HIPAA Breach News

Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine

Centerwell, a provider of senior healthcare services in 30 U.S. states, has experienced a cyberattack and data breach. Lakeside Pediatric & Adolescent Medicine has recently notified individuals affected by an October 2024 data breach.

Centerwell

Centerwell, a Louisville, Kentucky-based provider of healthcare services to seniors, has recently reported a data breach to the Texas Attorney General that involved unauthorized access to patient information.

The scale of the breach is currently unclear, other than that the personal and protected health information of 4,618 Texas residents was compromised in the incident. The breach could be substantially larger, as Centerwell provides senior healthcare services in 30 U.S. states. The Texas Attorney General was informed on March 6, 2026, that data compromised in the incident includes names, addresses, dates of birth, and medical information. At the time of writing, the affected individuals have not been informed by mail, and no known threat group has publicly claimed responsibility for the incident.

This post will be updated when further information about the incident is released.

Lakeside Pediatric & Adolescent Medicine

Lakeside Pediatric & Adolescent Medicine (Lakeside), a Coeur d’Alene, Idaho-based healthcare provider, has started notifying patients about an October 2024 data security incident. Lakeside identified unauthorized access to its computer systems in late 2024. The forensic investigation confirmed that an unauthorized third party accessed its computer systems on November 1, 2024, and on December 15, 2024, Lakeside confirmed that there had been unauthorized access and potential acquisition of files containing patient information.

On January 1, 2025, Lakeside confirmed in a website breach notice that personal and protected health information had been compromised in the incident, although the data review was ongoing at that time. On or around December 26, 2025, Lakeside confirmed the data types involved, although the website notice has not been updated to state what those data types are.

In a breach notice submitted to the Washington Attorney General, Lakeside confirmed that single-bureau credit monitoring and identity theft protection services are being offered to the affected individuals, and that 1,314 Washington residents were affected. The incident has not yet been listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals in total have been affected.

The post Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine appeared first on The HIPAA Journal.

February 2025 Cyberattack Affected More Than 230K Bell Ambulance Patients

Bell Ambulance has confirmed that the protected health information of more than 230,000 patients was compromised in a February 2025 cyberattack. Data breaches have also been reported by Northwest Medical Homes in Oregon, and the New York plastic surgeon Alexes Hazen, MD.

Bell Ambulance, Wisconsin

Bell Ambulance, a Milwaukee, Wisconsin-based ambulance service, has notified the Maine Attorney General that a hacking incident identified in February 2025 has affected 237,830 individuals. Bell Ambulance detected unauthorized activity within its network on February 13, 2025. Third-party cybersecurity experts were engaged to investigate the data breach, and confirmed that the protected health information of 114,000 individuals had been compromised in the incident. Notification letters were sent to those individuals on April 18, 2025; however, the data review had not yet concluded.

It has taken a year to review all data potentially compromised in the incident. On January 15, 2026, additional individuals were notified that they had been affected, and the data review concluded on February 20, 2026. Additional notification letters were mailed on March 9, 2026. Data compromised in the incident included first and last names, birth dates, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information. Bell Ambulance has offered the affected individuals complimentary credit monitoring and identity theft protection services for 12 or 24 months as a precaution. Bell Ambulance said it is unaware of any misuse of the impacted data at the time of issuing notification letters.

Northwest Medical Homes, Oregon

Springfield, Oregon-based Northwest Medical Homes, LLC, has notified certain patients about a cybersecurity incident first identified on May 13, 2025. Third-party cybersecurity experts were engaged to help secure its systems, investigate the incident, and harden and enhance system security. The investigation confirmed that patients’ protected health information may have been compromised in the incident.

The breach notice submitted to the California Attorney General does not state what types of data were compromised in the incident, other than names and addresses. The individual notification letters state the exact types of data compromised for each patient.

Law enforcement has been notified, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 or 24 months as a precaution. Northwest Medical Homes said it was unaware of any data misuse at the time of issuing notifications. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Alexes Hazen, MD, PLLC, New York

Alexes Hazen, MD, PLLC, a New York-based board-certified plastic surgeon, has recently announced a cybersecurity incident and data breach. The practice learned about the incident on or around January 20, 2026, and started working with law enforcement and third-party cybersecurity experts to determine the nature and scope of the incident.

The investigation confirmed that an unauthorized third party accessed certain computer systems between June 23, 2025, and July 15, 2025, and may have exfiltrated a limited amount of patient data. The review of the affected data is ongoing, but it has been confirmed that the types of information compromised in the incident include names, dates of birth, demographic information, Social Security numbers, government-issued ID numbers, medical histories, conditions, procedure/diagnosis information, medical information, insurance information, payment information, and photographs.

Notification letters are being mailed to the affected individuals, and steps have been taken to harden security to prevent similar incidents in the future. The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals. The total will be updated when the file review is concluded.


Alabama Hospital Recently Informed About 2024 Data Breach

Jackson Hospital and Clinic in Montgomery, Alabama, has notified 14,485 individuals about a July 2024 data breach at one of its former vendors, the debt collection agency Nationwide Recovery Services.

Nationwide Recovery Services first identified suspicious activity within its computer network in July 2024. The forensic investigation confirmed that an unauthorized third party accessed its network between July 5, 2024, and July 15, 2024. Nationwide Recovery Services notified the affected HIPAA-regulated entity clients between February 2025 and March 2025; however, Jackson Hospital and Clinic said it was not informed that it was one of the affected clients until January 27, 2026. Notification letters started to be mailed to the affected individuals on February 27, 2026, more than 19 months after the data breach occurred.

Jackson Hospital and Clinic said the incident involved data provided to Nationwide Recovery Services to allow the company to perform its contracted duties. None of Jackson Hospital and Clinic’s information technology systems were affected. Data potentially compromised in the incident includes names, phone numbers, addresses, dates of birth, Social Security numbers, account information, health insurance information, and/or dates of service. Jackson Hospital and Clinic said it no longer uses Nationwide Recovery Services for debt recovery.

As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Due to the lengthy delay between the data breach and notification, the affected individuals should check their accounts and explanation of benefits statements for potential data misuse going back to July 2024, in addition to signing up for the complimentary credit monitoring services.

The total number of individuals affected by the Nationwide Recovery Services data breach is unknown. Nationwide Recovery Services reported the breach to the HHS’ Office for Civil Rights (OCR) on September 9, 2024, using a placeholder figure of at least 501 affected individuals. That total has not been updated since the initial breach report. Many clients chose to issue their own notifications about the data breach. Based on breach notifications to state attorneys general and OCR, the data breach affected more than 560,000 individuals.


PIH Health Notifies Patients About 2024 Hacking Incident

PIH Health, a healthcare provider serving patients in Orange County and the San Gabriel Valley in California, has started notifying patients affected by a December 2024 ransomware attack. The attack disrupted systems used by Downey Hospital, Good Samaritan Hospital, Whittier Hospital, as well as urgent care clinics, home health, hospice services, and physicians’ offices.

The ransomware attack was detected on December 1, 2024, and the forensic investigation confirmed that the threat actor had access to its network between November 14, 2024, and December 23, 2024. As detailed in our December 16, 2024, coverage below, the threat actor claimed to have exfiltrated around 2 terabytes of data in the attack, and claimed the data included around 17 million patient records. A ransom demand was issued, and some of the stolen data was leaked online. PIH Health learned of the hacker’s claims but said at the time that it was unable to verify the authenticity of the ransom note or the data theft claims.

PIH Health has been reviewing the exposed data with the help of third-party specialists, and on or around December 16, 2025, more than a year after the attack was detected, PIH Health confirmed that patient information was present in files on the compromised parts of its network, and the files may have been accessed or acquired by the threat actor.

PIH Health said its detailed review of the affected data was time-intensive, hence the time taken to complete the review. After obtaining the full list of affected individuals in December 2025, PIH Health worked to gather contact information to allow notification letters to be mailed. That process was completed on February 25, 2026, and individuals affected by the breach are now learning that their data was compromised in the attack.

PIH Health said the types of data involved vary from individual to individual and, at the time of issuing notification letters, no evidence has been found of any misuse or attempted misuse of the affected information. The breach included personally identifiable information and protected health information such as names, addresses, medical information, health insurance information, Social Security numbers, taxpayer identification numbers, driver’s license numbers, financial account information, and credit/debit card numbers. PIH Health has offered the affected individuals complimentary credit monitoring and identity theft protection services, and has taken steps to minimize the risk of similar incidents occurring in the future.

What has yet to be confirmed is the scale of the data breach. While there has been a claim that 17 million records were stolen, that claim may have been exaggerated, and if the claim is correct, those records may not relate to unique patients. The data breach is not yet showing on the HHS’ Office for Civil Rights website, and the California Attorney General does not publish details about the scale of a data breach. Most of the affected individuals are likely to reside in California, but we have confirmed that the Texas Attorney General has been notified that 8,434 Texas residents were affected.

Last year, the HHS’ Office for Civil Rights announced that it had agreed to a $600,000 settlement with PIH Health to resolve potential HIPAA violations related to a 2020 phishing attack that affected 189,763 individuals. OCR determined that the HIPAA Security Rule had been violated as PIH Health failed to conduct a comprehensive and accurate risk analysis, as well as the HIPAA Breach Notification Rule, as PIH Health failed to issue timely notifications to OCR, the affected individuals, and the media.

December 16, 2024: Hackers Claim to Have Stolen 17 Million Patient Records from PIH Health

The hacking group behind the cyberattack on the Californian healthcare provider PIH Health on December 1, 2024, claims to have exfiltrated a huge amount of sensitive data before encrypting files. If the hackers are to be believed, they exfiltrated 17 million patient records.

Southern California News Group obtained a copy of a ransom note that had allegedly been faxed to PIH Health. The hackers claimed to have exfiltrated around 2 terabytes of sensitive data in the attack. The note states that the stolen data includes 17 million patient records, data for more than 8.1 million “medical episodes” that include patients’ home addresses, cancer patients’ treatment records, private emails including test results and treatments, confidentiality agreements with employees, and around 100 active nondisclosure agreements between PIH Health and other medical organizations. The hackers also provided a link where screenshots of the stolen data had been uploaded.

Southern California News Group said no hacking group had claimed responsibility for the attack. PIH Health was unable to verify the authenticity of the ransom note or the data theft claims. The PIH website notice states, “PIH Health is working with cyber forensic specialists to assess the issue. Impacted individuals will be notified if protected health information is found to be compromised.”

Multiple systems were taken offline as a result of the incident, and phone lines were also disrupted. The phone system used by PIH Health’s Good Samaritan Hospital in Los Angeles was unaffected, and lines from its Whittier and Downey hospitals have been rerouted there. While the attack has caused major disruption to its computer systems, staff are working on downtime procedures, and care continues to be provided to patients, with patient data recorded manually; however, staff members are struggling with the additional workload that this creates, and delays are being experienced by patients.

PIH Health updated its website FAQ about the incident on December 13, 2024, but was still not able to provide a timeline on when its systems are likely to be restored. PIH Health said local police departments have been notified, and the Federal Bureau of Investigation (FBI) has been engaged and is involved in the criminal investigation. PIH Health said it is doing everything possible to rectify the situation.

Hackers have been known to exaggerate the extent of data theft, and even if 17 million records were stolen, there may be duplicate records in the dataset. If it turns out that 17 million current and former patients have been affected, this would be the second-largest data breach of the year, behind the 100-million-record data breach at Change Healthcare in February.


Two California Medical Groups Announce Data Breaches

Data breaches have recently been announced by two California medical groups – Valley Radiology Consultants Medical Group, which serves San Diego County, and Nephrology Associates Medical Group, which serves the Riverside and San Bernardino counties.

Valley Radiology Consultants Medical Group

Valley Radiology Consultants Medical Group in California has announced a security incident and data breach that was first identified on September 15, 2025. Immediate action was taken to secure its network, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized access to its network and files containing patient information. On February 18, 2026, the file review was concluded, and Valley Radiology Consultants Medical Group obtained the final list of individuals to notify.

There is currently no substitute data breach notice on its website, and the notice submitted to the California Attorney General has the types of data involved redacted. Individual notices include the types of information compromised in the incident. Valley Radiology Consultants Medical Group said it has changed passwords, enhanced systems security, and taken steps to reduce the risk of future harm. Notification letters are now being mailed, and the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months. The incident is not yet shown on the HHS’ Office for Civil Rights data breach portal, so it is currently unclear how many individuals have been affected.

Nephrology Associates Medical Group

Nephrology Associates Medical Group in California has started notifying patients about a cyberattack and data breach that was first identified on May 20, 2025. Nephrology Associates Medical Group identified suspicious activity within its network and took immediate action to secure its systems and prevent further unauthorized access. Assisted by third-party cybersecurity experts, Nephrology Associates Medical Group confirmed that an unauthorized third party had accessed its network and exfiltrated files, including files containing patient information.

The file review has recently been completed, and Nephrology Associates Medical Group has confirmed that names, dates of birth, Social Security numbers, medical/health information, diagnoses, treatment information, health insurance information, billing/payment information, and credentialing information were involved. The impacted data varies from individual to individual. The substitute data breach notice makes no mention of credit monitoring and identity theft protection services.

Nephrology Associates Medical Group has taken several steps in response to the data breach to strengthen security, including enforcing stronger password requirements, mandating more frequent required password changes, reducing access permissions, and switching to offline storage of older data. The incident is not yet shown on the HHS’ Office for Civil Rights data breach portal, so it is currently unclear how many individuals have been affected.


Insight Hospital and Medical Center Announces Cyberattack & Data Breach

Data breaches have been announced by Insight Hospital and Medical Center in Chicago and Community Health Action of Staten Island. BlueCross BlueShield of Tennessee has confirmed it was one of the healthcare organizations affected by the Conduent Business Services data breach.

Insight Hospital and Medical Center

Insight Hospital and Medical Center in Chicago has announced a data security incident that was first identified in September 2025. Unusual activity was identified within its IT environment, and the forensic investigation confirmed unauthorized access to its network between August 22, 2025, and September 11, 2025.

The data review is ongoing to determine the individuals affected and the data involved; however, the likely information compromised in the incident may include names, dates of birth, Social Security numbers, passport numbers, financial account information, treatment-related information, and health insurance information. Notification letters will be mailed to the affected individuals when the data review is completed.

Two threat groups have claimed attacks on Insight Hospital and Medical Center. The LockBit5 group added the Chicago hospital and medical center to its data leak site on December 4, 2025, along with data allegedly stolen in the attack. LockBit claimed to have stolen “almost 200 gigabytes of medical secrets.” More recently, a group called Termite added Insight Hospital and Medical Center to its data leak site. Termite claims to have exfiltrated 360 GB of data in the attack and leaked the stolen data in late February 2026.

Community Health Action of Staten Island

Community Health Action of Staten Island, the operator of programs and social services for vulnerable individuals in Staten Island, New York, has notified certain individuals about a recent data security incident that may have involved unauthorized access and/or the theft of sensitive data.

The breach notice provided to the Massachusetts Attorney General on February 25, 2026, provides limited information about the incident, only confirming that names, Social Security numbers, driver’s license numbers/non-driver identification card numbers, bank account and routing numbers, medical information, and/or health insurance information were potentially impacted. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for two years.

The nature of the incident was not disclosed in the letters, but this appears to have been a ransomware attack by the Genesis ransomware group, which added Community Health Action of Staten Island to its dark web data leak site. Genesis claims to have exfiltrated around 200,000 records containing sensitive personal and medical data, including approximately 60,000 records from HIV-tested patient databases, HIPAA-covered data, and employee information.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, and Community Health Action of Staten Island has not confirmed how many individuals have been affected. The notice to the Massachusetts Attorney General only states that 2 state residents have been affected.

BlueCross BlueShield of Tennessee

BlueCross BlueShield of Tennessee has confirmed that some of its members have been affected by the data breach at business associate Conduent Business Services. The Conduent data breach is one of the largest healthcare data breaches ever discovered, with current figures indicating that more than 25 million individuals across the United States have been affected. A ransomware group gained access to its network on October 21, 2024, maintained access until January 13, 2025, exfiltrated data, and encrypted files.

Data compromised in the incident included names, Social Security numbers, medical information, and health insurance information. BlueCross BlueShield of Tennessee reported the breach to the HHS’ Office for Civil Rights as affecting 1,670 members.


January 2026 Healthcare Data Breach Report

The HHS’ Office for Civil Rights (OCR) healthcare data breach portal shows a slight month-over-month decline in large healthcare data breaches, which fell by 13.2% from December 2025 to 46 data breaches in January 2026.

Healthcare data breaches in the past 12 months - January 2026

The OCR breach portal lists healthcare data breaches affecting 500 or more individuals, which have been reported far less frequently during the past 5 months than in the first half of 2025. From September 2025 to January 2026, an average of 46.2 large data breaches were reported to OCR each month, compared to an average of 68.6 breaches per month in the preceding 5 months (April to August). Should this trend continue, 2026 could well see the lowest number of data breaches reported for several years.

We previously suggested that there may be a delay in adding data breaches to the OCR breach portal due to the government shutdown in late 2025, which lasted for 43 days between October 1 and November 12, 2025, during which time no healthcare data breaches were added to the OCR data breach portal. Since we last compiled breach data in January, a further two breaches have been added for October, and 7 data breaches for November. Since relatively few data breaches have been added for those months, it suggests that OCR has largely cleared the backlog of breach reports. The reason for the decline in large data breaches since September 2025 is unclear. Data breaches are also down compared to previous years, with this year’s total being the lowest January total since 2023.

January healthcare data breaches - 2022-2026

Across the 46 large healthcare data breaches reported in January, the protected health information of 1,441,182 individuals was exposed or impermissibly disclosed. While that represents a 178% increase in affected individuals compared to December 2025, January’s total is well below the 12-month average of 5,107,388 affected individuals per month, and it is the lowest January total since 2020.

Individuals affected by healthcare data breaches in the past 12 months - January 2026

In addition to reduced breach numbers, there has also been a reduction in data breach size over the past 5 months. In the 5 months from April 2025 to August 2025, 48.1 million individuals had their health information exposed or impermissibly disclosed in healthcare data breaches. During the following 5 months from September 2025 to January 2026, only 7.2 million individuals had data exposed or impermissibly disclosed, an 85% reduction from the preceding 5 months.

Individuals affected by January healthcare data breaches - 2022-2026

While the reduction in affected individuals is good news, two massive healthcare data breaches occurred last year at business associates of HIPAA-covered entities that are not yet reflected in the OCR breach data. A data breach at Trizetto Provider Solutions last year is now known to have affected at least 3.6 million individuals, and a far worse data breach was experienced by Conduent Business Services. According to breach reports to state Attorneys General, at least 25 million individuals were affected by that breach in Oregon and Texas alone. Given that Conduent operated in many U.S. states, the data breach is likely to have affected many more individuals, and it could rank as one of the top 3 healthcare data breaches of all time.

Biggest Healthcare Data Breaches Reported in January 2026

In January, 11 healthcare data breaches were reported to OCR that affected 10,000 or more individuals. Those 11 data breaches accounted for 92.5% of the affected individuals in January. While data breaches of 10,000 or more records are usually mostly due to hacking and other IT incidents, three of the four largest data breaches of the month were unauthorized access/disclosure incidents, and the top two breaches occurred at state Departments of Human Services.

The largest data breach was reported by the Illinois Department of Human Services, which exposed the protected health information of more than 700K state residents. A website created for internal use to help with resource allocation and decision-making was inadvertently made accessible over the public Internet. The second-largest data breach was reported by the Minnesota Department of Human Services, which affected more than 303K individuals. The breach involved unauthorized access to its MnChoices system, which is used by counties, Tribal Nations, and managed care organizations to support their assessment and planning work for state residents requiring long-term services and support. The system was accessed by a user associated with a licensed healthcare provider, who had no legitimate reason to access the data.

As the table below shows, ransomware groups continue to target the healthcare industry and were behind 6 of the top 11 data breaches in January.

| HIPAA-Regulated Entity | State | Covered Entity Type | Individuals Affected | Data Breach Cause |
|---|---|---|---|---|
| Illinois Department of Human Services | IL | Health Plan | 705,017 | An internal website was inadvertently accessible over the public internet |
| Minnesota Department of Human Services | MN | Health Plan | 303,965 | Unauthorized access to an internal resource by a user associated with a licensed healthcare provider |
| Clinic Service Corporation | CO | Business Associate | 82,331 | Hacking incident |
| LifeLong Medical Care | CA | Healthcare Provider | 70,000 | Hacking incident at business associate (Trizetto Provider Solutions) |
| Avosina Healthcare Solutions | VA | Business Associate | 44,425 | Ransomware attack (Qilin) |
| Wakefield & Associates, LLC | TN | Business Associate | 31,751 | Ransomware attack (Akira) |
| Jefferson-Blount-St. Clair Mental Health Authority | AL | Healthcare Provider | 30,434 | Ransomware attack (Medusa) |
| Mid Michigan Medical Billing Service, Inc. | MI | Business Associate | 28,185 | Ransomware attack (Qilin) |
| Pecan Tree Dental, PLLC | TX | Healthcare Provider | 13,300 | Ransomware attack (Sinobi) |
| Central Ozarks Medical Center | MO | Healthcare Provider | 11,818 | Hacking incident |
| 360 Dental PC | PA | Healthcare Provider | 11,273 | Ransomware attack |

The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to the OCR within 60 days of discovery. If the number of affected individuals is not known by the reporting deadline, an estimate of the number of affected individuals should be provided to OCR. It is common for estimates of 500 or 501 affected individuals to be used as placeholders in such cases. In January, three such breaches were reported. The number of affected individuals could be substantially higher for these data breaches.

| Regulated Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Precipio, Inc. | CT | Healthcare Provider | 501 | Hacking/IT Incident |
| Middlesex Sheriff’s Office | MA | Healthcare Provider | 501 | Hacking/IT Incident |
| Central Texas MHMR Center dba Center for Life Resource | TX | Healthcare Provider | 501 | Hacking/IT Incident |

Causes of January 2026 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports and were listed as the cause of 36 of the month’s 46 data breaches (78.3%). The protected health information of 343,359 individuals was exposed or stolen in those incidents. Atypically, the number of individuals affected by those incidents was relatively low, as they accounted for just 23.8% of the month’s breach victims. The average breach size was 9,810 individuals, and the median breach size was 3,722 individuals.

Causes of January 2026 healthcare data breaches

While there were only 10 unauthorized access/disclosure incidents in January (21.7%), those incidents accounted for 76.1% of the month’s breach victims. The average breach size was 109,700 individuals, and the median breach size was 3,188 individuals. One loss incident was reported involving the paper records of 821 individuals, but there were no theft or improper disposal incidents. The most common location of breached protected health information in January was network servers (30 incidents), followed by email accounts (8 incidents).

Location of breached PHI in January 2026 healthcare data breaches

HIPAA-Regulated Entities Affected by Data Breaches

The OCR breach portal data includes 36 data breaches reported by healthcare providers (236,462 affected individuals), 6 reported by business associates (190,015 affected individuals), and 4 reported by health plans (1,014,705 affected individuals).

When a data breach occurs at a business associate, it is ultimately the responsibility of each affected HIPAA-covered entity to ensure that the breach is reported in compliance with the HIPAA Breach Notification Rule. Covered entities may delegate the responsibility of reporting the data breach to the business associate, or they may choose to report the breach themselves.

That means that data breaches at business associates are often underrepresented in healthcare data breach reports. The charts below show where the data breaches occurred rather than the reporting entity. As you can see, there is a stark difference this month, as 21 of the month’s data breaches occurred at business associates of HIPAA-covered entities.

Healthcare data breaches at HIPAA-regulated entities in January 2026

Individuals affected by data breaches at HIPAA-regulated entities - January 2026

Geographical Distribution of Healthcare Data Breaches

In January, HIPAA-regulated entities in 24 U.S. states reported data breaches affecting 500 or more individuals. California topped the list with 8 data breaches, although 7 of those breach reports related to the same incident: the data breach at Trizetto Provider Solutions, which was a business associate or a subcontractor of the business associate OCHIN.

State Breaches
California 8
Maryland & Texas 4
Alabama & Indiana 3
Idaho, Illinois, Michigan, Oregon & Tennessee 2
Alaska, Colorado, Connecticut, Florida, Kentucky, Louisiana, Massachusetts, Minnesota, Missouri, New Jersey, New York, Pennsylvania, South Carolina & Virginia 1

While California topped the list for data breaches, Illinois and Minnesota were the worst-affected states in terms of affected individuals.

State Individuals Affected
Illinois 705,638
Minnesota 303,965
California 98,241
Colorado 82,331
Virginia 44,425
Alabama 39,287
Tennessee 33,092
Michigan 31,907
Texas 17,951
Missouri 11,818
Pennsylvania 11,273
Idaho 9,721
New Jersey 9,526
Maryland 8,134
Kentucky 7,990
South Carolina 7,020
Louisiana 6,530
New York 4,725
Oregon 2,781
Indiana 2,481
Florida 821
Alaska 523
Connecticut 501
Massachusetts 501

HIPAA Enforcement Activity in January 2026

Two enforcement actions were announced in January to resolve alleged violations of the HIPAA Rules. The HHS’ Office for Civil Rights announced a settlement with Top of the World Ranch Treatment Center to resolve an alleged HIPAA Security Rule violation. The behavioral healthcare provider was investigated over a phishing attack that exposed the protected health information of 1,980 individuals.

OCR determined that Top of the World Ranch Treatment Center had not complied with the risk analysis provision of the HIPAA Security Rule, which requires a comprehensive and accurate risk analysis to be conducted to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was resolved with a $103,000 financial penalty, and Top of the World Ranch Treatment Center agreed to adopt a corrective action plan. This was the 11th HIPAA case to be resolved with a financial penalty under OCR’s risk analysis enforcement initiative.

OCR Director Paula M. Stannard has confirmed that the risk analysis enforcement initiative will continue in 2026 and will be expanded to also cover risk management. The enforcement initiative targeting noncompliance with the HIPAA Right of Access will also continue this year.

The other penalty was imposed following an investigation by the Massachusetts Attorney General, in partnership with the Connecticut Attorney General. Comstar LLC, a Massachusetts-based ambulance billing and collections company, was investigated over a March 2022 cyberattack and data breach that affected 585,621 individuals.

The investigation determined that Comstar had violated the HIPAA Security Rule and the Massachusetts Data Security Regulations by failing to maintain an adequate Written Information Security Program (WISP). The case was resolved with a $515,000 financial penalty, which will be shared between the two states. The settlement also includes several cybersecurity requirements. Comstar had previously settled an OCR HIPAA investigation launched in response to the same data breach and paid a $75,000 financial penalty.

The post January 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Apex Spine & Neurosurgery & North Central Behavioral Health Systems Announce Data Breaches

Data breaches have been announced by Apex Spine & Neurosurgery in Georgia and North Central Behavioral Health Systems in Illinois.

Apex Spine & Neurosurgery

Apex Spine & Neurosurgery in Georgia has notified 2,500 individuals that some of their electronic protected health information has likely been stolen in a ransomware attack. Apex Spine & Neurosurgery said it learned on December 23, 2025, that a cyber threat actor had accessed its network and used ransomware to encrypt files. The forensic investigation confirmed that the cyber actor accessed its network and copied files on December 9, 2025; however, its electronic medical record system was not involved, as it is maintained in a logically separate computer environment.

The stolen files are still being reviewed; however, they contained information such as names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, other government identifiers, location of health services, dates of service, treatment or condition information, diagnosis/diagnosis codes, prescription information, history information, assigned physician names, health services payment information (such as financial account numbers without the security code, access code, or password needed to access an account), patient account numbers, and health insurance subscriber or identification numbers. The information copied in the attack varies from individual to individual. Apex Spine & Neurosurgery said it is evaluating further technical safeguards to better protect sensitive data on its network.

The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements for suspicious activity. While the ransomware group was not mentioned in the breach notice, the Interlock ransomware group claimed responsibility for the attack and said 20 GB of data was exfiltrated. Interlock proceeded to leak the stolen data as the ransom was not paid. Apex Spine & Neurosurgery said it was able to securely recover the encrypted data from backups.

North Central Behavioral Health Systems

North Central Behavioral Health Systems, a mental health and substance abuse treatment center with locations in La Salle and Ottawa, Illinois, has identified unauthorized access to an employee’s email account. Suspicious activity was identified in a single email account on or around December 2, 2025. The account was secured to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed that the breach was limited to a single email account. The account is currently being reviewed to determine the types of information involved and the individuals affected. Notification letters will be mailed to the affected individuals as soon as the review is concluded. Currently, no misuse of patient data has been identified; however, patients have been advised to remain vigilant against data misuse by monitoring their bank accounts and financial statements for suspicious activity. Email security has been enhanced in response to the incident, and complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

The post Apex Spine & Neurosurgery & North Central Behavioral Health Systems Announce Data Breaches appeared first on The HIPAA Journal.

Carolina Foot & Ankle Associates Notifies Patients About December 2025 Cyberattack

Cyberattacks and data breaches have been announced by the healthcare providers Carolina Foot & Ankle Associates, New Age Dermatology, and Marin Cancer Care.

Carolina Foot & Ankle Associates

The North Carolina podiatry practice, Carolina Foot & Ankle Associates, is notifying patients that some of their personal and protected health information was exposed in a December 2025 cybersecurity incident. The incident was detected on December 8, 2025, when it experienced a network disruption. Third-party cybersecurity experts were engaged to investigate the incident and confirmed that an unauthorized third party had accessed its network and exfiltrated files containing patient data.

The file review has recently been completed and confirmed that patient data had been compromised, including first and last names, phone numbers, dates of birth, medical record numbers, health insurance information, diagnostic/CPT codes, and dates of service. The types of data involved varied from individual to individual. Carolina Foot & Ankle Associates said Social Security numbers and financial information were not compromised in the incident, and there was no unauthorized access to its electronic medical record system.

When the breach was detected, immediate enhancements were made to security to prevent further data security incidents, and law enforcement was notified. As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The breach has been reported to the HHS’ Office for Civil Rights using a placeholder estimate of at least 501 affected individuals.

New Age Dermatology

New Age Dermatology LLC has notified the Massachusetts Attorney General about a ransomware attack that was identified on or around December 20, 2025. According to the notice, the ransomware attack affected an internal server, which has been rendered inoperable and inaccessible. Law enforcement has been notified, and an investigation has been launched, with assistance provided by third-party cybersecurity professionals.

At this stage of the investigation, New Age Dermatology has yet to determine the specific types of information involved or the number of individuals affected, but explained that the information likely compromised in the incident includes personal and protected health information typically found in patient records, such as names, dates of birth, medical and treatment information, diagnostic images, photographs, and Social Security numbers. New Age Dermatology has found no evidence to suggest that its electronic medical record system was compromised in the incident. At the time of writing, no ransomware group appears to have claimed responsibility for the attack.

New Age Dermatology is unaware of any data misuse, but as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Marin Cancer Care

Marin Cancer Care, a provider of cancer treatment in Larkspur, California, has alerted patients to an incident involving unauthorized access to its computer network. An intrusion was detected on or around December 8, 2025, and, assisted by third-party investigators, Marin Cancer Care learned that an unauthorized third party had access to its computer network between November 22, 2025, and December 6, 2025, during which time files containing patient information may have been viewed or acquired.

The investigation and file review are ongoing to determine the affected individuals and the types of information involved. Marin Cancer Care has confirmed that names, medical information, and health insurance information were likely involved. Patients have been advised to remain vigilant against incidents of identity theft and fraud by reviewing their account statements and monitoring their free credit reports for suspicious activity.

The post Carolina Foot & Ankle Associates Notifies Patients About December 2025 Cyberattack appeared first on The HIPAA Journal.