HIPAA Breach News

Community Health Center of Buffalo & Greenbaum Rowe Smith & Davis Confirm Data Breaches

Data breaches have been announced by Community Health Center of Buffalo in New York and the New Jersey law firm Greenbaum Rowe Smith & Davis.

Community Health Center of Buffalo, New York

Community Health Center of Buffalo (CHCB) in New York has identified a cybersecurity incident in which sensitive data was potentially accessed or acquired. Suspicious activity was identified within its computer network on April 21, 2026. Assisted by digital forensics experts, unauthorized network access was confirmed between April 20 and April 21, 2026.

The files are currently being reviewed to determine the types of data involved and the affected individuals. That process is ongoing; however, CHCB reports that the types of data likely involved includes names in combination with one or more of the following: address, date of birth, Social Security number, driver’s license, medical information such as diagnoses, treatment information, prescriptions/medications, treatment locations, lab results, medical record numbers, provider names, patient medical histories, and health insurance information

Data privacy and security practices are being reviewed, and steps are being taken to improve security. Credit monitoring and identity theft protection services will be made available. The data breach has been reported to the HHS’ Office for Civil Rights using an interim total of at least 501 affected individuals. The total will be updated when the investigation and file review are concluded.

Greenbaum Rowe Smith & Davis, New Jersey

Greenbaum Rowe Smith & Davis LLP, a New Jersey-based law firm, has started notifying 12,801 individuals about a breach of their protected health information. The practice provides legal services to healthcare practices in the state of New Jersey, which require access to certain patient data. The practice has confirmed that it experienced a cybersecurity incident involving unauthorized access to systems containing the data of patients of Atlantic Health System, Hackensack Meridian Health, and Trinitas Regional Medical Center.

Data exposed in the incident included names, Social Security numbers, medical information, health insurance information, and other personal data. At the time of issuing notifications, the practice was unaware of any public release of the impacted data. The practice is offering the affected individuals complimentary credit monitoring and identity theft protection services and has taken steps to improve security to prevent similar incidents in the future.

The post Community Health Center of Buffalo & Greenbaum Rowe Smith & Davis Confirm Data Breaches appeared first on The HIPAA Journal.

May 2026 Healthcare Data Breach Report

Based on the current data on the HHS’ Office for Civil Rights (OCR) breach portal, 61 healthcare data breaches affecting 500 or more individuals were reported in May 2026. May’s current total represents a 27.1% month-over-month increase in data breaches. Over the past 12 months, an average of 64 large healthcare data breaches were reported each month.

Healthcare data breaches in the past 12 months - May 2026

From January 1, 2026, to May 31, 2026, 319 data breaches affecting 500 or more individuals have been reported to OCR. This time last year, the total stood at 342 large data breaches.

HEalthcare data breaches - January 1 - May 31 - 2022-2026

While data breaches increased from April, the number of affected individuals fell by 34.8% to 879,447 individuals. In May, an average of 14,417 individuals were affected by healthcare data breaches, down from an average of 28,116 individuals in April. Over the past 12 months, an average of 10.6 million individuals have been affected by healthcare data breaches each month.

Individuals affected by healthcare data breaches in the past 12 months - May 2026

Data breaches are down slightly year-over-year, but there has been a massive reduction in the number of affected individuals. Very large data breaches have not been reported to OCR in the numbers seen in previous years. From January 1, 2026, to May 31, 2026, across the 319 data breaches, at least 21,085,405 individuals have been affected. The OCR breach portal shows that from January 2025 to May 2025, 33,116,809 individuals were affected by data breaches.

Individuals affected by healthcare data breaches - jan 1 - May 31, 2022-2026

Biggest Healthcare Data Breaches of May 2026

In May 2026, 17 data breaches affecting 10,000 or more individuals were reported to OCR, all of which were hacking incidents. The biggest data breach of the month was reported by Radiology Associates of Richmond, affecting more than 266,000 individuals, followed by a hacking incident at Western Orthopaedics which affected more than 113,000 individuals.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
Radiology Associates of Richmond VA Healthcare Provider 266,183 Hacking incident
Western Orthopaedics, P.C. CO Healthcare Provider 113,330 Hacking incident
ERMI LLC GA Healthcare Provider 74,074 Hacking incident
Singing River Health System MS Healthcare Provider 53,888 Hacking incident
Southern Illinois Ob-Gyn Associates, S.C. IL Healthcare Provider 38,700 Hacking incident
Gastro Health FL Healthcare Provider 35,632 Unauthorized access to email accounts
Eyemart Express, LLC TX Healthcare Provider 25,000 Hacking incident
Connecticut Department of Social Services CT Health Plan 22,500 Unauthorized access to provider portal website
Bridle Trails Family Dentistry WA Healthcare Provider 20,976 Unauthorized access to email account
Community Connections DC Healthcare Provider 18,943 Ransomware attack (INCRansom)
Virta Medical PC CO Healthcare Provider 14,636 Hacking incident (Lapsus$)
Saurabh N. Patel, M.D – Florida Retina Center LA Healthcare Provider 13,652 Hacking incident
Greenbaum Rowe Smith & Davis LLP NJ Business Associate 12,801 Hacking incident
Wellpoint Washington, Inc. IN Health Plan 12,020 Unauthorized access to email account
Defense Health Agency (TriWest) VA Health Plan 11,848 Hacking incident
IKRON Corporation OH Healthcare Provider 11,845 Hacking incident
Elara Caring TX Healthcare Provider 10,490 Hacking incident at third-party vendor

May’s total number of affected individuals may increase considerably over the coming weeks and months, as healthcare organizations complete their data breach investigations. HIPAA-regulated entities have 60 days from the date of discovery of a data breach to issue notifications to the HHS’ Office for Civil Rights and the affected individuals. HIPAA requires OCR to be notified even if the total number of individuals has yet to be determined by the 60-day deadline. In such cases, an estimate should be provided. Many regulated entities use a placeholder estimate of 500 or 501 individuals in such cases, and in May, 7 regulated entities appear to have used these placeholder figures.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
United Medical Doctors CA Healthcare Provider 501 Hacking/IT Incident
NJ Pain Care Specialists, LLC NJ Healthcare Provider 501 Hacking/IT Incident
Palomar Health Medical Group CA Healthcare Provider 501 Hacking/IT Incident
Aroostook Mental Health Center ME Healthcare Provider 501 Hacking/IT Incident
Campbell University NC Healthcare Provider 500 Hacking/IT Incident
BAYADA Home Health Care, Inc. NJ Healthcare Provider 500 Hacking/IT Incident
Integrated Pain Associates TX Healthcare Provider 500 Hacking/IT Incident

Causes of May 2026 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in May, as has been the case each month for several years. Out of the month’s 61 large healthcare data breaches, 54 were classed as hacking/IT incidents – 88.5% of the month’s data breaches. Across those incidents, the protected health information of 853,532 individuals was compromised- 88.5% of the month’s total affected individuals. On average, hacking/IT incidents affected 15,806 individuals in May, with a median breach size of 3,619 individuals.

Causes of May 2026 healthcare data breaches

There were 7 data breaches classed as unauthorized access/disclosure incidents, representing 11.5% of the month’s breaches. Across those incidents, the protected health information of 25,915 individuals was unlawfully accessed or disclosed. On average, 3,702 individuals were affected by each incident in May. The median breach size was 3,086 individuals. There were no reported theft, loss, or improper disposal incidents in May.

Given the large number of hacking incidents, it is no surprise that the most common location of breached protected health information was network servers. Email incidents were also reported in high numbers.

Location of breached PHI in May 2026 healthcare data breaches

States Affected by May 2026 Healthcare Data Breaches

Large healthcare data breaches were reported by HIPAA-regulated entities in 26 U.S. states and the District of Columbia. California was the worst affected state with 6 breaches.

State Breaches
California 6
Florida, New Jersey, New York, North Carolina, Ohio, Texas & Virginia 4
Colorado 3
Indiana, Maine, Michigan, Pennsylvania, South Carolina & the District of Columbia 2
Arizona, Connecticut, Georgia, Illinois, Iowa, Louisiana, Massachusetts, Mississippi, Oregon, Tennessee, Washington & Wisconsin 1

In terms of affected individuals, Virginia topped the list with almost 300,000 state residents affected.

State Individuals Affected State Individuals Affected
Virginia 290,254 Louisiana 13,652
Colorado 128,661 Pennsylvania 7,095
Georgia 74,074 South Carolina 6,946
Mississippi 53,888 Iowa 6,666
Florida 44,649 Michigan 6,456
Texas 40,045 California 5,303
Illinois 38,700 North Carolina 4,949
Ohio 28,540 Massachusetts 3,086
Connecticut 22,500 Maine 3,024
Washington 20,976 Oregon 2,856
District of Columbia 20,014 Arizona 2,316
New York 19,674 Tennessee 1,807
Indiana 17,325 Wisconsin 1,080
New Jersey 14,911

Data Breaches at HIPAA -Regulated Entities

In May 2026, 42 data breaches were reported by healthcare providers, 9 breaches were reported by health plans, and 10 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.

The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 22 of the 61 breaches (rather than 10) occurred at business associates in May.

May 2026 data breaches at HIPAA-regulated entities

Individuasl affected by data breaches at HIPAA-regulated entities in May 2026

HIPAA Enforcement Activity in May 2026

No enforcement actions were announced by OCR or state attorneys general in May.

The post May 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

California Gay & Lesbian Services Center Data Breach Affects 75,500 Individuals

Gay & Lesbian Community Services Center of Orange County, California, a provider of mental health, HIV testing, education and outreach, has identified unauthorized access to its network and the exposure of the personal and protected health information of up to 75,532 individuals.

Suspicious network activity was identified on or around December 26, 2025, and third-party cybersecurity experts were engaged to investigate the incident. They confirmed that there had been unauthorized access to the network from December 25 to December 26, 2025, and files containing sensitive information may have been viewed or acquired.

The review of the impacted data was completed on May 6, 2026, when it was confirmed that the following types of information were stored on the compromised parts of the network: full names, dates of birth, Social Security numbers, diagnosis information, prescription information, medical histories and treatment information, medical record numbers, health insurance information, driver’s license numbers, government identification numbers, state identification numbers, passport numbers, taxpayer identification numbers, financial account information, biometric identifiers, financial account information, and payment card information. The types of information involved varied from individual to individual.

Gay & Lesbian Community Services Center of Orange County said it is committed to maintaining the privacy of personal information in its possession and continually evaluates and modifies its security practices to enhance data privacy and security. The affected individuals have been advised to remain vigilant and monitor their account statements and free credit reports for suspicious activity. The website breach notice makes no mention of free credit monitoring or identity theft protection services.

Alta Orthopaedics

Alta Orthopaedics, a Santa Barbara, CA-based orthopedics practice with six locations in Santa Barbara, Santa Maria, Solvang, and Oxnard, has started mailing notification letters to patients affected by a recent security incident.

On March 10, 2026, the practice identified suspicious activity within its computer network. The forensic investigation determined that there had been unauthorized access to certain information on its network between February 3, 2026, and February 6, 2026. The review of the exposed files confirmed that they contained personal and protected health information such as names, addresses, phone numbers, Social Security numbers, driver’s license/state ID numbers, birth dates, billing codes, dates of service, reasons for visits, treatment costs, provider names, diagnoses, treatment information, clinical information, treatment location, medical record numbers, patient account numbers, and health insurance information.

The incident was reported to law enforcement, policies and procedures related to data privacy and security have been reviewed, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Regulators have been notified; however, the number of affected individuals has yet to be publicly disclosed.

Lake Region Healthcare

Lake Region Healthcare, a nonprofit rural health system based in Fergus Falls, Minnesota, has notified individuals affected by a recent cybersecurity incident. Unauthorized access to its network was first identified on May 19, 2025. Law enforcement was notified, and an investigation was launched to determine the nature and scope of the unauthorized activity.

No evidence was found to indicate any unauthorized access to electronic medical records; however, files containing patient information may have been viewed or acquired on or around May 19, 2025. It has taken more than a year to review the affected data. That process was completed on June 5, 2026, when it was confirmed that names were exposed, along with one or more of the following: date of birth, Social Security number, medical record number, patient account number, health insurance information, contact information, medical and/or treatment information, government-issued identification, and/or financial information.

Lake Region Healthcare said it is unaware of any actual or attempted misuse of that data; however, as a precaution, the affected individuals have been offered complimentary identity theft protection services. The scale of the breach has yet to be publicly disclosed, although according to notifications to state attorneys general, 294 Texas residents and 20 Massachusetts residents are among the affected individuals.

The post California Gay & Lesbian Services Center Data Breach Affects 75,500 Individuals appeared first on The HIPAA Journal.

Aitkin County Health and Human Services Data Breach Affects 81,000 Individuals

Aitkin County Health and Human Services in Minnesota has identified a breach of its email environment. Data breaches have also been confirmed by Decatur Diagnostic Laboratory in Alabama and Gem State Dermatology in Idaho.

Aitkin County Health and Human Services, Minnesota

Aitkin County Health and Human Services in Minnesota has identified a breach of its email environment. On April 8, 2026, an email account was found to be sending phishing emails. Immediate action was taken to secure its email system, and an investigation was launched to determine the scope of the breach. Assisted by third-party digital forensics experts, Aitkin County HHS determined that there had been unauthorized access to three employee email accounts between April 7, 2026, and April 8, 2026. The investigation confirmed that the contents of one of the accounts had been downloaded.

The accounts were reviewed and found to contain the protected health information of 83,114 individuals, including names, addresses, dates of birth, Social Security numbers, dates of service, locations of service, individual case identifying numbers, PMI numbers, medical or health information, diagnosis and/or treatment information, healthcare provider names, medications, health insurance identification numbers, information regarding the type and status of forms filed with MnCHOICES, the date forms were last modified, health insurance claims information and/or information related to services received by Aitkin County HHS. A report containing some of the above data types relating to individuals not associated with the County was also found in the email account.

Passwords have been changed, employees have received additional training on email cybersecurity practices, and efforts are continuing to raise awareness of phishing emails. The email retention policy has also been updated to reduce the impact of any future incidents, and additional cybersecurity measures and monitoring partnerships are being considered to strengthen security.

Decatur Diagnostic Laboratory, Alabama

Decatur Diagnostic Laboratory Inc., in Alabama, has recently reported a data breach to the HHS’ Office for Civil Rights using a placeholder estimate of at least 500 affected individuals. The clinical laboratory has added a breach notice to its website, which confirms that this was a hacking incident involving data exfiltration. The notice does not state when the breach was detected, or for how long the hacker had access to its network.

Decatur Diagnostic Laboratory has confirmed that the data exfiltrated in the attack included names in combination with one or more of the following: date of birth, Social Security number, driver’s license number, medical record number, and/or patient code. The affected individuals have been advised to remain vigilant against incidents of identity theft and fraud over the next 24 months. The notice does not mention free credit monitoring and identity theft protection services. While this was not confirmed as a ransomware attack, a ransomware group has claimed responsibility. The LockBit 5 group claims it exfiltrated data in the attack and added the lab to its dark web data leak site.

Gem State Dermatology, Idaho

Improper disposal incidents are the rarest category of data breach. The first such incident of the year to date affects Gem State Dermatology in Boise, Idaho. On July 8, 2026, patient documents containing HIPAA-protected data were found in a dumpster three miles from the dermatology practice. A member of the public identified boxes of paperwork that appeared to be billing statements containing medical and personal information of patients of the dermatology practice. In addition to paperwork, what appeared to be thousands of microscope slides containing patient information, and presumably biological samples, were also found in the dumpster.

The material has now been collected by the practice, and an internal investigation has been launched to determine how the incident happened. At this early stage of the investigation, the practice is unable to confirm how any patients have been affected by the incident.

The post Aitkin County Health and Human Services Data Breach Affects 81,000 Individuals appeared first on The HIPAA Journal.

Drug and Alcohol Treatment Services Settles Data Breach Litigation

Drug and Alcohol Treatment Services, Inc., a Scranton, Pennsylvania-based provider of drug and alcohol addiction services, has agreed to settle class action litigation stemming from an October 2024 ransomware attack.

The attack resulted in the theft of the personal and protected health information of employees and patients. The HHS’ Office for Civil Rights was informed that 22,215 patients were affected. Data exposed or stolen in the incident included names, dates of birth, Social Security numbers, health insurance information, medical billing/claims information, patient account numbers, prescription/medication information, and diagnosis/treatment information.

Eight class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Leo Woytach, et al v. Drug and Alcohol Treatment Services, Inc. – in the Court of Common Pleas of Lackawanna County, Pennsylvania. The consolidated lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, and unjust enrichment. The defendant denies all claims and contentions in the lawsuit and maintains there was no wrongdoing.

Following negotiations about a potential settlement and a full day of mediation, settlement terms were agreed upon that were acceptable to all parties. By settling, all parties avoid the costs, distraction, burden, and risks of a trial and related appeals. The defendant will establish a $549,000 settlement fund, from which attorneys’ fees and expenses, settlement administration/notification costs, and service awards for the eight class representatives will be paid. The remainder will be used to pay benefits to the class members.

The settlement covers individuals who were notified about the data breach and provides cash payments to individuals who submit a valid claim. Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or a claim may be submitted for a pro rata cash payment. The value of the cash payments will be determined by the number of valid claims received.  In addition, class members qualify for a free 12-month membership to a medical data monitoring service.

The deadline for filing an objection and opting out of the settlement is August 25, 2026. Claims must be submitted by September 24, 2026, and the final fairness hearing has been scheduled for November 24, 2026.

June 9, 2025: Drug and Alcohol Treatment Services Facing Multiple Class Action Data Breach Lawsuits

A Pennsylvania non-profit provider of drug and alcohol addiction services is facing multiple class action lawsuits over an October 2024 ransomware attack. Drug and Alcohol Treatment Services, Inc. (DATS), based at 441 Wyoming Avenue in Scranton, PA, identified unauthorized access to its computer network on October 6, 2024. The forensic investigation confirmed that an unauthorized third party had access to the protected health information of 22,215 individuals between October 5 and October 6, 2024. Data compromised in the incident included patient names, dates of birth, medical histories, treatment information, health insurance information, medical claims information, billing information, Social Security numbers, and financial information.

The data breach was confirmed by DATS on December 5, 2024; however, notification letters were not sent to the affected individuals until May 2, 2025. DATS said it was unaware of any misuse of the stolen data at the time of issuing notification letters and offered the affected individual complimentary credit monitoring and identity theft protection services. The notification letters did not state the exact nature of the cyberattack; however, the Interlock ransomware group claimed responsibility for the attack and said 150 GB of data was stolen. The ransom was not paid, so the group published the stolen data on its data leak site. The group claims the leaked files include the personal data of employees and patients.

Currently, at least eight class action lawsuits have been filed against DATS over the data breach. The lawsuits make similar claims, including negligence for failing to protect its information technology systems and sensitive patient and employee data. The lawsuits claim the data breach could have been prevented if DATS had implemented reasonable security measures and adhered to industry-standard data security practices. The lawsuits also claim that DATS did not provide timely notifications to the affected individuals, who were informed that their sensitive data had been stolen seven months after the data breach. The lawsuits claim the notification delay deprived the plaintiffs and class members of the opportunity to take action to mitigate the harmful effects of the data breach. The lawsuits also assert claims of breach of confidence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and invasion of privacy.

The lawsuits seek class certification, a jury trial, damages, attorneys’ fees, reimbursement of legal costs and expenses, and injunctive relief, including an order from the court compelling DATS to implement measures to improve security.

The post Drug and Alcohol Treatment Services Settles Data Breach Litigation appeared first on The HIPAA Journal.

ERMI; McLeod Physician Associates; Centers for Dialysis Care Announce Data Breaches

Data breaches have been announced by the Georgia-based medical equipment company ERMI, McLeod Physician Associates in South Carolina, and the Centers for Dialysis Care in Ohio. More than 101,000 individuals have been affected by these three incidents.

ERMI LLC, Georgia

ERMI LLC, A Georgia manufacturer of medical equipment for orthopedic patients, has experienced a significant data breach involving unauthorized access to systems containing the electronic protected health information of 74,074 patients. Unauthorized access to its systems was identified on or around August 14, 2025. Assisted by third-party cybersecurity experts, ERMI determined that certain systems had been accessed by an unauthorized third party between February 15, 2025, and August 14, 2025, during which time files containing patient information may have been viewed or acquired.

An extensive manual review of the affected data was completed on or around April 17, 2026, and confirmed that the exposed data included names in combination with one or more of the following: Social Security number, driver’s license number, veteran identification number, passport number, username and password, email address with password and security question, date of birth, date of death, taxpayer/employer identification number, financial account information, payment card information, medical information, and health insurance information. The affected individuals have been notified and informed about the steps that can be taken to reduce the risk of data misuse, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were impacted.

McLeod Physician Associates Li, South Carolina

McLeod Physician Associates li, a Florence, SC-based healthcare group practice, has recently reported a data breach to the HHS’ Office for Civil Rights involving unauthorized access to the protected health information of up to 19,553 patients. The affected patients started to be notified about the incident on June 4, 2026. According to the substitute breach notice on the McLeod Health website, on March 5, 2026, a suspicious file was found on a Dillon Family Medicine server that was in the process of being decommissioned. An investigation was launched, which determined that an unauthorized party had accessed the server between October 17 and October 18, 2025.

The investigation confirmed that the incident was limited to the single server, and no McLeod Health systems were involved, including the practice’s current electronic medical record system. The server was reviewed and found to contain patient information such as names, dates of birth, Social Security numbers, and information related to patient care, which may have included diagnoses, medications, test results, medical images, treatment information, and health insurance information.

Steps have been taken to prevent similar incidents in the future, and the practice will continue to implement and evaluate enhanced safeguards. McLeod Health has confirmed that the affected server has been decommissioned and is no longer in use.

Centers for Dialysis Care, Ohio

Centers for Dialysis Care in Shaker Heights, Ohio, has identified a data security incident that potentially involved unauthorized access to the protected health information of up to 8,000 individuals.  Suspicious activity was identified within its computer network on or around March 20, 2026. Assisted by third-party cybersecurity experts, Centers for Dialysis Care confirmed on April 11, 2026, that there had been unauthorized access to its network, and files containing personal and protected health information had been accessed.

The personal and protected health information of current and former patients and employees was involved, including names, dates of birth, Social Security numbers, medical and health information, diagnostic and treatment information, health insurance information, and/or tax/financial information. Centers for Dialysis Care said additional security measures have been implemented to reduce the risk of similar incidents in the future.

The post ERMI; McLeod Physician Associates; Centers for Dialysis Care Announce Data Breaches appeared first on The HIPAA Journal.

Data Security Incidents Announced by Park Dental Research Corp; Wabi Sabi Behavioral Health Center

Employee data has been compromised in data security incidents at Park Dental Research Corporation in Oklahoma and Wabi Sabi Behavioral Health Center in Nebraska.

Park Dental Research Corporation

Park Dental Research Corporation, an Ardmore, OK-based dental implant company, has notified individuals about a security incident it experienced on or around April 29, 2026. The investigation confirmed that an unauthorized third party had access to systems containing information such as names, dates of birth, addresses, Social Security numbers, driver’s license numbers, bank account information, passports, and I-9 forms.

There has been no known misuse of the affected information; however, as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services, which include a $1,000,000 identity theft insurance policy. Notification letters were mailed to the affected individuals on June 24, 2026.

While ransomware was not mentioned in the notification letters, a ransomware group called Interlock took responsibility for the cyberattack and claimed to have exfiltrated 260 gigabytes of data from the company’s systems.

Wabi Sabi Behavioral Health Center

Hastings, NE-based Wabi Sabi Behavioral Health Center, a multidisciplinary mental health provider serving patients in South Central Nebraska, has identified unauthorized access to parts of its network containing employee payroll records. On June 15, 2026, an unauthorized third party gained access to a QuickBooks Online account using compromised credentials. The purpose of the attack was to make changes to employees’ account details in order to divert payments to attacker-controlled accounts. The unauthorized access was detected on the same day, and changes to payroll were identified.

While the affected accounts have been secured, employee information such as names, addresses, and Social Security numbers may have been viewed or copied. The affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services. No misuse of employee data has been identified as a result of the incident. The Nebraska Attorney General has been informed about the data breach, but the number of affected individuals has not been publicly disclosed.

The post Data Security Incidents Announced by Park Dental Research Corp; Wabi Sabi Behavioral Health Center appeared first on The HIPAA Journal.

North Los Angeles County Regional Center Notifies Individuals About November 2024 Ransomware Attack

North Los Angeles County Regional Center has started mailing notification letters to individuals affected by a November 2024 ransomware attack, and Midland Care Connection in Kansas has announced a March 2026 hacking incident.

North Los Angeles County Regional Center

North Los Angeles County Regional Center has started notifying individuals about a cybersecurity incident and data breach that was first identified 17 months ago on November 28, 2024. Suspicious activity was identified within its computer network, and the forensic investigation confirmed unauthorized access from November 20, 2024, to December 1, 2024.

North Los Angeles County Regional Center determined that sensitive data was exfiltrated from its systems before ransomware was used to encrypt files. The files exfiltrated from its systems included names, addresses, dates of birth, telephone numbers, Social Security numbers, passport numbers, driver’s license or other state-issued ID numbers, U.S. federal issued ID numbers, email addresses, usernames/passwords, financial account information, payment card information, health plan information, CI and patient ID numbers, medical record numbers, lab results, medications, physical and/or mental conditions, diagnosis and/or treatment information, prescription or medication information, treatment cost information, disability codes, certificate/license numbers, and certain other medical and health insurance-related information.

North Los Angeles County Regional Center said it first announced the incident on its website on January 6, 2025, to allow individuals to take steps to protect themselves against data misuse; however, it has taken time to review the affected data to allow notification letters to be issued. North Los Angeles County Regional Center said it implemented additional technical security measures shortly after the attack and is continuing to work with data security experts to further enhance the security of its systems. The Medusa ransomware group claimed responsibility for the attack, in which more than 600 gigabytes of data was allegedly stolen.

The incident is shown on the HHS’ Office for Civil Rights website as affecting 500 individuals. That is a placeholder figure, as the breach was reported to OCR on January 6, 2025, well before the investigation had concluded.  The total should be updated in the coming days, now that the data review has concluded.

Midland Care Connection

Midland Care Connection Inc., a Topeka, Kansas-based non-profit provider of patient care, hospice, and community health support services, has experienced a cybersecurity incident that may have resulted in the theft of sensitive data. Suspicious network activity was identified on March 31, 2026, and legal counsel and third-party digital forensics experts were engaged to investigate the activity. They confirmed network access by an unauthorized third party starting on March 30, 2026, and initiated a data review to determine the individuals affected and the types of information. The data review was completed on June 12, 2026.

The affected information varied from individual to individual and may have included names, birth dates, medical treatment information, medical health information, health insurance information, financial account information, and, for certain individuals, Social Security numbers. Data privacy and security policies have been reviewed and enhanced to reduce the risk of similar incidents in the future, and the affected individuals have been notified by mail and offered 12 months of complimentary single-bureau credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post North Los Angeles County Regional Center Notifies Individuals About November 2024 Ransomware Attack appeared first on The HIPAA Journal.

Almost 30,000 Texas Residents Affected by Data Breach at The Texas Hearing Institute

The Texas Hearing Institute has notified the Texas Attorney General about a data breach impacting more than 29, 000 state residents. Data breaches have also been announced by Family Health Centers of Southern Indiana, the Wisconsin Department of Health Services, and Stephen W. Brown & Radiology Associates of Augusta.

Texas Hearing Institute

The Texas Hearing Institute, a pediatric hearing center in Houston, Texas, has started notifying at least 29,498 individuals about a March 2026 cyberattack that resulted in unauthorized access to its network and the exposure of patients’ personal and health data.

Unauthorized network access was identified on March 20, 2026, and immediate steps were taken to contain the incident and secure its systems. Assisted by third-party digital forensics experts, the Texas Hearing Institute determined on April 22, 2026, that there had been unauthorized access to personal information on its systems. The data review confirmed that names, Social Security numbers, financial information, and medical records were compromised in the incident.

The affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. While the notification letters do not provide further information about the nature of the attack, this appears to have been a ransomware incident. The interlock ransomware group added the Texas Hearing Institute to its dark web data leak site in early April, claiming to have stolen 540 gigabytes of data. As such, the affected individuals should ensure that they take advantage of the free identity theft protection services being offered. The Texas Attorney General was informed that 29,498 Texas residents were affected. It is currently unclear how many individuals were affected in total.

Family Health Centers of Southern Indiana

Family Health Centers of Southern Indiana, a network of health centers in Jeffersonville, New Albany, Corydon, and Clarksville in Indiana, announced a data security incident on June 22, 2026, that may have resulted in unauthorized access to patient data.

Unauthorized network activity was identified on or around January 16, 2026. Its incident response plan was immediately initiated, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had access to parts of its network containing patient data, including names, dates of birth, contact information, demographic information, Social Security numbers, medical information, and health insurance information.

Family Health Centers of Southern Indiana has implemented additional technical safeguards, enhanced security measures, and updated its procedures related to data privacy and security. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved.

The data breach is not yet shown on the HHS’ Office for Civil Rights website; however, the Indiana Attorney General was informed that the protected health information of 7,037 Indiana residents was compromised in the incident. The Termine threat group took responsibility for the incident and added Family Health Centers of Southern Indiana to its dark web data leak site, including samples of the stolen data. The group claims to have exfiltrated around 250 gigabytes of data.

Stephen W. Brown & Radiology Associates of Augusta

Stephen W. Brown & Radiology Associates of Augusta have been affected by a data breach at their third-party billing vendor, MCBS, LLC. MCBS was provided with patient information as part of its contracted duties, and discovered on or around September 26, 2025, that an unauthorized third party had gained access to systems containing that information.

After an extensive forensic analysis, MCBS determined that its systems were accessed by an unauthorized third party between September 22 and September 26, 2025. Individuals affected by the incident may have had some or all of the following data stolen in the incident: name, address, date of birth, Social Security number, diagnosis, treatment information, mental or physical condition, medical history, health plan beneficiary number, health insurance policy number/subscriber identification number, and other health insurance information.

MCBS said it is unaware of any misuse of the affected data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. It is currently unclear how many patients of Stephen W. Brown & Radiology Associates of Augusta have been affected, or how many individuals were affected in total.

Wisconsin Department of Health Services

The Wisconsin Department of Health Services has recently reported a HIPAA breach to the HHS’ Office for Civil Rights that involved unauthorized access to the protected health information of 8,157 individuals. The affected individuals were Medicaid recipients who received benefits from the Wisconsin Supplementary Security Income program.

Letters were mailed to those individuals that contained personal and private information regarding an increase in their benefits. Some of those letters were inadvertently sent to outdated addresses. The error was identified on April 30, 2026, and further mailings to the incorrect addresses have been prevented. Up to 8,157 individuals were affected and have now been notified that their information may have been accessed by unauthorized individuals as a result of the error. Complimentary credit monitoring services have been offered to those individuals for 12 months.

The post Almost 30,000 Texas Residents Affected by Data Breach at The Texas Hearing Institute appeared first on The HIPAA Journal.