Florida Medical Imaging Provider Notifies 260,000 Patients About February Data Breach

Posted by Steve Alder

Vital Imaging Medical Diagnostic Centers in Florida has disclosed a February 2025 hacking incident involving unauthorized access and potential acquisition of patient data. The HHS’ Office for Civil Rights has been informed that the protected health information of up to 260,000 patients was compromised in the incident.

In its August 22, 2025, substitute data breach notice, Vital Imaging explained that the intrusion was discovered on February 13, 2025. Cybersecurity experts were engaged to investigate the activity, and the investigation is ongoing. Vital Imaging said there is a reasonable belief that personally identifiable information and protected health information were accessed and acquired by the attackers.

An independent data mining team was retained to assist with the investigation and review the files on the compromised parts of its network to determine the individuals affected and the types of data involved, and has confirmed that medical information, insurance information, and demographic information were compromised, including names, dates of birth, and contact information was involved.

Notification letters will be mailed to the affected individuals when the file review is concluded. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their credit reports, financial account statements, and explanation of benefits statements.

ESHYFT

Security researcher Jeremiah Fowler has identified an exposed database linked to ESHYFT, a provider of a platform that allows nurses to find available per diem shifts at long-term care facilities across the country. The 100 GB database could be accessed without authorization and contained 86,341 records, including sensitive data such as names, IDs, medical reports, profile information, facial images, work schedule logs, professional certificates, work assignment information, CVs/resumes, and other information.

Fowler was unable to determine if the database was maintained by ESHYFT or a third-party service provider, nor how long the database was exposed online, or if it was accessed by any unauthorized individuals. The exposed database was reported to ESHYFT and was secured around a month later. Since ESHYFT works with nurses rather than patients, it is unlikely to be a HIPAA-covered entity, and its website does not include a Notice of Privacy Practices, further indicating the data was not HIPAA-protected.

The post Florida Medical Imaging Provider Notifies 260,000 Patients About February Data Breach appeared first on The HIPAA Journal.

Senators Demand Answers from Aflac About June 2025 Cyberattack

Posted by Steve Alder

A bipartisan pair of senators has written to Aflac Chairman and CEO Daniel P. Amos seeking further information about a recently disclosed cyberattack and data breach. Sen. Bill Cassidy (R-La.), chairman of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Margaret Wood Hassan (D-N.H.), are requesting greater transparency about the incident.

Aflac disclosed the incident on June 12, 2025, in a filing with the U.S. Securities and Exchange Commission (SEC), and subsequently issued a press release confirming that customers’ personal and protected health information was compromised in the incident. The senators have requested further information about the incident, including the security measures in place prior to the cyberattack, how cybersecurity best practices implemented by other critical infrastructure sectors have been incorporated at Aflac, which federal agencies were notified about the incident, and when those notifications were issued.

Aflac has stated that claims and health information were compromised in the incident. The senators want to know what steps have been taken to identify the information that was compromised, when the steps to identify the affected information will be finalized, how Aflac is proactively communicating with the individuals potentially affected by the incident, and what steps have been taken or will be taken in response to the cyberattack to improve its security protocols.

The senators also want to know what additional reporting, beyond the requirements of the Health Insurance Portability and Accountability Act, Aflac commits to doing for individuals whose information was impermissibly disclosed in the incident. Aflac has been given until September 5, 2025, to respond and provide answers to the questions.

June 23, 2025: Aflac Latest Insurer to Suffer Cyberattack and Data Breach

The Columbus, Georgia-based insurance giant Aflac has recently announced that it has fallen victim to a cyberattack. Aflac is the largest provider of supplemental insurance in the United States and claims to provide financial protection for more than 50 million people worldwide.

Aflac disclosed the cyberattack in a June 12, 2025, filing with the U.S. Securities and Exchange Commission (SEC), explaining it had initiated its cybersecurity incident response protocols and contained the intrusion within hours. The attack did not affect business operations, and it has continued to underwrite policies, review claims, and otherwise service customers as usual.

Aflac has engaged the services of leading cybersecurity experts to support its own breach response efforts, and the investigation into the attack is ongoing. Aflac said ransomware was not deployed in the incident; however, data does appear to have been exposed. A review of the potentially exposed files is underway. At this early stage of the file review, it is not possible to determine how many individuals have been affected.

Aflac said the exposed data likely includes names, claims information, health information, Social Security numbers, and other personal information related to customers, beneficiaries, employees, agents, and other individuals in its U.S. business. Complimentary credit monitoring and identity theft protection services will be offered to the affected individuals, and regulators will be notified about the extent of the data breach. “This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group,” explained Aflac in a press release about the cybersecurity incident. “This was part of a cybercrime campaign against the insurance industry.” The data breach was reported to the HHS’ Office for Civil Rights on August 8, 2025, although a placeholder figure of 500 was used for the number of affected individuals. That figure will be updated when the file review is completed and all affected individuals have been identified.

The cybercrime campaign has involved attacks on other large insurers in the United States, including the Pennsylvania-based insurers Erie Insurance Group and Philadelphia Insurance Companies. Similar to the Aflac attack, these two incidents did not involve file encryption, only data theft. There has been no attribution so far, although the timing of these attacks suggests a single threat actor is behind all three incidents.

The likely culprit is a threat group known as Scattered Spider, which is known to target large companies in one sector at a time. Recently, Scattered Spider has targeted the retail sector, with its attacks including the UK retailers Marks & Spencer, Co-op, and the Harrods luxury department store, and U.S. attacks on Victoria’s Secret and United Natural Foods, which supplies the Amazon-owned grocery chain Whole Foods.

Researchers at the Google Threat Intelligence Group issued a warning early last week that the group has pivoted to the insurance industry, and ReliaQuest warned that the group is targeting IT service providers and Managed Service providers to attack their downstream clients. Google Threat Intelligence Group researchers recently confirmed that the recent attacks on the insurance sector show the hallmarks of a targeted Scattered Spider campaign.

Scattered Spider typically breaches company networks and deploys ransomware after data exfiltration, but ransomware was not deployed in these attacks. It is possible that the attacks were detected and blocked before ransomware was deployed, but the group may have simply changed tactics, focusing on data theft and extortion alone. While the perpetrator has yet to be confirmed, it is clear that the insurance industry is being targeted. All insurers should remain on high alert as there could well be further attempted cyberattacks on the sector.

The post Senators Demand Answers from Aflac About June 2025 Cyberattack appeared first on The HIPAA Journal.

Children’s Hospital Medical Center of Akron Settles Pixel Class Action Settlement

Posted by Steve Alder

Another healthcare provider has agreed to settle a class action lawsuit over its use of Meta Pixel and other third-party analytics and tracking tools on its website. Children’s Hospital Medical Center of Akron, doing business as Akron Children’s Hospital, was alleged to have added these tools to its website, but their use and implementation resulted in website visitors’ personally identifiable information being disclosed to Facebook and other third parties without the web visitors’ knowledge or consent.

On January 5, 2024, plaintiff John Doe filed a lawsuit – Doe v. Children’s Hospital Medical Center of Akron – against Akron Children’s Hospital in the Court of Common Pleas, Summit County, Ohio, individually, and as next friend of minors A.D., B.D., and C.D., and other similarly situated individuals. The plaintiff alleged that his own PII and that of his minor children and other individuals was disclosed to third parties such as Meta (Facebook), Google, and others without their knowledge or consent, resulting in an invasion of privacy.

In addition to invasion of privacy – intrusion upon seclusion, the lawsuit asserted claims of negligence, negligence per se, breach of confidence, unjust enrichment, and interception and disclosure of electronic communications. Akron Children’s Hospital denies all claims asserted in the lawsuit and all allegations of wrongdoing and liability; however, it attempted mediation to avoid further litigation costs and the uncertainty of a jury trial. While initial mediation efforts failed, after several months of negotiation, a settlement was agreed that was acceptable to all parties. The settlement agreement has now received preliminary approval from Judge Alison McCarty.

The settlement agreement addresses the harm caused by the alleged data disclosure, the potential for future harm, and economic losses incurred by the plaintiffs and the 313,700 class members. All class members will be entitled to claim a one-time cash payment of $19 and will be provided with two years of credit monitoring and identity theft protection services, which include dark web monitoring, lost wallet assistance, a $1 million identity theft insurance policy, and fully managed identity theft restoration and advisory services.

Akron Children’s Hospital will also pay attorneys’ fees, costs, and expenses, settlement administration costs, service awards for class members, and has agreed to injunctive relief, which includes the removal of pixels from its public-facing website, and a commitment not to add pixels to its patient portal or any forms on its public-facing website. Akron Children’s Hospital is permitted to use pixels that are essential for website functionality and may use HIPAA-compliant third-party companies in the future for analytics functions, provided a business associate agreement is in place.

The deadline for exclusion from the settlement, objection, and submitting a claim is September 29, 2025. The final approval hearing has been scheduled for October 10, 2025.

The post Children’s Hospital Medical Center of Akron Settles Pixel Class Action Settlement appeared first on The HIPAA Journal.