Hillcrest Convalescent Center Settles Class Action Data Breach Litigation – The HIPAA Journal
Hillcrest Convalescent Center, a short-term inpatient rehabilitation and skilled nursing facility in Durham, North Carolina, has agreed to settle class action litigation over a June 2024 cyberattack.
Hackers breached its network, resulting in unauthorized access to and the potential theft of patients’ personal and protected health information. The hackers had access to information such as names, addresses, dates of birth, financial account numbers, driver’s license numbers, Social Security numbers, medical treatment information, and health insurance information. The incident affected more than 106,000 individuals, who were notified by mail in March 2025.
The data breach sparked several class action lawsuits, which were consolidated because they had overlapping claims. The consolidated lawsuit – In re Hillcrest Convalescent Center, Inc. Data Breach Litigation – is pending in the Superior Court of Durham County, North Carolina. Hillcrest Convalescent Center denies the allegations of wrongdoing and liability and, in September 2025, filed a motion to dismiss the consolidated complaint. The plaintiffs filed their response in October 2025, and later that month, the defendant filed its reply in further support of the motion to dismiss. Shortly thereafter, the parties began exploring the possibility of a settlement.
During mediation in January 2026, the parties agreed on the material terms of a settlement, which has now been finalized and has received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for reimbursement of documented out-of-pocket losses due to the data incident up to a maximum of $2,500 per class member. Class members who choose not to submit such a claim may instead claim an alternative cash payment, estimated to be $50 per claimant.
Regardless of the option chosen, class members are eligible to enroll in two years of credit monitoring services, which include a $1 million identity theft insurance policy. Claims must be submitted by August 26, 2026, and the final approval hearing has been scheduled for August 24, 2026. Individuals who do not submit a claim will lose the right to sue the defendant over the data breach and will receive nothing from the settlement. Individuals who want to retain the right to sue can exclude themselves and must do so by July 27, 2026. Objections to the settlement must be filed by July 27, 2026.
The post Hillcrest Convalescent Center Settles Class Action Data Breach Litigation appeared first on The HIPAA Journal.
British Scattered Spider Hacker Pleads Guilty to Cyberattacks on TfL; SSM Health Care; Sutter Health
Two British hackers have pleaded guilty to a cyberattack on Transport for London (TfL), one of whom also admitted to hacking two U.S. healthcare companies in September 2024: SSM Health Care Corporation and Sutter Health.
Owen Flowers, 18, from Walsall, West Midlands, and Thalha Jubair, 20, from East London, were both teenagers when they conducted the attacks and were members of the cybercriminal group Scattered Spider. In contrast to many cybercriminal groups, Scattered Spider is an English-speaking collective whose members are primarily based in the United States, the United Kingdom, and Canada.
Scattered Spider is believed to have been formed in May 2022 and primarily targeted telecommunications companies before expanding attacks on varied targets. The group has been linked with attacks on more than 120 companies, including Snowflake, Twilio, Mailchimp, DoorDash, American Airlines, WestJet, Hawaiian Airlines, and Aflac. The group was behind the ransomware attacks on Caesars Entertainment and MGM Resorts in September 2023, the TfL attack in late August 2024, and a string of ransomware attacks on UK retailers Marks & Spencer, Harrods, and Co-op Group in April 2025.
The two hackers were arrested at their home addresses on September 16, 2025, in connection with the retail attacks, along with two other individuals. An investigation conducted by the National Crime Agency (NCA) and City of London Police linked the pair to the TfL attack. That attack caused disruption to TfL’s online services, prevented live London Underground train information from appearing in the TfL app and on the TfL website, and forced all 28,000 TfL employees to attend a TfL office for a password reset. The attack cost TfL £29 million ($38 million) in loss and recovery costs.
Investigators searched the residences of the two individuals and recovered laptops, desktop computers, hard drives, and USB sticks, which contained evidence of the pair’s involvement in the TfL attack. Investigators also found evidence on devices owned by Flowers of his involvement in attacks on SSM Health Care and Sutter Health, which resulted in infiltration and damage to computers, according to the UK’s National Crime Agency.
Jubair ran a Telegram channel called Star Chat that was used by a SIM-swapping group that engaged in voice and SMS-based phishing attacks to steal credentials from employees at UK and US wireless providers. The access was then used to redirect individuals’ phone numbers to devices controlled by the attackers, allowing them to intercept calls and text messages.
Jubair has been charged in the United States for his role in Scattered Spider cyberattacks on at least 120 computer networks, involving 47 U.S. entities. New Jersey prosecutors have charged Jubair with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If convicted on all U.S. charges, Jubair faces up to 95 years in jail.
The hackers were scheduled for a 6-week trial in Woolwich Crown Court in London, starting on June 22, 2026. On day 1 of the trial, Flowers and Jubair pleaded guilty to the attack on TfL. Flowers also admitted to conspiring to commit unauthorized acts against the computer systems of SSM Health Care Corporation and Sutter Health in September 2024.
The hackers are both scheduled for a 2-day sentencing hearing starting on July 15, 2026. Jubair also faces a trial in the United States. Depending on negotiations between UK and US authorities, Jubair could be temporarily transferred after sentencing to stand trial for the charges in the United States before returning to complete his sentence, or he may face a trial in the U.S. after serving the entirety of his UK sentence.
“This has been a lengthy, highly complex, and painstaking investigation. The perseverance and meticulousness of our officers, and the work of our partner organisations, meant that Jubair and Flowers had no option other than to plead guilty and take responsibility for their offending,” said Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit. “The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider. This is why we work closely with partners at home and abroad to identify offenders within these networks and bring them to justice.”
Data Breaches Announced by Florida Retina Center; Acadia Healthcare Company
Florida Retina Center has identified unauthorized access to systems containing the protected health information of more than 13,600 patients. Acadia Healthcare Company has experienced a breach affecting 1,800 patients.
Florida Retina Center
Bonita Springs-based Florida Retina Center has announced a cybersecurity incident that was first identified on January 30, 2026. Immediate action was taken to secure its network, and an investigation was launched to determine the nature and scope of the unauthorized activity. On May 19, 2026, Florida Retina Center confirmed unauthorized access to parts of its network containing patient data.
The file review confirmed that the data of 13,652 patients was exposed and potentially acquired in the incident. The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Notification letters have been mailed to the affected individuals, and 12 months of complimentary credit monitoring and identity theft protection services have been made available. At the time of issuing notification letters, no misuse of the affected data had been identified.
Acadia Healthcare Company
Franklin, Tennessee-based Acadia Healthcare Company, Inc., a provider of psychiatric and chemical dependency services, has announced a data breach affecting 1,807 individuals. Unusual activity was identified within an employee’s email account on March 25, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to a single employee’s email account and associated SharePoint files between March 21, 2026, and March 25, 2026. There was no unauthorized access to any other email accounts, other systems, or the electronic medical record system.
The types of data involved varied from individual to individual, and for the majority of affected individuals, involved one or more of the following data elements in addition to their names: address, date of birth, treatment information, dates of treatment, type of treatment, and health insurance information. Certain individuals also had their Medicare Health Insurance Claim Number (HICN) exposed, which may include their Social Security number. Notification letters were mailed to the affected individuals on May 22, 2026, and additional safeguards have been implemented to prevent similar incidents in the future.
April 2026 Healthcare Data Breach Report – The HIPAA Journal
In April 2026, 47 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). That represents a 33.8% reduction in large healthcare data breaches from the 71 large data breaches reported in March 2026, and well below the 12-month average of 62.4 data breaches per month.

The year-to-date figures also show a reduction in large healthcare data breaches. From January 1 to April 30, 252 large healthcare data breaches have been reported by HIPAA-regulated entities, compared to 276 (-8.7%) for the corresponding period in 2025 and 299 (-15.7%) for the corresponding period in 2024.

Across the 47 data breaches, the protected health information of 1,336,264 individuals was exposed or impermissibly disclosed – the second lowest monthly total in the past 12 months, and currently an 84.9% reduction from March 2026. The number of affected individuals is likely to increase, as some regulated entities have reported breaches with placeholder estimates of 500 or 501 affected individuals.

The year-to-date figures for affected individuals are encouraging. From January 1 to April 30, the protected health information of 20.1 million individuals has been breached, and while that is a sizeable figure, it is a reduction of 25.5% from the corresponding period in 2025 and a reduction of 48.8% from the corresponding period in 2024.

The Biggest Healthcare Data Breaches Reported in April 2026
In April, 15 data breaches affecting 10,000 or more individuals were reported to the HHS’ Office for Civil Rights, all but one of which were hacking incidents. The biggest data breach of the month was reported by the medical group Florida Physician Specialists, involving unauthorized access to the protected health information of 276,498 individuals. Two of the 15 data breaches were confirmed ransomware attacks, and one incident involved unauthorized access by “a business counterparty” after access was thought to have been terminated.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Cause of Breach |
| Florida Physician Specialists | FL | Healthcare Provider | 276,498 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Southern Illinois Dermatology | IL | Healthcare Provider | 160,312 | Hacking/IT Incident | Network Server | Hacking incident |
| Laurel Eye Clinic | PA | Healthcare Provider | 145,221 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Innovative Scientific Solutions, LLC | SC | Healthcare Provider | 143,842 | Hacking/IT Incident | Network Server | Hacking incident |
| Hospital Caribbean Medical Center | PR | Healthcare Provider | 92,000 | Hacking/IT Incident | Network Server | Ransomware attack (The Gentlemen) – Data theft confirmed |
| Tri-Cities Gastroenterology | TN | Healthcare Provider | 67,115 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| City Health, a medical corporation | CA | Healthcare Provider | 65,000 | Unauthorized Access/Disclosure | Electronic Medical Record | Access to its electronic medical record system by a former business counterparty after termination |
| Hematology Oncology Consultants | MI | Healthcare Provider | 62,972 | Hacking/IT Incident | Network Server | Hacking incident – Data theft likely |
| GrayRobinson, P.A. | FL | Business Associate | 54,131 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Rocky Mountain Associated Physicians, P.C. | UT | Healthcare Provider | 50,640 | Hacking/IT Incident | Network Server | Hacking incident |
| Heart South Cardiovascular Group | AL | Healthcare Provider | 46,666 | Hacking/IT Incident | Network Server | Hacking incident |
| Mt. Spokane Pediatrics | WA | Healthcare Provider | 32,021 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| University of Nebraska Medical Center | NE | Healthcare Provider | 26,937 | Hacking/IT Incident | Network Server | Hacking of a third-party software application |
| Liberty Bankers Life Ins. Co. | TX | Health Plan | 20,202 | Hacking/IT Incident | Network Server | Hacking incident at a business associate |
| Bayside Dental | WA | Healthcare Provider | 10,216 | Hacking/IT Incident | Network Server | Ransomware attack (Sinobi) – Data theft claimed |
Three data breaches were reported in April before data reviews had been completed. Placeholder figures of 500 or 501 affected individuals were used and will be updated when the file reviews are concluded.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| Spokane Digestive Disease Center, P.S. | WA | Healthcare Provider | 501 | Unauthorized access to its email environment |
| FMRS Health Systems, Inc. | WV | Healthcare Provider | 500 | Hacking incident – data theft confirmed |
| CARE Clinic | MN | Healthcare Provider | 500 | Unauthorized access to its email environment |
Causes of April 2026 Healthcare Data Breaches
Hacking and other types of IT incidents dominated the breach reports in April, accounting for 36 (76.6%) of the 47 reported large data breaches. Across those incidents, the protected health information of 1,240,571 individuals was exposed or impermissibly disclosed. Hacking/IT incidents accounted for 92.8% of the affected individuals in April. The average breach size was 32,883 individuals, and the median breach size was 4,547 individuals.

There were 9 unauthorized access/disclosure incidents in April, which accounted for 19.1% of the month’s data breaches. Across those incidents, the protected health information of 86,717 individuals was accessed without authorization or was impermissibly disclosed – 6.5% of the month’s affected individuals. The average breach size was 9,635 individuals, and the median breach size was 1,467 individuals. There were no loss, theft, or improper disposal incidents in April.

States Affected by April 2026 Healthcare Data Breaches
Data breaches were reported by HIPAA-regulated entities in 25 states, the District of Columbia, and Puerto Rico in April. California was the worst-affected state in terms of data breaches, while Florida was the worst-affected state in terms of the number of individuals affected.
April 2026 Healthcare Data Breaches
| State | Breaches |
| California | 6 |
| Texas & Washington | 4 |
| Florida & Virginia | 3 |
| Illinois, Minnesota, Oklahoma, Pennsylvania & West Virginia | 2 |
| Alabama, Delaware, Iowa, Indiana, Kentucky, Maryland, Michigan, Missouri, Nebraska, New Jersey, New York, South Carolina, Tennessee, Utah, Vermont, the District of Columbia & Puerto Rico | 1 |
Individuals Affected by April 2026 Healthcare Data Breaches
| State | Individuals Affected | State | Individuals Affected |
| Florida | 331,316 | Oklahoma | 8,233 |
| Illinois | 162,203 | Maryland | 7,213 |
| Pennsylvania | 145,976 | Iowa | 6,717 |
| South Carolina | 143,842 | Indiana | 5,900 |
| Puerto Rico | 92,000 | Vermont | 5,892 |
| California | 78,846 | Minnesota | 5,885 |
| Tennessee | 67,115 | Kentucky | 3,677 |
| Michigan | 62,972 | Virginia | 2,552 |
| Utah | 50,640 | New York | 2,123 |
| Alabama | 46,666 | Missouri | 2,027 |
| Washington | 46,202 | West Virginia | 1,500 |
| Nebraska | 26,937 | District of Columbia | 1,467 |
| Texas | 26,648 | | |
April 2026 Data Breaches at HIPAA Regulated Entities
In April 2026, 36 data breaches were reported by healthcare providers, 8 breaches were reported by health plans, and 3 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.
The pie charts below are based on where each data breach occurred rather than on the reporting entity; on that basis, 11 of the 47 breaches (rather than 3) occurred at business associates in April.


HIPAA Enforcement Activity in April 2026
The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, announced 4 settlements with HIPAA-regulated entities in April to resolve alleged violations of the HIPAA Rules. When alleged HIPAA violations are settled, the settlement agreement includes a corrective action plan to address the areas of noncompliance identified by OCR. When a civil monetary penalty is imposed, OCR cannot compel the regulated entity to adopt a corrective action plan.
All four of the settlements related to ransomware attacks, and in all cases, OCR identified a risk analysis failure. The HIPAA Security Rule requires regulated entities to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to electronic protected health information. It is the most commonly identified HIPAA Security Rule violation. You can read more about each enforcement action in this post. No state attorneys general announced any HIPAA penalties in April.
| HIPAA-Regulated Entity | Entity Type | Reason for Investigation | Alleged HIPAA Violation(s) | Settlement Amount |
| Regional Women’s Health Group (Axia Women’s Health) | Healthcare Provider | Reported ransomware attack involving the protected health information of 37,989 individuals | Risk analysis failure; impermissible disclosure of ePHI | $320,000 |
| Assured Imaging Affiliated Covered Entities | Healthcare Provider | Reported ransomware attack involving the protected health information of 244,813 individuals | Risk analysis failure (never conducted); breach notification failure | $375,000 |
| Consociate, Inc. (Consociate Health) | Business Associate | Reported ransomware attack involving the protected health information of 136,539 individuals | Risk analysis failure | $225,000 |
| Star Group, L.P. Health Benefits Plan | Health Plan | Reported ransomware attack involving the protected health information of 9,316 individuals | Risk analysis failure | $245,000 |
Free Webinar: AI + HIPAA: Innovating in Healthcare Without Leaving Compliance Behind
Artificial intelligence has tremendous potential in healthcare, and healthcare organizations have embraced AI tools in all areas of their operations; however, there are compliance risks associated with AI when tools engage with health information protected under the Health Insurance Portability and Accountability Act (HIPAA). Incorporating AI tools while complying with all HIPAA Privacy and Security Rule implementation specifications can be challenging, especially when there is limited guidance on how HIPAA applies to AI.
Fortunately, help is at hand. On July 8, 2026, the HIPAA-compliant communication platform provider Paubox is hosting a webinar where healthcare organizations can learn from a diverse panel of experts about AI-related HIPAA compliance challenges and receive invaluable advice on how to keep innovating without leaving HIPAA compliance behind.
During the webinar, attendees will learn how real-world healthcare teams are developing and implementing AI tools and the challenges they have faced; the specific questions you need to ask any AI vendor before you sign, and how to handle business associate agreements (BAAs); what responsible use of AI with PHI looks like; what the future holds; and what you need to do right now. At the end of the webinar, time will be allocated for a Q&A with the panel to get answers to your questions.
Speakers:
- Heather Phillips – Advisory Committee Member, FoXX Health
- Tim Gutwald – Partner, Elevare Law
- Brittany Sigler – DrPH, Founder & Product Leader, Bright Signal Consulting
- Mike Maseda – Head of Sales & Ops, GenHealth.ai
Webinar Details
AI + HIPAA: Innovating in Healthcare Without Leaving Compliance Behind
July 8, 2026
1:00 p.m. ET | 12:00 p.m. CT | 11:00 a.m. MT | 10:00 a.m. PT
Can’t attend on the day? Register to receive a link to the recording!
This webinar is eligible for 1 self-reported CPE