A ransomware attack on Sensata Technologies involved the theft of health and wellness plan data. A former Evoke Wellness employee has been accused of stealing patient data for identity theft, and limited PHI has been impermissibly disclosed due to mailing errors at Blue Shield of California and AffirmedRx PBC.

Sensata Technologies Hit with Ransomware Attack

Sensata Technologies, Inc., a leading industrial technology firm that makes sensor and control solutions, has been hit with a ransomware attack. The attack was identified on April 6, 2025, when files were encrypted on its network. Sensata implemented its response protocols to contain the incident, and an investigation was launched with assistance provided by a third-party cybersecurity firm. Law enforcement was also notified about the attack.

The forensic investigation confirmed that the ransomware group had access to its network between March 28, 2025, and April 6, 2025, during which time files were accessed and copied from its network. Over the past two months, Sensata reviewed the affected files and has confirmed that they contained the personal and protected health information of 15,630 members of the company’s Health and Welfare Benefit Plan.

In addition to names and addresses, one or more of the following data types were involved: date of birth, Social Security number, tax identification number, driver’s license number or state-issued identification card number, passport number, other government-issued identification number, financial account information, payment card information, medical information, and/or health insurance information. Individual notification letters have been mailed, and complimentary credit and identity monitoring have been offered to the affected individuals. Sensata has confirmed that it is taking steps to enhance security.

Former Evoke Wellness Employee Accused of PHI Theft, Identity Theft, And Fraud

A former employee of an Evoke Wellness addiction treatment center in Hilliard, Ohio, has been accused of stealing patients’ protected health information for identity theft and fraud. A police investigation was launched after police conducted a vehicle stop and found four fraudulent IDs and twenty-four pre-paid cards in the man’s possession. The man was employed by Evoke Wellness between November 2021 and July 2024, and allegedly accessed patient data and obtained names, contact information, dates of birth, and Social Security numbers without authorization. Evoke Wellness was unaware of the data theft until notified by law enforcement, and launched an internal investigation and confirmed the unauthorized access.

So far, the police investigation has identified 240 victims, although the actual number could be much higher. The man has also been accused of selling stolen data on the dark web to individuals who used the information to fraudulently obtain funds and rack up credit card charges in the victims’ names. Evoke Wellness has not yet listed the breach on its website, and there is no breach report on the HHS’ Office for Civil Rights breach portal. That said, media notices are only required for breaches affecting 500 or more individuals, and OCR does not list data breaches affecting fewer than 500 individuals on its data breach portal.

Blue Shield of California Data Merge Error Results in Impermissible PHI Disclosure

The health plan provider, Blue Shield of California (BSC), has notified 1,543 individuals about an impermissible disclosure of their protected health information. On April 4, 2025, BSC discovered that an incorrect data merge resulted in certain BSC members’ data being added to other members’ data, which could be viewed in the Member Health Record feature on its member portal.

An investigation was launched, which confirmed that the error involved an identifying key being assigned to two or more different individuals, even though they had different names, dates of birth, and Social Security numbers. The mail merge occurred on June 27, 2024, and was identified on April 4, 2025, when the data was immediately suppressed.

The data potentially viewed by other members was limited to member visit information, visit dates, medications, immunization records, lab results, diagnoses, and health conditions. The merged information did not involve another member’s name, date of birth, Subscriber identification number, address, phone number, email address, or highly sensitive information such as their Social Security number, driver’s license number, or financial information. Out of an abundance of caution, BSC has offered the affected individuals complimentary access to the Experian IdentityWorks identity theft protection service for 12 months.

AffirmedRx PBC Mailing Error Results in PHI Disclosure

AffirmedRx PBC, a Louisville, Kentucky-based pharmacy benefits management company, has notified 1,089 members about an impermissible disclosure of some of their protected health information. On May 16, 2025, AffirmedRx PBC identified an error with a mailing involving letters sent on May 14, 2025. The letters advised the recipient about a change in medication information.

The error resulted in a mismatch of names and addresses on the envelopes. The letters included an individual’s name and medication information only, and in each instance, were sent to the address of one other member. AffirmedRx PBC has advised anyone receiving a letter from AffirmedRx PBC dated May 14, 2025, to disregard the information in the letter and to destroy that letter, and if not yet opened, to mail the letter after clearly adding “return to sender” to the envelope.

AffirmedRx PBC has implemented additional safeguards to prevent similar incidents in the future and has provided additional training to appropriate personnel to reinforce its privacy protocols.

The post PHI Stolen in Sensata Technologies Ransomware Attack appeared first on The HIPAA Journal.

Ocuco Inc., a Dublin, Ireland-based provider of optical software solutions for eyecare businesses, has recently notified the HHS’ Office for Civil Rights about a data breach involving the protected health information of 240,961 individuals.

Ocuco claims to be the world’s largest provider of retail optical software solutions, with its US operations based in Florida. Ocuco’s software includes the Acuitas practice management and electronic health record system, which is used by thousands of eye care practices, clinics, and lens manufacturing labs.

Relatively little information has been released by Ocuco about the data breach at the time of writing, other than the information disclosed in the May 30, 2025, OCR breach report, which lists the incident as a network server hacking incident. This appears to have been a ransomware attack by a ransomware group known as Killsec, aka Kill Security.

Killsec claims to be a hacktivist group, but it is a financially motivated ransomware-as-a-service organization that targets government agencies and private sector businesses. On April 1, 2025, Killsec added Ocuco to its dark web data leak site, and the stolen data has since been listed for download, which suggests the ransom was not paid.

While the HIPAA Journal has not verified whether protected health information is available for download, the fact that the data breach has been reported to the HHS’ Office for Civil Rights shows that protected health information has been exposed and most likely stolen in the attack.

The dark web data leak site listing includes screenshots of the stolen data, including business files, appointment information, and several folders related to U.S. and Canadian eyecare clients, including Costco, HoustonEye, Kaiser, Mayo Clinic, Optos, Specsavers, and more. Several law firms have already opened investigations into potential class action lawsuits in response to the data breach.

This post will be updated when further information becomes available.

The post Optical Software Solution Provider Ocuco Reports 241K-Record Data Breach appeared first on The HIPAA Journal.

Episource LLC, a provider of medical coding, risk adjustment services, and software solutions for healthcare providers and health plans, has experienced a cyberattack involving the theft of customer data. A network intrusion was detected on February 6, 2025, after suspicious activity had been identified within its network. All computer systems were powered down to prevent further unauthorized access, law enforcement was notified, and third-party cybersecurity experts were engaged to assist with the investigation and determine the nature and scope of the unauthorized activity.

The forensic investigation confirmed there had been unauthorized access to its computer systems between January 27, 2025, and February 6, 2025. The California Attorney General was notified about the breach on June 6, 2025, and at that time, Episource said it was unaware of any misuse of the compromised data. Individual notification letters have been issued on a rolling basis since April 23, 2025.

The review of the compromised files confirmed that they contained a range of data, which varied from individual to individual. Potentially compromised data included names and contact information (address, phone number, and email address), together with one or more of the following:

• Health information: diagnosis information, treatment information, prescriptions, test results, medical images, medical record numbers, and doctors’ names.
• Health plan information: health plan policies, company names, member/group ID numbers, and Medicaid/Medicare payor ID numbers
• Other personal information, such as date of birth

Episource said it is strengthening system security to prevent similar breaches in the future, and that the affected individuals are being offered two years of complimentary credit monitoring and identity theft protection services. Episource did not disclose the nature of the attack in its notification letters; however, this appears to be a ransomware attack. The group responsible is currently unknown.

Sharp Community Medical Group and Sharp HealthCare have confirmed that they have been affected by the incident, but it is currently unclear how many other clients have been impacted. The number of affected individuals is also currently unknown, as the data breach is not yet displayed on the OCR breach portal.

The post Episource Ransomware Attack Affects Multiple Healthcare Customers appeared first on The HIPAA Journal.

It has taken three weeks, but Kettering Health has confirmed that it has resumed normal operations for key services following its May 20, 2025, Interlock ransomware attack. Kettering Health has been releasing regular updates on the progress being made restoring its systems, confirming that the core components of its Epic EHR system were restored on the morning on June 2, 2025, which allowed patient data to be entered, and the backlog of data recorded on paper to start to be entered into patient records.

Interlock’s access to its network and system was immediately terminated when the attack was discovered, and Kettering Health confirmed on June 5, 2025, that all of the ransomware group’s tools and persistence mechanisms had been eradicated from its systems. Kettering Health also confirmed that all systems were fully up to date with the latest versions of software installed and patches applied, and security enhancements had been implemented, including network segmentation, enhanced monitoring, and updated access controls. Kettering Health said it is confident that its cybersecurity framework and employee security training are sufficient to mitigate future risks.

The primary purpose throughout the incident response has been to ensure quality care was still provided to patients while ensuring that all network-connected devices were secure and connections with its partners were fully protected. Kettering Health stated the main focus has now shifted from securing systems to ensuring that patient communication systems and scheduling systems are fully restored.

On June 9, 2025, Kettering Health confirmed that MyChart access for patients had been restored in a limited capacity and patients could view their upcoming appointments, schedule appointments, view prescriptions and fill refills, view test results, and message providers. All surgeries had also resumed. On June 10, 2025, Kettering Health announced that normal operations had been resumed for several key services, including surgery, imaging, retail pharmacy, and physician office visits. MyChart access had been fully restored, and its phone lines were functional and stable.

The recovery process continues to restore further systems, and the data analysis is progressing to determine the extent of data theft. No estimate has been provided so far on the number of individuals affected. Individual notification letters will be mailed to the affected individuals as soon as possible, including information about credit monitoring and fraud protection services.

June 5, 2025: Kettering Health Ransomware Attack: Interlock Ransomware Group Leaks Stolen Data

Kettering Health is continuing to make progress in recovering from its May 20, 2025, ransomware attack. While its EHR has been restored, other IT systems remain offline, with disruption continuing at its Ohio medical centers and outpatient facilities. Earlier this week, Kettering Health issued an update confirming that a small subset of patient data was stolen in the attack, although the extent of the data breach has yet to be confirmed.

Kettering Health has not named the ransomware group behind the incident, although CNN claimed to have viewed a copy of a ransom note indicating the Interlock ransomware group was responsible. This week, Interlock claimed responsibility for the attack and added Kettering Health to its dark web data leak site and listed the stolen data for download, indicating the ransom was not paid.

The Interlock claims to have stolen 941 GB of data from Kettering Health before ransomware was used to encrypt files. The stolen data includes 732,490 files spread across 20,418 folders. The HIPAA Journal has not downloaded any of the data, so it cannot confirm the extent to which patient and employee data has been compromised. Based on the folder and file names, the stolen data appears to include payroll information, employee files, scans of identity documents, police security personnel files, Medicaid application documents, pharmacy and blood bank documents, financial revenue reports, corporate insurance files, corporate tax information, budget reports, and patient files.

June 3, 2025: Kettering Health Restores EHR After Ransomware Attack

Kettering Health said it restored the core components of its Epic electronic health record (EHR) system on the morning of June 2, 2025, and it is now possible to enter patient information directly into electronic health records. Patient information that was recorded manually during the outage can now be added to patients’ digital health records. The restoration of the EHR will allow care teams to communicate more effectively and coordinate patient care with greater speed and clarity.

Kettering Health said more than 200 people from its information systems team, clinical team, and the software company Epic have been working around the clock over the past two weeks to get to this point. “This marks a major milestone in our broader restoration efforts and a vital step toward returning to normal operations,” explained Kettering Health. The restoration of other IT systems is continuing, including its MyChart patient portal and its inbound and outbound phone lines. Kettering Health has confirmed that its emergency departments are no longer on diversion, and its primary care locations are providing walk-in care to established patients.  Kettering Health CEO Michael Gentry has also confirmed that there has been unauthorized access to the data of “a small subset” of Kettering Health patients. The investigation into the data breach is ongoing, and notification letters will be mailed to the affected individuals when the investigation is concluded.

On May 30, 2025, Kettering Health provided an update to its staff, partners, and community members about scam communications, which may include phone calls, text messages, and emails. Gentry explained that these communications are “designed to intimidate, demand a response, or claim data exposure.” Gentry advised the public to exercise caution, not to click any links, open attachments, or respond to the communications, and if contacted by phone about the cyberattack, to hang up immediately. Any malicious or suspicious communications should be reported to the police.

May 21, 2025: Ransomware Attack Causes System-wide Outage at Kettering Health

Kettering Health, a large health system with 14 medical centers and 120 outpatient facilities in western Ohio, has experienced “a system-wide technology outage” that has affected all 14 of its medical centers and disrupted its call center. The outage occurred on the morning of Tuesday, May 20, 2025, and without access to critical IT systems, the decision was taken to cancel scheduled inpatient and outpatient procedures on Tuesday.

The medical centers remain open, and emergency rooms are continuing to accept patients. The staff is working on established downtime procedures and reverting to pen and paper to record patient information while IT systems are offline. The IT team is working around the clock to investigate the incident and bring systems back online safely and securely.  “We have procedures and plans in place for these types of situations and will continue to provide safe, high-quality care for patients currently in our facilities,” explained Kettering Health in a website announcement.

According to CNN, which obtained a copy of a ransom note, this was a ransomware attack by the Interlock ransomware group, a threat group with a history of double extortion attacks on the healthcare sector. The Interlock ransomware group breaches networks, identifies data of interest, exfiltrates files, and uses ransomware to encrypt files. The ransom must be paid to prevent the publication of the stolen data on its dark web data leak site and to obtain the keys to decrypt the data. Interlock was behind the recent ransomware attack on the kidney dialysis service giant Davita, Brockton Neighborhood Health Center in Massachusetts, the Drug and Alcohol Treatment Service in Pennsylvania, and Texas Tech University Health Sciences Center.

“Since it first emerged back in October 2024, we’ve tracked 16 confirmed attacks via this group, while a further 17 remain unconfirmed by the victims involved. Today, Interlock also came forward to claim a large-scale attack on West Lothian Council, UK, which has been disrupting its school network for over a week,” Rebecca Moody, Head of Data Research at Comparitech, told The HIPAA Journal. “While this attack on Kettering Health is in its early stages, it’s highly likely Interlock will have stolen data and will release this if its ransom demands aren’t met.”

The investigation is still in the early stages, and Kettering Health is not yet in a position to state to what extent, if any, patient data has been stolen. The healthcare system confirmed that the outage was caused by a cyberattack, but has not verified that this was a ransomware attack. The Interlock ransomware group claims to have “secured your most vital files” and has threatened to publish the stolen data if Kettering Health refuses to negotiate payment.

Within a few hours of the announcement, Kettering Health issued a warning about scam calls. “We have confirmed reports that scam calls have occurred from persons claiming to be Kettering Health team members requesting credit card payments for medical expenses,” explained Kettering Health. “While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice.”

This post will be updated as further information becomes available.

The post Kettering Health Resumes Normal Operations for Key Services Following Ransomware Attack appeared first on The HIPAA Journal.

Cyberattacks and data breaches have recently been announced by Weiser Memorial Hospital in Idaho and Minnesota Orthodontics and Dentofacial Orthopedics.

Weiser Memorial Hospital

Weiser Memorial Hospital in Idaho has recently informed the Maine Attorney General about a data breach that involved unauthorized access to the personal and protected health information of 34,249 individuals, including 14 Maine residents. Unusual network activity was identified on September 4, 2024, and after securing its network, Weiser Memorial Hospital engaged third-party cybersecurity experts to investigate and determine the nature and scope of the unauthorized activity.

The investigation confirmed that an unauthorized third party accessed its network and exfiltrated files containing sensitive data on or around September 4, 2024. The impacted files were reviewed to determine the patients affected and the types of data involved, and that process concluded on April 21, 2025. Weiser Memorial Hospital has confirmed that current and former patients had some or all of the following information stolen in the incident: name, date of birth, Social Security number, other government ID numbers, diagnoses, treatment/procedure information, Medicare/Medicaid numbers, and/or health insurance information.

Weiser Memorial Hospital said steps have been taken to improve security to prevent similar incidents in the future, and the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services.

Minnesota Orthodontics and Dentofacial Orthopedics

Minnesota Orthodontics and Dentofacial Orthopedics (MN Ortho) has alerted patients about a recent data security incident involving unauthorized access to sensitive patient data. On February 26, 2025, MN Ortho discovered unauthorized access to its network. Steps were taken to secure its systems and prevent further unauthorized access, and third-party cybersecurity specialists were engaged to investigate the activity.

On April 18, 2025, MN Ortho confirmed that an unauthorized third party copied files from its network that contained patient data such as names, dates of birth, financial information, health forms, insurance information, treatment information, and employment information. The investigation and data review are ongoing, and notification letters will be mailed to the affected individuals when the process is completed. MN Ortho said it is unaware of any misuse of the affected data. The security incident has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. The total will be updated when the file review is concluded.

The post Weiser Memorial Hospital Data Breach Affects 34,200 Patients appeared first on The HIPAA Journal.

Union Health System, a Terre Haute, Indiana-based integrated health system that operates two hospitals and a medical group, has been affected by a security incident at Oracle Health/Cerner. Oracle Health recently notified healthcare providers about a security incident involving legacy Cerner servers, which had yet to be migrated to Oracle Cloud. Oracle acquired Cerner in 2022. A hacker was able to access and obtain data hosted in the Oracle Health/Cerner data migration environment, and then tried to extort the affected companies.

Oracle Health has released little information about the incident and maintains it is the responsibility of its HIPAA-covered entity clients to determine if there has been a breach that warrants notifications under the HIPAA Breach Notification Rule. Union Health said it received confirmation of the data breach from Oracle Health/Cerner on March 15, 2024. Oracle Health explained that it detected a cybersecurity incident on February 20, 2025, and its forensic investigation confirmed that the unauthorized third party’s initial access occurred on or after January 22, 2025. Union Health received a list of the affected individuals from Oracle Health/Cerner on March 22, 2025.

The compromised data included names plus Social Security numbers, dates of birth, driver’s license numbers, treating physicians’ names, dates of service, medication information, health insurance information, and diagnostic and treatment information. The breach was recently reported to the HHS’ Office for Civil Rights by Union Health as affecting 262,831 individuals.

While the data breach was confirmed by Oracle Health/Cerner in March, that was not the first time that Union Health was made aware of the data breach. An “unknown party” contacted Union Health claiming to be in possession of patient data. Union Health verified the individual’s claims on February 24, 2025, and identified the information as likely having been obtained from Oracle Health/Cerner. Union Health then proactively reached out to Oracle Health about the incident for confirmation, which was obtained on March 15, 2025. Union Health made it clear in the notification letters that the breach occurred at Oracle Health/Cerner and no Union Health systems were accessed. Union Health said it is offering the affected individuals complimentary credit monitoring services.

A lawsuit has already been filed against Union Health and Oracle Health/Cerner over the data breach. The lawsuit, Cerner Corporation d/b/a Oracle Health, Inc. and Union Health System, Inc. – was filed in the U.S. District Court for the Western District of Missouri by plaintiff Shannon Smith, who is represented by John F. Garvey of Stranch, Jennings & Garvey, PLLC.

The lawsuit claims that the defendants’ inadequate security practices violated HIPAA and allowed cybercriminals to gain access to sensitive personally identifiable information (PII) and protected health information (PHI), and that the failure amounts to negligence. The lawsuit cites eight causes of action – negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of fiduciary duty, breach of confidence, and declaratory judgment.

The lawsuit also takes issue with the time taken to issue notification letters, which were not sent until 89 days after the breach occurred, keeping the affected individuals in the dark and depriving them of the opportunity to try to mitigate their injuries in a timely manner.  The lawsuit claims the data breach has placed the plaintiff and class members at a present, continuing, and significant risk of suffering identity theft. The lawsuit seeks a jury trial, compensatory, exemplary, punitive, and statutory damages, injunctive relief, attorneys’ fees, and legal costs and expenses.

This is one of two security incidents to be confirmed by Oracle in 2025. In a separate incident, a hacker obtained usernames, passkeys, and encrypted passwords of an undisclosed number of Oracle customers. “Oracle would like to state unequivocally that the Oracle Cloud – also known as Oracle Cloud Infrastructure or OCI – has not experienced a security breach. No OCI customer environment has been penetrated,” explained Oracle. “No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.” Oracle confirmed that a hacker gained access to two obsolete servers but did not obtain any usable passwords, as the passwords were either encrypted or hashed.

The post Union Health System: Almost 263,000 Individuals Affected by Oracle Health/Cerner Hack appeared first on The HIPAA Journal.

It has taken more than a year for current and former residents of the City of Long Beach in California to learn that some of their personally identifiable and protected health information was compromised in a cyberattack. Notifications have been sent to multiple U.S. states confirming that the information of 470,060 individuals was exposed and potentially stolen in the attack. That figure includes 258,191 individuals whose protected health information was compromised. No ransomware group is known to have claimed responsibility for the attack.

The cyberattack was detected on or around November 14, 2023, and the forensic investigation confirmed on March 18, 2024, that sensitive data had been accessed or acquired by the threat actor. It then took a further 13 months before notification letters were mailed to the affected individuals. City officials confirmed that notification letters started to be mailed on April 14, 2025.

City officials explained that most of the affected systems were restored and brought back online within a matter of weeks after the attack was detected, and while confirmation of unauthorized access to data was confirmed in March 2024, in an October 7, 2024, update, the city explained that third party cybersecurity professionals were still trying to determine the nature and scope of the data stolen in the attack. The city explained in the notice that complimentary credit monitoring and identity theft protection services would be offered to individuals whose Social Security numbers were involved. “This process of identifying specific individuals’ sensitive information is incredibly detailed, time-intensive, can be lengthy, and has been ongoing to date,” explained city officials in the October 2024 notice. “Progress is being made, and the process may be close to completion in the upcoming months.”

In the latest notification, city officials explained that between the attack and April 14, 2025, there have been no indications that any of the impacted information has been misused for the purpose of committing identity theft or fraud, and said the notification letters were being issued as required by law and out of an abundance of caution. Long Beach Mayor Rex Richardson said, “This has proven to be an unprecedented event for our organization, and we continue to take this investigation and its findings seriously.” The individual notifications confirm that credit monitoring and identity theft protection services are being provided for 12 months to individuals whose Social Security numbers were compromised.

The post City of Long Beach Notifies Individuals Affected by November 2023 Cyberattack appeared first on The HIPAA Journal.

Ascension in St. Louis, Missouri, has started notifying certain patients about a security incident at one of its former business partners. Ascension learned on December 5, 2024, that the business partner had experienced a hacking incident. An investigation was launched, and it was determined on January 21, 2025, that Ascension had inadvertently disclosed patient data to the former business partner, and that data had likely been stolen in the hacking incident. Ascension confirmed that its own systems were unaffected.

A hacker was able to exploit a vulnerability in third-party software to gain access to data held by the former business partner. The data review confirmed that the information likely stolen in the incident included names, addresses, phone numbers, dates of birth, email addresses, race/gender, Social Security numbers, medical record numbers, insurance company names, and clinical information related to inpatient visits, which may have included, service locations, physicians’ names, discharge dates, and diagnosis and billing codes.

Ascension said it has reviewed its policies, procedures, and processes and will implement enhanced safeguards to prevent similar incidents in the future. The affected individuals had previously received services at Ascension facilities in Alabama, Michigan, Indiana, Tennessee, and Texas. Individual notifications are being mailed, and the affected individuals have been offered two years of complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Carolina Anesthesiology Database Containing 21,344 Records Exposed Online

A database containing the personally identifiable and protected health information of 21,344 patients has been exposed online. The database was found by security researcher Jeremiah Fowler, who analyzed a sample of the data and confirmed it contained information such as names, addresses, phone numbers, health insurance information, emergency contact information, diagnoses, case summaries, medications, vital statistics, family and patient medical histories, antitheology summaries, and physicians’ notes. The database also contained software billing and compliance reports belonging to a medical software company.

Fowler notified the medical software company about the exposed database, which identified the database owner, and notified them. The database was secured the same day. It is unclear for how long the database was exposed and if it was accessed by any other individuals. Fowler also identified files related to Atrium Health and contacted them about the data breach. Atrium Health confirmed that an investigation had been initiated and, via databreaches.net, that the database belonged to Carolina Anesthesiology. Atrium Health said it immediately shut down its data feeds to Carolina Anesthesiology while the database was secured and the incident was investigated. Carolina Anesthesiology is located in High Point, North Carolina, and provides anesthesiology services to High Point Regional Health System and Atrium Health.

The post Ascension Notifying Patients About Data Breach at Former Business Partner appeared first on The HIPAA Journal.

Verisource Services, an employee benefits administration service provider, has determined that a previously announced data breach was far worse than initially thought and has affected up to 4 million individuals. The Houston, Texas-based company detected a hacking incident on February 28, 2024, that disrupted access to some of its systems. Third-party cybersecurity and incident response experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity.

The forensic investigation confirmed hackers had access to its network and exfiltrated files on February 27, 2024. At the time of the initial announcement, Verisource Services said names, dates of birth, genders, and Social Security numbers had been stolen. The affected individuals included employees and dependents of clients who used its services, which include HR outsourcing, benefits enrollment, billing, and administrative services.

The data breach was initially reported as affecting 1,382 individuals, but as the investigation progressed, it became clear that the breach was worse than initially thought. In August 2024, the data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 112,726 individuals. The most recent notification to the Maine Attorney General indicates up to 4 million individuals have been affected, a sizeable increase from previous estimates. The OCR breach portal still lists the incident as affecting 112,726 patients and plan members of its HIPAA-regulated entity clients, although that total may well be updated in the coming days.

Verisource Services explained in the breach notice that the data review was not completed until April 17, 2025, almost 14 months after the security incident was detected. Verisource Services reported the security incident to the Federal Bureau of Investigation, and several additional security measures have been implemented to improve its security posture. Notification letters had previously been sent to some affected individuals; however, the bulk of the notification letters have only recently been mailed. Verisource Services said complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, who will also be protected with a $1,000,000 identity theft insurance policy.

Since sensitive data was stolen many months ago, data may already have been misused. In addition to signing up for the credit monitoring and identity theft protection services, affected individuals should also check their account statements for signs of data misuse going back to February 2024. Verisource Services was already facing several class action lawsuits over the data breach. Now that the breach total has been substantially increased, further lawsuits are expected to be filed. The lawsuits already filed alleged that Verisource Services was negligent due to the failure to implement reasonable and appropriate cybersecurity measures and follow industry-standard cybersecurity best practices. The lawsuits seek a jury trial, attorneys’ fees, and compensatory and punitive damages.

The post Verisource Services Increases Data Breach Victim Count to 4 Million appeared first on The HIPAA Journal.