HIPAA Breach News

Florida Medical Imaging Provider Notifies 260,000 Patients About February Data Breach

Vital Imaging Medical Diagnostic Centers in Florida has disclosed a February 2025 hacking incident involving unauthorized access and potential acquisition of patient data. The HHS’ Office for Civil Rights has been informed that the protected health information of up to 260,000 patients was compromised in the incident.

In its August 22, 2025, substitute data breach notice, Vital Imaging explained that the intrusion was discovered on February 13, 2025. Cybersecurity experts were engaged to investigate the activity, and the investigation is ongoing. Vital Imaging said there is a reasonable belief that personally identifiable information and protected health information were accessed and acquired by the attackers.

An independent data mining team was retained to assist with the investigation and review the files on the compromised parts of its network to determine the individuals affected and the types of data involved. The team has confirmed that medical information, insurance information, and demographic information, including names, dates of birth, and contact information, were compromised.

Notification letters will be mailed to the affected individuals when the file review is concluded. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their credit reports, financial account statements, and explanation of benefits statements.

ESHYFT

Security researcher Jeremiah Fowler has identified an exposed database linked to ESHYFT, a provider of a platform that allows nurses to find available per diem shifts at long-term care facilities across the country. The 100 GB database could be accessed without authorization and contained 86,341 records, including sensitive data such as names, IDs, medical reports, profile information, facial images, work schedule logs, professional certificates, work assignment information, CVs/resumes, and other information.

Fowler was unable to determine whether the database was maintained by ESHYFT or a third-party service provider, how long the database was exposed online, or whether it was accessed by any unauthorized individuals. The exposed database was reported to ESHYFT and was secured around a month later. Since ESHYFT works with nurses rather than patients, it is unlikely to be a HIPAA-covered entity, and its website does not include a Notice of Privacy Practices, further indicating the data was not HIPAA-protected.

The post Florida Medical Imaging Provider Notifies 260,000 Patients About February Data Breach appeared first on The HIPAA Journal.

Senators Demand Answers from Aflac About June 2025 Cyberattack

A bipartisan pair of senators has written to Aflac Chairman and CEO Daniel P. Amos seeking further information about a recently disclosed cyberattack and data breach. Sen. Bill Cassidy (R-La.), chairman of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Margaret Wood Hassan (D-N.H.), are requesting greater transparency about the incident.

Aflac disclosed the incident on June 12, 2025, in a filing with the U.S. Securities and Exchange Commission (SEC), and subsequently issued a press release confirming that customers’ personal and protected health information was compromised in the incident. The senators have requested further information about the incident, including the security measures in place prior to the cyberattack, how cybersecurity best practices implemented by other critical infrastructure sectors have been incorporated at Aflac, which federal agencies were notified about the incident, and when those notifications were issued.

Aflac has stated that claims and health information were compromised in the incident. The senators want to know what steps have been taken to identify the information that was compromised, when the steps to identify the affected information will be finalized, how Aflac is proactively communicating with the individuals potentially affected by the incident, and what steps have been taken or will be taken in response to the cyberattack to improve its security protocols.

The senators also want to know what additional reporting, beyond the requirements of the Health Insurance Portability and Accountability Act, Aflac commits to doing for individuals whose information was impermissibly disclosed in the incident. Aflac has been given until September 5, 2025, to respond and provide answers to the questions.

June 23, 2025: Aflac Latest Insurer to Suffer Cyberattack and Data Breach

The Columbus, Georgia-based insurance giant Aflac has recently announced that it has fallen victim to a cyberattack. Aflac is the largest provider of supplemental insurance in the United States and claims to provide financial protection for more than 50 million people worldwide.

Aflac disclosed the cyberattack in a June 12, 2025, filing with the U.S. Securities and Exchange Commission (SEC), explaining it had initiated its cybersecurity incident response protocols and contained the intrusion within hours. The attack did not affect business operations, and it has continued to underwrite policies, review claims, and otherwise service customers as usual.

Aflac has engaged the services of leading cybersecurity experts to support its own breach response efforts, and the investigation into the attack is ongoing. Aflac said ransomware was not deployed in the incident; however, data does appear to have been exposed. A review of the potentially exposed files is underway. At this early stage of the file review, it is not possible to determine how many individuals have been affected.

Aflac said the exposed data likely includes names, claims information, health information, Social Security numbers, and other personal information related to customers, beneficiaries, employees, agents, and other individuals in its U.S. business. Complimentary credit monitoring and identity theft protection services will be offered to the affected individuals, and regulators will be notified about the extent of the data breach. “This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group,” explained Aflac in a press release about the cybersecurity incident. “This was part of a cybercrime campaign against the insurance industry.” The data breach was reported to the HHS’ Office for Civil Rights on August 8, 2025, although a placeholder figure of 500 was used for the number of affected individuals. That figure will be updated when the file review is completed and all affected individuals have been identified.

The cybercrime campaign has involved attacks on other large insurers in the United States, including the Pennsylvania-based insurers Erie Insurance Group and Philadelphia Insurance Companies. Similar to the Aflac attack, these two incidents did not involve file encryption, only data theft. There has been no attribution so far, although the timing of these attacks suggests a single threat actor is behind all three incidents.

The likely culprit is a threat group known as Scattered Spider, which is known to target large companies in one sector at a time. Recently, Scattered Spider has targeted the retail sector, with its attacks including the UK retailers Marks & Spencer, Co-op, and the Harrods luxury department store, and U.S. attacks on Victoria’s Secret and United Natural Foods, which supplies the Amazon-owned grocery chain Whole Foods.

Researchers at the Google Threat Intelligence Group issued a warning early last week that the group has pivoted to the insurance industry, and ReliaQuest warned that the group is targeting IT service providers and managed service providers to attack their downstream clients. Google Threat Intelligence Group researchers recently confirmed that the recent attacks on the insurance sector show the hallmarks of a targeted Scattered Spider campaign.

Scattered Spider typically breaches company networks and deploys ransomware after data exfiltration, but ransomware was not deployed in these attacks. It is possible that the attacks were detected and blocked before ransomware was deployed, but the group may have simply changed tactics, focusing on data theft and extortion alone. While the perpetrator has yet to be confirmed, it is clear that the insurance industry is being targeted. All insurers should remain on high alert as there could well be further attempted cyberattacks on the sector.

Legacy Treatment Services Data Breach Affects 42,000 Individuals

Data breaches have recently been confirmed by Legacy Treatment Services/Community Treatment Solutions in New Jersey, Washington Gastroenterology, Woodlawn Hospital in Indiana, and Children’s Home & Aid (Brightpoint) in Illinois.

Legacy Treatment Services

Legacy Treatment Services, a New Jersey provider of behavioral health and addiction treatment services, has notified the Maine Attorney General about an October 2024 cybersecurity incident involving the personal and protected health information of 41,826 individuals. Some of the affected individuals had received services from Community Treatment Solutions (CTS) in Moorestown, New Jersey.

The incident was identified on or around October 11, 2024, when connectivity to its network was disrupted. The forensic investigation confirmed unauthorized access to its network between October 6, 2024, and October 11, 2024. A file review was initiated, and on July 18, 2025, confirmation was received that employee and patient data were accessed and acquired in the incident.

The data involved varied from individual to individual and included first and last names along with one or more of the following: addresses, phone numbers, email addresses, Social Security numbers, birth dates, driver’s license numbers/state ID numbers, passport numbers, financial account numbers, routing numbers, bank names, credit/debit card numbers/CVV/expiration dates/PIN or security codes, login information, diagnoses, clinical information, treatment/procedure information, treatment types/locations, treatment cost information, doctors’ names, medical record numbers, patient account numbers, health insurance information, prescription information, and/or biometric information.

While no evidence has been found to indicate any misuse of that information, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Washington Gastroenterology

Washington Gastroenterology has recently started notifying patients about a cybersecurity incident detected on or around March 10, 2025. The exact nature of the incident was not disclosed in its substitute breach notice, only that certain data was accessed by an unknown third party. The affected data was reviewed, and it was confirmed that the breach was limited to a legacy system, which contained names, Social Security numbers, and medical information. No current networks or affiliate systems were involved.

Individual notification letters started to be mailed to the affected individuals on May 23, 2025; however, it later emerged that further individuals were affected, and notification letters are now being mailed to those individuals. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals. The data breach has been reported to regulators, but the incident is not currently shown on the OCR data breach portal or the Washington Attorney General website, so it is currently unclear how many individuals have been affected.

Woodlawn Hospital

Woodlawn Hospital in Rochester, Indiana, has identified unauthorized access to its computer network. The intrusion was identified on June 30, 2025, and the forensic investigation confirmed unauthorized access between June 25, 2025, and June 30, 2025. During that time, files containing patient data were copied from its network.

The files are currently being reviewed, but it has been confirmed that they contain names, addresses, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, medical information, and health insurance information. Notification letters will be mailed to the affected individuals when the file review is concluded. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Children’s Home & Aid (Brightpoint)

Children’s Home & Aid, doing business as Brightpoint in Illinois, has identified unauthorized access to an employee’s email account. The security incident was detected on or around February 27, 2025, and the forensic investigation confirmed unauthorized access to the account between January 12, 2025, and February 27, 2025. Following a programmatic and manual review of the account, it was determined on June 16, 2025, that the account contained the personal and protected health information of 1,051 individuals.

The data involved varied from individual to individual and may have included names, Social Security numbers, driver’s license numbers/government-issued identification numbers, financial account information, health insurance information, and/or medical information. Brightpoint has reviewed its security policies and procedures and has taken steps to reduce the risk of similar incidents in the future.

Healthcare Services Group Confirms 624,500 Individuals Affected by Data Breach

Healthcare Services Group, Inc. (HSG), a Bensalem, PA-based provider of environmental, dining, and nutritional support services to healthcare facilities, has recently notified the Maine Attorney General about a major data breach involving unauthorized access to systems containing the personal and protected health information of 624,496 individuals, including 3,871 Maine residents.

HSG provides its services to more than 3,000 healthcare facilities in 48 U.S. states and employs more than 45,000 individuals. HSG first disclosed the security incident on October 16, 2024, in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), explaining that a cybersecurity incident was identified on October 9, 2024, when unauthorized activity was identified within some of its systems.

HSG initiated its cybersecurity incident response process, and an investigation was launched to determine the cause of the activity, with assistance provided by third-party cybersecurity specialists. At the time, the full nature of the incident was unknown, although it was not expected to have a material impact on its financial condition or the results of operations. The breach report indicates initial access to its network occurred on September 27, 2024, twelve days before the intrusion was detected. HSG has been reviewing the exposed files and determined on June 3, 2025, that personal and protected health information was potentially stolen.

Notification letters started to be mailed to the affected individuals on August 25, 2025, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, in Maine at least. While the Maine Attorney General has published a copy of the breach notification letter, a website error means it is not currently viewable, and there is currently no substitute breach notice on the HSG website, so the types of information exposed in the incident and the nature of the cyberattack are currently unknown.

This post will be updated when further information becomes available.

Michigan Rural Health System Notifies 140,000 About Hacking Incident

Aspire Rural Health in Michigan is notifying almost 140,000 patients about unauthorized access to its network and the theft of their personal and healthcare data. Aspire Rural Health consists of more than 70 providers and serves patients in rural areas in Huron County, Sanilac County, Tuscola County, and Lapeer County. Aspire detected the intrusion on or around January 6, 2025, and third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that an unauthorized third party had access to its network for more than two months from November 4, 2024, to January 6, 2025.

According to the substitute data breach notice on the Aspire website, files containing patients’ protected health information were accessed and/or acquired in the incident. Following a manual review of the affected files, Aspire confirmed that a wide range of data types were compromised in the incident.

Current and former patients had their first and last names stolen, in combination with one or more of the following: date of birth, Social Security number, financial account number and routing number, diagnosis information, medical treatment information, prescription information, health insurance information, payment card number/PIN/expiry date, lab results, provider information, driver’s license number, username/password, biometric identifiers, patient identification number, medical record number, and passport number.

Aspire is unaware of any misuse of the affected data; however, as a precaution, complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. The data breach is not yet listed on the HHS’ Office for Civil Rights breach portal; however, the Maine Attorney General has been informed that 138,386 individuals have been affected, including 4 Maine residents. While not described as a ransomware attack, the BianLian threat group claimed responsibility for the attack and added Aspire to its dark web data leak site.

July 2025 Healthcare Data Breach Report

U.S. healthcare data breaches are down 34.1% month-over-month, and 44.5% fewer individuals had their healthcare data exposed. HIPAA-regulated entities reported 48 data breaches affecting 500 or more individuals in July, 12 fewer than the monthly average over the past 12 months.

[Chart: Healthcare data breaches in the past 12 months - July 2025]

July saw the lowest number of reported healthcare data breaches since September 2024, although the monthly total is likely to increase as there is often a delay between an entity reporting a data breach to the HHS’ Office for Civil Rights (OCR) and it being added to the OCR breach portal. For instance, in August 2024, when we compiled the July 2024 healthcare data breach report, there were 43 data breaches, with the total increasing to 49 over the next few months.

[Chart: July healthcare data breaches 2020-2025]

July’s total is therefore likely to be slightly higher than July 2024, and data breaches are up slightly year-over-year. When we compiled our July 2024 data breach report on July 20, 2024, 435 data breaches affecting 500 or more individuals had been reported to OCR. This year’s total for January 1, 2025, to July 31, 2025, stands at 444 data breaches – a 2% year-over-year increase.

[Chart: Individuals affected by healthcare data breaches in the past 12 months]

There has also been a fall in the number of individuals affected by healthcare data breaches. Across the 48 reported data breaches, 4,397,900 individuals had their healthcare data exposed or impermissibly disclosed – a 44.5% month-over-month reduction, and 1.37 million fewer individuals than the 12-month average of 5,769,912 individuals a month.

[Chart: Individuals affected by July data breaches 2020-2025]

While there has been a month-over-month fall in affected individuals based on current data, July’s total will increase further as breached organizations complete their data breach investigations and file reviews. As it stands, the number of affected individuals is down 97.8% from the 200 million+ individuals affected by data breaches last year. It should be noted that the July 2024 total includes the data breach at Change Healthcare, which affected 192.7 million individuals. When we compiled the data for last July’s data breach report, the OCR breach portal only showed 1.2 million affected individuals.

Biggest Healthcare Data Breaches in July 2025

In July, 16 HIPAA-regulated entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates reported data breaches affecting 10,000 or more individuals, all of which were hacking incidents. Two data breaches stand out in terms of the number of affected individuals: the hacking incidents at Anne Arundel Dermatology and Radiology Associates of Richmond (RAR), which together affected more than 3.3 million individuals, 75.6% of the month’s total affected individuals.

It is unclear from the breach reports whether ransomware was used in either of these incidents. Hackers had access to the RAR network for four days in April 2024, but were camped in the Anne Arundel network for three months before the intrusion was detected. Several dermatology practices and medical imaging providers have reported data breaches in recent months, which suggests these types of entities may have been targeted specifically by threat actors.

Three of the top 16 data breaches were reported as ransomware attacks, although ransomware may have been used in more attacks. It is now common for data breach notification letters to omit the cause of the breach, and relatively few mention ransomware, even when ransomware groups have claimed responsibility for an attack.

| Name of Regulated Entity | State | Entity Type | Individuals Affected | Cause of Breach |
| --- | --- | --- | --- | --- |
| Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 | Hacking incident |
| Radiology Associates of Richmond, Inc. | VA | Healthcare Provider | 1,419,091 | Hacking incident |
| Zumpano Patricios, P.A. | FL | Business Associate | 279,275 | Hacking incident |
| Cierant Corporation | CT | Business Associate | 232,506 | Hacking incident (Cleo VL Trader MFT) |
| Alera Group, Inc. | IL | Business Associate | 155,567 | Hacking incident |
| McKenzie Memorial Hospital | MI | Healthcare Provider | 58,839 | Hacking incident |
| Wood River Health | RI | Healthcare Provider | 54,926 | Hacking incident (Email accounts) |
| Gastroenterology Consultants of South Texas | TX | Healthcare Provider | 44,579 | Ransomware attack (Interlock) |
| Infinite Services, Inc. | NY | Healthcare Provider | 31,742 | Ransomware attack |
| Self Regional Healthcare | SC | Healthcare Provider | 26,696 | Hacking incident at business associate (Nationwide Recovery Service) |
| Dr. Michael Bilikas and Associates d.b.a. 32 Pearls | WA | Healthcare Provider | 23,517 | Ransomware attack |
| AVALA Holdings | LA | Healthcare Provider | 22,732 | Hacking incident |
| Keys Pathology Associates, PA | FL | Healthcare Provider | 20,000 | Hacking incident |
| Northwest Denture Center, Inc. | WA | Healthcare Provider | 19,419 | Hacking incident |
| Arbor Associates, Inc. | MI | Business Associate | 17,040 | Hacking incident |
| Florida Lung, Asthma & Sleep Specialists (FLASS) | FL | Healthcare Provider | 10,000 | Hacking incident |

The above list could grow as data breach investigations conclude. The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report a data breach within 60 days of discovery, and when that deadline is reached, data breach investigations may not have concluded. In such cases, many regulated entities submit a breach report with a placeholder figure of 500 or 501 affected individuals as an interim total. In July, five regulated entities reported data breaches using a 500 or 501 figure.

| Name of Regulated Entity | State | Entity Type | Breach Size | Cause of Breach |
| --- | --- | --- | --- | --- |
| Kettering Adventist Healthcare | OH | Healthcare Provider | 501 | Hacking/IT Incident (Network server) |
| Human Development Services of Westchester | NY | Healthcare Provider | 501 | Hacking/IT Incident (Email) |
| Naper Grove Vision Care | IL | Healthcare Provider | 501 | Hacking/IT Incident (Network server) |
| Doctors’ Memorial Hospital | FL | Healthcare Provider | 500 | Hacking/IT Incident (Network server) |
| Northwest Medical Homes, LLC | OR | Healthcare Provider | 500 | Hacking/IT Incident (Network server) |

Causes of July 2025 Healthcare Data Breaches

Hacking is now the leading cause of data breaches, with July seeing 83.3% of incidents involving hacking or other IT-related issues. On average, 109,620 individuals were affected by these types of data breaches (median: 5,137 individuals). Hacking/IT incidents accounted for 99.7% of breached healthcare records in July (4,384,794 individuals).

[Chart: Causes of July 2025 healthcare data breaches]

There were 8 unauthorized access/disclosure incidents in July, affecting just 13,638 individuals. The average breach size was 1,638 individuals, and the median breach size was 892 individuals. There were no theft incidents, loss incidents, or improper disposal incidents in July, as was the case in June 2025. The most common location of breached protected health information was network servers, followed by email accounts, with just 6 breaches involving protected health information stored in other locations.

[Chart: Location of breached healthcare data - July 2025]

Affected HIPAA Regulated Entities

In July, large data breaches were reported by 37 healthcare providers (3,700,390 affected individuals), 10 business associates (696,727 affected individuals), and one health plan (783 affected individuals). Under HIPAA, it is ultimately the responsibility of each covered entity to ensure the requirements of the HIPAA Breach Notification Rule are met, and some covered entities report breaches that occur at business associates. Many healthcare data breach reports are based on the reporting entity, rather than the entity that suffered the data breach. The charts below show where the breach occurred rather than the entity reporting the data breach.

[Chart: Data breaches at HIPAA-regulated entities in July 2025]

[Chart: Individuals affected by healthcare data breaches at HIPAA-regulated entities - July 2025]

Geographical Distribution of July 2025 Healthcare Data Breaches

HIPAA-regulated entities in 22 U.S. states reported data breaches in July. Florida was the worst-affected state with 9 entities reporting data breaches, although three of those reports were about the same incident, which affected multiple skilled nursing facilities. Texas was the second-worst affected state with 4 data breaches, followed by California, Massachusetts & Michigan, which each had three breaches.

| State | Data Breaches Reported |
| --- | --- |
| Florida | 9 |
| Texas | 4 |
| California, Massachusetts & Michigan | 3 |
| Georgia, Illinois, New York, Ohio, South Carolina, Virginia & Washington | 2 |
| Colorado, Connecticut, Louisiana, Maryland, North Carolina, Pennsylvania, Rhode Island, Tennessee, Wisconsin & West Virginia | 1 |

In terms of affected individuals, Maryland topped the list with 1,905,000 individuals affected by a single data breach, followed by Virginia with 1,421,658 individuals affected by two data breaches. Florida was the third-worst-affected state, with 328,471 individuals affected by its 9 data breaches.

HIPAA Enforcement Activity in July 2025

It has been a busy year of HIPAA enforcement, with 18 settlements and civil monetary penalties announced by OCR up to July 31, 2025. Based on the announcements so far, 2025 looks set to be a record-breaking year for HIPAA penalties.

In October 2024, OCR announced a new enforcement initiative looking at compliance with the risk analysis provision of the HIPAA Security Rule. OCR has targeted this HIPAA provision as it is the most commonly identified HIPAA Security Rule violation, and is a foundational requirement that arguably has the biggest impact on security posture. Two enforcement actions were announced in July, both of which resolved risk analysis failures.

Deer Oaks – The Behavioral Health Solution was investigated over an August 2023 ransomware attack that involved the exfiltration of files containing the protected health information of 171,871 individuals. OCR determined that there had been an impermissible disclosure of patients’ electronic protected health information, and Deer Oaks was unable to provide evidence to show that a thorough and accurate risk analysis had been conducted. The case was settled with a $225,000 penalty and a corrective action plan.

Syracuse ASC (Specialty Surgery Center of Central New York) was investigated over a 2021 ransomware attack that exposed the data of 24,891 current and former patients. Syracuse ASC was unable to provide evidence to show that it had ever conducted a risk analysis to identify risks and vulnerabilities to protected health information. Further, the data breach was identified on March 31, 2021, but OCR and the affected individuals were not notified for six and a half months, four and a half months later than the maximum reporting time under the HIPAA Breach Notification Rule. The case was settled with a $250,000 financial penalty and a corrective action plan. Across the 18 HIPAA penalties in 2025, OCR has collected $7,860,566 to resolve alleged violations of the HIPAA Rules.

Mower County, MN Confirms HIPAA-Data Compromised in June Ransomware Attack

Data breaches have recently been announced by Mower County in Minnesota, Seasons Living in Oregon, Dr. Doug’s Pediatric Dentistry in Utah, and Provail in Washington State.

Mower County, Minnesota

Officials in Mower County, Minnesota, have confirmed that HIPAA-protected data was acquired by hackers in a June 2025 ransomware attack. The ransomware attack was identified on June 18, 2025, and an investigation is underway to determine the types of data involved and the individuals affected. The stolen data related to individuals who have previously received services from the County Health and Human Services Department.

Individual notification letters will be mailed to the affected individuals when the investigation is concluded, and County officials have confirmed that complimentary credit monitoring and identity theft protection services will be provided. In the meantime, anyone who has previously received services from the Health and Human Services Department has been advised to be vigilant against identity theft and fraud by reviewing their account statements, explanation of benefits statements, and free credit reports.

Seasons Living

Seasons Living, an assisted living facility in Lake Oswego, Oregon, has disclosed a security incident involving the theft of sensitive data. The security breach was identified on March 4, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network and acquired files containing information related to its vendors, applicants, tenants, owners, and current and former employees.

In a press release about the incident, Seasons Living CEO Eric Jacobsen said the incident has been fully contained, unauthorized access to its network has been blocked, and additional security measures have been implemented to prevent similar incidents in the future. He also confirmed that complimentary credit monitoring services are being provided to all affected individuals.

The press release does not mention the types of data involved; however, a hacker has taken credit for the attack and claims to have stolen information such as names, addresses, birthdates, Social Security and driver’s license numbers, health insurance information, medical records, and financial information. The data breach is not currently listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Dr. Doug’s Pediatric Dentistry

Dr. Doug’s Pediatric Dentistry in Logan, Utah, has recently announced a data security incident that was detected in September 2024. Unusual activity was identified in an employee’s email account. The password was reset, and an investigation was launched, which confirmed that the breach was confined to a single email account and no other systems were affected.

The account was reviewed to determine whether any patient information was present, and contact information was verified to allow notification letters to be mailed. Those processes were concluded in June 2025. The information potentially compromised in the incident includes names, dates of birth, diagnosis or dental treatment information, and Medicaid numbers/health insurance information. A very limited number of patients also had their Social Security numbers and/or driver’s license numbers exposed. The incident has been reported to regulators, although it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

Provail

Provail, a nonprofit provider of disability services in Washington State, has recently disclosed a cybersecurity incident that was detected on or around June 8, 2025. Suspicious network activity was identified, and the forensic investigation confirmed that an unauthorized actor had access to its network between June 7, 2025, and June 9, 2025, and viewed or acquired files containing sensitive client data.

The investigation and file review are ongoing; however, it has been confirmed that the data compromised in the incident included names in combination with one or more of the following: diagnosis/condition information, lab results, medications, other treatment information, addresses, dates of birth, driver’s license numbers, Social Security numbers, other identifying information, claims information, credit card numbers, bank account numbers, and other financial information.

Individual notification letters will be mailed to the affected individuals when the investigation and file review are concluded. The OCR breach portal includes a placeholder figure of at least 501 affected individuals.

The post Mower County, MN Confirms HIPAA-Data Compromised in June Ransomware Attack appeared first on The HIPAA Journal.

Business Associate Data Breach Affects 87 Skilled Nursing Facilities

Fundamental Administrative Services, LLC, a healthcare management services company in Sparks, Maryland, that manages more than 85 skilled nursing facilities and rehabilitation centers in Indiana, Maryland, Nevada, New Mexico, South Carolina, Texas, and Wisconsin, has confirmed that the protected health information of 56,235 individuals has potentially been compromised in a cyberattack.

Suspicious network activity was identified on or around January 13, 2025, and immediate action was taken to secure its systems and contain the incident. A forensic investigation was launched to determine the nature and scope of the activity, which confirmed unauthorized access to its network for around two and a half months from October 27, 2024, to January 13, 2025. During that time, files were exfiltrated from the network that contained HIPAA-protected data.

The file review confirmed that the information compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, financial account information, medical treatment information, health insurance information, and Medicare/Medicaid plan names. Fundamental Administrative Services said it is reviewing its policies, procedures, and processes related to the storage of and access to information.

The data breach was initially reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals, but has been updated now that the file review has concluded. The skilled nursing facilities and rehabilitation centers affected by the incident are listed in the table below:

| Affected Facilities | | |
|---|---|---|
| Alamo Heights Health and Rehabilitation Center | Harmon Hospital | Restore Health Rehabilitation Center |
| Allegany Health Nursing and Rehabilitation | Hearthstone of Northern Nevada | Retama Manor Nursing Center/Victoria South |
| BellTower Health & Rehabilitation Center | Hillside Heights Rehabilitation Suites | Riverside Health and Rehab |
| Bennettsville Health & Rehabilitation Center | Horizon Health & Rehab Center | San Gabriel Rehabilitation and Care Center |
| Berlin Nursing and Rehabilitation Center | Horizon Specialty Hospital of Henderson | Sandy Lake Rehabilitation and Care Center |
| Bremond Nursing and Rehabilitation Center | Horizon Specialty Hospital of Las Vegas | Sedona Trace Health and Wellness |
| Bridgecrest Rehabilitation Suites | Julia Manor Nursing and Rehabilitation Center | Sierra Ridge Health and Wellness Suites |
| Brownfield Rehabilitation and Care Center | Kirkland Court Health and Rehabilitation Center | Solidago Health and Rehabilitation |
| Calhoun Convalescent Center | Lake Emory Post Acute Care | Southpointe Healthcare and Rehabilitation |
| Canton Oaks | Lancaster Health and Rehabilitation | Spanish Hills Wellness Suites |
| Casa Arena Blanca Nursing Center | Las Brisas Rehabilitation and Wellness Suites | Spanish Trails Rehabilitation Suites |
| Casa Maria Health Care Center and Pecos Valley Rehabilitation Suites | Las Ventanas de Socorro | St. George Healthcare Center |
| Cedar Pointe Health and Wellness Suites | Los Arcos del Norte Care Center | Sterling Oaks Rehabilitation |
| Central Desert Behavioral Health Hospital | Magnolia Manor of Greenville | Sunset Villa Care Center |
| College Park Rehabilitation Center | Magnolia Manor of Greenwood | Terra Bella Health and Wellness Suites |
| Corinth Rehabilitation Suites on the Parkway | Magnolia Manor of Inman | The Brazos of Waco |
| Courtyards at Pasadena | Magnolia Manor of Rock Hill | The Casitas at Las Brisas ALF |
| Creekside Terrace Rehabilitation | Magnolia Manor of Spartanburg | The Hillcrest of North Dallas |
| Crimson Heights Health & Wellness ALF | Meadowbrook Care Center | The Pavilion at Creekwood |
| Crimson Heights Health and Wellness | Midlands Behavioral Health Hospital | The Pavilion at Glacier Valley |
| Crosbyton Nursing and Rehabilitation Center | Midlands Health & Rehabilitation Center | The Terrace at Denison |
| Devlin Manor Nursing and Rehabilitation Center | Mira Vista Court | The Village at Richardson |
| Edgewood Rehabilitation and Care Center | Monarch Pavilion Rehabilitation Suites | Valley Falls Terrace |
| Fairfield Nursing and Rehabilitation Center | Moran Nursing and Rehabilitation Center | Villa Haven Health and Rehabilitation Center |
| Falcon Ridge Rehabilitation | North Las Vegas Care Center | Villa Rosa Nursing and Rehabilitation |
| Forest Haven Nursing and Rehabilitation Center | Northampton Manor Nursing and Rehabilitation Center | Willow Springs Health & Rehabilitation Center |
| Founders Plaza Nursing & Rehab | Oakbrook Health and Rehabilitation Center | Woodlands Place Rehabilitation Suites |
| Fruitvale Healthcare Center | Oakland Nursing and Rehabilitation Center | |
| Green Valley Health and Wellness Suites | Physical Rehabilitation and Wellness Center of Spartanburg | |
| Hallmark Healthcare Center | Rehab Center of Cheraw | |


Cyberattack on Medical Equipment Provider Affects 90,000 Patients

Data breaches have been announced by medical equipment provider CPAP Medical Supplies and Services, a Miracle Ear franchisee, and a 20-bed critical access hospital in Washington State.

CPAP Medical Supplies and Services Inc.

CPAP Medical Supplies and Services Inc. (CPAP Medical) has announced a major data breach, potentially involving unauthorized access to the personal and protected health information of up to 90,133 patients. CPAP Medical is a Jacksonville, FL-based medical equipment provider that specializes in sleep therapy products for military families and active duty/retired service members. According to the breach notice provided to the Maine Attorney General, hackers had access to its network between December 13, 2024, and December 21, 2024, and files containing sensitive data may have been viewed or exfiltrated from its network.

After its systems were secured, a forensic investigation was conducted, followed by a document review to determine the types of data involved and the individuals affected. The document review was complex and took until June 27, 2025, to complete, when it was confirmed that the compromised data included full names, dates of birth, Social Security numbers, financial and banking information, medical information, and health insurance information. CPAP Medical is unaware of any misuse of patient data as a result of the incident; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Health Services LLC (Miracle Ear)

Health Services LLC has started notifying individuals affected by a security incident that was identified on or around January 28, 2025. Suspicious network activity was detected, and the forensic investigation confirmed that an unauthorized actor had breached its security defenses and had access to its network between January 2, 2025, and January 28, 2025.

Health Services LLC operates a franchise of Miracle Ear, and the data relates to individuals who interacted with the company concerning hearing aid products. On or around May 14, 2025, the data review was completed and confirmed that the exposed data included full names, phone numbers, email addresses, postal addresses, dates of birth, patient ID numbers, Social Security numbers, health insurance information, and diagnosis and treatment information.

The data breach was initially reported to the HHS’ Office for Civil Rights in April as an incident affecting 2,400 individuals; however, the breach portal has since been updated to 75,906 affected individuals.

East Adams Rural Healthcare

East Adams Rural Healthcare, the operator of a 20-bed critical access hospital in Ritzville, Washington, has recently notified the Washington State Attorney General about a data breach that has affected 8,896 state residents. Suspicious network activity was identified on September 12, 2024, and an investigation was launched to determine the cause of the activity.

Forensic evidence was found to indicate its network had been accessed by an unauthorized third party between September 7, 2024, and September 14, 2024, and patient data may have been viewed or acquired. East Adams Rural Healthcare published a substitute notice on its website about the incident on October 4, 2025; however, at the time, the investigation and data review were ongoing, so it was not possible to confirm how many individuals were affected or the specific information involved.

The file review has now been completed, and it has been confirmed that the compromised information included names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information. No evidence has been found to indicate that any patient data has been misused; however, as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.
