ID Care & CommuniCare Announce Data Breaches

Posted by Steve Alder

ID Care in New Jersey and Barrio Comprehensive Family Health Care Center (CommuniCare) in Texas have confirmed that patients’ personal and protected health information have been compromised in recent data security incidents.

ID Care

ID Care, a New Jersey-based network of board-certified infectious disease specialists, has recently disclosed a data security incident that involved unauthorized access to the personal and protected health information of current and former patients.

Suspicious activity was identified within certain systems on November 5, 2025. Industry-leading cybersecurity specialists were engaged to investigate the activity and confirmed that an unknown actor gained access to its network and accessed or downloaded files without authorization.

ID Care is currently reviewing the affected files, and while that process has not yet been completed, ID Care has confirmed that the affected files contained full names, dates of birth, Social Security numbers, health insurance information, and medical information, including diagnoses, treatment information, and prescription information.

Policies and procedures are being reviewed to reduce the likelihood of similar incidents in the future, and the HHS’ Office for Civil Rights has been notified about the data breach. The data breach is not yet shown on the OCR breach portal, so the scale of the breach is currently unclear.

Barrio Comprehensive Family Health Care Center (CommuniCare)

Barrio Comprehensive Family Health Care Center (CommuniCare), a non-profit clinic in San Antonio, Texas, has identified unauthorized access to an employee’s email account. The email account breach was identified on September 16, 2025, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. CommuniCare determined that emails in the account had been accessed without authorization, some of which contained patient information.

Following a lengthy review of the affected emails and files, CommuniCare determined on February 19, 2026, that they contained first and last names, in combination with one or more of the following: dates of birth, health insurance account/member/group numbers, clinical information, diagnoses, medical treatment/procedure information, prescription information, provider locations, and patient account numbers.

CommuniCare said it is unaware of any misuse of patient data as a result of the incident, nor does it have any reason to believe that any information in the compromised account will be misused; however, the affected individuals have been advised to remain vigilant against data misuse by monitoring their accounts, explanation of benefits statements, and free credit reports for suspicious activity. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post ID Care & CommuniCare Announce Data Breaches appeared first on The HIPAA Journal.

Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine

Posted by Steve Alder

Centerwell, a provider of senior healthcare services in 30 U.S. states, has experienced a cyberattack and data breach. Lakeside Pediatric & Adolescent Medicine has recently notified individuals affected by an October 2024 data breach.

Centerwell

Centerwell, a Louisville, Kentucky-based provider of healthcare services to seniors, has recently reported a data breach to the Texas Attorney General that involved unauthorized access to patient information.

The scale of the breach is currently unclear, other than the personal and protected health information of 4,618 Texas residents was compromised in the incident. The breach could be substantially larger, as Centerwell provides senior healthcare services in 30 U.S. states. The Texas Attorney General was informed on March 6, 2026, that data compromised in the incident includes names, addresses, dates of birth, and medical information. At the time of writing, the affected individuals have not been informed by mail, and no known threat group has publicly claimed responsibility for the incident.

This post will be updated when further information about the incident is released.

Lakeside Pediatric & Adolescent Medicine

Lakeside Pediatric & Adolescent Medicine (Lakeside), a Coeur d’Alene, Idaho-based healthcare provider, has started notifying patients about an October 2024 data security incident. Lakeside identified unauthorized access to its computer systems in late 2024. The forensic investigation confirmed that an unauthorized third party accessed its computer systems on November 1, 2024, and on December 15, 2024, Lakeside confirmed that there had been unauthorized access and potential acquisition of files containing patient information.

On January 1, 2025, Lakeside confirmed in a website breach notice that personal and protected health information had been compromised in the incident, although the data review was ongoing at that time. On or around December 26, 2025, Lakeside confirmed the data types involved, although the website notice has not been updated to state what those data types are.

In a breach notice submitted to the Washington Attorney General, Lakeside confirmed that single-bureau credit monitoring and identity theft protection services are being offered to the affected individuals, and that 1,314 Washington residents were affected. The incident has not yet been listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals in total have been affected.

The post Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine appeared first on The HIPAA Journal.

Texas Governor Instructs State Agencies to Audit Chinese Medical Devices

Posted by Steve Alder

Texas Governor Greg Abbot has ordered all state agencies and state-owned medical facilities to conduct an audit of patient monitoring devices to ensure that they do not have unresolved vulnerabilities that could be exploited to gain access to Texans’ sensitive health information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the United States Food and Drug Administration (FDA) have issued warnings about vulnerabilities in patient monitoring devices manufactured in China. Devices have been found to contain a backdoor that can be used by a remote attacker to gain access to sensitive patient data.

There has been a proliferation of Chinese-manufactured medical devices within the U.S. healthcare system. The concern is that these devices have backdoors that can be exploited by state-sponsored hacking groups to obtain the private medical information of Americans. Governor Abbot wants to make sure that the private medical data of Texans cannot be obtained by China. “I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data,” Governor Abbot said in a letter to the Texas Health and Human Services Commission (HHSC), Texas Department of State Health Services (DSHS), and the Texas Cyber Command (TXCC).

Governor Abbot has directed state agencies to take action to ensure that sensitive medical data is protected. HHSC and DSHS have been asked to review all state-owned medical facilities under their jurisdiction and attest that all new purchases of medical devices were procured in compliance with the November 19, 2024, Executive Order GA-48, which requires the hardening of cybersecurity by the state government.

HHSC, DSHS, and public systems of higher education are required to catalog all state-owned medical devices capable of transmitting data via a network, or that can be accessed remotely, and share that inventory with TXCC. Assisted by TXCC, HHSC, DSHS, and public systems of higher education, are required to review their cybersecurity policies related to the protection of personal health information at all state-owned medical facilities under their jurisdiction, and specifically include how policies address FDA and CISA-issued alerts for internet-connected medical devices.

TXCC has been instructed to review whether Contec CMS8000 and Epsimed MN-120 patient monitors, and any other devices used by HHSC, DSHS, and public systems of higher education, have been the subject of an FDA safety notice, and to ensure that any that have are placed on the prohibited technology list.

TXCC is also required to convene appropriate executives at HHSC, DSHS, and public systems of higher education and make recommendations for addressing emergent cybersecurity risks, monitoring of devices, and mitigation strategies. Governor Abbot has committed to proposing legislation in the next session to better protect Texans’ private medical data from hostile foreign actors, such as China.

The post Texas Governor Instructs State Agencies to Audit Chinese Medical Devices appeared first on The HIPAA Journal.