Author Archives: Steve Alder

HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital

Posted by Steve Alder

An audit of a large Southeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) identified security weaknesses in internet-facing applications, which could potentially be exploited by threat actors for initial access. Similar security weaknesses are likely to exist at many U.S. hospitals. The aim of the audit was to assess whether the hospital had implemented adequate cybersecurity controls to prevent and detect cyberattacks, if processes were in place to ensure the continuity of care in the event of a cyberattack, and whether sufficient measures had been implemented to protect Medicare enrollee data.

The audited hospital had more than 300 beds and was part of a network of providers who share patients’ protected health information for treatment, payment, and healthcare operations. The hospital had adopted the HITRUST Common Security Framework (CSF) version 9.4 as its main cybersecurity framework, used that framework for regulatory compliance and risk management, and had implemented physical, technical, and administrative safeguards as required by the HIPAA Rules.

HHS-OIG reviewed the hospital’s policies and procedures to assess its cybersecurity practices concerning data protection, data loss prevention, network management, and incident response, and interviewed appropriate staff members to gain further cybersecurity and risk mitigation insights. HHS-OIG conducted penetration tests and external vulnerability assessments on four of the hospital’s internet-facing applications.

The hospital had implemented cybersecurity controls to protect Medicare enrollee data and ensure the continuity of care in the event of a cyberattack, and the cybersecurity controls detected most of HHS-OIG’s simulated cyberattacks; however, weaknesses were found that allowed the HHS-OIG to capture login credentials and use them to access the account management web application, and a security weakness in its input validation controls allowed manipulation of the application.

HHS-OIG sent 2,171 phishing emails, but only the last 500 were blocked. A total of 108 users clicked the link in the email (6% click rate), and one user entered their login credentials in the HHS-OIG phishing website. The captured login credentials allowed HHS-OIG to access the account, although it did not appear to contain patient information. Once the web application was accessed, HHS-OIG was able to view the user’s devices associated with the account, as well as a list with options to deactivate multifactor authentication and add/remove devices from the account. If it were a real cyberattack, a threat actor could use the access for a more extensive compromise. HHS-OIG said strong user identification and authentication (UIA) controls for the account management web application had not been implemented; however, the click rate and login rate were relatively low, therefore, no recommendations were made regarding its anti-phishing controls.

Another internet-facing application was found to lack strong input validation controls, which made the application vulnerable to an injection attack. An attacker could inject malicious code into weak input fields, alter commands sent to the website, and access sensitive data or manipulate the system. While the hospital had conducted vulnerability scans and third-party penetration tests, the vulnerability failed to be identified. Further, the web application did not have a web application firewall for filtering, monitoring, and blocking malicious web traffic, such as injection attacks.

HHS-OIG made four recommendations: Implement strong user identification and authentication controls for the account management web application; periodically assess and update user identification and authentication controls across all systems; assess all web applications to determine if an automated technical solution, such as a web application firewall, is required; and utilize a wider array of testing tools for identifying vulnerabilities in applications, such as dynamic application testing tools, static application testing tools, and manual, interactive testing.

HHS-OIG did not name the audited hospital due to the risk that it could be targeted by threat actors. Further audits of this nature will be conducted on other healthcare providers to determine whether similar security issues exist and if there are any opportunities for the HHS to improve guidance and outreach to help hospitals improve their security controls.

“This report highlights the need for healthcare organizations to adapt their security programs to reflect a fundamental shift: sensitive data now resides not just in on-prem, internal apps, but also in web-based SaaS applications,” Russell Spitler, CEO of Nudge Security, told the HIPAA Journal. “Traditional network-focused security controls cannot adequately protect cloud applications where data flows across organizational boundaries. This makes identity security controls—particularly MFA and SSO—essential for protecting this dynamic attack surface.”

Spitler suggests “healthcare organizations should take a systematic approach that prioritizes comprehensive visibility and strong authentication controls across their entire application ecosystem.” Key steps recommended by Spitler include:

  • Conducting a comprehensive inventory of all SaaS and web applications to understand the full picture of the organization’s attack surface
  • Prioritizing MFA implementation for applications with privileged access or sensitive data, starting with internet-facing systems
  • Deploying SSO solutions that can enforce MFA centrally while improving user experience and reducing password-related security risks
  • Using conditional access policies that require MFA for any access from outside the corporate network or from unmanaged devices
  • Regularly testing authentication controls through penetration testing and phishing simulations, as HHS OIG did in this audit

The post HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital appeared first on The HIPAA Journal.

Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients

Posted by Steve Alder

Data breaches have recently been announced by Central Ozarks Medical Center in Missouri, AdventHealth Daytona Beach in Florida, and the Middlesex Sheriff’s Office in Massachusetts.

Central Ozarks Medical Center, Missouri

Central Ozarks Medical Center (COMC), a Federally Qualified Health Center (FQHC) in mid-Missouri, has notified 11,818 individuals that some of their personal and protected health information was compromised in a criminal cyberattack. The substitute breach notice on the COMC website does not state when the cyberattack was detected or for how long its network was compromised, only that it was determined on or around November 10, 2025, that personally identifiable information and protected health information may have been subject to unauthorized access or acquisition.

The types of information compromised in the incident included names, dates of birth, Social Security numbers, financial account information, medical treatment information, and health insurance information. COMC has provided the affected individuals with information on steps they can take to reduce the risk of identity theft and fraud, and at least 12 months of complementary credit monitoring and identity theft protection services have been offered. COMC has confirmed that it has implemented a series of cybersecurity enhancements and will continue to augment those measures to better protect patient information.

Middlesex Sheriff’s Office, Massachusetts

The Middlesex Sheriff’s Office in Massachusetts has announced a January 2025 security breach that involved unauthorized access to individuals’ protected health information.  The Sheriff’s Office launched an investigation to determine the extent and nature of the incident, and was assisted by the Federal Bureau of Investigation, the Massachusetts State Police, the Commonwealth Fusion Center, the Executive Office of Technology Services and Security, and two cybersecurity firms.

It took until November 19, 2025, to complete the review of the exposed files, when it was confirmed that they contained names, addresses, dates of birth, diagnoses, and/or other general health information. The Sheriff’s Office said it has not identified any misuse of the exposed information. The Middlesex Sheriff’s Office has implemented additional safeguards to prevent similar breaches in the future and has advised the affected individuals to review their bank statements and insurance records for signs of misuse. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals – a commonly used placeholder figure when the total number of affected individuals has not yet been confirmed.

AdventHealth Daytona Beach, Florida

AdventHealth Daytona Beach in Florida has notified 821 individuals about the loss of paperwork containing their protected health information. The loss of documentation was identified by its outpatient laboratory on November 25, 2025. Outpatient lab orders were determined to be missing for individuals who received outpatient services between September 1 and September 14, 2025.

AdventHealth Daytona Beach said the loss occurred during a departmental relocation from the first to the second floor. Construction activities were taking place to install a new tubing system, and the planned project location was changed by the construction workers, who accessed an area containing the lab orders without first notifying the laboratory team. The paperwork was discarded by the construction workers. AdventHealth Daytona Beach said no evidence was found to indicate the lab orders were or will be misused. The lab orders contained information such as names, addresses, dates of birth, telephone numbers, email addresses, diagnosis codes, health condition(s), and health insurance policy numbers.

The post Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients appeared first on The HIPAA Journal.

Capital Health Data Breach Litigation Settled for $4.5M

Posted by Steve Alder

Capital Health has agreed to pay $4.5 million to settle a class action lawsuit stemming from a 2023 ransomware attack. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell Township – as well as many primary care clinics in New Jersey and Pennsylvania.

On or around November 26, 2023, Capital Health identified unauthorized activity within its computer systems. The forensic investigation confirmed that a criminal cyber actor had access to its network between November 11, 2023, and November 26, 2023, and used ransomware to encrypt files. The investigation determined that files containing patient data had been exposed and may have been stolen. The LockBit ransomware group claimed responsibility for the attack and said it exfiltrated 7 TB of data. LockBit threatened to publish the stolen data on January 9, 2024, if the ransom was not paid. It is unclear if any payment was made.

Capital Health’s investigation confirmed that the hackers potentially accessed patient data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and medical information. The data breach was reported to the HHS’ Office for Civil Rights as affecting 503,071 individuals. Capital Health announced the cyberattack in December 20223, and the first class action lawsuit over the attack was filed on December 19, 2023. Further class action lawsuits were filed by other affected patients, which were consolidated in May 2025 – Bruce Graycar, et al. v. Capital Health Systems, Inc. – in the United States District Court for the District of New Jersey, as the lawsuits had overlapping claims. The consolidated class action lawsuit alleged claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, declaratory judgment, and Violation of the New Jersey Consumer Fraud Act.

All parties discussed the option of settling the lawsuit, and a settlement was agreed upon by all parties, with no admission of liability, fault, or wrongdoing by Capital Health. Under the terms of the settlement, class members may submit claims for up to $5,000 per class member as reimbursement for documented, unreimbursed losses resulting from the data breach. Alternatively, class members may submit a claim for a cash payment, estimated to be $100 per class member. The cash payments may be increased or decreased, depending on the number of valid claims received. In addition to the cash payments, class members may also submit a claim for three years of credit monitoring services, valued at $90 per year.

Capital Health has also confirmed to class counsel that a range of additional security measures have been implemented and will be maintained to better protect patient data in the future. The deadline for objection to and opting out of the settlement is March 9, 2026. The deadline for submitting a claim is April 6, 2026, and the final fairness hearing has been scheduled for July 14, 2026.

The post Capital Health Data Breach Litigation Settled for $4.5M appeared first on The HIPAA Journal.

Gryphon Healthcare Agrees to Pay $2.87M to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

Gryphon Healthcare, a Houston, TX-based revenue cycle, coding, compliance, consultancy, and management services vendor, faced multiple class action lawsuits over a July 2024 cyberattack involving a partner for which it provides billing services. Gryphon Healthcare learned about the incident in August 2024, and its investigation found that files may have been viewed or obtained. Those files contained the protected health information of 393,358 patients, including names, dates of birth, addresses, Social Security numbers, dates of service, diagnoses, medical treatment information, prescriptions, medical record numbers, and health insurance information.

On or around October 11, 2024, Gryphon Healthcare started sending notification letters to the affected individuals, and shortly thereafter, the first class action lawsuit was filed. A further eight lawsuits were subsequently filed, which were consolidated into a single complaint – Morris et al., v. Gryphon Healthcare, LLC – in the District Court for Harris County, Texas. The lawsuit asserted claims of negligence/negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, unjust enrichment, bailment, a failure to provide adequate notice pursuant to any breach notification statute or common law duty, and violations of state consumer protection laws.

While Gryphon Healthcare denies wrongdoing, fault, and liability for the cyberattack and data breach, after considering the cost and distraction of continuing the litigation and the uncertainty of trial, the decision was taken to settle. Under the terms of the settlement, Gryphon Healthcare will establish a $2,800,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the nine named plaintiffs. After those costs have been deducted, the remainder of the fund will be used to pay benefits to the class members.

Class members may choose one of two cash payments. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, they may choose to receive a cash payment, which is estimated to be $100, but may increase or decrease depending on the number of valid claims received. All class members who submit a valid claim are entitled to a two-year membership to an identity theft protection and medical data monitoring service, which includes a $1 million identity theft insurance policy. The deadline for objecting to the settlement and opting out is March 17, 2026. Claims must be submitted by April 16, 2026, and the final fairness hearing has been scheduled for August 31, 2026.

Nov 4, 2024: Gryphon Healthcare Facing Multiple Lawsuits Over 400,000-Record Data Breach

Gryphon Healthcare, a Houston, TX-based provider of revenue cycle management and medical billing services to healthcare providers, is facing multiple class action lawsuits over an August 2024 data breach that involved unauthorized access to the protected health information of almost 400,000 individuals. The compromised information included names, contact information, Social Security numbers, diagnosis and treatment information, health insurance information, and medical record numbers. The intrusion occurred via an unnamed IT service provider.

At least seven lawsuits have now been filed by individuals who were recently notified about the exposure of their protected health information. The plaintiffs allege that Gryphon Healthcare failed to implement reasonable and appropriate cybersecurity measures to protect the sensitive information it stored and also failed to monitor its network for unauthorized activity. The lawsuits assert that if appropriate defenses had been implemented and if industry standards had been adhered to, the data breach could have been prevented. Proper monitoring would have allowed the intrusion to be detected much more promptly.

The lawsuits make similar claims, including a violation of duties under common law, contract law, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Trade Commission (FTC) Act. The plaintiffs allege that the theft of their personal and protected health information has resulted in them suffering and continuing to suffer injuries, including financial harm due to the misuse of their information, lost time due to the detection and prevention of identity theft and fraud, and the loss or diminished value of their private information.

The plaintiffs make claims of negligence, negligence per se, invasion of privacy, breach of confidence, breach of fiduciary duty, breach of implied contract, breach of third-party beneficiary contract, and unjust enrichment. The lawsuits were filed in Texas federal court and seek class action certification for a nationwide class of individuals affected by the data breach, a jury trial, actual, compensatory, statutory, and punitive damages, and injunctive relief, including an order from the court requiring Gryphon Healthcare to implement a host of security measures to safeguard the personal and protected health information stored by the company.

The post Gryphon Healthcare Agrees to Pay $2.87M to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

CISA Issues Guidance for Proactively Defending Against Insider Threats

Posted by Steve Alder

Insider threats are one of the leading causes of data breaches in healthcare, more so than in many other industry sectors. A 2018 study by Verizon found insider incidents outnumbered incidents involving external parties, with 56% of healthcare data breaches due to insiders and 43% due to external actors. A study by the cybersecurity firm Metomic found that the percentage of healthcare organizations reporting no insider incidents has declined from 34% in 2019 to 24% in 2024.

Insider incidents can stem from a lack of knowledge about HIPAA or disregard for patient privacy, such as when healthcare employees snoop on medical records. Negligent insiders can easily expose patient data by failing to follow the organization’s policies and procedures, and malicious insiders steal patient information for financial gain or revenge. Copying patient information to take to a new practice or employer is also common.

Due to the high risk of insider threats in healthcare and other critical infrastructure sectors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging critical infrastructure organizations to take decisive action against insider threats, and has published a new resource specifically developed for critical infrastructure organizations and state, local, tribal, and territorial (SLTT) governments to help them assemble a multi-disciplinary insider threat management team. The guidance includes proven strategies for proactively preventing, detecting, mitigating, and responding to insider threats.

Insiders have institutional knowledge and legitimate access rights, allowing them to easily access and steal sensitive data, and detecting insider breaches can be a challenge. Insider incidents can cause significant harm to healthcare organizations, including reputational damage, revenue loss, and harm to people and key assets. “Whether driven by intent or accident, insider threats pose one of the most serious risks to organizational security and resilience- demanding proactive measures to detect, prevent, and respond,” explained CISA.

“Insider threats remain one of the most serious challenges to organizational security because they can erode trust and disrupt critical operations,” said Acting CISA Director Dr. Madhu Gottumukkala. “CISA is committed to helping organizations confront this risk head-on by delivering practical strategies, expert guidance, and actionable resources that empower leaders to act decisively — building resilient, multi-disciplinary teams, fostering accountability, and safeguarding the systems Americans rely on every day.”

Combating insider threats requires an insider threat mitigation program that includes physical security, cybersecurity, personnel awareness, and partnerships with the community, and assembling a multi-disciplinary insider threat management team is a critical part of that process. The threat management team should oversee the insider threat management program, monitor for potential threats, and act quickly to mitigate the consequences of negligent and malicious insider actions. With an effective insider threat management team in place, organizations can reduce the damage and frequency of insider threat incidents.

A threat management team will be far more effective than any one individual, with teams able to be scaled and adjusted in scope and capability as the organization matures and evolves. Having a range of insider threat subject matter experts will allow the organization to obtain varied perspectives and generate more accurate and holistic threat assessments. Team members should include threat analysts, general counsel, human resources, the CISO, CSO, as well as external parties, including investigators, law enforcement, and medical or mental health counselors.

In the guidance, CISA offers a framework consisting of four stages – Plan, Organize, Execute, and Maintain (POEM). The Plan stage allows the organization to structure and scope the role of the threat management team. The Organize phase involves the team guiding employee awareness, creating a culture of reporting, and providing the necessary support to relevant departments to identify potential insider threat activity. The Execute phase involves upholding the insider threat mitigation program, and the Maintain phase is concerned with developing the threat management team to ensure it remains effective over time.

“Insider threats can disrupt operations, compromise safety, and cause reputational damage without warning. Organizations with mature insider threat programs are more resilient to disruptions, should they occur. People are the first and best line of defense against malicious insider threats, and organizations should act now to safeguard their people and assets,” said CISA Executive Assistant Director for Infrastructure Security Steve Casapulla.

The post CISA Issues Guidance for Proactively Defending Against Insider Threats appeared first on The HIPAA Journal.

Patients Learn Their Health Data Was Compromised More Than a Year Ago

Posted by Steve Alder

Alpine Ear, Nose, and Throat in Colorado, The Phia Group in Massachusetts, and Community Health Northwest Florida have started notifying patients that their personal and health information was impermissibly accessed over a year ago.

Alpine Ear, Nose, and Throat, Colorado

Alpine Ear, Nose, and Throat in Fort Collins, Colorado, has mailed notification letters to 65,648 individuals warning them that some of their protected health information was exposed in a security incident identified by Alpine ENT on November 19, 2024. Alpine ENT engaged its managed service provider to investigate the incident, and it was confirmed that an unauthorized third party accessed and exfiltrated files containing patients’ protected health information.

Alpine ENT’s legal counsel explained in the notification letters that a substitute data breach notice was published on the Alpine ENT website on January 17, 2025, although at the time, the investigation was ongoing. The data mining and review processes were completed on October 9, 2025, and in the subsequent months, Alpine ENT worked to verify the impacted individuals and obtained up-to-date contact information. Notification letters were mailed to the affected individuals on January 30, 2026, 14 months after the breach was first identified.

The BianLian ransomware group claimed responsibility for the attack and added Alpine ENT to its data leak site in early December 2024. Data compromised in the incident included names, demographic information, dates of birth, medical information, health information, financial account information, credit card numbers, CVC, and expiration dates, and Social Security numbers. At the time of issuing notifications, Alpine ENT said it had not identified any instances of identity theft as a result of the incident; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The Phia Group, Massachusetts

The Phia Group, LLC, a Canton, Massachusetts-based provider of healthcare cost containment services to health benefit plans and their third-party administrators, has recently notified individuals about a July 2024 security incident that exposed personal and protected health information. According to The Phia Group, an intrusion was detected on July 9, 2024, and the investigation confirmed that its network had been subject to unauthorized access between July 8, 2024, and July 9, 2024. During that time, files containing sensitive data may have been acquired.

A review was conducted to identify the affected clients, the types of data involved, and the affected individuals. The affected clients were notified, and The Phia Group coordinated with them to issue notifications. Data potentially compromised in the incident included names, addresses, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, health insurance information, and medical information, including provider information, treatment information, prescriptions, and Medicare/Medicaid information. Data security has been enhanced to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Community Health Northwest Florida

On January 26, 2026, Community Health Northwest Florida (CHNF) started notifying individuals about a security incident that was identified on December 24, 2024. CHNF engaged third-party cybersecurity experts to investigate the activity, who confirmed that an unauthorized third party had accessed files on its network that contained patient information.

CHNF said it conducted a comprehensive and time-consuming review and engaged a data mining company to identify the affected individuals. It took until January 19, 2026, to obtain the full list of affected individuals, and notification letters were mailed 10 days later. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, financial account numbers, credit or debit card numbers, patient identification and medical record numbers, medical information, and health insurance information.

CHNF has updated its policies and procedures, implemented additional technical safeguards, and enhanced its security measures to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Patients Learn Their Health Data Was Compromised More Than a Year Ago appeared first on The HIPAA Journal.

Bayada Home Health Care Affected by Doctor Alliance Data Breach

Posted by Steve Alder

Bayada Home Health Care, a New Jersey-based home healthcare provider serving 22 U.S. states, has recently announced a data breach involving a third-party vendor, Doctor Alliance. Doctor Alliance provides services that facilitate physician signatures on clients’ Home Health Certifications and Plans of Care, which involve access to patients’ protected health information.

On December 4, 2025, Doctor Alliance notified Bayada Home Health Care about a cybersecurity incident involving access and potential acquisition of client data by an unauthorized third party. According to Doctor Alliance, an unauthorized third party had access to the Doctor Alliance network between October 31 and November 6, 2025, and November 14 and 17, 2025. During that time, Home Health Certification and Plan of Care forms may have been acquired.

Bayada Home Health Care said it is not aware that any of its forms were copied; however, unauthorized data access could not be ruled out. The exposed forms contained a range of sensitive patient information, including names, dates of birth, diagnoses, medical/physical treatment information, provider information, health insurance plan information, prescription information, hospital admissions/discharges, and disability information, and for a subset of individuals, Social Security numbers.

Bayada Home Health Care said it has discontinued using Doctor Alliance as a vendor in response to the data breach. A review has been conducted of its policies and procedures relating to third-party vendors, and steps have been taken to minimize the risk of similar incidents in the future. The data breach has been reported to state attorneys general and the HHS’ Office for Civil Rights. The incident is not currently listed on the OCR data breach portal, so it is unclear how many individuals have been affected.

Marion County Public Health Department, Indiana

Marion County Public Health Department in Indiana has identified an insider incident involving unauthorized access to the protected health information of 792 clients. An employee was discovered to have accessed more than the necessary patient information to complete their job duties, including names, addresses, dates of birth, and lab test results for clients who received tests that were processed by the Marion County Public Health Department lab.

Marion County Public Health Department said it has found no evidence to suggest that any of the accessed information has been misused and stressed that no financial information was accessed by the employee. In response to the incident, further training has been provided to staff members on the HIPAA minimum necessary standard and its internal policies, and technical safeguards have been enhanced to limit access to protected health information to the minimum necessary for job duties.

The post Bayada Home Health Care Affected by Doctor Alliance Data Breach appeared first on The HIPAA Journal.

December 2025 Healthcare Data Breach Report

Posted by Steve Alder

In the final month of 2025, a further 41 healthcare data breaches affecting 500 or more individuals were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) by HIPAA-regulated entities. December’s total was the joint second-lowest monthly total of the year and the fourth month in a row where data breaches have been reported in unusually low numbers. Over the past four months, an average of 40.75 large data breaches have been reported per month, compared to an average of 66.5 large data breaches per month for the preceding four months. December 2025’s total is the lowest December total since 2019.

Healthcare data breaches in 2025

One possible explanation for the unusually low total is the 43-day government shutdown, due to the failure of Congress to pass appropriations legislation. All but non-essential staff at the HHS were furloughed, during which time no breach reports were added to the OCR breach portal. While data breach reports have now been added to the breach portal for that period, it is possible that OCR has yet to fully clear the backlog, and the totals for September to December may increase over the coming weeks.

December healthcare data breaches 2021-2025

As it stands, there are currently 697 data breaches listed for 2025, a 6% reduction from the 742 large data breaches reported in 2024. The 697 total will almost certainly increase. When we compiled our December 2024 healthcare data breach report on January 20, 2025, 721 large healthcare data breaches were listed. A further 21 were added to the breach portal for 2024 in the following weeks and months.

Individuals affected by healthcare data breaches in 2025

Across the 41 healthcare data breaches currently listed for December 2025, the protected health information of only 345,564 individuals was exposed or impermissibly disclosed. The number of affected individuals in each of the past four months has also been atypically low, with an average of 1,336,061 individuals affected each month. For the preceding four months (May to August), the average monthly total was 8,181,449 individuals. The totals for the past four months will certainly increase, as many data breach investigations are ongoing, and it has yet to be determined how many individuals have been affected.

Individuals affected by December healthcare data breaches 2021-2025

December 2025’s 346,564 affected individuals is the lowest monthly total since December 2017, when 343,260 individuals were affected. Currently, 60,976,942 individuals are known to have been affected by healthcare data breaches in 2025, a 78.9% reduction from 2024, although 2024’s total includes the gargantuan data breach at Change Healthcare, which affected 192,700,000 individuals.

Largest Healthcare Data Breaches Reported in December 2025

Only five data breaches were reported in December that affected 10,000 or more individuals, the largest of which was a hacking incident at the Rochester, NY-based medical supply fulfillment organization, Fieldtex Products. While Fiedtex Products reported a breach affecting 104,071 individuals, in December, a total of four separate breach reports were filed with OCR by Fieldtex Products, affecting a total of 139,009 individuals, plus a further breach report was filed in November, affecting 35,748 individuals. These five incidents are thought to be due to the same hacking incident detected by Fieldtex Products on August 19, 2025.

AllerVie Health, a Texas-based network of allergy and asthma centers, fell victim to a ransomware attack in November 2025, with the hackers found to have had access to its network from October 24, 2025, to November 3, 2025. The Anubis ransomware group claimed responsibility for the attack. Medical Center LLP, doing business as Dublin Medical Center in Georgia, experienced a hacking incident that affected 20,641 individuals, and Variety Care in Oklahoma was affected by a cyberattack on its business associate TriZetto, a provider of administrative services to HIPAA-regulated entities. Variety Care was one of many covered entities affected by the data breach. While the total number of affected individuals has yet to be confirmed, the Trizetto data breach is now known to have affected more than 700,000 individuals.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Fieldtex Products, Inc. NY Business Associate 104,071 Hacking incident
AllerVie Health TX Healthcare Provider 80,521 Ransomware attack (Anubis)
Medical Center, LLP GA Healthcare Provider 32,090 Hacking incident
Fieldtex Products, Inc. NY Business Associate 20,641 Hacking incident
Variety Care OK Healthcare Provider 17,163 Hacking incident at business associate (TriZetto Provider Solutions)

Six data breaches were reported in December 2025, with totals of 500 or 501 affected individuals. These are commonly used ‘placeholder’ estimates when the investigation is still ongoing as the deadline for reporting the data breach to OCR approaches. These totals will almost certainly increase and will be updated when the data breach investigations are concluded.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Associated Radiologists of the Finger Lakes, P.C. NY Business Associate 501 Hacking Incident
Glendale Obstetrics & Gynecology PCA AZ Healthcare Provider 501 Hacking Incident
Reproductive Medicine Associates of Michigan MI Healthcare Provider 501 Hacking incident – Data theft confirmed
Mitchell County Department of Social Services NC Healthcare Provider 501 Ransomware attack – Data theft confirmed
Greater St. Louis Oral & Maxillofacial Surgery PC MO Healthcare Provider 501 Compromised email account in a phishing attack
Madison Healthcare Services MN Healthcare Provider 500 Hacking incident – Worldleaks threat group claimed responsibility

Causes of December 2025 Healthcare Data Breaches

Hacking and other IT incidents accounted for 80.5% of the month’s data breaches, with 33 such incidents reported, affecting 327,095 individuals – 94.4% of the month’s total. The average breach size was 9,912 individuals, and the median breach size was 2,511 individuals. There were 8 unauthorized access/disclosure incidents in December, affecting 19,469 individuals. The average breach size was 2,434 individuals, and the median breach size was 1,469 individuals. No loss, theft, or improper disposal incidents were reported in December.

Causes of December 2025 healthcare data breaches

The most common location of breached protected health information was network servers, followed by six incidents involving compromised email accounts.

Location of breached PHI in December 2025

Where did the Data Breaches Occur?

Healthcare providers were the worst-affected regulated entities in December, reporting 29 of the month’s 41 data breaches (191,900 individuals). Six data breaches were reported by health plans (12,272 individuals) and six by business associates (142,392 individuals). When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure that breach notifications are sent and OCR is notified. The covered entities may choose to delegate the notification responsibilities to the business associate, although oftentimes, the affected HIPAA-covered entities report the breach. For instance, covered entities affected by the data breach at Trizetto Provider Solutions reported the breach, even though it occurred at their business associate (or subcontractor of their business associate). To better reflect business associates, the charts below show data breach figures based on where the data breach occurred, rather than the entity reporting the data breach.

Data breaches at HIPAA-regulated entities in December 2025

 

Data breaches at HIPAA-regulated entities in December 2025 - individuals affected

Geographic Distribution of Healthcare Data Breaches

California was the worst-affected state in December in terms of data breaches, with nine HIPAA-regulated entities known to have been affected. The high total is due to the data breach at Trizetto Provider Solutions, which was either a business associate of a subcontractor of a business associate of six of the nine affected entities. New York ranked second, but four of its five data breaches were reported by the same entity, Fieldtex Products.

State Data Breaches
California 9
New York 5
Texas 4
Maryland, Michigan, Minnesota, Missouri, Oklahoma, Oregon & Tennessee 2
Arizona, Florida, Georgia, Illinois, Louisiana, Maine, Massachusetts, North Carolina & Ohio 1

While California topped the list for data breaches, New York was the worst state in terms of the number of affected individuals, followed by Texas.

State Individuals Affected
New York 140,320
Texas 85,728
Georgia 32,090
California 31,013
Oklahoma 18,275
Missouri 9,343
Oregon 6,473
Louisiana 4,519
Maryland 4,027
Tennessee 3,138
Illinois 2,511
Massachusetts 1,638
Ohio 1,629
Michigan 1,560
Maine 1,259
Florida 1,036
Minnesota 1,003
Arizona 501
North Carolina 501

HIPAA Enforcement Activity in December 2025

In December, OCR announced one HIPAA enforcement action that involved a financial penalty. Texas-based Concentra, Inc., was investigated after OCR received a complaint from an individual who had not been provided with timely access to his medical and billing records. Concentra agreed to settle the alleged HIPAA Right of Access violation and paid a $112,500 penalty. This was the 54th financial penalty under the HIPAA Right of Access enforcement initiative, which commenced in late 2019 and is ongoing. It has been a busy year of HIPAA enforcement, with OCR resolving 21 HIPAA violation cases with regulated entities in 2025 with a financial penalty. OCR collected $8,330,066 in penalties from those enforcement actions.

State attorneys general also enforce the HIPAA Rules, although 2025 was a quiet year, with only one financial penalty imposed to resolve a data breach investigation. Orthopedics NY LLP (OrthoNY) paid $500,000 to settle alleged cybersecurity failures that led to a breach of the protected health information of more than 656,000 individuals. The New York Attorney General cited violations of HIPAA and state cybersecurity laws.

The post December 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

U.S. Data Compromises Hit Record High in 2025

Posted by Steve Alder

An unwanted new record was set in 2025 for data compromises, which increased by 4% from the record-breaking total in 2024, according to the Identity Theft Resource Center (ITRC). The ITRC is a non-profit organization dedicated to helping victims of data breaches, scams, and identity theft. ITRC also offers education to help consumers protect themselves against identity theft and fraud. ITRC tracks data compromises, which include data breaches, data leaks, and accidental exposures of sensitive consumer data.

The record total of 3,332 data compromises in a year represents a 79% increase in just five years, and the third successive year when more than 3,000 data compromises have been identified. While the historic high is concerning, there is at least some good news, as the number of individuals affected by data compromises has fallen sharply to the lowest annual total since 2014. Across the 3,332 data compromises, 278.8 million individuals were affected, down from 2024’s shockingly high total of 1.36 billion. The relatively low total is due to a lack of mega data breaches, which have been a regular feature over the past few years.

An ITRC poll of 1,000 U.S. consumers revealed 80% received at least one breach notice in the past year, and two-fifths received between three and five different notices. Out of the individuals who received a notice about a data breach, 88% said they experienced one or more negative consequences, such as an account takeover, an increase in spam emails and phishing attempts, or mental health issues.

Worryingly, the frequency with which data breach notices are being received is leading to breach fatigue. Out of the people who did nothing after receiving a notice, 48.3% said they had breach fatigue from so many notices, 46.1% said they had feelings of helplessness because they felt they couldn’t do anything about it, 41.6% said they did nothing because they felt from the language of the notification that the breach was not serious to warrant any action, and 36% said they didn’t trust the notice and thought it was a scam.

Out of the 3,332 data compromises, 2,928 were data breaches, involving 232,726,796 victim notices, 24 were data exposures involving 527,894 victim notices, and there were 366 unknown compromises, involving 1,584,024 victim notices. Four of the data compromises involved previously compromised data. The largest confirmed data compromises of the year (based on victim notices) occurred at PowerSchool (71.9 million), AT&T (44 million), Aflac (22.7 million), Prosper Funding (17.6 million), and Conduent Business Services. The number of individuals affected by the Conduent data breach has yet to be confirmed, but it was a massive data breach, affecting 14.7 million individuals in Texas alone.

Financial services remained the most targeted sector, with 739 confirmed data compromises, and the healthcare sector took second spot, with 534 confirmed compromises, down slightly from 2024’s 537 compromises. Professional services was the third most targeted sector with 478 compromises, followed by manufacturing (299) and education (188).

ITRC draws attention to a five-year trend of threat actors increasingly targeting static identifiers, which facilitate long-term fraud. Social Security numbers were involved in two-thirds of data breach reports in 2025, with one-third involving either bank accounts or driver’s license numbers. Between 2021 and 2025, the number of compromises involving Social Security numbers almost doubled, driver’s license data breaches increased by 139% over the same period, and bank account information breaches increased by 168%.

ITRC warns of the increasing risk from supply chain data breaches, which in the space of a year almost doubled from 660 affected entities in 2024 to 1,251 affected entities in 2025, despite the number of attacks only increasing by one year-over-year. From 2021 to 2025, supply chain breaches doubled and now account for 30% of all breaches involving at least one third party.

For several years, ITRC has highlighted the growing trend of breached entities failing to provide consumers with adequate information about a data breach, preventing them from making an informed decision about the amount of risk they face from their data being exposed. For instance, a healthcare provider states in a breach notice that there has been a data incident involving protected health information, which was potentially subject to unauthorized access, when the reality is that a ransomware group has not only exfiltrated their data, but also posted the data on the dark web, where it can be downloaded free of charge by anyone.

ITRC said that in 2020, almost 100% of data breach notifications provided the root cause of the data breach in their notices, whereas in 2025, only 30% did. In the space of a year, the percentage of notices withholding the attack vector details increased from 65% in 2024 to 70% in 2025. “Businesses should prioritize transparency over liability mitigation,” urged James Lee, ITRC president.

The post U.S. Data Compromises Hit Record High in 2025 appeared first on The HIPAA Journal.