HIPAA Breach News

Three Healthcare Providers Affected by Ransomware Attacks

Issaqueena Pediatric Dentistry in South Carolina, Enhabit Home Health & Hospice in Texas, and AltaMed Health Services in California have announced that patient data has potentially been compromised in ransomware attacks.

Issaqueena Pediatric Dentistry, South Carolina

Issaqueena Pediatric Dentistry in Seneca, South Carolina, has recently reported a hacking incident to the HHS’ Office for Civil Rights that involved unauthorized access to personally identifiable information and protected health information. The incident is still being investigated, so the number of affected individuals has yet to be confirmed. The OCR breach portal currently lists the incident as affecting at least 501 individuals.

In a substitute breach notice on its website, Issaqueena Pediatric Dentistry confirmed that an unauthorized third party gained access to certain files on its system between November 9 and November 11, 2025. Issaqueena Pediatric Dentistry discovered the intrusion on November 11, 2025, when ransomware was used to encrypt files. Its incident response protocols were activated, steps were taken to contain the incident, and law enforcement was notified.

Issaqueena Pediatric Dentistry said files are being reviewed to determine the affected individuals and the types of data involved, warning that it is a time-intensive process. Notification letters will be mailed to the affected individuals as soon as possible. The Interlock ransomware group claimed responsibility for the attack, said it exfiltrated 118 GB of data, and listed the data for download on its dark web data leak site, which suggests the ransom was not paid.

Issaqueena Pediatric Dentistry said its network has been secured, and it is working with third-party security experts to implement measures to harden security. Issaqueena Pediatric Dentistry has confirmed that the affected individuals will be offered complimentary credit monitoring and identity theft protection services.

Advanced Homecare Management (Enhabit Home Health & Hospice), Texas

Advanced Homecare Management, LLC, doing business as Enhabit Home Health & Hospice in Dallas, Texas, has notified 22,552 patients that some of their protected health information was compromised in a data breach at one of its business associates.

My 485, Inc., which does business as Doctor Alliance, provides a platform that facilitates the sharing of medical information between doctors and home health agencies and hospices. Enhabit Home Health & Hospice said one or more medical providers may have used the Doctor Alliance platform to facilitate care at entities affiliated with Enhabit, and the platform contained patients’ protected health information.

On December 5, 2025, Doctor Alliance informed Enhabit about a potential security incident involving the data of certain Enhabit patients. Doctor Alliance determined that the platform was subject to unauthorized access between October 31, 2025, and November 6, 2025, and again between November 14, 2025, and November 17, 2025. The platform was accessed by an unauthorized individual using valid credentials for a user account, which allowed access to protected health information such as names, addresses, dates of birth, patients’ gender, physician names, medical record numbers, clinical information, and health plan numbers. Enhabit said financial information and Social Security numbers were not compromised in the incident.

Doctor Alliance has implemented additional authentication mechanisms in the affected software and has notified regulators about the breach. The incident is not yet shown on the OCR breach portal, so the scale of the breach is currently unknown. This appears to have been a ransomware attack. The Kazu ransomware group claimed responsibility.

AltaMed Health Services Corporation, California

AltaMed Health Services Corporation, a provider of primary care, senior care, and health and human services in California, has alerted patients about a cybersecurity incident on December 14, 2025. The incident limited access to some of its computer systems, language that is often used to describe a ransomware attack.

AltaMed said it immediately initiated its incident response protocols when the cyberattack was detected and worked quickly to contain the incident. Third-party cybersecurity experts were engaged to assist with the investigation, and law enforcement was notified. Under its emergency protocols, AltaMed continued to provide care to patients as scheduled and remained operational throughout the recovery.

The investigation into the incident is ongoing; however, it has been determined that the compromised systems contained some patient information, including names, dates of service, and payment information. Additional safeguards and technical security measures have been implemented to further protect and monitor its systems. The affected individuals have been advised to review their statements and explanation of benefits statements and should report any charges for services that they have not received. Regulators have been notified; however, the incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Three Healthcare Providers Affected by Ransomware Attacks appeared first on The HIPAA Journal.

Academic Urology & Urogynecology of Arizona Data Breach Affects 73K Patients

Academic Urology & Urogynecology of Arizona, a division of Palo Verde Hematology and Oncology that serves patients throughout Arizona, has announced a significant data breach, potentially affecting 73,281 current and former patients.

Unauthorized access to its computer network was detected on or around May 22, 2025. Steps were taken to secure its network to prevent further unauthorized access, and third-party cybersecurity experts were engaged to conduct a forensic investigation. On January 30, 2026, it was confirmed that there had been unauthorized access to its network between May 18, 2025, and May 22, 2025, during which time files containing patient data may have been viewed or acquired.

The data involved varies from individual to individual and may include some or all of the following: full names, dates of birth, Social Security numbers, account numbers, account types, routing numbers, medical record numbers, mental or physical conditions, diagnoses/diagnosis codes, treatment locations, procedure types, provider names, dates of service, other medical benefits/entitlements, prescription information, health insurance group numbers, health insurance claim numbers, subscriber member numbers, patient account numbers and patient identification numbers.

Notification letters were mailed to the affected individuals on or around February 12, 2026. At the time of issuing notifications, no evidence had been found to indicate misuse of patient data. As a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Livingston HealthCare, Montana

Livingston HealthCare in Livingston, Montana, has warned patients about a recent cybersecurity incident that may have resulted in unauthorized access to patient data. Livingston HealthCare, which operates a critical access hospital serving the greater Park County area, announced on February 13, 2026, that it was experiencing disruption to its phone systems and network due to a suspected cybersecurity incident.

Certain systems were taken offline while the incident was assessed. Livingston HealthCare is working to restore the affected systems and will bring them back online when it is safe to do so. The phone system has been restored, and while network services are still limited, care continues to be provided to patients uninterrupted. At this stage of the investigation, it is not possible to determine the extent to which patient data has been compromised. Livingston HealthCare said it will continue to provide updates on the incident, recovery, and any data breach via its website.

Livingston HealthCare said it has learned of advertisements and communications suggesting patients could be entitled to compensation as a result of the incident. Patients have been warned not to disclose any sensitive information, such as Social Security numbers, banking information, or other confidential details, unless they are certain of the recipient’s identity and legitimacy.


Managed Care Advisors / Sedgwick Notify Patients of Ransomware Attack

Managed Care Advisors and Sedgwick Government Solutions recently announced a cybersecurity incident involving unauthorized access to a corporate Secure File Transfer Protocol (SFTP) server that contained personal and protected health information. Files on the server were encrypted with ransomware.

Sedgwick Government Solutions, which acquired Managed Care Advisors in 2021, is a Bethesda, MD-based federal government contractor that provides workers’ compensation and managed care solutions. Sedgwick is also the manager of the Nationwide Provider Network for the World Trade Center Health Program.

Data breach notices often fail to disclose the exact nature of hacking incidents, which makes it difficult for victims to accurately gauge the level of risk they face. Sedgwick bucked that trend, opting for transparency about the data breach. Sedgwick explained that the incident was detected on December 4, 2025, and it immediately implemented its incident response processes. All connections to the SFTP server were disabled to prevent further unauthorized access, and the encrypted data was restored from a secure system backup the following day.

A leading cybersecurity firm, Mandiant, was engaged to assist with the investigation and forensic analysis. The investigation confirmed that an unauthorized third party first accessed the server on November 16, 2025, by exploiting a vulnerability in the SFTP application. Access was only gained to a single server. No other systems were compromised.

The investigation confirmed on January 15, 2026, that the compromised server contained first and last names, addresses, Social Security numbers, dates of birth, and protected health information. The types of data varied from individual to individual. Sedgwick said that on January 2, 2026, a threat group identifying itself as TridentLocker claimed responsibility for the incident and published approximately 3.4 GB of data on a dark web data leak site.

Since stolen data has been published, the affected individuals should ensure that they sign up for the complimentary credit monitoring and identity theft protection services being offered. Those services include an identity theft insurance policy. Sedgwick said it had implemented cybersecurity measures prior to the incident to protect its systems and data, and has taken further steps to enhance privacy protections. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


2025 Healthcare Data Breach Report

More than 700 healthcare data breaches affecting 500 or more individuals are being reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) each year. While that unwelcome trend didn’t change in 2025, there was a year-over-year reduction in healthcare data breaches. Based on the current data downloaded from OCR, data breaches have fallen by 4.3% year-over-year.

While that could signal a turn in the tide, it is perhaps a little early to draw such conclusions, as data breaches from 2025 are still being added to the OCR breach portal. When we compiled our 2024 healthcare data breach report in January 2025, 725 large healthcare data breaches were listed on the OCR breach portal. That total increased to 742 data breaches over the following few months. While a similar number of late additions would still mean an annual decrease in data breaches, there was a 43-day shutdown of the federal government in late 2025 due to the failure of Congress to pass appropriations legislation. During that period, no data breaches were added to the OCR breach portal. The late additions in 2026 could therefore be considerably higher than in previous years.

What is clear is that the large annual increases in data breaches between 2018 and 2021 appear to have come to an end, with data breaches plateauing in the 700 to 750 range, which is around two large healthcare data breaches a day – twice the rate in 2018.

Healthcare data breaches 2021-2025

While data breaches are only down slightly, there has been a massive reduction in the number of individuals affected by healthcare data breaches. In 2024, a new record was set for breached healthcare records, with 289,162,330 individuals having their protected health information exposed or impermissibly disclosed. In 2025, at least 61,556,256 individuals had their protected health information exposed or impermissibly disclosed, a 78.7% decrease from 2024. Even if the 192,700,000 individuals affected by the Change Healthcare ransomware attack in 2024 are discounted entirely, last year’s total would still be significantly down year-over-year, largely due to a fall in the number of mega data breaches affecting more than 1 million individuals. In 2024, there were 18 of these mega breaches, but only 9 mega breaches were reported in 2025. The average data breach size fell from 389,707 individuals (median: 6,702 individuals) in 2024 to 86,699 individuals (median: 4,011 individuals) in 2025.

Individuals affected by healthcare data breaches 2021-2025

The Biggest Healthcare Data Breaches of 2025

The table below shows the top 20 healthcare data breaches of 2025, the biggest of which was a hacking incident at the insurance company Aflac, which affected more than 22.6 million individuals globally and involved unauthorized access to the protected health information of almost 14 million individuals in the United States. While the nature of the attack was not disclosed, the cyberattack is thought to be the work of the Scattered Spider hacking group, a financially-motivated English-speaking hacking group whose members are primarily located in the United States and the United Kingdom.

While most of the top 20 data breaches were hacking incidents, the data breach at Blue Shield of California involved the use of tracking tools on its website, which may have disclosed personal information and, in some cases, protected health information to third parties such as Meta Platforms and Google. The data breach at Serviceaide involved an improperly secured database, which could be freely accessed via the internet without any authentication, and two of the top 20 data breaches of 2025 involved compromised email accounts: Numotion and Onsite Mammography.

The table below could change over the coming few months as many investigations of 2025 healthcare data breaches have not yet concluded. For instance, the data breach at Covenant Health was reported to OCR as affecting just 7,864 individuals, but in January 2025, the Maine Attorney General was informed that 478,188 individuals were affected. The OCR data breach portal has yet to be updated with the new total. Further, the OCR breach portal currently lists 64 data breaches with totals of 500 or 501 affected individuals – placeholder figures commonly used when data reviews have yet to conclude.

Rank | Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach
1 | Aflac Incorporated (“Aflac”) | GA | Health Plan | 13,924,906 | Hacking incident
2 | Yale New Haven Health System | CT | Healthcare Provider | 5,556,702 | Hacking incident
3 | Episource, LLC | CA | Business Associate | 5,418,866 | Hacking incident
4 | Blue Shield of California | CA | Business Associate | 4,700,000 | PHI disclosure due to website tracking tools
5 | DaVita Inc. | CO | Healthcare Provider | 2,689,826 | Ransomware attack
6 | Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 | Hacking incident
7 | Radiology Associates of Richmond, Inc. | VA | Healthcare Provider | 1,419,091 | Hacking incident
8 | Southeast Series of Lockton Companies, LLC (Lockton) | GA | Business Associate | 1,124,727 | Hacking incident
9 | Community Health Center, Inc. | CT | Healthcare Provider | 1,060,936 | Hacking incident
10 | Frederick Health | MD | Healthcare Provider | 934,326 | Ransomware attack
11 | McLaren Health Care | MI | Healthcare Provider | 743,131 | Ransomware attack
12 | Medusind Inc. | FL | Business Associate | 701,475 | Hacking incident
13 | Kelly & Associates Insurance Group, Inc. | MD | Business Associate | 553,332 | Hacking incident
14 | Decisely Insurance Services, LLC | GA | Business Associate | 537,603 | Hacking incident
15 | United Seating and Mobility, LLC d/b/a Numotion | TN | Healthcare Provider | 529,004 | Phishing attack
16 | Serviceaide, Inc. | CA | Business Associate | 483,126 | Database exposed on the internet
17 | Goshen Medical Center | NC | Healthcare Provider | 456,385 | Hacking incident
18 | Ascension Health | MO | Healthcare Provider | 437,329 | Hacking incident at a business associate
19 | Northwest Radiologists, Inc./Mount Baker Imaging | WA | Healthcare Provider | 362,713 | Hacking incident
20 | Onsite Mammography | MA | Business Associate | 357,265 | Compromised email account


2025 Healthcare Data Breaches
Data Breach Size | Number of Breaches
10,000,000+ | 1
1,000,000 – 9,999,999 | 8
500,000 – 999,999 | 6
100,000 – 499,000 | 64
10,000 – 99,999 | 176
1,000 – 9,999 | 309
500 – 999 | 146
Total | 710
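The size bands in the table above, the mean-versus-median comparison earlier in this report, and the note about 500/501 placeholder totals are all simple computations over the OCR breach listing. The script below is an added example, not code from The HIPAA Journal, that reproduces those three computations over breach records with the same fields as the top-20 table (entity name, state, entity type, individuals affected, type of breach). The sample records are constructed for illustration and are not real OCR entries; the band boundaries are assumed to be contiguous (100,000 to 499,999, and so on), and the breach-type labels are assumed to follow the four categories the report uses (hacking/IT incident, unauthorized access/disclosure, loss/theft, improper disposal).

```python
"""Summarise OCR-style breach records the way the report's tables do.

Added example (not The HIPAA Journal's own code). The records carry the
same fields as the page's top-20 table; the SAMPLE list below is constructed
for illustration, not taken from the OCR breach portal.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class Breach:
    entity: str
    state: str
    entity_type: str
    individuals_affected: int
    breach_type: str


# Size bands used by the report's "2025 Healthcare Data Breaches" table:
# (inclusive lower bound, label). The upper bound of each band is assumed to be
# one below the next band's lower bound.
SIZE_BANDS = [
    (10_000_000, "10,000,000+"),
    (1_000_000, "1,000,000 - 9,999,999"),
    (500_000, "500,000 - 999,999"),
    (100_000, "100,000 - 499,999"),
    (10_000, "10,000 - 99,999"),
    (1_000, "1,000 - 9,999"),
    (500, "500 - 999"),
]

# Totals of exactly 500 or 501 are commonly placeholders filed before the
# data review has finished, so they should be flagged rather than trusted.
PLACEHOLDER_COUNTS = {500, 501}


def size_band(n: int) -> str:
    """Return the label of the band that contains n individuals."""
    for lower, label in SIZE_BANDS:
        if n >= lower:
            return label
    raise ValueError(f"{n} is below the 500-individual reporting threshold")


def band_counts(breaches) -> dict:
    """Number of breaches in each size band, in the report's order."""
    counts = Counter(size_band(b.individuals_affected) for b in breaches)
    return {label: counts.get(label, 0) for _, label in SIZE_BANDS}


def placeholder_entries(breaches) -> list:
    """Breaches whose reported total is a likely placeholder (500 or 501)."""
    return [b for b in breaches if b.individuals_affected in PLACEHOLDER_COUNTS]


def size_stats(breaches, exclude=()) -> dict:
    """Count, mean and median breach size. `exclude` names entities to drop,
    which shows how one mega-breach moves the mean while barely moving the
    median (the report's Change Healthcare point)."""
    sizes = [b.individuals_affected for b in breaches if b.entity not in exclude]
    return {"count": len(sizes), "mean": mean(sizes), "median": median(sizes)}


def stats_by_type(breaches) -> dict:
    """size_stats() per breach type, as in the report's per-category figures."""
    by_type = {}
    for b in breaches:
        by_type.setdefault(b.breach_type, []).append(b)
    return {t: size_stats(bs) for t, bs in by_type.items()}


# Constructed sample records (hypothetical entities, not real OCR entries).
SAMPLE = [
    Breach("Example Health Plan A", "GA", "Health Plan", 13_924_906, "Hacking/IT Incident"),
    Breach("Example Hospital B", "CT", "Healthcare Provider", 1_419_091, "Hacking/IT Incident"),
    Breach("Example Associate C", "CA", "Business Associate", 483_126, "Hacking/IT Incident"),
    Breach("Example Clinic D", "MD", "Healthcare Provider", 35_000, "Improper Disposal"),
    Breach("Example Dentistry E", "SC", "Healthcare Provider", 501, "Hacking/IT Incident"),
    Breach("Example Practice F", "TX", "Healthcare Provider", 6_702, "Unauthorized Access/Disclosure"),
    Breach("Example Practice G", "FL", "Healthcare Provider", 1_662, "Unauthorized Access/Disclosure"),
    Breach("Example Pharmacy H", "OH", "Healthcare Provider", 750, "Loss/Theft"),
    Breach("Example Associate I", "NY", "Business Associate", 500, "Hacking/IT Incident"),
]

if __name__ == "__main__":
    for label, n in band_counts(SAMPLE).items():
        print(f"{label:>22}: {n}")
    print("placeholder totals:", [b.entity for b in placeholder_entries(SAMPLE)])
    print("all records:", size_stats(SAMPLE))
    print("without mega-breach:", size_stats(SAMPLE, exclude={"Example Health Plan A"}))
    for t, s in stats_by_type(SAMPLE).items():
        print(t, s)
```

Run against the real OCR CSV export, the same functions apply once each row is mapped to a `Breach`; the placeholder check is the one to apply before quoting any per-state or per-category total, since a 500/501 entry can grow by orders of magnitude once the review concludes.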

Average size of healthcare data breaches 2009-2025

Median size of healthcare data breaches 2009-2025

2025 Healthcare Data Breach Causes

Hacking and other IT incidents continue to dominate the breach reports. The majority of these incidents are hacking incidents, as has been the case for many years. There has been a growing trend in recent years of entities suffering data breaches failing to disclose the root cause of the data breach, such as if a hacking incident involved data theft, extortion, malware, or ransomware. The Identity Theft Resource Center reports that this is a problem across all industry sectors, not just healthcare.

Causes of 2025 healthcare data breaches

The problem with the lack of information in breach notices is that individuals are not given sufficient information to make an accurate determination about the level of risk they face. Most ransomware attacks involve data theft and extortion. If the ransom is not paid, the stolen data is leaked on the dark web or sold. According to the cybersecurity firm Black Fog, 96% of ransomware attacks involve data theft, and the ransomware remediation firm Coveware reports that in Q4, 2025, only 20% of ransomware victims paid the ransom. Those figures suggest that 76.8% of ransomware attacks result in data being leaked. If breach victims are told that ransomware was involved, they know that their data will likely be leaked and that it would be prudent to take steps to prevent data misuse. If they are only told that their data has been exposed, they may incorrectly assume that they do not face a high risk of data misuse and may choose to take no action.

Black Fog reports that ransomware attacks reached record levels in 2025, with 1,174 confirmed attacks across all industry sectors, and healthcare was the worst affected sector, accounting for 22% of attacks. There has also been a growing trend of data theft and extortion, with threat actors skipping file encryption. The PEAR threat group emerged in 2025 and only engages in data theft and extortion. The group claimed many healthcare victims in 2025. Other common IT incidents in 2025 include improperly secured databases, which exposed healthcare data via the internet, and phishing attacks that resulted in unauthorized access to email accounts.

Hacking incidents at HIPAA-regulated entities 2021-2025

Individuals affected by hacking incidents at HIPAA-regulated entities 2021-2025

Hacking and other IT incidents tend to affect more individuals than other types of breaches. In 2025, these incidents affected an average of 105,623 individuals (median: 5,434 individuals), compared to an average of 9,909 individuals (median: 1,662 individuals) for unauthorized access/disclosure incidents, and an average of 4,402 individuals (median: 1,690 individuals) for loss/theft incidents.

While there were small decreases in hacking/IT incidents, loss/theft incidents, and improper disposal incidents year-over-year, there was a 17.4% increase in unauthorized access/disclosure incidents. These incidents include data theft by malicious insiders and inadvertent data exposures due to carelessness by employees. Staff HIPAA training can go a long way toward reducing these types of breaches. Making all staff members aware of their responsibilities under HIPAA and the consequences of HIPAA violations if they are discovered can help to reduce the risk of these types of breaches.

Unauthorized access/disclosure incidents at HIPAA-regulated entities 2021-2025

Individuals affected by unauthorized access/disclosure incidents at HIPAA-regulated entities 2021-2025

Regular security awareness training can help to eradicate risky security practices that frequently result in data breaches. It is also important for regulated entities to have the software, policies, and procedures in place to allow them to identify and remediate insider incidents quickly. Loss and theft incidents are becoming far less common due to the shift to cloud storage of PHI, and easier-to-implement and more cost-effective encryption options. While these incidents were once a leading cause of healthcare data breaches, they are now relatively rare.

Loss and theft data breaches at HIPAA-regulated entities 2021-2025

Individuals affected by loss and theft data breaches at HIPAA-regulated entities 2021-2025

Improper disposal incidents are also something of a rarity. In 2025, there was only one such incident at a HIPAA-regulated entity, although it was a significant data breach, affecting more than 35,000 individuals.

Improper disposal data breaches at HIPAA-regulated entities 2021-2025

Individuals affected by improper disposal data breaches at HIPAA-regulated entities 2021-2025

Location of Breached Protected Health Information

A majority of the year’s data breaches involved exposed and stolen protected health information stored on network servers (61.5%), with almost a quarter of data breaches (24.9%) involving compromised email accounts. Physical PHI – paper and films – was compromised in 5.6% of the year’s data breaches, and 4.6% of data breaches involved unauthorized access to electronic medical records.

Location of breached protected health information in 2025

Data Breaches at HIPAA-Regulated Entities

The OCR data breach portal currently lists 523 data breaches at healthcare providers, 56 data breaches at health plans, and two data breaches at healthcare clearinghouses. A further 128 data breaches were reported by business associates of HIPAA-covered entities.

When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure compliance with the notification requirements of the HIPAA Breach Notification Rule. The covered entity may delegate the responsibility of issuing notifications to the business associate, or the covered entity may choose to issue notifications, or a combination of the two. Some healthcare data breach reports fail to take this into account, resulting in business associate data breaches being undercounted.

The charts below are based on the entity that experienced the data breach, rather than the entity that reported the breach. In 2025, 57.5% of data breaches occurred at healthcare providers, 35.8% at business associates, 6.5% at health plans, and 0.3% at healthcare clearinghouses.

Data breaches at HIPAA-regulated entities in 2025

Individuals affected by data breaches at HIPAA-regulated entities in 2025

Geographical Distribution of Healthcare Data Breaches

Data breaches affecting 500 or more individuals were reported by HIPAA-regulated entities in 49 U.S. states, the District of Columbia, and Puerto Rico in 2025. The only state to avoid a large healthcare data breach in 2025 was Vermont.

State/Territory | Data Breaches | State/Territory | Data Breaches
California | 69 | Kansas | 8
Florida | 47 | Oklahoma | 8
Texas | 47 | Arkansas | 7
New York | 44 | Iowa | 7
Ohio | 37 | Nebraska | 7
Pennsylvania | 32 | South Carolina | 7
Michigan | 26 | Alaska | 6
Illinois | 25 | Alabama | 6
Georgia | 23 | Colorado | 6
North Carolina | 22 | Maine | 6
Missouri | 20 | Utah | 5
Indiana | 18 | Idaho | 4
Massachusetts | 17 | Mississippi | 4
Maryland | 17 | Montana | 4
Minnesota | 17 | New Mexico | 4
Tennessee | 16 | Nevada | 4
Virginia | 16 | Rhode Island | 4
Washington | 16 | West Virginia | 4
Wisconsin | 16 | New Hampshire | 3
Arizona | 15 | Delaware | 2
Louisiana | 13 | Hawaii | 2
New Jersey | 12 | South Dakota | 2
Connecticut | 11 | Wyoming | 2
Oregon | 10 | District of Columbia | 1
Kentucky | 9 | North Dakota | 1

While California was the worst-affected state in terms of data breaches, Georgia took top spot for affected individuals.

State/Territory | Affected Individuals | State/Territory | Affected Individuals
Georgia | 16,050,351 | Minnesota | 222,210
California | 11,849,467 | Iowa | 218,559
Connecticut | 7,048,122 | Wisconsin | 199,972
Maryland | 3,809,252 | Rhode Island | 176,500
Florida | 3,372,753 | Maine | 158,054
Colorado | 2,708,292 | Idaho | 154,525
Virginia | 1,900,219 | South Dakota | 132,161
Michigan | 1,812,898 | Louisiana | 114,599
North Carolina | 1,484,108 | Nebraska | 114,313
Texas | 1,034,662 | South Carolina | 97,122
New York | 1,032,819 | Nevada | 90,241
Tennessee | 832,230 | Alaska | 90,073
Pennsylvania | 811,816 | Oregon | 86,813
Missouri | 787,413 | New Mexico | 86,235
Washington | 628,651 | West Virginia | 76,191
Indiana | 621,441 | New Hampshire | 73,816
Ohio | 577,751 | Mississippi | 60,205
Illinois | 513,672 | Puerto Rico | 50,000
Massachusetts | 465,095 | Utah | 42,651
New Jersey | 448,143 | Oklahoma | 38,342
Kansas | 438,181 | Montana | 36,485
Arkansas | 261,435 | Wyoming | 15,883
Arizona | 243,894 | Delaware | 14,635
Kentucky | 233,836 | Hawaii | 8,972
Alabama | 228,199 | District of Columbia | 1,847

HIPAA Violation Penalties in 2025

HIPAA penalties 2009-2025

Last year, OCR almost set a new record for HIPAA enforcement actions, with 21 investigations of complaints and data breaches resolved with settlements or civil monetary penalties. While 2025 saw the second-highest-ever number of HIPAA cases resolved with financial penalties, OCR only collected $8,330,066 in fines, as the majority of penalties were imposed for violations of a single HIPAA provision.

HIPAA Penalties 2017-2025

In 2025, a key focus for OCR was compliance with the risk analysis provision of the HIPAA Security Rule. A comprehensive, organization-wide risk analysis is vital for security. If a risk analysis is not conducted or if it is incomplete, risks are likely to remain unaddressed and may be found and exploited by threat actors. OCR’s compliance audits and data breach investigations have frequently identified risk analysis failures, prompting OCR to launch a risk analysis enforcement initiative.

By focusing on this vital aspect of HIPAA compliance, rather than investigating data breaches more broadly for HIPAA noncompliance, OCR has been able to make significant inroads into addressing its backlog of data breach investigations. The consequence of this approach is that, because most penalties are imposed for violations of a single HIPAA provision, the financial penalties are lower.

Area of Noncompliance | Number of Enforcement Actions
Risk Analysis | 16
Breach notifications | 5
Impermissible disclosure of ePHI | 4
Recording and monitoring activity in information systems | 3
Right of Access | 3
Risk management | 3
Social media | 1
Information access management | 1
Procedures to create and maintain retrievable exact copies of ePHI | 1

In 2025, 76% of all enforcement actions included a penalty for a risk analysis failure. OCR has also started to look closely at compliance with the Breach Notification Rule, which was the second most common reason for a financial penalty. The HIPAA Breach Notification Rule requires notices to OCR, individuals, and the media within 60 days of the discovery of a data breach. More than one-fifth of enforcement actions included a penalty for breach notification failures.

OCR has confirmed that its enforcement priorities in 2026 will be largely the same as in 2025. OCR will continue with its HIPAA Right of Access and risk analysis enforcement initiatives, with the latter being expanded to include risk management. In addition to demonstrating that risks have been identified, OCR will want to see evidence that the identified risks have been managed and reduced in a timely manner.

OCR HIPAA Settlements in 2025

HIPAA-Regulated Entity | Penalty Amount | Reason for Penalty
Elgon Information Systems | $80,000 | Risk analysis failure
Virtual Private Network Solutions | $90,000 | Risk analysis failure
USR Holdings | $337,750 | Risk analysis failure; recording activity in information systems; procedures to create and maintain retrievable exact copies of ePHI; impermissible disclosure of 2,903 individuals’ PHI
Solara Medical Supplies | $3,000,000 | Risk analysis failure; risk management failure; breach notification failure (individuals, media, HHS); impermissible disclosure of the PHI of 114,007 and 1,531 individuals
South Broward Hospital District (Memorial Health System) | $60,000 | HIPAA Right of Access failure
Northeast Surgical Group | $10,000 | Risk analysis failure
Health Fitness Corporation | $227,816 | Risk analysis failure
Northeast Radiology, P.C. | $350,000 | Risk analysis failure
Guam Memorial Hospital Authority | $25,000 | Risk analysis failure
PIH Health | $600,000 | Risk analysis failure; breach notification failure (media notice, HHS notice); impermissible disclosure of PHI
Comprehensive Neurology, PC | $25,000 | Risk analysis failure
Vision Upright MRI | $5,000 | Risk analysis failure; breach notification failure
BayCare Health System | $800,000 | Information access management failure (minimum necessary standard); risk management failure; lack of information system activity reviews
Comstar, LLC | $75,000 | Risk analysis failure
Deer Oaks – The Behavioral Health Solution | $225,000 | Risk analysis failure; impermissible disclosure of ePHI
Syracuse ASC (Specialty Surgery Center of Central New York) | $250,000 | Risk analysis failure; breach notification failure (OCR, individuals)
BST & Co. CPAs, LLP | $175,000 | Risk analysis failure
Cadia Healthcare Facilities | $182,000 | Social media disclosure without authorization; breach notification failure
Concentra Inc. | $112,500 | HIPAA Right of Access failure
Concentra Inc. $112,500 HIPAA Right of Access failure

OCR HIPAA Civil Monetary Penalties in 2025

HIPAA-Regulated Entity | Penalty Amount | Reason for Penalty
Warby Parker | $1,500,000 | Risk analysis failure; risk management failure; lack of monitoring of activity in information systems containing ePHI
Oregon Health & Science University | $200,000 | HIPAA Right of Access failure

State attorneys general also enforce HIPAA compliance and can impose financial penalties, although some state attorneys general impose fines for violations of state data privacy and security rules. In 2025, only one enforcement action was announced by a state attorney general. The New York attorney general imposed a $500,000 financial penalty on Orthopedics NY LLP for cybersecurity failures that led to a data breach affecting 656,086 individuals. The penalty was imposed for violations of New York laws, although the HIPAA Security Rule was undoubtedly also violated.


Data Breaches Announced by MedRevenu & EyeCare Partners

Data breaches have been confirmed by the revenue cycle management company MedRevenu Inland Physicians Hospitalist Services, and the Missouri-based eye care provider, EyeCare Partners.

MedRevenu Inland Physicians Hospitalist Services

MedRevenu Inland Physicians Hospitalist Services, a Montclair, CA-based vendor that provides revenue cycle management services to healthcare providers, has recently notified the California Attorney General about a cybersecurity incident. The incident occurred on or around December 12, 2024, and caused disruption to its network. The forensic investigation determined that files containing personal and protected health information may have been accessed or acquired in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers/government identification numbers, health insurance information, medical information, financial account numbers, payment card numbers, and access information.

MedRevenu said it is reviewing and enhancing its cybersecurity measures and has offered the affected individuals complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months. The BianLian threat group claimed responsibility for the attack and added MedRevenu to its dark web data leak site on December 14, 2024. Since data has been leaked, the affected individuals should ensure that they sign up for the credit monitoring services being offered and carefully check their account statements for data misuse, going back to December 2024. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

EyeCare Partners

EyeCare Partners, LLC, a St. Louis, MO-based nationwide provider of eye care services, has recently announced an email security incident that was first identified on January 28, 2025. Suspicious email activity was identified, and an investigation was launched, which confirmed that an unauthorized third-party had accessed multiple managed email accounts between December 3, 2024, and January 28, 2025.

It took until November 11, 2025, to review the compromised accounts, and notifications were issued to appropriate state attorneys general in February 2026. Data compromised in the incident includes names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health plan information, and limited clinical information.

EyeCare Partners said it has no reason to believe that any of the exposed information has been misused for identity theft or fraud; however, out of an abundance of caution, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 24 months. EyeCare Partners said it has reviewed and enhanced its technical security measures and has provided further reminders to employees about how to recognize and avoid phishing attempts. The incident has been reported to the HHS’ Office for Civil Rights as affecting 17,110 individuals, including patients of The Ophthalmology Group, Ophthalmology Consultants, and Ophthalmology Associates.

The post Data Breaches Announced by MedRevenu & EyeCare Partners appeared first on The HIPAA Journal.

83,000 Clients Affected by Cyberattack on Ohio Counseling Center

The Counseling Center of Wayne and Holmes Counties has experienced a cyberattack affecting 83,350 individuals. Data breaches have also been announced by Neurological Associates of Washington and Pecan Tree Dental.

Counseling Center of Wayne and Holmes Counties

The Counseling Center of Wayne and Holmes Counties (CCWHC) in Wooster, Ohio, has experienced a data security incident affecting 83,354 individuals. On March 3, 2025, CCWHC’s third-party service provider notified CCWHC about a cybersecurity incident, which caused disruption to its IT systems. An investigation was launched, and steps were taken to contain and remediate the incident. All impacted systems and accounts were removed, credentials were reset, and leading data privacy and security experts were engaged to assist with the investigation.

The forensic investigation determined that an unauthorized third party gained access to a single CCWHC server on March 2, 2025, and exfiltrated files on March 3, 2025. Based on the initial findings of the investigation, the general types of information compromised in the incident include names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health insurance information, medical condition information, treatment provider names, medical record numbers, treatment cost information, diagnoses, and treatment information.

CCWHC has worked with cybersecurity experts and privacy professionals to review and further strengthen system security. The file review was completed on December 9, 2025, and notification letters have now been mailed to the affected individuals.

Neurological Associates of Washington

Neurological Associates of Washington (NAW) has recently confirmed that the personal and protected health information of 13,500 individuals was stolen in a December 2025 cyberattack. It is now rare for a healthcare provider to disclose details about a hacking incident in its data breach notice; however, NAW has bucked that trend and disclosed that the Dragonforce ransomware group was behind the attack. NAW also confirmed that sensitive patient data was stolen and published on the dark web by Dragonforce.

NAW immediately alerted the Federal Bureau of Investigation (FBI), which investigated the incident and confirmed that the stolen data was published on the dark web on December 28, 2025. The FBI is conducting further investigations into the attack, but has confirmed that the data compromised in the incident related to patients from 2019 to 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnoses, disability codes, medical information, and other types of data. New patients from January 2025 onwards had their data added to a new cloud-based records system, which was not accessed in the attack.

NAW said it has implemented a deep reset and restructuring of its IT system in response to the incident and confirmed that the affected database is now stored in an offline environment. At the time of issuing notifications, NAW said it was unaware of any actual or attempted misuse of the stolen data. As a precaution against identity theft and fraud, the affected individuals have been offered 12 months of complimentary credit monitoring services.

Pecan Tree Dental

Pecan Tree Dental, PLLC, in Grand Prairie, Texas, has confirmed that it experienced a cybersecurity incident involving unauthorized access to its computer systems. The website notice is light on detail, only stating that steps have been taken to secure its systems, and cybersecurity and legal professionals have been engaged to assist with the investigation. At the time of uploading the notice to its website, it was unaware of any unauthorized access to patient information or data misuse. The OCR breach portal indicates that up to 13,300 individuals had their protected health information exposed in the incident.

The Texas attorney general was informed that data compromised in the incident includes names, addresses, dates of birth, medical information, and health information. This appears to have been a ransomware attack by the Sinobi threat group, which added Pecan Tree Dental to its dark web data leak site on January 11, 2026. Sinobi claims to have exfiltrated 250 GB of data in the attack and has leaked the stolen data.

The post 83,000 Clients Affected by Cyberattack on Ohio Counseling Center appeared first on The HIPAA Journal.

Precipio; Pit River Health Service; Tulane University Medical Group Confirm Data Breaches

Data breaches have been announced by the Connecticut diagnostic laboratory Precipio, Pit River Health Service in California, and Tulane University Medical Group in Louisiana.

Precipio, Inc.

Precipio, Inc., a Connecticut-based laboratory specializing in advanced hematopathology diagnostics, has discovered unauthorized access to an employee’s cloud-based storage account. Suspicious activity was identified within the account on or around November 25, 2025, and the investigation confirmed that an unauthorized third party accessed the employee’s account from November 23, 2025, to November 25, 2025, during which time files were copied from the account.

The review of the affected files to determine the information involved is still ongoing. Precipio has yet to disclose a final list of the affected data, but said that, based on its investigation so far, information compromised in the incident includes names, addresses, dates of birth, medical record numbers, clinical/treatment information, medical procedure information, medical provider names, prescription information, and health insurance information.

Since the file review has not yet concluded, the HHS’ Office for Civil Rights has been provided with an interim total of at least 501 affected individuals. The total will be updated when the file review is completed.

Pit River Health Service

Pit River Health Service, the operator of two healthcare clinics in Burney and Alturas in California, has recently announced a data breach affecting up to 1,800 individuals. An unauthorized third party hacked its systems and potentially copied data. Pit River Health Service has confirmed that no data was altered or deleted in the attack, and the Indian Health Service medical record system was not accessed.

In a website update, Pit River Health Service confirmed that some of the affected systems have been restored, while a more extensive security review is being conducted for the other affected systems. As a result of the attack, some patient services have been delayed, but appointments and services are continuing. In response to the incident, security monitoring has been stepped up across all of its IT systems.

Tulane University Medical Group

A data breach has been reported to the HHS’ Office for Civil Rights by Administrators of the Tulane Educational Fund d/b/a Tulane University Medical Group. The Louisiana-based medical group experienced a ransomware attack that involved unauthorized access to the protected health information of 6,530 patients.

Tulane University Medical Group does not currently have a substitute data breach notice on its website, so it is unclear exactly what types of information were compromised in the incident. The Cl0p ransomware group claimed responsibility for the attack and added the medical group to its data leak site. Cl0p exploits vulnerabilities in mass attacks, typically vulnerabilities in file-sharing software. Sensitive data is stolen, and ransom demands are issued. Cl0p claims to have exploited a vulnerability on or around November 18, 2025.

The post Precipio; Pit River Health Service; Tulane University Medical Group Confirm Data Breaches appeared first on The HIPAA Journal.

Jefferson-Blount-St. Clair Mental Health Authority Data Breach Affects 30,000 Patients

Jefferson-Blount-St. Clair Mental Health Authority in Alabama, Cottage Hospital in New Hampshire, WindRose Health Network in Indiana, and Iroquois Memorial Hospital in Illinois have announced that patient data has been exposed in hacking incidents.

Jefferson-Blount-St. Clair Mental Health Authority, Alabama

Jefferson-Blount-St. Clair (JBS) Mental Health Authority in Alabama has notified more than 30,000 individuals that some of their personal and protected health information was exposed and potentially acquired in a ransomware attack. Suspicious activity was identified within its computer network on or around November 25, 2025. The investigation confirmed that hackers gained access to its network on November 25, 2025, and potentially viewed or acquired information relating to individuals who were patients or employees between 2011 and 2025.

The file review has recently concluded and confirmed that the exposed data included names, Social Security numbers, health insurance information, dates of birth, and medical information, which may have included diagnoses, physician information, medical record numbers, Medicare/Medicaid information, prescription/medication information, diagnostic and treatment information, and billing or claims information.

The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements. The HHS’ Office for Civil Rights breach portal indicates 30,434 individuals were affected by the incident.

Cottage Hospital, New Hampshire

Cottage Hospital, a 35-bed critical access hospital in Woodsville, New Hampshire, has detected unauthorized access to its computer network. The forensic investigation confirmed that hackers had access to a single file server on its computer network from October 14, 2025, to October 21, 2025, and on December 8, 2025, the hospital confirmed that files had been exfiltrated in the incident. The review of the files is ongoing, although it has been confirmed that the server contained current and former employees’ names, Social Security numbers, driver’s license numbers, and potentially bank account information.

The breach notice submitted to the Maine Attorney General indicates 2,156 individuals were affected, including 83 Maine residents. The affected individuals have been offered complimentary credit monitoring, identity theft restoration, and fraud consultation services. The hospital has confirmed that it will continue to implement and evaluate enhanced safeguards and security measures to better protect sensitive data on its network.

WindRose Health Network, Indiana

WindRose Health Network, a Federally Qualified Health Center with five health centers in Indiana, has notified certain patients about a security incident identified on August 22, 2025. The security breach was detected quickly, with the unauthorized access determined to have commenced on the morning of August 22, 2025. The compromised parts of the network contained personal and protected health information, which may have been accessed or acquired.

A data review firm was engaged to determine the types of information in the exposed files and the individuals affected. That process was recently completed, and the results were assessed to determine the individuals who required notifications. Data compromised in the incident varies from individual to individual and may include names in combination with one or more of the following: contact information, date of birth, patient identification number, date(s) of service, provider name(s), diagnosis, treatment information, prescription(s), medical history, lab reports, health insurance information, and, for a limited number of individuals, government identification numbers such as driver’s license number or Social Security number.

Third-party cybersecurity experts were engaged to investigate the incident, review security, and further secure its systems. The affected individuals have been advised to remain vigilant against identity theft and fraud. The HHS’ Office for Civil Rights breach portal indicates 691 individuals were affected by the incident.

Iroquois Memorial Hospital, Illinois

Iroquois Memorial Hospital in Watseka, Illinois, has recently reported a hacking incident to the HHS’ Office for Civil Rights involving unauthorized access or theft of patients’ protected health information. A substitute breach notice has yet to be posted to the hospital’s website, so it is unclear exactly what types of data were compromised in the incident. The Pear threat group claimed responsibility for the attack.

Pear engages in data theft and extortion but does not encrypt files. The group maintains a data leak site and added Iroquois Memorial Hospital to the site on December 11, 2025. The listing is still active, which suggests the ransom was not paid. The HHS’ Office for Civil Rights breach portal indicates 621 individuals were affected by the incident.

The post Jefferson-Blount-St. Clair Mental Health Authority Data Breach Affects 30,000 Patients appeared first on The HIPAA Journal.

DOCS Dermatology Group; Center for Neuropsychology and Learning Disclose Data Breaches

Central States Dermatology Services (DOCS Dermatology Group) in Ohio and The Center for Neuropsychology and Learning in Michigan have identified unauthorized access to patient data.

Central States Dermatology Services, Ohio

Central States Dermatology Services, LLC, doing business as DOCS Dermatology Group (DOCS), has disclosed a security incident that was identified on November 27, 2025. Suspicious activity was identified within its network, and, assisted by third-party cybersecurity experts, DOCS determined that an unauthorized third party had access to its network from November 19, 2025, to November 27, 2025.

The data review is ongoing, so the number of affected individuals has yet to be confirmed; however, DOCS has determined that the data compromised in the incident includes names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, treatment/diagnosis information, prescription/medication information, dates of service, provider name, medical record number, patient account number, Medicare/Medicaid ID number, health insurance information, and/or medical billing/claims information. DOCS is reviewing its policies and procedures related to data security and has engaged cybersecurity experts to review its security measures and make enhancements to strengthen security. At the time of the announcement, DOCS had not identified any misuse of the affected information.

The Center for Neuropsychology and Learning, Michigan

The Center for Neuropsychology and Learning in Ann Arbor, Michigan, has discovered that a malicious cyber actor accessed a server containing the sensitive data of 3,722 of its clients. The unauthorized access was detected on November 10, 2025, and the forensic investigation confirmed that the server was accessed at some point between October 14 and October 31, 2025.

The server was analyzed and found to contain protected health information such as names, dates of birth, contact information, service type(s), and/or test reports. Highly sensitive information, such as Social Security numbers, financial information, and therapy notes, was not stored on the server. The Center for Neuropsychology and Learning has confirmed that the threat has been fully mitigated, and notifications have been mailed to the affected individuals, who have been offered 12 months of complimentary credit monitoring and identity theft protection services as a precaution.

The post DOCS Dermatology Group; Center for Neuropsychology and Learning Disclose Data Breaches appeared first on The HIPAA Journal.