Ransomware groups have claimed responsibility for attacks on Advanced Family Surgery Center in Tennessee, Orem Eye Clinic in Utah, and Belmont Aesthetic & Reconstructive Plastic Surgery in Virginia/Washington D.C.

Surgery Center of Oak Ridge (Advanced Family Surgery Center)

Surgery Center of Oak Ridge, LLC, doing business as Advanced Family Surgery Center in Oak Ridge, Tennessee, has notified certain patients about a network intrusion first identified on or around November 26, 2025. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that certain parts of its network were accessed by an unauthorized third party who potentially viewed or acquired files containing patient information.

The files were reviewed and found to contain names, addresses, dates of birth, dates of service, health insurance information, medical diagnosis information, medical record numbers, Medicare/Medicaid numbers, patient account numbers, prescription/treatment information, provider names, and Social Security numbers. Additional security measures have been implemented to prevent similar incidents in the future, and policies and procedures with respect to data security are being reviewed.

This appears to have been a ransomware attack with data theft. The Genesis ransomware group, a financially motivated threat group that has attacked many healthcare providers, claimed responsibility for the attack and added Advanced Family Surgery Center to its dark web data leak site. Genesis claims to have exfiltrated 100 GB of data in the attack, including files containing patient information.

Orem Eye Clinic

Orem Eye Clinic in Orem, Utah, has notified individuals and the HHS’ Office for Civil Rights about a cybersecurity incident involving unauthorized access to parts of its network that contained the protected health information of approximately 5,800 patients. No substitute breach notice has been added to the Orem Eye Clinic website at the time of publication of this article, so the exact details, such as the types of data involved and the nature of the incident, have yet to be confirmed. Individuals receiving a notification letter should be aware that a ransomware group called Nightspire claimed responsibility for the attack and added Orem Eye Clinic to its dark web data leak site. The group claims to have exfiltrated 1 terabyte of data in the attack.

Belmont Aesthetic & Reconstructive Plastic Surgery

Belmont Aesthetic & Reconstructive Plastic Surgery, a cosmetic and reconstructive surgery practice with locations in Washington, D.C., and Virginia, has reported a data breach to the HHS’ Office for Civil Rights that has affected 528 individuals. While there is currently no website notice, and no other information has been released about the data breach so far, this appears to have been a ransomware attack. The Insomnia ransomware group added Belmont Aesthetic & Reconstructive Plastic Surgery to its dark web data leak site in early March 2026 and threatened to publish the stolen data if the ransom was not paid.

The post Ransomware Groups Claim Responsibility for Attacks on 3 Healthcare Providers appeared first on The HIPAA Journal.

Data breaches have recently been announced by Verber Dental Group in Pennsylvania, Northwoods Surgery Center in Minnesota, Cunningham Prosthetic Care in Maine, Healthcare In Action in California, and Preakness Healthcare Center in New Jersey.

Verber Dental Group

Verber Dental Group, a Camp Hill, PA-based dental group comprising 14 dental practices, has recently notified patients of unauthorized network access that exposed patient data. Suspicious network activity was identified on January 27, 2026. The network was secured, and an investigation was launched, which revealed the threat actor had access to its network from January 26, 2026, to January 27, 2026. The investigation confirmed that patient information had been exposed, including names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, medical records, and health insurance information.

Verber Dental has not identified any misuse of patient information. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals as a precaution. At present, the incident is not shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Northwoods Surgery Center

Northwoods Surgery Center in Virginia, MN, identified unauthorized activity within its computer network on or around September 8, 2025. Its network was secured, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized network access over a two-month period between July 11, 2025, and September 8, 2025. The compromised parts of the network were reviewed, and it was confirmed that files containing patient information had been exposed and may have been accessed or acquired by the threat actor.

In total, 5,385 individuals were affected. Data potentially compromised in the incident included names, addresses, dates of birth, health insurance information, patient medical record numbers, doctor’s name, practice type, medical date of service, medication information, diagnosis and treatment information, and medical claims or billing information. While patient data was exposed, Northwoods Surgery Center has not identified any actual or attempted misuse of patient information. Notification letters are now being mailed, and complimentary credit monitoring services have been made available.

Cunningham Prosthetic Care

Cunningham Prosthetic Care, a Saco, ME-based prosthetic and orthotic practice, has notified the HHS’ Office for Civil Rights about a data breach affecting 2,523 patients. On or around October 22, 2025, suspicious activity was identified within its email environment. An investigation was launched that confirmed unauthorized access to an employee’s email account. The account was reviewed, and on March 4, 2026, Cunningham Prosthetic Care confirmed that the account contained patient information.

Data exposed and potentially acquired included names, dates of birth, Social Security numbers, medical record numbers, driver’s license numbers, diagnostic and treatment information, and health insurance information. The types of exposed data varied from individual to individual. Notification letters were mailed to the affected individuals on May 1, 2026. The practice has implemented additional security measures to enhance data privacy and security.

Healthcare in Action

Healthcare In Action, a medical group serving the homeless population in California, has recently identified unauthorized access to an employee’s email account between January 28, 2026, and January 30, 2026. The account was compromised using stolen credentials. The unauthorized access was limited to a single email account, which has now been secured. Third-party experts were engaged to investigate and determined that the account contained the information of 1,143 individuals, including patients and other individuals.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: date of birth, email address, phone number, driver’s license/state ID number, Social Security numbers, ethnicity, housing application case number/HMIS number, health plan information, mailing/ physical address, medical record number, diagnosis/condition information, date(s) of service, location(s) of service, treatment information, disability verification information, and/or medication information. For non-patients, the compromised data included names, addresses, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Preakness Healthcare Center

Preakness Healthcare Center, a Wayne, NJ-based skilled nursing facility, has recently identified unauthorized access to its computer network. Suspicious activity was first identified on March 4, 2026. The forensic investigation confirmed that an unauthorized third party had access to parts of its computer network from February 24, 2026, to March 4, 2026, during which time residents’ data may have been viewed or acquired. The exposed data included residents’ names, demographic information, and limited clinical information. The affected individuals had been admitted on or after January 1, 2019. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. At present, the number of affected individuals has not been publicly disclosed.

The post Verber Dental Group Notifies Patients About January Hacking Incident appeared first on The HIPAA Journal.

Atrium Health Navicent and Interim HealthCare of Lubbock/Amarillo have recently announced that they have been affected by data breaches at third-party vendors.

Atrium Health Navicent

Atrium Health Navicent is the latest healthcare provider to announce that it has been affected by the January 2025 data breach at Oracle Health. Oracle Health acquired the electronic medical record company Cerner, and was due to migrate patient records from legacy Cerner servers to Oracle Health’s systems. As early as January 22, 2025, a hacker gained access to two legacy servers and exfiltrated patient data. Oracle Health detected the breach in February 2025. Many healthcare providers were affected and issued notification letters last year.

According to Atrium Health Navicent, the delay in notification is due to the complexity of the data review, which has taken many months to complete. Atrium Health Navicent said it only recently learned from Oracle Health that it had been affected, and the review of the impacted data was not completed until March 12, 2026. The data compromised in the incident was stored in a legacy Cerner system that was historically used by Atrium Health.

The compromised data related to patients who received services from Atrium Health in the greater Charlotte (NC) area prior to August 6, 2022, or from Atrium Health Navicent prior to July 3, 2021. The compromised data includes names, addresses, dates of birth, medical record numbers, provider names, diagnoses, medications, test results, images, and other information included with patient medical records. For certain individuals, Social Security numbers were also compromised.

Notification letters are now being mailed, and the affected individuals have been offered complimentary credit monitoring services for two years. Atrium Health Navicent has yet to publicly announce how many patients have been affected. An estimated 2 million people across the country are thought to have been affected by the Oracle Health data breach in total.

Interim HealthCare of Lubbock/Amarillo

Interim HealthCare of Lubbock and Interim HealthCare of Amarillo have recently notified the HHS’ Office for Civil Rights about a data breach at a third-party vendor that affected 2,071 and 666 patients respectively. The incident occurred at the healthcare technology firm Doctor Alliance. Unauthorized individuals gained access to the Doctor Alliance web portal and intermittently accessed the portal between October 31, 2025, and November 17, 2025.

Interim HealthCare of Lubbock and Interim HealthCare of Amarillo completed their reviews of the affected data on March 18, 2026, and confirmed that data potentially viewed or obtained included names, dates of birth, addresses, diagnoses, treatment plans, medications, and provider information. There has been no known misuse of patient data; however, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring services.

The post Atrium Health & Interim HealthCare Affected by Business Associate Data Breaches appeared first on The HIPAA Journal.

A cyberattack on Mt. Spokane Pediatrics exposed the data of more than 32,000 patients. Data breaches have also been announced by Cornerstone Care Center in California and Michigan Medicine.

Mt. Spokane Pediatrics

Mt. Spokane Pediatrics in Washington state has started notifying 32,021 individuals about the theft of some of their personal and protected health information in a January 2026 cyberattack. According to its website breach notice, the attack occurred on or around January 1, 2026, and the threat actor was found to have exfiltrated files containing patients’ protected health information. The forensic investigation determined on April 22, 2026, that the data exfiltrated in the attack included full names, dates of birth, Social Security numbers, diagnoses, treatment information, patient numbers, medical record numbers, health plan beneficiary numbers, and dates of service.

Mt. Spokane Pediatrics said it is unaware of any actual or attempted fraud as a result of the data breach. Complementary single-bureau credit monitoring services have been offered to the affected individuals as a precaution. The breach notice does not mention ransomware; however, a ransomware group claimed responsibility for the attack. The Lockbit5 ransomware group added Mt. Spokane Pediatrics to its dark web data leak site on January 3, 2026, and threatened to leak the stolen data in 20 days if the ransom was not paid.

Sanger Skilled Care (Cornerstone Care Center)

Sanger Skilled Care, LLC, doing business as Cornerstone Care Center, a skilled nursing and long-term care facility in Sanger, California, has issued prompt notifications about a recent security incident identified on or around April 7, 2026. According to its substitute data breach notice, unauthorized network access was identified on April 7, 2026. Steps were taken to contain the incident, and an investigation was launched to determine the nature and scope of the activity. On April 16, 2026, the investigation was completed, and it was confirmed that the breach was confined to a single account, which contained some protected health information.

The data review confirmed that the exposed data includes names, dates of birth, lab results, diagnoses, prescription and treatment information, provider names, medical record numbers, patient identification numbers, Social Security numbers, health insurance information, and dates of services. Notification letters were mailed to the affected individuals on May 1, 2026, and 12 months of complimentary credit monitoring services have been offered. At present, the number of affected individuals has not been publicly disclosed.

University of Michigan (Michigan Medicine)

The University of Michigan (Michigan Medicine) has recently announced that it has been affected by a data breach involving its electronic medical record company, Epic Systems Corporation. Michigan Medicine was one of several healthcare providers to be affected by the incident, which involved unauthorized access to patient records through a nationwide health information exchange. Third-party companies accessed patient records for reasons unrelated to patient care. Those companies had been granted access after claiming they had a legitimate need to access patient records; however, patient information was accessed for reasons unrelated to the provision of healthcare services.

Michigan Medicine was informed about the breach by Epic Systems, and its internal review determined in March 2026 that 551 individuals had been affected. The types of information viewed or obtained included names, addresses, phone numbers, email addresses, dates of birth, medical record numbers, diagnoses, medications, allergies, test results, treatment information, and health insurance information. Michigan Medicine is working with Epic and the relevant exchange and network parties to investigate the incident and is monitoring the litigation initiated by Epic Systems in response to the unauthorized access.

The post Mt. Spokane Pediatrics Data Breach Affects 32,000 Patients appeared first on The HIPAA Journal.

Data breaches have recently been announced by Hematology Oncology Consultants in Michigan, Cunningham Prosthetic Care in Maine, and Southcoast Health System in Massachusetts.

Hematology Oncology Consultants

Hematology Oncology Consultants in Michigan have started notifying individuals affected by a September 20, 2025, security incident. Upon detection, immediate action was taken to secure its network and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity. On or around February 12, 2026, Hematology Oncology Consultants confirmed that files containing personal and protected health information were likely exfiltrated from its network.

The review of the affected files was completed on April 7, 2026, and notification letters started to be mailed to the affected individuals on April 24, 2026. Data compromised in the incident includes names, medical records, health insurance information, and Social Security numbers. While not described as a ransomware attack, the Rhysida ransomware group claimed responsibility for the attack. Rhysida threatens to sell or publish the stolen data if the ransom is not paid. The group claims to have sold some of the stolen data and has leaked 40% of the data exfiltrated in the attack. The incident has been reported to regulators, although it is currently unclear how many individuals have been affected.

Cunningham Prosthetic Care

The Saco, Maine-based orthotic and prosthetic service provider Cunningham Prosthetic Care has started notifying patients about a data security incident first identified on October 22, 2025. Suspicious activity was identified within an employee’s email account, and upon investigation, unauthorized access to the account was confirmed as occurring on October 22, 2025. The account was reviewed, and after around 4 months, it was confirmed that the account contained personal and protected health information, including names, health insurance information, diagnostic information, medical treatment information, and medical record numbers. The affected individuals started to be notified by mail on May 1, 2026. The data breach has been reported to the appropriate authorities, but at present, the number of affected individuals has yet to be publicly disclosed.

Southcoast Health

Southcoast Health System, a nonprofit community health system with more than 55 locations in Southeastern Massachusetts and Rhode Island, has identified unauthorized access to a single user account on February 16, 2026. The security incident was identified on the same day, and unauthorized access was immediately blocked. While the incident was detected quickly, it is possible that sensitive data such as names and Social Security numbers were viewed or acquired. As a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring and identity theft protection services. At the time of publication, the number of affected individuals had not been publicly disclosed.

The post Hematology Oncology Consultants; Southcoast Health; Cunningham Prosthetic Care Announce Data Breaches appeared first on The HIPAA Journal.

Data breaches have recently been announced by Western Orthopaedics in Colorado, Community Health Systems in California, Tri-Cities Gastroenterology in Tennessee, and Integrated Pain Associates in Texas.

Western Orthopaedics

Western Orthopaedics, an Englewood, Colorado-based healthcare provider with locations throughout Colorado, has disclosed a security incident that was first identified on October 2, 2025. Assisted by third-party cybersecurity experts, Western Orthopaedics confirmed unauthorized access to its network between September 17, 2025, and September 25, 2025, during which time files containing personal and protected health information may have been viewed or acquired.

The analysis of those files was completed on March 3, 2026, when it was confirmed that the following data elements were potentially compromised: full name, address, phone number, Social Security number, date of birth, password, and/or financial account information, which may include credit/debit card number with or without security or access code, and protected health information such as health insurance information, health insurance plan or subscriber identification number, medical provider name, medical dates of service, and medical cost or billing information.

Additional measures have been taken to improve security, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. At present, it is unclear how many individuals have been affected. The PEAR cyber extortion group claimed responsibility for the attack and proceeded to leak the stolen data when the ransom was not paid.

Community Health Systems

Community Health Systems Inc., a California healthcare provider serving patients in San Bernardino, Riverside, and San Diego Counties, has recently disclosed a data security incident. According to its April 28, 2026, media notice, suspicious activity was identified within its computer network on or around February 28, 2026. Assisted by third-party security experts, Community Health Systems confirmed unauthorized access to parts of the network where patient data was stored.

The review of the exposed files confirmed that they contained information such as names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, treatment/diagnosis information, prescription information, dates of service, provider names, medical record numbers, patient ID numbers, Medicare/Medicaid ID numbers, health insurance information, and/or medical billing/claims information. Community Health Systems said it is reviewing its policies and procedures related to data protection. At present, it is unclear how many individuals have been affected.

Tri-Cities Gastroenterology

Tri-Cities Gastroenterology, a gastroenterology practice with five locations in Tennessee, has announced a data security incident that occurred on or around December 11, 2025. External cybersecurity professionals assisted with the investigation and confirmed that files were exfiltrated from its network on or around December 11, 2026. The file review confirmed on or around April 22, 2026, that the files contained information such as full names, Social Security numbers, dates of birth, addresses, email addresses, telephone numbers, gender, and medical record numbers.

Notification letters started to be mailed to the affected individuals on April 29, 2026. At that time, no misuse of the stolen data had been identified. Tri-Cities Gastroenterology said it will continue to evaluate and modify its cybersecurity practices and is taking steps to strengthen security. The Insomnia threat group claimed responsibility for the attack and added Tri-Cities Gastroenterology to its dark web data leak site in December. The group proceeded to leak the stolen data, indicating the ransom was not paid.

Integrated Pain Associates

On April 30, 2026, Integrated Pain Associates, a Killeen, Texas-based team of spine and pain specialists, announced a data security incident that was identified in February 2026. The forensic review confirmed unauthorized network access on or around February 24, 2026, and that patient data may have been accessed or acquired.

The review of the affected files is ongoing; however, Integrated Pain Associates has confirmed that the types of data involved include names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnosis/condition information, medication information, health insurance information, provider names, other treatment information, and/or financial account information. Integrated Pain Associates has confirmed that it is offering complimentary credit monitoring and identity theft protection services to the affected individuals. Additional security measures have been implemented to reduce the risk of similar incidents in the future. At present, the breach is not shown on the website of the Office of the Texas Attorney General nor the HHS’ Office for Civil Rights breach portal.

The post Data Breaches Announced by Four Healthcare Providers appeared first on The HIPAA Journal.

The health insurance company Starr Insurance has disclosed a ransomware attack and data breach. Data breaches have also been reported by the medical imaging company Green Imaging and the AI-based care coordination provider Lena Health.

Starr Insurance

Starr Insurance, a Chambersburg, Pennsylvania-based insurance agency, has recently confirmed that hackers accessed parts of its computer network and potentially obtained a range of sensitive data. Suspicious network activity was identified on November 18, 2025. Assisted by third-party cybersecurity experts, Starr Insurance determined that an unauthorized actor accessed and copied files from its network on November 28, 2025.

The review of the affected data confirmed that the hacker obtained information such as names, addresses, Social Security numbers, driver’s license numbers, financial account information, payment card information, medical information, health insurance information, and online account access information.  Regulators have been notified, and individual notification letters are being sent to the affected individuals. Starr Insurance has enhanced its policies and procedures relating to data protection and security.

At the time of issuing notifications, no attempted or actual misuse of patient data had been identified. Starr Insurance did not state if this was a ransomware attack; however, a ransomware group claimed responsibility for the breach. Akira, one of the most active ransomware groups, claimed to have stolen 15 gigabytes of data in the attack. Akira engages in double extortion, stealing data, encrypting files, and demanding a ransom be paid to obtain the decryption keys and prevent the publication of the stolen data. The stolen data was listed for download, indicating that the ransom was not paid. Based on the breach notice issued by Starr Insurance, complimentary credit monitoring and identity theft protection services do not appear to have been offered to the affected individuals. At the time of publication, the number of affected individuals has yet to be publicly disclosed.

Green Imaging

Green Imaging LLC, a full-service virtual medical imaging network with locations in all 50 U.S. states, has started notifying patients about a data security incident first identified on October 17, 2025. Suspicious activity was identified within its email environment, and the investigation confirmed unauthorized access to a single user’s email account between October 7, 2025, and October 17, 2025.

The review of the account has recently been completed, and the results have been validated. The types of information compromised in the incident vary from individual to individual and may include names in combination with one or more of the following: address, date of birth, Social Security number, driver’s license number, other government issued identification number, clinical/treatment information, diagnosis/condition, procedure type, physician information, medication, and other health and/or health insurance information.

Green Imaging has reviewed its policies and procedures related to data privacy and security and has taken steps to reduce the risk of similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Bloom Circle, Inc. – Lena Health

Bloom Circle, Inc., doing business as Lena Health, a Houston, TX-based provider of an AI-based care coordination platform, has recently notified the HHS’ Office for Civil Rights about a data security incident involving the electronic protected health information of up to 3,651 patients. The exposed data was stored in a public cloud storage container (Amazon S3 bucket). A hacker exploited a vulnerability in December 2025, allowing data to be exfiltrated. A patch was available to address the vulnerability; however, it had not been applied quickly enough to prevent exploitation.

Data compromised in the incident included names, dates of birth, phone numbers, medical record numbers, health information, and recordings of phone calls between patients and providers, in which patients discussed their health issues. A threat actor – FulcrumSec – who engages in data theft and extortion, claimed responsibility for the hack. According to databreaches.net, most of the stolen data related to patients of its client, Houston Methodist Hospital in Texas.

The post Starr Insurance Discloses Ransomware Attack appeared first on The HIPAA Journal.

Further information has come to light about the RXNT data breach, reported by the HIPAA Journal on May 6, 2026. As detailed below, hackers had access to RXNT’s systems for two days in March and stole patient data. While the extent of the data breach has yet to be publicly disclosed, the breach is now known to have involved Congress members’ prescription data.

RXNT’s medical software is used by the Office of the Attending Physician (OAP) to manage care for members of Congress. The software is used to securely transmit prescription information to pharmacies for fulfillment, and some of that information was stolen in the attack, including names, addresses, dates of birth, physician names, and prescription and pharmacy information. Attending physician Brian Monahan has notified the affected members of Congress this week about the exposure of their personal and health data. Congress members’ medical records, Social Security numbers, and financial information were not involved, as the only information entered into the RXNT software is what is required for prescription fulfillment. While the types of information involved have been disclosed, OAP has yet to publicly announce how many individuals have been affected.

Under the HIPAA Breach Notification Rule, business associates such as RXNT have to notify the affected HIPAA-covered entity clients of a breach of unsecured electronic protected health information within 60 days of discovery. Only then does the clock start ticking for issuing individual notifications and notifying the HHS’ Office for Civil Rights. The affected covered entities are ultimately responsible for issuing notifications, which must be issued within 60 days of learning about a breach from their business associate. Covered entities must ensure that those notifications are issued within 60 days of being informed, although they may delegate that responsibility to the business associate. It could therefore take up to two months before the full scale of the data breach is known.

May 6, 2026: RXNT Notifies Customers About Cybersecurity Incident and Data Breach

Networking Technology, Inc., doing business as RXNT, a healthcare software technology company that provides electronic health record software, has started sending notification letters to organizations that use its software to inform them about a recent security incident that exposed patient data. A copy of one of the notification letters was shared with The HIPAA Journal, which states that unauthorized activity was identified within an RXNT solution used by some of its customers. An investigation was immediately launched to determine the nature and scope of the unauthorized activity, with assistance provided by third-party cybersecurity experts.

RXNT has confirmed that an unauthorized actor accessed the solution between March 1, 2026, and March 3, 2026, and obtained a copy of the data stored within the system, which included patient data associated with its customers. The data was reviewed between March 3, 2026, and April 17, 2026, and RXNT can now confirm that patient names, dates of birth, and demographic information such as addresses, contact information, and patient IDs were stolen. Each customer was informed about how many patients were affected.

RXNT said it is taking steps to strengthen security to prevent similar incidents in the future and has offered to handle all breach reporting requirements on behalf of the affected clients (OCR notifications, media notices, individual notifications, and state attorneys general notifications). The affected clients have been given a rather short window to respond and sign up to receive further information about the cybersecurity incident. The notification letters are dated May 1, 2026, and providers are required to register by May 15, 2026. A website has been established specifically for that purpose – RXNTnotification[dot]com.

RXNT has only recently notified the affected organizations and offered to handle breach reporting requirements; therefore, the number of affected individuals has not yet been publicly disclosed. It is clear that multiple clients have been affected, and this has been a significant data breach.

This is a developing data breach story, and further information will be published on this page as it becomes available.

The post Congress Members’ Prescription Information Compromised in RXNT Data Breach appeared first on The HIPAA Journal.