PHI Compromised in Cyber Incidents at Medenet; United Medical Doctors; Stewart Home & School
Cybersecurity incidents involving unauthorized access to protected health information have been announced by the revenue cycle management company Medenet, the California medical group United Medical Doctors, and the Kentucky residential school, Stewart Home & School.
Medenet Inc.
Medenet Inc., a Florida-based medical billing, EMR software, and revenue cycle management service provider to physician practices, has started issuing notifications about a cyberattack identified on December 26, 2025. Assisted by third-party cybersecurity experts, Medenet determined that personal and protected health information was likely compromised in the incident, including medical records and Social Security numbers.
Medenet said it is unaware of any misuse of the impacted data; however, as a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services. The data breach has yet to be added to the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
United Medical Doctors
United Medical Doctors, a Murrieta, California-based multi-specialty medical and surgical group, has discovered unauthorized access to its computer systems. Suspicious activity was identified within its computer systems on March 26, 2026, and the forensic investigation determined that a threat actor had access to its systems for around three and a half months, between December 12, 2025, and March 31, 2026. During that time, files containing patient information may have been viewed or acquired.
The May 20, 2026, substitute breach notice states that the types of information compromised in the incident have yet to be determined, and the number of affected individuals has yet to be publicly disclosed.
Stewart Home & School
Stewart Home & School (formerly Stewart Home School), a residential school in Franklin County, Kentucky, has recently announced that it was the victim of a criminal cyberattack on its computer network. The attack occurred in the early hours of August 4, 2025, with the threat actor gaining access to its network using stolen credentials.
Those credentials allowed the threat actor to access two of its internal electronic drives. Data on those drives was accessed and exfiltrated, then ransomware was used to encrypt the data. Stewart Home & School said the nature of the attack and the design of its electronic network meant it has taken a significant amount of time to determine the types of data involved and the individuals affected.
The data analysis has recently concluded and confirmed that 3,677 individuals potentially had data stolen in the incident, including personal information and protected health information. That information included names; demographic information such as phone numbers, email addresses, addresses, and Social Security numbers; financial information; protected health information such as health insurance information, diagnoses, medical conditions, test results, and medications; and education-related information, including evaluation and testing information.
The affected individuals were notified about the incident in April 2026 and have been offered 24 months of complimentary credit monitoring and identity theft protection services. The Sinobi ransomware group claimed responsibility for the attack.
The post PHI Compromised in Cyber Incidents at Medenet; United Medical Doctors; Stewart Home & School appeared first on The HIPAA Journal.
Florida Law Firm Data Breach Affects 65,000 Individuals – The HIPAA Journal
A cyberattack at the law firm GrayRobinson has affected 65,000 individuals. Data breaches have also been announced by C2N Diagnostics in Missouri and Virta Health in Colorado.
GrayRobinson
The Orlando, Florida-based law firm GrayRobinson, P.A., has notified the Maine Attorney General about a data breach affecting 65,113 individuals, including 52 Maine residents. Among those individuals, 54,131 people had their protected health information exposed in the incident. In its substitute data breach notice, GrayRobinson explained that unauthorized access to its network was detected on or around March 24, 2025. Immediate steps were taken to secure its network, and assisted by third-party cybersecurity specialists, the incident was investigated to determine the extent to which sensitive information had been compromised.
The investigation confirmed that its network was accessed by an unauthorized third party between March 5, 2025, and March 24, 2025, and during that time, files containing personal and protected health information were exfiltrated from its network. The data was reviewed, and on April 13, 2026, the file review concluded and determined that full names, dates of birth, Social Security numbers, driver’s license numbers, state and government ID numbers, financial account information, medical information, and health insurance information were involved.
GrayRobinson said it had taken many precautions to protect against unauthorized access to its systems and data, and continually evaluates and modifies its practices and internal controls to enhance security and ensure the privacy of sensitive information. Complimentary credit monitoring and identity theft protection services have been made available. Notification letters started to be sent to the affected individuals on April 24, 2026.
C2N Diagnostics, Missouri
C2N Diagnostics, a St. Louis, MO-based specialty diagnostics company providing lab services and products related to brain health, has disclosed a cybersecurity incident that was identified on March 6, 2026. C2N Diagnostics said it was targeted by a cybercriminal actor who gained access to a small number of stored employee communications, some of which contained personal information.
The data was reviewed and found to include names, dates of birth, contact information, health information, blood test analysis results, health insurance information, and Social Security numbers. The affected individuals have been notified by mail and offered complimentary credit monitoring and identity theft protection services for at least 12 months as a precaution against data misuse. At the time of issuing notification letters, C2N Diagnostics was unaware of any misuse of the exposed data. C2N Diagnostics reported the breach to the HHS’ Office for Civil Rights on April 27, 2026, as affecting 2,027 individuals.
Virta Health
Virta Health Corp & Virta Medical PC, a Denver, CO-based provider of digital health services to help individuals manage type 2 diabetes, prediabetes, and obesity, has identified unauthorized access to one of its data repositories. The unauthorized access was identified on March 24, 2026, and the investigation confirmed that it had been compromised between March 19, 2026, and March 22, 2026.
The data repository was separate from its current production platform and contained personal information, the details of which were not disclosed in its data breach notice. Virta Health said its investigation confirmed that data had been exposed, and “could not rule out the possibility that an unknown actor may have accessed [personal information].” The Lapsus$ threat group claimed responsibility for the attack and added Virta Health to its data leak site on March 23, 2026, one day prior to the breach being detected. It is unclear if the ransom was paid or how many individuals were affected by the incident.
Duke University Health System; Derick Dermatology Settle Class Action Pixel Lawsuits – The HIPAA Journal
Two more healthcare providers have settled lawsuits over their use of website tracking technologies: Duke University Health System and Derick Dermatology.
Duke University Health System Pixel Settlement
A lawsuit filed against North Carolina’s Duke University Health System over the use of tracking tools on its website has been settled. Like many healthcare providers, Duke University Health System had added tracking tools such as pixels to its website. These tools collect information about website users, which can be used to improve web services. These tools can also transmit the collected information to third parties, and when placed on healthcare websites, that information may include health information, depending on a user’s interactions on the website.
A lawsuit was filed against Meta Platforms, Duke University Health System, WakeMed, and a defendant class of Facebook partner medical providers by plaintiffs Kim Naugle and Afrika Williams over the use of these tools. The claims against Meta Platforms were transferred to a separate class action lawsuit in California – In re Meta Pixel Healthcare Litigation – and the claims against WakeMed were consolidated into an existing state court case against the company. After voluntarily dismissing the lawsuit, plaintiff Afrika Williams filed a new lawsuit against Duke University Health System – Afrika Williams v. Duke University Health System, Inc. – in the U.S. District Court for the Middle District of North Carolina.
The lawsuit alleged that tracking tools had been added to its website by Duke University Health System without users’ knowledge or consent and resulted in personally identifiable information being transmitted to third parties, such as Meta. The lawsuit survived a motion to dismiss, and the claims against a defendant class of medical providers were dropped, along with several claims against Duke University Health System. The lawsuit proceeded against Duke University Health System for breach of contract and negligence.
Duke University Health System denies any wrongdoing, fault, and liability; however, following mediation, Duke University Health System agreed to a settlement. Duke University Health System will establish a $3,743,600 settlement fund to cover attorneys’ fees ($1,235,388) and expenses (up to $30,000), notification and settlement costs, and a $7,500 service award for the class representative. The remainder of the settlement fund will be used to pay pro rata cash payments to class members who submit a claim.
The deadline for objection and exclusion is July 20, 2026. The deadline for submitting a claim is August 16, 2026, and the final fairness hearing has been scheduled for August 27, 2026.
Derick Dermatology Pixel Settlement
Derick Dermatology, a dermatology practice with locations in Chicago, IL, and Tampa Bay, FL, has agreed to settle class action litigation over its use of pixels, cookies, code, and/or tracking or analytics, which are alleged to have disclosed website users’ personal information to third parties without their knowledge or consent.
The lawsuit – Jeffries v. Derick Dermatology PLLC – was filed in the Seventeenth Judicial Circuit in and for Broward County, Florida, and alleged that the use of these tools violated the Federal Wiretap Act, and that the actions of the defendant constituted a breach of fiduciary duty/confidentiality, invasion of privacy, breach of implied contract, unjust enrichment, and negligence. The defendant denied and continues to deny any wrongdoing, and that they committed, or threatened or attempted to commit, any wrongful act or violation of law or duty alleged in the action.
After considering the likely costs, distraction, disruption to business operations, and risks associated with any litigation, the defendant agreed to settle the lawsuit. Derick Dermatology has agreed to pay up to $1,000,000 to settle the lawsuit. From that amount, attorneys’ fees and expenses, settlement administration and notification costs, and a service award for the class representative will be deducted.
Class members are entitled to claim a one-year subscription to a privacy shield product, and may submit a claim for a one-time cash payment, which is expected to be up to $12.50 per class member. The deadline for objection and exclusion is June 22, 2026. The deadline for submitting a claim is July 21, 2026, and the final fairness hearing has been scheduled for August 17, 2026.
Data Breaches Announced by Two Digestive Health Companies – The HIPAA Journal
Cyberattacks and data breaches have recently been announced by the national gastroenterology medical group Gastro Health and Spokane Digestive Disease Center in Washington.
Gastro Health
Gastro Health, a gastroenterology medical group with more than 200 locations in Florida, Alabama, Washington, Virginia, Ohio, Massachusetts, and Maryland, has announced an email security incident that exposed the protected health information of some of its patients.
The incident was detected on February 25, 2026, when the company learned that some of its employees had responded to phishing emails, resulting in unauthorized access to their email accounts. A separate phishing incident was identified on March 2, 2026, resulting in a further email account being subject to unauthorized access.
The review of the affected email accounts confirmed that they contained information such as names, dates of birth, Social Security numbers, and state or government-issued ID numbers. Protected health information in the accounts included diagnosis and treatment information, prescription information, provider/clinic information, medical record numbers, patient account numbers, Medicare/Medicaid numbers, and health insurance or group account numbers. The types of information involved varied from individual to individual.
Notification letters are being mailed to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 24 months. The number of affected individuals has yet to be publicly disclosed, although the Washington Attorney General has been informed that more than 1,800 state residents have been affected.
Spokane Digestive Disease Center
Spokane Digestive Disease Center in Washington has notified certain patients about unauthorized access to an employee’s email account. Suspicious activity was identified within the account on February 19, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to the account on various dates between January 22, 2026, and February 18, 2026.
The account was reviewed, and on May 8, 2026, it was confirmed that information in the account included names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, credit card information, financial account information, electronic signatures, and medical information.
The affected individuals have been offered 12 months of complimentary credit monitoring services, and steps have been taken to improve email security. The HHS’ Office for Civil Rights currently lists the data breach with a placeholder estimate of at least 501 individuals. The Washington attorney general was informed that the information of 2,093 state residents was involved.