Data Breaches Announced by Elara Caring; Excelas; Pulpdent Corp.

Elara Caring has confirmed that thousands of its patients were affected by the cyberattack on vendor Doctor Alliance. Data breaches have also been announced by the medical record organization and analysis SaaS company Excelas, and Pulpdent, a dental research and manufacturing company.

Elara Caring

Elara Caring, a nationwide provider of home-based skilled nursing care, personal care, and palliative care services, has been affected by a cyberattack involving one of its third-party vendors. On December 12, 2025, the vendor notified Elara Caring that a threat actor had accessed and downloaded files from its network. There was no unauthorized access to the Elara Caring network. The incident was confined to the vendor’s systems, which were accessed between November 4 and November 6, 2025, and again between November 14 and November 17, 2025. During those times, files containing names, addresses, dates of birth, medical records, Social Security numbers, and health insurance information were stolen.

While Elara Caring did not disclose the name of the vendor in its breach notification letters, based on the dates of unauthorized access, it was Doctor Alliance, the provider of a platform for managing and facilitating electronic physician signatures. Notification letters were mailed to the affected individuals on May 12, 2025, and the affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. Elara Caring provides services across the United States. While it is currently unclear how many individuals have been affected in total, the Texas Attorney General was informed that more than 3,300 Texas residents were affected.

Excelas

Ocelot Ventures, LLC, doing business as Excelas, a provider of medical record organization and analysis software, has identified unauthorized access to its network. A suspected intrusion was detected on or around January 28, 2026. Assisted by law enforcement and third-party cybersecurity specialists, Excelas determined that an unauthorized third party had access to certain computer systems from November 27, 2025, to December 3, 2025. During that time, a limited amount of data may have been viewed or copied.

The file review confirmed that names, dates of birth, Social Security numbers, government-issued ID numbers, diagnoses, referring/treating physician names, medications, medical record images, payment information, and health insurance information were involved. Excelas is working on implementing additional safeguards to prevent similar incidents in the future. At the time of issuing notification letters on May 12, 2026, no attempted or actual misuse of the impacted information had been detected. As a precaution, single-bureau credit monitoring and fraud protection services have been offered to the affected individuals.

Cl0p, a financially motivated threat group that engages in data theft and extortion, claimed that it had exfiltrated sensitive data from Excelas systems. The incident has been reported to regulators, although it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Pulpdent Corp.

Pulpdent Corp., a Watertown, Massachusetts-based dental research and manufacturing company, has alerted certain individuals about a cybersecurity incident it first detected on March 13, 2026. Systems were secured, and an investigation was launched into the unauthorized activity. On or around April 17, 2026, Pulpdent determined that information such as names, Social Security numbers, driver’s license numbers, and financial account information had been exposed and potentially stolen.

Notification letters started to be mailed to the affected individuals on May 8, 2026, and complimentary credit monitoring and identity theft protection services have been made available. Individuals who receive a notification letter should take advantage of those free services. The Inc Ransom ransomware group took responsibility for the attack and claimed to have exfiltrated sensitive data. The number of affected individuals has yet to be publicly disclosed.

The post Data Breaches Announced by Elara Caring; Excelas; Pulpdent Corp. appeared first on The HIPAA Journal.

Esse Health Agrees to Pay $2.53M to Settle Data Breach Lawsuit

American Multispecialty Group, doing business as Esse Health, a Missouri-based independent physician group serving the greater St. Louis area, experienced a cyberattack and data breach in April 2025. Esse Health faced multiple class action lawsuits in response to the data breach, and the consolidated class action lawsuit has recently been settled. Esse Health has agreed to pay $2,525,000 to resolve the lawsuit.

The cyberattack was detected by Esse Health on April 21, 2025, and the forensic investigation confirmed that the hackers obtained sensitive data such as names, addresses, birth dates, health information, and health insurance information. Around 5,000 individuals also had their Social Security numbers compromised in the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the electronic protected health information of 23,671 patients; however, the data breach was much more extensive. The Maine Attorney General was informed that the breach affected 263,601 individuals. The lawsuit states that approximately 521,167 individuals were affected.

The data breach was first announced by Esse Health on May 15, 2025, and shortly thereafter, a class action lawsuit was filed by Plaintiff Casten Clausner in the U.S. District Court for the Eastern District of Missouri. A further seven plaintiffs filed similar actions in state court in St. Louis County and the City of St. Louis. All actions were consolidated in the 22nd Judicial Circuit Court of St. Louis City, Missouri, in June 2025.

The consolidated lawsuit – Clausner et al. v. American Multispecialty Group – claims that the data breach could have been prevented and was due to the failure of the defendant to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, breach of confidence, breach of fiduciary duty, invasion of privacy, unjust enrichment, violation of the Missouri Merchandise Practices Act, and declaratory and injunctive relief. Esse Health maintains that there was no wrongdoing and that there is no liability; however, following mediation, a settlement was agreed upon by all parties to avoid the costs and risks associated with continuing with the litigation.

Under the terms of the settlement, Esse Health has agreed to establish a $2,525,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the 8 class representatives, and benefits for the class members. After costs and expenses have been deducted from the settlement fund, the remainder will be used to pay for class member benefits. While most class action lawsuit settlements allow class members to submit a claim for reimbursement of losses, this settlement only provides a pro rata cash payment, which is expected to be $50 per class member. The payments may be higher or lower depending on the number of claims received.

In addition, class members are entitled to enroll in two years of medical identity protection services, which include a $1 million medical identity theft insurance policy. The cost of the medical identity protection will be paid separately by Esse Health. The settlement has received preliminary approval from the court. The deadline for objection and exclusion from the settlement is July 5, 2026. Claims must be submitted by August 4, 2026, and the final approval hearing has been scheduled for August 3, 2026.

Ransomware Groups Claim Responsibility for Attacks on 3 Healthcare Providers

Ransomware groups have claimed responsibility for attacks on Advanced Family Surgery Center in Tennessee, Orem Eye Clinic in Utah, and Belmont Aesthetic & Reconstructive Plastic Surgery in Virginia/Washington D.C.

Surgery Center of Oak Ridge (Advanced Family Surgery Center)

Surgery Center of Oak Ridge, LLC, doing business as Advanced Family Surgery Center in Oak Ridge, Tennessee, has notified certain patients about a network intrusion first identified on or around November 26, 2025. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that certain parts of its network were accessed by an unauthorized third party who potentially viewed or acquired files containing patient information.

The files were reviewed and found to contain names, addresses, dates of birth, dates of service, health insurance information, medical diagnosis information, medical record numbers, Medicare/Medicaid numbers, patient account numbers, prescription/treatment information, provider names, and Social Security numbers. Additional security measures have been implemented to prevent similar incidents in the future, and policies and procedures with respect to data security are being reviewed.

This appears to have been a ransomware attack with data theft. The Genesis ransomware group, a financially motivated threat group that has attacked many healthcare providers, claimed responsibility for the attack and added Advanced Family Surgery Center to its dark web data leak site. Genesis claims to have exfiltrated 100 GB of data in the attack, including files containing patient information.

Orem Eye Clinic

Orem Eye Clinic in Orem, Utah, has notified individuals and the HHS’ Office for Civil Rights about a cybersecurity incident involving unauthorized access to parts of its network that contained the protected health information of approximately 5,800 patients. No substitute breach notice has been added to the Orem Eye Clinic website at the time of publication of this article, so the exact details, such as the types of data involved and the nature of the incident, have yet to be confirmed. Individuals receiving a notification letter should be aware that a ransomware group called Nightspire claimed responsibility for the attack and added Orem Eye Clinic to its dark web data leak site. The group claims to have exfiltrated 1 terabyte of data in the attack.

Belmont Aesthetic & Reconstructive Plastic Surgery

Belmont Aesthetic & Reconstructive Plastic Surgery, a cosmetic and reconstructive surgery practice with locations in Washington, D.C., and Virginia, has reported a data breach to the HHS’ Office for Civil Rights that has affected 528 individuals. While there is currently no website notice, and no other information has been released about the data breach so far, this appears to have been a ransomware attack. The Insomnia ransomware group added Belmont Aesthetic & Reconstructive Plastic Surgery to its dark web data leak site in early March 2026 and threatened to publish the stolen data if the ransom was not paid.
