Author Archives: Steve Alder

Vision Care Providers Settle Data Breach Class Actions

Settlements have been agreed to resolve class action lawsuits against two vision care providers: Total Vision in California and Naper Grove Vision Care in Illinois. Both providers fell victim to hacking incidents that exposed patient data.

Total Vision Settlement

A settlement has been agreed to resolve class action litigation against Total Vision LLC, which owns and operates a network of optometry centers throughout California. Total Vision experienced a hacking incident on or around October 30, 2020, in which hackers accessed a database server. The server contained sensitive patient information such as names, addresses, dates of birth, Social Security numbers, and prescription information. The data breach was reported to the HHS’ Office for Civil Rights as affecting 138,402 current and former patients.

Total Vision faced two class action lawsuits over the data breach, which were consolidated into a single complaint – Ramey, et al. v. Total Vision, LLC, et al. – in the Superior Court of California, County of San Diego, naming Anjanette Ramey and Jane Doe as class representatives. In addition to Total Vision, John C. Pack, O.D., and Beverly Bianes, O.D., Inc., and John C. Pack, O.D., and Beverly Bianes, O.D., were named as defendants.

The lawsuit alleged the data breach occurred as a result of the negligence of the defendants, who failed to properly secure the server and protect patient information, then failed to issue adequate breach notices. The plaintiffs allege that they experienced numerous instances of attempted data misuse and identity theft as a result of the security incident. The lawsuit asserted claims for negligence, breach of implied contract, and violations of California’s unfair competition law, the Confidentiality of Medical Information Act, and California security notification laws, all of which were denied by the defendants, along with the allegations of wrongdoing and liability.

During mediation on November 21, 2023, the terms of a settlement were agreed by all parties, and the settlement has now been finalized and has received preliminary approval from the court. The defendants have agreed to establish a $475,000 settlement fund, from which attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives will be deducted. The remaining funds will be used to pay for class member benefits.

Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $1,000 per class member, and/or a claim may be submitted for a pro rata cash payment, the value of which will depend on the number of valid claims received. The defendants have also agreed to implement improved data security measures, valued at $224,000. The exclusion/objection deadline is September 4, 2026. Claims must be submitted by October 5, 2026, and the final fairness hearing has been scheduled for December 18, 2026.

Naper Grove Vision Care Settlement

Naper Grove Vision Care in Naperville, Illinois, has settled class action litigation stemming from a May 2025 security incident that involved unauthorized access to the protected health information of 20,093 individuals. On May 24, 2025, Naper Grove Vision Care identified unauthorized network access. The Interlock ransomware group claimed responsibility for the attack and obtained patient information such as names, addresses, birth dates, driver’s license numbers, patient numbers, health insurance information, explanation of benefits documents, and medical condition and treatment information. Some Social Security numbers were also among the accessed data.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated – In re Naper Grove Data Breach Litigation – in the Circuit Court of the Eighteenth Judicial Circuit, Dupage County, Illinois. The consolidated lawsuit names Ashley Fett and Paul Mifsud as class representatives. The lawsuit alleged that the data breach occurred due to the failure to implement reasonable and appropriate cybersecurity measures, and asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act. All claims and contentions continue to be denied by Naper Grove Vision Care.

All parties have agreed to settle the litigation, with no admission of fault, liability, or wrongdoing. The defendant will cover the cost of attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives.  Claims may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member.

If a claim for reimbursement of losses is not submitted, class members may submit a claim for an alternative cash payment. The cash payments will be paid pro rata from a $50,000 settlement fund. Regardless of which option is chosen, class members qualify for a one-year membership to a credit and medical data monitoring service. The deadline for objection/exclusion is September 18, 2026. Claims must be submitted by September 18, 2026, and the final approval hearing has been scheduled for October 20, 2026.

The post Vision Care Providers Settle Data Breach Class Actions appeared first on The HIPAA Journal.

Ohio Living; Erlanger; Heart of America Eye Care Announce Data Breaches

Data breaches have recently been announced by the senior living company Ohio Living, Erlinger Health System in Tennessee, and Heart of America Eye Care in Missouri.

Ohio Living

The Westerville, Ohio-based nonprofit senior living company Ohio Living has identified unauthorized access to its network. Suspicious activity was identified within its computer network on April 17, 2026. Its network was secured, and an investigation was launched to determine the nature and scope of the activity, with assistance provided by third-party cybersecurity experts.

The forensic investigation confirmed unauthorized network access between April 16, 2026, and April 17, 2026, and the exfiltration of files containing patient information. While the specific types of information involved for each individual have yet to be determined, Ohio Living states that the categories of data likely involved include names, addresses, birth dates, Social Security numbers, medical histories, disability information, diagnostic and treatment information, prescription information, physician information, medical record numbers, health insurance information, and financial account/payment card information.

Ohio Living is reviewing its security policies and procedures and is implementing enhanced cybersecurity safeguards to prevent similar incidents in the future. The data review is ongoing, so the total number of affected individuals has yet to be determined. The HHS’ Office for Civil Rights has been informed that the data breach affected at least 500 individuals. The total will be updated when the data review is concluded.

Erlanger Health System

Erlanger Health System, a Chattanooga, Tennessee-based health system and operator of six hospitals and multiple healthcare facilities, has announced a security incident affecting a limited number of patients. The incident was detected on May 13, 2026, and affected 4,237 Erlanger Western California patients.

The investigation revealed that patient information was inadvertently sent to a billing partner that provides services for its Erlanger Tennessee campuses. The information was disclosed between July 1, 2025, and May 27, 2026, and related to individuals who had received anesthesia care. Those patients of Erlanger Western California received anesthesia care from a different anesthesia group.

The billing partner was a business associate and was therefore aware of its responsibilities with respect to HIPAA; however, it was an impermissible disclosure warranting breach notifications. The data transmitted included names, birth dates, medical record numbers, mailing addresses, email addresses, telephone numbers, internal hospital account numbers, insurance information, guarantor names, guarantor addresses, guarantor telephone numbers, dates of service, and limited medical information associated with surgical care, including operative notes.

Heart of America Eye Care

MVP VIP Holdco, doing business as Heart of America Eye Care, an ophthalmology and optometry services provider at its locations in Overland Park, Prairie Village and Shawnee Mission, KS, and Belton, MO, has notified regulators and patients about a hacking incident that exposed patient data.

The website breach notice does not state when the hacking incident was detected; however, the forensic investigation determined that patient information was viewed or copied from its systems between April 1, 2026, and April 6, 2026. The notice states that the investigation is underway to determine the extent to which protected health information was involved. The HHS’ Office for Civil Rights has been informed that the data breach affected at least 500 individuals. The total will be updated when the data review is concluded.

The post Ohio Living; Erlanger; Heart of America Eye Care Announce Data Breaches appeared first on The HIPAA Journal.

Community Health Center of Buffalo & Greenbaum Rowe Smith & Davis Confirm Data Breaches

Data breaches have been announced by Community Health Center of Buffalo in New York and the New Jersey law firm Greenbaum Rowe Smith & Davis.

Community Health Center of Buffalo, New York

Community Health Center of Buffalo (CHCB) in New York has identified a cybersecurity incident in which sensitive data was potentially accessed or acquired. Suspicious activity was identified within its computer network on April 21, 2026. Assisted by digital forensics experts, unauthorized network access was confirmed between April 20 and April 21, 2026.

The files are currently being reviewed to determine the types of data involved and the affected individuals. That process is ongoing; however, CHCB reports that the types of data likely involved includes names in combination with one or more of the following: address, date of birth, Social Security number, driver’s license, medical information such as diagnoses, treatment information, prescriptions/medications, treatment locations, lab results, medical record numbers, provider names, patient medical histories, and health insurance information

Data privacy and security practices are being reviewed, and steps are being taken to improve security. Credit monitoring and identity theft protection services will be made available. The data breach has been reported to the HHS’ Office for Civil Rights using an interim total of at least 501 affected individuals. The total will be updated when the investigation and file review are concluded.

Greenbaum Rowe Smith & Davis, New Jersey

Greenbaum Rowe Smith & Davis LLP, a New Jersey-based law firm, has started notifying 12,801 individuals about a breach of their protected health information. The practice provides legal services to healthcare practices in the state of New Jersey, which require access to certain patient data. The practice has confirmed that it experienced a cybersecurity incident involving unauthorized access to systems containing the data of patients of Atlantic Health System, Hackensack Meridian Health, and Trinitas Regional Medical Center.

Data exposed in the incident included names, Social Security numbers, medical information, health insurance information, and other personal data. At the time of issuing notifications, the practice was unaware of any public release of the impacted data. The practice is offering the affected individuals complimentary credit monitoring and identity theft protection services and has taken steps to improve security to prevent similar incidents in the future.

The post Community Health Center of Buffalo & Greenbaum Rowe Smith & Davis Confirm Data Breaches appeared first on The HIPAA Journal.

Physicians Primary Care of Southwest Florida Agrees to Data Breach Settlement

Physicians Primary Care of Southwest Florida was the victim of a targeted cyberattack in September 2024 that exposed patient data. The data breach sparked a class action lawsuit alleging the breach could have been prevented, as Physicians Primary Care of Southwest Florida failed to implement reasonable and appropriate security measures to prevent unauthorized access to patient data in its possession.

Physicians Primary Care of Southwest Florida is a medical facility with offices in Fort Myers, Cape Coral, Estero, and Lehigh Acres, Florida, that specializes in internal medicine, obstetrics, gynecology, family practice, and pediatrics. On or around September 17, 2024, unauthorized access to its network was identified. The hackers behind the attack had access to the network from September 15, 2024, to September 17, 2024, and potentially viewed or obtained patient data such as names, health information, and Social Security numbers. The data breach was reported to the HHS’ Office for Civil Rights as affecting 170,653 individuals.

The first lawsuit over the data breach was filed on December 3, 2024, in the Circuit Court of the Twentieth Judicial Circuit. An amended complaint was filed on March 7, 2025, in the Circuit Court for Lee County, Florida, naming two alternative plaintiffs, as the plaintiff who filed the initial complaint was determined not to be a putative class member.

The lawsuit – Cirillo et al. v. Physicians Primary Care of Southwest Florida, P.L. – asserted claims for negligence, breach of implied contract, breach of fiduciary duty, violation of the Florida Deceptive and Unfair Trade Practices Act, and declaratory judgment. Physicians Primary Care of Southwest Florida denies wrongdoing and liability and disagrees with the claims and contentions asserted by the lawsuit.

Shortly after the amended complaint was filed, the parties began exploring the possibility of an early resolution. A settlement was not agreed upon during mediation, but after several months of negotiations, terms were agreed that were acceptable to all parties. The settlement class consists of all living adults in the United States who received a notification that the data breach involved their information.

Under the terms of the settlement, class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $5,000 per class member. There is no alternative cash payment; however, all individuals are eligible to enroll in two years of medical monitoring services, which include a $1 million identity theft insurance policy.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for September 14, 2026. Individuals wishing to object to the settlement or opt out must do so by August 30, 2026. Claims must be submitted by September 29, 2026

The post Physicians Primary Care of Southwest Florida Agrees to Data Breach Settlement appeared first on The HIPAA Journal.

Why Medical Device Compliance Is Growing More Important Every Year

You don’t have to look very far to see the everyday applications of the medical device industry. They’re in the new technology and equipment in doctors’ offices, hospitals, and medical clinics. They surface in the expanding repertoire of devices that patients can use at home, expanding healthcare access and convenience. And they’re in the medical implants that often address serious health problems, including everything from pacemakers to stents to hip replacements to spinal fusion.

All these products are considered part of the medical device industry, which academic database ScienceDirect defines as a sector focused on the development, manufacturing, and distribution of devices that provide medical support and improve health outcomes, leveraging advances in biotechnology and bioengineering. A rapidly growing segment of the global economy, the medical device industry was valued at around $570 billion in 2025. It is expected to surpass $600 billion in 2026, before touching one trillion dollars sometime over the next decade.

Medical Device Compliance Defined

Like many large, lucrative industries, medical device manufacturers must adhere to a range of regulations imposed by the markets in which they operate. These regulations are developed and implemented to ensure that the industry’s products are safe, effective, and regularly monitored over the course of their lifetimes in the marketplace.

Due to the inherent risks involved, medical device manufacturing is an extensively regulated industry. Patients’ health, physical capabilities, and even lives are at stake when it comes to these technologies, and because of this, manufacturers have considerable legal responsibilities in countries like the U.S., the U.K., and Canada, as well as economic blocs like the European Union. Violating these regulations can trigger serious consequences, too, including penalties of $100,000 or more and imprisonment in cases of criminal negligence.

The World’s Major Medical Device Regulations

While the medical device sector spans the entire globe, industry regulations, and the legal obligations they impose, differ from one country to the next.

The U.S.: FDA and QSMR

The U.S. regulates medical devices through the Food and Drug Administration (FDA), which determines legal obligations based on three different risk categories. In addition to these classifications, medical device manufacturers must obtain FDA clearance to sell and market their devices, adhere to a Quality Management System Regulation (QSMR) harmonized to ISO 13485, and carry out post-market surveillance by monitoring defects, malfunctions, and other adverse events.

The EU: the MDR

In 2021, the EU replaced its Medical Device Directive (MDD) with the Medical Device Regulation (MDR), a change many describe as the largest shift in medical device compliance in years. The MDR imposes stricter requirements than its predecessor, with a higher threshold for clinical evidence and an expectation that manufacturers carry out post-market clinical follow-up to confirm that devices are working as intended and marketed.

In addition, the EU strengthened its requirements for the notifying bodies that certify devices for CE markings, reducing the number of organizations authorized to issue certifications.

The U.K. and the MHRA

To sell medical devices in the United Kingdom, manufacturers and importers must obtain a UKCA marking. Prior to 2021, products were classified into three different categories, with specific directives regulating each of them:

  • Directive 90/385/EEC applies to active implantable medical devices.
  • Directive 93/42/EEC applies to medical devices.
  • Directive 98/79/EC applies to in vitro diagnostic medical devices.

Today, businesses must get their devices registered and certified through the Medicines and Healthcare products Regulatory Agency (MHRA), the government body responsible for post-market surveillance.

Canada’s CMDR

Canada regulates medical devices through the nation’s Medical Devices Directorate (MDD), a government agency responsible for evaluating the safety and effectiveness of medical technology. Devices are classified into four different risk categories, and products that are categorized in Class II, Class III, or Class IV must all obtain licenses to sell their products.

Products in these three classes must undergo a rigorous review process. During this process, the manufacturer submits a completed application for a license; the MDD reviews the application; and the MDD then issues a license where applicable. In addition to issuing licenses, the directorate also conducts post-market surveillance. According to the Canadian government, if a medical device is found to no longer meet safety and effectiveness requirements, the MDD may suspend its license or ask the manufacturer to recall or refit the medical device.

An Evolving Compliance Landscape

In recent years, medical device compliance has grown more demanding all over the world. In many countries, manufacturers are now responsible for a range of regulatory responsibilities, including but not limited to:

  • Ensuring the safety of their devices.
  • Adhering to material regulations, including substance bans, maximum thresholds, and other restrictions.
  • Communicating and disclosing information to the public.
  • Carrying out post-market surveillance in accordance with regulatory requirements.

According to scientific publisher Elsevier, the number of regulations for medical device manufacturers increased 64% between 2015 and 2022, and the landscape has continued expanding since. One statistic that puts the sector’s regulatory obligations in perspective: U.S. manufacturers spend, on average, around $24 million on FDA-related requirements when bringing a single medical device from initial concept to market. For devices classified in the highest-risk Class III by the FDA, that figure rises to $75 million. In the EU, research suggests that the recent transition from the MDD to the MDR has increased regulatory costs on manufacturers up to tenfold.

Medical device compliance is not only becoming more costly. It is also becoming more time-intensive. Manufacturers operating in the U.S. can expect to spend anywhere between a few weeks and eight months working through the FDA’s regulatory approval process, with significant variance depending on the complexity and potential risks of the device. In other countries and regions, this path takes longer. Companies operating in the EU should prepare to commit a year or longer to the compliance process, while businesses in Japan spend between one and three years working to gain regulatory approval for new medical devices, placing Japan among the countries with the longest medical device approval timelines.

Given the time and financial resources required for regulatory adherence, manufacturers need to fully understand and meet their legal obligations to access the large, expanding global marketplace for medical devices.

How Medical Device Manufacturers Can Achieve Regulatory Compliance

Given the stakes associated with products that impact individual health and well-being, medical device manufacturers need to treat regulatory compliance as a major priority. Violations of the MDD, the QSMR, or the MHRA, among other directives, carry substantial financial and legal consequences.

Understand All Regulations That Apply To Your Business

In order to practice effective compliance, manufacturers first need to understand the scope of their responsibilities. The first step in doing that is identifying what specific regulations apply to them and their products. Organizations should review all the countries where their product is manufactured, imported, or sold, and what those nations’ legal obligations are for medical devices.

Medical device regulations remain in an early stage of development. The landscape remains fragmented and heterogeneous, with little harmonization between nations. Businesses must remember that achieving adherence with one directive does not prevent them from violating another.

Carry Out Necessary Steps for Certification

After establishing the scope of their obligations, manufacturers must then begin the process of gathering all the information required to achieve certification with the applicable regulatory bodies. For the more demanding national directives, this may include a number of individual steps:

  • Confirm product classification.
  • Reach out to a notified body or other accredited third-party organization.
  • Work with the notified body to compile all necessary documentation, including device descriptions, bills of materials (BOMs), general safety and performance requirements (GSPR), and risk management standards set by the International Organization for Standardization (ISO 14971).
  • Prepare a clinical evaluation report that pulls together clinical data, risks and benefits, and the intended purpose of the device.
  • Establish a plan for carrying out post-market clinical follow-up and implementing a post-market surveillance system.

While these steps vary from one regulation to the next, companies operating in multiple national markets should be prepared to fulfill most or all of them.

Foster Expertise and Develop Resources for Post-Market Surveillance

The post-market responsibilities imposed by directives like the MDD cannot be haphazard or ad-hoc. Organizations should have an established framework in place, with dedicated compliance professionals and a clear process for reviewing market data, issuing safety reports, and summarizing clinical performance. Post-market clinical follow-up (PMCF) and post-market surveillance (PMS) are strict obligations that can derail a product’s rollout or longevity when neglected, even after a device has reached the marketplace.

Leverage Third-Party Compliance Tools

The medical device and technology industry is comprised of many small and midsized businesses (SMBs), plenty of whom do not have the internal resources or bandwidth to effectively manage all the compliance obligations the sector imposes. In these cases, manufacturers can utilize a compliance tool that helps them understand their legal responsibilities, collects all the necessary compliance data, and submits technical documentation and clinical evaluations to the appropriate regulatory body. These software tools can support organizations through a regulatory process that is otherwise complex, lengthy, and difficult for smaller companies with limited bandwidth.

The post Why Medical Device Compliance Is Growing More Important Every Year appeared first on The HIPAA Journal.

May 2026 Healthcare Data Breach Report

Based on the current data on the HHS’ Office for Civil Rights (OCR) breach portal, 61 healthcare data breaches affecting 500 or more individuals were reported in May 2026. May’s current total represents a 27.1% month-over-month increase in data breaches. Over the past 12 months, an average of 64 large healthcare data breaches were reported each month.

Healthcare data breaches in the past 12 months - May 2026

From January 1, 2026, to May 31, 2026, 319 data breaches affecting 500 or more individuals have been reported to OCR. This time last year, the total stood at 342 large data breaches.

HEalthcare data breaches - January 1 - May 31 - 2022-2026

While data breaches increased from April, the number of affected individuals fell by 34.8% to 879,447 individuals. In May, an average of 14,417 individuals were affected by healthcare data breaches, down from an average of 28,116 individuals in April. Over the past 12 months, an average of 10.6 million individuals have been affected by healthcare data breaches each month.

Individuals affected by healthcare data breaches in the past 12 months - May 2026

Data breaches are down slightly year-over-year, but there has been a massive reduction in the number of affected individuals. Very large data breaches have not been reported to OCR in the numbers seen in previous years. From January 1, 2026, to May 31, 2026, across the 319 data breaches, at least 21,085,405 individuals have been affected. The OCR breach portal shows that from January 2025 to May 2025, 33,116,809 individuals were affected by data breaches.

Individuals affected by healthcare data breaches - jan 1 - May 31, 2022-2026

Biggest Healthcare Data Breaches of May 2026

In May 2026, 17 data breaches affecting 10,000 or more individuals were reported to OCR, all of which were hacking incidents. The biggest data breach of the month was reported by Radiology Associates of Richmond, affecting more than 266,000 individuals, followed by a hacking incident at Western Orthopaedics which affected more than 113,000 individuals.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
Radiology Associates of Richmond VA Healthcare Provider 266,183 Hacking incident
Western Orthopaedics, P.C. CO Healthcare Provider 113,330 Hacking incident
ERMI LLC GA Healthcare Provider 74,074 Hacking incident
Singing River Health System MS Healthcare Provider 53,888 Hacking incident
Southern Illinois Ob-Gyn Associates, S.C. IL Healthcare Provider 38,700 Hacking incident
Gastro Health FL Healthcare Provider 35,632 Unauthorized access to email accounts
Eyemart Express, LLC TX Healthcare Provider 25,000 Hacking incident
Connecticut Department of Social Services CT Health Plan 22,500 Unauthorized access to provider portal website
Bridle Trails Family Dentistry WA Healthcare Provider 20,976 Unauthorized access to email account
Community Connections DC Healthcare Provider 18,943 Ransomware attack (INCRansom)
Virta Medical PC CO Healthcare Provider 14,636 Hacking incident (Lapsus$)
Saurabh N. Patel, M.D – Florida Retina Center LA Healthcare Provider 13,652 Hacking incident
Greenbaum Rowe Smith & Davis LLP NJ Business Associate 12,801 Hacking incident
Wellpoint Washington, Inc. IN Health Plan 12,020 Unauthorized access to email account
Defense Health Agency (TriWest) VA Health Plan 11,848 Hacking incident
IKRON Corporation OH Healthcare Provider 11,845 Hacking incident
Elara Caring TX Healthcare Provider 10,490 Hacking incident at third-party vendor

May’s total number of affected individuals may increase considerably over the coming weeks and months, as healthcare organizations complete their data breach investigations. HIPAA-regulated entities have 60 days from the date of discovery of a data breach to issue notifications to the HHS’ Office for Civil Rights and the affected individuals. HIPAA requires OCR to be notified even if the total number of individuals has yet to be determined by the 60-day deadline. In such cases, an estimate should be provided. Many regulated entities use a placeholder estimate of 500 or 501 individuals in such cases, and in May, 7 regulated entities appear to have used these placeholder figures.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
United Medical Doctors CA Healthcare Provider 501 Hacking/IT Incident
NJ Pain Care Specialists, LLC NJ Healthcare Provider 501 Hacking/IT Incident
Palomar Health Medical Group CA Healthcare Provider 501 Hacking/IT Incident
Aroostook Mental Health Center ME Healthcare Provider 501 Hacking/IT Incident
Campbell University NC Healthcare Provider 500 Hacking/IT Incident
BAYADA Home Health Care, Inc. NJ Healthcare Provider 500 Hacking/IT Incident
Integrated Pain Associates TX Healthcare Provider 500 Hacking/IT Incident

Causes of May 2026 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in May, as has been the case each month for several years. Out of the month’s 61 large healthcare data breaches, 54 were classed as hacking/IT incidents – 88.5% of the month’s data breaches. Across those incidents, the protected health information of 853,532 individuals was compromised- 88.5% of the month’s total affected individuals. On average, hacking/IT incidents affected 15,806 individuals in May, with a median breach size of 3,619 individuals.

Causes of May 2026 healthcare data breaches

There were 7 data breaches classed as unauthorized access/disclosure incidents, representing 11.5% of the month’s breaches. Across those incidents, the protected health information of 25,915 individuals was unlawfully accessed or disclosed. On average, 3,702 individuals were affected by each incident in May. The median breach size was 3,086 individuals. There were no reported theft, loss, or improper disposal incidents in May.

Given the large number of hacking incidents, it is no surprise that the most common location of breached protected health information was network servers. Email incidents were also reported in high numbers.

Location of breached PHI in May 2026 healthcare data breaches

States Affected by May 2026 Healthcare Data Breaches

Large healthcare data breaches were reported by HIPAA-regulated entities in 26 U.S. states and the District of Columbia. California was the worst affected state with 6 breaches.

State Breaches
California 6
Florida, New Jersey, New York, North Carolina, Ohio, Texas & Virginia 4
Colorado 3
Indiana, Maine, Michigan, Pennsylvania, South Carolina & the District of Columbia 2
Arizona, Connecticut, Georgia, Illinois, Iowa, Louisiana, Massachusetts, Mississippi, Oregon, Tennessee, Washington & Wisconsin 1

In terms of affected individuals, Virginia topped the list with almost 300,000 state residents affected.

State Individuals Affected State Individuals Affected
Virginia 290,254 Louisiana 13,652
Colorado 128,661 Pennsylvania 7,095
Georgia 74,074 South Carolina 6,946
Mississippi 53,888 Iowa 6,666
Florida 44,649 Michigan 6,456
Texas 40,045 California 5,303
Illinois 38,700 North Carolina 4,949
Ohio 28,540 Massachusetts 3,086
Connecticut 22,500 Maine 3,024
Washington 20,976 Oregon 2,856
District of Columbia 20,014 Arizona 2,316
New York 19,674 Tennessee 1,807
Indiana 17,325 Wisconsin 1,080
New Jersey 14,911

Data Breaches at HIPAA -Regulated Entities

In May 2026, 42 data breaches were reported by healthcare providers, 9 breaches were reported by health plans, and 10 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.

The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 22 of the 61 breaches (rather than 10) occurred at business associates in May.

May 2026 data breaches at HIPAA-regulated entities

Individuasl affected by data breaches at HIPAA-regulated entities in May 2026

HIPAA Enforcement Activity in May 2026

No enforcement actions were announced by OCR or state attorneys general in May.

The post May 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation

A settlement has been agreed to resolve a class action lawsuit against the Nashville, TN-based health plan administration service provider, Lucent Health Solutions. The litigation stems from an October 2023 phishing attack that allowed a threat actor to obtain credentials for an email account.

Lucent Health Solutions said the threat actor only had a 90-minute window to access the account, and no evidence was found of data theft; however, the account contained the protected health information of approximately 37,000 individuals, including their names, dates of birth, Social Security numbers, and health, dental, and vision group and/or plan numbers.  The affected individuals were notified about the data breach in  January 2025, 15 months after the breach occurred.

A putative class action lawsuit was filed by plaintiff Royal Corralejo – Royal Corralejo v. Lucent Health Solutions, LLC Litigation – in the Circuit Court for Davidson County, Tennessee, which was removed to the United States District Court for the Middle District of Tennessee. The lawsuit alleged that the defendant had failed to implement reasonable and appropriate cybersecurity measures, resulting in the data breach. The defendant denies all claims and contentions in the lawsuit and maintains that there was no wrongdoing.

After considering the costs and risks associated with a trial and related appeals, all parties agreed to discuss settling the lawsuit. During mediation on August 29, 2025, the material terms of a settlement were agreed by all parties, with no admission of liability or wrongdoing by the defendant. The settlement provides several benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $550 per class member, and a claim for up to $5,500 reimbursement for extraordinary losses from fraud or identity theft. A claim may also be submitted for up to 5 hours of lost time at $25 per hour.

Individuals who chose not to claim those benefits may instead claim a one-time cash payment of $80. Regardless of whether a claim is submitted for reimbursement of losses or the cash payment, class members may also claim a three-year membership to the CyEx Medical Shield Complete medical data monitoring service.

The defendant has agreed to pay up to $1,950,000 to resolve the lawsuit, which includes attorneys’ fees and expenses, settlement administration and notification costs, and a service award for the plaintiff. Should claims exceed that total, claims will be subject to a pro rata reduction. The deadline for objection and opting out of the settlement is August 21, 2026. The deadline for submitting a claim is September 5, 2026, and the final fairness hearing has been scheduled for September 9, 2026.

The post Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation appeared first on The HIPAA Journal.

Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack

A settlement has been agreed to resolve a class action lawsuit against the Pinehurst, North Carolina-based molecular, cytology, and pathology service provider Marlboro-Chesterfield Pathology, P.C. The lawsuit was filed in response to a January 2025 ransomware attack by the SafePay ransomware group.

Unauthorized network access was identified on January 16, 2025, and the forensic investigation confirmed that 235,911 individuals had their data compromised in the attack, including their names, dates of birth, Social Security numbers, and protected health information. The affected individuals were notified about the incident on or around May 7, 2025.

A class action lawsuit – Cox v. Marlboro-Chesterfield Pathology, P.C – was filed in the County of Moor Superior Court by plaintiff Cox, individually and on behalf of similarly affected individuals. Plaintiff Cox alleged that her personal and protected health information was in the hands of cybercriminals as a result of the attack, and that the ransomware attack occurred as a result of the failure of Marlboro-Chesterfield Pathology to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network.

Marlboro-Chesterfield Pathology maintains there was no wrongdoing and disagrees with the claims and contentions in the lawsuit, including claims of fault and liability, and plaintiff Cox believes her claims are valid. After arms-length negotiations, and after the parties considered the costs and risks associated with continuing with the litigation, they entered into settlement discussions, and the material terms of a settlement were agreed on November 21, 2025.

The settlement has now been finalized and has received preliminary approval from the court. The defendant has agreed to pay attorneys’ fees and expenses, settlement administration and notice costs, and a service award for the class representative. Attorneys’ fees and costs have been capped at $100,000.

Class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member. Individuals who had their Social Security numbers compromised in the incident may submit a claim for an alternative cash payment of $10, should they choose not to submit a claim for reimbursement of losses.

All individuals, regardless of whether they submit a claim for reimbursement of losses or the cash payment, are entitled to a one-year membership to a credit monitoring and identity theft protection service, which includes a $1 million identity theft insurance policy. The deadline for objection, opting out, and submitting a claim is August 21, 2026. The final fairness hearing has been scheduled for October 12, 2026.

The post Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack appeared first on The HIPAA Journal.

California Gay & Lesbian Services Center Data Breach Affects 75,500 Individuals

Gay & Lesbian Community Services Center of Orange County, California, a provider of mental health, HIV testing, education and outreach, has identified unauthorized access to its network and the exposure of the personal and protected health information of up to 75,532 individuals.

Suspicious network activity was identified on or around December 26, 2025, and third-party cybersecurity experts were engaged to investigate the incident. They confirmed that there had been unauthorized access to the network from December 25 to December 26, 2025, and files containing sensitive information may have been viewed or acquired.

The review of the impacted data was completed on May 6, 2026, when it was confirmed that the following types of information were stored on the compromised parts of the network: full names, dates of birth, Social Security numbers, diagnosis information, prescription information, medical histories and treatment information, medical record numbers, health insurance information, driver’s license numbers, government identification numbers, state identification numbers, passport numbers, taxpayer identification numbers, financial account information, biometric identifiers, financial account information, and payment card information. The types of information involved varied from individual to individual.

Gay & Lesbian Community Services Center of Orange County said it is committed to maintaining the privacy of personal information in its possession and continually evaluates and modifies its security practices to enhance data privacy and security. The affected individuals have been advised to remain vigilant and monitor their account statements and free credit reports for suspicious activity. The website breach notice makes no mention of free credit monitoring or identity theft protection services.

Alta Orthopaedics

Alta Orthopaedics, a Santa Barbara, CA-based orthopedics practice with six locations in Santa Barbara, Santa Maria, Solvang, and Oxnard, has started mailing notification letters to patients affected by a recent security incident.

On March 10, 2026, the practice identified suspicious activity within its computer network. The forensic investigation determined that there had been unauthorized access to certain information on its network between February 3, 2026, and February 6, 2026. The review of the exposed files confirmed that they contained personal and protected health information such as names, addresses, phone numbers, Social Security numbers, driver’s license/state ID numbers, birth dates, billing codes, dates of service, reasons for visits, treatment costs, provider names, diagnoses, treatment information, clinical information, treatment location, medical record numbers, patient account numbers, and health insurance information.

The incident was reported to law enforcement, policies and procedures related to data privacy and security have been reviewed, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Regulators have been notified; however, the number of affected individuals has yet to be publicly disclosed.

Lake Region Healthcare

Lake Region Healthcare, a nonprofit rural health system based in Fergus Falls, Minnesota, has notified individuals affected by a recent cybersecurity incident. Unauthorized access to its network was first identified on May 19, 2025. Law enforcement was notified, and an investigation was launched to determine the nature and scope of the unauthorized activity.

No evidence was found to indicate any unauthorized access to electronic medical records; however, files containing patient information may have been viewed or acquired on or around May 19, 2025. It has taken more than a year to review the affected data. That process was completed on June 5, 2026, when it was confirmed that names were exposed, along with one or more of the following: date of birth, Social Security number, medical record number, patient account number, health insurance information, contact information, medical and/or treatment information, government-issued identification, and/or financial information.

Lake Region Healthcare said it is unaware of any actual or attempted misuse of that data; however, as a precaution, the affected individuals have been offered complimentary identity theft protection services. The scale of the breach has yet to be publicly disclosed, although according to notifications to state attorneys general, 294 Texas residents and 20 Massachusetts residents are among the affected individuals.

The post California Gay & Lesbian Services Center Data Breach Affects 75,500 Individuals appeared first on The HIPAA Journal.