Minidoka Memorial Hospital Recovering from Easter Cyberattack

Posted by Steve Alder

Minidoka Memorial Hospital was the victim of a cyberattack on Easter morning, and two further healthcare providers have confirmed they have been affected by the data breach at business associate Doctor Alliance: A Path of Care Home Health and Hospice and Team Select Holdings.

Minidoka Memorial Hospital, Idaho

Minidoka Memorial Hospital in Rupert, Idaho, has confirmed media reports of a cybersecurity incident. On April 17, 2026, Minidoka Memorial Hospital issued a statement on its Facebook page confirming that it experienced a cyber incident on Easter morning that temporarily impacted some of its computer systems.

While the incident did not prevent the hospital from providing care to patients, certain emergency patients were transferred to Intermountain Health Cassia Regional Hospital due to the inability to access certain medical imaging systems. Full access to those systems was restored on April 19, 2026. Minidoka Memorial Hospital said it was not necessary to postpone scheduled appointments, and patients with new health concerns continued to be treated, with the hospital operating under established downtime procedures until such time as systems are restored.

The investigation into the incident is ongoing, and the extent of unauthorized access to patient data has yet to be determined. According to Databreaches.net, a new threat group called Blackwater has claimed responsibility for the attack and has threatened to release the stolen data on April 24, 2026, if the ransom is not paid. Minidoka Memorial Hospital is one of three victims currently listed on the darkweb data leak site.

A Path of Care Home Health and Hospice, Oklahoma

A Path of Care Home Health and Hospice in Oklahoma has notified 3,849 individuals about a data breach at its business associate, Doctor Alliance. Doctor Alliance notified A Path of Care Home Health and Hospice on January 12, 2026, that it had been affected by the incident. A Path of Care Home Health and Hospice confirmed that the breach was limited to Doctor Alliance systems and that its own IT systems were unaffected.

The incident involved unauthorized access to documents containing patient information via a Doctor Alliance web portal between October 31, 2025, and November 17, 2025. The data compromised in the incident was limited to names, addresses, dates of birth, medical record numbers, dates of care, and diagnosis and treatment information. Doctor Alliance confirmed to A Path of Care Home Health and Hospice that several steps have been taken to improve security, including enhancing access controls, expanding monitoring capabilities, and strengthening detection, logging, and alerting measures. A Path of Care Home Health and Hospice has also taken steps to reduce the risk of similar incidents in the future, including conducting additional checks to ensure that medical record requests are coming from a verified source.

A Path of Care Home Health and Hospice is aware of claims that some of the information accessed by the unauthorized third party was further disclosed to other unauthorized individuals, although Doctor Alliance denied any knowledge of any further disclosures.

Team Select, Arizona

Team Select Holdings in Arizona and its affiliated entities were also affected by the data security incident at Doctor Alliance, although the breach was more limited, affecting 949 individuals. Team Select used the Doctor Alliance document management platform to facilitate physicians’ signatures on physician orders and notes. On January 11, 2026, Team Select was informed that it had been affected and that there had been unauthorized access to the platform between November 4, 2025, and November 6, 2025, and between November 14, 2025, and November 17, 2025.

Data compromised in the incident included names, Social Security numbers, dates of birth, addresses, phone numbers, gender information, medical record numbers, dates of care, Medicare or Medicaid IDs, diagnoses, medications, treatment information, physician information, and/or home health provider information. Team Select said it is reviewing its existing policies and procedures with its third-party vendors and working to evaluate additional measures that can be implemented to reduce the risk of similar incidents in the future.

The post Minidoka Memorial Hospital Recovering from Easter Cyberattack appeared first on The HIPAA Journal.

Ransomware Attack on Hospital Caribbean Medical Center Affects 92,000 Individuals

Posted by Steve Alder

A ransomware attack on Hospital Caribbean Medical Center in Puerto Rico has affected up to 92,000 individuals. Data breaches have also been announced by Murray County Medical Center in Minnesota and Aligned Orthopedic Partners in Maryland.

Hospital Caribbean Medical Center, Puerto Rico

A major data breach has been announced by Hospital Caribbean Medical Center in Fajardo, Puerto Rico. While it is unclear when the attack occurred, the hospital issued a press release on February 8, 2026, about a cyberattack that targeted its information systems. The intrusion was detected by its monitoring systems, and steps were immediately taken to contain the incident and prevent further unauthorized access to its IT systems.

The types of information exposed in the incident were not detailed in the press release, nor was the number of affected individuals; however, the incident is now shown on the HHS’ Office for Civil Rights breach portal as affecting up to 92,000 individuals. Hospital Caribbean Medical Center said it has reinforced its monitoring systems, implemented additional updates to its technological infrastructure, and strengthened its internal security protocols.

While not described as a ransomware attack, a ransomware group claimed responsibility for the incident. A group known as The Gentlemen added Hospital Caribbean Medical Center to its dark web data leak site on February 17, 2026, claiming to have exfiltrated sensitive data, including patient information, and threatened to release the stolen data if the ransom was not paid.

Murray County Medical Center, Minnesota

The County of Murray has announced a data security incident that affected current and former patients of Murray County Medical Center in Slayton, Minnesota. The data breach was first announced in early March 2026, although the incident was first detected on August 21, 2025, when suspicious activity was observed in its IT systems.

A leading IT security firm was engaged to assist with the investigation, secure its network, and determine whether any sensitive data had been exposed or stolen in the incident. Unauthorized access to computer systems was confirmed; however, it took until January 27, 2026, to determine that patient and employee data had been compromised in the incident. Information exposed or stolen included patient names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health insurance information, medical treatment information, and medical history information.

The data breach has recently been added to the HHS’ Office for Civil Rights breach portal as affecting 5,073 individuals. Murray County Medical Center has implemented additional safeguards to prevent similar incidents in the future and is offering the affected individuals complimentary credit monitoring and identity theft protection services.

Aligned Orthopedic Partners, Maryland

ASC Ortho Management Company, LLC, which does business as Aligned Orthopedic Partners, has announced a data security incident involving its email platform. Suspicious activity was identified on December 8, 2025, and the investigation confirmed that an unknown actor accessed the platform between November 16, 2026, and December 16, 2026, during which time, personal and protected health information may have been viewed or acquired.

The email system was reviewed, and on February 17, 2026, Aligned Orthopedic Partners confirmed that the exposed data included names, dates of birth, Social Security numbers, driver’s license or state identification numbers, Medicaid or Medicare numbers, financial account numbers, medical dates of service, medical provider names, mental or physical condition, medical treatment information, diagnosis or clinical information, prescription information, health insurance information, patient account numbers, and medical record numbers.

Notification letters were mailed to the affected individuals on April 17, 2026, and complimentary identity protection services have been offered. Steps have been taken to augment security to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Ransomware Attack on Hospital Caribbean Medical Center Affects 92,000 Individuals appeared first on The HIPAA Journal.

Tangoe Data Breach Settlement Receives Preliminary Approval

Posted by Steve Alder

Tangoe, a provider of software solutions for managing telecom, mobile, and cloud expenses, has agreed to a settlement to resolve a class action lawsuit stemming from a November 2022 security incident. Tangoe experienced a cyberattack, exposing sensitive data such as names, dates of birth, Social Security numbers, medical information, health insurance information, medication information, billing and claims information, and financial account information. Hackers had access to its systems between November 15, 2022, and November 17, 2022.

The breach affected some of its healthcare clients and involved unauthorized access to the protected health information of 4,765 individuals, according to the breach notice filed with the HHS’ Office for Civil Rights. While the breach occurred in November 2022, it took until November 1, 2023, for the affected individuals to be notified. A lawsuit – Kevin McLinden v. Tangoe US, Inc.– was filed in the Superior Court for Marion County, Indiana, over the data breach, alleging Tangoe failed to implement reasonable and appropriate cybersecurity measures, leading to an entirely preventable data breach. Tangoe denies all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability.

After prolonged and extensive arm’s length negotiations, all parties agreed to a settlement to avoid the expense and length of protracted litigation and the uncertainty of a trial and any related appeals. Under the terms of the settlement, class members are entitled to claim two years of credit monitoring services, which include a $1 million identity theft insurance policy. In addition to the credit monitoring services, class members may claim one or more cash payments.

A claim may be submitted for compensation for documented, unreimbursed ordinary losses due to the data breach incurred between November 2022 and June 3, 2026. Claims for reimbursement of ordinary losses have been capped at $750 per class member. A claim may also be submitted for compensation for lost time up to a maximum of four hours at $25 per hour ($100). The lost time claims are included in the $750 ordinary losses cap.

A claim may also be submitted for reimbursement of extraordinary losses, such as documented, unreimbursed losses due to identity theft and fraud. Claims for extraordinary losses have been capped at $5,000 per class member. If a claim for reimbursement of losses/lost time is not submitted, class members are eligible to claim an alternative pro rata cash payment. The cash payments will be paid from the remainder of the settlement fund, and are expected to be around $50, but may be higher or lower depending on the number of claims received. No proof is required to submit a claim for an alternative cash payment.

The deadline for exclusion and objection to the settlement is May 4, 2026. Claims must be submitted by June 3, 2026, and the final fairness hearing has been scheduled for June 11, 2026. Individuals who do nothing will receive no benefits and will lose the right to sue the defendant over the data breach or participate in other lawsuits related to the data breach.

The post Tangoe Data Breach Settlement Receives Preliminary Approval appeared first on The HIPAA Journal.