Data incidents have recently been announced by Wood River Health in Rhode Island, Jack L Marcus in Wisconsin, and Avala and Primary Health Services Center in Louisiana.

Wood River Health, Rhode Island

Wood River Health, a provider of medical, dental, and social services to communities in southwestern Rhode Island and southeastern Connecticut, has recently announced a data breach that has affected 54,926 individuals. Suspicious activity was identified in an employee’s email account on or around September 6, 2024. Assisted by third-party cybersecurity experts, Wood River Health investigated the activity and confirmed that an unauthorized third party had access to the email account between August 8, 2024, and September 6, 2024, and may have viewed or acquired names and Social Security numbers.

The review of the affected account was completed on or around May 29, 2025, and notification letters were mailed to the affected individuals on or around July 28, 2025. The affected individuals have been offered 12 months of complimentary credit monitoring services, additional safeguards have been implemented to improve security, and employees have been provided with further security awareness training.

Avala, Louisiana

Avala, a Covington, LA-based physician-led health network that operates a 21-bed hospital in St. Tammany Parish, a surgery center in Metairie, and a medical imaging center in Covington, has recently announced a cybersecurity incident, discovered on May 30, 2025, that impacted its IT systems. Third-party cybersecurity experts were engaged to assist with containment and remediation and determine if patient data was exposed. No instances of identity theft or fraud have been identified; however, the investigation confirmed on July 23, 2025, that patient data had been exposed and was potentially exfiltrated from its network.

The exposed data varied from individual to individual and may have included names, addresses, birth dates, treatment information, health insurance information, and Social Security numbers. Notification letters are now being sent to the affected individuals. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Primary Health Services Center, Louisiana

Primary Health Services Center (PHSC), a Monroe, LA-based non-profit healthcare provider that operates several clinics serving the Ouachita, Morehouse, and Lincoln Parishes, has started notifying individuals affected by a recent cybersecurity incident. The nature of the incident was not detailed in the website data breach announcement, nor was the date the incident was detected.

Third-party cybersecurity professionals were engaged to investigate the incident, and the investigation and file review are ongoing. The number of affected individuals and the types of exposed data have yet to be publicly disclosed. PHSC is currently unaware of any misuse of patient information as a result of the incident and said data security policies and procedures have been enhanced to reduce the risk of similar incidents in the future.

The security breach appears to be a ransomware attack by the Inc Ransom ransomware group, which added PHSC to its dark web data leak site on December 24, 2024. Inc Ransom uploaded the stolen data on January 15, 2025, which includes user data, employee data, and financial information.

Jack L Marcus Inc.

Jack L Marcus Inc., a Milwaukee, WI-based retailer that allows orders to be placed for incarcerated individuals under an agreement with the Wisconsin Department of Corrections, has announced a data breach affecting 712 individuals. According to the substitute breach notice, a website misconfiguration allowed limited information to be displayed that should have been hidden.

Between August 15, 2024, and May 16, 2025, the name of the treatment facility where an individual was located was displayed to individuals placing orders for that individual. The facility address was masked, but the name of the treatment facility was displayed.  No other information was impermissibly disclosed. The error was identified on March 15, 2025, and was corrected the following day.  Jack L Marcus has reviewed and updated its processes and technology to prevent similar incidents in the future.

The post Wood River Health Notifies 54K Patients About August 2024 Data Breach appeared first on The HIPAA Journal.

Ransomware groups have attacked three healthcare providers: Gastroenterology Consultants of South Texas, Infinite Services in New York, and High Point Treatment Center in Massachusetts.

Gastroenterology Consultants of South Texas (Texas Digestive Specialists)

Gastroenterology Consultants of South Texas, which does business as Texas Digestive Specialists, has recently disclosed a May 2025 cybersecurity incident and data breach. According to the substitute data breach notice, an unauthorized third party gained access to its network in late May 2025 and may have obtained files containing personally identifiable information (PII) and protected health information (PHI). The Texas Attorney General was informed that the exposed information may have included names, addresses, dates of birth, medical records, and health insurance information.

The breach notification does not state when the attack was detected or for how long the hackers had access to the network. Third-party cybersecurity experts assisted with the investigation, and the lessons learned will be used to enhance the security of its IT systems. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that the PII and PHI of 41,521 Texans was exposed in the incident. The affected individuals have been offered complimentary credit monitoring services.

The breach notification letters do not mention ransomware; however, the Interlock ransomware group claimed responsibility for the attack and added the practice to its dark web data leak site. The group claims to have stolen 263 GB of data, which has been leaked online. Interlock was recently the subject of a joint alert from the FBI, CISA, HHS, and MS-ISAC following an increase in attacks on critical infrastructure entities.

Infinite Services, New York

Infinite Services, a New York-based provider of physical therapy, occupational therapy, speech therapy, and home health services, has fallen victim to a ransomware attack that exposed patient and employee data. The attack was detected on May 5, 2025, when employees were prevented from accessing the network. Third-party cybersecurity experts were engaged to investigate the incident and confirmed there was unauthorized access to one of its servers.

Ransomware was used to encrypt files, although the server was powered off, interrupting the encryption process. On June 23, 2025, Infinite Services determined that the affected server contained patient and employee information, and the decision was made to send notification letters to all potentially affected individuals, rather than wait for data mining to determine exactly which individuals had been affected.  That decision ensured that notification letters were mailed promptly.

The ransomware group was not named; however, Infinite Services said no ransom was paid, and at the time notification letters were issued, none of the stolen data had been published online. Since data may be leaked, the affected individuals should take advantage of the complimentary credit monitoring and identity theft protection services that have been offered. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals were affected or notified.

High Point Treatment Center, Massachusetts

High Point Treatment Center in New Bedford, Massachusetts, a provider of mental health and substance abuse treatment, has been added to the dark web data leak site of the Abyss ransomware group. The group claims to have exfiltrated 1.8 TB of data, although it has not listed any of the stolen data on its data leak site so far. High Point Treatment Center has yet to announce the attack or data breach.

The post Texas Gastroenterology Clinic Falls Victim to Interlock Ransomware Attack appeared first on The HIPAA Journal.

McKenzie Memorial Hospital in Michigan has reported a hacking incident affecting more than 54,000 patients. Arbor Associates in Massachusetts has reported a 17K-record data breach, and data breaches have been confirmed by Blue Shield of California and Human Development Services of Westchester.

McKenzie Memorial Hospital, Michigan

McKenzie Memorial Hospital in Sandusky, Michigan, has recently disclosed a cybersecurity incident that was detected on or around April 15, 2025, when suspicious activity was identified within its network. McKenzie Memorial did not state whether ransomware was used, only that the forensic investigation confirmed that its network was accessed by an unauthorized third party between April 14, 2025, and April 15, 2025. During that time, files containing patients’ protected health information may have been accessed.

The investigation and file review were completed on June 19, 2025, and confirmed that the potentially compromised information included names, Social Security numbers, and financial account information. The data breach was recently reported to the Maine Attorney General as affecting 54,016 individuals. Credit monitoring and identity theft protection services have been offered for 12 months, and the hospital is strengthening network security and reviewing its data security policies and procedures.

Arbor Associates, Massachusetts

Arbor Associates, a business associate that helps healthcare organizations collect patient survey analytics, has recently announced a data security incident that involved unauthorized access to patient data. Unusual network activity was detected on April 17, 2025, and independent cybersecurity experts were engaged to investigate the activity. They confirmed that there was unauthorized access to its network between April 15, 2025, and April 17, 2025, during which time files containing patient information may have been acquired.

The file review was completed in May 2025, and the affected healthcare partners were notified. Data potentially compromised in the incident includes first and last name, contact information, age, biological sex, date of birth, service date, CPT or diagnosis code, medical record number, name of insurance, and/or doctor’s name. Arbor Associates started mailing notification letters on behalf of the affected clients on July 3, 2025. The data breach was reported to the HHS’ Office for Civil Rights as a network server incident affecting 17,040 individuals.

Blue Shield of California

The health insurer Blue Shield of California (BSC) has recently notified the California Attorney General about a recent HIPAA breach. On May 22, 2025, BSC learned that a broker with Harmon Insurance Services had passed away, and the late broker’s husband had accessed her online client list after her death. He then asked a friend, who was also a broker, to assist her clients. A former employee of the late broker may also have accessed the client list and client applications between March 25, 2025, and May 22, 2025.

The access was unauthorized, and upon discovery, the login credentials were revoked to prevent further unauthorized access. No evidence was found to indicate any acquisition of members’ information. Information potentially accessed included names, member IDs, Social Security numbers, birth dates, addresses, phone numbers, group ID numbers, and Medicare numbers.

The affected individuals have been notified by mail and offered a one-year membership to an identity theft protection service. The OCR data breach portal lists the incident as affecting 1,543 individuals. A later breach report indicates that an email breach also occurred that affected 673 individuals.

Human Development Services of Westchester, New York

Human Development Services of Westchester, a provider of community-based direct-care services for vulnerable populations in New York State, has recently announced unauthorized access to its email tenant. Suspicious activity was identified within a single email account, and the forensic investigation confirmed unauthorized access between May 19, 2025, and May 20, 2025. The review of the account and attachments is ongoing, so it is not yet possible to determine the exact types of information involved or the number of affected individuals. The account likely contained employee and patient information.

Email security is currently being reviewed, and new cybersecurity tools are being assessed. The breach has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals. The total will be updated when the review concludes.

The post McKenzie Memorial Hospital Announces Data Breach Affecting 54,000 Patients appeared first on The HIPAA Journal.

While compiling data for last month’s data breach report, the HIPAA Journal identified a data breach that had previously been missed. On June 2, 2025, Cumberland County Hospital Association in Kentucky notified the HHS’ Office for Civil Rights about a hacking-related data breach that affected 36,659 individuals. Cumberland County Hospital detected the hacking incident on April 3, 2025. According to its substitute breach notice, an unauthorized third party had access to its network between February 21, 2025, and April 3, 2025. While its electronic medical record system was not accessed, files on the compromised parts of the network were discovered to include patient information, and some of those files were accessed during the attack.

The review of the files confirmed they contained demographic information (name, date of birth, address, phone number(s), email address, race, and ethnicity), along with Social Security numbers, medications, diagnoses, treatment notes, dates of service, medical record numbers, health plan numbers, and claims and billing information. Some employee data was also compromised in the attack, which may have included additional information such as driver’s license, birth certificate, background check information, W-4s and W-2s, and bank account numbers. Notification letters were mailed to the affected individuals on June 2, 2025, and credit monitoring and identity theft protection services have been offered for 12 months.

Ellis Medicine Discovers Unauthorized Access to Employee Email Account

Ellis Medicine, a Schenectady, NY-based health system serving the Capital District in New York State, has notified the Maine Attorney General about a data incident that involved unauthorized access to an employee’s email account. Suspicious activity was identified in the account, which was immediately secured. Third-party digital forensics specialists were engaged to investigate the activity and confirmed that the account was accessed “for a limited period” between January 17, 2025, through January 24, 2025, and again between March 27, 2025, through April 5, 2025.

The account was reviewed to identify the types of information potentially accessed, and that review was completed on May 14, 2025. Emails and attachments were discovered to include the personal and protected health information of 13,383 individuals. The Notification to the Maine Attorney General includes mail merge fields rather than a list of potentially compromised data, and there is currently no substitute breach notice on the Ellis Medicine website, so the types of information compromised are unknown.

Notification letters are being mailed to the affected individuals, which will state the exact types of information involved for each patient. Ellis Medicine has offered single-bureau credit monitoring, credit report, and credit score services to the affected individuals for 12 months.

The post Cumberland County Hospital Data Breach Affects Almost 37,000 Individuals appeared first on The HIPAA Journal.

Naper Grove Vision Care in Naperville, Illinois, has recently announced a cybersecurity incident that was detected on May 24, 2025. Independent cybersecurity experts were engaged to investigate unusual network activity and confirmed that an unauthorized third party accessed its network and exfiltrated files containing patient information.

The file review revealed the stolen files contained names, addresses, birth dates, driver’s license numbers, patient numbers, health insurance information, explanation of benefits documents, and medical condition and treatment information. A limited number of patients also had their Social Security numbers stolen.

Naper Grove Vision Care has advised the affected patients to monitor their account statements and credit reports closely and report any suspicious activity to law enforcement. There is no mention of complimentary credit monitoring services in the substitute data breach notice. The data breach has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals.

While ransomware was not mentioned in the notice, a ransomware group has claimed responsibility for the attack. The Interlock ransomware group has added Naper Grove Vision Care to its data leak site and claims to have stolen 214 GB of data in the attack across 32,971 folders and 656,891 files. The full data has been leaked, indicating the ransom was not paid.

Florida Lung, Asthma & Sleep Specialists Cyberattack Affects Up to 10,000 Patients

Florida Lung, Asthma & Sleep Specialists (FLASS), which has offices in Orlando, Kissimmee, Winter Garden, and Poinciana, has notified 10,000 patients about a recent data breach. Unauthorized network activity was identified on May 11, 2025, and the forensic investigation indicated that the medical records of certain patients may have been accessed.

Data potentially compromised in the incident includes patient names, birth dates, contact information, and limited medical and billing information. The investigation is ongoing, and notification letters will soon be mailed to the affected individuals. FLASS has not uncovered any evidence to suggest that any of the exposed information has been misused; however, the affected individuals have been advised to remain vigilant and monitor their medical accounts and statements for unusual activity. The affected systems have been secured, and cybersecurity experts have been engaged to review security measures and recommend areas for improvement.

The post Naper Grove Vision Care Falls Victim to Interlock Ransomware Attack appeared first on The HIPAA Journal.

A law firm that provides legal counsel and assistance to Durham County Hospital Corporation in North Carolina has experienced a data breach involving the personal and protected health information of 2,150 individuals.

Manning, Fulton & Skinner, P.A. (MFS), identified suspicious activity within its email system on February 6, 2025. An investigation was launched to determine the cause of the activity, and it was confirmed that certain MFS email accounts had been accessed by an unauthorized individual between September 19, 2024, and February 6, 2025.

Third-party data review specialists were engaged to review the affected accounts and completed the review on May 14, 2025. Durham County Hospital Corporation was notified about the data breach on May 29, 2025, and provided MFS with the necessary information for mailing notifications on July 14, 2025. The law firm has implemented additional email security measures and has offered the affected individuals 12 months of complimentary credit monitoring and identity theft protection services.

The Brien Center for Mental Health and Substance Abuse Services Announces May 2025 Hacking Incident

The Brien Center for Mental Health and Substance Abuse Services in Pittsfield, Massachusetts, has notified state attorneys general about a recent security incident involving unauthorized access to patient information.  The intrusion was identified on May 21, 2025, and third-party cybersecurity specialists were engaged to investigate the incident. The Brien Center learned there was unauthorized network access between May 19, 2025, and May 21, 2025, during which time files containing patient information may have been copied from the network.

The file review confirmed that the data potentially compromised in the incident included names, dates of birth, addresses, phone numbers, email addresses, client IDs, dates and times of recent visits, and clinical diagnostic information. Credit monitoring and identity restoration services have been offered to the affected individuals. Currently, there is no breach report on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Business Associate Data Breach Affects Duke Regional Hospital Patients appeared first on The HIPAA Journal.

Complete Care Rehab, a small physical therapy practice in East Pointe, Michigan, has been targeted by cybercriminals who gained access to its network and potentially viewed or acquired patient information. Suspicious activity was identified within its IT environment on or around May 11, 2025. Third-party cybersecurity experts were engaged to investigate the activity, and the forensic investigation confirmed that patient data was exposed and potentially stolen, including names, phone numbers, addresses, email addresses, dates of birth, diagnoses, treatment information, dates of service, and health insurance information may have been compromised. For a limited number of patients, Social Security numbers were also involved.

It is unclear from the substitute data breach notice whether ransomware was used in the attack. Data had to be restored from backups, but the restoration process failed, and all patient information was lost. Since it was not possible to determine exactly which patients were affected, the decision was taken to send notification letters to all 4,764 current and former patients.

Notification letters were mailed to the affected individuals on July 2, 2025. Complete Care Rehab said it is reviewing and enhancing its existing policies and procedures related to data privacy and security to prevent similar incidents in the future. The incident demonstrates the importance of testing backups to ensure that file recovery is possible.

Susan B. Allen Memorial Hospital Investigating Potential Cyberattack

Susan B. Allen Memorial Hospital in El Dorado, Kansas, is investigating a cybersecurity incident after receiving complaints from patients who were unable to access its online appointment scheduling system. The investigation identified anomalous activity within its network, which resulted in a system outage. Third-party cybersecurity experts have been engaged to assist with the investigation and support its recovery efforts. At such an early stage of the investigation, it has yet to be determined if patient information has been exposed or stolen. A spokesperson for the hospital confirmed that patients will be notified if their data has been exposed or stolen.

The post Small Michigan Physical Therapy Practice Reports Loss of Patient Data Due to Cyberattack appeared first on The HIPAA Journal.

A ransomware attack on Sensata Technologies involved the theft of health and wellness plan data. A former Evoke Wellness employee has been accused of stealing patient data for identity theft, and limited PHI has been impermissibly disclosed due to mailing errors at Blue Shield of California and AffirmedRx PBC.

Sensata Technologies Hit with Ransomware Attack

Sensata Technologies, Inc., a leading industrial technology firm that makes sensor and control solutions, has been hit with a ransomware attack. The attack was identified on April 6, 2025, when files were encrypted on its network. Sensata implemented its response protocols to contain the incident, and an investigation was launched with assistance provided by a third-party cybersecurity firm. Law enforcement was also notified about the attack.

The forensic investigation confirmed that the ransomware group had access to its network between March 28, 2025, and April 6, 2025, during which time files were accessed and copied from its network. Over the past two months, Sensata reviewed the affected files and has confirmed that they contained the personal and protected health information of 15,630 members of the company’s Health and Welfare Benefit Plan.

In addition to names and addresses, one or more of the following data types were involved: date of birth, Social Security number, tax identification number, driver’s license number or state-issued identification card number, passport number, other government-issued identification number, financial account information, payment card information, medical information, and/or health insurance information. Individual notification letters have been mailed, and complimentary credit and identity monitoring have been offered to the affected individuals. Sensata has confirmed that it is taking steps to enhance security.

Former Evoke Wellness Employee Accused of PHI Theft, Identity Theft, And Fraud

A former employee of an Evoke Wellness addiction treatment center in Hilliard, Ohio, has been accused of stealing patients’ protected health information for identity theft and fraud. A police investigation was launched after police conducted a vehicle stop and found four fraudulent IDs and twenty-four pre-paid cards in the man’s possession. The man was employed by Evoke Wellness between November 2021 and July 2024, and allegedly accessed patient data and obtained names, contact information, dates of birth, and Social Security numbers without authorization. Evoke Wellness was unaware of the data theft until notified by law enforcement, and launched an internal investigation and confirmed the unauthorized access.

So far, the police investigation has identified 240 victims, although the actual number could be much higher. The man has also been accused of selling stolen data on the dark web to individuals who used the information to fraudulently obtain funds and rack up credit card charges in the victims’ names. Evoke Wellness has not yet listed the breach on its website, and there is no breach report on the HHS’ Office for Civil Rights breach portal. That said, media notices are only required for breaches affecting 500 or more individuals, and OCR does not list data breaches affecting fewer than 500 individuals on its data breach portal.

Blue Shield of California Data Merge Error Results in Impermissible PHI Disclosure

The health plan provider, Blue Shield of California (BSC), has notified 1,543 individuals about an impermissible disclosure of their protected health information. On April 4, 2025, BSC discovered that an incorrect data merge resulted in certain BSC members’ data being added to other members’ data, which could be viewed in the Member Health Record feature on its member portal.

An investigation was launched, which confirmed that the error involved an identifying key being assigned to two or more different individuals, even though they had different names, dates of birth, and Social Security numbers. The mail merge occurred on June 27, 2024, and was identified on April 4, 2025, when the data was immediately suppressed.

The data potentially viewed by other members was limited to member visit information, visit dates, medications, immunization records, lab results, diagnoses, and health conditions. The merged information did not involve another member’s name, date of birth, Subscriber identification number, address, phone number, email address, or highly sensitive information such as their Social Security number, driver’s license number, or financial information. Out of an abundance of caution, BSC has offered the affected individuals complimentary access to the Experian IdentityWorks identity theft protection service for 12 months.

AffirmedRx PBC Mailing Error Results in PHI Disclosure

AffirmedRx PBC, a Louisville, Kentucky-based pharmacy benefits management company, has notified 1,089 members about an impermissible disclosure of some of their protected health information. On May 16, 2025, AffirmedRx PBC identified an error with a mailing involving letters sent on May 14, 2025. The letters advised the recipient about a change in medication information.

The error resulted in a mismatch of names and addresses on the envelopes. The letters included an individual’s name and medication information only, and in each instance, were sent to the address of one other member. AffirmedRx PBC has advised anyone receiving a letter from AffirmedRx PBC dated May 14, 2025, to disregard the information in the letter and to destroy that letter, and if not yet opened, to mail the letter after clearly adding “return to sender” to the envelope.

AffirmedRx PBC has implemented additional safeguards to prevent similar incidents in the future and has provided additional training to appropriate personnel to reinforce its privacy protocols.

The post PHI Stolen in Sensata Technologies Ransomware Attack appeared first on The HIPAA Journal.