HIPAA Breach News

Data Breaches Announced by Florida Retina Center; Acadia Healthcare Company

Florida Retina Center has identified unauthorized access to systems containing the protected health information of more than 13,600 patients. Acadia Healthcare Company has experienced a breach affecting 1,800 patients.

Florida Retina Center

Bonita Springs-based Florida Retina Center has announced a cybersecurity incident that was first identified on January 30, 2026. Immediate action was taken to secure its network, and an investigation was launched to determine the nature and scope of the unauthorized activity. On May 19, 2026, Florida Retina Center confirmed unauthorized access to parts of its network containing patient data.

The file review confirmed that the data of 13,652 patients was exposed and potentially acquired in the incident. The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Notification letters have been mailed to the affected individuals, and 12 months of complimentary credit monitoring and identity theft protection services have been made available. At the time of issuing notification letters, no misuse of the affected data had been identified.

Acadia Healthcare Company

Franklin, Tennessee-based Acadia Healthcare Company, Inc., a provider of psychiatric and chemical dependency services, has announced a data breach affecting 1,807 individuals. Unusual activity was identified within an employee’s email account on March 25, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to a single employee’s email account and associated SharePoint files between March 21, 2026, and March 25, 2026. There was no unauthorized access to any other email accounts, other systems, or the electronic medical record system.

The types of data involved varied from individual to individual, and for the majority of affected individuals, involved one or more of the following data elements in addition to their names: address, date of birth, treatment information, dates of treatment, type of treatment, and health insurance information. Certain individuals also had their Medicare Health Insurance Claim Number (HICN) exposed, which may include their Social Security number. Notification letters were mailed to the affected individuals on May 22, 2026, and additional safeguards have been implemented to prevent similar incidents in the future.

The post Data Breaches Announced by Florida Retina Center; Acadia Healthcare Company appeared first on The HIPAA Journal.

April 2026 Healthcare Data Breach Report

In April 2026, 47 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). That represents a 33.8% reduction in large healthcare data breaches from the 71 large data breaches reported in March 2026, and well below the 12-month average of 62.4 data breaches per month.

[Figure: Healthcare data breaches in the past 12 months - April 2026]

The year-to-date figures also show a reduction in large healthcare data breaches. From January 1 to April 30, 252 large healthcare data breaches have been reported by HIPAA-regulated entities, compared to 276 (-8.7%) for the corresponding period in 2025 and 299 (-15.7%) for the corresponding period in 2024.

[Figure: Healthcare data breaches - January 1 to April 30 (2022-2026)]

Across the 47 data breaches, the protected health information of 1,336,264 individuals was exposed or impermissibly disclosed – the second lowest monthly total in the past 12 months, and currently an 84.9% reduction from March 2026. The number of affected individuals is likely to increase, as some regulated entities have reported breaches with placeholder estimates of 500 or 501 affected individuals.

[Figure: Individuals affected by healthcare data breaches in the past 12 months (April 2026)]

The year-to-date figures for affected individuals are encouraging. From January 1 to April 30, the protected health information of 20.1 million individuals has been breached, and while that is a sizeable figure, it is a reduction of 25.5% from the corresponding period in 2025 and a reduction of 48.8% from the corresponding period in 2024.

[Figure: Individuals affected by healthcare data breaches - January 1 to April 30 (2022-2026)]

The Biggest Healthcare Data Breaches Reported in April 2026

In April, 15 data breaches affecting 10,000 or more individuals were reported to the HHS’ Office for Civil Rights, all but one of which were hacking incidents. The biggest data breach of the month was reported by the medical group Florida Physician Specialists, involving unauthorized access to the protected health information of 276,498 individuals. Two of the 15 data breaches were confirmed ransomware attacks, and one incident involved unauthorized access by “a business counterparty” after access was thought to have been terminated.

| Regulated Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|---|
| Florida Physician Specialists | FL | Healthcare Provider | 276,498 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Southern Illinois Dermatology | IL | Healthcare Provider | 160,312 | Hacking/IT Incident | Network Server | Hacking incident |
| Laurel Eye Clinic | PA | Healthcare Provider | 145,221 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Innovative Scientific Solutions, LLC | SC | Healthcare Provider | 143,842 | Hacking/IT Incident | Network Server | Hacking incident |
| Hospital Caribbean Medical Center | PR | Healthcare Provider | 92,000 | Hacking/IT Incident | Network Server | Ransomware attack (The Gentlemen) – Data theft confirmed |
| Tri-Cities Gastroenterology | TN | Healthcare Provider | 67,115 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| City Health, a medical corporation | CA | Healthcare Provider | 65,000 | Unauthorized Access/Disclosure | Electronic Medical Record | Access to its electronic medical record system by a former business counterparty after termination |
| Hematology Oncology Consultants | MI | Healthcare Provider | 62,972 | Hacking/IT Incident | Network Server | Hacking incident – Data theft likely |
| GrayRobinson, P.A. | FL | Business Associate | 54,131 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Rocky Mountain Associated Physicians, P.C. | UT | Healthcare Provider | 50,640 | Hacking/IT Incident | Network Server | Hacking incident |
| Heart South Cardiovascular Group | AL | Healthcare Provider | 46,666 | Hacking/IT Incident | Network Server | Hacking incident |
| Mt. Spokane Pediatrics | WA | Healthcare Provider | 32,021 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| University of Nebraska Medical Center | NE | Healthcare Provider | 26,937 | Hacking/IT Incident | Network Server | Hacking of a third-party software application |
| Liberty Bankers Life Ins. Co. | TX | Health Plan | 20,202 | Hacking/IT Incident | Network Server | Hacking incident at a business associate |
| Bayside Dental | WA | Healthcare Provider | 10,216 | Hacking/IT Incident | Network Server | Ransomware attack (Sinobi) – Data theft claimed |

Three data breaches were reported in April before data reviews had been completed. Placeholder figures of 500 or 501 affected individuals were used and will be updated when the file reviews are concluded.

| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Spokane Digestive Disease Center, P.S. | WA | Healthcare Provider | 501 | Unauthorized access to its email environment |
| FMRS Health Systems, Inc. | WV | Healthcare Provider | 500 | Hacking incident – data theft confirmed |
| CARE Clinic | MN | Healthcare Provider | 500 | Unauthorized access to its email environment |

Causes of April 2026 Healthcare Data Breaches

Hacking and other types of IT incidents dominated the breach reports in April, accounting for 36 (76.6%) of the 47 reported large data breaches. Across those incidents, the protected health information of 1,240,571 individuals was exposed or impermissibly disclosed. Hacking/IT incidents accounted for 92.8% of the affected individuals in April. The average breach size was 32,883 individuals, and the median breach size was 4,547 individuals.

[Figure: Causes of April 2026 healthcare data breaches]

There were 9 unauthorized access/disclosure incidents in April, which accounted for 19.1% of the month’s data breaches. Across those incidents, the protected health information of 86,717 individuals was accessed without authorization or was impermissibly disclosed – 6.5% of the month’s affected individuals. The average breach size was 9,635 individuals, and the median breach size was 1,467 individuals. There were no loss, theft, or improper disposal incidents in April.

[Figure: Location of breached PHI in April 2026]

States Affected by April 2026 Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 25 states, the District of Columbia, and Puerto Rico in April. California was the worst-affected state in terms of data breaches, while Florida was the worst-affected state in terms of the number of individuals affected.

April 2026 Healthcare Data Breaches

| State | Breaches |
|---|---|
| California | 6 |
| Texas & Washington | 4 |
| Florida & Virginia | 3 |
| Illinois, Minnesota, Oklahoma, Pennsylvania & West Virginia | 2 |
| Alabama, Delaware, Iowa, Indiana, Kentucky, Maryland, Michigan, Missouri, Nebraska, New Jersey, New York, South Carolina, Tennessee, Utah, Vermont, the District of Columbia & Puerto Rico | 1 |

Individuals Affected by April 2026 Healthcare Data Breaches

| State | Individuals Affected | State | Individuals Affected |
|---|---|---|---|
| Florida | 331,316 | Oklahoma | 8,233 |
| Illinois | 162,203 | Maryland | 7,213 |
| Pennsylvania | 145,976 | Iowa | 6,717 |
| South Carolina | 143,842 | Indiana | 5,900 |
| Puerto Rico | 92,000 | Vermont | 5,892 |
| California | 78,846 | Minnesota | 5,885 |
| Tennessee | 67,115 | Kentucky | 3,677 |
| Michigan | 62,972 | Virginia | 2,552 |
| Utah | 50,640 | New York | 2,123 |
| Alabama | 46,666 | Missouri | 2,027 |
| Washington | 46,202 | West Virginia | 1,500 |
| Nebraska | 26,937 | District of Columbia | 1,467 |
| Texas | 26,648 | | |

April 2026 Data Breaches at HIPAA Regulated Entities

In April 2026, 36 data breaches were reported by healthcare providers, 8 breaches were reported by health plans, and 3 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.

The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 11 of the 47 breaches (rather than 3) occurred at business associates in April.

[Figure: Data breaches at HIPAA-regulated entities in April 2026]

[Figure: Individuals affected by healthcare data breaches at HIPAA-regulated entities in April 2026]

HIPAA Enforcement Activity in April 2026

The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, announced 4 settlements with HIPAA-regulated entities in April to resolve alleged violations of the HIPAA Rules. When alleged HIPAA violations are settled, the settlement agreement includes a corrective action plan to address the areas of noncompliance identified by OCR. When a civil monetary penalty is imposed, OCR cannot compel the regulated entity to adopt a corrective action plan.

All four of the settlements related to ransomware attacks, and in all cases, OCR identified a risk analysis failure. The HIPAA Security Rule requires regulated entities to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to electronic protected health information. It is the most commonly identified HIPAA Security Rule violation. You can read more about each enforcement action in this post. No state attorneys general announced any HIPAA penalties in April.

| HIPAA-Regulated Entity | Entity Type | Reason for Investigation | Alleged HIPAA violation(s) | Settlement Amount |
|---|---|---|---|---|
| Regional Women’s Health Group (Axia Women’s Health) | Healthcare Provider | Reported ransomware attack involving the protected health information of 37,989 individuals | Risk analysis failure; impermissible disclosure of ePHI | $320,000 |
| Assured Imaging Affiliated Covered Entities | Healthcare Provider | Reported ransomware attack involving the protected health information of 244,813 individuals | Risk analysis failure (never conducted); breach notification failure | $375,000 |
| Consociate, Inc. (Consociate Health) | Business Associate | Reported ransomware attack involving the protected health information of 136,539 individuals | Risk analysis failure | $225,000 |
| Star Group, L.P. Health Benefits Plan | Health Plan | Reported ransomware attack involving the protected health information of 9,316 individuals | Risk analysis failure | $245,000 |


Lifepoint Health; Southwest Behavioral & Health Services; Nottingham Village Report Data Breaches

Data breaches have been announced by Lifepoint Health, Southwest Behavioral & Health Services, and Nottingham Village.

Lifepoint Health

Lifepoint Health Inc., a healthcare delivery network that operates more than 60 hospital campuses in 28 U.S. states, more than 30 rehabilitation and behavioral health hospitals, and over 170 acute rehabilitation units, discovered unauthorized activity within its network on February 23, 2026. The forensic investigation traced the activity to a compromised user account. Assisted by third-party cybersecurity experts, Lifepoint Health determined that an unauthorized third party gained limited access to certain internal databases on February 22, 2026. The incident was fully contained within 24 hours.

Lifepoint Health determined that the data breach was limited in scope and was restricted to employees of contracted vendors. Direct employees of the company and patients were not affected. The affected employees had their names, addresses, phone numbers, dates of birth, and Social Security numbers compromised in the incident. Notification letters were sent to those individuals on April 23, 2026, and complimentary credit monitoring and identity theft protection services have been made available.

Southwest Behavioral & Health Services

Southwest Behavioral & Health Services, a Phoenix, AZ-based non-profit behavioral health organization, has identified a breach of its email environment. Suspicious activity was identified within its email environment on April 1, 2026, and the forensic investigation determined that six employee email accounts were compromised.

The review of the affected email accounts was completed on April 30, 2026, and notification letters have now been sent to the 2,316 affected individuals. Southwest Behavioral & Health Services has published a substitute breach notice on its website, but it does not state the types of information exposed in the incident. No evidence has been identified to suggest any misuse of the exposed data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services, and steps have been taken to improve email security to prevent similar incidents in the future.

Nottingham Village

Nottingham Village, a skilled nursing and assisted living facility in Northumberland, Pennsylvania, has notified 5,240 individuals about a security incident that was identified on November 9, 2025. After securing its network, an investigation was launched, and on May 12, 2026, it was confirmed that the exposed data included names, birth dates, Social Security numbers, driver’s license numbers/state government IDs, financial account information, medical information, and health insurance information. Nottingham Village said it continually evaluates and modifies its security practices and will continue to do so in the future.


Xsolis Data Breach Affects 1.4M Individuals

Xsolis, a business associate of HIPAA-covered entities that provides AI-powered solutions for improving case and utilization management to achieve more efficient outcomes, has experienced a major data breach as a result of a phishing attack.

According to the data breach notification filed with the California Attorney General, unauthorized activity was identified within the Xsolis environment on January 22, 2026, as a result of a targeted phishing attack. The incident has been contained, unauthorized access has been terminated, no evidence has been found of unauthorized access since January 22, 2026, and Xsolis has found no evidence to suggest any of the exposed data has been misused.

An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that patient data had been exposed and may have been copied. Xsolis engaged digital specialists to review the affected data, and that process has now been completed. Xsolis is notifying the affected individuals and has offered them complimentary credit monitoring and identity theft protection services through Kroll for 12 months.

The Kroll website notice about the security incident states that an unauthorized third party had access to a limited portion of the Xsolis environment from January 20, 2026, to January 22, 2026. Data exposed in the incident included names, dates of birth, Social Security numbers, health insurance information, and medical treatment information.

The data breach has been reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 1,396,519 patients of its healthcare provider clients. A list of the affected clients has not been published; however, VHC Health, a healthcare provider serving patients in Northern Virginia and the Washington D.C. Metro area, has confirmed that it has been affected, as has Rochester Regional Health in New York.

Additional security measures have been implemented to prevent similar incidents in the future, system monitoring has been increased, all passwords for key users have been reset, new protective technologies have been deployed, security awareness training for employees has been accelerated, and credential management processes have been strengthened.


Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients

Blue Fish Pediatrics in Texas has announced a July 2025 cyberattack that affected more than 41,000 Texas patients. Data breaches have also been announced by Cherry Health in Michigan, Coastal Carolina Centers of Urology and Surgery in South Carolina, and Regence in Oregon.

Blue Fish Pediatrics, Texas

Blue Fish Pediatrics, a Houston, Texas-based network of pediatric medical practices, has notified the Texas Attorney General about a cybersecurity incident last year that exposed the personal and protected health information of its patients.

In a substitute breach notice on its website, Blue Fish Pediatrics explained that unauthorized access to its IT systems was identified on or around July 17, 2025. After securing its systems, an investigation was conducted to determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that a threat actor had access to a limited number of files between July 11, 2025, and July 17, 2025. Some of those files contained personally identifiable information and protected health information and may have been acquired in the incident.

The files have now been reviewed and found to contain full names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, medical record numbers, diagnosis/condition information, lab results, medications, claims information, and clinical/treatment information. Notification letters are now being mailed to the affected individuals, and complimentary credit monitoring has been made available to individuals whose Social Security numbers were exposed.

The total number of affected individuals has yet to be disclosed; however, the bulk of the affected individuals reside in Texas. The Texas Attorney General was informed that 41,485 Texas residents were affected.

Cherry Health, Michigan

Cherry Health, Michigan’s largest non-profit Federally Qualified Health Center serving six counties in the state, announced a breach of patients’ protected health information on June 18, 2026. Suspicious network activity was identified on or around April 19, 2026. The forensic investigation confirmed unauthorized access to its network and the copying of files containing patient information.

The file review is ongoing; however, information likely stolen in the incident includes names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID numbers, patient ID numbers, provider names, service dates, and, for a limited number of individuals, Social Security numbers. Cherry Health said it has not identified any misuse of the impacted data. Cherry Health is working on implementing additional safeguards to prevent similar incidents in the future. At present, it is unclear how many individuals have been affected.

Coastal Carolina Centers of Urology and Surgery, South Carolina

Coastal Carolina Centers of Urology and Surgery, LLC, doing business as Rivertown Surgery Center in Conway, South Carolina, has notified the HHS’ Office for Civil Rights about a network server hacking incident involving unauthorized access to the electronic protected health information of 2,886 individuals.

Only limited information has been made public about the breach, such as that it involved unauthorized access to names and health records; however, this appears to have been a ransomware attack by the Qilin ransomware group. Qilin added Coastal Carolina Centers of Urology and Surgery to its dark web data leak site on September 4, 2025, along with screenshots of files allegedly stolen in the attack. According to the notice sent to the Indiana Attorney General, the breach occurred on August 26, 2025, and notifications were mailed on or around May 22, 2026.

Regence, Oregon

Regence Blue Cross Blue Shield of Oregon has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 2,856 individuals. According to a notice on the Regence website, unauthorized actors registered and accessed some Regence digital member accounts between January 1, 2026, and April 15, 2026, and redeemed wellness rewards for gift cards. Information in the accounts may have been accessed.


ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data

One Medical, the Amazon-owned primary care provider, has recently announced a cybersecurity incident in which an unauthorized third party gained access to a third-party file storage system containing archived information for One Medical Seniors patients. Last week, the ShinyHunters threat group added One Medical to its dark web data leak site and claimed to have exfiltrated 8.8 terabytes of data.

According to the One Medical website data breach notice, the unauthorized access was identified on June 13, 2026, and was limited to the file storage system, which contained legacy data of One Medical Seniors patients. One Medical Seniors is the new name for Iora Health, which One Medical acquired in 2021. When the breach was discovered, the affected system was immediately secured, and all access was revoked. An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that the file storage system was accessed by an unauthorized third party between June 8 and June 11, 2026. While it has only been a few days since the breach was discovered, One Medical has confirmed that the breach was limited to the file storage platform, which only contained legacy data of certain Iora Health/One Medical Seniors patients. No other One Medical clinics, services, or the One Medical electronic medical record system were accessed.

The data review has begun, and One Medical has confirmed that the system contained demographic information and the clinical records of Iora Health/One Medical Seniors patients in Atlanta, Cape Cod, Charlotte, Piedmont Triad, Denver, Houston, Phoenix, Tucson, and Seattle. The exact data types involved have yet to be made public. In response to the breach, One Medical said it has revoked all user access and is rotating credentials for all employees with access to the system, and has implemented additional safeguards to prevent similar incidents in the future. The number of affected individuals has yet to be publicly disclosed. One Medical has not confirmed the name of the group behind the attack.

ShinyHunters is a prolific data extortion group that targets large companies, breaches their networks, exfiltrates sensitive data, and demands a ransom to prevent a data leak. The group’s previous healthcare victims include dental benefits administrator DentaQuest, and the medical device manufacturer Medtronic. Last week, ShinyHunters claimed it had stolen 8.8 TB of data from One Medical and threatened to publish the stolen data unless One Medical entered ransom negotiations. One Medical was given until June 22, 2026, to do so, or the data would be leaked. The claim has not been verified by One Medical, and currently, no samples of the stolen data have been provided as proof of data theft. “This is a final warning to reach out by 22 June 2026 before we leak along with several annoying (digital) problems that’ll come your way,” states ShinyHunters on its dark web data leak site.


Heart Monitoring Device Manufacturer Discloses Cyberattack; Data Breach

iRhythm Holdings Inc., a publicly traded heart monitoring device manufacturer, has notified the U.S. Securities and Exchange Commission (SEC) about a cybersecurity incident that was first identified on June 8, 2026.

According to the SEC filing, iRhythm identified unauthorized access to certain business applications that are hosted on a third-party platform. The company activated its cybersecurity incident response plan and launched an investigation to determine the nature and scope of the unauthorized activity. On June 9, 2026, one day after the unauthorized access was identified, the company received communications from a threat actor who claimed to have exfiltrated sensitive data from its applications and demanded payment to prevent the data from being publicly released.

San Francisco, CA-based iRhythm makes cardiac monitoring devices that are used by approximately 8 million patients in the United States and Europe, and cloud-based data analytics for diagnosing and tracking patients with heart arrhythmias. The threat actor claimed to have exfiltrated proprietary data and patient data from iRhythm applications.

The internal investigation confirmed that the threat actor had exfiltrated sensitive data, including personal and protected health information. While the number of individuals affected by the incident has yet to be confirmed by iRhythm, the company said in the Form 8-K filing that this was a material incident due to the volume of data potentially stolen in the attack.

iRhythm has not identified any impact on its products, clinical, or medical device systems as a result of the incident. The incident has not had any impact on patient safety, manufacturing, its distribution operations, financial reporting systems, or the company’s ability to meet patient needs.

The threat actor gained access to certain third-party hosted business applications through social engineering. The company’s medical device systems and connections to customers were not affected, and the company does not retain any individual financial account information or payment card information. iRhythm is still investigating the data breach and has yet to announce the number of affected individuals or the types of data compromised in the incident.

The SEC filing does not state whether payment was made to the attacker or if the company is negotiating payment. While this was a material cybersecurity incident, the company does not believe it will have a material impact on its financial condition or results of operations, although the company warned that the attack could cause significant harm to the company’s brand, reputation, and patient trust in its devices. The company holds a cyber insurance policy, which may cover certain losses incurred as a result of the incident.

Several cyberattacks have recently been reported by medical device manufacturers, including UFP Technologies in February 2026, which involved either the theft or destruction of company data; Stryker, which involved the exfiltration of around 50 terabytes of data in March; and Medtronic, which experienced a major data theft incident in March involving around 9 million patient records.


Data Breaches Announced by Open Arms Care; Elmwood Home Care

Data breaches have been announced by the Tennessee-based disability care provider Open Arms Care Corporation and the Rhode Island and Massachusetts home healthcare provider, Elmwood Home Care.

Open Arms Care, Tennessee

Open Arms Care Corporation, a Brentwood, TN-based nonprofit provider of residential and therapeutic care services to individuals with disabilities, has recently disclosed a breach of its email tenant. Suspicious activity was identified in August 2025, indicative of unauthorized access to an email account. The forensic investigation confirmed that the account had been accessed by an unauthorized third party between June 2025 and August 2025.

The account was reviewed to determine the individuals affected and the types of data involved, and that process was completed on April 30, 2026. Up-to-date contact information was obtained, and notification letters were mailed to the affected individuals on June 9, 2026. The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: Medical diagnosis, treatment information, Social Security number, and/or health insurance information. The number of affected individuals has not been publicly disclosed at the time of writing.

Elmwood Home Care, Rhode Island/Massachusetts

Elmwood Home Care, a home healthcare provider serving patients in Rhode Island and Massachusetts, has recently announced a cybersecurity incident that resulted in unauthorized access to its computer systems between January 24, 2026, and February 13, 2026.

The forensic investigation determined that a threat group viewed or acquired files containing patient data such as names, dates of birth, Social Security numbers, driver’s license numbers, other demographic information, medical information, and health insurance information. Elmwood Home Care said it is reviewing its data security policies and procedures and is implementing additional administrative and technical safeguards to better protect its systems and sensitive data.

At the time of publication, the number of affected individuals had not been publicly disclosed. This appears to have been a ransomware attack, for which the LockBit5 ransomware group claimed responsibility.


Clinical Registry Solutions; Jason R Egbert OD PC; VHC Health Announce Data Breaches

Data breaches have been announced by Clinical Registry Solutions in New York, First Sight Family Vision in Washington, and VHC Health in Virginia.

Clinical Registry Solutions, New York

Clinical Registry Solutions, a Brooklyn, New York-based provider of clinical data abstraction and registry support services to healthcare providers, is notifying patients of Dignity Health’s St. Mary’s Medical Center that some of their protected health information has potentially been compromised in an April 2026 cybersecurity incident.

Suspicious activity was identified within its computer network on April 9, 2026. The forensic investigation identified unauthorized access to its computer network, and evidence was found indicating that files containing patient data were copied by the attackers. The data review determined that patient names, procedure dates, and medical record numbers were involved; however, Social Security numbers and diagnosis and treatment information were not involved. Company data was also stolen in the attack.

Clinical Registry Solutions has not identified any misuse of the impacted data; however, as a precaution, complimentary credit monitoring and identity theft protection services have been made available. While not mentioned in the notification letters, the threat group behind the attack appears to be the Akira ransomware group. Akira claimed to have exfiltrated 41 GB of data, including employee information such as passports, Social Security numbers, and driver’s license numbers.

First Sight Family Vision (Jason R Egbert OD PC)

First Sight Family Vision, a Battle Ground, Washington-based optometry practice that used to operate under the name Jason R Egbert OD PC, has been affected by a data breach at vendor Networking Technology Inc, which does business as RXNT.

RXNT, a provider of cloud-based electronic prescribing, practice management, and electronic health records software to healthcare organizations, discovered unauthorized access to systems used by some of its customers on March 3, 2026. The forensic investigation confirmed unauthorized access between March 1, 2026, and March 3, 2026, during which time files containing patient information were potentially accessed or acquired.

Data potentially compromised in the incident include names, birth dates, contact information, patient IDs, prescription information, and Social Security numbers. RXNT has offered the affected individuals complimentary credit monitoring and identity theft protection services. While it is unclear how many individuals have been affected in total, the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 1,225 patients of Jason R Egbert OD PC.

VHC Health

VHC Health, a healthcare provider serving patients in Northern Virginia and the Washington D.C. Metro area, has been affected by a cybersecurity incident at one of its vendors. VHC Health contracted with a company called Xsolis, Inc., which provides utilization management services to healthcare organizations.

On January 22, 2026, Xsolis identified unauthorized access to parts of its environment, which resulted from a response to a phishing attempt on January 20, 2026. The incident was contained, its environment was secured, and an investigation was launched to determine the impact of the incident. The investigation confirmed that files containing names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance information were exposed.

Xsolis has implemented additional security measures to protect against similar incidents in the future, and complimentary credit monitoring and identity theft protection services have been made available. Notification letters started to be mailed to the affected individuals by Xsolis on April 23, 2026. At present, it is unclear how many VHC patients have been affected or how many individuals have been affected in total.

The post Clinical Registry Solutions; Jason R Egbert OD PC; VHC Health Announce Data Breaches appeared first on The HIPAA Journal.