Community Health Center of Buffalo & Greenbaum Rowe Smith & Davis Confirm Data Breaches

Data breaches have been announced by Community Health Center of Buffalo in New York and the New Jersey law firm Greenbaum Rowe Smith & Davis.

Community Health Center of Buffalo, New York

Community Health Center of Buffalo (CHCB) in New York has identified a cybersecurity incident in which sensitive data was potentially accessed or acquired. Suspicious activity was identified within its computer network on April 21, 2026. Assisted by digital forensics experts, unauthorized network access was confirmed between April 20 and April 21, 2026.

The files are currently being reviewed to determine the types of data involved and the affected individuals. That process is ongoing; however, CHCB reports that the types of data likely involved includes names in combination with one or more of the following: address, date of birth, Social Security number, driver’s license, medical information such as diagnoses, treatment information, prescriptions/medications, treatment locations, lab results, medical record numbers, provider names, patient medical histories, and health insurance information

Data privacy and security practices are being reviewed, and steps are being taken to improve security. Credit monitoring and identity theft protection services will be made available. The data breach has been reported to the HHS’ Office for Civil Rights using an interim total of at least 501 affected individuals. The total will be updated when the investigation and file review are concluded.

Greenbaum Rowe Smith & Davis, New Jersey

Greenbaum Rowe Smith & Davis LLP, a New Jersey-based law firm, has started notifying 12,801 individuals about a breach of their protected health information. The practice provides legal services to healthcare practices in the state of New Jersey, which require access to certain patient data. The practice has confirmed that it experienced a cybersecurity incident involving unauthorized access to systems containing the data of patients of Atlantic Health System, Hackensack Meridian Health, and Trinitas Regional Medical Center.

Data exposed in the incident included names, Social Security numbers, medical information, health insurance information, and other personal data. At the time of issuing notifications, the practice was unaware of any public release of the impacted data. The practice is offering the affected individuals complimentary credit monitoring and identity theft protection services and has taken steps to improve security to prevent similar incidents in the future.

The post Community Health Center of Buffalo & Greenbaum Rowe Smith & Davis Confirm Data Breaches appeared first on The HIPAA Journal.

Physicians Primary Care of Southwest Florida Agrees to Data Breach Settlement

Physicians Primary Care of Southwest Florida was the victim of a targeted cyberattack in September 2024 that exposed patient data. The data breach sparked a class action lawsuit alleging the breach could have been prevented, as Physicians Primary Care of Southwest Florida failed to implement reasonable and appropriate security measures to prevent unauthorized access to patient data in its possession.

Physicians Primary Care of Southwest Florida is a medical facility with offices in Fort Myers, Cape Coral, Estero, and Lehigh Acres, Florida, that specializes in internal medicine, obstetrics, gynecology, family practice, and pediatrics. On or around September 17, 2024, unauthorized access to its network was identified. The hackers behind the attack had access to the network from September 15, 2024, to September 17, 2024, and potentially viewed or obtained patient data such as names, health information, and Social Security numbers. The data breach was reported to the HHS’ Office for Civil Rights as affecting 170,653 individuals.

The first lawsuit over the data breach was filed on December 3, 2024, in the Circuit Court of the Twentieth Judicial Circuit. An amended complaint was filed on March 7, 2025, in the Circuit Court for Lee County, Florida, naming two alternative plaintiffs, as the plaintiff who filed the initial complaint was determined not to be a putative class member.

The lawsuit – Cirillo et al. v. Physicians Primary Care of Southwest Florida, P.L. – asserted claims for negligence, breach of implied contract, breach of fiduciary duty, violation of the Florida Deceptive and Unfair Trade Practices Act, and declaratory judgment. Physicians Primary Care of Southwest Florida denies wrongdoing and liability and disagrees with the claims and contentions asserted by the lawsuit.

Shortly after the amended complaint was filed, the parties began exploring the possibility of an early resolution. A settlement was not agreed upon during mediation, but after several months of negotiations, terms were agreed that were acceptable to all parties. The settlement class consists of all living adults in the United States who received a notification that the data breach involved their information.

Under the terms of the settlement, class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $5,000 per class member. There is no alternative cash payment; however, all individuals are eligible to enroll in two years of medical monitoring services, which include a $1 million identity theft insurance policy.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for September 14, 2026. Individuals wishing to object to the settlement or opt out must do so by August 30, 2026. Claims must be submitted by September 29, 2026

The post Physicians Primary Care of Southwest Florida Agrees to Data Breach Settlement appeared first on The HIPAA Journal.

Why Medical Device Compliance Is Growing More Important Every Year

You don’t have to look very far to see the everyday applications of the medical device industry. They’re in the new technology and equipment in doctors’ offices, hospitals, and medical clinics. They surface in the expanding repertoire of devices that patients can use at home, expanding healthcare access and convenience. And they’re in the medical implants that often address serious health problems, including everything from pacemakers to stents to hip replacements to spinal fusion.

All these products are considered part of the medical device industry, which academic database ScienceDirect defines as a sector focused on the development, manufacturing, and distribution of devices that provide medical support and improve health outcomes, leveraging advances in biotechnology and bioengineering. A rapidly growing segment of the global economy, the medical device industry was valued at around $570 billion in 2025. It is expected to surpass $600 billion in 2026, before touching one trillion dollars sometime over the next decade.

Medical Device Compliance Defined

Like many large, lucrative industries, medical device manufacturers must adhere to a range of regulations imposed by the markets in which they operate. These regulations are developed and implemented to ensure that the industry’s products are safe, effective, and regularly monitored over the course of their lifetimes in the marketplace.

Due to the inherent risks involved, medical device manufacturing is an extensively regulated industry. Patients’ health, physical capabilities, and even lives are at stake when it comes to these technologies, and because of this, manufacturers have considerable legal responsibilities in countries like the U.S., the U.K., and Canada, as well as economic blocs like the European Union. Violating these regulations can trigger serious consequences, too, including penalties of $100,000 or more and imprisonment in cases of criminal negligence.

The World’s Major Medical Device Regulations

While the medical device sector spans the entire globe, industry regulations, and the legal obligations they impose, differ from one country to the next.

The U.S.: FDA and QSMR

The U.S. regulates medical devices through the Food and Drug Administration (FDA), which determines legal obligations based on three different risk categories. In addition to these classifications, medical device manufacturers must obtain FDA clearance to sell and market their devices, adhere to a Quality Management System Regulation (QSMR) harmonized to ISO 13485, and carry out post-market surveillance by monitoring defects, malfunctions, and other adverse events.

The EU: the MDR

In 2021, the EU replaced its Medical Device Directive (MDD) with the Medical Device Regulation (MDR), a change many describe as the largest shift in medical device compliance in years. The MDR imposes stricter requirements than its predecessor, with a higher threshold for clinical evidence and an expectation that manufacturers carry out post-market clinical follow-up to confirm that devices are working as intended and marketed.

In addition, the EU strengthened its requirements for the notifying bodies that certify devices for CE markings, reducing the number of organizations authorized to issue certifications.

The U.K. and the MHRA

To sell medical devices in the United Kingdom, manufacturers and importers must obtain a UKCA marking. Prior to 2021, products were classified into three different categories, with specific directives regulating each of them:

  • Directive 90/385/EEC applies to active implantable medical devices.
  • Directive 93/42/EEC applies to medical devices.
  • Directive 98/79/EC applies to in vitro diagnostic medical devices.

Today, businesses must get their devices registered and certified through the Medicines and Healthcare products Regulatory Agency (MHRA), the government body responsible for post-market surveillance.

Canada’s CMDR

Canada regulates medical devices through the nation’s Medical Devices Directorate (MDD), a government agency responsible for evaluating the safety and effectiveness of medical technology. Devices are classified into four different risk categories, and products that are categorized in Class II, Class III, or Class IV must all obtain licenses to sell their products.

Products in these three classes must undergo a rigorous review process. During this process, the manufacturer submits a completed application for a license; the MDD reviews the application; and the MDD then issues a license where applicable. In addition to issuing licenses, the directorate also conducts post-market surveillance. According to the Canadian government, if a medical device is found to no longer meet safety and effectiveness requirements, the MDD may suspend its license or ask the manufacturer to recall or refit the medical device.

An Evolving Compliance Landscape

In recent years, medical device compliance has grown more demanding all over the world. In many countries, manufacturers are now responsible for a range of regulatory responsibilities, including but not limited to:

  • Ensuring the safety of their devices.
  • Adhering to material regulations, including substance bans, maximum thresholds, and other restrictions.
  • Communicating and disclosing information to the public.
  • Carrying out post-market surveillance in accordance with regulatory requirements.

According to scientific publisher Elsevier, the number of regulations for medical device manufacturers increased 64% between 2015 and 2022, and the landscape has continued expanding since. One statistic that puts the sector’s regulatory obligations in perspective: U.S. manufacturers spend, on average, around $24 million on FDA-related requirements when bringing a single medical device from initial concept to market. For devices classified in the highest-risk Class III by the FDA, that figure rises to $75 million. In the EU, research suggests that the recent transition from the MDD to the MDR has increased regulatory costs on manufacturers up to tenfold.

Medical device compliance is not only becoming more costly. It is also becoming more time-intensive. Manufacturers operating in the U.S. can expect to spend anywhere between a few weeks and eight months working through the FDA’s regulatory approval process, with significant variance depending on the complexity and potential risks of the device. In other countries and regions, this path takes longer. Companies operating in the EU should prepare to commit a year or longer to the compliance process, while businesses in Japan spend between one and three years working to gain regulatory approval for new medical devices, placing Japan among the countries with the longest medical device approval timelines.

Given the time and financial resources required for regulatory adherence, manufacturers need to fully understand and meet their legal obligations to access the large, expanding global marketplace for medical devices.

How Medical Device Manufacturers Can Achieve Regulatory Compliance

Given the stakes associated with products that impact individual health and well-being, medical device manufacturers need to treat regulatory compliance as a major priority. Violations of the MDD, the QSMR, or the MHRA, among other directives, carry substantial financial and legal consequences.

Understand All Regulations That Apply To Your Business

In order to practice effective compliance, manufacturers first need to understand the scope of their responsibilities. The first step in doing that is identifying what specific regulations apply to them and their products. Organizations should review all the countries where their product is manufactured, imported, or sold, and what those nations’ legal obligations are for medical devices.

Medical device regulations remain in an early stage of development. The landscape remains fragmented and heterogeneous, with little harmonization between nations. Businesses must remember that achieving adherence with one directive does not prevent them from violating another.

Carry Out Necessary Steps for Certification

After establishing the scope of their obligations, manufacturers must then begin the process of gathering all the information required to achieve certification with the applicable regulatory bodies. For the more demanding national directives, this may include a number of individual steps:

  • Confirm product classification.
  • Reach out to a notified body or other accredited third-party organization.
  • Work with the notified body to compile all necessary documentation, including device descriptions, bills of materials (BOMs), general safety and performance requirements (GSPR), and risk management standards set by the International Organization for Standardization (ISO 14971).
  • Prepare a clinical evaluation report that pulls together clinical data, risks and benefits, and the intended purpose of the device.
  • Establish a plan for carrying out post-market clinical follow-up and implementing a post-market surveillance system.

While these steps vary from one regulation to the next, companies operating in multiple national markets should be prepared to fulfill most or all of them.

Foster Expertise and Develop Resources for Post-Market Surveillance

The post-market responsibilities imposed by directives like the MDD cannot be haphazard or ad-hoc. Organizations should have an established framework in place, with dedicated compliance professionals and a clear process for reviewing market data, issuing safety reports, and summarizing clinical performance. Post-market clinical follow-up (PMCF) and post-market surveillance (PMS) are strict obligations that can derail a product’s rollout or longevity when neglected, even after a device has reached the marketplace.

Leverage Third-Party Compliance Tools

The medical device and technology industry is comprised of many small and midsized businesses (SMBs), plenty of whom do not have the internal resources or bandwidth to effectively manage all the compliance obligations the sector imposes. In these cases, manufacturers can utilize a compliance tool that helps them understand their legal responsibilities, collects all the necessary compliance data, and submits technical documentation and clinical evaluations to the appropriate regulatory body. These software tools can support organizations through a regulatory process that is otherwise complex, lengthy, and difficult for smaller companies with limited bandwidth.

The post Why Medical Device Compliance Is Growing More Important Every Year appeared first on The HIPAA Journal.

May 2026 Healthcare Data Breach Report

Based on the current data on the HHS’ Office for Civil Rights (OCR) breach portal, 61 healthcare data breaches affecting 500 or more individuals were reported in May 2026. May’s current total represents a 27.1% month-over-month increase in data breaches. Over the past 12 months, an average of 64 large healthcare data breaches were reported each month.

Healthcare data breaches in the past 12 months - May 2026

From January 1, 2026, to May 31, 2026, 319 data breaches affecting 500 or more individuals have been reported to OCR. This time last year, the total stood at 342 large data breaches.

HEalthcare data breaches - January 1 - May 31 - 2022-2026

While data breaches increased from April, the number of affected individuals fell by 34.8% to 879,447 individuals. In May, an average of 14,417 individuals were affected by healthcare data breaches, down from an average of 28,116 individuals in April. Over the past 12 months, an average of 10.6 million individuals have been affected by healthcare data breaches each month.

Individuals affected by healthcare data breaches in the past 12 months - May 2026

Data breaches are down slightly year-over-year, but there has been a massive reduction in the number of affected individuals. Very large data breaches have not been reported to OCR in the numbers seen in previous years. From January 1, 2026, to May 31, 2026, across the 319 data breaches, at least 21,085,405 individuals have been affected. The OCR breach portal shows that from January 2025 to May 2025, 33,116,809 individuals were affected by data breaches.

Individuals affected by healthcare data breaches - jan 1 - May 31, 2022-2026

Biggest Healthcare Data Breaches of May 2026

In May 2026, 17 data breaches affecting 10,000 or more individuals were reported to OCR, all of which were hacking incidents. The biggest data breach of the month was reported by Radiology Associates of Richmond, affecting more than 266,000 individuals, followed by a hacking incident at Western Orthopaedics which affected more than 113,000 individuals.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
Radiology Associates of Richmond VA Healthcare Provider 266,183 Hacking incident
Western Orthopaedics, P.C. CO Healthcare Provider 113,330 Hacking incident
ERMI LLC GA Healthcare Provider 74,074 Hacking incident
Singing River Health System MS Healthcare Provider 53,888 Hacking incident
Southern Illinois Ob-Gyn Associates, S.C. IL Healthcare Provider 38,700 Hacking incident
Gastro Health FL Healthcare Provider 35,632 Unauthorized access to email accounts
Eyemart Express, LLC TX Healthcare Provider 25,000 Hacking incident
Connecticut Department of Social Services CT Health Plan 22,500 Unauthorized access to provider portal website
Bridle Trails Family Dentistry WA Healthcare Provider 20,976 Unauthorized access to email account
Community Connections DC Healthcare Provider 18,943 Ransomware attack (INCRansom)
Virta Medical PC CO Healthcare Provider 14,636 Hacking incident (Lapsus$)
Saurabh N. Patel, M.D – Florida Retina Center LA Healthcare Provider 13,652 Hacking incident
Greenbaum Rowe Smith & Davis LLP NJ Business Associate 12,801 Hacking incident
Wellpoint Washington, Inc. IN Health Plan 12,020 Unauthorized access to email account
Defense Health Agency (TriWest) VA Health Plan 11,848 Hacking incident
IKRON Corporation OH Healthcare Provider 11,845 Hacking incident
Elara Caring TX Healthcare Provider 10,490 Hacking incident at third-party vendor

May’s total number of affected individuals may increase considerably over the coming weeks and months, as healthcare organizations complete their data breach investigations. HIPAA-regulated entities have 60 days from the date of discovery of a data breach to issue notifications to the HHS’ Office for Civil Rights and the affected individuals. HIPAA requires OCR to be notified even if the total number of individuals has yet to be determined by the 60-day deadline. In such cases, an estimate should be provided. Many regulated entities use a placeholder estimate of 500 or 501 individuals in such cases, and in May, 7 regulated entities appear to have used these placeholder figures.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
United Medical Doctors CA Healthcare Provider 501 Hacking/IT Incident
NJ Pain Care Specialists, LLC NJ Healthcare Provider 501 Hacking/IT Incident
Palomar Health Medical Group CA Healthcare Provider 501 Hacking/IT Incident
Aroostook Mental Health Center ME Healthcare Provider 501 Hacking/IT Incident
Campbell University NC Healthcare Provider 500 Hacking/IT Incident
BAYADA Home Health Care, Inc. NJ Healthcare Provider 500 Hacking/IT Incident
Integrated Pain Associates TX Healthcare Provider 500 Hacking/IT Incident

Causes of May 2026 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in May, as has been the case each month for several years. Out of the month’s 61 large healthcare data breaches, 54 were classed as hacking/IT incidents – 88.5% of the month’s data breaches. Across those incidents, the protected health information of 853,532 individuals was compromised- 88.5% of the month’s total affected individuals. On average, hacking/IT incidents affected 15,806 individuals in May, with a median breach size of 3,619 individuals.

Causes of May 2026 healthcare data breaches

There were 7 data breaches classed as unauthorized access/disclosure incidents, representing 11.5% of the month’s breaches. Across those incidents, the protected health information of 25,915 individuals was unlawfully accessed or disclosed. On average, 3,702 individuals were affected by each incident in May. The median breach size was 3,086 individuals. There were no reported theft, loss, or improper disposal incidents in May.

Given the large number of hacking incidents, it is no surprise that the most common location of breached protected health information was network servers. Email incidents were also reported in high numbers.

Location of breached PHI in May 2026 healthcare data breaches

States Affected by May 2026 Healthcare Data Breaches

Large healthcare data breaches were reported by HIPAA-regulated entities in 26 U.S. states and the District of Columbia. California was the worst affected state with 6 breaches.

State Breaches
California 6
Florida, New Jersey, New York, North Carolina, Ohio, Texas & Virginia 4
Colorado 3
Indiana, Maine, Michigan, Pennsylvania, South Carolina & the District of Columbia 2
Arizona, Connecticut, Georgia, Illinois, Iowa, Louisiana, Massachusetts, Mississippi, Oregon, Tennessee, Washington & Wisconsin 1

In terms of affected individuals, Virginia topped the list with almost 300,000 state residents affected.

State Individuals Affected State Individuals Affected
Virginia 290,254 Louisiana 13,652
Colorado 128,661 Pennsylvania 7,095
Georgia 74,074 South Carolina 6,946
Mississippi 53,888 Iowa 6,666
Florida 44,649 Michigan 6,456
Texas 40,045 California 5,303
Illinois 38,700 North Carolina 4,949
Ohio 28,540 Massachusetts 3,086
Connecticut 22,500 Maine 3,024
Washington 20,976 Oregon 2,856
District of Columbia 20,014 Arizona 2,316
New York 19,674 Tennessee 1,807
Indiana 17,325 Wisconsin 1,080
New Jersey 14,911

Data Breaches at HIPAA -Regulated Entities

In May 2026, 42 data breaches were reported by healthcare providers, 9 breaches were reported by health plans, and 10 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.

The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 22 of the 61 breaches (rather than 10) occurred at business associates in May.

May 2026 data breaches at HIPAA-regulated entities

Individuasl affected by data breaches at HIPAA-regulated entities in May 2026

HIPAA Enforcement Activity in May 2026

No enforcement actions were announced by OCR or state attorneys general in May.

The post May 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.