Data Breaches Announced by Corewell Health & Rocky Mountain Care
Rocky Mountain Care in Utah has announced a January 2026 data breach, and Corewell Health in Michigan has confirmed that more than 19,000 patients have been affected by a data breach at business associate Pinnacle Holdings.
Corewell Health, Michigan
Corewell Health, a non-profit Michigan health system, has recently confirmed that the protected health information of more than 19,000 of its patients has been exposed in a data breach at one of its business associates, Colorado-based Pinnacle Holdings, LTD. Pinnacle Holdings, a provider of consulting services, experienced a network disruption on November 25, 2024, that affected some of its IT systems, including systems containing the protected health information of patients of its clients.
Pinnacle Holdings said immediate action was taken to secure its systems; however, the detailed data review has taken many months to complete due to the complexity of the impacted data. The company has now confirmed that patient names, phone numbers, birth dates, Social Security numbers, driver’s license numbers, health insurance information, prescription information, and dates of service were compromised. The affected Corewell Health patients have been offered complimentary credit monitoring and identity theft protection services, and Pinnacle Holdings has implemented additional safeguards to prevent similar incidents in the future.
The data breach at Pinnacle Holdings affected several of the company’s clients, including the Chicago-based Catholic health system, CommonSpirit Health, as previously reported by The HIPAA Journal. It is currently unclear how many clients were affected in total or the number of individuals whose data was compromised in the incident.
Rocky Mountain Care, Utah
Rocky Mountain Care, a Woods Cross, Utah-based provider of skilled nursing care and home health services to seniors in Utah and Wyoming, has announced a January 2026 cybersecurity incident that involved unauthorized access to parts of its network that contained patient information. The forensic investigation determined that a hacker gained access to files on its network between January 30, 2026, and February 2, 2026. The review of the impacted data is ongoing, so the full impact of the incident has yet to be determined. Rocky Mountain Care said notification letters will be mailed to the affected individuals when the review is concluded.
While further details about the attack have not been disclosed, a threat actor has claimed responsibility for the incident. The Qilin threat group added Rocky Mountain Care to its dark web data leak site on February 23, 2026, and issued a ransom demand along with a threat to publish the stolen data if the ransom was not paid. Samples of data allegedly stolen in the attack were also added to the listing. Qilin claimed to have exfiltrated 33 GB of data in the attack and later published the stolen data, indicating the ransom was not paid.
The post Data Breaches Announced by Corewell Health & Rocky Mountain Care appeared first on The HIPAA Journal.
How Small Medical Practices Can Build HIPAA-Aligned DevSecOps Without Enterprise Budgets – HIT Consultant
Woodfords Family Services Notifies Patients Affected by April 2024 Ransomware Attack – The HIPAA Journal
Westbrook, Maine-based Woodfords Family Services, a provider of services to individuals with special needs and their families, has notified the Maine Attorney General about a breach of the personal and protected health information of 8,073 individuals in a ransomware attack, including 7,701 Maine residents.
Suspicious network activity was identified on April 8, 2024. The investigation confirmed that its network had been accessed by the Medusa ransomware group. Immediate action was taken to investigate the incident and ensure the security of its systems, and the forensic investigation ended on May 30, 2024. A preliminary breach notice was issued on June 3, 2024, and a media notice was issued on June 7, 2024, to alert individuals potentially affected by the incident. Some notification letters were mailed to individuals in March 2025, although some people have only recently received notification letters.
While the incident was initially investigated internally, Woodfords Family Services determined that it was unable to identify the full scope of the incident and engaged data mining specialists on September 25, 2024, to confirm the individuals affected and the types of data involved. The initial data mining process took until October 3, 2025, to complete, then the data had to be reviewed internally. The internal review was completed on January 29, 2026, mailing addresses for the affected individuals were verified, and the last of the notification letters were mailed to the affected individuals on March 27, 2026.
Data compromised in the incident included names, Social Security numbers, driver’s license numbers, financial account information, health insurance information, and diagnosis and treatment information. The affected individuals have been offered a complimentary 12-month membership to credit monitoring and identity theft protection services.
The data breach was reported to the HHS’ Office for Civil Rights in June 2024 using a placeholder figure of at least 500 affected individuals. The total has yet to be updated, although OCR has delayed adding new breach reports to its portal. This is not the first ransomware attack to be experienced by Woodfords Family Services. An attack on June 19, 2023, involved unauthorized access to the personal information of 17,285 individuals, including the protected health information of 6,691 individuals.
Healthcare Software Company Announces Breach of its Electronic Health Record Environment – The HIPAA Journal
The Somerset, New Jersey-based healthcare software company CareCloud has notified the U.S. Securities and Exchange Commission (SEC) about a security incident that caused network disruption on March 16, 2026. CareCloud is a business associate of hospitals and physician practices and works with more than 45,000 providers. The company provides software solutions, including electronic health records systems, and it was its electronic health record environment that was subject to unauthorized access.
According to the SEC filing, a hacker gained access to one of its six electronic health record environments for a period of around 8 hours, partially disrupting functionality and data access. CareCloud was able to fully restore the environment on the evening of March 16, 2026. CareCloud believes that the threat actor no longer has access to its systems. Initially, the incident was reported to law enforcement, its cyber insurer was notified, and third-party cybersecurity specialists were engaged to assist with the investigation and help with securing its environment. When it became clear that this was a material incident due to the sensitivity of the data stored within the compromised environment and the potential cost of a data breach, the SEC was notified.
CareCloud believes that the incident was contained in the one CareCloud Health environment, and no other business systems were involved. The investigation to determine the nature and scope of the unauthorized activity is ongoing, including the extent to which patient data was accessed or exfiltrated, and the categories and volume of data involved.
As of the date of the SEC filing, the incident has had no material impact on the company’s operations, and the initial assessment suggests that the incident is not reasonably likely to have a material impact on the company’s financial position or results of operations, although the impact of the incident has yet to be fully assessed. There will naturally be costs associated with remediation and response, legal, regulatory, and notification-related matters, and possible effects on patients, customers, counterparties, reputation, and operations. The company holds cyber insurance policies and believes that it has sufficient insurance coverage to cover any costs.
CareCloud has not publicly disclosed how many of its clients have been affected, nor has it provided an estimate for the number of individuals whose medical records were exposed in the incident. Notifications will be issued to the affected clients and individuals when they have been identified. At the time of publication, no cyber threat actor is known to have claimed responsibility for the attack.