Author Archives: Steve Alder

Esse Health Agrees to Pay 2.53M to Settle Data Breach Lawsuit

Posted by Steve Alder

American Multispecialty Group, doing business as Esse Health, a Missouri-based independent physician group serving the greater St. Louis area, experienced a cyberattack and data breach in April 2025. Esse Health faced multiple class action lawsuits in response to the data breach, and the consolidated class action lawsuit has recently been settled. Esse Health has agreed to pay $2,525,000 to resolve the lawsuit.

The cyberattack was detected by Esse Health on April 21, 2025, and the forensic investigation confirmed that the hackers obtained sensitive data such as names, addresses, birth dates, health information, and health insurance information. Around 5,000 individuals also had their Social Security numbers compromised in the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the electronic protected health information of 23,671 patients; however, the data breach was much more extensive. The Maine Attorney General was informed that the breach affected 263,601 individuals. The lawsuit states that approximately 521,167 individuals were affected.

The data breach was first announced by Esse Health on May 15, 2025, and shortly thereafter, a class action lawsuit was filed by Plaintiff Casten Clausner in the U.S. District Court for the Eastern District of Missouri. A further seven plaintiffs filed similar actions in state court in St. Louis County and the City of St. Louis. All actions were consolidated in the 22nd Judicial Circuit Court of St. Louis City, Missouri, in June 2025.

The consolidated lawsuit – Clausner et al. v. American Multispecialty Groupclaims that the data breach could have been prevented and was due to the failure of the defendant to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, breach of confidence, breach of fiduciary duty, invasion of privacy, unjust enrichment, violation of the Missouri Merchandise Practices Act, and declaratory and injunctive relief. Esse Health maintains that there was no wrongdoing and is no liability; however, following mediation, a settlement was agreed upon by all parties to avoid the costs and risks associated with continuing with the litigation.

Under the terms of the settlement, Esse Health has agreed to establish a $2,525,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the 8 class representatives, and benefits for the class members. After costs and expenses have been deducted from the settlement fund, the remainder will be used to pay for class member benefits. While most class action lawsuit settlements allow class members to submit a claim for reimbursement of losses, this settlement only provides a pro rata cash payment, which is expected to be $50 per class member. The payments may be higher or lower depending on the number of claims received.

In addition, class members are entitled to enroll in two years of medical identity protection services, which include a $1 million medical identity theft insurance policy. The cost of the medical identity protection will be paid separately by Esse Health. The settlement has received preliminary approval from the court. The deadline for objection and exclusion from the settlement is July 5, 2026. Claims must be submitted by August 4, 2026, and the final approval hearing has been scheduled for August 3, 2026.

The post Esse Health Agrees to Pay 2.53M to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Ransomware Groups Claim Responsibility for Attacks on 3 Healthcare Providers

Posted by Steve Alder

Ransomware groups have claimed responsibility for attacks on Advanced Family Surgery Center in Tennessee, Orem Eye Clinic in Utah, and Belmont Aesthetic & Reconstructive Plastic Surgery in Virginia/Washington D.C.

Surgery Center of Oak Ridge (Advanced Family Surgery Center)

Surgery Center of Oak Ridge, LLC, doing business as Advanced Family Surgery Center in Oak Ridge, Tennessee, has notified certain patients about a network intrusion first identified on or around November 26, 2025. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that certain parts of its network were accessed by an unauthorized third party who potentially viewed or acquired files containing patient information.

The files were reviewed and found to contain names, addresses, dates of birth, dates of service, health insurance information, medical diagnosis information, medical record numbers, Medicare/Medicaid numbers, patient account numbers, prescription/treatment information, provider names, and Social Security numbers. Additional security measures have been implemented to prevent similar incidents in the future, and policies and procedures with respect to data security are being reviewed.

This appears to have been a ransomware attack with data theft. The Genesis ransomware group, a financially motivated threat group that has attacked many healthcare providers, claimed responsibility for the attack and added Advanced Family Surgery Center to its dark web data leak site. Genesis claims to have exfiltrated 100 GB of data in the attack, including files containing patient information.

Orem Eye Clinic

Orem Eye Clinic in Orem, Utah, has notified individuals and the HHS’ Office for Civil Rights about a cybersecurity incident involving unauthorized access to parts of its network that contained the protected health information of approximately 5,800 patients. No substitute breach notice has been added to the Orem Eye Clinic website at the time of publication of this article, so the exact details, such as the types of data involved and the nature of the incident, have yet to be confirmed. Individuals receiving a notification letter should be aware that a ransomware group called Nightspire claimed responsibility for the attack and added Orem Eye Clinic to its dark web data leak site. The group claims to have exfiltrated 1 terabyte of data in the attack.

Belmont Aesthetic & Reconstructive Plastic Surgery

Belmont Aesthetic & Reconstructive Plastic Surgery, a cosmetic and reconstructive surgery practice with locations in Washington, D.C., and Virginia, has reported a data breach to the HHS’ Office for Civil Rights that has affected 528 individuals. While there is currently no website notice, and no other information has been released about the data breach so far, this appears to have been a ransomware attack. The Insomnia ransomware group added Belmont Aesthetic & Reconstructive Plastic Surgery to its dark web data leak site in early March 2026 and threatened to publish the stolen data if the ransom was not paid.

The post Ransomware Groups Claim Responsibility for Attacks on 3 Healthcare Providers appeared first on The HIPAA Journal.

Verber Dental Group Notifies Patients About January Hacking Incident

Posted by Steve Alder

Data breaches have recently been announced by Verber Dental Group in Pennsylvania, Northwoods Surgery Center in Minnesota, Cunningham Prosthetic Care in Maine, Healthcare In Action in California, and Preakness Healthcare Center in New Jersey.

Verber Dental Group

Verber Dental Group, a Camp Hill, PA-based dental group comprising 14 dental practices, has recently notified patients of unauthorized network access that exposed patient data. Suspicious network activity was identified on January 27, 2026. The network was secured, and an investigation was launched, which revealed the threat actor had access to its network from January 26, 2026, to January 27, 2026. The investigation confirmed that patient information had been exposed, including names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, medical records, and health insurance information.

Verber Dental has not identified any misuse of patient information. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals as a precaution. At present, the incident is not shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Northwoods Surgery Center

Northwoods Surgery Center in Virginia, MN, identified unauthorized activity within its computer network on or around September 8, 2025. Its network was secured, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized network access over a two-month period between July 11, 2025, and September 8, 2025. The compromised parts of the network were reviewed, and it was confirmed that files containing patient information had been exposed and may have been accessed or acquired by the threat actor.

In total, 5,385 individuals were affected. Data potentially compromised in the incident included names, addresses, dates of birth, health insurance information, patient medical record numbers, doctor’s name, practice type, medical date of service, medication information, diagnosis and treatment information, and medical claims or billing information. While patient data was exposed, Northwoods Surgery Center has not identified any actual or attempted misuse of patient information. Notification letters are now being mailed, and complimentary credit monitoring services have been made available.

Cunningham Prosthetic Care

Cunningham Prosthetic Care, a Saco, ME-based prosthetic and orthotic practice, has notified the HHS’ Office for Civil Rights about a data breach affecting 2,523 patients. On or around October 22, 2025, suspicious activity was identified within its email environment. An investigation was launched that confirmed unauthorized access to an employee’s email account. The account was reviewed, and on March 4, 2026, Cunningham Prosthetic Care confirmed that the account contained patient information.

Data exposed and potentially acquired included names, dates of birth, Social Security numbers, medical record numbers, driver’s license numbers, diagnostic and treatment information, and health insurance information. The types of exposed data varied from individual to individual. Notification letters were mailed to the affected individuals on May 1, 2026. The practice has implemented additional security measures to enhance data privacy and security.

Healthcare in Action

Healthcare In Action, a medical group serving the homeless population in California, has recently identified unauthorized access to an employee’s email account between January 28, 2026, and January 30, 2026. The account was compromised using stolen credentials. The unauthorized access was limited to a single email account, which has now been secured. Third-party experts were engaged to investigate and determined that the account contained the information of 1,143 individuals, including patients and other individuals.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: date of birth, email address, phone number, driver’s license/state ID number, Social Security numbers, ethnicity, housing application case number/HMIS number, health plan information, mailing/ physical address, medical record number, diagnosis/condition information, date(s) of service, location(s) of service, treatment information, disability verification information, and/or medication information. For non-patients, the compromised data included names, addresses, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Preakness Healthcare Center

Preakness Healthcare Center, a Wayne, NJ-based skilled nursing facility, has recently identified unauthorized access to its computer network. Suspicious activity was first identified on March 4, 2026. The forensic investigation confirmed that an unauthorized third party had access to parts of its computer network from February 24, 2026, to March 4, 2026, during which time residents’ data may have been viewed or acquired. The exposed data included residents’ names, demographic information, and limited clinical information. The affected individuals had been admitted on or after January 1, 2019. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. At present, the number of affected individuals has not been publicly disclosed.

The post Verber Dental Group Notifies Patients About January Hacking Incident appeared first on The HIPAA Journal.

Atrium Health & Interim HealthCare Affected by Business Associate Data Breaches

Posted by Steve Alder

Atrium Health Navicent and Interim HealthCare of Lubbock/Amarillo have recently announced that they have been affected by data breaches at third-party vendors.

Atrium Health Navicent

Atrium Health Navicent is the latest healthcare provider to announce that it has been affected by the January 2025 data breach at Oracle Health. Oracle Health acquired the electronic medical record company Cerner, and was due to migrate patient records from legacy Cerner servers to Oracle Health’s systems. As early as January 22, 2025, a hacker gained access to two legacy servers and exfiltrated patient data. Oracle Health detected the breach in February 2025. Many healthcare providers were affected and issued notification letters last year.

According to Atrium Health Navicent, the delay in notification is due to the complexity of the data review, which has taken many months to complete. Atrium Health Navicent said it only recently learned from Oracle Health that it had been affected, and the review of the impacted data was not completed until March 12, 2026. The data compromised in the incident was stored in a legacy Cerner system that was historically used by Atrium Health.

The compromised data related to patients who received services from Atrium Health in the greater Charlotte (NC) area prior to August 6, 2022, or from Atrium Health Navicent prior to July 3, 2021. The compromised data includes names, addresses, dates of birth, medical record numbers, provider names, diagnoses, medications, test results, images, and other information included with patient medical records. For certain individuals, Social Security numbers were also compromised.

Notification letters are now being mailed, and the affected individuals have been offered complimentary credit monitoring services for two years. Atrium Health Navicent has yet to publicly announce how many patients have been affected. An estimated 2 million people across the country are thought to have been affected by the Oracle Health data breach in total.

Interim HealthCare of Lubbock/Amarillo

Interim HealthCare of Lubbock and Interim HealthCare of Amarillo have recently notified the HHS’ Office for Civil Rights about a data breach at a third-party vendor that affected 2,071 and 666 patients respectively. The incident occurred at the healthcare technology firm Doctor Alliance. Unauthorized individuals gained access to the Doctor Alliance web portal and intermittently accessed the portal between October 31, 2025, and November 17, 2025.

Interim HealthCare of Lubbock and Interim HealthCare of Amarillo completed their reviews of the affected data on March 18, 2026, and confirmed that data potentially viewed or obtained included names, dates of birth, addresses, diagnoses, treatment plans, medications, and provider information. There has been no known misuse of patient data; however, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring services.

The post Atrium Health & Interim HealthCare Affected by Business Associate Data Breaches appeared first on The HIPAA Journal.

Gandara Mental Health Center Settles Class Action Data Breach Lawsuit

Posted by Steve Alder

Gandara Mental Health Center in Springfield, Massachusetts, has agreed to settle class action litigation stemming from a June 2024 cyberattack and data breach that affected 17,543 individuals. The cyberattack was detected on June 20, 2024, and Gandara Mental Health Center determined that personal and protected health information, such as names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, treatment information, and health insurance information, had been compromised. The hackers claimed to have exfiltrated approximately 450 GB of data.

A class action lawsuit was filed in the Court in the Commonwealth of Massachusetts, Hampden County – Eugene Mitchell v. Gandara Mental Health Center, Inc. – in response to the data breach that alleged that the defendant failed to properly secure its network, leading to the theft of the plaintiffs’ personal and protected health information. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and breach of fiduciary duty. Gandara Mental Health Center denies all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability.

All parties agreed upon a settlement to avoid further legal costs and expenses and the uncertainty of a trial and any related appeals. Under the terms of the settlement, class members are entitled to enroll in three years of identity theft protection and medical data monitoring services. A claim may also be submitted for reimbursement of up to $500 in ordinary losses, including up to four hours of lost time at $25 per hour, and up to $5,000 in extraordinary losses incurred as a result of the data breach. If a claim is not submitted for reimbursement of losses and lost time, an alternative one-time cash payment of $60 can be claimed. Benefits for the class members have been capped at $900,000 and will be reduced pro rata if that total is exceeded.

The deadline for objection to and exclusion from the settlement is July 24, 2026. Claims must also be submitted before that date. The final approval hearing has been scheduled for August 25, 2026.

The post Gandara Mental Health Center Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Mt. Spokane Pediatrics Data Breach Affects 32,000 Patients

Posted by Steve Alder

A cyberattack on Mt. Spokane Pediatrics exposed the data of more than 32,000 patients. Data breaches have also been announced by Cornerstone Care Center in California and Michigan Medicine.

Mt. Spokane Pediatrics

Mt. Spokane Pediatrics in Washington state has started notifying 32,021 individuals about the theft of some of their personal and protected health information in a January 2026 cyberattack. According to its website breach notice, the attack occurred on or around January 1, 2026, and the threat actor was found to have exfiltrated files containing patients’ protected health information. The forensic investigation determined on April 22, 2026, that the data exfiltrated in the attack included full names, dates of birth, Social Security numbers, diagnoses, treatment information, patient numbers, medical record numbers, health plan beneficiary numbers, and dates of service.

Mt. Spokane Pediatrics said it is unaware of any actual or attempted fraud as a result of the data breach. Complementary single-bureau credit monitoring services have been offered to the affected individuals as a precaution. The breach notice does not mention ransomware; however, a ransomware group claimed responsibility for the attack. The Lockbit5 ransomware group added Mt. Spokane Pediatrics to its dark web data leak site on January 3, 2026, and threatened to leak the stolen data in 20 days if the ransom was not paid.

Sanger Skilled Care (Cornerstone Care Center)

Sanger Skilled Care, LLC, doing business as Cornerstone Care Center, a skilled nursing and long-term care facility in Sanger, California, has issued prompt notifications about a recent security incident identified on or around April 7, 2026. According to its substitute data breach notice, unauthorized network access was identified on April 7, 2026. Steps were taken to contain the incident, and an investigation was launched to determine the nature and scope of the activity. On April 16, 2026, the investigation was completed, and it was confirmed that the breach was confined to a single account, which contained some protected health information.

The data review confirmed that the exposed data includes names, dates of birth, lab results, diagnoses, prescription and treatment information, provider names, medical record numbers, patient identification numbers, Social Security numbers, health insurance information, and dates of services. Notification letters were mailed to the affected individuals on May 1, 2026, and 12 months of complimentary credit monitoring services have been offered. At present, the number of affected individuals has not been publicly disclosed.

University of Michigan (Michigan Medicine)

The University of Michigan (Michigan Medicine) has recently announced that it has been affected by a data breach involving its electronic medical record company, Epic Systems Corporation. Michigan Medicine was one of several healthcare providers to be affected by the incident, which involved unauthorized access to patient records through a nationwide health information exchange. Third-party companies accessed patient records for reasons unrelated to patient care. Those companies had been granted access after claiming they had a legitimate need to access patient records; however, patient information was accessed for reasons unrelated to the provision of healthcare services.

Michigan Medicine was informed about the breach by Epic Systems, and its internal review determined in March 2026 that 551 individuals had been affected. The types of information viewed or obtained included names, addresses, phone numbers, email addresses, dates of birth, medical record numbers, diagnoses, medications, allergies, test results, treatment information, and health insurance information. Michigan Medicine is working with Epic and the relevant exchange and network parties to investigate the incident and is monitoring the litigation initiated by Epic Systems in response to the unauthorized access.

The post Mt. Spokane Pediatrics Data Breach Affects 32,000 Patients appeared first on The HIPAA Journal.

Rhode Island Finalizes $12 Million Settlement With Deloitte Consulting Over RIBridges Cyberattack

Posted by Steve Alder

An agreement has been reached between the state of Rhode Island and Deloitte Consulting LLP that will see the professional services firm pay an additional $7 million in financial support to the state following the 2024 cyberattack on the state’s benefits administration system – RIBridges. RIBRidges is Rhode Island’s one-stop shop for public benefits for state residents, including applications and management of Medicaid, food stamps, and other benefits. In November 2024, Deloitte Consulting identified the intrusion and took steps to secure the system. The state was notified about the hack in early December.

The investigation confirmed that hackers had access to the system for around 5 months, during which time they gained access to around 28 of the 338 backend environments of the system and exfiltrated sensitive data, including the data of almost 650,000 Rhode Island benefits applicants and recipients – around 59% of the population of the state. The Brain Cipher ransomware group claimed responsibility for the attack, boasting that access was gained by cracking an 8-character password to gain access to a domain controller – a process Brain Cipher claimed took just 5 minutes. The stolen data was subsequently leaked on the dark web.

In early 2025, the state secured a $5 million payment from Deloitte Consulting to cover immediate costs associated with the incident, and now a settlement agreement has been finalized that will see the total financial recovery increase to $12 million. Deloitte Consulting has also agreed to invest $6 million to cover security enhancements, operational support, and business continuity services that were not covered by its contract with the state. The settlement brings the legal wrangles between the state and Deloitte Consulting to an end.

Deloitte Consulting also faced class action litigation over the data breach and opted to settle the litigation in October 2025. Deloitte Consulting agreed to pay $6.3 million to resolve all claims related to the cyberattack and data breach, with no admission of wrongdoing or liability. Class members were eligible to claim up to $5,000 as reimbursement for out-of-pocket losses and a pro rata cash payment.

May 20, 2025: Rhode Island Releases Details of RIBridges Hacking Investigation

The state of Rhode Island has released a summary of the findings of an investigation by the cybersecurity firm CrowdStrike into the hacking of the Rhode Island state benefit system, known as RIBridges, by the Brain Cipher threat group.

Brain Cipher members were able to gain access to 28 of the 338 environments that comprise the RIBridges system and stole sensitive data such as names, addresses, birth dates, Social Security numbers, and health information. The affected individuals had previously signed up to receive public benefits such as food stamps or private health insurance through the HealthSource RI portal. The state issued notification letters to around 657,000 individuals in January informing them that their sensitive data may have been compromised in the incident.

The forensic investigation determined that 114,879 individuals who received the notifications in January had not in fact been affected, although an additional 107,757 individuals had been affected but were not notified in January. They include approximately 30,000 individuals whose data was collected during employment checks or verifications through the child support system and the Department of Children, Youth, and Families. Notification letters are now being sent to those 107,757 individuals. The final total stands at 644,401 affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 5 years.

The investigation started on December 16, 2024, and concluded on January 31, 2025. According to state officials, Brain Cipher actors gained access to the RIBridges system through the RIBridges Virtual Private Network (VPN) using the credentials of a Deloitte employee. Deloitte is the vendor used by the state of Rhode Island to manage the RIBridges system. CrowdStrike was unable to determine how the credentials were obtained and whether multifactor authentication was bypassed or if it was in place.

Brain Cipher first accessed a non-production environment within the RIBRidges system on July 2, 2024; however, the intrusion was not detected until November 28, 2024. After authenticating with the RIBridges VPN, the threat actor performed initial reconnaissance and lateral movement from an application server to six other systems. Privileges were escalated on two systems via Image File Execution Options (IFEO) injection, and credential harvesting was performed on six systems within the RIBridges environment.

Commercially available remote monitoring and management (RMM) tools were used along with a reverse proxy tool to maintain access to the environment. During the five months of access, Brain Cipher performed data access, staging, and data exfiltration from 28 systems. Large data transfers were performed by Brain Cipher out of the RIBridges system in November.

It was not the data transfers that alerted Deloitte to the hack, but rather a post on the Brain Cipher data leak site on December 4, 2024, claiming data had been stolen. Deloitte investigated the claim and identified suspicious activity, although it took until December 13, 2024, for the breach of the RIBridges system to be confirmed. When it was confirmed that the RIBridges systems had been compromised, it was shut down and remained offline for around a month. No evidence was found of any ransomware on the system.

According to the Crowdstrike investigation, the RIBridges firewall denied traffic from an external cloud storage provider IP address to an internal IP address on September 10, 2024, and between November 11, 2024 and November 28, 2024, the firewall management portal generated 397 alerts from 15 systems about large data transfers to an external cloud storage provider. “Deloitte missed some issues that we certainly hold them responsible for,” said state Governor Dan McKee. “That this would be undetected for that period of time is something that is just unacceptable.” Governor McKee confirmed that the state will be pursuing all avenues in our efforts to ensure accountability and is considering legal action against Deloitte.

The state plans to choose a vendor to modernize the RIBridges system, but it is likely to take between 18 and 24 months to roll out the new system. In the meantime, Deloitte will continue to manage the RIBridges system. The state is also planning on increasing the size of its IT workforce and has requested the budget for an additional 15 hires, including an RIBridges Technical Lead.

February 5, 2025: Deloitte to Pay $5 Million to Rhode Island to Cover Ransomware Attack Expenses

Rhode Island Governor Dan McKee has announced that Deloitte has agreed to pay $5 million to the state of Rhode Island to cover expenses incurred as a result of a December 2024 ransomware attack. The ransomware attack caused a prolonged outage of the state’s RI Bridges system, which is used to manage eligibility for public benefits, including programs such as Medicaid, SNAP, HealthSource RI, and RI Works.

The cyberattack was detected on December 5, 2024, and resulted in the prolonged outage of the RI Bridges system. The personal information of more than 650,000 Rhode Islanders was stolen in the attack, and the data was added to the ransomware group’s data leak site when the ransom was not paid. Information stolen and published included names, contact information, employment details, and Social Security numbers.

For around 2 months, the outage of the RI Bridges system prevented approximately 2,000 Rhode Islanders from enrolling in state-paid healthcare coverage by Blue Cross & Blue Shield and Neighborhood Health. Lindsay Musser Hough, Principal at Deloitte Consulting, said the commitment to pay $5 million to the state was not an admission of wrongdoing or fault and is being provided “in the spirit of supporting the state and its constituents in their response to the bad actor’s cyberattack.” Announcing the payment, Governor McKee said, “Deloitte has recognized that the state has immediate and unexpected expenses related to the breach, and we appreciate their willingness to lend financial support.”

Deloitte has also paid for credit monitoring and identity theft protection services for the 650,000+ individuals who had their data stolen in the ransomware attack, and is also covering the cost of the data breach call center.

January 13, 2025: Rhode Island Starts Notifying Individuals Affected by RI Bridges Ransomware Attack

Rhode Island Governor Dan McKee has confirmed that individual notification letters started to be mailed to the individuals whose personal data was stolen in the December 2024 ransomware attack on the RI Bridges system on January 10, 2025.  Individuals affected by the incident have been offered 5 years of complimentary credit monitoring services through Experian and are being encouraged to take advantage of those services as soon as possible. The deadline for signing up for those free services is April 30, 2025.

The notification letters provide instructions for signing up for the credit monitoring services, including a required activation code. State residents can sign up for the credit monitoring services online or over the phone (833-918-6603). The phone lines are manned Monday through Friday from 9 a.m. to 9 p.m., and on weekends from 11 a.m. to 8 p.m.

The data breach is still being investigated by Deloitte and more individuals may have been affected than the initial review suggests. In such cases, notification letters will be promptly sent to those individuals. “We understand the concerns this breach has caused for our residents,” said Governor McKee. “We appreciate everyone’s patience as these letters are delivered.” State officials are confident that the source of the intrusion has been identified and steps have been taken to ensure the RI Bridges systems can be safely restored. The first phase of that process has been completed and the second phase is underway to restore the public-facing part of the system, which is expected to be brought back online in mid-January.

The state has yet to confirm exactly how many individuals have been affected but has previously indicated approximately 650,000 state residents had their personal data exposed or stolen in the ransomware attack.

December 31, 2025: Ransomware Group Behind RI Bridges Attack Starts Leaking Stolen Data

The ransomware group (Brain Cipher) behind the cyberattack on Rhode Island’s online health and human services platform has started to leak stolen files on the dark web, according to State Governor Daniel McKee. Deloitte has been monitoring the dark web and informed the state Attorney General about the data leak.

The Brain Cipher group promised to leak the stolen data if the ransom was not paid, and the data leak indicates the ransom has not been paid. Brain Ciper allegedly demanded a ransom payment of $23 million in cryptocurrency to prevent the stolen data from being leaked. “This is a scenario that the State has been preparing for, which is why earlier this month we launched a statewide outreach strategy to encourage potentially impacted Rhode Islanders to protect their personal information,” said AG McKee.

McKee said Deloitte is investigating and reviewing the impacted files to determine which individuals have been affected and is also looking to analyze the leaked data; however, the analysis of the leaked data has not yet been completed. The HIPAA Journal has been periodically monitoring the Brain Cipher dark web data leak site to determine if data has been released. The site has been largely inaccessible, which will limit the potential for unauthorized individuals to obtain the leaked data.

Dissent from databreaches.net reached out to the Brain Cipher group after receiving no response from Deloitte. The group confirmed they were behind the attack and provided a preview of the data they would be leaking, and said they have been experiencing a DDoS attack on their data leak site, indicating someone is trying to prevent the group from leaking the data. The identity of the third party or third parties is unknown.

December 27, 2024: Rhode Island Ransomware Attack May Affect Half of State Residents

The cyberattack that forced the shutdown of Rhode Island’s public benefits system (RI Bridges) has potentially exposed the personal data of more than half of the population of the state – approximately 650,000 individuals, according to state Governor Daniel McKee.

McKee said conversations between Deloitte and the Brain Cipher group are ongoing, he is being kept informed of any progress, and no sensitive data appears to have been publicly released so far. He did not provide any information about how much the attackers are demanding to prevent the release of the stolen data, or if there is any intention to pay the ransom. Deloitte is working on restoring the crippled RI Bridges system as soon as possible, although it is not expected to be brought back online until some point in January.

December 17, 2024: Brain Cipher Group Claims Responsibility for Rhode Island Ransomware Attack

The Brain Cipher ransomware group has claimed responsibility for the Rhode Island RI Bridges ransomware attack and is threatening to publish the stolen data if the ransom demand is not paid. Brain Cipher is a relatively new ransomware operation that first appeared in June 2024. The group has already conducted some major attacks, including an attack on the National Data Center in Indonesia, which disrupted operations at more than 200 government agencies and saw the group demand a $8 million ransom payment. The group engages in double extortion and maintains a data leak site where stolen data is published if the ransom is not paid.

Countdown clock on the Brain Ciper data leak siteBrain Cipher claimed responsibility for a ransomware attack earlier this month and added Deloitte to its data leak site. Deloitte has issued a statement confirming that only the RI Bridges system was affected by the ransomware attack. The Deloitte listing on the Brain Cipher data leak site has a countdown clock that indicated the data leak would occur on December 17, 2024, if the ransom was not paid; however, on December 19, 2024, the countdown clock was still ticking down and showed 13 hours remaining, after having been reset. The ransomware group appears to still be holding out for a ransom payment.

On December 16, 2024, State Governor Daniel McKee issued a public service announcement encouraging all state residents who have used any of the affected systems in the past to take immediate action to protect themselves against identity theft and fraud. The RI Bridges hack will almost certainly lead to attempted data misuse by cyber criminals if the ransomware group releases the stolen data.

December 15, 2024: Hundreds of Thousands of Rhode Island Residents Affected by RI Bridges Data Breach

Hundreds of thousands of Rhode Island residents have had their data stolen in a cyberattack on the state government’s RI Bridges system, an online portal used by state residents to obtain social services and health insurance. Vendor Deloitte identified a potential RI Bridges system breach on December 5, 2024, and after confirming the unauthorized access, the portal was shut down on December 13 as a precaution. Deloitte has been working with state officials, IT experts, and law enforcement to investigate the cyberattack and data breach and limit its impact.

While the cyberattack was not initially described as a ransomware attack, Rhode Island’s Chief Digital Officer, Brian Tardiff, confirmed that a threat actor had installed malware and issued a ransom demand, payment of which was required to prevent the publication of the stolen data. It has yet to be confirmed how many individuals have been affected or the exact types of data stolen in the attack. Deloitte said it is still evaluating the data theft incident and said it is likely that information such as names, addresses, dates of birth, Social Security numbers, and potentially bank account information was involved.

Any individuals who applied for or received benefits or health insurance through the RI Bridges system may have been affected. The programs and benefits managed through the RI Bridges system include ,but are not limited to:

  • Medicaid
  • Supplemental Nutrition Assistance Program (SNAP)
  • Temporary Assistance for Needy Families (TANF)
  • Child Care Assistance Program (CCAP)
  • Health insurance purchased through HealthSource RI
  • Rhode Island Works (RIW),
  • Long-Term Services and Supports (LTSS)
  • General Public Assistance (GPA) Program

Rhode Island Governor Daniel McKee confirmed on Friday that the number of Rhode Islanders potentially affected was in the hundreds of thousands. Individual notifications will be mailed to all individuals affected by the Rhode Island data breach when the data breach investigation is concluded. Due to the sensitivity of the data stolen in the ransomware attack, anyone who applied for or obtained benefits or health insurance through any of the above programs should be vigilant against identity theft and fraud, monitor the accounts closely, and take advantage of any available free credit monitoring services. They have also been advised to consider placing a credit freeze or fraud alert with one of the three main credit bureaus and to change any common or reused passwords. State officials have not detected any misuse of the impacted data so far. The hackers are still holding out for a ransom payment and are likely to release the stolen data in the coming week if the ransom is not paid. The state has set up a helpline for state residents to find out more about the Rhode Island data breach. The helpline – 833-918-6603 – will be added Mondays through Fridays from 9 a.m. to 9 p.m.

The post Rhode Island Finalizes $12 Million Settlement With Deloitte Consulting Over RIBridges Cyberattack appeared first on The HIPAA Journal.

OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2023

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has submitted a pair of reports to Congress on the state of compliance with the Health Insurance Portability and Accountability (HIPAA) Privacy, Security, and Breach Notification Rules, and breaches of unsecured protected health information for calendar year 2023, as required by Section 13424(a) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

OCR maintains a data breach portal, through which HIPAA-regulated entities must submit their reports of breaches of unsecured protected health information, and a web page through which individuals may submit a health information privacy complaint. There has been a general trend of increasing data breaches and complaints, which is placing greater pressure on OCR’s limited resources; however, OCR made progress in decreasing the backlog of complaint and data breach investigations in 2023.

The reports show data breaches affecting fewer than 500 individuals increased by 7% year-over-year, data breaches affecting 500 or more individuals increased by 17% year-over-year, complaints were up 2%, and there was a 14% increase in compliance reviews initiated by OCR. In total, OCR resolved 14 investigations in calendar year 2023 with settlements totalling $7,735,000. While that is 4 penalties fewer than in 2022, the total penalty amount increased by $6,932,500 year-over-year. OCR also conducted 182 outreach activities to improve public education about HIPAA rights and to advise regulated entities about compliance and trends in large data breaches reported to OCR.

Healthcare Data Breaches in 2023

In calendar year 2023, OCR received 732 reports of data breaches affecting 500 or more individuals. Across those data breaches, 113,173,613 individuals had their protected health information exposed, stolen, or impermissibly disclosed. The largest healthcare data breach of the year – HCA Healthcare – affected 11,270,000 individuals. The average data breach size in 2023 was 154,609 individuals.

Summary of Data Breaches Affecting 500 or More Individuals

HIPAA breaches affecting 500 or more individuals 2019-2023

OCR has five classifications for healthcare data breaches, and the majority of large healthcare data breaches fell into the hacking/IT incident category. Hacking and IT incidents accounted for 81% of the year’s data breaches and 96% of breached records.

Cause of Breach Number of Incidents Individuals Affected Largest Data Breach
Hacking/IT Incident 590 108,725,761 11,270,000 individuals
Unauthorized Access/Disclosure 120 4,359,037 3,179,835 individuals
Theft 14 69,893 34,016 individuals
Loss 4 16,247 13,184 individuals
Improper Disposal 4 2,675 1,005 individuals

Summary of Data Breaches Affecting Fewer Than 500 Individuals

HIPAA breaches fewer than 500 individuals 2019-2023

OCR received 68,315 reports of data breaches affecting fewer than 500 individuals in calendar year 2023. Smaller HIPAA breaches vastly outnumber large data breaches, but they typically affect only a few individuals. Across those HIPAA breaches, the protected health information of 269,290 individuals was exposed, stolen, or impermissibly disclosed, with an average breach size of fewer than 4 individuals.  The vast majority of smaller breaches were due to human error – employee mistakes and a lack of understanding about HIPAA requirements. The most common causes were misdirected communications (fax, email, mailing) and impermissibly accessing the medical records of co-workers, friends, family members, and other individuals.

Cause of Breach Number of Incidents Individuals Affected Percentage of Breaches
Unauthorized Access/Disclosure 64,231 178,031 66%
Loss 2,414 10,186 4%
Hacking/IT Incident 753 61,021 1%
Theft 714 15,742 1%
Improper Disposal 203 4,310 <1%

2023 Settlements to Resolve Alleged HIPAA Violations

OCR settled 14 investigations with financial penalties and corrective action plans in 2023. No civil monetary penalties were imposed.

HIPAA Regulated Entity Affected Individuals Settlement Amount
Montefiore Medical Center 12,517 $4,750,000
LA Care Health Plan 1,498 $1,300,000
Lafourche Medical Group 34,862 $480,000
MedEvolve Inc. 230,572 $350,000
Yakima Valley Memorial Hospital 415 $240,000
Optum Medical Care 1 $160,000
Doctors’ Management Services 206,695 $100,000
St. Joseph’s Medical Center 3 $80,000
UnitedHealthcare 1 $80,000
iHealth Solutions (Advantum Health) 267 $75,000
Green Ridge Behavioral Health 14,000 $40,000
Phoenix Healthcare (dba Green Country Care Center) 1 $35,000
Manasa Health Center, LLC 4 $30,000
David Mente, MA, LPC 1 $15,000

Keen readers of the HIPAA Journal may notice a discrepancy between these figures and those on pages such as our data breach statistics page, as the HIPAA Journal reports on the year the penalty was announced rather than the year it was agreed.

In 2023, OCR imposed financial penalties to resolve HIPAA failures in 11 areas. The most commonly identified HIPAA failure resulting in a financial penalty was the failure to conduct a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information, and the failure to review records of activity in information systems containing protected health information.

Area of HIPAA Noncompliance Cases
Risk Analysis 7
Review records of information system activity 5
HIPAA Right of Access 4
Impermissible Use or Disclosure of PHI 3
Risk Management 2
HIPAA Security Rule Policies and Procedures 2
Mechanisms for Recording/Examining Activity in Information Systems 2
Business Associate Agreements 1
HIPAA Privacy Rule Policies and Procedures 1
Security Measures to Reduce Risks/Vulnerabilities 1
Periodic Technical and Nontechnical Evaluations 1

HIPAA Complaints and Compliance Reviews in 2023

OCR investigates complaints submitted through the health information privacy complaint web page and initiates compliance reviews if complaints are substantiated. Compliance reviews are also initiated in response to data breaches.

Complaints submitted to OCR about HIPAA violations 2019-2023

Summary of HIPAA Complaints

  • 30,968 new complaints received alleging violations of the HIPAA Rules and the HITECH Act (+553 YOY)
  • 9,680 open complaints carried over from previous years (-10,497 YOY)
  • 38,601 complaints were resolved in calendar year 2023 (+6,351 YOY)
  • 30,464 complaints were resolved before an investigation was initiated (-2,357 YOY)
  • 6,749 complaints were resolved through technical assistance (+3,867 YOY)
  • 691 complaints were resolved through voluntary corrective action (+131 YOY)
  • 695 complaints had insufficient evidence of HIPAA violations (-9 YOY)
  • 2 complaints resulted in OCR providing technical assistance after an investigation (-13 YOY)
  • 5 complaints were resolved through resolution agreements, corrective action plans, and monetary settlements ($320,000), three more than in 2022, when $2,425,640 was collected in settlements/civil monetary penalties.

Summary of Compliance Reviews

  • 773 compliance reviews initiated to investigate allegations of HIPAA violations not stemming from complaints
  • 732 compliance reviews were due to large data breaches (affecting 500 or more individuals), 9 were in response to smaller breaches, and 32 were initiated for other reasons
  • OCR closed 737 of those compliance reviews in 2023 – 580 cases (79%) through voluntary compliance, 60 cases (8%) through technical assistance, 67 cases (9%) where there was insufficient evidence of a HIPAA violation, and 30 cases (4%) were closed due to a lack of jurisdiction to investigate.
  • OCR resolved nine compliance reviews with resolution agreements and corrective action plans, collecting $7,415,000 in financial penalties.

You can view a summary of the HIPAA reports for 2022 in this post. Click the following links to access the full OCR reports on HIPAA compliance in 2023 (PDF) and 2023 healthcare data breaches (PDF)

The post OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2023 appeared first on The HIPAA Journal.

March 2026 Healthcare Data Breach Report

Posted by Steve Alder

In March 2026, 44 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). More than 1.5 million individuals had their personal and protected health information exposed, stolen, or otherwise impermissibly disclosed.

Under the HITECH Act of 2009, OCR is required to publish a summary of large healthcare data breaches – incidents involving the exposure, theft, or impermissible disclosure of the electronic protected health information of 500 or more individuals. OCR checks all breach reports submitted through its data breach portal, then adds the data breaches to the public-facing section of the portal. Typically, there is a delay of up to 2 weeks from the receipt of a breach report to its addition to the breach portal. During the month of March, no data breaches were added to the portal for March. March data breaches started to be added to the portal in mid-April, hence the delay in publication of this breach report. Currently, the OCR breach portal shows 44 reported data breaches affecting 500 or more individuals for March, although there may be further additions over the coming weeks, as OCR finalizes its checks.

Healthcare data breaches in the past 12 months - March 2026

 

Across those 44 incidents, the protected health information of 1,523,376 individuals was exposed, stolen, or otherwise impermissibly disclosed – the lowest monthly total in the past 12 months, and an 81% reduction from February 2026, although those figures may increase as further data breaches are added and data breach investigations are concluded.

Individuals affected by healthcare data breaches in the past 12 months

 

Biggest Healthcare Data Breaches in March 2026

Eleven healthcare data breaches affecting 10,000 or more individuals were reported to OCR in March. The biggest data breach of March 2026 by some distance was reported by the telehealth platform provider OpenLoop Health. OpenLoop Health discovered the hacking incident in January 2026, and the investigation confirmed that a threat actor accessed its systems and exfiltrated patient data. A threat actor – Stuckin2019 – claimed responsibility for the attack and said the records of 1.6 million patients were exfiltrated, although OpenLoop Health reported the incident as affecting 716,000 individuals. While the breach was large and involved personal and health information, Social Security numbers and financial information were not stolen.

North Texas Behavioral Health Authority (NTBHA), a provider of mental health and substance use treatment and services in Texas, experienced a hacking incident that exposed the protected health information of 285,086 individuals. Few details have been published about the nature of the incident, other than hackers breaching its network in October 2025. NTBHA confirmed that protected health information was exposed and may have been stolen.

Saint Anthony Hospital in Chicago reported a breach of its email system. The breach occurred on February 27, 2026, and the threat actor obtained unstructured data from its email system, including names, dates of birth, and Social Security numbers. More than 146,000 individuals had data stolen in the incident. The hacking incident at Defense Health Agency affected almost 100,000 individuals, but the HIPAA Journal has been unable to find any details about the data breach, other than what is shown on the HHS’ Office for Civil Rights breach portal. The portal states that a business associate was involved and that the breach involved unauthorized access to electronic medical records.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Incident
OpenLoop Health, Inc. IA Business Associate 716,000 Hack and extortion incident – data theft confirmed
North Texas Behavioral Health Authority TX Healthcare Provider 285,086 Hacking incident
Saint Anthony Hospital IL Healthcare Provider 146,108 Unauthorized access to the email system
Defense Health Agency VA Health Plan 96,271 Hacking of a third-party electronic medical record system
Exclusive Physicians PLLC MI Healthcare Provider 58,000 Hacking incident
Woodfords Family Services ME Healthcare Provider 38,061 Ransomware attack
MedPeds Associates of Sarasota FL Healthcare Provider 22,017 Ransomware attack
Barrio Comprehensive Family Health Care Center TX Healthcare Provider 19,971 Unauthorized access to the email system
Longevity Health Plan FL Health Plan 15,000 Hacking incident
Cedar Valley Hospice IA Healthcare Provider 10,666 Hacking incident
Good Samaritan Health Center GA Healthcare Provider 10,000 Ransomware attack

Three incidents were reported to OCR using totals of 500 or 501 individuals. These figures are often used as “placeholder” estimates to meet the reporting requirements of the HIPAA Breach Notification Rule when investigations and data reviews are ongoing. These data breaches could turn out to affect substantially more individuals than the breach portal suggests.

Regulated Entity State Covered Entity Type Individuals Affected Type of Breach
Community Health Action of Staten Island NY Healthcare Provider 501 Hacking incident
Securian Financial MN Health Plan 500 Hacking incident at a business associate
Kin Counseling Services PLLC CO Healthcare Provider 500 Hacking incident

Causes of March 2026 Healthcare Data Breaches

As has been the case for many months, the majority of data breaches are hacking/IT incidents, with hacking accounting for most of the reported data breaches. Unauthorized access/disclosure incidents are less common but a regular cause of data breaches, while loss, theft, and improper disposal incidents are now a rarity, typically being reported in extremely low numbers.

Causes of March 2026 healthcare data breaches

In March, 40 of the month’s 44 data breaches were hacking/IT incidents (90.9%), 3 were unauthorized access/disclosure incidents (6.8%), and there was one theft incident (2.3%). Across the 40 hacking incidents, 1,523,376 individuals had their protected health information exposed or stolen – 99.7% of all individuals affected by healthcare data breaches in March. The average breach size was 37,953 individuals (median: 5,080 individuals). The unauthorized access/disclosure incidents affected 4,710 individuals, 0.3% for the month’s affected individuals. The average breach size was 1,570 individuals (Median: 1,283 individuals), and the theft incident affected 538 individuals, 0.04% of the month’s affected individuals.

location of breaches PHI - march 2026

States Affected by March 2026 Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 23 U.S. states in March, with Florida and Texas the worst-affected states with four breaches per state.

State Data Breaches
Florida & Texas 4
California, Massachusetts, Minnesota & Oklahoma 3
Colorado, Iowa, Illinois, Louisiana, Michigan, New York & Washington 2
Arizona, Georgia, Indiana, Maine, North Carolina, Ohio, Pennsylvania, Tennessee, Virginia & Wisconsin 1

In terms of affected individuals, Iowa topped the list with 726,666 affected individuals, followed by Texas and Illinois.

State Individuals Affected
Iowa 726,666
Texas 309,416
Illinois 152,194
Virginia 96,271
Michigan 60,740
Florida 43,811
Maine 38,061
Louisiana 17,755
California 12,700
Minnesota 10,958
Georgia 10,000
Indiana 8,941
Massachusetts 7,925
Oklahoma 5,777
New York 5,587
Ohio 4,234
Tennessee 3,171
Colorado 2,563
Washington 1,821
North Carolina 1,575
Wisconsin 1,574
Arizona 949
Pennsylvania 687

Data Breaches at HIPAA-Regulated Entities

In March, data breaches were reported by 33 healthcare providers (672,387 affected individuals), 6 health plans (121,639 affected individuals), and 5 business associates (729,350 affected individuals). When a data breach occurs at a business associate, the business associate must notify each affected entity, and then a decision must be made by the covered entity about who reports the data breach. The affected covered entity may choose to issue notifications – they are ultimately responsible for ensuring that notifications are issued – but many delegate that responsibility to the business associate. Taking that into account, the following charts show where the breach occurred rather than the reporting entity. All 6 health plan breaches occurred at business associates, as did half of the data breaches reported by healthcare providers.

Data breaches at HIPAA-regulated entities - March 2026

Individuals affected by data breaches at HIPAA-regulated entities - March 2026

HIPAA Enforcement Activity in March 2026

OCR investigates all large healthcare data breaches to determine if they occurred as a result of HIPAA noncompliance. The OCR breach portal shows that the majority of data breach investigations are closed with no further action taken or with OCR providing technical assistance to address HIPAA noncompliance. OCR currently has two main enforcement initiatives in place, one targeting noncompliance with the HIPAA Right of Access, and one targeting noncompliance with the risk analysis/risk management requirements of the HIPAA Security Rule. Violations of these provisions are likely to result in financial penalties.

OCR announced one enforcement action in March involving a financial penalty, after OCR discovered multiple violations of the HIPAA Rules – A risk analysis failure, breach notification failure, and an impermissible disclosure of the electronic protected health information of 15 million individuals. MMG Fusion, a Maryland-based provider of software solutions to oral healthcare providers, settled the case and paid a $10,000 financial penalty – one of the lowest financial penalties ever imposed by OCR. OCR said that when determining the settlement amount, consideration was given to MMG’s financial position.

The post March 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.