Mt. Spokane Pediatrics Data Breach Affects 32,000 Patients

Posted by Steve Alder

A cyberattack on Mt. Spokane Pediatrics exposed the data of more than 32,000 patients. Data breaches have also been announced by Cornerstone Care Center in California and Michigan Medicine.

Mt. Spokane Pediatrics

Mt. Spokane Pediatrics in Washington state has started notifying 32,021 individuals about the theft of some of their personal and protected health information in a January 2026 cyberattack. According to its website breach notice, the attack occurred on or around January 1, 2026, and the threat actor was found to have exfiltrated files containing patients’ protected health information. The forensic investigation determined on April 22, 2026, that the data exfiltrated in the attack included full names, dates of birth, Social Security numbers, diagnoses, treatment information, patient numbers, medical record numbers, health plan beneficiary numbers, and dates of service.

Mt. Spokane Pediatrics said it is unaware of any actual or attempted fraud as a result of the data breach. Complementary single-bureau credit monitoring services have been offered to the affected individuals as a precaution. The breach notice does not mention ransomware; however, a ransomware group claimed responsibility for the attack. The Lockbit5 ransomware group added Mt. Spokane Pediatrics to its dark web data leak site on January 3, 2026, and threatened to leak the stolen data in 20 days if the ransom was not paid.

Sanger Skilled Care (Cornerstone Care Center)

Sanger Skilled Care, LLC, doing business as Cornerstone Care Center, a skilled nursing and long-term care facility in Sanger, California, has issued prompt notifications about a recent security incident identified on or around April 7, 2026. According to its substitute data breach notice, unauthorized network access was identified on April 7, 2026. Steps were taken to contain the incident, and an investigation was launched to determine the nature and scope of the activity. On April 16, 2026, the investigation was completed, and it was confirmed that the breach was confined to a single account, which contained some protected health information.

The data review confirmed that the exposed data includes names, dates of birth, lab results, diagnoses, prescription and treatment information, provider names, medical record numbers, patient identification numbers, Social Security numbers, health insurance information, and dates of services. Notification letters were mailed to the affected individuals on May 1, 2026, and 12 months of complimentary credit monitoring services have been offered. At present, the number of affected individuals has not been publicly disclosed.

University of Michigan (Michigan Medicine)

The University of Michigan (Michigan Medicine) has recently announced that it has been affected by a data breach involving its electronic medical record company, Epic Systems Corporation. Michigan Medicine was one of several healthcare providers to be affected by the incident, which involved unauthorized access to patient records through a nationwide health information exchange. Third-party companies accessed patient records for reasons unrelated to patient care. Those companies had been granted access after claiming they had a legitimate need to access patient records; however, patient information was accessed for reasons unrelated to the provision of healthcare services.

Michigan Medicine was informed about the breach by Epic Systems, and its internal review determined in March 2026 that 551 individuals had been affected. The types of information viewed or obtained included names, addresses, phone numbers, email addresses, dates of birth, medical record numbers, diagnoses, medications, allergies, test results, treatment information, and health insurance information. Michigan Medicine is working with Epic and the relevant exchange and network parties to investigate the incident and is monitoring the litigation initiated by Epic Systems in response to the unauthorized access.

The post Mt. Spokane Pediatrics Data Breach Affects 32,000 Patients appeared first on The HIPAA Journal.

Rhode Island Finalizes $12 Million Settlement With Deloitte Consulting Over RIBridges Cyberattack

Posted by Steve Alder

An agreement has been reached between the state of Rhode Island and Deloitte Consulting LLP that will see the professional services firm pay an additional $7 million in financial support to the state following the 2024 cyberattack on the state’s benefits administration system – RIBridges. RIBRidges is Rhode Island’s one-stop shop for public benefits for state residents, including applications and management of Medicaid, food stamps, and other benefits. In November 2024, Deloitte Consulting identified the intrusion and took steps to secure the system. The state was notified about the hack in early December.

The investigation confirmed that hackers had access to the system for around 5 months, during which time they gained access to around 28 of the 338 backend environments of the system and exfiltrated sensitive data, including the data of almost 650,000 Rhode Island benefits applicants and recipients – around 59% of the population of the state. The Brain Cipher ransomware group claimed responsibility for the attack, boasting that access was gained by cracking an 8-character password to gain access to a domain controller – a process Brain Cipher claimed took just 5 minutes. The stolen data was subsequently leaked on the dark web.

In early 2025, the state secured a $5 million payment from Deloitte Consulting to cover immediate costs associated with the incident, and now a settlement agreement has been finalized that will see the total financial recovery increase to $12 million. Deloitte Consulting has also agreed to invest $6 million to cover security enhancements, operational support, and business continuity services that were not covered by its contract with the state. The settlement brings the legal wrangles between the state and Deloitte Consulting to an end.

Deloitte Consulting also faced class action litigation over the data breach and opted to settle the litigation in October 2025. Deloitte Consulting agreed to pay $6.3 million to resolve all claims related to the cyberattack and data breach, with no admission of wrongdoing or liability. Class members were eligible to claim up to $5,000 as reimbursement for out-of-pocket losses and a pro rata cash payment.

May 20, 2025: Rhode Island Releases Details of RIBridges Hacking Investigation

The state of Rhode Island has released a summary of the findings of an investigation by the cybersecurity firm CrowdStrike into the hacking of the Rhode Island state benefit system, known as RIBridges, by the Brain Cipher threat group.

Brain Cipher members were able to gain access to 28 of the 338 environments that comprise the RIBridges system and stole sensitive data such as names, addresses, birth dates, Social Security numbers, and health information. The affected individuals had previously signed up to receive public benefits such as food stamps or private health insurance through the HealthSource RI portal. The state issued notification letters to around 657,000 individuals in January informing them that their sensitive data may have been compromised in the incident.

The forensic investigation determined that 114,879 individuals who received the notifications in January had not in fact been affected, although an additional 107,757 individuals had been affected but were not notified in January. They include approximately 30,000 individuals whose data was collected during employment checks or verifications through the child support system and the Department of Children, Youth, and Families. Notification letters are now being sent to those 107,757 individuals. The final total stands at 644,401 affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 5 years.

The investigation started on December 16, 2024, and concluded on January 31, 2025. According to state officials, Brain Cipher actors gained access to the RIBridges system through the RIBridges Virtual Private Network (VPN) using the credentials of a Deloitte employee. Deloitte is the vendor used by the state of Rhode Island to manage the RIBridges system. CrowdStrike was unable to determine how the credentials were obtained and whether multifactor authentication was bypassed or if it was in place.

Brain Cipher first accessed a non-production environment within the RIBRidges system on July 2, 2024; however, the intrusion was not detected until November 28, 2024. After authenticating with the RIBridges VPN, the threat actor performed initial reconnaissance and lateral movement from an application server to six other systems. Privileges were escalated on two systems via Image File Execution Options (IFEO) injection, and credential harvesting was performed on six systems within the RIBridges environment.

Commercially available remote monitoring and management (RMM) tools were used along with a reverse proxy tool to maintain access to the environment. During the five months of access, Brain Cipher performed data access, staging, and data exfiltration from 28 systems. Large data transfers were performed by Brain Cipher out of the RIBridges system in November.

It was not the data transfers that alerted Deloitte to the hack, but rather a post on the Brain Cipher data leak site on December 4, 2024, claiming data had been stolen. Deloitte investigated the claim and identified suspicious activity, although it took until December 13, 2024, for the breach of the RIBridges system to be confirmed. When it was confirmed that the RIBridges systems had been compromised, it was shut down and remained offline for around a month. No evidence was found of any ransomware on the system.

According to the Crowdstrike investigation, the RIBridges firewall denied traffic from an external cloud storage provider IP address to an internal IP address on September 10, 2024, and between November 11, 2024 and November 28, 2024, the firewall management portal generated 397 alerts from 15 systems about large data transfers to an external cloud storage provider. “Deloitte missed some issues that we certainly hold them responsible for,” said state Governor Dan McKee. “That this would be undetected for that period of time is something that is just unacceptable.” Governor McKee confirmed that the state will be pursuing all avenues in our efforts to ensure accountability and is considering legal action against Deloitte.

The state plans to choose a vendor to modernize the RIBridges system, but it is likely to take between 18 and 24 months to roll out the new system. In the meantime, Deloitte will continue to manage the RIBridges system. The state is also planning on increasing the size of its IT workforce and has requested the budget for an additional 15 hires, including an RIBridges Technical Lead.

February 5, 2025: Deloitte to Pay $5 Million to Rhode Island to Cover Ransomware Attack Expenses

Rhode Island Governor Dan McKee has announced that Deloitte has agreed to pay $5 million to the state of Rhode Island to cover expenses incurred as a result of a December 2024 ransomware attack. The ransomware attack caused a prolonged outage of the state’s RI Bridges system, which is used to manage eligibility for public benefits, including programs such as Medicaid, SNAP, HealthSource RI, and RI Works.

The cyberattack was detected on December 5, 2024, and resulted in the prolonged outage of the RI Bridges system. The personal information of more than 650,000 Rhode Islanders was stolen in the attack, and the data was added to the ransomware group’s data leak site when the ransom was not paid. Information stolen and published included names, contact information, employment details, and Social Security numbers.

For around 2 months, the outage of the RI Bridges system prevented approximately 2,000 Rhode Islanders from enrolling in state-paid healthcare coverage by Blue Cross & Blue Shield and Neighborhood Health. Lindsay Musser Hough, Principal at Deloitte Consulting, said the commitment to pay $5 million to the state was not an admission of wrongdoing or fault and is being provided “in the spirit of supporting the state and its constituents in their response to the bad actor’s cyberattack.” Announcing the payment, Governor McKee said, “Deloitte has recognized that the state has immediate and unexpected expenses related to the breach, and we appreciate their willingness to lend financial support.”

Deloitte has also paid for credit monitoring and identity theft protection services for the 650,000+ individuals who had their data stolen in the ransomware attack, and is also covering the cost of the data breach call center.

January 13, 2025: Rhode Island Starts Notifying Individuals Affected by RI Bridges Ransomware Attack

Rhode Island Governor Dan McKee has confirmed that individual notification letters started to be mailed to the individuals whose personal data was stolen in the December 2024 ransomware attack on the RI Bridges system on January 10, 2025.  Individuals affected by the incident have been offered 5 years of complimentary credit monitoring services through Experian and are being encouraged to take advantage of those services as soon as possible. The deadline for signing up for those free services is April 30, 2025.

The notification letters provide instructions for signing up for the credit monitoring services, including a required activation code. State residents can sign up for the credit monitoring services online or over the phone (833-918-6603). The phone lines are manned Monday through Friday from 9 a.m. to 9 p.m., and on weekends from 11 a.m. to 8 p.m.

The data breach is still being investigated by Deloitte and more individuals may have been affected than the initial review suggests. In such cases, notification letters will be promptly sent to those individuals. “We understand the concerns this breach has caused for our residents,” said Governor McKee. “We appreciate everyone’s patience as these letters are delivered.” State officials are confident that the source of the intrusion has been identified and steps have been taken to ensure the RI Bridges systems can be safely restored. The first phase of that process has been completed and the second phase is underway to restore the public-facing part of the system, which is expected to be brought back online in mid-January.

The state has yet to confirm exactly how many individuals have been affected but has previously indicated approximately 650,000 state residents had their personal data exposed or stolen in the ransomware attack.

December 31, 2025: Ransomware Group Behind RI Bridges Attack Starts Leaking Stolen Data

The ransomware group (Brain Cipher) behind the cyberattack on Rhode Island’s online health and human services platform has started to leak stolen files on the dark web, according to State Governor Daniel McKee. Deloitte has been monitoring the dark web and informed the state Attorney General about the data leak.

The Brain Cipher group promised to leak the stolen data if the ransom was not paid, and the data leak indicates the ransom has not been paid. Brain Ciper allegedly demanded a ransom payment of $23 million in cryptocurrency to prevent the stolen data from being leaked. “This is a scenario that the State has been preparing for, which is why earlier this month we launched a statewide outreach strategy to encourage potentially impacted Rhode Islanders to protect their personal information,” said AG McKee.

McKee said Deloitte is investigating and reviewing the impacted files to determine which individuals have been affected and is also looking to analyze the leaked data; however, the analysis of the leaked data has not yet been completed. The HIPAA Journal has been periodically monitoring the Brain Cipher dark web data leak site to determine if data has been released. The site has been largely inaccessible, which will limit the potential for unauthorized individuals to obtain the leaked data.

Dissent from databreaches.net reached out to the Brain Cipher group after receiving no response from Deloitte. The group confirmed they were behind the attack and provided a preview of the data they would be leaking, and said they have been experiencing a DDoS attack on their data leak site, indicating someone is trying to prevent the group from leaking the data. The identity of the third party or third parties is unknown.

December 27, 2024: Rhode Island Ransomware Attack May Affect Half of State Residents

The cyberattack that forced the shutdown of Rhode Island’s public benefits system (RI Bridges) has potentially exposed the personal data of more than half of the population of the state – approximately 650,000 individuals, according to state Governor Daniel McKee.

McKee said conversations between Deloitte and the Brain Cipher group are ongoing, he is being kept informed of any progress, and no sensitive data appears to have been publicly released so far. He did not provide any information about how much the attackers are demanding to prevent the release of the stolen data, or if there is any intention to pay the ransom. Deloitte is working on restoring the crippled RI Bridges system as soon as possible, although it is not expected to be brought back online until some point in January.

December 17, 2024: Brain Cipher Group Claims Responsibility for Rhode Island Ransomware Attack

The Brain Cipher ransomware group has claimed responsibility for the Rhode Island RI Bridges ransomware attack and is threatening to publish the stolen data if the ransom demand is not paid. Brain Cipher is a relatively new ransomware operation that first appeared in June 2024. The group has already conducted some major attacks, including an attack on the National Data Center in Indonesia, which disrupted operations at more than 200 government agencies and saw the group demand a $8 million ransom payment. The group engages in double extortion and maintains a data leak site where stolen data is published if the ransom is not paid.

Countdown clock on the Brain Ciper data leak siteBrain Cipher claimed responsibility for a ransomware attack earlier this month and added Deloitte to its data leak site. Deloitte has issued a statement confirming that only the RI Bridges system was affected by the ransomware attack. The Deloitte listing on the Brain Cipher data leak site has a countdown clock that indicated the data leak would occur on December 17, 2024, if the ransom was not paid; however, on December 19, 2024, the countdown clock was still ticking down and showed 13 hours remaining, after having been reset. The ransomware group appears to still be holding out for a ransom payment.

On December 16, 2024, State Governor Daniel McKee issued a public service announcement encouraging all state residents who have used any of the affected systems in the past to take immediate action to protect themselves against identity theft and fraud. The RI Bridges hack will almost certainly lead to attempted data misuse by cyber criminals if the ransomware group releases the stolen data.

December 15, 2024: Hundreds of Thousands of Rhode Island Residents Affected by RI Bridges Data Breach

Hundreds of thousands of Rhode Island residents have had their data stolen in a cyberattack on the state government’s RI Bridges system, an online portal used by state residents to obtain social services and health insurance. Vendor Deloitte identified a potential RI Bridges system breach on December 5, 2024, and after confirming the unauthorized access, the portal was shut down on December 13 as a precaution. Deloitte has been working with state officials, IT experts, and law enforcement to investigate the cyberattack and data breach and limit its impact.

While the cyberattack was not initially described as a ransomware attack, Rhode Island’s Chief Digital Officer, Brian Tardiff, confirmed that a threat actor had installed malware and issued a ransom demand, payment of which was required to prevent the publication of the stolen data. It has yet to be confirmed how many individuals have been affected or the exact types of data stolen in the attack. Deloitte said it is still evaluating the data theft incident and said it is likely that information such as names, addresses, dates of birth, Social Security numbers, and potentially bank account information was involved.

Any individuals who applied for or received benefits or health insurance through the RI Bridges system may have been affected. The programs and benefits managed through the RI Bridges system include ,but are not limited to:

  • Medicaid
  • Supplemental Nutrition Assistance Program (SNAP)
  • Temporary Assistance for Needy Families (TANF)
  • Child Care Assistance Program (CCAP)
  • Health insurance purchased through HealthSource RI
  • Rhode Island Works (RIW),
  • Long-Term Services and Supports (LTSS)
  • General Public Assistance (GPA) Program

Rhode Island Governor Daniel McKee confirmed on Friday that the number of Rhode Islanders potentially affected was in the hundreds of thousands. Individual notifications will be mailed to all individuals affected by the Rhode Island data breach when the data breach investigation is concluded. Due to the sensitivity of the data stolen in the ransomware attack, anyone who applied for or obtained benefits or health insurance through any of the above programs should be vigilant against identity theft and fraud, monitor the accounts closely, and take advantage of any available free credit monitoring services. They have also been advised to consider placing a credit freeze or fraud alert with one of the three main credit bureaus and to change any common or reused passwords. State officials have not detected any misuse of the impacted data so far. The hackers are still holding out for a ransom payment and are likely to release the stolen data in the coming week if the ransom is not paid. The state has set up a helpline for state residents to find out more about the Rhode Island data breach. The helpline – 833-918-6603 – will be added Mondays through Fridays from 9 a.m. to 9 p.m.

The post Rhode Island Finalizes $12 Million Settlement With Deloitte Consulting Over RIBridges Cyberattack appeared first on The HIPAA Journal.

OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2023

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has submitted a pair of reports to Congress on the state of compliance with the Health Insurance Portability and Accountability (HIPAA) Privacy, Security, and Breach Notification Rules, and breaches of unsecured protected health information for calendar year 2023, as required by Section 13424(a) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

OCR maintains a data breach portal, through which HIPAA-regulated entities must submit their reports of breaches of unsecured protected health information, and a web page through which individuals may submit a health information privacy complaint. There has been a general trend of increasing data breaches and complaints, which is placing greater pressure on OCR’s limited resources; however, OCR made progress in decreasing the backlog of complaint and data breach investigations in 2023.

The reports show data breaches affecting fewer than 500 individuals increased by 7% year-over-year, data breaches affecting 500 or more individuals increased by 17% year-over-year, complaints were up 2%, and there was a 14% increase in compliance reviews initiated by OCR. In total, OCR resolved 14 investigations in calendar year 2023 with settlements totalling $7,735,000. While that is 4 penalties fewer than in 2022, the total penalty amount increased by $6,932,500 year-over-year. OCR also conducted 182 outreach activities to improve public education about HIPAA rights and to advise regulated entities about compliance and trends in large data breaches reported to OCR.

Healthcare Data Breaches in 2023

In calendar year 2023, OCR received 732 reports of data breaches affecting 500 or more individuals. Across those data breaches, 113,173,613 individuals had their protected health information exposed, stolen, or impermissibly disclosed. The largest healthcare data breach of the year – HCA Healthcare – affected 11,270,000 individuals. The average data breach size in 2023 was 154,609 individuals.

Summary of Data Breaches Affecting 500 or More Individuals

HIPAA breaches affecting 500 or more individuals 2019-2023

OCR has five classifications for healthcare data breaches, and the majority of large healthcare data breaches fell into the hacking/IT incident category. Hacking and IT incidents accounted for 81% of the year’s data breaches and 96% of breached records.

Cause of Breach Number of Incidents Individuals Affected Largest Data Breach
Hacking/IT Incident 590 108,725,761 11,270,000 individuals
Unauthorized Access/Disclosure 120 4,359,037 3,179,835 individuals
Theft 14 69,893 34,016 individuals
Loss 4 16,247 13,184 individuals
Improper Disposal 4 2,675 1,005 individuals

Summary of Data Breaches Affecting Fewer Than 500 Individuals

HIPAA breaches fewer than 500 individuals 2019-2023

OCR received 68,315 reports of data breaches affecting fewer than 500 individuals in calendar year 2023. Smaller HIPAA breaches vastly outnumber large data breaches, but they typically affect only a few individuals. Across those HIPAA breaches, the protected health information of 269,290 individuals was exposed, stolen, or impermissibly disclosed, with an average breach size of fewer than 4 individuals.  The vast majority of smaller breaches were due to human error – employee mistakes and a lack of understanding about HIPAA requirements. The most common causes were misdirected communications (fax, email, mailing) and impermissibly accessing the medical records of co-workers, friends, family members, and other individuals.

Cause of Breach Number of Incidents Individuals Affected Percentage of Breaches
Unauthorized Access/Disclosure 64,231 178,031 66%
Loss 2,414 10,186 4%
Hacking/IT Incident 753 61,021 1%
Theft 714 15,742 1%
Improper Disposal 203 4,310 <1%

2023 Settlements to Resolve Alleged HIPAA Violations

OCR settled 14 investigations with financial penalties and corrective action plans in 2023. No civil monetary penalties were imposed.

HIPAA Regulated Entity Affected Individuals Settlement Amount
Montefiore Medical Center 12,517 $4,750,000
LA Care Health Plan 1,498 $1,300,000
Lafourche Medical Group 34,862 $480,000
MedEvolve Inc. 230,572 $350,000
Yakima Valley Memorial Hospital 415 $240,000
Optum Medical Care 1 $160,000
Doctors’ Management Services 206,695 $100,000
St. Joseph’s Medical Center 3 $80,000
UnitedHealthcare 1 $80,000
iHealth Solutions (Advantum Health) 267 $75,000
Green Ridge Behavioral Health 14,000 $40,000
Phoenix Healthcare (dba Green Country Care Center) 1 $35,000
Manasa Health Center, LLC 4 $30,000
David Mente, MA, LPC 1 $15,000

Keen readers of the HIPAA Journal may notice a discrepancy between these figures and those on pages such as our data breach statistics page, as the HIPAA Journal reports on the year the penalty was announced rather than the year it was agreed.

In 2023, OCR imposed financial penalties to resolve HIPAA failures in 11 areas. The most commonly identified HIPAA failure resulting in a financial penalty was the failure to conduct a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information, and the failure to review records of activity in information systems containing protected health information.

Area of HIPAA Noncompliance Cases
Risk Analysis 7
Review records of information system activity 5
HIPAA Right of Access 4
Impermissible Use or Disclosure of PHI 3
Risk Management 2
HIPAA Security Rule Policies and Procedures 2
Mechanisms for Recording/Examining Activity in Information Systems 2
Business Associate Agreements 1
HIPAA Privacy Rule Policies and Procedures 1
Security Measures to Reduce Risks/Vulnerabilities 1
Periodic Technical and Nontechnical Evaluations 1

HIPAA Complaints and Compliance Reviews in 2023

OCR investigates complaints submitted through the health information privacy complaint web page and initiates compliance reviews if complaints are substantiated. Compliance reviews are also initiated in response to data breaches.

Complaints submitted to OCR about HIPAA violations 2019-2023

Summary of HIPAA Complaints

  • 30,968 new complaints received alleging violations of the HIPAA Rules and the HITECH Act (+553 YOY)
  • 9,680 open complaints carried over from previous years (-10,497 YOY)
  • 38,601 complaints were resolved in calendar year 2023 (+6,351 YOY)
  • 30,464 complaints were resolved before an investigation was initiated (-2,357 YOY)
  • 6,749 complaints were resolved through technical assistance (+3,867 YOY)
  • 691 complaints were resolved through voluntary corrective action (+131 YOY)
  • 695 complaints had insufficient evidence of HIPAA violations (-9 YOY)
  • 2 complaints resulted in OCR providing technical assistance after an investigation (-13 YOY)
  • 5 complaints were resolved through resolution agreements, corrective action plans, and monetary settlements ($320,000), three more than in 2022, when $2,425,640 was collected in settlements/civil monetary penalties.

Summary of Compliance Reviews

  • 773 compliance reviews initiated to investigate allegations of HIPAA violations not stemming from complaints
  • 732 compliance reviews were due to large data breaches (affecting 500 or more individuals), 9 were in response to smaller breaches, and 32 were initiated for other reasons
  • OCR closed 737 of those compliance reviews in 2023 – 580 cases (79%) through voluntary compliance, 60 cases (8%) through technical assistance, 67 cases (9%) where there was insufficient evidence of a HIPAA violation, and 30 cases (4%) were closed due to a lack of jurisdiction to investigate.
  • OCR resolved nine compliance reviews with resolution agreements and corrective action plans, collecting $7,415,000 in financial penalties.

You can view a summary of the HIPAA reports for 2022 in this post. Click the following links to access the full OCR reports on HIPAA compliance in 2023 (PDF) and 2023 healthcare data breaches (PDF)

The post OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2023 appeared first on The HIPAA Journal.