Data breaches have recently been announced by the EHR vendor CareTracker (Amazing Charts) and the Wisconsin health system, Marshfield Clinic.

CareTracker (Amazing Charts)

CareTracker Inc., doing business as Amazing Charts, an electronic health record and practice management platform provider, has been affected by a security incident at one of its vendors. On June 19, 2025, Amazing Charts identified unusual activity within a system managed by a third-party vendor. Immediate action was taken to secure the vendor’s environment, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed unauthorized access to the service provider’s network between June 15, 2025, and June 19, 2025. Files were then reviewed to determine the individuals affected and the types of data involved. Due to the complexity of the data review, that process has only recently been completed.

Data potentially compromised in the incident included names in combination with one or more of the following: diagnoses, treatment information, physician names, medical record numbers, and health insurance information. Notification letters have recently been mailed to the affected individuals, and complimentary credit monitoring services have been offered for 12 months. At the time of notification, no misuse of the affected information had been identified.

Marshfield Clinic Health System

Marshfield Clinic Health System, an integrated health system serving Wisconsin and Michigan’s Upper Peninsula, identified unauthorized access to certain employee email accounts on or around August 27, 2025. The forensic investigation confirmed that an unauthorized third party had access to the accounts from August 26 to August 27, 2025, and potentially accessed or copied emails containing patient information. The types of information compromised in the incident varied from individual to individual and may have included names, medical record numbers, health insurance information, diagnosis, and treatment information.

The affected individuals are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post EHR Vendor Identifies Business Associate Data Breach appeared first on The HIPAA Journal.

Wakefield & Associates, a Knoxville, Tennessee-based vendor that offers revenue cycle & collections services to healthcare providers, has recently announced a security incident that was identified on or around January 17, 2025.

Wakefield & Associates explained in a website data breach notice that suspicious activity was identified within its computer systems, and the forensic investigation confirmed unauthorized access to files containing the protected health information of patients of its healthcare clients. Some of those files were exfiltrated from its network on or before January 17, 2025. The breach notice issued to the Maine Attorney General states that initial access occurred on January 14, 2025.

Following an extensive review of the exposed data, Wakefield & Associates determined on September 24, 2025, that some of the exposed files contained protected health information that was provided to the company by its healthcare clients. The information potentially compromised in the incident was mostly limited to names and collection account information, although for some individuals, it included their Social Security number, financial account information, driver’s license number/state identification number, and/or health information.

Wakefield & Associates is issuing notification letters on behalf of its affected clients and is offering the affected individuals complimentary credit monitoring and identity theft protection services. Existing security policies and procedures have been reviewed, and additional safeguards implemented to prevent similar incidents in the future.

The breach notice does not state the nature of the cyberattack, but this appears to have been a ransomware attack by the Akira threat group. Akira claimed in a February 11, 2025, listing on its dark web data leak site that it stole 13 GB of data in the attack, including patient and employee information.

Wakefield & Associates said law enforcement was notified, and the data security incident has been reported to regulators. The HHS’ Office for Civil Rights (OCR) breach portal has not been updated since late September due to the government shutdown, so it is currently unclear how many individuals have been affected. The Montana Attorney General was informed that 26,624 state residents were affected, and the Maine Attorney General was notified that 41 Maine residents were affected. Northern Montana Health Care has confirmed that it was one of the affected clients.

The post Wakefield & Associates Announces Breach of Client Data appeared first on The HIPAA Journal.

In its first-quarter earnings report, Conduent said it did not experience any material impacts to its operating environment or costs from the January 2025 cyberattack itself; however, it did incur $25 million in non-recurring expenses from direct response costs. Those losses have continued to increase, with a further $9 million added to that total for breach notifications through the end of September, according to its third-quarter earnings report.

Conduent also anticipates incurring a further $16 million in costs related to breach notifications by the first quarter of 2026, but said it holds a cyber insurance policy and anticipates that any additional notification costs will be covered by the insurance policy.

Further costs may be incurred due to the impacted data, reputational harm, litigation, and regulatory actions, which could impact the company’s financial position. As reported below, several lawsuits have already been filed in response to the data breach, and Conduent is certain to be investigated by the HHS’ Office for Civil Rights and state attorneys general. Regulatory fines may be imposed if Conduent is found to have violated state or federal regulations.

November 7, 2025: Lawsuits Mount Over 10.5 Million-Record Conduent Data Breach

A data breach affecting more than 10.5 million individuals was certain to trigger a barrage of lawsuits, and litigation has been swift, with at least 9 class action lawsuits already filed in response to the Conduent data breach in New Jersey federal court. That total is certain to grow over the coming days and weeks, as many law firms have announced that they have opened investigations regarding potential class action litigation.

The lawsuits make similar claims – that Conduent was negligent by failing to adequately protect its network against unauthorized access and for its alleged failure to provide adequate notifications to the individuals affected by the data breach. The cyberattack was first detected by Conduent in January 2025, three months after hackers first gained access to its network. Conduent first announced the data breach three months later, confirming that sensitive data had been exposed and that the incident affected a substantial number of individuals.

It naturally takes time to investigate any data breach and to determine the number of individuals affected and the types of data involved; however, the lawsuits take issue with the length of that process. It has taken 10 months from when the cyberattack was first detected for the scale of the breach to become clear and for the affected individuals to be notified that their sensitive information has been compromised. Notification letters started to be sent in October 2025, one year after Conduent’s network was first accessed by unauthorized individuals.

In addition to negligence and negligence per se, the lawsuits assert claims such as breach of third-party beneficiary contract and unjust enrichment, and seek a jury trial, compensatory, statutory, and punitive damages, and injunctive relief, requiring the court to order Conduent to implement a range of security measures to ensure sensitive data is adequately protected.

The threat group behind the attack may have been the Safepay ransomware group, which added Conduent to its data leak site in January 2025, although Conduent is not currently listed on the Safepay data leak blog. That often means that a ransom has been paid or the stolen data has been sold, although ransomware groups have been known to fabricate claims.

Class action lawsuits are mounting, but Conduent is also likely to face regulatory scrutiny over the data breach. States are likely to investigate a data breach of this magnitude to determine whether appropriate cybersecurity measures had been implemented in line with state laws and the HIPAA Security Rule. Questions are likely to be asked about how the hackers were able to gain access to such a large amount of sensitive data.

Conduent will also face scrutiny from the HHS’ Office for Civil Rights, which will seek to establish whether the data breach was the result of HIPAA compliance failures. While OCR HIPAA compliance investigations often take many months or years, OCR has indicated it is prioritizing high-impact incidents, as it did with the cyberattack on Change Healthcare, which affected north of 190 million individuals. There is, at this stage, no indication that Conduent has violated any regulations at the federal or state level.

October 28, 2025: More Than 10.5 Million Patients Affected by Conduent Business Solutions Data Breach

A data breach at a business associate of several HIPAA-covered entities and government agencies has resulted in the exposure and potential theft of the protected health information of more than 10.5 million patients. The Conduent Business Solutions data breach is the largest healthcare data breach to be announced so far this year, affecting almost twice as many individuals as the second-largest data breach, which was reported earlier this year by Yale New Haven Health. It also ranks as the 8th largest healthcare data breach in history.

Conduent Business Solutions provides a range of back-office services, including printing, mailing, document processing, payment integrity services, and other support services to government agencies and healthcare organizations. It is currently unknown how many HIPAA-regulated entities have been affected by the data breach.

Blue Cross and Blue Shield of Montana recently announced that it had been affected and that notification letters are being mailed to 462,000 individuals. Blue Cross and Blue Shield of Texas has announced that approximately 310,000 UT Select and UT Care plan members have been affected. The incident is also known to have affected Humana customers and Premera Blue Cross members, although it is unclear how many. Conduent provides services to government agencies such as the Wisconsin Department of Children and Families and Oklahoma Human Services (OHS), which experienced temporary disruption to some of their services due to the outage in January, although OHS was informed that it did not have sensitive data exposed in the incident.

State regulators have been informed that 10,515,849 patients have been affected, including more than 4 million individuals in Texas. It is unclear if any non-healthcare clients had data compromised in the incident. The Conduent Business Solutions data breach was reported to the U.S. Securities and Exchange Commission (SEC) in April. In the SEC filing, Conduent explained that a threat actor gained access to a limited portion of its network IT environment and obtained the data of “a significant number” of people. The incident is not yet shown on the HHS’ Office for Civil Rights (OCR) breach portal, which has not been updated by OCR since September 24, 2025, due to the government shutdown.

The intrusion was detected on January 13, 2025. Assisted by third-party digital forensics experts, Conduent determined that initial access occurred on October 21, 2024, with the threat actor maintaining access for almost three months until Conduent secured its network on January 13, 2025. Conduent said it restored access to the affected systems within days, and in some cases, within hours, and the incident did not have any material impact on its operations.

The investigation confirmed that the threat actor exfiltrated files associated with some of its clients. Due to the complexity of the data involved, it has taken several months to complete the file review and determine the individuals affected and the types of data involved. Individual notifications are now being mailed to the affected individuals.

Information compromised in the incident varies from company to company and individual to individual, potentially involving names, dates of birth, Social Security numbers, treatment information, and claims information. Based on the notice provided to the California Attorney General, complimentary credit monitoring and identity theft protection services do not appear to have been offered.

While the total cost of the cyberattack is not yet known, Conduent said in its May 2025 first-quarter earnings report that it incurred $25 million in direct costs related to the breach response. A cyber insurance policy is held, which will cover a proportion of the cost.

This post will be updated when further information is released.

The post Conduent Anticipates Data Breach Cost to Rise to $50M by Q1, 2026 appeared first on The HIPAA Journal.

Approximately 462,000 current and former customers of Blue Cross Blue Shield of Montana (BCBSMT) have been affected by a cyberattack on its New Jersey-based business associate, Conduent Business Services. Conduent Business Services provides BCBSMT with payment, document processing, and other back office services, which require access to BCBSMT members’ protected health information. On January 13, 2025, Conduent Business Services identified a security incident that caused operational disruption – terminology typically used to describe a ransomware attack.

Conduent Business Services was able to restore access to the affected systems and return to normal business operations within a few days. The investigation confirmed unauthorized access to its IT environment commencing on October 21, 2024, and lasting for almost three months. During that time, files were exfiltrated from its network. On April 9, 2025, Conduent Business Services disclosed the cyberattack in a filing with the U.S. Securities and Exchange Commission (SEC). At the time, it was unclear exactly how many individuals had been affected.

On October 8, 2025, Conduent Business Services notified the California Attorney General about the data breach, which reportedly affected approximately 4.3 million individuals. It is unclear how many of the company’s clients were affected by the breach, and if the breach affected any other HIPAA-covered entity clients. The breach is not currently listed on the HHS’ Office for Civil Rights website.

BCBSMT notified the Montana State Auditor’s Office about the data breach in early October, almost one year after the breach was first detected by its business associate. BCBSMT claims to have been notified that it was affected earlier this year and has been conducting its own investigation and reviewing the affected data. The review was not completed until September 23, 2025. The BCBSMT data breach is not listed on the OCR breach portal, although the breach portal has not been updated by OCR since September 24, 2025, due to the government shutdown. The Montana State News Bureau learned about the data breach after submitting a records request. The obtained documents indicate that up to 462,000 Montanans have been affected, and that the compromised information included names, birth dates, Social Security numbers, treatment and diagnosis codes, provider names, and claims amounts.

The Montana Commissioner of Securities and Insurance has launched an investigation to determine if there has been a violation of state data breach notification laws, which require individuals to be notified about a data breach in a timely manner. Breached entities must also notify the Department of Justice about a data breach without unreasonable delay, but there is currently no listing on the DOJ consumer protection website about the data breach. The state auditor is seeking answers to questions about the data breach and has requested a copy of its privacy and security policies. Should BCBSMT be determined to have failed to comply with state laws, financial penalties may be imposed.

The post Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members appeared first on The HIPAA Journal.

Outcomes One, a Florida-based business associate of health plans, has disclosed a phishing incident that has affected almost 150,000 individuals. Emergency Responders Health Center in Idaho has experienced an email breach affecting more than 1,500 individuals.

Outcomes One, Inc., Florida

Outcomes One, Inc., a Florida-based provider of medication therapy management and medication adherence technology solutions to health plans, is notifying 149,094 individuals about a recent email security incident. An employee identified unusual activity in his Outcomes One email account on July 1, 2025, and reported it to the security team. The email account was immediately secured, and an investigation was launched to determine the cause of the activity. The investigation confirmed that the breach was limited to a single employee email account, which had been accessed by an unauthorized third party following a response to a phishing email. Outcomes One said the attack was identified and remediated within an hour.

The account was reviewed and found to contain names in combination with one or more of the following: demographic information, health insurance information, medication information, and medical provider names. The breach notice provided to the California Attorney General indicates the affected individuals had Aetna Health Insurance plans. Outcomes One has provided additional training for the workforce to help with phishing email identification, and additional safeguards have been implemented to reduce the risk of similar breaches in the future.

Emergency Responders Health Center

Emergency Responders Health Center in Boise, Idaho (EHRC), has recently disclosed an email security incident. Unusual activity was identified in an employee’s email account on April 11, 2025. The account was secured, and an investigation was launched to determine the nature and scope of the activity. Assisted by third-party cybersecurity experts, EHRC determined that several email accounts had been accessed by an unauthorized third party. All email accounts have now been secured.

EHRC published a substitute breach notice on its website on July 23, 2025; however, at the time, the investigation and review of the affected accounts were ongoing, so it was not possible to state how many individuals had been affected or the types of information involved. The list of affected individuals was finalized on September 16, 2025, when it was confirmed that a total of 1,528 individuals had been affected, including 526 residents of Washington state. The exposed information included names, dates of birth, driver’s license numbers, Social Security Numbers, medical information, and health insurance information.

Notification letters started to be mailed to the affected individuals on September 26, 2025. To date, EHRC has not identified any misuse of the impacted data, but as a precaution, has offered the affected individuals a complimentary 12-month membership to a credit monitoring and identity theft protection service. EHRC said several steps have been taken to prevent similar breaches in the future. Staff members have received additional security training, user credentials have been changed, and monitoring has been enhanced.

The post Florida Medication Management Provider Discloses 150K-record Data Breach appeared first on The HIPAA Journal.

Central Valley Regional Center, a Fresno, California-based state-funded provider of services to individuals with developmental disabilities, has notified patients about the recent exposure of physical documents containing their personal information. The number of affected individuals has yet to be announced.

Central Valley Regional Center employed a new vendor that provided janitorial services. In July, Central Valley Regional Center discovered that the company had been disposing of confidential documents along with regular trash. The documents had been placed in bins for confidential waste and should have been shredded. The vendor had been emptying the shredding bins and disposing of the documents in trash bags along with regular waste.

The investigation revealed that the improper disposal of documents occurred between March 2025 and July 2025 at one Central Valley Regional Center facility only. The documents likely included information such as names, addresses, dates of birth, other personal data, medical information, and Social Security numbers. The incident has been reported to law enforcement, the California Attorney General, the California State Department of Developmental Services, and all vendor contracts have been reviewed, along with policies relating to data privacy and security protocols.

Further, steps have been taken to prevent similar incidents in the future, including adding locks to all shredding bins, restricting access to shredding bits to its approved shredding service provider, revising janitorial service procedures to provide more explicit instructions on waste disposal, adding signage regarding proper waste disposal procedures, implementing routine audits to ensure compliance with internal policies and procedures, and affirming expectations regarding confidentiality and data protection with its vendors. The affected individuals have been notified by mail and have been offered identity protection services.

Improper disposal incidents are relatively rare, yet they can result in the exposure of large amounts of PHI. The incident should serve as a warning to other healthcare organizations about the importance of providing clear instructions to service providers about their responsibilities with respect to confidential information, including service providers who may encounter physical PHI.

The post California Business Associate Improperly Disposed of Patient Data appeared first on The HIPAA Journal.

A cyberattack on a business associate has resulted in unauthorized access to the protected health information of patients of Keys Pathology Associates in Texas. Assisted Living patients of Pharmacy Service in Wisconsin and the American Association of Critical-Care Nurses in California have also announced data breaches.

Keys Pathology Associates, Texas

In July 2025, Keys Pathology Associates in Marathon, Texas, reported a hacking-related data breach to the HHS’ Office for Civil Rights that affected up to 20,000 individuals. The Maine Attorney General has now been notified, and the breach report indicates fewer individuals were affected than the initial estimate: 13,756 individuals, including 26 Maine residents.

The incident did not occur at Keys Pathology, but rather at a business associate that Keys Pathology used for billing services.  The vendor, Genesis Billing Services in North Carolina, was provided with patient data, which was maintained on a third-party server outside the control of Keys Pathology. Keys Pathology was notified by its vendor on May 27, 2025, that an unauthorized third party had accessed the server on or around May 20, 2025, and deployed ransomware after downloading all data from the server.  On August 21, 2025, Keys Pathology was provided with an unstructured data file containing the copied data, and work commenced on deciphering patient names and contact information. Notification letters are now being sent, and complimentary single-bureau credit monitoring, credit score, and credit report services have been offered.

Data potentially stolen in the incident varies from individual to individual and may include first and last names, addresses, dates of birth, phone numbers, Social Security numbers, driver’s license numbers, and health information. Keys Pathology said it takes data security seriously, which was a major reason why a third-party vendor was used to host patient data. As a result of the data breach, Keys Pathology has stopped using Genesis for billing services.

Assisted Living Pharmacy Service, Wisconsin

Assisted Living Pharmacy Service LLC (ALPS) in Menomonee Falls, Wisconsin, has announced a cyberattack that was identified on or around June 26, 2025. According to its substitute breach notice, the investigation confirmed unauthorized access to its network between June 25, 2025, and June 27, 2025, during which time certain data on the network was either accessed or acquired.

A review of the affected files determined that they included faxes sent to ALPS in connection with the prescription services it provided between January 2024 and June 2025. The faxes contained names along with addresses, dates of birth, driver’s license/state identification numbers, other identifiers, Social Security numbers, diagnosis/condition information, lab test results, medications, other treatment information, claims information, financial account or payment card information, and/or other financial information.

The affected individuals have been advised to monitor their accounts, explanation of benefits statements, and free credit reports for suspicious activity. While not mentioned in the breach notice, the attack appears to have been conducted by the Qilin ransomware group, which claimed responsibility for the attack and added ALPS to its dark web data leak site on August 12, 2025. The listing includes limited examples of files stolen in the attack, some of which are face sheet profiles of residents. Currently, there has been no data dump. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The American Association of Critical-Care Nurses, California

The American Association of Critical-Care Nurses (AACN) in Aliso Viejo, California, has recently disclosed a data breach that has affected 57,526 individuals. AACN is a nonprofit specialty nursing organization that provides professional and personal support to its members. While not a HIPAA-regulated entity, AACN likely provides support services to some HIPAA Journal readers.

On July 31, 2025, AACN determined that its website payment system had been accessed by an unauthorized third party beginning on March 8, 2025. Payment card information associated with certain website transactions was accessed by an unauthorized third party. Since it was not possible to determine whose payment card information was accessed, notification letters were sent to all potentially affected individuals. Data potentially accessed included names, card numbers, expiry dates, CVVs, and contact information associated with transactions on the site, which may have included billing and shipping addresses, phone numbers, and email addresses. The affected individuals have been offered two years of complimentary credit and identity monitoring services, and security enhancements have been made to prevent similar incidents in the future.

The post Business Associate Hacking Incident Affects Keys Pathology Patients appeared first on The HIPAA Journal.