Two sleep specialists, Persante Health Care in New Jersey and SomnoSleep Consultants in Virginia, have recently disclosed security incidents that exposed patient information.

Persante Health Care Patients Informed About January 2025 Cyberattack

Persante Health Care, a Mount Laurel Township, NJ-based national provider of sleep and balance center management services to hospitals and physician practices, has announced a security incident that was detected on or around January 28, 2025.

Unusual activity was identified within its computer network and, assisted by third-party cybersecurity experts, it was determined that an unauthorized third party accessed its network between January 23 and January 28, 2025. During that time, files containing patient information may have been accessed or acquired. It took more than 8 months to review the affected files to determine whether patient data had been exposed. On October 3, 2025, the data review confirmed that personal and protected health information was involved.

The exposed data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, Social Security number, driver’s license number, state identification number, passport number, government identification number, taxpayer identification number, date(s) of service, physician or facility name, patient account number, medical record number, financial account information, payment card number, medical device identifier(s), and/or biometric identifier(s).

The Federal Bureau of Investigation was informed about the cyberattack, and Persante Health Care is assisting with the investigation. Additional measures have been implemented to reduce the risk of similar incidents in the future, and the affected individuals were notified by mail on November 26, 2025. The number of affected individuals has yet to be publicly disclosed.

SomnoSleep Consultants’ Patients Affected by Business Associate Data Breach

Patients of Annadale, VA-based SomnoSleep Consultants have been notified about a security incident at a third-party billing vendor, Avosina Healthcare Solutions. The vendor detected unauthorized access to its network on July 29, 2025, in what appears to have been a ransomware attack. Avosina said it was able to restore its services from backups; therefore, no ransom was paid. The FBI was notified, and third-party cybersecurity experts were engaged to determine the nature and scope of the incident and implement additional security measures to protect against further attacks.

The investigation confirmed that some documents were exfiltrated from its network. The analysis of those files confirmed that they contained patients’ names, addresses, medical information, and health insurance information. SomnoSleep said there was no unauthorized access to any files part of its electronic medical record system.

Avosina notified SomnoSleep about the attack on September 29, 2025, and on November 17, 2025, SomnoSleep provided additional information on the affected patients and delegated the responsibility for sending notification letters to its business associate. SomnoSleep said that no evidence has been found to indicate that any of the impacted patient data has been misused.

Avosina confirmed to SomnoSleep that steps have been taken to correct the vulnerability that was exploited by the threat actor, and other security measures have been implemented to protect against any further unauthorized network access. Internal data management protocols have also been reviewed.

The post Patient Data Compromised in Cyberattacks on Sleep Specialists appeared first on The HIPAA Journal.

The Danville, Pennsylvania-based healthcare provider Geisinger Health and its former IT vendor Nuance Communications, Inc., have agreed to a $5 million settlement to resolve class action litigation over a 2023 insider data breach involving a former Nuance Communications employee.

On or around November 29, 2023, Geisinger Health learned that a former Nuance Communications employee, Andre J. Burk (also known as Max Vance), accessed the sensitive data of Geisinger Health patients two days after he was terminated by Nuance Communications. The data had been provided to Nuance Communications in connection with the services the IT company was contracted to provide. The breach was detected by Geisinger Health, rather than Nuance Communications, and it alerted its IT vendor about the breach.

Under HIPAA, business associates of HIPAA-regulated entities must comply with the HIPAA Security Rule, one of the requirements of which is to ensure that access rights are immediately revoked when employees are terminated. When notified about the unauthorized access, Nuance Communications terminated the former employee’s access rights and launched an investigation, which revealed that the former employee had potentially obtained the protected health information of more than 1.2 million Geisinger Health patients, including names, dates of birth, Social Security numbers, medical information, and health insurance information.

The affected individuals started to be notified about the data breach on June 24, 2024. The delay in notification was at the request of law enforcement. The HHS’ Office for Civil Rights was informed that the protected health information of 1,276,026 individuals was involved. Max Vance is now facing criminal charges over the data theft – one count of obtaining information from a protected computer – and his trial is scheduled for early January 2026.

Several lawsuits were filed against Geisinger Health and Nuance Communications, Inc. in response to the data breach, which were consolidated into a single action in July 2024 – In re: Geisinger Health Data Security Incident Litigation – in the U.S. District Court for the Middle District of Pennsylvania. The consolidated lawsuit alleged that the defendants failed to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard the plaintiffs’ and class members’ personal and protected health information.

The lawsuit alleged that Geisinger Health failed to ensure that its vendors employed reasonable security measures, that Nuance Communications failed to properly monitor systems for intrusions, there was insufficient network segmentation, and a failure to comply with FTC guidelines, the HIPAA Rules, and the defendants did not adhere to industry standard cybersecurity measures. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and declaratory judgment and injunctive relief against both defendants, and breach of fiduciary duty against defendant Geisinger Health.

The defendants disagree with the claims in the lawsuit; however, they chose to settle with no admission of wrongdoing to avoid the expense and uncertainty of a trial and related appeals. The settlement received preliminary approval from District Court Judge Matthew W. Brann on November 18, 2025. Under the terms of the settlement, the defendants will establish a $5,000,000 settlement fund, from which attorneys’ fees and expenses, service awards, and settlement administration costs will be deducted. The remainder of the funds will be used to pay benefits to the class members.

The class consists of 1,308,363 class members who may choose to receive a one-year membership to a credit monitoring and identity theft protection service. In addition, a claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to $5,000 per class member. Alternatively, instead of a claim for reimbursement of losses, class members may choose to receive a pro rata cash payment. The final approval hearing has been scheduled for March 16, 2026, and claims must be submitted by March 18, 2026.

June 24, 2024: Geisinger: Former Business Associate Employee Unlawfully Accessed PHI of More Than 1.2 Million Patients

More than one million Geisinger patients are being notified that their protected health information has been unlawfully accessed by a former employee of one of its business associates, Nuance Communications.

Nuance Communications provides information technology services to Geisinger, which requires access to systems containing patient information. On November 29, 2023, Geisinger detected unauthorized access to patient data by a former Nuance employee and immediately notified Nuance about the incident. Nuance immediately terminated the former employee’s access and launched an investigation, which confirmed that the former employee accessed patient data two days after they were terminated.

The former employee may have viewed and acquired the data of more than one million Geisinger patients. The data varied from patient to patient and may have included names, addresses, phone numbers, dates of birth, admission/discharge/transfer codes, medical record numbers, facility name abbreviations, and race and gender information. Nuance has confirmed that the employee did not have access to Social Security numbers, financial information, or claims/insurance information.

The Department of Justice can pursue criminal charges for HIPAA violations under the Social Security Act when individuals knowingly violate HIPAA. When an employee of a HIPAA-covered entity or business associate has their employment terminated, HIPAA still applies. The penalties for accessing and obtaining protected health information are severe and can include a hefty fine and jail time. A tier 1 violation carries a maximum penalty of up to a year in jail, a tier 2 violation carries a jail term of up to 5 years, and a sentence of up to 10 years in jail is possible for a tier 3 violation – obtaining PHI for personal gain or with malicious intent. Geisinger has confirmed that the unauthorized access was reported to law enforcement and the former Nuance employee has been arrested and is facing federal criminal charges.

Due to the high risk of unauthorized access to patient data by former employees, HIPAA-covered entities and their business associates are required to develop and implement procedures for terminating access to electronic protected health information when employment comes to an end under the workforce security standard of the HIPAA Security Rule – 45 CFR § 164.308 (3)(ii)(C). This incident clearly shows why it is vital to revoke access immediately upon termination of employment. The HHS’ Office for Civil Rights has taken action over violations of this Security Rule provision in 2020 (City of New Haven) and 2018 (Pagosa Springs Medical Center).

The Risant Health-owned health system has confirmed that Nuance Communications is mailing notifications to the affected individuals. Patients have been advised to review the statements they receive from their health plans and contact their health insurer if any services appear on their statements that they have not received. A helpline has been set up for individuals requiring further information about the breach – 855-575-8722. The helpline is manned from 9 a.m. to 9 p.m. ET Monday to Friday. Callers should quote engagement number B124651.

The breach was reported to the HHS’ Office for Civil Rights as affecting 1,276,026 individuals.

This article has been updated to state the number of people affected by the breach, as that information was unavailable at the time of the initial post.

The post Geisinger Health & Nuance Communications Data Breach Litigation Settled for $5 Million appeared first on The HIPAA Journal.

Data breaches have recently been announced by the EHR vendor CareTracker (Amazing Charts) and the Wisconsin health system, Marshfield Clinic.

CareTracker (Amazing Charts)

CareTracker Inc., doing business as Amazing Charts, an electronic health record and practice management platform provider, has been affected by a security incident at one of its vendors. On June 19, 2025, Amazing Charts identified unusual activity within a system managed by a third-party vendor. Immediate action was taken to secure the vendor’s environment, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed unauthorized access to the service provider’s network between June 15, 2025, and June 19, 2025. Files were then reviewed to determine the individuals affected and the types of data involved. Due to the complexity of the data review, that process has only recently been completed.

Data potentially compromised in the incident included names in combination with one or more of the following: diagnoses, treatment information, physician names, medical record numbers, and health insurance information. Notification letters have recently been mailed to the affected individuals, and complimentary credit monitoring services have been offered for 12 months. At the time of notification, no misuse of the affected information had been identified.

Marshfield Clinic Health System

Marshfield Clinic Health System, an integrated health system serving Wisconsin and Michigan’s Upper Peninsula, identified unauthorized access to certain employee email accounts on or around August 27, 2025. The forensic investigation confirmed that an unauthorized third party had access to the accounts from August 26 to August 27, 2025, and potentially accessed or copied emails containing patient information. The types of information compromised in the incident varied from individual to individual and may have included names, medical record numbers, health insurance information, diagnosis, and treatment information.

The affected individuals are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post EHR Vendor Identifies Business Associate Data Breach appeared first on The HIPAA Journal.

Wakefield & Associates, a Knoxville, Tennessee-based vendor that offers revenue cycle & collections services to healthcare providers, has recently announced a security incident that was identified on or around January 17, 2025.

Wakefield & Associates explained in a website data breach notice that suspicious activity was identified within its computer systems, and the forensic investigation confirmed unauthorized access to files containing the protected health information of patients of its healthcare clients. Some of those files were exfiltrated from its network on or before January 17, 2025. The breach notice issued to the Maine Attorney General states that initial access occurred on January 14, 2025.

Following an extensive review of the exposed data, Wakefield & Associates determined on September 24, 2025, that some of the exposed files contained protected health information that was provided to the company by its healthcare clients. The information potentially compromised in the incident was mostly limited to names and collection account information, although for some individuals, it included their Social Security number, financial account information, driver’s license number/state identification number, and/or health information.

Wakefield & Associates is issuing notification letters on behalf of its affected clients and is offering the affected individuals complimentary credit monitoring and identity theft protection services. Existing security policies and procedures have been reviewed, and additional safeguards implemented to prevent similar incidents in the future.

The breach notice does not state the nature of the cyberattack, but this appears to have been a ransomware attack by the Akira threat group. Akira claimed in a February 11, 2025, listing on its dark web data leak site that it stole 13 GB of data in the attack, including patient and employee information.

Wakefield & Associates said law enforcement was notified, and the data security incident has been reported to regulators. The HHS’ Office for Civil Rights (OCR) breach portal has not been updated since late September due to the government shutdown, so it is currently unclear how many individuals have been affected. The Montana Attorney General was informed that 26,624 state residents were affected, and the Maine Attorney General was notified that 41 Maine residents were affected. Northern Montana Health Care has confirmed that it was one of the affected clients.

The post Wakefield & Associates Announces Breach of Client Data appeared first on The HIPAA Journal.

In its first-quarter earnings report, Conduent said it did not experience any material impacts to its operating environment or costs from the January 2025 cyberattack itself; however, it did incur $25 million in non-recurring expenses from direct response costs. Those losses have continued to increase, with a further $9 million added to that total for breach notifications through the end of September, according to its third-quarter earnings report.

Conduent also anticipates incurring a further $16 million in costs related to breach notifications by the first quarter of 2026, but said it holds a cyber insurance policy and anticipates that any additional notification costs will be covered by the insurance policy.

Further costs may be incurred due to the impacted data, reputational harm, litigation, and regulatory actions, which could impact the company’s financial position. As reported below, several lawsuits have already been filed in response to the data breach, and Conduent is certain to be investigated by the HHS’ Office for Civil Rights and state attorneys general. Regulatory fines may be imposed if Conduent is found to have violated state or federal regulations.

November 7, 2025: Lawsuits Mount Over 10.5 Million-Record Conduent Data Breach

A data breach affecting more than 10.5 million individuals was certain to trigger a barrage of lawsuits, and litigation has been swift, with at least 9 class action lawsuits already filed in response to the Conduent data breach in New Jersey federal court. That total is certain to grow over the coming days and weeks, as many law firms have announced that they have opened investigations regarding potential class action litigation.

The lawsuits make similar claims – that Conduent was negligent by failing to adequately protect its network against unauthorized access and for its alleged failure to provide adequate notifications to the individuals affected by the data breach. The cyberattack was first detected by Conduent in January 2025, three months after hackers first gained access to its network. Conduent first announced the data breach three months later, confirming that sensitive data had been exposed and that the incident affected a substantial number of individuals.

It naturally takes time to investigate any data breach and to determine the number of individuals affected and the types of data involved; however, the lawsuits take issue with the length of that process. It has taken 10 months from when the cyberattack was first detected for the scale of the breach to become clear and for the affected individuals to be notified that their sensitive information has been compromised. Notification letters started to be sent in October 2025, one year after Conduent’s network was first accessed by unauthorized individuals.

In addition to negligence and negligence per se, the lawsuits assert claims such as breach of third-party beneficiary contract and unjust enrichment, and seek a jury trial, compensatory, statutory, and punitive damages, and injunctive relief, requiring the court to order Conduent to implement a range of security measures to ensure sensitive data is adequately protected.

The threat group behind the attack may have been the Safepay ransomware group, which added Conduent to its data leak site in January 2025, although Conduent is not currently listed on the Safepay data leak blog. That often means that a ransom has been paid or the stolen data has been sold, although ransomware groups have been known to fabricate claims.

Class action lawsuits are mounting, but Conduent is also likely to face regulatory scrutiny over the data breach. States are likely to investigate a data breach of this magnitude to determine whether appropriate cybersecurity measures had been implemented in line with state laws and the HIPAA Security Rule. Questions are likely to be asked about how the hackers were able to gain access to such a large amount of sensitive data.

Conduent will also face scrutiny from the HHS’ Office for Civil Rights, which will seek to establish whether the data breach was the result of HIPAA compliance failures. While OCR HIPAA compliance investigations often take many months or years, OCR has indicated it is prioritizing high-impact incidents, as it did with the cyberattack on Change Healthcare, which affected north of 190 million individuals. There is, at this stage, no indication that Conduent has violated any regulations at the federal or state level.

October 28, 2025: More Than 10.5 Million Patients Affected by Conduent Business Solutions Data Breach

A data breach at a business associate of several HIPAA-covered entities and government agencies has resulted in the exposure and potential theft of the protected health information of more than 10.5 million patients. The Conduent Business Solutions data breach is the largest healthcare data breach to be announced so far this year, affecting almost twice as many individuals as the second-largest data breach, which was reported earlier this year by Yale New Haven Health. It also ranks as the 8th largest healthcare data breach in history.

Conduent Business Solutions provides a range of back-office services, including printing, mailing, document processing, payment integrity services, and other support services to government agencies and healthcare organizations. It is currently unknown how many HIPAA-regulated entities have been affected by the data breach.

Blue Cross and Blue Shield of Montana recently announced that it had been affected and that notification letters are being mailed to 462,000 individuals. Blue Cross and Blue Shield of Texas has announced that approximately 310,000 UT Select and UT Care plan members have been affected. The incident is also known to have affected Humana customers and Premera Blue Cross members, although it is unclear how many. Conduent provides services to government agencies such as the Wisconsin Department of Children and Families and Oklahoma Human Services (OHS), which experienced temporary disruption to some of their services due to the outage in January, although OHS was informed that it did not have sensitive data exposed in the incident.

State regulators have been informed that 10,515,849 patients have been affected, including more than 4 million individuals in Texas. It is unclear if any non-healthcare clients had data compromised in the incident. The Conduent Business Solutions data breach was reported to the U.S. Securities and Exchange Commission (SEC) in April. In the SEC filing, Conduent explained that a threat actor gained access to a limited portion of its network IT environment and obtained the data of “a significant number” of people. The incident is not yet shown on the HHS’ Office for Civil Rights (OCR) breach portal, which has not been updated by OCR since September 24, 2025, due to the government shutdown.

The intrusion was detected on January 13, 2025. Assisted by third-party digital forensics experts, Conduent determined that initial access occurred on October 21, 2024, with the threat actor maintaining access for almost three months until Conduent secured its network on January 13, 2025. Conduent said it restored access to the affected systems within days, and in some cases, within hours, and the incident did not have any material impact on its operations.

The investigation confirmed that the threat actor exfiltrated files associated with some of its clients. Due to the complexity of the data involved, it has taken several months to complete the file review and determine the individuals affected and the types of data involved. Individual notifications are now being mailed to the affected individuals.

Information compromised in the incident varies from company to company and individual to individual, potentially involving names, dates of birth, Social Security numbers, treatment information, and claims information. Based on the notice provided to the California Attorney General, complimentary credit monitoring and identity theft protection services do not appear to have been offered.

While the total cost of the cyberattack is not yet known, Conduent said in its May 2025 first-quarter earnings report that it incurred $25 million in direct costs related to the breach response. A cyber insurance policy is held, which will cover a proportion of the cost.

This post will be updated when further information is released.

The post Conduent Anticipates Data Breach Cost to Rise to $50M by Q1, 2026 appeared first on The HIPAA Journal.

Approximately 462,000 current and former customers of Blue Cross Blue Shield of Montana (BCBSMT) have been affected by a cyberattack on its New Jersey-based business associate, Conduent Business Services. Conduent Business Services provides BCBSMT with payment, document processing, and other back office services, which require access to BCBSMT members’ protected health information. On January 13, 2025, Conduent Business Services identified a security incident that caused operational disruption – terminology typically used to describe a ransomware attack.

Conduent Business Services was able to restore access to the affected systems and return to normal business operations within a few days. The investigation confirmed unauthorized access to its IT environment commencing on October 21, 2024, and lasting for almost three months. During that time, files were exfiltrated from its network. On April 9, 2025, Conduent Business Services disclosed the cyberattack in a filing with the U.S. Securities and Exchange Commission (SEC). At the time, it was unclear exactly how many individuals had been affected.

On October 8, 2025, Conduent Business Services notified the California Attorney General about the data breach, which reportedly affected approximately 4.3 million individuals. It is unclear how many of the company’s clients were affected by the breach, and if the breach affected any other HIPAA-covered entity clients. The breach is not currently listed on the HHS’ Office for Civil Rights website.

BCBSMT notified the Montana State Auditor’s Office about the data breach in early October, almost one year after the breach was first detected by its business associate. BCBSMT claims to have been notified that it was affected earlier this year and has been conducting its own investigation and reviewing the affected data. The review was not completed until September 23, 2025. The BCBSMT data breach is not listed on the OCR breach portal, although the breach portal has not been updated by OCR since September 24, 2025, due to the government shutdown. The Montana State News Bureau learned about the data breach after submitting a records request. The obtained documents indicate that up to 462,000 Montanans have been affected, and that the compromised information included names, birth dates, Social Security numbers, treatment and diagnosis codes, provider names, and claims amounts.

The Montana Commissioner of Securities and Insurance has launched an investigation to determine if there has been a violation of state data breach notification laws, which require individuals to be notified about a data breach in a timely manner. Breached entities must also notify the Department of Justice about a data breach without unreasonable delay, but there is currently no listing on the DOJ consumer protection website about the data breach. The state auditor is seeking answers to questions about the data breach and has requested a copy of its privacy and security policies. Should BCBSMT be determined to have failed to comply with state laws, financial penalties may be imposed.

The post Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members appeared first on The HIPAA Journal.

Outcomes One, a Florida-based business associate of health plans, has disclosed a phishing incident that has affected almost 150,000 individuals. Emergency Responders Health Center in Idaho has experienced an email breach affecting more than 1,500 individuals.

Outcomes One, Inc., Florida

Outcomes One, Inc., a Florida-based provider of medication therapy management and medication adherence technology solutions to health plans, is notifying 149,094 individuals about a recent email security incident. An employee identified unusual activity in his Outcomes One email account on July 1, 2025, and reported it to the security team. The email account was immediately secured, and an investigation was launched to determine the cause of the activity. The investigation confirmed that the breach was limited to a single employee email account, which had been accessed by an unauthorized third party following a response to a phishing email. Outcomes One said the attack was identified and remediated within an hour.

The account was reviewed and found to contain names in combination with one or more of the following: demographic information, health insurance information, medication information, and medical provider names. The breach notice provided to the California Attorney General indicates the affected individuals had Aetna Health Insurance plans. Outcomes One has provided additional training for the workforce to help with phishing email identification, and additional safeguards have been implemented to reduce the risk of similar breaches in the future.

Emergency Responders Health Center

Emergency Responders Health Center in Boise, Idaho (EHRC), has recently disclosed an email security incident. Unusual activity was identified in an employee’s email account on April 11, 2025. The account was secured, and an investigation was launched to determine the nature and scope of the activity. Assisted by third-party cybersecurity experts, EHRC determined that several email accounts had been accessed by an unauthorized third party. All email accounts have now been secured.

EHRC published a substitute breach notice on its website on July 23, 2025; however, at the time, the investigation and review of the affected accounts were ongoing, so it was not possible to state how many individuals had been affected or the types of information involved. The list of affected individuals was finalized on September 16, 2025, when it was confirmed that a total of 1,528 individuals had been affected, including 526 residents of Washington state. The exposed information included names, dates of birth, driver’s license numbers, Social Security Numbers, medical information, and health insurance information.

Notification letters started to be mailed to the affected individuals on September 26, 2025. To date, EHRC has not identified any misuse of the impacted data, but as a precaution, has offered the affected individuals a complimentary 12-month membership to a credit monitoring and identity theft protection service. EHRC said several steps have been taken to prevent similar breaches in the future. Staff members have received additional security training, user credentials have been changed, and monitoring has been enhanced.

The post Florida Medication Management Provider Discloses 150K-record Data Breach appeared first on The HIPAA Journal.