BA Breach & Fines Examples

April 2026 Healthcare Data Breach Report

In April 2026, 47 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). That represents a 33.8% reduction in large healthcare data breaches from the 71 large data breaches reported in March 2026, and well below the 12-month average of 62.4 data breaches per month.

[Chart: Healthcare data breaches in the past 12 months (April 2026)]

The year-to-date figures also show a reduction in large healthcare data breaches. From January 1 to April 30, 252 large healthcare data breaches have been reported by HIPAA-regulated entities, compared to 276 (-8.7%) for the corresponding period in 2025 and 299 (-15.7%) for the corresponding period in 2024.

[Chart: Healthcare data breaches, January 1 to April 30 (2022-2026)]

Across the 47 data breaches, the protected health information of 1,336,264 individuals was exposed or impermissibly disclosed – the second lowest monthly total in the past 12 months, and currently an 84.9% reduction from March 2026. The number of affected individuals is likely to increase, as some regulated entities have reported breaches with placeholder estimates of 500 or 501 affected individuals.

[Chart: Individuals affected by healthcare data breaches in the past 12 months (April 2026)]

The year-to-date figures for affected individuals are encouraging. From January 1 to April 30, the protected health information of 20.1 million individuals has been breached, and while that is a sizeable figure, it is a reduction of 25.5% from the corresponding period in 2025 and a reduction of 48.8% from the corresponding period in 2024.

[Chart: Individuals affected by healthcare data breaches, January 1 to April 30 (2022-2026)]

The Biggest Healthcare Data Breaches Reported in April 2026

In April, 15 data breaches affecting 10,000 or more individuals were reported to the HHS’ Office for Civil Rights, all but one of which were hacking incidents. The biggest data breach of the month was reported by the medical group Florida Physician Specialists, involving unauthorized access to the protected health information of 276,498 individuals. Two of the 15 data breaches were confirmed ransomware attacks, and one incident involved unauthorized access by “a business counterparty” after access was thought to have been terminated.

Regulated Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Cause of Breach
Florida Physician Specialists | FL | Healthcare Provider | 276,498 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed
Southern Illinois Dermatology | IL | Healthcare Provider | 160,312 | Hacking/IT Incident | Network Server | Hacking incident
Laurel Eye Clinic | PA | Healthcare Provider | 145,221 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed
Innovative Scientific Solutions, LLC | SC | Healthcare Provider | 143,842 | Hacking/IT Incident | Network Server | Hacking incident
Hospital Caribbean Medical Center | PR | Healthcare Provider | 92,000 | Hacking/IT Incident | Network Server | Ransomware attack (The Gentlemen) – Data theft confirmed
Tri-Cities Gastroenterology | TN | Healthcare Provider | 67,115 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed
City Health, a medical corporation | CA | Healthcare Provider | 65,000 | Unauthorized Access/Disclosure | Electronic Medical Record | Access to its electronic medical record system by a former business counterparty after termination
Hematology Oncology Consultants | MI | Healthcare Provider | 62,972 | Hacking/IT Incident | Network Server | Hacking incident – Data theft likely
GrayRobinson, P.A. | FL | Business Associate | 54,131 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed
Rocky Mountain Associated Physicians, P.C. | UT | Healthcare Provider | 50,640 | Hacking/IT Incident | Network Server | Hacking incident
Heart South Cardiovascular Group | AL | Healthcare Provider | 46,666 | Hacking/IT Incident | Network Server | Hacking incident
Mt. Spokane Pediatrics | WA | Healthcare Provider | 32,021 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed
University of Nebraska Medical Center | NE | Healthcare Provider | 26,937 | Hacking/IT Incident | Network Server | Hacking of a third-party software application
Liberty Bankers Life Ins. Co. | TX | Health Plan | 20,202 | Hacking/IT Incident | Network Server | Hacking incident at a business associate
Bayside Dental | WA | Healthcare Provider | 10,216 | Hacking/IT Incident | Network Server | Ransomware attack (Sinobi) – Data theft claimed

Three data breaches were reported in April before data reviews had been completed. Placeholder figures of 500 or 501 affected individuals were used and will be updated when the file reviews are concluded.

Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Spokane Digestive Disease Center, P.S. | WA | Healthcare Provider | 501 | Unauthorized access to its email environment
FMRS Health Systems, Inc. | WV | Healthcare Provider | 500 | Hacking incident – Data theft confirmed
CARE Clinic | MN | Healthcare Provider | 500 | Unauthorized access to its email environment

Causes of April 2026 Healthcare Data Breaches

Hacking and other types of IT incidents dominated the breach reports in April, accounting for 36 (76.6%) of the 47 reported large data breaches. Across those incidents, the protected health information of 1,240,571 individuals was exposed or impermissibly disclosed. Hacking/IT incidents accounted for 92.8% of the affected individuals in April. The average breach size was 32,883 individuals, and the median breach size was 4,547 individuals.

[Chart: Causes of April 2026 healthcare data breaches]

There were 9 unauthorized access/disclosure incidents in April, which accounted for 19.1% of the month’s data breaches. Across those incidents, the protected health information of 86,717 individuals was accessed without authorization or was impermissibly disclosed – 6.5% of the month’s affected individuals. The average breach size was 9,635 individuals, and the median breach size was 1,467 individuals. There were no loss, theft, or improper disposal incidents in April.

[Chart: Location of breached PHI in April 2026]

States Affected by April 2026 Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 25 states, the District of Columbia, and Puerto Rico in April. California was the worst-affected state in terms of data breaches, while Florida was the worst-affected state in terms of the number of individuals affected.

April 2026 Healthcare Data Breaches

State | Breaches
California | 6
Texas, Washington | 4
Florida, Virginia | 3
Illinois, Minnesota, Oklahoma, Pennsylvania, West Virginia | 2
Alabama, Delaware, Iowa, Indiana, Kentucky, Maryland, Michigan, Missouri, Nebraska, New Jersey, New York, South Carolina, Tennessee, Utah, Vermont, the District of Columbia, Puerto Rico | 1

Individuals Affected by April 2026 Healthcare Data Breaches

State | Individuals Affected
Florida | 331,316
Illinois | 162,203
Pennsylvania | 145,976
South Carolina | 143,842
Puerto Rico | 92,000
California | 78,846
Tennessee | 67,115
Michigan | 62,972
Utah | 50,640
Alabama | 46,666
Washington | 46,202
Nebraska | 26,937
Texas | 26,648
Oklahoma | 8,233
Maryland | 7,213
Iowa | 6,717
Indiana | 5,900
Vermont | 5,892
Minnesota | 5,885
Kentucky | 3,677
Virginia | 2,552
New York | 2,123
Missouri | 2,027
West Virginia | 1,500
District of Columbia | 1,467

April 2026 Data Breaches at HIPAA Regulated Entities

In April 2026, 36 data breaches were reported by healthcare providers, 8 breaches were reported by health plans, and 3 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.

The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 11 of the 47 breaches (rather than 3) occurred at business associates in April.

[Chart: Data breaches at HIPAA-regulated entities in April 2026, by entity where the breach occurred]

[Chart: Individuals affected by healthcare data breaches at HIPAA-regulated entities in April 2026, by entity where the breach occurred]

HIPAA Enforcement Activity in April 2026

The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, announced 4 settlements with HIPAA-regulated entities in April to resolve alleged violations of the HIPAA Rules. When alleged HIPAA violations are settled, the settlement agreement includes a corrective action plan to address the areas of noncompliance identified by OCR. When a civil monetary penalty is imposed, OCR cannot compel the regulated entity to adopt a corrective action plan.

All four of the settlements related to ransomware attacks, and in all cases, OCR identified a risk analysis failure. The HIPAA Security Rule requires regulated entities to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to electronic protected health information. It is the most commonly identified HIPAA Security Rule violation. You can read more about each enforcement action in this post. No state attorneys general announced any HIPAA penalties in April.

HIPAA-Regulated Entity | Entity Type | Reason for Investigation | Alleged HIPAA Violation(s) | Settlement Amount
Regional Women’s Health Group (Axia Women’s Health) | Healthcare Provider | Reported ransomware attack involving the protected health information of 37,989 individuals | Risk analysis failure; impermissible disclosure of ePHI | $320,000
Assured Imaging Affiliated Covered Entities | Healthcare Provider | Reported ransomware attack involving the protected health information of 244,813 individuals | Risk analysis failure (never conducted); breach notification failure | $375,000
Consociate, Inc. (Consociate Health) | Business Associate | Reported ransomware attack involving the protected health information of 136,539 individuals | Risk analysis failure | $225,000
Star Group, L.P. Health Benefits Plan | Health Plan | Reported ransomware attack involving the protected health information of 9,316 individuals | Risk analysis failure | $245,000


The post April 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Xsolis Data Breach Affects 1.4M Individuals

Xsolis, a business associate of HIPAA-covered entities that provides AI-powered solutions for improving case and utilization management to achieve more efficient outcomes, has experienced a major data breach as a result of a phishing attack.

According to the data breach notification filed with the California Attorney General, unauthorized activity was identified within the Xsolis environment on January 22, 2026, as a result of a targeted phishing attack. The incident has been contained, unauthorized access has been terminated, no evidence has been found of unauthorized access since January 22, 2026, and Xsolis has found no evidence to suggest any of the exposed data has been misused.

An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that patient data had been exposed and may have been copied. Xsolis engaged digital specialists to review the affected data, and that process has now been completed. Xsolis is notifying the affected individuals and has offered them complimentary credit monitoring and identity theft protection services through Kroll for 12 months.

The Kroll website notice about the security incident states that an unauthorized third party had access to a limited portion of the Xsolis environment from January 20, 2026, to January 22, 2026. Data exposed in the incident included names, dates of birth, Social Security numbers, health insurance information, and medical treatment information.

The data breach has been reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 1,396,519 patients of its healthcare provider clients. A list of the affected clients has not been published; however, VHC Health, a healthcare provider serving patients in Northern Virginia and the Washington D.C. Metro area, has confirmed that it has been affected, as has Rochester Regional Health in New York.

Additional security measures have been implemented to prevent similar incidents in the future, system monitoring has been increased, all passwords for key users have been reset, new protective technologies have been deployed, security awareness training for employees has been accelerated, and credential management processes have been strengthened.

The post Xsolis Data Breach Affects 1.4M Individuals appeared first on The HIPAA Journal.

Vendor Data Breaches Announced by Six HIPAA-Regulated Entities

There have been several announcements about data breaches at business associates of HIPAA-regulated entities recently, including Providence St. Joseph Orange and Skin & Beauty Center in California, Management-ILA Managed Health Care Trust Fund in New York, and Ideal Home Care, Duncan Regional Home Care, and Chisholm Trail Hospice in Oklahoma.

Providence St. Joseph Orange, California

Providence St. Joseph Orange, a catholic general hospital in Orange, California, has been affected by a data security incident at its vendor, Pinnacle Holdings, LTD, a health care consulting company. Pinnacle experienced a network disruption in November 2024, and the forensic investigation confirmed unauthorized access to its network between November 11, 2024, and November 25, 2024, during which time files containing protected health information may have been exfiltrated from Pinnacle’s network.

Data potentially compromised in the incident included patients’ first and last name, address, email address, date of birth, encounter ID number, health insurance claim number, health insurance policy number, medical record number, patient account number, patient ID number, phone number, email address, prescription information, social security number, Medicare/Medicaid number, provider name, date of service, health insurance information, treatment cost information, and/or medical/diagnostic information.

It has taken a considerable amount of time for individual notifications to be issued. It took Pinnacle more than a year to notify Providence St. Joseph Orange that it had been affected, with the notification issued on December 30, 2025. On February 27, 2026, Providence St. Joseph Orange notified the HHS’ Office for Civil Rights that the protected health information of 11,329 patients was potentially compromised in the incident. Pinnacle has notified the affected individuals directly and has offered them 2 years of complimentary credit monitoring and identity theft protection services.

Skin & Beauty Center, California (DermCare Management)

Skin & Beauty Center in California has announced that it has been affected by a data breach at its management company, DermCare Management. DermCare Management is a Hollywood, Florida-based full-service practice management company for more than 70 skincare and dermatology clinics in Florida, Texas, Virginia, and California, which together serve more than 600,000 patients.

Suspicious activity was identified on February 26, 2025, and on March 3, 2025, it was confirmed that patient data had been compromised. It has taken a year to review the affected data. On March 2, 2026, it was confirmed that names, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information were impacted. The types of data vary from individual to individual.

The notification letters make no mention of complimentary credit monitoring and identity protection services. The affected individuals have been advised to monitor their free credit reports, financial accounts, and explanation of benefits statements, and should report any suspicious activity to the appropriate institution. It is currently unclear how many patients have been affected.

Other clinics affected by the data breach include:

  • Berman Skin Institute, California
  • Dania Dermatology, Florida
  • Dermatology Treatment and Research Center, Texas
  • Florida Academic Dermatology Center, Florida
  • Hillcrest Plastic Surgery & Dermatology, Florida
  • Hollywood Dermatology, Florida
  • Keys Dermatology, Florida
  • Miami Plastic Surgery, Florida
  • Rendon Center for Dermatology & Aesthetic Medicine, Florida
  • Skin Center of South Miami, Florida

Management-ILA Managed Health Care Trust Fund

Management-ILA Managed Health Care Trust Fund, a provider of medical, behavioral health, and prescription drug benefits, has been affected by a data breach at the New York law firm Mazzola Mardon, P.C. According to the law firm, the protected health information of 2,123 individuals was potentially compromised in the incident. Mazzola Mardon explained in its April 15, 2026, substitute breach notice that unusual activity was detected within its network, and third-party cybersecurity specialists confirmed that a hacker accessed its network and downloaded files on August 8, 2025. The review of those files was completed on January 27, 2026, and the affected individuals were notified by mail on March 23, 2026.

In addition to names, data compromised in the incident included one or more of the following: address, date of birth, Social Security number, driver’s license and/or state identification number, financial account information, mental or physical condition, treatment/diagnosis information, dates of service, provider name, procedure type, prescription information, medical record number, Medicare identification number, health insurance information, and/or billing/claim information. Mazzola Mardon said it is reviewing and enhancing its cybersecurity posture to prevent similar incidents in the future.

Ideal Home Care & Duncan Regional Hospital (DRH Health), Oklahoma

Two more healthcare providers have recently confirmed that they were affected by the data breach at vendor, Doctor Alliance, a healthcare technology firm that provides a software platform that physicians use to review and sign clinical documentation. Doctor Alliance experienced a breach of its platform, with unauthorized access occurring between October 31, 2025, and November 17, 2025. The review of the affected data was completed on April 6, 2026.

  • Ideal Home Care, a home health care service provider in Oklahoma, has confirmed that 1,331 individuals were affected. The information potentially accessed included names, addresses, dates of birth, medical record numbers, dates of care, and diagnosis and treatment information.
  • Duncan Regional Hospital (DRH Health) in Oklahoma was also affected, with the breach affecting patients of Duncan Regional Home Care and Chisholm Trail Hospice. The breach was reported to the HHS’ Office for Civil Rights as affecting 724 patients. Data compromised included names, addresses, dates of birth, dates of service, health insurance information, medical diagnosis & treatment information, and prescription information.

Other healthcare providers affected by the data breach include Bayada Home Health Care in New Jersey, A Path of Care Home Health and Hospice in Oklahoma, Team Select in Arizona, Community Nurse in Massachusetts, and Enhabit Home Health & Hospice and AccentCare in Texas.

The post Vendor Data Breaches Announced by Six HIPAA-Regulated Entities appeared first on The HIPAA Journal.

Data Breaches Announced by Corewell Health & Rocky Mountain Care

Rocky Mountain Care in Utah has announced a January 2026 data breach, and Corewell Health in Michigan has confirmed that more than 19,000 patients have been affected by a data breach at business associate Pinnacle Holdings.

Corewell Health, Michigan

Corewell Health, a non-profit Michigan health system, has recently confirmed that the protected health information of more than 19,000 of its patients has been exposed in a data breach at one of its business associates, Colorado-based Pinnacle Holdings, LTD. Pinnacle Holdings, a provider of consulting services, experienced a network disruption on November 25, 2024, that affected some of its IT systems, including systems containing the protected health information of patients of its clients.

Pinnacle Holdings said immediate action was taken to secure its systems; however, the detailed data review has taken many months to complete due to the complexity of the impacted data. The company has now confirmed that patient names, phone numbers, birth dates, Social Security numbers, driver’s license numbers, health insurance information, prescription information, and dates of service were compromised. The affected Corewell Health patients have been offered complimentary credit monitoring and identity theft protection services, and Pinnacle Holdings has implemented additional safeguards to prevent similar incidents in the future.

The data breach at Pinnacle Holdings affected several of the company’s clients, including the Chicago-based Catholic health system, CommonSpirit Health, as previously reported by The HIPAA Journal. It is currently unclear how many clients were affected in total or the number of individuals whose data was compromised in the incident.

Rocky Mountain Care, Utah

Rocky Mountain Care, a Woods Cross, Utah-based provider of skilled nursing care and home health services to seniors in Utah and Wyoming, has announced a January 2026 cybersecurity incident that involved unauthorized access to parts of its network that contained patient information. The forensic investigation determined that a hacker gained access to files on its network between January 30, 2026, and February 2, 2026. The review of the impacted data is ongoing, so the full impact of the incident has yet to be determined. Rocky Mountain Care said notification letters will be mailed to the affected individuals when the review is concluded.

While further details about the attack have not been disclosed, a threat actor has claimed responsibility for the incident. The Qilin threat group added Rocky Mountain Care to its dark web data leak site on February 23, 2026, and issued a ransom demand along with a threat to publish the stolen data if the ransom was not paid. Samples of data allegedly stolen in the attack were also added to the listing. Qilin claimed to have exfiltrated 33 GB of data in the attack and later published the stolen data, indicating the ransom was not paid.

The post Data Breaches Announced by Corewell Health & Rocky Mountain Care appeared first on The HIPAA Journal.

Orthopaedic Institute of Western Kentucky Patients Affected by Vendor Data Breach

Orthopaedic Institute of Western Kentucky has notified patients that their PHI was compromised in two security incidents at its managed IT services provider. Separately, Supportive Home Health Care and Patriot Outpatient has identified unauthorized access to an employee’s email account.

Orthopaedic Institute of Western Kentucky

Orthopaedic Institute of Western Kentucky (now Mercy Health — Western Kentucky Orthopedics) in Paducah, Kentucky, has been affected by two security incidents at one of its business associates, the managed IT services provider Keystone Technologies.

Keystone Technologies notified the orthopedic institute about unauthorized access to Keystone systems on two occasions: the first between April 21, 2025, and April 26, 2025, and the second between July 19, 2025, and August 1, 2025. During both periods, unauthorized individuals exfiltrated files containing patient information. The affected files were reviewed, and the affected individuals were identified in December 2025 and January 2026. Data compromised in the incident included names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment information, and health insurance information. Electronic medical records were not subject to unauthorized access, nor were any of Mercy Health’s systems.

The affected individuals have now been notified and offered a complimentary 12-month membership to a credit monitoring and identity theft protection service. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Supportive Home Health Care and Patriot Outpatient

Superior Care Plus, LLC, doing business as Supportive Home Health Care and Patriot Outpatient, LLC (Patriot), a provider of home healthcare services in Northeast Ohio, has announced a data breach affecting 1,415 of its patients.

On November 17, 2025, suspicious activity was identified within an employee’s email account. An investigation was launched to determine the nature and scope of the activity, and Patriot confirmed that the email account was compromised as a result of the employee responding to a phishing email. No other email accounts or systems were compromised in the incident.

On January 9, 2026, the forensic investigation was completed, and Patriot confirmed that the compromised account contained first and last names, city/ZIP codes, email addresses, health insurance policy numbers, medical treatment information, admission/discharge dates, patient logs, referring facility, start care date, policy name, and referring primary care physician name. A limited number of individuals also had their Social Security numbers and/or Medicare numbers exposed.

Patriot has taken several steps to prevent further unauthorized access to email data. The affected email account was deleted and a new account was created for the individual, rather than reactivating the account after a password change. Further training has been provided to the workforce on email security and phishing email identification, and third-party cybersecurity experts have helped Patriot enhance its technical security measures and procedures.

The post Orthopaedic Institute of Western Kentucky Patients Affected by Vendor Data Breach appeared first on The HIPAA Journal.

Alabama Hospital Recently Informed About 2024 Data Breach

Jackson Hospital and Clinic in Montgomery, Alabama, has notified 14,485 individuals about a July 2024 data breach at one of its former vendors, the debt collection agency Nationwide Recovery Services.

Nationwide Recovery Services first identified suspicious activity within its computer network in July 2024. The forensic investigation confirmed that an unauthorized third party accessed its network between July 5, 2024, and July 15, 2024. Nationwide Recovery Services notified the affected HIPAA-regulated entity clients between February 2025 and March 2025; however, Jackson Hospital and Clinic said it was not informed that it was one of the affected clients until January 27, 2026. Notification letters started to be mailed to the affected individuals on February 27, 2026, more than 19 months after the data breach occurred.

Jackson Hospital and Clinic said the incident involved data provided to Nationwide Recovery Services to allow the company to perform its contracted duties. None of Jackson Hospital and Clinic’s information technology systems were affected. Data potentially compromised in the incident includes names, phone numbers, addresses, dates of birth, Social Security numbers, account information, health insurance information, and/or dates of service. Jackson Hospital and Clinic said it no longer uses Nationwide Recovery Services for debt recovery.

As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Due to the lengthy delay between the data breach and notification, the affected individuals should check their accounts and explanation of benefits statements for potential data misuse going back to July 2024, in addition to signing up for the complimentary credit monitoring services.

The total number of individuals affected by the Nationwide Recovery Services data breach is unknown. Nationwide Recovery Services reported the breach to the HHS’ Office for Civil Rights (OCR) on September 9, 2024, using a placeholder figure of at least 501 affected individuals. That total has not been updated since the initial breach report. Many clients chose to issue their own notifications about the data breach. Based on breach notifications to state attorneys general and OCR, the data breach affected more than 560,000 individuals.

The post Alabama Hospital Recently Informed About 2024 Data Breach appeared first on The HIPAA Journal.

Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its second enforcement action of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). MMG Fusion LLC, a Maryland-based company that provides software solutions to oral healthcare providers, has agreed to settle the alleged violations and pay a financial penalty. The case is significant, as it involves an unreported data breach that affected 15 million individuals.

An unauthorized actor gained access to MMG’s internal network on December 21, 2020, and accessed patients’ protected health information, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. The threat actor exfiltrated data from MMG’s network and subsequently posted that information on the dark web.

A data breach of that magnitude would have attracted considerable media attention; however, it slipped under the radar as the breach was not reported to OCR, and the affected covered entities were not notified about the data breach. OCR’s investigation was launched not in response to a breach report, but a complaint about an unreported data breach. OCR received the complaint on January 6, 2023, and initiated an investigation in March 2023.

OCR determined that MMG had failed to comply with multiple provisions of the HIPAA Rules. Prior to the data breach, MMG had not conducted a comprehensive and accurate risk assessment to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by the HIPAA Security Rule.

OCR determined that MMG failed to ensure that ePHI was not used or disclosed for reasons not expressly permitted by the HIPAA Privacy Rule, and MMG failed to issue notifications to the affected covered entity clients that there had been a breach of unsecured protected health information, in violation of the HIPAA Breach Notification Rule. Rather than pursue a civil monetary penalty to resolve the alleged HIPAA violations, OCR agreed to a settlement. MMG has agreed to pay a financial penalty of $10,000 to resolve the alleged HIPAA violations and will adopt a comprehensive corrective action plan.

The corrective action plan requires MMG to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI. An enterprise-wide risk management plan must be developed and implemented to address and mitigate any risks and vulnerabilities identified by the risk analysis. Policies and procedures must be developed to ensure compliance with the HIPAA Rules, and those policies and procedures must be distributed to members of the workforce. MMG must provide training to its workforce and provide OCR with a copy of the training materials used to train its workforce for them to be assessed.

OCR will provide MMG with feedback on the thoroughness and accuracy of its risk assessment, and MMG must incorporate that feedback into its risk assessment and resubmit it to HHS for additional feedback. That process will continue until HHS is satisfied that the risk assessment is comprehensive and accurate. OCR must also be provided with a comprehensive list of all clients affected by the data breach, and once the risk assessment has been approved by OCR, MMG must notify all affected covered entity clients about the data breach, along with the identities of all patients whose ePHI is reasonably believed to have been impacted.

While not stated in the corrective action plan, the requirements of the HIPAA Breach Notification Rule are that each covered entity must determine if breach notifications are required and must ensure that those notifications are issued within 60 days after receiving a breach notice from a business associate. They are permitted to delegate the notification responsibilities to MMG, per the terms of their business associate agreements. The cost of notification for such a colossal data breach would be high, and if that cost is to be borne by MMG, that could explain why the penalty imposed to resolve multiple violations of the HIPAA Rules is so low.

OCR currently has an enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule and the Right of Access provision of the HIPAA Privacy Rule; however, in 2025, the second-most common reason for a financial penalty, behind risk analysis failures, was breach notification failures. HIPAA covered entities and their business associates must ensure that timely breach notifications are issued to OCR, the affected individuals, and the media, and, in the event of a breach at a business associate, that all affected covered entity clients are notified within 60 days of the discovery of the data breach.

“When a breach occurs, business associates must notify affected covered entities without unreasonable delay and within 60 calendar days of discovery,” said OCR Director Paula M. Stannard. “This timeliness is crucial for a covered entity to meet its own breach notification obligations, such as timely notification to HHS and to individuals. As hacking becomes more ubiquitous, HIPAA Security Rule requirements, such as the need to have an accurate and thorough HIPAA risk analysis, are imperative for strengthening cybersecurity before a breach occurs.”

The post Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals appeared first on The HIPAA Journal.

Medical Device Manufacturer UFP Technologies Confirms Data Stolen in Cyberattack

The U.S. medical device manufacturer UFP Technologies has submitted a Form 8-K filing to the U.S. Securities and Exchange Commission (SEC) to notify the SEC and investors about a cyberattack and data breach that could potentially impact its financial condition or operations.

UFP Technologies is a publicly traded contract manufacturer based in Newburyport, Massachusetts, that makes single-use medical devices and highly engineered components for the aerospace, automotive, healthcare, and defense industries. The company produces a wide range of medical devices and medical components for products used in wound care, implants, and orthopedic and surgical products. UFP Technologies has an annual revenue of $600 million and employs 4,300 people.

According to the filing, UFP Technologies detected an IT systems intrusion on February 14, 2026. Immediate action was taken to assess, contain, and remediate the threat, and third-party cybersecurity experts were engaged to assist with the investigation. UFP Technologies said it believes the cyber threat actor responsible for the attack has been eradicated from its IT environment and confirmed that it has restored access to systems and information impacted by the incident in all material respects. While the attack did not impact all of its IT systems, many were affected, including the systems used for billing and label-making. UFP Technologies implemented its incident response and contingency plans, and since the incident was detected, it was able to continue operations in all material respects.

Some company and company-related data was either stolen or destroyed in the attack, which suggests this was a ransomware attack or that wiper malware was used. No threat group appears to have claimed responsibility for the attack. UFP Technologies explained in the filing that data has been recovered from backups. The company has confirmed that some data was exfiltrated from its system, although it is too early to determine the extent of the data theft, such as whether any personal or protected health information was stolen. The investigation to determine the nature and scope of the incident is ongoing, and the company is exploring the legal and regulatory notifications and filings that may be required.

As of the date of the filing (February 19, 2026), UFP Technologies said the incident has not had any material impact on its financial systems, operations, or financial condition. While costs have naturally been incurred, the company expects a significant proportion of the costs of containment, investigation, and mitigation will be covered by its cyber insurance policy.

The post Medical Device Manufacturer UFP Technologies Confirms Data Stolen in Cyberattack appeared first on The HIPAA Journal.

Vikor Scientific Affected by Ransomware Attack on Revenue Cycle Management Vendor

Vikor Scientific (now rebranded as Vanta Diagnostics), a molecular diagnostics company based in Charleston, South Carolina, has been affected by a security incident at one of its vendors, the revenue cycle management company Catalyst RCM. The breach also affected the Vikor Scientific-owned molecular testing laboratory KorGene, and KorPath, a Tampa, Florida-based anatomical pathology lab that partners with Vanta Diagnostics. Vikor Scientific has reported the data breach to the HHS’ Office for Civil Rights as involving the electronic protected health information (ePHI) of 139,964 individuals.

Catalyst RCM has published a substitute breach notice on its website and is issuing notification letters to the affected individuals on behalf of its affected HIPAA-covered entity clients. While it is ultimately the responsibility of each affected HIPAA-covered entity to issue notification letters when there has been a data breach at a vendor, the notification responsibilities are often delegated to the vendor.

In the breach notice, Catalyst RCM explains that suspicious activity was identified within its secure file management system on or around November 13, 2025. An investigation was launched, which identified an unauthorized login to a system used to access one of its servers. The server was accessed without authorization between November 8, 2025, and November 9, 2025. The affected system was reviewed to determine whether any protected health information had been exposed or stolen, and the review concluded on December 12, 2025. Catalyst RCM confirmed that the threat actor exfiltrated data in the attack.

Data potentially compromised in the incident varies from individual to individual and may include names plus one or more of the following: date of birth, diagnosis information, medical treatment information, history, health insurance information, and/or payment card information with access code.

Catalyst RCM has updated its security policies, procedures, and protocols to reduce the likelihood of similar incidents in the future, and has advised the affected individuals to remain vigilant against identity theft and fraud by monitoring their free credit reports. While no misuse of the affected data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

While the incident was not described as a ransomware attack, the Everest ransomware group claimed responsibility for the attack and added Vikor Scientific to its dark web data leak site, along with samples of data allegedly stolen in the attack. Everest threatened to leak the stolen data if contact was not made. Everest claims to have leaked all data exfiltrated in the attack, indicating the ransom was not paid.

The post Vikor Scientific Affected by Ransomware Attack on Revenue Cycle Management Vendor appeared first on The HIPAA Journal.