Author Archives: Steve Alder

More Than Half of Healthcare Orgs Attacked with Ransomware Last Year

A new report from the cybersecurity firm Semperis suggests ransomware attacks have decreased year-over-year, albeit only slightly. The ransomware risk report indicates healthcare is still a major target for ransomware gangs, with 77% of healthcare organizations targeted with ransomware in the past 12 months. 53% of those attacks were successful.

The report is based on a Censuswide survey of 1,500 IT and security professionals across multiple sectors. While attacks are down slightly, 60% of attacked healthcare organizations report suffering multiple attacks. In 30% of cases, they were attacked more than once in the same month, 35% were attacked in the same week, 14% were attacked multiple times on the same day, and 12% faced simultaneous attacks.

A general trend in recent years, as reported by several firms, is fewer ransomware victims paying ransoms, although across all industry sectors in the U.S., 81% of attacked companies paid the ransom, an increase from last year. Ransom payment was far less common in healthcare. According to Semperis, 53% of healthcare victims paid a ransom to either prevent the publication of stolen data, obtain decryption keys, or both. The ransom paid was less than $500,000 for 55% of companies, 39% paid between $500,000 and $1 million, and 5% paid more than $1 million.

The lower rate of ransom payment in healthcare may be due to genuine concerns that the attackers will not be true to their word. The ransomware attack on Change Healthcare last year made that clear. A $22 million ransom was paid to the BlackCat ransomware group to delete the stolen data; however, after pulling an exit scam, the affiliate behind the attack retained a copy of the data and attempted extortion a second time through a different group, RansomHub. Further, law enforcement operations against LockBit found the group lied about data deletion. Copies of stolen data were found on servers after the ransom was paid. Payment of a ransom is also no guarantee that data can be recovered. On average, 15% of companies that paid the ransom did not receive usable decryption keys, and a further 3% found that their data had been published or misused even when payment was made.

Ransomware groups have been observed adopting more aggressive tactics to increase pressure on victims. Falling profits have prompted some groups to contact patients of an attacked healthcare provider directly to pressure the provider into paying, and in some cases the patients themselves have been extorted. Ransomware groups have also threatened to file complaints with regulators, such as the Securities and Exchange Commission (SEC). According to Semperis, 47% of attacks across all sectors involved threats of regulatory complaints, compared with 41% of attacks on healthcare organizations. In 62% of healthcare attacks, the threat actor threatened to release private or proprietary data. There is also a growing trend of physical threats against staff members, which occurred in 40% of attacks across all sectors and 31% of attacks on healthcare organizations.

“With the introduction of generative AI and the fast development of agentic AI attacks, creating more advanced tools with more destructive impact is easier, so threat actors no longer need a lot of money and resources to create those tools,” said Yossi Rachman, Semperis Director of Security Research. “As a result, even a drop in ransom payments will not necessarily stop attack groups from proliferating and conducting more effective and frequent attacks.”

Semperis found that organizations are getting better at detecting and blocking attacks, but when attacks succeed, they can cause considerable harm. For 53% of healthcare victims, recovery took from a day to a week, with 31% of attacked healthcare organizations taking between one week and one month to fully return to normal operations. The main business disruptions were data loss/compromise, reputational damage, and job losses. This year, at least one healthcare provider permanently closed after a ransomware attack.

The biggest challenges faced in healthcare were the frequency and sophistication of threats, attacks on identity systems, and regulatory compliance. 78% of victims said attacks compromised their identity infrastructure, yet only 61% maintained a dedicated AD-specific backup system. Semperis strongly advises companies to implement technology to protect IAM infrastructure, since this is the #1 target. It is also important to document, train, and test to improve the response to a ransomware attack, as an attack is almost inevitable.

“Train for the day you are attacked,” advises Rachman. “See that everybody knows exactly what they should do, which systems, processes, and tools need to be involved, and do that every six months.” Further, even after an organization’s own cybersecurity has been improved, it must evaluate the security of its partners and supply chain vendors, as supply chain vulnerabilities can still be exploited against an organization with otherwise excellent security.

The post More Than Half of Healthcare Orgs Attacked with Ransomware Last Year appeared first on The HIPAA Journal.

Trump Administration Announces Plan to Improve Patient Data Sharing

This week, the Trump Administration announced a new initiative aimed at improving interoperability and the exchange of healthcare data, and has obtained pledges from leading healthcare and technology firms to create a foundation for a next-generation digital health ecosystem, intended to improve patient outcomes, reduce provider burden, and drive value.

The initiative was announced during a White House event hosted by HHS’ Centers for Medicare & Medicaid Services (CMS), dubbed “Make Health Tech Great Again,” and follows years of bipartisan efforts to improve interoperability and eradicate information blocking in order to improve the quality of care and eliminate waste. “For decades, bureaucrats and entrenched interests buried health data and blocked patients from taking control of their health,” said HHS Secretary Robert F. Kennedy, Jr. “That ends today. We’re tearing down digital walls, returning power to patients, and rebuilding a health system that serves the people. This is how we begin to Make America Healthy Again.”

At the event, the CMS fleshed out its plan, which includes voluntary criteria for trusted, patient-centered, and practical data exchange for all network types: health information networks, exchanges, electronic health records (EHR), and tech platforms. The effort is focused on two key areas: promoting a voluntary CMS Interoperability Framework that will allow data to be easily shared between patients and providers, and making personalized tools available to give patients the information and resources they need to make better health decisions. Under the initiative, more than 60 companies have pledged to work collaboratively to deliver results by the first quarter of 2026, including tech firms such as Amazon, Anthropic, Apple, Google, and OpenAI.

The initiative has been welcomed by the HHS’ Office for Civil Rights (OCR), which for several years has had a HIPAA enforcement initiative targeting noncompliance with the HIPAA Right of Access. Under that initiative, more than 50 healthcare providers have paid financial penalties for failing to provide patients with timely access to their medical records, as required by the HIPAA Privacy Rule. While patients can receive copies of their health records under HIPAA, there are still barriers to sharing that information with others. Under this initiative, tools will be made available to make data sharing as simple as providing a QR code to a new healthcare provider to transfer medical records.

“[OCR] supports actions that improve the timeliness in providing individuals with access to their electronic protected health information, without sacrificing health information privacy and security,” said OCR Director Paula M. Stannard. “If an individual receives another individual’s electronic protected health information in error, generally, OCR’s primary HIPAA enforcement interests are ensuring that the affected individual and HHS receive timely HIPAA breach notification.”

More than 21 networks have agreed to adopt the voluntary criteria to become CMS-aligned networks, and 30 companies have pledged to provide apps that will use secure digital identity credentials to obtain electronic medical records from CMS-aligned networks and facilitate data sharing. Apps will be developed for key areas such as diabetes and obesity management; conversational AI assistants will be available for checking symptoms, scheduling appointments, and navigating care options; and “kill the clipboard” tools will replace paper intake forms with secure digital check-in methods.

One of the tech companies participating in the effort is CLEAR, a secure identity platform provider. “We are excited that identity services – like CLEAR – are making it possible for patients and providers to use verified, secure identity as part of CMS’s Health Tech Ecosystem,” said Amy Gleason, Acting Administrator for the U.S. DOGE Service and Strategic Advisor to the CMS. “Checking in at the doctor’s office should be the same as boarding a flight. Patients should be able to scan a QR code to instantly and safely share their identity, insurance, and medical history.”

The HHS has confirmed that all of the proposals will be compliant with the HIPAA Privacy and Security Rules. While that is no doubt true, HIPAA only governs covered entities and their business associates. Once a healthcare provider has given a patient a copy of their records, that copy, and any copy the patient passes to an app or service that is not a HIPAA covered entity or business associate, is no longer protected by HIPAA. Patients must therefore exercise caution when sharing their records with any third party, as uses and disclosures of the shared information may not be subject to HIPAA protections.

“Improving health tech interoperability can eliminate frustrating inefficiencies and empower patients and providers. But health data is some of the most sensitive information people can share — and it must be protected responsibly,” said Andrew Crawford, Senior Counsel, Privacy & Data, at the Center for Democracy & Technology. “The U.S. doesn’t have a general-purpose privacy law, and HIPAA only protects data held by certain people like healthcare providers and insurance companies. Many health and AI apps, including some being promoted by the Trump Administration, are typically not covered by HIPAA. That could put sensitive information in real danger.”

Florida Internal Medicine Practice Discloses November 2024 Data Breach

Hacking-related data breaches have been announced by Mid Florida Primary Care, Northwest Denture Center in Washington, Forward, The National Databank for Rheumatic Diseases in Kansas, and Equilibria Mental Health Services in Massachusetts. Inc Ransom claims to have attacked the West Virginia Primary Care Association.

Mid Florida Primary Care

On July 29, 2025, Mid Florida Primary Care, a specialized internal medicine practice in Leesburg, Florida, disclosed a cyberattack and data breach that was identified on or around January 23, 2025. An investigation was launched to determine the nature and scope of the activity, which confirmed that an unauthorized third party accessed its network and copied files between November 29, 2024, and December 11, 2024. The data review was completed on June 19, 2025.

The information compromised in the incident includes names, addresses, dates of birth, email addresses, Social Security numbers, driver’s license numbers, health insurance information, Medicare/Medicaid numbers, diagnosis and/or treatment information, medical histories, allergies, prescription information, test results, and treatment locations.

Mid Florida Primary Care has confirmed that the affected individuals will be offered at least 12 months of complimentary credit monitoring and identity theft restoration services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Northwest Denture Center, Washington

Northwest Denture Center in Burlington, Washington, has confirmed that the protected health information of 12,209 individuals has been exposed in a recent hacking incident. Suspicious network activity was identified on or around May 28, 2025, and action was taken to isolate the network to prevent further unauthorized access. The investigation confirmed that an unauthorized third party first gained access to its network on May 27, 2025.

The review of the affected files was completed on June 27, 2025, and notification letters started to be sent to the affected individuals on July 25, 2025. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Additional training is being provided to the workforce, and additional security measures are being implemented. Complimentary credit monitoring services have been provided to the affected individuals for 12 months.

Equilibria Mental Health Services, Massachusetts

Equilibria Mental Health Services in Massachusetts has discovered that the personal and protected health information of up to 2,000 individuals was potentially compromised in a phishing attack. The incident was identified on June 24, 2025, when two employee email accounts were discovered to have been compromised following responses to phishing emails. The email accounts were accessed by an unauthorized third party for a short period on June 24, 2025.

There was unauthorized access to the email addresses of multiple clients, and individuals who had previously contacted Equilibria Mental Health Services to inquire about mental health services. Some of those individuals have reported receiving phishing emails from a compromised Equilibria email account.

The compromised accounts were reviewed and found to contain mailing addresses, physical addresses, telephone numbers, health insurance plan information, and reasons for making contact. The aim of the attack appears to have been to use the compromised accounts for further phishing attempts. Equilibria Mental Health Services said it is evaluating its cybersecurity protocols and taking action to strengthen email security.

Forward, The National Databank for Rheumatic Diseases

Forward, The National Databank for Rheumatic Diseases in Wichita, Kansas, has announced a security incident that was detected on March 21, 2025. Suspicious activity was identified within certain systems, and the forensic investigation confirmed unauthorized access between March 17, 2025, and March 22, 2025. During that time, files containing sensitive information were potentially viewed and copied from its network.

The file review was completed on June 22, 2025, when it was confirmed that personally identifiable information (PII) and protected health information (PHI) had been compromised, including names, contact information, dates of birth, Social Security numbers, medical information/histories, disability information, mental and physical treatment information, diagnoses, prescription information, treating or referring physicians, and medical record numbers. Forward is reviewing its policies, procedures, and processes to reduce the likelihood of a similar future event, and notification letters are being mailed to the affected individuals.

It is currently unclear how many individuals have been affected. The Maine Attorney General was informed that the breach involved the personal information of 38 Maine residents, but the total size of the data breach was not disclosed.

Ransomware Group Claims Attack on West Virginia Primary Care Association

West Virginia Primary Care Association (WVPCA), in Charleston, West Virginia, has recently been added to the dark web data leak site of the Inc Ransom ransomware group. Inc Ransom is a prolific hacking group that engages in double extortion ransomware attacks, stealing data, encrypting files, and demanding payment both for the decryptors and to prevent publication of the stolen data. Inc Ransom claims to have exfiltrated 296 GB of data.

The addition of an entity on a dark web data leak site does not necessarily mean data has been stolen. There have been several cases where claims of attacks have been partially or entirely fabricated. West Virginia Primary Care Association has yet to announce any cyberattack or data breach, or issue a statement about the posting. The HIPAA Journal has not accessed any of the leaked data, so is unable to verify whether the claim is legitimate.

Dermatology Clinics Affected by Practice Management Company Data Breach

Several dermatology practices have recently announced data breaches following an attack on their management company. The number of attacks reported this year by dermatology practices suggests they are being targeted by one or more threat actors.

In May 2025, DermCare Management, a Florida-based company that provides support services for dermatologists and dermatology specialists, notified the HHS’ Office for Civil Rights (OCR) about a network server hacking/IT incident, using a placeholder estimate of 501 affected individuals as the number of affected individuals had yet to be established. Several of the affected practices have now issued substitute breach notifications about the incident.

DermCare Management has more than 60 locations in Florida, Texas, California, and Virginia, and primarily provides services related to platform building and development, revenue growth, operational improvement, and improving the patient experience. At least 10 practices are known to have been affected. The list of affected providers is not exhaustive and mostly consists of practices in Florida. Further practices may announce that they have been affected in the coming days and weeks. None of the practices below are currently listed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Confirmed Affected Practices

  • Miami Plastic Surgery, Florida
  • Keys Dermatology, Florida
  • Hollywood Dermatology, Florida
  • Jacksonville Beach Dermatology, Florida
  • Skin Center of South Miami, Florida
  • Florida West Coast Skin Center, Florida
  • Dania Dermatology, Florida
  • Florida Academic Dermatology Center, Florida
  • Rendon Center, Florida
  • Dermatology Treatment and Research Center, Texas

According to the substitute breach notices on the websites of the above practices, the attack was identified on February 26, 2025. Suspicious network activity was identified, and networks were rapidly secured. The investigation confirmed on March 3, 2025, that patient information may have been copied from the network. Files are still being reviewed to determine the number of affected individuals and the types of data involved; however, the compromised information likely includes names, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their account statements and free credit reports.

String of Cyberattacks Affecting Dermatology Practices

Major data breaches have been reported by other dermatology practices in recent weeks. One hacking incident that stands out is Anne Arundel Dermatology, which recently reported a hacking-related data breach affecting 1,905,000 individuals. Shelby Dermatology (Dermatologists of Birmingham) has reported a hacking incident affecting 86,414 individuals, Mountain Laurel Dermatology has reported a data breach affecting 3,324 individuals, and a hacking incident has been announced by U.S. Dermatology Partners, a network of 100 dermatology practices. That incident occurred in June and is not yet shown on the HHS’ Office for Civil Rights breach portal, although one of the affected practices appears to be Oliver Street Dermatology Management LLC, which reported that 13,717 individuals were affected.

HCA Healthcare Multi-Million Dollar Data Breach Settlement Approved

HCA Healthcare Inc. has agreed to settle class action litigation stemming from a July 2023 data breach that was reported to the HHS’ Office for Civil Rights as affecting 11,270,000 patients. The affected individuals had received healthcare services at HCA hospitals and doctors’ offices in 20 U.S. states.

HCA Healthcare was targeted by hackers who accessed and stole data from an external storage location, which was used to automate the formatting of email messages. A database was stolen that contained 27.7 million records. The hackers listed the database for sale when the ransom was not paid. Data compromised in the incident included names, contact information, dates of birth, and appointment information.

HCA Healthcare announced the data breach on or around July 10, 2023, and the first class action lawsuit was filed within a couple of days of the announcement. In total, 27 putative class action lawsuits were filed against HCA Healthcare in response to the data breach, alleging negligence for inadequate cybersecurity practices and for failing to properly safeguard patient data. The lawsuits were consolidated – In re HCA Healthcare, Inc. Data Security Litigation – in the U.S. District Court for the Middle District of Tennessee.

HCA Healthcare denies the claims and contentions in the lawsuit; however, it negotiated a settlement to resolve the litigation, with no admission of liability or wrongdoing. While the total settlement amount has not been disclosed, attorneys for the plaintiffs may claim up to $3.1 million in fees. Attorneys usually claim one-third of the total settlement amount, which suggests the total settlement fund is greater than $9 million. The fifteen class representatives will each be paid a service award of up to $5,000.

Claims from class members will be paid once attorneys’ fees, expenses, settlement administration costs, and service awards have been deducted from the settlement fund. Class members may claim a one-year membership to a credit monitoring, fraud consultation, and identity theft restoration service, which includes a $1 million identity theft insurance policy. Class members may also submit a claim for reimbursement of documented, unreimbursed losses fairly traceable to the data breach up to a maximum of $5,000 per class member. HCA Healthcare has also confirmed that it will adopt, implement, and maintain security commitments to prevent similar incidents for at least two years from the settlement date. Those commitments have been filed under seal.

The deadline for exclusion from and objection to the settlement is August 25, 2025. Claims must be submitted by September 25, 2025, and the final fairness hearing is scheduled for October 27, 2025.

Healthcare Organizations Settle Website Tracking Class Action Lawsuits

Settlements have been reached with two healthcare entities to resolve allegations that they used pixels and other tracking tools on their websites, which disclosed sensitive data to third parties without the knowledge or consent of website users.

Tracking tools such as Meta Pixel and Google Analytics code are used on websites to track user behavior, such as the pages visited, actions taken on web pages, time spent on the site, and other information. These tools transmit the collected information to third parties along with unique identifiers. Website owners can use the information collected by these tools to improve their websites, and the collected data can be used for advertising purposes. For instance, if a web user visited a page about stopping smoking, they could be targeted with adverts for smoking cessation products on other websites.
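As an added example, not code from The HIPAA Journal or from any party to the lawsuits below, the following Node.js script shows the check a security reviewer would run against a patient-facing page to find the Meta Pixel and Google tag snippets described above, and what a pixel request carries. The sample HTML is constructed for the example; the tracker signatures are the public loader URLs and init calls those tools ask site owners to embed; and the beacon builder is a simplified reconstruction of the pixel’s PageView request (the `id`, `ev` and `dl` parameters), an assumption for illustration rather than Meta’s documented wire format.

```javascript
// Added example, not code from The HIPAA Journal or from any party to the
// lawsuits: audit a page's HTML for third-party tracking snippets and show
// what a pixel request discloses. Run with: node tracker_audit.js

// Signatures for the two tools named in the article. The loader URLs and
// init calls are the public snippets those tools ask site owners to embed.
const TRACKER_SIGNATURES = [
  {
    vendor: 'Meta Pixel',
    loader: /connect\.facebook\.net\/[a-z_]+\/fbevents\.js/i,   // fbevents.js loader
    init: /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g,          // fbq('init', '<pixel id>')
    pixel: /facebook\.com\/tr\?[^"']*id=(\d+)/g,                 // <noscript> image fallback
  },
  {
    vendor: 'Google Analytics / Google Tag',
    loader: /googletagmanager\.com\/gtag\/js|google-analytics\.com\/analytics\.js/i,
    init: /gtag\(\s*['"]config['"]\s*,\s*['"]([A-Z]{1,3}-[A-Z0-9-]+)['"]/g, // gtag('config', '<measurement id>')
    pixel: null,
  },
];

// Collect the distinct capture-group values for a global regex (or none).
function matchAll(re, text) {
  if (!re) return [];
  const ids = new Set();
  for (const m of text.matchAll(re)) ids.add(m[1]);
  return [...ids];
}

// One finding per vendor whose loader script, init call or image pixel appears
// in the HTML. pagePath is recorded because the pixel reports the URL of the
// page it fires on, so the path (e.g. a condition-specific page) is what leaks.
function auditTrackers(html, pagePath) {
  const findings = [];
  for (const sig of TRACKER_SIGNATURES) {
    const ids = [...new Set([...matchAll(sig.init, html), ...matchAll(sig.pixel, html)])];
    const loaderPresent = sig.loader.test(html);
    if (!loaderPresent && ids.length === 0) continue;
    findings.push({ vendor: sig.vendor, ids, loaderPresent, disclosesPath: pagePath });
  }
  return findings;
}

// Simplified reconstruction (an assumption for illustration, not Meta's
// documented wire format) of the PageView request Meta Pixel sends: the pixel
// id, the event name and `dl`, the full document location. The browser also
// attaches the _fbp identifier cookie, which is what ties the visit to a user.
function pixelBeacon(pixelId, pageUrl) {
  const params = new URLSearchParams({ id: pixelId, ev: 'PageView', dl: pageUrl });
  return `https://www.facebook.com/tr/?${params.toString()}`;
}

// Constructed sample: a patient-portal page carrying both snippets.
const SAMPLE_HTML = `<!doctype html><html><head>
<script>
  !function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '123456789012345');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){ dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', 'G-ABC123XYZ');
</script>
</head><body><h1>Your Medical Record</h1></body></html>`;

const report = auditTrackers(SAMPLE_HTML, '/your-medical-record');
console.log(JSON.stringify(report, null, 2));
for (const f of report) {
  if (f.vendor === 'Meta Pixel') {
    for (const id of f.ids) console.log(pixelBeacon(id, 'https://portal.example.test' + f.disclosesPath));
  }
}
```

Run against every page a patient can reach after login, not just the home page: the scanner reports both vendors on the sample page, and the beacon output makes the disclosure concrete, since the full URL of a page such as a medical-record or condition-specific page travels to the third party along with the browser identifier the pixel sets.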

Aspen Dental Management Settlement – $18.5 Million

Aspen Dental Management, a Chicago, IL-based dental support organization serving approximately 1,100 Aspen Dental offices across the United States, was sued over its use of tracking tools that transmitted web user data to Meta (Facebook) and Google without users’ knowledge or consent between 2022 and 2025.

Several lawsuits were filed in response to the impermissible disclosures, which were consolidated into a single complaint, Donnelly, et al. v. Aspen Dental Management, Inc., in the United States District Court for the Northern District of Illinois. The lawsuit alleged negligence and violations of the Electronic Communications Privacy Act, Florida Security of Communications Act, California Invasion of Privacy Act, California Confidentiality of Medical Information Act, and the Pennsylvania Wiretap Act.

Aspen Dental Management maintains there was no wrongdoing and denies all of the claims and contentions in the lawsuit; however, the decision was made to settle the lawsuit as the litigation was likely to be protracted and expensive, with an uncertain outcome. Class counsel and the class representatives believe the settlement is in the best interests of the class members.

Under the terms of the settlement, Aspen Dental Management will establish settlement funds totaling approximately $18.5 million to cover attorneys’ fees, expenses, settlement administration costs, class representative awards, and claims from class members. There are two subclasses in the settlement. Group 1 consists of individuals who booked an appointment via the website between February 20, 2022, and June 1, 2023, and Group 2 consists of individuals who booked an appointment on the website between June 2, 2023, and January 1, 2025.

There are approximately 621,370 individuals in Group 1 and 1,625,000 individuals in Group 2. Aspen Dental Management will establish a fund of $2,796,169.50 for Group 1 and a fund of $15,673,220 for Group 2. Class members in Group 1 will receive a pro rata cash payment once attorneys’ fees, expenses, service awards, and settlement administration costs have been deducted from the settlement fund. Class members in Group 2 will receive a cash payment of $15, subject to a pro rata reduction depending on the number of claims received.

The deadline for exclusion from the settlement, opting out, and submitting a claim is September 15, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for October 20, 2025.

Southern Mono Healthcare District (Mammoth Hospital)

Southern Mono Healthcare District, doing business as Mammoth Hospital, was also sued over the use of pixels on its website. The lawsuit, Doe v. Southern Mono Healthcare District, was filed on August 9, 2023, in the Mono County Court in Mono County, California. The lawsuit survived a motion to dismiss and was moved to the Superior Court of California, Mono County. The lawsuit claimed the use of the tracking tools violated California privacy laws.

The defendants maintain there is no liability and no wrongdoing, but chose to settle the lawsuit to avoid the costs and risks of trial. The settlement covers Mammoth Hospital patients who used the Mammoth Web Properties to access the “Your Medical Record” section of the website (mammothhospital.org) between August 9, 2022, and August 9, 2023.

Class members can claim two benefits. All class members may claim a 12-month membership to CyEx Privacy Shield Pro, which includes dark web monitoring for personal information, plus a one-time cash payment of $20. The deadline for opting out and objecting to the settlement is September 15, 2025, and the deadline for submitting a claim is October 14, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for November 6, 2025.

There has been a flurry of settlements in recent weeks to resolve pixel-related lawsuits against healthcare providers, including MarinHealth, University of Rochester Medical Center, BJC Healthcare, Henry Ford Health, and Eisenhower Health.

Data Breaches Announced by Florida & Colorado Mental Health Clinics

Two mental healthcare providers have recently announced cybersecurity incidents that exposed patient data: Eleos Wellness in Florida and Clinica Family Health & Wellness in Colorado.

Eleos Wellness, Florida

Eleos Wellness, a Pinellas Park, FL-based provider of mental health services, has recently announced a data security incident that potentially involved unauthorized access to client information. Unauthorized network activity was detected on June 11, 2025, and third-party cybersecurity experts were engaged to investigate the activity. The investigation is ongoing; however, it has been confirmed that an unauthorized third party had access to names, addresses, dates of birth, Social Security numbers, and health insurance information. No evidence has been found to indicate that its electronic medical record system was involved.

No fraudulent activity related to the incident has been identified; however, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their personal accounts and explanation of benefits statements. Eleos Wellness has confirmed that steps are being taken to improve security to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is not yet known how many individuals have been affected.

Clinica Family Health & Wellness, Colorado

Clinica Family Health & Wellness, a Colorado-based network of mental health clinics, has announced a security breach affecting the Mental Health Partners environment. An intrusion was identified and rapidly contained on March 25, 2025, and third-party cybersecurity experts were engaged to investigate the nature and scope of the unauthorized activity.

No evidence was found to indicate that any data was removed from its network; however, it is possible that patient data may have been accessed. Clinica Family Health & Wellness said a comprehensive investigation is ongoing, and it has yet to be determined exactly how many individuals have been affected or the types of information involved. Notification letters will be mailed to the affected individuals when the review is concluded.

Florida Practice Management Company Announces June 2025 Data Breach

Think Big Health Care Solutions, a Florida-based practice management company, and Minnesota Epilepsy Group have recently confirmed cyberattacks and data breaches. Ransomware groups have claimed responsibility for attacks on Emerson Chiropractic in Indiana and El Paso Quality Dentistry in Texas.

Think Big Health Care Solutions, Florida

Think Big Health Care Solutions, a Wellington, FL-based practice management company that provides billing, contracting, and credentialing services to medical practices, has identified unauthorized access to an employee’s email account. Suspicious activity within the account was identified on June 20, 2025, and third-party cybersecurity specialists were engaged to investigate the incident.

Evidence was found that suggested some emails and files in the account had been accessed by an unauthorized third party. A review was conducted to determine the types of information involved and the individuals affected, and notification letters will be mailed to those individuals when that process has been completed. Think Big Health Care Solutions has confirmed that the account contained information such as first and last names, initials, addresses, telephone/fax numbers, email addresses, dates of birth, Social Security numbers, tax identification numbers, passport numbers, admission dates, health insurance policy numbers, bank/financial account numbers and routing numbers, credit/debit card information, diagnoses/conditions, lab results, medications, claims information, medical record numbers, other medical/health information, CPT codes, and referring provider names.

Additional technical and administrative measures have been implemented to prevent similar incidents in the future, and enhanced training is being provided to the workforce on phishing detection, secure data handling, and incident response procedures.

Minnesota Epilepsy Group

Roseville, MN-based Minnesota Epilepsy Group (MEG) has experienced a cybersecurity incident that affected certain systems within its network and caused some disruption to business operations. According to the April 25, 2025, substitute breach notice, MEG identified the incident on February 27, 2025. Immediate action was taken to secure its systems, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. The investigation is ongoing, but it has been confirmed that client and employee data were exposed in the incident.

The exact types of data involved have yet to be confirmed, but likely include individuals’ names, addresses, dates of birth, medical record numbers, EEG summaries, neuropsychology reports, medication records, and health insurance information. No evidence of misuse of that information has been identified to date; however, the affected individuals have been advised to remain vigilant and to review their financial account statements for signs of fraudulent activity. MEG said it continually evaluates and modifies its practices to enhance privacy and security and is taking steps to augment existing cybersecurity measures to prevent similar incidents in the future.

Ransomware Groups Claim Responsibility for Attacks on Two Healthcare Providers

Ransomware groups have recently claimed responsibility for attacks on two healthcare providers, Emerson Chiropractic in Indiana and El Paso Quality Dentistry in Texas. The DragonForce ransomware group claims to have stolen 96 GB of data from Emerson Chiropractic, which provides chiropractic services to individuals in the Southside of Indianapolis. The stolen data has been published on the group’s data leak site, indicating the ransom was not paid.

The Beast ransomware group has added El Paso Quality Dentistry to its data leak site and claims to have stolen approximately 700 GB of data. Screenshots have been uploaded to the data leak site, indicating a broad range of data has been stolen, with some folder names suggesting patient data was involved. Currently, the stolen data has not been leaked. Neither healthcare provider has publicly announced a cyberattack or data breach at the time of writing.
