Main Line Fertility Center Settles Tracking Technology Lawsuit – The HIPAA Journal
Main Line Fertility Center Settles Tracking Technology Lawsuit
Main Line Fertility Center in Pennsylvania will make cash payments to individuals whose sensitive data may have been disclosed to third parties via website tracking technologies. Like many healthcare providers, Main Line Fertility Center deployed third-party tracking tools and analytics code on its public website, including Meta Pixel. While these tools can provide valuable data to website owners, their use is problematic in healthcare due to the potential for sensitive data to be transferred to the providers of those tools. Depending on how and where these tools are deployed, they can potentially transfer personally identifiable and health information to those third parties.
Main Line Fertility Center was alleged to have used these tools without patients’ knowledge or consent, resulting in individually identifiable information being transferred to third parties, such as Meta. Anonymous plaintiff Jane Doe filed a lawsuit – Jane Doe v. Main Line Fertility, Ltd. – in the Court of Common Pleas of Philadelphia County, Pennsylvania, alleging the use of these tools without the knowledge or consent of patients amounted to negligence and violated the Pennsylvania Unfair Trade Practices Act. The lawsuit also asserted claims of invasion of privacy, breach of implied contract, and unjust enrichment.
Main Line Fertility Center maintains that there was no wrongdoing and filed its preliminary objections to the complaint on September 19, 2024; however, the court overruled the objections and ordered Main Line Fertility Center to file its answer to the plaintiff’s complaint, which was filed on February 6, 2024. Following substantive discovery efforts and extensive settlement discussions, Main Line Fertility Center agreed to participate in private mediation, and the material terms of a settlement were agreed upon. The full terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court.
Similar to several other pixel-related settlements in recent months, class members will be provided with a cash payment and membership to a Privacy Shield Pro product. Class members wishing to submit a claim can elect to receive a one-time cash payment of $35, and if they submit a valid and timely claim, they will receive a code to enroll in the Privacy Shield Pro product. Main Line Fertility Center has also agreed to pay attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives.
The deadline for opting out of and objecting to the settlement is December 1, 2025, and claims must be submitted by December 29, 2025. The final fairness hearing has been scheduled for January 6, 2026.
The post Main Line Fertility Center Settles Tracking Technology Lawsuit appeared first on The HIPAA Journal.
Data Breaches Announced by Ennoble Care & Circa Health; Dermatology Associates of Concord
Data breaches have recently been announced by Ennoble Care & Circa Health in New Jersey and Dermatology Associates of Concord in Massachusetts.
Ennoble Care/Circa Health, New Jersey
Ennoble Care & Circa Health, LLC, a Hackensack, NJ-based provider of primary care, palliative care, and hospice services to individuals in Georgia, Kansas, Maryland, New York, New Jersey, Oklahoma, Pennsylvania, Virginia, and Washington, D.C., has announced an email account breach that was identified on April 17, 2025.
Ennoble Care said the investigation into the incident is ongoing; however, it has been determined that patient information has been exposed and may have been obtained by an unauthorized individual. The types of information involved include names, addresses, dates of birth, hospice status, status dates, and orders status (CTI, SN, MSW, CH, HHA, etc.). No evidence was found to indicate that its cloud-based electronic health record was compromised.
While no evidence has been found to indicate misuse of the exposed data, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring the explanation of benefits statements that they receive from their health insurance providers. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
Dermatology Associates of Concord, Massachusetts
Dermatology Associates of Concord (DAC), a provider of dermatology services to individuals in the greater Boston area, has notified the Massachusetts Attorney General about a recent security incident affecting a currently undisclosed number of individuals. Suspicious activity was identified within its computer systems on September 19, 2025. Assisted by third-party cybersecurity experts, DAC determined that an unauthorized third party accessed a specific computer system between September 18, 2025, and September 19, 2025, and copied files from that system.
The files are being reviewed to determine the types of data involved and the individuals affected, and that process has not yet concluded. While data was stolen, DAC is unaware of any misuse of that information. DAC said it has notified law enforcement about the incident and has augmented its security protocols to prevent similar incidents in the future.
Notification letters will be mailed to the affected individuals when the data review is completed, and complimentary single-bureau credit monitoring, credit report, credit score, and fraud assistance services will be made available to the affected individuals for a period of 24 months.
Data Breaches Announced by Heritage Communities & Metrocare Services
The senior living company Heritage Communities and the Dallas mental health care company Metrocare Services have announced security incidents that exposed sensitive patient data.
Heritage Communities, Nebraska
Heritage Communities, a senior living company based in Omaha, Nebraska, has recently announced a breach of the personal and protected health information of current and former residents. The data breach affected the company Heritage Holdings LP, a business associate of Heritage Communities, Orchard Pointe, and OnCare Health. On or around September 16, 2025, a network intrusion was identified, and third-party cybersecurity experts were engaged to investigate the incident. The investigation confirmed that an unauthorized actor gained access to its network and a limited amount of protected health information. The forensic investigation could not rule out the possibility that sensitive data was exfiltrated from its network.
The review of the affected data confirmed that a range of data types were exposed, including first and last names, Social Security numbers, driver’s license numbers, bank account information, credit card information, dates of birth, addresses, phone numbers, email addresses, medication information, healthcare diagnosis information, test results, and healthcare provider information. The types of information involved varied from individual to individual.
Additional security measures have been implemented in response to the data breach, and data security policies and procedures are being reviewed. While no misuse of the affected data has been identified, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements. The Worldleaks threat group claimed responsibility for the attack and added Heritage Communities to its dark web data leak site. If the claim is genuine, it suggests that a ransom demand was issued that was not paid.
Metrocare Services, Texas
Metrocare Services, a Dallas, TX-based provider of mental health services to individuals in North Texas, has identified an impermissible disclosure of patient information. On September 9, 2025, an employee sent an encrypted email from their work account to a personal email account, and the email was later shared on an unauthorized network. The investigation confirmed that the encrypted email contained the protected health information of approximately 8,600 patients, including names, medical record numbers, appointment times, doctors’ names, dates of service, and duration and costs of service.
Metrocare Services said it worked with the employee to ensure that the email was deleted from their personal email account, including the trash folder, and said no evidence was found to indicate that the data was further shared or was accessed by anyone other than the employee who was authorized to access the information.
North Kansas City Hospital Patients Affected by Cerner Hacking Incident
North Kansas City Hospital has notified patients about a January 2025 data breach at its EHR vendor Cerner. Data breaches have also been announced by Shasta County Health and Human Services and OncoHealth in Georgia.
North Kansas City Hospital, Missouri
North Kansas City (NKC) Hospital in Missouri issued a substitute breach notice on November 25, 2025, announcing a data breach at its electronic health record (EHR) vendor. A hacker gained access to a legacy Cerner (now Oracle Health) server that was awaiting migration to the Oracle Cloud infrastructure. According to Oracle Health, the hacker gained access to the server as early as January 22, 2025, and exfiltrated data, including the personal health information of NKC Hospital patients. NKC Hospital stressed that none of its own systems were compromised in the incident, as the breach was limited to two legacy Cerner servers.
The HIPAA Journal first reported on the Oracle Health data breach in March 2025, and in the months following the announcement, several healthcare providers have issued notifications confirming that they have been affected. The NKC Hospital breach notice does not state when Oracle Health confirmed that NKC Hospital had been affected. NKC Hospital said it requested the information required to issue notifications as soon as it learned that it had been affected, and said notifications were delayed at the request of law enforcement and were issued by NKC Hospital as quickly as possible.
Oracle Health said the data compromised in the incident included names, dates of birth, and Cerner patient identifiers, and potentially also information contained in electronic medical records, such as medical record numbers, doctors’ names, diagnoses, medications, test results, medical images, and care/treatment information. The HHS’ Office for Civil Rights breach portal does not currently list the data breach, so it is unclear how many NKC Hospital patients were affected.
Shasta County Health and Human Services
Officials at the Department of Health and Human Services for Shasta County in California have announced an insider data breach that has affected approximately 164 clients. Unauthorized access to the protected health information of patients was detected on September 30, 2025. The investigation confirmed that a former employee had accessed patient information without authorization.
Data potentially accessed included names, dates of birth, chart numbers, health plan information, County Administrative Office search name, diagnoses/conditions, medications, treatment authorizations, and requests related to Mental Health Behavioral Services. The notice does not state the reason for the unauthorized access or whether any information was copied or has been further disclosed. Shasta County said the investigation is ongoing, and any misuse of patient data will be reported to law enforcement.
OncoHealth, Georgia
OncoHealth (formerly Oncology Analytics Inc.), an Atlanta, GA-based oncology-focused virtual medical group that partners with Humana Inc. for medical oncology prior authorizations, has announced a data breach that resulted in an impermissible disclosure of protected health information. As a result of a phishing attempt on the Zendesk customer service system, a fraudulent Zendesk account was created. The email address for the account was mistakenly included in a distribution sent to Humana Inc. that included a file containing the protected health information of 39 individuals.
The file contained personal and health information, including first and last names, birth dates, Humana identification numbers, and authorization numbers. OncoHealth said it has found no evidence of misuse of the disclosed information. Steps have been taken to improve internal security controls, and additional security awareness training has been provided to the workforce.