Jefferson-Blount-St. Clair Mental Health Authority Data Breach Affects 30,000 Patients

Posted by Steve Alder

Jefferson-Blount-St. Clair Mental Health Authority in Alabama, Cottage Hospital in New Hampshire, WindRose Health Network in Indiana, and Iroquois Memorial Hospital in Illinois have announced that patient data has been exposed in hacking incidents.

Jefferson-Blount-St. Clair Mental Health Authority, Alabama

Jefferson-Blount-St. Clair (JBS) Mental Health Authority in Alabama has notified more than 30,000 individuals that some of their personal and protected health information was exposed and potentially acquired in a ransomware attack. Suspicious activity was identified within its computer network on or around November 25, 2026. The investigation confirmed that hackers gained access to its network on November 25, 2026, and potentially viewed or acquired information relating to individuals who were patients or employees between 2011 and 2025.

The file review has recently concluded and confirmed that the exposed data included names, Social Security numbers, health insurance information, dates of birth, and medical information, which may have included diagnoses, physician information, medical record numbers, Medicare/Medicaid information, prescription/medication information, diagnostic and treatment information, and billing or claims information.

The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements. The HHS’ Office for Civil Rights breach portal indicates 30,434 individuals were affected by the incident.

Cottage Hospital, New Hampshire

Cottage Hospital, a 35-bed critical access hospital in Woodsville, New Hampshire, has detected unauthorized access to its computer network. The forensic investigation confirmed that hackers had access to a single file server on its computer network from October 14, 2025, to October 21, 2025, and on December 8, 2025, the hospital confirmed that files had been exfiltrated in the incident.  The review of the files is ongoing, although it has been confirmed that the server contained current and former employees’ names, Social Security numbers, driver’s license numbers, and potentially bank account information.

The breach notice submitted to the Maine Attorney General indicates 2,156 individuals were affected, including 83 Maine residents. The affected individuals have been offered complimentary credit monitoring, identity theft restoration, and fraud consultation services. The hospital has confirmed that it will continue to implement and evaluate enhanced safeguards and security measures to better protect sensitive data on its network.

WindRose Health Network, Indiana

WindRose Health Network, a Federally Qualified Health Center with five health centers in Indiana, has notified certain patients about a security incident identified on August 22, 2025. The security breach was detected quickly, with the unauthorized access determined to have commenced on the morning of August 22, 2025. The compromised parts of the network contained personal and protected health information, which may have been accessed or acquired.

A data review firm was engaged to determine the types of information in the exposed files and the individuals affected. That process was recently completed, and the results were assessed to determine the individuals who required notifications. Data compromised in the incident vary from individual to individual and may include names in combination with one or more of the following: contact information, date of birth, patient identification number, date(s) of service, provider name(s), diagnosis, treatment information, prescription(s), medical history, lab reports, health insurance information, and limited number government identification numbers, such as driver’s license number or Social Security number.

Third-party cybersecurity experts were engaged to investigate the incident, review security, and further secure its systems. The affected individuals have been advised to remain vigilant against identity theft and fraud. The HHS’ Office for Civil Rights breach portal indicates 691 individuals were affected by the incident

Iroquois Memorial Hospital, Illinois

Iroquois Memorial Hospital in Watseka, Illinois, has recently reported a hacking incident to the HHS’ Office for Civil Rights involving unauthorized access or theft of patients’ protected health information. A substitute breach notice has yet to be posted to the hospital’s website, so it is unclear exactly what types of data were compromised in the incident. The Pear threat group claimed responsibility for the attack.

Pear engages in data theft and extortion but does not encrypt files. The group maintains a data leak site and added Iroquois Memorial Hospital to the site on December 11, 2025. The listing is still active, which suggests the ransom was not paid. The HHS’ Office for Civil Rights breach portal indicates 621 individuals were affected by the incident

The post Jefferson-Blount-St. Clair Mental Health Authority Data Breach Affects 30,000 Patients appeared first on The HIPAA Journal.

Failure to Provide a Medical Screening Examination Results in HHS-OIG Penalty

Posted by Steve Alder

Two hospitals have entered into settlement agreements with the Department of Health and Human Services (HHS) Office of Inspector General (OIG) to resolve alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA).

EMTALA requires Medicare-participating hospitals with emergency departments to provide a medical screening examination and stabilizing treatment for any patient, regardless of the patient’s ability to pay. Patients must not be transferred unless they have first been provided with stabilizing treatment, unless the patient requests a transfer in writing, the benefits outweigh the risks, and if the receiving hospital agrees to accept the patient. Transfers are also permitted if the hospital does not have the capabilities to stabilize the patient, in which case, the patient can be transferred to a hospital with specialized capabilities.

Cordell Memorial Hospital in Oklahoma was investigated by HHS-OIG after an alleged failure to provide a medical screening examination to a pregnant patient in active labor, who presented at the hospital on January 27, 2026. The woman arrived at the hospital in a private vehicle and was having contractions every 1-2 minutes. Staff at Cordell Memorial Hospital’s Emergency Department met the patient outside the facility and asked if the patient’s waters had broken and if there was an immediate need to push. When the patient responded in the negative to both questions, the ED staff recommended that the patient travel to an alternative facility 15 miles away.

The patient did not receive a pelvic examination, and her vital signs were not checked; therefore staff could not make an accurate determination about whether there was time to travel to the other healthcare facility or if the transfer posed a threat to the health and safety of the patient or their unborn child. The child was delivered within approximately 40 minutes of arriving at the other hospital. HHS-OIG determined that the failure to provide a medical screening examination was in violation of EMTALA, and the case was settled with a $40,000 financial penalty.

Holmes Regional Medical Center in Melbourne, Florida, was similarly investigated over an incident involving a pregnant patient, who presented at the Emergency Department 30 weeks pregnant seeking an examination and treatment for high blood pressure. The patient was accompanied by a minor child of approximately 4-6 years of age. As the patient was completing the intake form, a security guard told the patient that the minor child was not permitted to be present in the triage area. As a result, the patient left the ED without having an appropriate medical screening examination. HHS-OIG determined that the failure to provide the MSE was in violation of EMTALA. The alleged violation was settled, with Holmes Regional Medical Center agreeing to pay a $113,407 financial penalty.

The post Failure to Provide a Medical Screening Examination Results in HHS-OIG Penalty appeared first on The HIPAA Journal.