Author Archives: Steve Alder

Hacking Group Claims Responsibility for Multi-Million-Record DentaQuest Data Breach

Posted by Steve Alder

Wellesley, MA-based DentaQuest, a dental benefits administrator that manages the benefits for 32 million Americans, has announced it is actively managing a cybersecurity incident involving unauthorized access to a limited part of its network. According to its website notice, immediate action was taken to contain and mitigate the threat, and the company is working with a leading cybersecurity expert, forensic investigators, and law enforcement authorities.

DentaQuest, part of Sun Life U.S. Dental, is the largest Medicaid and Children’s Health Insurance Program dental benefits administrator in the country, operating in 50 U.S. states. The company has yet to determine the exact scope of the incident and the extent to which sensitive data has been compromised. The company has promised to update clients and ensure that they receive information as quickly and transparently as possible.

The digital extortion group ShinyHunters has claimed responsibility for the incident and has added DentaQuest to its dark web data leak site. The group specializes in data theft and extortion and claims to have exfiltrated 234 GB of data from DentaQuest systems. ShinyHunters explained on its data leak site that it has attempted to negotiate a ransom payment with DentaQuest to prevent the publication of stolen data, but despite exercising considerable patience and making multiple offers, it failed to reach an agreement with DentaQuest. As a result of the failure, ShinyHunters proceeded to leak the stolen data.

Have I Been Pwned (HIBP) has analyzed the leaked data, which contains the unique email addresses of 2.6 million individuals, along with names, addresses, phone numbers, dates of birth, and genders. HIBP said the leaked data appears in healthcare enrollment files (ASC X12 transaction sets), some of which include information such as Medicaid IDs, other government-issued IDs, and health insurance information. Around 66% of the records exposed were already in its database, having been breached in previous incidents.

Social Security numbers do not appear to have been stolen or leaked, so the affected individuals do not face an immediate threat of identity theft; however, since email addresses and contact information have been leaked, they do face an increased risk of social engineering and phishing attacks. If the data breach is confirmed as affecting 2.6 million individuals, it will rank as one of the largest healthcare data breaches of the year to date.

The post Hacking Group Claims Responsibility for Multi-Million-Record DentaQuest Data Breach appeared first on The HIPAA Journal.

Onsite Women’s Health $2.5M Data Breach Settlement

Posted by Steve Alder

A breach of the email account of an employee of Onsite Women’s Health that exposed the protected health information of 357,265 individuals has resulted in a $2,525,000 settlement. Onsite Mammography, LLC, which does business as Onsite Women’s Health, a Westfield, Massachusetts-based provider of medical imaging services to hospitals, identified unauthorized access to an employee’s email account in October 2024.

The email account was compromised as a result of a response to a phishing email, and while the account was only accessible for a short period of time, sensitive data was exfiltrated, including names, dates of birth, Social Security numbers, driver’s license numbers, credit card numbers, and information related to patients’ mental or physical conditions, and any care they received.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated – Clarkson, et al. v. Onsite Mammography, LLC, d/b/a Onsite Women’s Health – in the United States District Court District of Massachusetts.  The consolidated lawsuit alleged that inadequate security measures had been implemented to prevent attacks on employee email accounts, and if those measures had been implemented, the data breach could have been prevented or at least the attack could have been detected more quickly, limiting the harm caused.

While the affected individuals were offered 12 months of complimentary credit monitoring services, the plaintiffs argue that the offer was insufficient considering the level of risk they face. They also claim that the defendant provided no reassurances that the stolen data had been deleted or that security had been sufficiently strengthened to prevent similar incidents in the future.

The lawsuit asserted claims for negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and declaratory judgment. The defendant maintains there was no wrongdoing and disagrees with the claims and contentions asserted by the plaintiffs. Despite disagreeing with the claims, after considering the likely costs and risks associated with continuing with the litigation, Onsite Women’s Health agreed to settle the lawsuit.

Under the terms of the settlement, Onsite Women’s Health will establish a $2,525,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the eight class representatives. The remainder of the settlement fund will be used to cover benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses incurred as a result of the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for three years of credit and medical data monitoring and insurance services. Class members may also claim a pro rata cash payment, which will be paid after all costs and claims have been paid and will exhaust the settlement fund. The deadline for objection and exclusion is July 13, 2026. Claims must be submitted by August 11, 2026, and the final fairness hearing has been scheduled for September 9, 2026.

The post Onsite Women’s Health $2.5M Data Breach Settlement appeared first on The HIPAA Journal.

Clarinda Regional Health Center Reports Data Breach Affecting 24K Patients

Posted by Steve Alder

Data breaches have been announced by Clarinda Regional Health Center in Iowa, Community Connections in DC, Waveny Lifecare Network in Connecticut, and NJ Pain Care Specialists in New Jersey.

Clarinda Regional Health Center

Clarinda Regional Health Center, a Clarinda, IA-based non-profit hospital, has started notifying 24,341 individuals about a recent cybersecurity incident that exposed sensitive data. Suspicious activity was identified within its computer network on December 15, 2026, and the forensic investigation determined that files containing patient data may have been accessed or acquired without authorization in October 2025. The LockBit5 ransomware group claimed responsibility for the incident.

The file review confirmed that the exposed data included first and last names, dates of birth, medical information, health insurance information, financial account numbers, Social Security numbers, driver’s license numbers, and taxpayer identification numbers. The types of data varied from individual to individual.

The review of the affected files was completed on May 21, 2026, and notification letters started to be mailed to the affected individuals on June 2, 2026. Individuals whose Social Security numbers were exposed in the incident have been offered complimentary credit monitoring and identity theft protection services. Clarinda Regional Health Center has confirmed that additional security measures have been implemented to reduce the risk of similar incidents in the future.

Community Connections

Community Connections, a Washington D.C.-based non-profit provider of behavioral health, residential, and primary health care coordination services, has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 18,943 individuals.

The breach was reported to OCR on May 18, 2026. Details about the data breach have yet to be publicly disclosed; however, a ransomware group – Inc Ransom – claimed responsibility for the incident and listed Community Connections to its dark web data leak site in late March, although it does not appear to have leaked the stolen data.

A similarly sized data breach was experienced in 2024, affecting 18,943 individuals. According to the notifications issued on August 27, 2025. The incident was detected on October 21, 2024, and full names, addresses, dates of birth, Social Security numbers, financial information, driver’s license or state identification information, medical information, and health insurance information were potentially involved. Following that incident, multiple steps were taken to reduce the risk of similar incidents in the future, including implementing new technical safeguards and retraining members of its workforce.

Waveny Lifecare Network

Waveny Lifecare Network, a New Canaan, CT-based community-focused non-profit providing residential care, skilled nursing, and in-home care services to seniors, has recently reported a data security incident to the Maine Attorney General that has affected 8,548 individuals. Suspicious activity was identified within its computer systems on May 28, 2025. Third-party cybersecurity specialists were engaged to investigate the incident and confirmed that a limited amount of data was accessed by an unauthorized third party on May 28, 2025.

Waveny Lifecare Network conducted a time-consuming review of the affected data, and that process was completed on March 23, 2026. Up-to-date contact information was then obtained to allow notification letters to be mailed, which were sent on June 2, 2026. The notification letter to the Maine AG has the data types redacted, although they are detailed in the individual notification letters. As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

NJ Pain Care Specialists

NJ Pain Care Specialists, LLC, an interventional spine and pain management practice in Ocean Township, New Jersey, has announced a data security incident. Unauthorized activity was identified within its computer network on or around February 28, 2026. The investigation confirmed unauthorized access to its network occurred between February 25, 2026, and February 28, 2026, during which time, files may have been removed from its network.

The investigation to date has determined that data compromised in the incident includes names, addresses, dates of birth, medical record numbers, driver’s license numbers or other ID numbers, clinical or treatment information, medical procedure information, medical provider names, prescription information, and health insurance information.

NJ Pain Care Specialists said it has reviewed and enhanced its data security policies and procedures, and its technical, administrative, and physical safeguards. The investigation is ongoing, and the number of individuals has yet to be determined. The breach has been reported to the HHS’ Office for Civil Rights using an interim total of at least 501 individuals. The total will be updated when the investigation is concluded.

The post Clarinda Regional Health Center Reports Data Breach Affecting 24K Patients appeared first on The HIPAA Journal.

$3.3M Settlement Resolves Data Breach Lawsuit Against Mt. Baker Imaging & Northwest Radiologists

Posted by Steve Alder

Mt. Baker Imaging and Northwest Radiologists have agreed to pay $3,300,000 to settle a consolidated class action lawsuit stemming from a January 2025 ransomware attack and data breach affecting hundreds of thousands of patients.

Mt. Baker Imaging is a Washington-based medical imaging provider that uses Northwest Radiologists for interpreting medical images. In January 2025, a cyberattack was identified, and the forensic investigation determined that an unauthorized third party accessed its network between January 20, 2025, and January 25, 2025, and obtained files containing names, contact information, dates of birth, Social Security numbers, driver’s license or state identification card numbers, treatment or diagnosis information, and health insurance information. The data breach was reported to the Washington Attorney General as affecting 348,118 state residents, and the HHS’ Office for Civil Rights was informed that the protected health information of up to 362,713 individuals was compromised in the incident.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated in a single complaint – In re: Mt. Baker Imaging, LLC, Data Security Litigation – in the Superior Court of the State of Washington for Whatcom County. The lawsuit alleged that the defendants failed to implement and maintain necessary data security safeguards, and asserted claims for negligence, breach of implied contract, invasion of privacy-intrusion upon seclusion, unjust enrichment, and violations of the Uniform Health Care Information Act, Washington Consumer Protection Act, Washington Data Breach Notification Disclosure Law, and Washington My Health My Data Act.

The defendants and the plaintiffs disagree about the legal claims made in the litigation; however, all parties agreed that a settlement was the best outcome, due to the benefits provided to the class members and the avoidance of the costs, risks, and uncertainty of continuing with the litigation. The defendants have agreed to establish a $3,300,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the nine class representatives. The remainder of the settlement fund will be used to pay benefits to approximately 340,184 class members.

All class members are entitled to claim a two-year membership to a medical identity theft protection and monitoring service, and may submit claims for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, and claim a pro rata cash payment. The pro rata cash payments will distribute the net amount of the settlement fund after costs, expenses, claims, and medical identity theft protection and monitoring costs have been paid.

The deadline for objection and exclusion is July 20, 2026, and claims must be submitted by August 19, 2026. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 21, 2026.

The post $3.3M Settlement Resolves Data Breach Lawsuit Against Mt. Baker Imaging & Northwest Radiologists appeared first on The HIPAA Journal.

Singing River Health System: 54K Individuals Affected by December Cyberattack

Posted by Steve Alder

Singing River Health System in Mississippi has issued an update on a cybersecurity incident that was first announced in December 2025, shortly after the attack was detected. In the updated breach notice, Singing River Health System explained that its investigation revealed an unauthorized third party had access to certain computer systems between December 19, 2025, and December 21, 2025. On February 10, 2026, Singing River Health System confirmed that the unauthorized individual had access to files containing patient information.

The file review has recently concluded and revealed that the exposed data included names in combination with one or more of the following: contact information, Social Security numbers, driver’s license numbers, dates of birth, diagnostic/treatment information, medication information, dates of service, bank account information, health insurance information, provider names, and internal patient identification numbers.

Singing River Health System said it will continue to implement and evaluate enhanced safeguards and security measures to further protect its systems. The affected individuals have been advised to review the statements they receive from their healthcare providers and insurers for any services that have not been received. The incident has recently been reported to the HHS’ Office for Civil Rights as affecting 53,888 individuals.

Adams County Memorial Hospital

Adams County Memorial Hospital has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 5,305 individuals. The data was exposed as a result of an employee responding to a phishing email, which allowed an unauthorized third party to gain access to the employee’s email account on December 22, 2026. The breach was confined to the email account. The electronic medical record system was not affected. The investigation confirmed that the account contained personal and protected health information such as names, addresses, dates of birth, Social Security numbers, dates of service, diagnoses, charges, and health insurance information.

In response to the incident, additional security protocols have been implemented to protect against future phishing incidents, and additional education has been provided to employees on phishing and malicious email identification. As a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Central Kansas Mental Health Center

Central Kansas Mental Health Center in Salina, KS, has experienced a cybersecurity incident that exposed patient data. The incident was first identified on September 26, 2025, when suspicious activity was observed within its computer network. Immediate action was taken to contain the incident, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation confirmed that an unauthorized third party accessed its network and likely exfiltrated files containing patient data. The files are being reviewed to determine the types of data involved and the individuals affected. Central Kansas Mental Health Center first announced the data breach via its website in November 2025, confirming that credit monitoring and identity theft protection services are being made available.  Central Kansas Mental Health Center has not identified any misuse of the exposed data to date. The incident has yet to be added to the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Singing River Health System: 54K Individuals Affected by December Cyberattack appeared first on The HIPAA Journal.

Parents Sue Minnesota Hospital to Enforce HIPAA Right of Access for Minor Child’s Medical Records

Posted by Steve Alder

The parents of a 15-year-old child have filed a lawsuit against a Minnesota hospital for failing to provide them with full access to their minor child’s medical records. Under federal law – The HIPAA Privacy Rule – parents have the right to obtain a copy of the medical records of their minor children in the form and format requested. While there are exceptions to the HIPAA Right of Access concerning parental access to the medical records of minor children, none apply in this case.

The daughter of Shaun and Katherine Johnson was diagnosed with a rare chromosomal condition called mosaic Turner syndrome when she was aged 11. The condition requires lifelong heart monitoring due to elevated cardiovascular risks, and the parents require real-time access to their child’s medical records to help them effectively manage her care.

The parents lost access to their daughter’s medical records when she turned 12, when Fairview Health Services applied its policy of shutting off parental access to children’s MyChart medical records. Under the hospital’s policy, which is based on an interpretation of state law, access can only be continued if hospital staff conduct a private interview with the child, and the child and staff agree to restore full MyChart access to the child’s parents.  The parents declined to sign the consent form and have therefore been refused access to their child’s medical records through MyChart.

The parents submitted a request for access to their minor child’s records via an Authorization for Release of Protected Health Information, and were provided with a copy of some of their daughter’s records; however, the request took three weeks to process, and the copy lacked important details required for the management of the child’s care. For instance, medical images can only be provided in electronic form via the MyChart portal.

“When your child is diagnosed with a serious condition, every appointment, test result, and next step matters,” said father Shaun Johnson. “Instead of allowing us to manage her care through the normal MyChart system, Fairview forced us into a delayed, inadequate, and burdensome workaround.”

The Center for Individual Rights (CIR), a Washington D.C.-based non-profit, public interest law firm dedicated to defending individual liberties, filed a complaint with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), alleging the refusal to provide parents with access to the MyChart portal for their minor children over 12 years of age was a violation of the HIPAA Privacy Rule.

OCR responded, confirming in a letter to the Privacy Officer of Fairview Health Services and CIR that parents are permitted access to their minor child’s medical records under HIPAA. OCR recommended filing a second complaint if the matter was not resolved, which CIR did six weeks later when the parents’ access had not been restored. The second complaint is still pending with OCR. OCR subsequently issued a “Dear Colleague” letter to the medical community confirming that, under HIPAA, and absent special circumstances, healthcare providers may not place additional limitations on parental access to their minor children’s medical records. In this case, the special circumstances do not apply.

Under Minnesota law, children have the right to decide who has access to their medical records related to pregnancy, sexually transmitted diseases, physical and sexual abuse, and substance abuse diagnosis and treatment. Fairview Health Services allows parents or legal guardians to have partial proxy access, excluding those areas, for minor children aged 12-17 years of age. Full proxy access is only granted with the child’s consent. Since the parents object to an intrusive, unsupervised interview with their daughter, they are prevented from having timely and complete access to their daughter’s medical records to the extent required to engage effectively in her care.

The lawsuit alleges federal law preempts state law and that Fairview Health’s policy is inconsistent with Minnesota law. The lawsuit seeks a declaratory judgment and permanent injunction ordering that the Minnesota Health Records Act requires providing the parents with unrestricted access to their daughter’s medical records. “A hospital cannot apply state law to lock parents out of their own child’s medical records,” said CIR Litigation Director Caleb Kruckenberg. “Federal law is supreme. Our federalist system is built to better protect individual rights—in this case, the parental right to supervise and participate in a minor child’s medical care.”

The post Parents Sue Minnesota Hospital to Enforce HIPAA Right of Access for Minor Child’s Medical Records appeared first on The HIPAA Journal.

Family Medicine Centers Pays $2.15M to Resolve Data Breach Lawsuit

Posted by Steve Alder

FMC Services, LLC, which does business as Family Medicine Centers in Texas, has agreed to a $2,150,000 settlement to resolve claims related to a July 2022 data breach. Amarillo, TX-based Family Medicine Centers is a network of four primary care clinics in Amarillo and Canyon, and urgent care clinics operating under the name of CareXpress.

On or around July 26, 2022, a data security incident was identified. Unauthorized individuals accessed its network systems, which contained personally identifiable information (PII) and protected health information (PHI) such as names, mailing addresses, birth dates, and Social Security numbers, and health information. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 233,948 individuals. According to the lawsuit, notification letters were sent to 266,540 individuals.

Multiple lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Sharber, et al. v. FMC Services, LLC – in the District Court of Potter County, Texas. The consolidated lawsuit alleged that the defendant had implemented inadequate data security measures, resulting in an intrusion and the theft of sensitive data. The lawsuit asserted claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, and unjust enrichment, and sought declaratory relief, injunctive relief, monetary damages, statutory damages, punitive damages, and equitable relief.

Family Medicine Centers denied and continues to deny all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability. In mid-2024, the parties began discussing the prospect of a settlement to bring the litigation to an end. A mediation session was scheduled but ended without a settlement being reached. Following extensive discovery and litigation, and a failed defendant’s Motion for Summary Judgment, the parties agreed to a second attempt at mediation, and the material terms of a settlement were agreed upon.

The terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court. The final fairness hearing has been scheduled for September 15, 2026. The defendant has agreed to establish a $2,150,000 settlement fund, which will be used to pay benefits to the class members, once attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the four class representatives have been deducted.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. If a claim for reimbursement of losses is not submitted, class members may instead file a claim for an alternative cash payment, which is estimated to be $75 per class member, although the amount depends on the remaining funds once the reimbursement claims have been paid.

In addition to one of the cash payments, a claim may be submitted for a two-year membership to a medical data monitoring service. Class members wishing to object to or exclude themselves from the settlement must do so by August 17, 2026. Claims must be submitted by August 31, 2026.

The post Family Medicine Centers Pays $2.15M to Resolve Data Breach Lawsuit appeared first on The HIPAA Journal.

Patient Data Exposed in Cyberattacks on Dental Practices

Posted by Steve Alder

Data breaches have been announced by Bridle Trails Family Dentistry, Verber Dental Group, and Bronsky Orthodontics. Across the three incidents, the protected health information of more than 32,700 individuals was exposed and potentially stolen.

Bridle Trails Family Dentistry

Bridle Trails Family Dentistry, a dental practice in Kirkland, Washington, has notified 20,976 current and former patients about a cybersecurity incident that occurred in the Fall of 2024 that exposed some of their personal and protected health information. According to the April 10, 2026, breach notification letters, an investigation was launched into a potential breach of its email environment, which confirmed that an employee’s email account was accessed by an unauthorized individual between November 19, 2024, and November 25, 2024. The account was reviewed, and Bridle Trails Family Dentistry learned on March 12, 2026, that the account contained a limited amount of personal and health information.

Data potentially compromised in the incident included full names, birth dates, Social Security numbers, reason for visit, medical provider name, clinical/treatment information, driver’s license numbers, taxpayer ID numbers, medical record numbers, and health insurance information. The impacted information varied from individual to individual. At the time of issuing notifications, Bridle Trails Family Dentistry was unaware of any misuse of data as a direct result of the incident. Bridle Trails Family Dentistry said it has taken many precautions to safeguard the personal and protected health information in its possession and continually evaluates and modifies its practices and internal controls.

Verber Dental Group

Verber Dental Group PC, a Camp Hill, Pennsylvania-based network of 14 dental practices, has announced a breach of the protected health information of up to 8,598 individuals. Suspicious activity was identified within its network environment on January 27, 2026. Immediate action was taken to ensure its network environment was secure, and an investigation was launched to determine whether sensitive data had been exposed.

The forensic investigation determined that an unauthorized third party had access to files containing patient data, which may have been viewed or acquired between January 26, 2026, and January 27, 2026. The files on the compromised parts of its network were reviewed and found to contain names, Social Security numbers, dates of birth, driver’s license numbers, medical information, and health insurance information. Notification letters are being mailed to the affected individuals, and steps have been taken to reduce the risk of similar incidents in the future.

Bronsky Orthodontics

Bronsky Orthodontics, an orthodontic practice in New York City, has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 3,183 individuals. Suspicious activity was identified within an employee’s email account on October 16, 2025. The account was immediately secured, and an investigation was launched to determine the nature and scope of the activity. Assisted by third-party cybersecurity specialists, Bronsky Orthodontics determined that a limited number of email accounts had been accessed by an unknown actor between August 18, 2025, and October 16, 2025.

The accounts were reviewed, and on March 11, 2026, Bronsky Orthodontics determined that they contained patient information such as names, dates of birth, contact information, dental and orthodontic treatment information, and insurance information. A limited number of individuals also had their financial account information, Social Security numbers, driver’s licenses, and/or other government-issued identification numbers exposed.   Policies and procedures related to data privacy and security are being reviewed as a result of the incident.

The post Patient Data Exposed in Cyberattacks on Dental Practices appeared first on The HIPAA Journal.

Medical Billing Company Data Breach Affects 7 Medical Groups

Posted by Steve Alder

The Las Vegas medical billing and coding management company, La Perouse, has announced a data breach that has affected seven of its medical group clients. Data breaches have also been announced by Acadia Healthcare Company, Harbor Regional Center, United Medical Systems, and Ohio ENT & Allergy Physicians.

La Perouse

La Perouse LLC, a Las Vegas, NV-based medical billing and coding management company, has notified the California Attorney General about a breach of one of its third-party billing platforms. Potential unauthorized activity was first identified on July 8, 2025. The platform and its network environment were secured, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation confirmed that the unauthorized access was confined to the third-party billing platform and that sensitive data stored within that platform had been copied by the attacker. The review of the affected data was completed in the Spring of 2026, and notification letters were mailed to the affected individuals on April 17, 2026. The data compromised in the incident varies from individual to individual and may have included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, patient identification and medical record numbers, medical information, and health insurance information.

La Perouse worked with its third-party billing platform provider to implement additional technical safeguards, enhance security measures, and update security policies and procedures. The affected individuals have been offered at least 12 months of complimentary credit monitoring services. The affected individuals had received medical services from one or more of the following healthcare providers;

  • Beach Emergency Medical Associates
  • Centinela Freeman Emergency Medical Associates
  • Chino Emergency Medical Associates
  • Hollywood Presbyterian Emergency Medical Associates
  • Montclair Emergency Medical Associates
  • Tarzana Emergency Medical Associates
  • Temecula Valley Hospitalist Medical Group

The incident was reported to the HHS’ Office for Civil Rights in September 2025 using a placeholder estimate of at least 501 individuals. The total has yet to be updated.

Acadia Healthcare Company

Acadia Healthcare Company, the operator of a network of almost 280 behavioral healthcare facilities in 40 U.S. states and Puerto Rico, has recently disclosed a data security incident that was first identified in March 2026. Suspicious activity was observed within an employee’s email account. The email account was secured, and an investigation was launched to determine the nature and scope of the activity. The forensic investigation determined that the account and an associated SharePoint account were accessed by an unauthorized third party between March 21 and March 25, 2026, as a result of social engineering attacks. No other systems were involved.

The data review was completed on May 15, 2026, and confirmed that the information compromised in the incident included names, addresses, dates of birth, treatment information, health insurance information, admission dates, diagnosis codes, patient statuses, Medicare insurance claim numbers, and, for some individuals, Social Security numbers. Notification letters started to be mailed to the affected individuals on May 22, 2026. Acadia Healthcare Company said additional cybersecurity measures have been implemented to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Harbor Regional Center

Harbor Developmental Disabilities Foundation, doing business as Harbor Regional Center, a Long Beach, CA-based provider of services to individuals with developmental disorders, identified suspicious activity within its computer network on or around March 7, 2026. The forensic investigation confirmed unauthorized access to its computer network between March 6 and March 7, during which time, files may have been viewed or copied from the network.

On May 15, 2026, Harbor Regional Center completed its review of the exposed files. The exact types of information involved are detailed in the individual notification letters that have recently been mailed to the affected individuals. The number of affected individuals has yet to be publicly disclosed. The affected individuals have been offered single-bureau credit monitoring and identity theft protection services, and steps have been taken to improve security to prevent similar breaches in the future.

Ohio ENT & Allergy Physicians

Ohio ENT & Allergy Physicians in Columbus, Ohio, has recently reported a data breach to the Maine Attorney General that involved unauthorized access to the personal and protected health information of 324 individuals, including 1 Maine resident. A cybersecurity incident was detected on March 30, 2026, when suspicious activity was identified on a workstation within its network environment. The forensic investigation confirmed unauthorized access between March 29, 2026, and March 30, 2026. The review of all potentially exposed files was completed on May 18, 2026. Data exposed in the incident included full names and Social Security numbers. Notification letters were mailed to the affected individuals on May 29, 2026.

Ohio ENT & Allergy Physicians has implemented additional technical safeguards and has enhanced its security measures to prevent similar incidents in the future, and complementary credit monitoring services have been offered to the affected individuals.

United Medical Systems

Westborough, Massachusetts-based mobile specialty healthcare service provider United Medical Systems has disclosed a data breach affecting 485 individuals. According to the notification letters, which were mailed to the affected individuals on May 20, 2026. The forensic investigation confirmed that names, driver’s license numbers, and Social Security numbers were exposed in the incident. As a precaution against identity theft and fraud, the affected individuals have been offered complimentary single-bureau credit monitoring and identity theft protection services for 24 months, and steps have been taken to enhance security to prevent similar incidents in the future.

The post Medical Billing Company Data Breach Affects 7 Medical Groups appeared first on The HIPAA Journal.