Tangoe Data Breach Settlement Receives Preliminary Approval

Posted by Steve Alder

Tangoe, a provider of software solutions for managing telecom, mobile, and cloud expenses, has agreed to a settlement to resolve a class action lawsuit stemming from a November 2022 security incident. Tangoe experienced a cyberattack, exposing sensitive data such as names, dates of birth, Social Security numbers, medical information, health insurance information, medication information, billing and claims information, and financial account information. Hackers had access to its systems between November 15, 2022, and November 17, 2022.

The breach affected some of its healthcare clients and involved unauthorized access to the protected health information of 4,765 individuals, according to the breach notice filed with the HHS’ Office for Civil Rights. While the breach occurred in November 2022, it took until November 1, 2023, for the affected individuals to be notified. A lawsuit – Kevin McLinden v. Tangoe US, Inc.– was filed in the Superior Court for Marion County, Indiana, over the data breach, alleging Tangoe failed to implement reasonable and appropriate cybersecurity measures, leading to an entirely preventable data breach. Tangoe denies all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability.

After prolonged and extensive arm’s length negotiations, all parties agreed to a settlement to avoid the expense and length of protracted litigation and the uncertainty of a trial and any related appeals. Under the terms of the settlement, class members are entitled to claim two years of credit monitoring services, which include a $1 million identity theft insurance policy. In addition to the credit monitoring services, class members may claim one or more cash payments.

A claim may be submitted for compensation for documented, unreimbursed ordinary losses due to the data breach incurred between November 2022 and June 3, 2026. Claims for reimbursement of ordinary losses have been capped at $750 per class member. A claim may also be submitted for compensation for lost time up to a maximum of four hours at $25 per hour ($100). The lost time claims are included in the $750 ordinary losses cap.

A claim may also be submitted for reimbursement of extraordinary losses, such as documented, unreimbursed losses due to identity theft and fraud. Claims for extraordinary losses have been capped at $5,000 per class member. If a claim for reimbursement of losses/lost time is not submitted, class members are eligible to claim an alternative pro rata cash payment. The cash payments will be paid from the remainder of the settlement fund, and are expected to be around $50, but may be higher or lower depending on the number of claims received. No proof is required to submit a claim for an alternative cash payment.

The deadline for exclusion and objection to the settlement is May 4, 2026. Claims must be submitted by June 3, 2026, and the final fairness hearing has been scheduled for June 11, 2026. Individuals who do nothing will receive no benefits and will lose the right to sue the defendant over the data breach or participate in other lawsuits related to the data breach.

The post Tangoe Data Breach Settlement Receives Preliminary Approval appeared first on The HIPAA Journal.

North Texas Behavioral Health Authority Data Breach Affects 285K Individuals

Posted by Steve Alder

North Texas Behavioral Health Authority (NTBHA), a provider of mental health and substance use treatment and services in Dallas, Ellis, Hunt, Kaufman, Navarro & Rockwall counties, has notified the Department of Health and Human Services (HHS) Office for Civil Rights about a breach of the protected health information of 285,086 individuals. The data breach is the 6th largest data breach reported to OCR so far in 2026.

NTBHA identified unauthorized activity within its computer systems on or around October 15, 2025, and launched an investigation to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party accessed its network between October 13, 2025, and October 15, 2025, during which time files containing patient information may have been viewed or acquired.

It took around three months to review the affected files, and on January 7, 2026, NTBHA confirmed that some of the files contained personal information. The substitute data breach notice does not list the types of data involved, although for some individuals, Social Security numbers were exposed. NTBHA said that at the time of issuing breach notification letters, no evidence had been found of any actual or attempted misuse of the impacted information.

Notification letters started to be sent to the affected individuals on March 6, 2026, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. NTBHA said it continually evaluates its privacy and security measures and has taken steps to augment security following this incident. They include resetting passwords, expanding multi-factor authentication, and deploying advanced endpoint detection and response tools and services. At present, no threat actor appears to have claimed responsibility for the incident. Several law firms have opened investigations in response to the data breach and are considering filing class action lawsuits.

The post North Texas Behavioral Health Authority Data Breach Affects 285K Individuals appeared first on The HIPAA Journal.

Chicago’s Saint Anthony Hospital Reports Breach Affecting 146,000 Individuals

Posted by Steve Alder

Saint Anthony Hospital, a nonprofit, faith-based, acute care, community hospital in Chicago, has started notifying individuals about unauthorized access and/or theft of some of their personal and protected health information. The substitute breach notification does not state when the unauthorized access was detected, only that an unauthorized third party accessed and/or acquired certain files and folders of unstructured data from its email system on February 27, 2025. The forensic investigation confirmed that electronic medical records were not affected by the incident.

More than a year after the unauthorized access occurred, notification letters are being sent to the affected individuals. Saint Anthony Hospital said the third-party specialists engaged to review the affected files completed their review on February 13, 2026, and notification letters started to be mailed to the affected individuals on March 6, 2026, after the results of the data review were verified and contact information was obtained.

The substitute breach notice on the Saint Anthony Hospital website does not state what types of information were involved; however, the hospital had previously disclosed in November 2025 that names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, prescription information, and medical histories were involved. Back in November, the hospital reported that approximately 6,600 patients and employees had been affected; however, the breach notice submitted to the HHS’ Office for Civil Rights shows that the breach was much larger, involving the protected health information of 146,108 individuals.

While no evidence has been found to suggest any actual or attempted misuse of patient data, the affected individuals have been advised to exercise caution and monitor their free credit reports, financial accounts, and explanation of benefits statements carefully for signs of data misuse. Complimentary credit monitoring and identity theft protection services do not appear to have been offered to the affected individuals.

The post Chicago’s Saint Anthony Hospital Reports Breach Affecting 146,000 Individuals appeared first on The HIPAA Journal.

Data Breaches Announced by Mindpath Health; Springfield Hospital; Lone Peak Psychiatry

Posted by Steve Alder

Data breaches have been announced by the California psychiatry and therapy provider Mindpath Health, Springfield Hospital in Vermont, and Lone Peak Psychiatry in Utah.

Community Psychiatry Management (Mindpath Health)

Community Psychiatry Management, LLC, doing business as Mindpath Health, a Sacramento, California-based provider of in-person and online psychiatry and therapy services, has notified the Maine Attorney General about a hacking incident that Mindpath Health learned about on November 14, 2025. The personal and protected health information of 14,060 individuals was potentially compromised in the incident, including 2 Maine residents.

The incident is part of a much larger data breach at its vendor, Pinnacle Holdings, LTD. Pinnacle Holdings provides healthcare consulting services, and the data breach affected many of the company’s healthcare clients. The incident was detected by Pinnacle Holdings on November 25, 2024, when Pinnacle Holdings experienced a network disruption. The forensic investigation confirmed unauthorized network access between November 11, 2024, and November 25, 2024, during which time files containing patient information may have been copied by the threat actor.

Data compromised includes names, addresses, phone numbers, email addresses, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, diagnoses, treatment information, dates of service, patient ID numbers, provider names, medical record numbers, health insurance information, and treatment cost information. Individual notification letters started to be sent to the affected individuals on March 9, 2026, and 12 months of complimentary credit monitoring and identity theft protection services have been offered.

Springfield Hospital

Springfield Hospital in Vermont has started mailing notification letters to patients advising them that some of their personal and protected health information has been exposed in a recent data security incident. Springfield Hospital learned about the incident when it identified suspicious activity within an employee’s email account. The forensic investigation determined that the account was accessed by an unauthorized individual on December 17, 2025, and Springfield Hospital learned that personal and protected health information was involved on February 10, 2026.

Data exposed in the incident includes names, dates of birth, and Social Security numbers, along with protected health information such as medical record numbers, treating physician names, and reasons for visit. Springfield Hospital said it has taken steps to improve email security to prevent similar incidents in the future. At the time of issuing notification letters, Springfield Hospital had not identified any attempted or actual misuse of the exposed information. It is currently unclear how many individuals have been affected.

Lone Peak Psychiatry

Lone Peak Psychiatry, a mental health practice with locations in Lehi and Murray, Utah, has notified state attorneys general about a recent data breach. The notification letters are light on detail and do not contain any information about the nature of the incident, dates of compromise, or types of information involved. There is currently no substitute breach notice on the Lone Peak Psychiatry website.

The affected individuals have been offered complimentary credit monitoring and identity theft protection services, although if the notice to state attorneys general is a reflection of the individual notification letters being sent, then the affected patients do not have enough information to gauge the level of risk they face and whether they need to sign up for the free services being offered. In such cases, it is always wise to err on the side of caution and take steps to protect against identity theft and fraud, including signing up for any free services on offer. There is no listing on the OCR data breach portal at present, so it is unclear how many individuals have been affected.

The post Data Breaches Announced by Mindpath Health; Springfield Hospital; Lone Peak Psychiatry appeared first on The HIPAA Journal.