Data Breaches Announced by Mindpath Health; Springfield Hospital; Lone Peak Psychiatry

Posted by Steve Alder

Data breaches have been announced by the California psychiatry and therapy provider Mindpath Health, Springfield Hospital in Vermont, and Lone Peak Psychiatry in Utah.

Community Psychiatry Management (Mindpath Health)

Community Psychiatry Management, LLC, doing business as Mindpath Health, a Sacramento, California-based provider of in-person and online psychiatry and therapy services, has notified the Maine Attorney General about a hacking incident that Mindpath Health learned about on November 14, 2025. The personal and protected health information of 14,060 individuals was potentially compromised in the incident, including 2 Maine residents.

The incident is part of a much larger data breach at its vendor, Pinnacle Holdings, LTD. Pinnacle Holdings provides healthcare consulting services, and the data breach affected many of the company’s healthcare clients. The incident was detected by Pinnacle Holdings on November 25, 2024, when Pinnacle Holdings experienced a network disruption. The forensic investigation confirmed unauthorized network access between November 11, 2024, and November 25, 2024, during which time files containing patient information may have been copied by the threat actor.

Data compromised includes names, addresses, phone numbers, email addresses, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, diagnoses, treatment information, dates of service, patient ID numbers, provider names, medical record numbers, health insurance information, and treatment cost information. Individual notification letters started to be sent to the affected individuals on March 9, 2026, and 12 months of complimentary credit monitoring and identity theft protection services have been offered.

Springfield Hospital

Springfield Hospital in Vermont has started mailing notification letters to patients advising them that some of their personal and protected health information has been exposed in a recent data security incident. Springfield Hospital learned about the incident when it identified suspicious activity within an employee’s email account. The forensic investigation determined that the account was accessed by an unauthorized individual on December 17, 2025, and Springfield Hospital learned that personal and protected health information was involved on February 10, 2026.

Data exposed in the incident includes names, dates of birth, and Social Security numbers, along with protected health information such as medical record numbers, treating physician names, and reasons for visit. Springfield Hospital said it has taken steps to improve email security to prevent similar incidents in the future. At the time of issuing notification letters, Springfield Hospital had not identified any attempted or actual misuse of the exposed information. It is currently unclear how many individuals have been affected.

Lone Peak Psychiatry

Lone Peak Psychiatry, a mental health practice with locations in Lehi and Murray, Utah, has notified state attorneys general about a recent data breach. The notification letters are light on detail and do not contain any information about the nature of the incident, dates of compromise, or types of information involved. There is currently no substitute breach notice on the Lone Peak Psychiatry website.

The affected individuals have been offered complimentary credit monitoring and identity theft protection services, although if the notice to state attorneys general is a reflection of the individual notification letters being sent, then the affected patients do not have enough information to gauge the level of risk they face and whether they need to sign up for the free services being offered. In such cases, it is always wise to err on the side of caution and take steps to protect against identity theft and fraud, including signing up for any free services on offer. There is no listing on the OCR data breach portal at present, so it is unclear how many individuals have been affected.

The post Data Breaches Announced by Mindpath Health; Springfield Hospital; Lone Peak Psychiatry appeared first on The HIPAA Journal.

Arizona & Texas Clinics Notify Patients About Ransomware Incidents

Posted by Steve Alder

Ransomware attacks have been announced by Glendale Obstetrics & Gynecology in Arizona and Lymphedema Therapy Specialists in Texas, and City Health in California has notified patients about a recent data breach.

Glendale Obstetrics & Gynecology

Glendale Obstetrics & Gynecology in Glendale, Arizona, has started issuing notifications about an October 2025 security incident. The incident was described as “network disruption affecting a portion of its digital environment,” terminology often used to describe a ransomware attack. The notification letters sent to state attorneys general do not state when the unauthorized access first occurred, only that it was detected on October 25, 2025.

The files on the compromised parts of its network were reviewed, and that process was completed on March 16, 2026. Data compromised in the incident varies from individual to individual and may include names plus one or more of the following: address, date of birth, Social Security number, driver’s license information, medical information, and health insurance information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

A ransomware group called Safepay claimed responsibility for the attack. SafePay engages in data theft and data encryption and claimed to have exfiltrated data in the attack. SafePay added Glendale Obstetrics to its data leak site on November 11, 2025, and then leaked the stolen data on its dark web site. Glendale Obstetrics reported the data breach to the HHS’ Office for Civil Rights on December 24, 2025, using a placeholder estimate of at least 501 affected individuals. State attorneys general have recently been notified, although the 501 total has yet to be updated on the OCR breach portal, so it is unclear how many individuals have been affected. Individual notification letters started to be mailed on April 9, 2026.

Lymphedema Therapy Specialists

Lymphedema Therapy Specialists (LTS), a Houston, Texas-based clinic providing lymphedema treatment, has recently announced a data breach. Unauthorized network activity was identified on February 11, 2026, and a third-party digital forensic investigation confirmed that its network was accessed by an unauthorized third party who may have viewed or copied patient information.

The compromised parts of its network were reviewed, and on February 18, 2026, LTS confirmed that patient and employee information had been exposed, including names, Social Security numbers, government-issued identification numbers, workers’ compensation information, medical information, and health insurance information.

While not described as a ransomware attack, a ransomware group claimed responsibility for the incident. The INC Ransom group added LTS to its dark web data leak site and claimed that personally identifiable information and protected health information were stolen in the attack, in addition to organizational data. Based on the substitute breach notice on the LTS website, credit monitoring and identity theft protection services do not appear to have been offered. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that 378 Texas residents were affected.

City Health

City Health, a California healthcare provider with locations in San Leandro and Oakland, has notified certain patients about a hacking incident that was identified on March 30, 2026. Assisted by third-party cybersecurity specialists, City Health determined that an unauthorized third party accessed its network between March 2, 2026, and March 11, 2026, and viewed or acquired files containing sensitive information.

Data accessed in the incident included names, insurance provider names, and procedure codes only. City Health said contact information, dates of birth, and Social Security numbers were not involved. The incident was rapidly reported to regulators, including the California Attorney General, who was notified about the incident on April 13, 2026, just two weeks after the breach was first identified. Individual notification letters are now being sent to the affected individuals.

City Health is reviewing its security practices, policies, and procedures, and is taking steps to prevent similar incidents in the future. While data has been exposed, City Health is unaware of any actual or attempted misuse of the exposed data. “We apologize for any inconvenience and concerns this may cause you,” City Health’s management team said. “City Health would like to assure you that we have handled the situation swiftly and have taken necessary steps to ensure that it will not happen again.” The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Arizona & Texas Clinics Notify Patients About Ransomware Incidents appeared first on The HIPAA Journal.

$3.75M Settlement Resolves Data Breach Lawsuit Against Chattanooga Heart Institute

Posted by Steve Alder

Memorial Heart Institute, doing business as Chattanooga Heart Institute in Tennessee, was sued over a data breach in 2023. A $3.75 million settlement has been agreed upon and has received the first nod from a judge. The final fairness hearing has been scheduled for May 28, 2026.

The cyberattack was identified on April 17, 2023. The investigation determined that a threat actor had access to the Chattanooga Heart Institute network between March 8 and March 16, 2023, and exfiltrated files, some of which contained patients’ protected health information. The file review confirmed that data compromised in the incident included names, addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information.

The Karakurt ransomware group claimed responsibility for the attack. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 545,491 individuals. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single action – Cahill, et al., v. Memorial Heart Institute, LLC, d/b/a The Chattanooga Heart Institute – in the U.S. District Court for the Eastern District of Tennessee, Southern Division of Chattanooga.

According to the lawsuit, approximately 460,000 individuals had their private information exposed or stolen in the incident, including 287,000 individuals who had their Social Security numbers exposed. The plaintiffs alleged that Chattanooga Heart Institute negligently maintained patient data and had not implemented appropriate safeguards to prevent unauthorized access, claims strenuously denied by the Chattanooga Heart Institute. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, bailment, breach of fiduciary duty, invasion of privacy, and declaratory and injunctive relief.

Chattanooga Heart Institute sought to have the lawsuit dismissed; however, the request was denied in part, and the lawsuit was allowed to proceed. During discovery, the parties began exploring the possibility of an early resolution, and following mediation, agreed upon the material terms of a settlement. The settlement has now been finalized, with no admission of wrongdoing or liability by the Chattanooga Heart Institute. The defendant will establish a $3,750,000 settlement fund, which will be split into two separate funds – a non-revisionary $2,000,000 fund for the Social Security number subclass and up to $1,750,000 fund for the total class.

All class members may claim two years of credit monitoring services, valued at approximately $120 per year. In addition, a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,500 per class member. A cash payment may also be claimed by members of the Social Security number settlement class. The cash payments will be paid pro rata after the settlement administration costs, a share of the attorneys’ fees and expenses, and service awards for the class representatives have been deducted. The attorneys’ fees and costs will be divided between the Social Security number class (53%) and the total class fund (47%). The deadline for submitting a claim is July 13, 2026. Individuals wishing to exclude themselves or object to the settlement must do so by June 12, 2026.

The post $3.75M Settlement Resolves Data Breach Lawsuit Against Chattanooga Heart Institute appeared first on The HIPAA Journal.

Illinois Bone and Joint Institute Settles Class Action Data Breach Lawsuit for $4M

Posted by Steve Alder

Illinois Bone and Joint Institute (IBJI), one of the largest orthopedic group practices in Illinois, has agreed to settle a consolidated class action lawsuit stemming from a 2024 cyberattack and data breach that affected up to 665,321 individuals.

IBJI identified unauthorized access to its computer systems on or around July 4, 2024. The forensic investigation determined that hackers had access to its network from May 30, 2024, to July 4, 2024, and copied files containing patient information. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnosis and treatment information, and health insurance/claims information. The breach was initially reported to the HHS’ Office for Civil Rights as affecting approximately 183,000 individuals. The total was later amended to 665,321 individuals, although the lawsuit states that approximately 568,000 individuals are in the settlement class.

The first class action lawsuit over the data breach was filed by plaintiff Guy Redman in the Circuit Court of Cook County, Illinois, County Department, Chancery Division. A further seven lawsuits were filed by other plaintiffs, which were consolidated into a single complaint because the lawsuits had overlapping claims. The consolidated class action lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, invasion of privacy, and a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.

The defendant denied and continues to deny all claims and contentions in the lawsuit, including all claims of fault, wrongdoing, and liability. Following mediation, the material terms of a settlement were agreed upon to bring the litigation to an end and avoid the costs and distraction of protracted litigation and the uncertainty of a trial. The settlement has now been finalized and granted preliminary approval from the court. The final fairness hearing has been scheduled for July 1, 2026.

The defendant has agreed to establish a $4 million settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards from the class representatives. The remainder of the settlement fund will be used to pay for benefits for the class members. Class members are entitled to two years of medical data monitoring, reimbursement of out-of-pocket losses due to the data breach, and a pro rata cash payment. Class members may claim reimbursement of up to $5,000 in documented, unreimbursed losses and the cash payments are estimated to be $50 per class member, although the cash payments may be higher or lower depending on the number of claims received. The deadline for submitting a claim is July 1, 2026. Individuals wishing to exclude themselves or object to the settlement must do so by June 1, 2026.

The post Illinois Bone and Joint Institute Settles Class Action Data Breach Lawsuit for $4M appeared first on The HIPAA Journal.