Columbus Regional Health; St. Joseph Hospital Settle Pixel Privacy Lawsuits

Settlements have been agreed to resolve class action lawsuits against two healthcare providers over their use of website tracking technologies. The lawsuits alleged that the deployment of these tools caused the personal and protected health information of patients to be disclosed to third parties without patients’ knowledge or consent.

Website tracking tools, such as pixels, are installed on websites across the internet to track the actions of website users. They can record a range of information about user interactions, such as the pages visited, time spent on each page, how the user navigated to the website, and other information. That information may be sent to the third-party providers of the tools, allowing the user to be tracked as they navigate to other webpages. Users may then be served targeted advertisements across the internet based on their actions on a website where the tools were installed. For instance, if an individual visited a page related to obesity, they may be served adverts related to weight loss medications.

Many lawsuits have been filed against healthcare providers over website tracking tools, alleging privacy violations. Two of the latest lawsuits to be settled were filed against Bartholomew County Public Hospital d/b/a Columbus Regional Health and St. Joseph Hospital of Nashua, N.H. In both cases, the defendants maintain that there was no wrongdoing, no laws were violated, and there is no liability; however, settlements were agreed to avoid the cost, distraction, and risks of continuing with the litigation.

Columbus Regional Health Pixel Settlement

Bartholomew County Public Hospital d/b/a Columbus Regional Health is a non-profit regional health system that includes a 225-bed Columbus hospital serving patients in southeastern Indiana. Columbus Regional Health was alleged to have collected and transmitted patient data to Meta (Facebook) via Meta Pixel and other tracking tools on its website without the knowledge or permission of website users. The first lawsuit was filed in May 2023 – Brian Elkins and Annie Elkins v. Bartholomew County Public Hospital d/b/a Columbus Regional Health – in Marion County Superior Court, with a further three plaintiffs joining the action after filing similar complaints.

The consolidated lawsuit asserted claims for negligence; negligence per se; invasion of privacy – intrusion upon seclusion; invasion of privacy – public disclosure of private facts; breach of implied contract; unjust enrichment; breach of fiduciary duty; and violation of the Indiana Deceptive Consumer Sales Act.

Settlement Terms

Claims may be submitted for a one-time cash payment of $25.50, and class members will be automatically enrolled in a 12-month membership to the CyEx Privacy Shield Pro digital privacy and identity protection service. The defendant has agreed to cover the cost of attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the 5 class representatives. The deadline for opting out and exclusion has passed.

Eligibility: Individuals who resided in Indiana and completed a registration for access to their electronic records or logged into the patient portal between November 1, 2017, and June 30, 2022.

Claims deadline: September 19, 2026

Final approval hearing: July 22, 2026

Further information: https://columbusregionalsettlement.com/

St. Joseph Hospital of Nashua, N.H. Pixel Settlement

St. Joseph Hospital Corporate Services, Inc. is a New Hampshire healthcare corporation that operates the 208-bed St. Joseph Hospital in Nashua. The hospital is alleged to have used tracking technologies on its website that disclosed website users’ sensitive information to Microsoft, without their knowledge or consent. The plaintiffs alleged that the data collected via the tools was used to enhance Microsoft’s advertising technology and serve targeted advertisements to patients based on the information disclosed on the defendant’s website.

The first lawsuit was filed in the Superior Court of Hillsborough County, New Hampshire, and was later amended due to an inaccuracy in the defendant’s corporate entity – Fiorillo, et al., v. St. Joseph Hospital of Nashua, N.H. The lawsuit asserted claims including negligence, invasion of privacy – intrusion upon seclusion, and unjust enrichment.

Settlement Terms

Claims may be submitted for a one-time cash payment of $50 per class member. The defendant has also agreed to pay attorneys’ fees and expenses, settlement administration and notification costs, and service awards to the class representatives.

Eligibility: Individuals who used the MyChart patient portal associated with St. Joseph Hospital from January 1, 2023, to the present.

Opt out and exclusion deadline: July 30, 2026

Claims deadline: August 14, 2026

Final approval hearing: September 14, 2026

Further information: https://columbusregionalsettlement.com/

The post Columbus Regional Health; St. Joseph Hospital Settle Pixel Privacy Lawsuits appeared first on The HIPAA Journal.

LifePoint Health; Southwest Behavioral & Health Services; Nottingham Village Report Data Breaches

Data breaches have been announced by Lifepoint Health, Southwest Behavioral & Health Services, and Nottingham Village.

Lifepoint Health

Lifepoint Health Inc., a healthcare delivery network that operates more than 60 hospital campuses in 28 U.S. states, more than 30 rehabilitation and behavioral health hospitals, and over 170 acute rehabilitation units, discovered unauthorized activity within its network on February 23, 2026. The forensic investigation traced the activity to a compromised user account. Assisted by third-party cybersecurity experts, Lifepoint Health determined that an unauthorized third party gained limited access to certain internal databases on February 22, 2026. The incident was fully contained within 24 hours.

Lifepoint Health determined that the data breach was limited in scope and was restricted to employees of contracted vendors. Direct employees of the company and patients were not affected. The affected employees had their names, addresses, phone numbers, dates of birth, and Social Security numbers compromised in the incident. Notification letters were sent to those individuals on April 23, 2026, and complimentary credit monitoring and identity theft protection services have been made available.

Southwest Behavioral & Health Services

Southwest Behavioral & Health Services, a Phoenix, AZ-based non-profit behavioral health organization, has identified a breach of its email environment. Suspicious activity was identified within its email environment on April 1, 2026, and the forensic investigation determined that six employee email accounts were compromised.

The review of the affected email accounts was completed on April 30, 2026, and notification letters have now been sent to the 2,316 affected individuals. Southwest Behavioral & Health Services has published a substitute breach notice on its website, but it does not state the types of information exposed in the incident. No evidence has been identified to suggest any misuse of the exposed data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services, and steps have been taken to improve email security to prevent similar incidents in the future.

Nottingham Village

Nottingham Village, a skilled nursing and assisted living facility in Northumberland, Pennsylvania, has notified 5,240 individuals about a security incident that was identified on November 9, 2025. After securing its network, an investigation was launched, and on May 12, 2026, it was confirmed that the exposed data included names, birth dates, Social Security numbers, driver’s license numbers/state government IDs, financial account information, medical information, and health insurance information. Nottingham Village said it continually evaluates and modifies its security practices and will continue to do so in the future.


Xsolis Data Breach Affects 1.4M Individuals

Xsolis, a business associate of HIPAA-covered entities that provides AI-powered solutions for improving case and utilization management to achieve more efficient outcomes, has experienced a major data breach as a result of a phishing attack.

According to the data breach notification filed with the California Attorney General, unauthorized activity was identified within the Xsolis environment on January 22, 2026, as a result of a targeted phishing attack. The incident has been contained, unauthorized access has been terminated, no evidence has been found of unauthorized access since January 22, 2026, and Xsolis has found no evidence to suggest any of the exposed data has been misused.

An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that patient data had been exposed and may have been copied. Xsolis engaged digital specialists to review the affected data, and that process has now been completed. Xsolis is notifying the affected individuals and has offered them complimentary credit monitoring and identity theft protection services through Kroll for 12 months.

The Kroll website notice about the security incident states that an unauthorized third party had access to a limited portion of the Xsolis environment from January 20, 2026, to January 22, 2026. Data exposed in the incident included names, dates of birth, Social Security numbers, health insurance information, and medical treatment information.

The data breach has been reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 1,396,519 patients of its healthcare provider clients. A list of the affected clients has not been published; however, VHC Health, a healthcare provider serving patients in Northern Virginia and the Washington D.C. Metro area, has confirmed that it has been affected, as has Rochester Regional Health in New York.

Additional security measures have been implemented to prevent similar incidents in the future, system monitoring has been increased, all passwords for key users have been reset, new protective technologies have been deployed, security awareness training for employees has been accelerated, and credential management processes have been strengthened.


Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients

Blue Fish Pediatrics in Texas has announced a July 2025 cyberattack that affected more than 41,000 Texas patients. Data breaches have also been announced by Cherry Health in Michigan, Coastal Carolina Centers of Urology and Surgery in South Carolina, and Regence in Oregon.

Blue Fish Pediatrics, Texas

Blue Fish Pediatrics, a Houston, Texas-based network of pediatric medical practices, has notified the Texas Attorney General about a cybersecurity incident last year that exposed the personal and protected health information of its patients.

In a substitute breach notice on its website, Blue Fish Pediatrics explained that unauthorized access to its IT systems was identified on or around July 17, 2025. After securing its systems, an investigation was conducted to determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that a threat actor had access to a limited number of files between July 11, 2025, and July 17, 2025. Some of those files contained personally identifiable information and protected health information and may have been acquired in the incident.

The files have now been reviewed and found to contain full names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, medical record numbers, diagnosis/condition information, lab results, medications, claims information, and clinical/treatment information. Notification letters are now being mailed to the affected individuals, and complimentary credit monitoring has been made available to individuals whose Social Security numbers were exposed.

The total number of affected individuals has yet to be disclosed; however, the bulk of the affected individuals reside in Texas. The Texas Attorney General was informed that 41,485 Texas residents were affected.

Cherry Health, Michigan

Cherry Health, Michigan’s largest non-profit Federally Qualified Health Center serving six counties in the state, announced a breach of patients’ protected health information on June 18, 2026. Suspicious network activity was identified on or around April 19, 2026. The forensic investigation confirmed unauthorized access to its network and the copying of files containing patient information.

The file review is ongoing; however, information likely stolen in the incident includes names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID numbers, patient ID numbers, provider names, service dates, and, for a limited number of individuals, Social Security numbers. Cherry Health said it has not identified any misuse of the impacted data. Cherry Health is working on implementing additional safeguards to prevent similar incidents in the future. At present, it is unclear how many individuals have been affected.

Coastal Carolina Centers of Urology and Surgery, South Carolina

Coastal Carolina Centers of Urology and Surgery, LLC, doing business as Rivertown Surgery Center in Conway, South Carolina, has notified the HHS’ Office for Civil Rights about a network server hacking incident involving unauthorized access to the electronic protected health information of 2,886 individuals.

Only limited information has been made public about the breach, such as that it involved unauthorized access to names and health records; however, this appears to have been a ransomware attack by the Qilin ransomware group. Qilin added Coastal Carolina Centers of Urology and Surgery to its dark web data leak site on September 4, 2025, along with screenshots of files allegedly stolen in the attack. According to the notice sent to the Indiana Attorney General, the breach occurred on August 26, 2025, and notifications were mailed on or around May 22, 2026.

Regence, Oregon

Regence Blue Cross Blue Shield of Oregon has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 2,856 individuals. According to a notice on the Regence website, unauthorized actors registered and accessed some Regence digital member accounts between January 1, 2026, and April 15, 2026, and redeemed wellness rewards for gift cards. Information in the accounts may have been accessed.
