California Business Associate Improperly Disposed of Patient Data

Central Valley Regional Center, a Fresno, California-based state-funded provider of services to individuals with developmental disabilities, has notified patients about the recent exposure of physical documents containing their personal information. The number of affected individuals has yet to be announced.

Central Valley Regional Center employed a new vendor that provided janitorial services. In July, Central Valley Regional Center discovered that the company had been disposing of confidential documents along with regular trash. The documents had been placed in bins for confidential waste and should have been shredded. The vendor had been emptying the shredding bins and disposing of the documents in trash bags along with regular waste.

The investigation revealed that the improper disposal of documents occurred between March 2025 and July 2025 at one Central Valley Regional Center facility only. The documents likely included information such as names, addresses, dates of birth, other personal data, medical information, and Social Security numbers. The incident has been reported to law enforcement, the California Attorney General, and the California State Department of Developmental Services. All vendor contracts have been reviewed, along with policies relating to data privacy and security protocols.

Further, steps have been taken to prevent similar incidents in the future, including adding locks to all shredding bins, restricting access to shredding bins to its approved shredding service provider, revising janitorial service procedures to provide more explicit instructions on waste disposal, adding signage regarding proper waste disposal procedures, implementing routine audits to ensure compliance with internal policies and procedures, and affirming expectations regarding confidentiality and data protection with its vendors. The affected individuals have been notified by mail and have been offered identity protection services.

Improper disposal incidents are relatively rare, yet they can result in the exposure of large amounts of PHI. The incident should serve as a warning to other healthcare organizations about the importance of providing clear instructions to service providers about their responsibilities with respect to confidential information, including service providers who may encounter physical PHI.

The post California Business Associate Improperly Disposed of Patient Data appeared first on The HIPAA Journal.

Data Breaches Announced by Community Health Network; Mid South Rehab Services

Cybercriminals have gained access to employee email accounts at Community Health Network in Indiana and Mid South Rehab Services in Mississippi and may have exfiltrated patient information.

Community Health Network, Indiana

Community Health Network, a non-profit health system with more than 200 locations and affiliates in Central Indiana, has recently notified 13,939 Indiana residents about a security incident involving unauthorized access to an employee’s email account. The intrusion was identified on February 26, 2025, and the threat was immediately contained. An investigation was launched to determine the nature and scope of the unauthorized activity, and it was confirmed that the breach was limited to a single email account, which was accessed by an unauthorized individual between February 25 and February 26, 2025.

The email account was reviewed, and on May 8, 2025, it was confirmed that the account contained patients’ protected health information. Following a comprehensive manual document review, on July 15, 2025, Community Health Network confirmed the number of individuals affected and the types of information involved. The exposed data was limited to names, dates of birth, medical information, and health insurance information, which was potentially copied from the email system. After verifying contact information, the affected individuals were notified by mail on September 12, 2025, and advised to remain vigilant against misuse of their data by checking their accounts, free credit reports, and explanation of benefits statements. Credit monitoring services do not appear to have been offered.

Mid South Rehab Services Inc., Mississippi

Mid South Rehab Services Inc., a Ridgeland, Mississippi-based provider of physical, occupational, and speech therapy services, has recently notified patients about a breach of its email environment. Unauthorized activity was identified in an employee’s email account on or around January 16, 2025. The email account was immediately secured, and an investigation was launched to determine the nature and scope of the activity. The investigation covered its entire email environment and confirmed that two email accounts had been accessed by an unauthorized third party.

The review of those accounts confirmed that emails and attachments contained patient information such as names, dates of birth, Social Security numbers, and medical/health information. The affected individuals have been advised to monitor their account statements, credit reports, and explanation of benefit statements for unusual activity. The data breach has been reported to regulators, but the incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Data Breaches Announced by Community Health Network; Mid South Rehab Services appeared first on The HIPAA Journal.

Florida Eye Care Provider Data Breach Affects 153,000 Patients

Retina Group of Florida is the latest eye care provider to report a breach of patient data. The protected health information of almost 153,000 patients was potentially compromised in a November 2024 hacking incident. Retina Group of Florida is a multi-physician, 22-office ophthalmology practice specializing in diseases of the retina. On November 9, 2024, suspicious activity indicative of an intrusion was identified in a portion of its computer network. Immediate action was taken to secure its network and contain the potential threat, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed unauthorized access to parts of its network starting on November 6, 2024. Over the four-day intrusion, patient data may have been copied from the network. The review of all exposed files was completed on August 18, 2025, and over the next month, contact information was verified to allow notification letters to be sent. The notification process started on September 16, 2025, and the affected individuals have been offered credit monitoring and identity theft protection services for 12 months. The HHS’ Office for Civil Rights was notified about the incident on September 9, 2025. The breach report indicates that the electronic protected health information of up to 152,691 individuals was potentially compromised.

Several other data breaches have been reported by ophthalmology practices this year, including a 107,000-record data breach at Black Hills Regional Eye Institute and a 205,000-record data breach at Asheville Eye Associates.

Hampton Regional Medical Center, South Carolina

Hampton Regional Medical Center, a general acute care hospital in Varnville, South Carolina, has warned patients that they may have had some of their personal and health data exposed in a recent cybersecurity incident. Suspicious activity was identified in its computer systems on or around July 16, 2025. An investigation was launched, and it was confirmed that an unauthorized third party had access to certain systems between June 18 and July 16, 2025. During that time, unauthorized access to patient data was possible and patient data may have been copied from its computer systems.

The exposed files are currently being reviewed to determine which patients have been affected and the types of information involved. That process has yet to be completed, so the number of affected individuals is not yet known. Currently, information known to have been exposed includes names, dates of birth, Social Security numbers, driver’s license/state identification numbers, other demographic information, and medical information.

Notification letters will be mailed to the affected individuals when the file review is concluded. In the meantime, all patients have been advised to remain vigilant against identity theft and fraud by monitoring their account statements, free credit reports, and explanation of benefits statements. Hampton Regional Medical Center is implementing additional administrative and technical safeguards to harden security and is reviewing its policies and procedures.

The post Florida Eye Care Provider Data Breach Affects 153,000 Patients appeared first on The HIPAA Journal.

23andMe Requests Bankruptcy Judge Approve Revised $50 Million Data Breach Settlement

23andMe has proposed an increased settlement fund to resolve U.S. litigation over its 2023 data breach, adding a further $20 million to the $30 million settlement proposed last year. The $30 million settlement was given preliminary approval by a federal court judge in December.

The data breach began in April 2023 and involved unauthorized access to customer accounts for around 5 months as a result of a credential stuffing attack. Approximately 7 million customers were affected, 6.4 million of whom were located in the United States. Customer accounts were compromised because they used the same password as other platforms that had previously been breached. While credential stuffing attacks exploit poor password practices by users of a platform, 23andMe was criticized for having inadequate security, such as not requiring multi-factor authentication to protect accounts.

The $30 million settlement was agreed upon and received preliminary approval before 23andMe’s bankruptcy. The company filed for Chapter 11 bankruptcy protection in March 2025 to maximize value through a court-supervised sale. The company was purchased for $305 million by a nonprofit organization led by former 23andMe CEO Anne Wojcicki in July 2025. The sale freed up more assets to cover claims from individuals affected by the data breach.

After the previous settlement was agreed upon, 23andMe received more than 250,000 valid claims from class members who provided proof of losses. The increase in the size of the settlement will resolve “a substantial majority” of U.S. claims, according to 23andMe’s attorneys, who said the proceeds from the sale of the company remain the only source of monetary recovery for victims of the data breach. As such, they hope the judge will be convinced to approve the revised settlement.

In addition to providing reimbursement for documented, out-of-pocket expenses incurred as a result of the data breach, the settlement resolves claims that the company failed to tell customers with Chinese and Ashkenazi Jewish ancestry that they were being targeted by a hacker, and that their stolen data had been offered for sale on the dark web.

Beyond reimbursement of losses, class members will also be entitled to enroll in a five-year Privacy & Medical Shield + Genetic Monitoring program from CyEx, which was specifically set up for 23andMe customers affected by the data breach. The package provides enhanced protection, including identity theft monitoring, dark web monitoring, and genetic anomaly detection services. Wojcicki said the revised settlement closely tracks the settlement proposed and approved last year. The proposed settlement now awaits preliminary approval from the court.

23andMe has also asked the Missouri bankruptcy judge to approve a separate $3.25 million settlement (Can$4.49 million) to resolve a class action lawsuit in Canada, which will provide benefits for the 300,000 Canadian citizens affected by the data breach.

September 16, 2024: 23andMe Settles Data Breach Lawsuit for $30 Million

A settlement had previously been agreed in principle to resolve a 23andMe HIPAA data breach lawsuit, and now the terms have been finalized. 23andMe has agreed to pay $30 million to settle the consolidated class action lawsuit – In re 23andMe Inc Customer Data Security Breach Litigation – and received preliminary approval for the settlement in federal court in San Francisco on Thursday. The settlement still requires final approval from a federal court judge.

The 23andMe data breach (summarized below) involved unauthorized access to user accounts through credential stuffing, rather than a cyberattack on the 23andMe platform. The data of 6.9 million users was compromised in the attack, and the stolen data was sold on the dark web, including a dataset of individuals with Chinese and Ashkenazi Jewish heritage who appeared to have been specifically targeted.

Under the terms of the settlement, individuals whose data was compromised are entitled to receive a share of the settlement fund after litigation costs and attorneys’ fees have been deducted. The plaintiffs’ lawyers will receive between one-quarter and one-third of the settlement amount. In addition to a cash payment, class members will also be entitled to three years of complimentary monitoring services. The settlement is intended to resolve all U.S. claims regarding the 2023 credential stuffing attack and data breach.

23andMe denies all wrongdoing and liability but chose to settle the lawsuit to avoid further litigation and the uncertainty of trial and believes the settlement is “fair, adequate, and reasonable.” The plaintiffs’ attorneys have said the settlement addresses the main claims of their clients and avoids the significant risks of continuing litigation.

23andMe has been facing financial difficulties since the security incident. The company’s stock price has fallen from $10 a share when the company went public three years ago to less than $1 a share. 23andMe CEO Anne Wojcicki had offered to take the company private earlier this year but a special committee rejected the offer in early August. 23andMe warned that due to its current financial position, if there is any litigated judgment significantly more than the proposed settlement amount it would likely be uncollectable. The company said it faces parallel litigation in state court and private arbitration forums on behalf of tens of thousands of settlement class members.

Under the terms of the settlement, class members may submit claims for the following:

  • An extraordinary claim for up to $10,000 to recover unreimbursed costs and expenditures related to the security incident. The costs can include losses due to identity theft, falsified tax returns, the costs of physical security or a monitoring system purchased in response to the security incident, and unreimbursed costs associated with professional mental health counseling or treatment as a result of the security incident. A cap of $5 million has been placed on these claims.
  • Class members who were residents of Alaska, California, Illinois, or Oregon at the time of the breach may submit a statutory cash claim for $100 under the genetic privacy laws in those states.
  • Class members whose health information was compromised may submit a claim for a $100 cash payment.
  • All class members can enroll in Privacy & Medical Shield + Genetic Monitoring, which includes a password manager, medical record monitoring, and anti-phishing protection.

23andMe anticipates that around $25 million of the settlement amount will be covered by its cyber insurance policy. Class members can object to the settlement, exclude themselves to allow them to pursue their own legal case against 23andMe, or accept the settlement and submit a claim for their share of the settlement fund.

July 19, 2024: 23andMe Reaches Agreement in Principle to Settle Class Action Data Breach Lawsuit

23andMe has reached an agreement in principle to settle a class action lawsuit that was filed in response to a breach of customer data in 2023. The breach occurred in October 2023 and resulted in the theft of the data of approximately 6.9 million individuals, around half of its customers. There was no breach of 23andMe’s systems; instead, a threat actor conducted a credential stuffing attack, which allowed access to be gained to certain customer accounts. Around 14,000 individual accounts were compromised, around 0.1% of its customers.

When the breach was discovered, 23andMe placed the blame for the attack on customers’ poor security practices. The accounts could be accessed only because the affected customers had reused the same username/password combinations they had used to secure accounts on unrelated platforms. When those third-party platforms experienced data breaches and credentials were stolen, the stolen credentials could be used to access any other account where they had been reused, which in this case was 23andMe.

Data obtained from those accounts included uninterrupted raw genotype data, health predisposition reports, and carrier-status reports. The threat actor also exploited a 23andMe feature – DNA Relatives – which allows people to connect with their DNA relatives. Through that feature, the threat actor accessed the profile information of around 5.5 million 23andMe users as well as the Family Tree information of a further 1.4 million individuals. The threat actor then listed datasets for sale, including customers with Jewish and Chinese heritage.

More than two dozen lawsuits were filed against 23andMe over the data breach. The plaintiffs’ attorneys claimed that the datasets being offered for sale could be used as a hit list, allowing Jews to be targeted, and the Chinese dataset could be used by the intelligence agencies of the People’s Republic of China to target dissidents. While the 14,000 accounts were accessed due to customers’ password reuse, attorneys for the plaintiffs argued that 23andMe should have done more to protect users’ sensitive data.

They alleged that 23andMe should have been aware that a cyberattack was likely, should have taken steps to reduce the risk, and should have had proper data breach protocols in place. Further, the company should have notified customers with Jewish and Chinese heritage that the datasets had been made available and that they could potentially be targeted. The lawsuits also alleged that 23andMe lied about data security, failed to implement protections in accordance with industry standards, and then lied about the scope and severity of the breach.

At a court hearing on Tuesday, attorneys for the San Francisco-based company disclosed that a settlement had been agreed in principle to bring the litigation to an end. The company is finalizing the details, hopes to produce an executed term sheet in the next week, and will then draft a full settlement agreement. “We have reached an agreement in principle for a full settlement of U.S. claims regarding the 2023 ‘credential stuffing’ security incident,” said 23andMe, in a statement provided to the San Francisco Business Times. “We believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement.”

Lawyers for the plaintiffs and class argued that under the Illinois Genetic Information Privacy Act, some of the class were owed up to $3 billion in damages. In its annual report, 23andMe disclosed that the company has around $216 million in cash, so any continued legal action to obtain substantial damages risked 23andMe filing for bankruptcy. The terms of the settlement have not yet been disclosed, but the settlement is likely to involve payment for dark web monitoring services and non-monetary relief. A hearing has been scheduled for July 30 for the court to be provided with an update on the term sheet, and a motion for preliminary approval of the proposed settlement is expected to be filed within a couple of months.

The post 23andMe Requests Bankruptcy Judge Approve Revised $50 Million Data Breach Settlement appeared first on The HIPAA Journal.