Cyberattacks and data breaches have recently been announced by the national gastroenterology medical group Gastro Health and Spokane Digestive Disease Center in Washington.

Gastro Health

Gastro Health, a gastroenterology medical group with more than 200 locations in Florida, Alabama, Washington, Virginia, Ohio, Massachusetts, and Maryland, has announced an email security incident that exposed the protected health information of some of its patients.

The incident was detected on February 25, 2026, when the company learned that some of its employees had responded to phishing emails, resulting in unauthorized access to their email accounts. A separate phishing incident was identified on March 2, 2026, resulting in a further email account being subject to unauthorized access.

The review of the affected email accounts confirmed that they contained information such as names, dates of birth, Social Security numbers, and state or government-issued ID numbers. Protected health information in the accounts included diagnosis and treatment information, prescription information, provider/clinic information, medical record numbers, patient account numbers, Medicare/Medicaid numbers, and health insurance or group account numbers. The types of information involved varied from individual to individual.

Notification letters are being mailed to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 24 months. The number of affected individuals has yet to be publicly disclosed, although the Washington Attorney General has been informed that more than 1,800 state residents have been affected.

Spokane Digestive Disease Center

Spokane Digestive Disease Center in Washington has notified certain patients about unauthorized access to an employee’s email account. Suspicious activity was identified within the account on February 19, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to the account on various dates between January 22, 2026, and February 18, 2026.

The account was reviewed, and on May 8, 2026, it was confirmed that information in the account included names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, credit card information, financial account information, electronic signatures, and medical information.

The affected individuals have been offered 12 months of complimentary credit monitoring services, and steps have been taken to improve email security. The HHS’ Office for Civil Rights currently lists the data breach with a placeholder estimate of at least 501 individuals. The Washington attorney general was informed that the information of 2,093 state residents was involved.

The post Data Breaches Announced by Two Digestive Health Companies appeared first on The HIPAA Journal.

Data breaches have been announced by several dental practices: Bayside Dental (TX/WA), Aldrich Pediatric Dentistry (IN), Stafford Oral Surgery (VA), Garrisonville Dental (VA), and Drs. Abdelbaky, Boes, Cameron & Associates of Wake Forest and Cary Park (NC).

Bayside Dental

Bayside Dental, a dental practice with locations in Rowlett, Texas, and Anacortes, Washington, has experienced a cybersecurity incident. Unauthorized network access was identified on or around January 5, 2026, and the forensic investigation confirmed on March 13, 2026, that there had been unauthorized access to files containing patient data on January 5, 2026.

Data potentially viewed or obtained in the incident included full names, dates of birth, Social Security numbers, medical treatment information, medical diagnostic information, prescription information, patient numbers, health insurance information, health insurance plan beneficiaries, and dates of service. Bayside Dental determined that the protected health information of up to 10,216 patients was potentially compromised in the incident. Bayside Dental has offered the affected individuals complimentary single-bureau credit monitoring, credit score, and credit report services for 12 months.

While not described by Bayside Dental as a ransomware attack, the Sinobi ransomware group claimed responsibility and added Bayside Dental to its dark web data leak site. The group claims to have stolen 580 gigabytes of data in the attack, including files containing patient data. Patients should therefore ensure that they sign up for the credit monitoring services being offered.

Aldrich Pediatric Dentistry

Aldrich Pediatric Dentistry in Indianapolis, IN, has also recently announced the exposure of patient data as a result of an email incident. On February 26, 2026, the practice learned that an employee’s email account was compromised on January 16, 2026, as a result of a response to a phishing email on January 16, 2026. The account was immediately secured, and an investigation was launched, which confirmed that the account contained the protected health information of 5,900 individuals.

Data potentially obtained in the attack included names, addresses, email addresses, telephone numbers, dates of service, procedures, and insurance information. Social Security numbers and financial information were not involved. The practice has implemented additional security measures to strengthen email security, and notification letters were mailed to the affected individuals around April 24, 2026.

Vendor Incident Affects Multiple Dental Practices

Several dental practices have recently disclosed data breaches involving a third-party vendor. The practices were contacted by the unnamed vendor on March 19, 2025, and were informed that limited patient data had been accessed by an unauthorized individual in a security incident. The vendor identified the unauthorized access on October 24, 2025, and the forensic investigation confirmed that some of the vendor’s email accounts and files were accessed between October 15 and October 23, 2025, as a result of a phishing attack.

The investigation found no evidence to suggest that the unauthorized third party accessed or copied any files containing patient information; however, unauthorized data access and acquisition could not be ruled out. The breach was limited to the vendor’s email accounts and associated files. There was no unauthorized access to patient medical or dental records. The compromised data varied from individual to individual and may have included names, addresses, dates of birth, medical information, health insurance information, and Social Security numbers. The affected individuals have been notified by mail and offered complimentary credit monitoring and identity theft protection services.

The HIPAA Journal has not yet been able to confirm how many dental practices have been affected; however, the following dental practices have issued breach notices confirming that patient data was potentially compromised in the incident.

Spate of Attacks on Dental Practices

There has been a spate of data breaches reported by dental practices recently, including Bridle Trails Family Dentistry in Washington (20,976 individuals), Verber Dental Group PC in New York (8,598 individuals), Bronsky Orthodontics in New York (3,183 individuals) – covered here, and Totem Lake Family Dentistry in Washington (3,464 individuals). Apart from the Verber Dental Group data breach, these incidents involved unauthorized access to email accounts.

Dental practices should ensure that they set strong, unique passwords for employee email accounts, protect accounts with multifactor authentication, implement an email security solution, and provide security awareness training to the workforce to raise awareness of phishing and social engineering.

The post Cybersecurity Incidents Reported by Multiple Dental Practices appeared first on The HIPAA Journal.