exclusion is May 17, 2026. Claims must be submitted by June 11, 2026, and the final fairness hearing has been scheduled for July 8, 2026.


BakerHostetler: Healthcare Remains Most Targeted Sector with Extortion-Only Attacks on the Rise

Healthcare has retained its position as the industry most targeted by cyber actors, an unwanted accolade that the sector has held for more than a decade, and in 2025, healthcare had the highest average ransom payments, averaging $1,154,245, according to the recently published BakerHostetler 2026 Data Security Incident Response Report. The report is based on more than 1,250 data security incidents that the law firm was engaged in last year.

BakerHostetler has been publishing annual breach reports for 12 years, and in each of those years, healthcare accounted for more cyber incidents than any other industry. In 2025, healthcare – which includes biotech and pharma – accounted for 27%, with finance/insurance in second spot, accounting for 18% of incidents. While healthcare data breaches remain high – more than 700 last year – 2025 was the second consecutive year where breaches impacting 500 or more individuals declined, albeit only slightly.

Last year saw some threat actors issue astronomical ransom demands, the highest of which was $98 million, more than double the highest ransom demand in 2024 ($40 million). The largest ransom paid was $5.65 million, down from more than $20 million in 2024. Ransom payments increased in 2025, from an average payment of $501,338 in 2024 to $682,702, although average payments in healthcare were 69% higher.

BakerHostetler’s analysis revealed that threat actors are spending less time in networks, with dwell time falling from 36 days in 2023 to just 22 days in 2025. As defenders have gotten better at detecting intrusions, threat actors have had to adapt and are spending less time snooping to find data of interest. Linked to this is a growing trend of encryption being abandoned in some attacks, with some threat groups opting to conduct extortion-only attacks. These are faster and quieter, with less chance of discovery before the attackers have achieved their aims, although in some attacks the exfiltration of data is what tipped off victims to the intrusion, forcing the attackers to abandon encryption.

In 2025, across all industry sectors, 34% of victims of ransomware attacks paid the ransom, but there was a notable shift in the reason for payment last year. In 2024, 43% of victims of ransomware attacks paid the ransom to obtain a decryptor, with 34% paying to prevent the publication of stolen data. Those figures were reversed in 2025, with 31% of victims paying to obtain the decryptor, 43% paying to prevent the publication of stolen data, and 26% paying both to recover data and to prevent a data leak. Out of all extortion/ransomware incidents, 64% resulted in data theft requiring notices to individuals.

The Qilin ransomware group stepped up its attacks in 2025, having recruited affiliates from other ransomware operations, although Akira took top spot, based on the number of incidents BakerHostetler was engaged to assist with. Lynx/INC Ransom took third spot, followed by Clop in fourth and the now defunct RansomHub in fifth. The law enforcement operations against the LockBit ransomware group have clearly been effective, as BakerHostetler reports that for the first time in the past five years, LockBit was not in the top five most active ransomware groups.

This year’s report includes a spotlight on the healthcare sector. Out of all healthcare incidents that BakerHostetler was engaged in, 35% were attributed to vendors, which remain an Achilles heel in the industry. Vendor incidents were among the largest data breaches, such as the data breach at Conduent that affected more than 10 million individuals, the 5 million+ data breach at Episource, and the data breach at Oracle Health (Cerner). The number of individuals affected by the latter has not been disclosed, but is certainly in the millions.

While announcements were made about 21 resolution agreements in 2025, only 12 of the settlements/notices of final determination had 2025 dates. Out of those 12, seven resolved alleged HIPAA violations at business associates, as OCR demonstrated it is taking a keen interest in HIPAA compliance by vendors.

BakerHostetler suggests that fewer penalties are likely to be imposed this year, as OCR may opt to provide more efficient technical assistance; however, state attorneys general may well fill the gap as they exercise their authority to penalize healthcare organizations over breaches of the protected health information of state residents.

BakerHostetler predicts that state actions are likely to increase, as states are increasing staffing in their data privacy units. The expected focus will be data breach incident investigation, data awareness and data minimization, more robust protections for sensitive data, and greater incident investigation transparency. With Congress yet to pass federal data privacy legislation, more states will implement their own privacy legislation.
