BA Breach & Fines Examples

Orthopaedic Institute of Western Kentucky Patients Affected by Vendor Data Breach

Posted by Steve Alder

Orthopaedic Institute of Western Kentucky has notified patients that their PHI was compromised in two security incidents at their managed IT services provider. Supportive Home Health Care and Patriot Outpatient has identified unauthorized access to an employee’s email account.

Orthopaedic Institute of Western Kentucky

Orthopaedic Institute of Western Kentucky (now Mercy Health — Western Kentucky Orthopedics) in Paducah, Kentucky, has been affected by two security incidents at one of its business associates, the managed IT services provider Keystone Technologies.

Keystone Technologies notified the orthopedic institute about unauthorized access to Keystone systems on two occasions: the first between April 21, 2025, and April 26, 2025, and the second between July 19, 2025, and August 1, 2025. During both periods, unauthorized individuals exfiltrated files containing patient information. The affected files were reviewed, and the affected individuals were identified in December 2025 and January 2026. Data compromised in the incident included names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment information, and health insurance information. Electronic medical records were not subject to unauthorized access, nor were any of Mercy Health’s systems.

The affected individuals have now been notified and offered a complimentary 12-month membership to a credit monitoring and identity theft protection service. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Supportive Home Health Care and Patriot Outpatient

Superior Care Plus, LLC, doing business as Supportive Home Health Care and Patriot Outpatient, LLC (Patriot), a provider of home healthcare services in Northeast Ohio, has announced a data breach affecting 1,415 of its patients.

On November 17, 2025, suspicious activity was identified within an employee’s email account. An investigation was launched to determine the nature and scope of the activity, and Patriot confirmed that the email account was compromised as a result of the employee responding to a phishing email. No other email accounts or systems were compromised in the incident.

On January 9, 2026, the forensic investigation was completed, and Patriot confirmed that the compromised account contained first and last names, city/ZIP codes, email addresses, health insurance policy numbers, medical treatment information, admission/discharge dates, patient logs, referring facility, start care date, policy name, and referring primary care physician name. A limited number of individuals also had their Social Security numbers and/or Medicare numbers exposed.

Patriot has taken several steps to prevent further unauthorized access to email data. The affected email account was deleted, and the individual, and a new account was created, rather than reactivating the account after a password change. Further training has been provided to the workforce on email security and phishing email identification, and third-party cybersecurity experts have helped Patriot enhance its technical security measures and procedures.

The post Orthopaedic Institute of Western Kentucky Patients Affected by Vendor Data Breach appeared first on The HIPAA Journal.

Alabama Hospital Recently Informed About 2024 Data Breach

Posted by Steve Alder

Jackson Hospital and Clinic in Montgomery, Alabama, has notified 14,485 individuals about a July 2024 data breach at one of its former vendors, the debt collection agency Nationwide Recovery Services.

Nationwide Recovery Services first identified suspicious activity within its computer network in July 2024. The forensic investigation confirmed that an unauthorized third party accessed its network between July 5, 2024, and July 15, 2024. Nationwide Recovery Services notified the affected HIPAA-regulated entity clients between February 2025 and March 2025; however, Jackson Hospital and Clinic said it was not informed that it was one of the affected clients until January 27, 2026. Notification letters started to be mailed to the affected individuals on February 27, 2026, more than 19 months after the data breach occurred.

Jackson Hospital and Clinic said the incident involved data provided to Nationwide Recovery Services to allow the company to perform its contracted duties. None of Jackson Hospital and Clinic’s information technology systems were affected. Data potentially compromised in the incident includes names, phone numbers, addresses, dates of birth, Social Security numbers, account information, health insurance information, and/or dates of service. Jackson Hospital and Clinic said it no longer uses Nationwide Recovery Services for debt recovery.

As a precaution against data misuse, the affected individuals have been offered complementary credit monitoring and identity theft protection services. Due to the lengthy delay between the data breach and notification, the affected individuals should check their accounts and explanation of benefits statements for potential data misuse going back to July 2024, in addition to signing up for the complimentary credit monitoring services.

The total number of individuals affected by the Nationwide Recovery Services is unknown.  Nationwide Recovery Services reported the breach to the HHS’ Office for Civil Rights (OCR) on September 9, 2024, using a placeholder figure of at least 501 affected individuals. That total has not been updated since the initial breach report. Many clients chose to issue their own notifications about the data breach. Based on breach notifications to state attorneys general and OCR, the data breach affected more than 560,000 individuals.

The post Alabama Hospital Recently Informed About 2024 Data Breach appeared first on The HIPAA Journal.

Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its second enforcement action of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). MMG Fusion LLC, a Maryland-based company that provides software solutions to oral healthcare providers, has agreed to settle the alleged violations and pay a financial penalty. The case is significant, as it involves an unreported data breach that affected 15 million individuals.

An unauthorized actor gained access to MMG’s internal network on December 21, 2020, and accessed patients’ protected health information, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. The threat actor exfiltrated data from MMG’s network and subsequently posted that information on the dark web.

A data breach of that magnitude would have attracted considerable media attention; however, it slipped under the radar as the breach was not reported to OCR, and the affected covered entities were not notified about the data breach. OCR’s investigation was launched not in response to a breach report, but a complaint about an unreported data breach. OCR received the complaint on January 6, 2023, and initiated an investigation in March 2023.

OCR determined that MMG had failed to comply with multiple provisions of the HIPAA Rules. Prior to the data breach, MMG had not conducted a comprehensive and accurate risk assessment to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by the HIPAA Security Rule.

OCR determined that MMG failed to ensure that ePHI was not used or disclosed for reasons not expressly permitted by the HIPAA Privacy Rule, and MMG failed to issue notifications to the affected covered entity clients that there had been a breach of unsecured protected health information, in violation of the HIPAA Breach Notification Rule. Rather than pursue a civil monetary penalty to resolve the alleged HIPAA violations, OCR agreed to a settlement. MMG has agreed to pay a financial penalty of $10,000 to resolve the alleged HIPAA violations and will adopt a comprehensive corrective action plan.

The corrective action plan requires MMG to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI. An enterprise-wide risk management plan must be developed and implemented to address and mitigate any risks and vulnerabilities identified by the risk analysis. Policies and procedures must be developed to ensure compliance with the HIPAA Rules, and those policies and procedures must be distributed to members of the workforce. MMG must provide training to its workforce and provide OCR with a copy of the training materials used to train its workforce for them to be assessed.

OCR will provide MMG with feedback on the thoroughness and accuracy of its risk assessment, and MMG must incorporate that feedback into its risk assessment and resubmit it to HHS for additional feedback. That process will continue until HHS is satisfied that the risk assessment is comprehensive and accurate. OCR must also be provided with a comprehensive list of all clients affected by the data breach, and once the risk assessment has been approved by OCR, MMG must notify all affected covered entity clients about the data breach, along with the identities of all patients whose ePHI is reasonably believed to have been impacted.

While not stated in the corrective action plan, the requirements of the HIPAA Breach Notification Rule are that each covered entity must determine if breach notifications are required and must ensure that those notifications are issued within 60 days after receiving a breach notice from a business associate. They are permitted to delegate the notification responsibilities to MMG, per the terms of their business associate agreements. The cost of notification for such a colossal data breach would be high, and if that cost is to be borne by MMG, that could explain why the penalty imposed to resolve multiple violations of the HIPAA Rules is so low.

OCR currently has an enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule and the HIPAA Right of Access of the HIPAA Privacy Rule; however, in 2025, the second-most common reason for a financial penalty behind risk analysis failures was breach notification failures. HIPAA covered entities and their business associates must ensure that timely breach notifications are issued to OCR, the affected individuals, and the media, and in the event of a breach at a business associate, that all affected covered entity clients are notified within 60 days of the discovery of a data breach.

“When a breach occurs, business associates must notify affected covered entities without unreasonable delay and within 60 calendar days of discovery,” said OCR Director Paula M. Stannard. “This timeliness is crucial for a covered entity to meet its own breach notification obligations, such as timely notification to HHS and to individuals. As hacking becomes more ubiquitous, HIPAA Security Rule requirements, such as the need to have an accurate and thorough HIPAA risk analysis, are imperative for strengthening cybersecurity before a breach occurs.”

The post Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals appeared first on The HIPAA Journal.

Medical Device Manufacturer UFP Technologies Confirms Data Stolen in Cyberattack

Posted by Steve Alder

The U.S. medical device manufacturer UFP Technologies has submitted a FORM 8-K filing to the U.S Securities and Exchange Commission (SEC) to notify the SEC and investors about a cyberattack and data breach that could potentially impact its financial condition or operations.

UFP Technologies is a publicly traded contract manufacturer based in Newburyport, Massachusetts, that makes single-use medical devices and highly engineered components for the aerospace, automotive, healthcare, and defense industries. The company produces a wide range of medical devices and medical components for products used in wound care, implants, and orthopedic and surgical products. UFP Technologies has an annual revenue of $600 million and employs 4,300 people.

According to the filing, UFP Technologies detected an IT systems intrusion on February 14, 2026. Immediate action was taken to assess, contain, and remediate the threat, and third-party cybersecurity experts were engaged to assist with the investigation. UFP Technologies said it believes the cyber threat actor responsible for the attack has been eradicated from its IT environment and confirmed that it has restored access to systems and information impacted by the incident in all material respects. While the attack did not impact all of its IT systems, many were affected, including the systems used for billing and label-making. UFP Technologies implemented its incident response and contingency plans, and since the incident was detected, it was able to continue operations in all material respects.

Some company and company-related data was either stolen or destroyed in the attack, which suggests this was a ransomware attack or that wiper malware was used. No threat group appears to have claimed responsibility for the attack. UFP Technologies explained in the filing that data has been recovered from backups. The company has confirmed that some data was exfiltrated from its system, although it is too early to determine the extent of the data theft, such as whether any personal or protected health information was stolen. The investigation to determine the nature and scope of the incident is ongoing, and the company is exploring the legal and regulatory notifications and filings that may be required.

As of the date of the filing (February 19, 2026), UFP Technologies said the incident has not had any material impact on its financial systems, operations, or financial condition. While costs have naturally been incurred, the company expects a significant proportion of the costs of containment, investigation, and mitigation will be covered by its cyber insurance policy.

The post Medical Device Manufacturer UFP Technologies Confirms Data Stolen in Cyberattack appeared first on The HIPAA Journal.

Vikor Scientific Affected by Ransomware Attack on Revenue Cycle Management Vendor

Posted by Steve Alder

Vikor Scientific (now rebranded as Vanta Diagnostics), a molecular diagnostics company based in Charleston, South Carolina, has been affected by a security incident at one of its vendors – the revenue cycle management company, Catalyst RCM. The breach also affected the Vikor Scientific-owned molecular testing laboratory KorGene,  and KorPath, a Tampa, Florida-based anatomical pathology lab, which partners with Vanta Diagnostics. Vikor Scientific has reported the data breach to the HHS’ Office for Civil Rights as involving the electronic protected health information (ePHI) of 139,964 individuals.

Catalyst RCM has published a substitute breach notice on its website and is issuing notification letters to the affected individuals on behalf of its affected HIPAA-covered entity clients. While it is ultimately the responsibility of each affected HIPAA-covered entity to issue notification letters when there has been a data breach at a vendor, the notification responsibilities are often delegated to the vendor.

In the breach notice, Catalyst RCM explains that suspicious activity was identified within its secure file management system on or around November 13, 2025. An investigation was launched, which identified an unauthorized login to a system used to access one of its servers. The server was accessed without authorization between November 8, 2025, and November 9, 2025. The affected system was reviewed to determine whether any protected health information had been exposed or stolen, and the review concluded on December 12, 2025. Catalyst RCM confirmed that the threat actor exfiltrated data in the attack.

Data potentially compromised in the incident varies from individual to individual and may include names plus one or more of the following: date of birth, diagnosis information, medical treatment information, history, health insurance information, and/or payment card information with access code.

Catalyst RCM has updated its security policies, procedures, and protocols to reduce the likelihood of similar incidents in the future, and has advised the affected individuals to remain vigilant against identity theft and fraud by monitoring their free credit reports. While no misuse of the affected data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

While the incident was not described as a ransomware attack, the Everest ransomware group claimed responsibility for the attack and added Vikor Scientific to its dark web data leak site, along with samples of data allegedly stolen in the attack. Everest threatened to leak the stolen data if contact was not made. Everest claims to have leaked all data exfiltrated in the attack, indicating the ransom was not paid.

The post Vikor Scientific Affected by Ransomware Attack on Revenue Cycle Management Vendor appeared first on The HIPAA Journal.

Healthcare Technology Company Discloses Ransomware Attack

Posted by Steve Alder

Cyberattacks and data breaches have recently been announced by the healthcare technology company Insightin Health and the Colorado-based medical billing and practice management company, Clinic Service Corporation.

Insightin Health, Maryland

Insightin Health, a Baltimore, MD-based healthcare technology company that offers an AI-driven digital health platform to health insurers and payers, has experienced a cyberattack involving unauthorized access to patient data. Suspicious network activity was identified in September 2025, and the forensic investigation confirmed unauthorized access to its network between September 17, 2025, and September 23, 2025.

The data review revealed the exposed files included protected health information associated with its clients, such as names, dates of birth, contract numbers, health insurance providers’ non-unique identifiers, Medicare Beneficiary Identifiers, and information associated with attributed providers. The substitute data breach notice includes steps that the affected individuals can take to protect themselves against misuse of their information. While not stated in the substitute breach notice, the affected individuals should be aware that the Medusa ransomware group claimed responsibility for the attack and threatened to publish the stolen data. The group claims to have exfiltrated 378 GB of data from the Insightin Health network.

Clinic Service Corporation, Colorado

Clinic Service Corporation, a medical billing and practice management company based in Denver, Colorado, has experienced a hacking incident that exposed sensitive data. The intrusion was identified on August 17, 2025, and the forensic investigation confirmed that its network was accessed by an unauthorized third party from August 10, 2025, to August 17, 2025.

The data review has confirmed that personally identifiable information (PII) and protected health information (PHI) was compromised in the incident, including names, addresses, phone numbers, email addresses, dates of birth, diagnoses, treatment information, patient ID numbers, dates of service, medical record numbers, Medicare/Medicaid numbers, health insurance information, claims information, and treatment cost information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. Regulators have been notified, although the incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Healthcare Technology Company Discloses Ransomware Attack appeared first on The HIPAA Journal.

Gryphon Healthcare Agrees to Pay $2.87M to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

Gryphon Healthcare, a Houston, TX-based revenue cycle, coding, compliance, consultancy, and management services vendor, faced multiple class action lawsuits over a July 2024 cyberattack involving a partner for which it provides billing services. Gryphon Healthcare learned about the incident in August 2024, and its investigation found that files may have been viewed or obtained. Those files contained the protected health information of 393,358 patients, including names, dates of birth, addresses, Social Security numbers, dates of service, diagnoses, medical treatment information, prescriptions, medical record numbers, and health insurance information.

On or around October 11, 2024, Gryphon Healthcare started sending notification letters to the affected individuals, and shortly thereafter, the first class action lawsuit was filed. A further eight lawsuits were subsequently filed, which were consolidated into a single complaint – Morris et al., v. Gryphon Healthcare, LLC – in the District Court for Harris County, Texas. The lawsuit asserted claims of negligence/negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, unjust enrichment, bailment, a failure to provide adequate notice pursuant to any breach notification statute or common law duty, and violations of state consumer protection laws.

While Gryphon Healthcare denies wrongdoing, fault, and liability for the cyberattack and data breach, after considering the cost and distraction of continuing the litigation and the uncertainty of trial, the decision was taken to settle. Under the terms of the settlement, Gryphon Healthcare will establish a $2,800,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the nine named plaintiffs. After those costs have been deducted, the remainder of the fund will be used to pay benefits to the class members.

Class members may choose one of two cash payments. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, they may choose to receive a cash payment, which is estimated to be $100, but may increase or decrease depending on the number of valid claims received. All class members who submit a valid claim are entitled to a two-year membership to an identity theft protection and medical data monitoring service, which includes a $1 million identity theft insurance policy. The deadline for objecting to the settlement and opting out is March 17, 2026. Claims must be submitted by April 16, 2026, and the final fairness hearing has been scheduled for August 31, 2026.

Nov 4, 2024: Gryphon Healthcare Facing Multiple Lawsuits Over 400,000-Record Data Breach

Gryphon Healthcare, a Houston, TX-based provider of revenue cycle management and medical billing services to healthcare providers, is facing multiple class action lawsuits over an August 2024 data breach that involved unauthorized access to the protected health information of almost 400,000 individuals. The compromised information included names, contact information, Social Security numbers, diagnosis and treatment information, health insurance information, and medical record numbers. The intrusion occurred via an unnamed IT service provider.

At least seven lawsuits have now been filed by individuals who were recently notified about the exposure of their protected health information. The plaintiffs allege that Gryphon Healthcare failed to implement reasonable and appropriate cybersecurity measures to protect the sensitive information it stored and also failed to monitor its network for unauthorized activity. The lawsuits assert that if appropriate defenses had been implemented and if industry standards had been adhered to, the data breach could have been prevented. Proper monitoring would have allowed the intrusion to be detected much more promptly.

The lawsuits make similar claims, including a violation of duties under common law, contract law, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Trade Commission (FTC) Act. The plaintiffs allege that the theft of their personal and protected health information has resulted in them suffering and continuing to suffer injuries, including financial harm due to the misuse of their information, lost time due to the detection and prevention of identity theft and fraud, and the loss or diminished value of their private information.

The plaintiffs make claims of negligence, negligence per se, invasion of privacy, breach of confidence, breach of fiduciary duty, breach of implied contract, breach of third-party beneficiary contract, and unjust enrichment. The lawsuits were filed in Texas federal court and seek class action certification for a nationwide class of individuals affected by the data breach, a jury trial, actual, compensatory, statutory, and punitive damages, and injunctive relief, including an order from the court requiring Gryphon Healthcare to implement a host of security measures to safeguard the personal and protected health information stored by the company.

The post Gryphon Healthcare Agrees to Pay $2.87M to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

The healthcare technology company Veradigm Inc. (formerly Allscripts) has agreed to settle a class action lawsuit that was filed in response to a 2024 data breach that compromised sensitive patient data. The Illinois-based company provides software tools to healthcare organizations, including electronic medical record software and practice management tools. In December 2024, cybercriminals accessed its network and potentially obtained patient data belonging to its healthcare clients. More than 2 million patients were affected. Data compromised in the incident included names, contact information, dates of birth, health record information, insurance claim data, payment information, and other identifiers, such as Social Security numbers and copies of their driver’s licenses.

The first class action lawsuit in response to the data breach was filed in June 2025 by plaintiffs Tony Goodrum and Jason Mixton, individually and on behalf of similarly situated individuals. A second class action lawsuit was subsequently filed, and the two actions were consolidated into a single action in the U.S. District Court for the Northern District of Illinois, since they had overlapping claims.

The consolidated lawsuit – Goodrum, et al. v. Veradigm Inc.– alleged that the data breach was the result of negligence, and could have been prevented had reasonable and appropriate cybersecurity measures been implemented. In addition to negligence, the lawsuit asserted claims for negligence per se, breach of implied contract, unjust enrichment, declaratory judgment, and injunctive relief.

Veradigm denies all claims of wrongdoing and liability; however, shortly after the two lawsuits were filed, the company explored the prospect of early resolution. Following mediation after the consolidated lawsuit was filed, an agreement in principle was reached to settle the litigation, with no admission of liability or wrongdoing. Class counsel and the class representatives believe the negotiated settlement is fair and in the best interests of the class members.

Under the terms of the settlement agreement, Veradigm has agreed to establish a $10,500,000 settlement fund to cover claims for benefits for the class members, settlement administration costs, and attorneys’ fees and costs, as approved by the court. Class members are entitled to submit a claim for up to $5,000 as reimbursement of documented, unreimbursed losses due to the data breach or, alternatively, may claim a cash payment, which is expected to be $50, but will be adjusted based on the number of valid claims received. Regardless of the option chosen, class members are also entitled to claim a two-year membership to a medical data monitoring product. Further information on what may be claimed can be found on the settlement website: https://veradigmdatasettlement.com/

The deadline for objection and opting out of the settlement is February 17, 2026. Claims must be submitted by March 3, 2026, and the final fairness hearing has been scheduled for March 18, 2026.

The post Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Tens of Thousands of Patients Affected by Two Business Associate Data Breaches

Posted by Steve Alder

Mid Michigan Medical Billing Service, a Flint, MI-based revenue cycle management company that provides billing support services to HIPAA-covered entities, has fallen victim to a cyberattack that exposed the sensitive data of patients of its healthcare clients.

Suspicious network activity was identified on March 27, 2025, and the forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The affected data was reviewed to determine the types of information involved and the affected individuals. Mid Michigan Medical Billing Service then notified the affected covered entity clients and worked with them to provide notice to the affected individuals.

The file review confirmed that the protected health information of 28,185 individuals had been exposed in the cyberattack. The compromised data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, driver’s license/ government issued identification number, Medicare/Medicaid identification number, diagnosis/treatment information, medical record number/patient account number, health insurance information, payment card number, employer identification number, passport number, treating/referring provider name, and biometric data. For a limited number of individuals, Social Security numbers were involved.

VillageCareMAX, New York

VillageCareMAX, a New York, NY-based provider of health plans and community healthcare services to seniors and individuals with chronic diseases, has announced a data breach involving one of its business associates, TMG Health.

VillageCareMAX uses the Cognizant-owned TMG Health to assist with the administration of its members’ health plans. TMG Health identified unauthorized activity within its information system on September 19, 2025. The unauthorized access was immediately terminated, and an investigation was launched to determine the nature and scope of the unauthorized activity. TMG Health determined that an unauthorized third party had access to its network for 10 months from November 20, 2024, to September 19, 2025. During that time, VillageCareMAX members’ protected health information may have been accessed and acquired.

The affected data included names, member identification numbers, health information, and Social Security numbers. While no misuse of that data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft recovery services. VillageCareMAX has received assurances that TMG Health has implemented technological and procedural enhancements to prevent similar incidents in the future.

VillageCareMAX provides services to more than 35,000 individuals each year. It is currently unclear how many of those individuals have been affected.

The post Tens of Thousands of Patients Affected by Two Business Associate Data Breaches appeared first on The HIPAA Journal.