Ransomware groups have claimed responsibility for attacks on Advanced Family Surgery Center in Tennessee, Orem Eye Clinic in Utah, and Belmont Aesthetic & Reconstructive Plastic Surgery in Virginia/Washington D.C.

Surgery Center of Oak Ridge (Advanced Family Surgery Center)

Surgery Center of Oak Ridge, LLC, doing business as Advanced Family Surgery Center in Oak Ridge, Tennessee, has notified certain patients about a network intrusion first identified on or around November 26, 2025. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that certain parts of its network were accessed by an unauthorized third party who potentially viewed or acquired files containing patient information.

The files were reviewed and found to contain names, addresses, dates of birth, dates of service, health insurance information, medical diagnosis information, medical record numbers, Medicare/Medicaid numbers, patient account numbers, prescription/treatment information, provider names, and Social Security numbers. Additional security measures have been implemented to prevent similar incidents in the future, and policies and procedures with respect to data security are being reviewed.

This appears to have been a ransomware attack with data theft. The Genesis ransomware group, a financially motivated threat group that has attacked many healthcare providers, claimed responsibility for the attack and added Advanced Family Surgery Center to its dark web data leak site. Genesis claims to have exfiltrated 100 GB of data in the attack, including files containing patient information.

Orem Eye Clinic

Orem Eye Clinic in Orem, Utah, has notified individuals and the HHS’ Office for Civil Rights about a cybersecurity incident involving unauthorized access to parts of its network that contained the protected health information of approximately 5,800 patients. No substitute breach notice has been added to the Orem Eye Clinic website at the time of publication of this article, so the exact details, such as the types of data involved and the nature of the incident, have yet to be confirmed. Individuals receiving a notification letter should be aware that a ransomware group called Nightspire claimed responsibility for the attack and added Orem Eye Clinic to its dark web data leak site. The group claims to have exfiltrated 1 terabyte of data in the attack.

Belmont Aesthetic & Reconstructive Plastic Surgery

Belmont Aesthetic & Reconstructive Plastic Surgery, a cosmetic and reconstructive surgery practice with locations in Washington, D.C., and Virginia, has reported a data breach to the HHS’ Office for Civil Rights that has affected 528 individuals. While there is currently no website notice, and no other information has been released about the data breach so far, this appears to have been a ransomware attack. The Insomnia ransomware group added Belmont Aesthetic & Reconstructive Plastic Surgery to its dark web data leak site in early March 2026 and threatened to publish the stolen data if the ransom was not paid.

The post Ransomware Groups Claim Responsibility for Attacks on 3 Healthcare Providers appeared first on The HIPAA Journal.

Data breaches have recently been announced by Verber Dental Group in Pennsylvania, Northwoods Surgery Center in Minnesota, Cunningham Prosthetic Care in Maine, Healthcare In Action in California, and Preakness Healthcare Center in New Jersey.

Verber Dental Group

Verber Dental Group, a Camp Hill, PA-based dental group comprising 14 dental practices, has recently notified patients of unauthorized network access that exposed patient data. Suspicious network activity was identified on January 27, 2026. The network was secured, and an investigation was launched, which revealed the threat actor had access to its network from January 26, 2026, to January 27, 2026. The investigation confirmed that patient information had been exposed, including names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, medical records, and health insurance information.

Verber Dental has not identified any misuse of patient information. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals as a precaution. At present, the incident is not shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Northwoods Surgery Center

Northwoods Surgery Center in Virginia, MN, identified unauthorized activity within its computer network on or around September 8, 2025. Its network was secured, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized network access over a two-month period between July 11, 2025, and September 8, 2025. The compromised parts of the network were reviewed, and it was confirmed that files containing patient information had been exposed and may have been accessed or acquired by the threat actor.

In total, 5,385 individuals were affected. Data potentially compromised in the incident included names, addresses, dates of birth, health insurance information, patient medical record numbers, doctor’s name, practice type, medical date of service, medication information, diagnosis and treatment information, and medical claims or billing information. While patient data was exposed, Northwoods Surgery Center has not identified any actual or attempted misuse of patient information. Notification letters are now being mailed, and complimentary credit monitoring services have been made available.

Cunningham Prosthetic Care

Cunningham Prosthetic Care, a Saco, ME-based prosthetic and orthotic practice, has notified the HHS’ Office for Civil Rights about a data breach affecting 2,523 patients. On or around October 22, 2025, suspicious activity was identified within its email environment. An investigation was launched that confirmed unauthorized access to an employee’s email account. The account was reviewed, and on March 4, 2026, Cunningham Prosthetic Care confirmed that the account contained patient information.

Data exposed and potentially acquired included names, dates of birth, Social Security numbers, medical record numbers, driver’s license numbers, diagnostic and treatment information, and health insurance information. The types of exposed data varied from individual to individual. Notification letters were mailed to the affected individuals on May 1, 2026. The practice has implemented additional security measures to enhance data privacy and security.

Healthcare in Action

Healthcare In Action, a medical group serving the homeless population in California, has recently identified unauthorized access to an employee’s email account between January 28, 2026, and January 30, 2026. The account was compromised using stolen credentials. The unauthorized access was limited to a single email account, which has now been secured. Third-party experts were engaged to investigate and determined that the account contained the information of 1,143 individuals, including patients and other individuals.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: date of birth, email address, phone number, driver’s license/state ID number, Social Security numbers, ethnicity, housing application case number/HMIS number, health plan information, mailing/ physical address, medical record number, diagnosis/condition information, date(s) of service, location(s) of service, treatment information, disability verification information, and/or medication information. For non-patients, the compromised data included names, addresses, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Preakness Healthcare Center

Preakness Healthcare Center, a Wayne, NJ-based skilled nursing facility, has recently identified unauthorized access to its computer network. Suspicious activity was first identified on March 4, 2026. The forensic investigation confirmed that an unauthorized third party had access to parts of its computer network from February 24, 2026, to March 4, 2026, during which time residents’ data may have been viewed or acquired. The exposed data included residents’ names, demographic information, and limited clinical information. The affected individuals had been admitted on or after January 1, 2019. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. At present, the number of affected individuals has not been publicly disclosed.

The post Verber Dental Group Notifies Patients About January Hacking Incident appeared first on The HIPAA Journal.