Senate Finance Committee Ranking Member Ron Wyden (D-OR) and Senate Banking Committee Ranking Member Elizabeth Warren (D-MA) have demanded answers from UnitedHealth Group about the alleged aggressive tactics being used to recover the funds lent to healthcare providers following the ransomware attack on Change Healthcare last year.

Change Healthcare fell victim to a ransomware attack in February 2024, causing a prolonged outage of Change Healthcare’s systems, which handled approximately 45% of all healthcare transactions at the time of the attack. Providers were reliant on those systems for obtaining authorization and payment from health insurers, and the outage caused severe payment and reimbursement problems, with providers having to cover the costs of treatment, tests, vaccinations, and even prescriptions. Patients also faced disruptions, especially those unable to afford to pay for their medications without copay assistance.

UnitedHealth Group, through its industrial bank subsidiary Optum Financial, established a temporary funding assistance program, which provided interest-free loans to hospitals and medical practices experiencing financial difficulties due to the outage. More than $9 billion in loans were paid to struggling providers. Systems were brought back online after several months; however, the financial difficulties have continued for many providers, who are now having to repay the loans. There have been multiple reports that UnitedHealth Group has been adopting aggressive tactics to recover funds, including withholding payments or health insurance claims through its insurance subsidiary UnitedHealthcare.

“These reports are particularly troubling because they underscore the extraordinary market power of United’s massive, vertically-integrated conglomerate: the problem was caused by a breach of United’s payment clearinghouse, Change; the loans were offered by United’s industrial bank, Optum Financial; and now the company is using its insurance arm as a collection tool,” explained the senators in the August 27, 2025 letter to UnitedHealth Group CEO, Stephen J. Hemsley, and Optum Financial CEO, Dhivya Suryadevara.

UnitedHealth Group has been accused of using loan shark tactics to recover the loans, including refusing to negotiate payment plans. Providers have claimed they were told to immediately repay the loans in full, which in some cases runs to hundreds of thousands of dollars. Some have been threatened with withholding all current claims payments if the debt is not repaid within five business days, and funds will be withheld until the debt is repaid in full. Further, claims have allegedly been rejected for failing to meet the filing deadline from the period after the cyberattack, when Change Healthcare’s systems were offline.

UnitedHealth had previously told the Senate Committee on Banking, Housing, and Urban Affairs and the Senate Committee on Finance that loan recipients were given 45 days to repay the loans, and UnitedHealth Group contacted each multiple times during those 45 days. If no response was received after the 45-day period, providers were contacted and told to pay within five business days. Then, if no response is received, claims will be offset and moved into recoupment. If providers cannot repay within that time frame, UnitedHealth Group suggested that they would work out a mutually agreeable repayment plan.

The senators have demanded answers from UnitedHealth Group and Optum Financial on the loan repayment process and have requested answers to the following questions by September 12, 2025.

1. Provide data indicating the total number of loans lent to providers from March 2024 to present.
2. Provide documents detailing the process and criteria that Optum Financial used to distribute funds to providers who were adversely impacted by the February 2024 attack.
3. Provide documents detailing Optum Financial’s repayment process.
4. Provide a copy of any and all written agreements that were given to providers when they accepted funds.
5. Provide any and all copies of express repayment plans that Optum Financial offers to health care providers who accepted funds.
6. Provide documents detailing redress options that Optum Financial makes available to providers who are unable to repay funds within 45 days of initial notification.
7. Does Optum Financial plan to outsource collection efforts to a third-party?
8. Provide documents related to any intercompany loans that were made to Optum Financial, if applicable.
9. Did United Health or Optum Financial solicit or use third-party financing for the purposes of making either loans to providers or intercompany loans? If yes, provide details.

The post Senators Demand Answers from UHG on Aggressive Loan Repayment Tactics Following Cyberattack appeared first on The HIPAA Journal.

Absolute Dental, a Nevada dental practice with over 50 locations in Las Vegas, Carson City, Reno, Sparks, and Minden, has completed its investigation of a February 2025 cyberattack and has confirmed that more than 1.2 million individuals had some of their personal and protected health information exposed.

Absolute Dental reported the data breach to the HHS’ Office for Civil Rights in May 2025 using a placeholder figure of 501 affected individuals. At the time, it was unclear how many individuals had been affected. While the breach portal has not yet been updated with the new total, the Oregon Attorney General was informed that 1,223,635 individuals have been affected.

Absolute Dental explained in its substitute breach notice that an issue was identified within its information systems on February 26, 2025. Steps were taken to secure its systems and investigate the nature and scope of the activity. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that an unauthorized third party had access to its network between February 26, 2025, and March 5, 2025.

The file review was completed on July 28, 2025, when it was confirmed that sensitive personal data was exposed and potentially stolen. The affected individuals had their name exposed along with one or more of the following: contact information, date of birth, Social Security number, driver’s license or state-issued ID information, passport or other governmental ID information, and health information. Health information may have included health history, diagnosis/treatment information, explanation of benefits, health insurance information, and/or MRN number or patient identification number. A small subset of the affected individuals also had their financial account and/or payment card information exposed.

Absolute Dental said the third-party forensic investigation revealed that initial access to its network occurred via the execution of a malicious version of a legitimate software tool through an account associated with its managed services provider. Absolute Dental did not state which legitimate software tool was involved. The description suggests that a threat actor breached the network of its managed services provider, then either tricked an Absolute Dental employee into executing a malicious version of the software tool or the threat actor abused the privileged access of the managed services provider to install the tool, thus providing access to Absolute Dental’s information systems.

Absolute Dental has reported the data breach to regulators, notified law enforcement, and has implemented additional safeguards and technical security measures to prevent similar incidents in the future. Notification letters are being mailed to the affected individuals who have been offered two years of complimentary credit monitoring services.

The post Absolute Dental Confirmed Data Breach Affecting Over 1.2 Million Individuals appeared first on The HIPAA Journal.

On Friday last week, University of Iowa Health Care and its affiliated UI Community HomeCare, a home infusion and medical equipment service provider, announced a hacking incident that was identified on July 3, 2025.

Immediate action was taken to contain the threat, and its systems were safely restored within one business day. Third-party cybersecurity experts were engaged to conduct a forensic investigation to determine the nature and scope of the unauthorized activity, and it was confirmed that a cybercriminal hacker had access to the UI Community HomeCare network on July 3, 2025.

While the networks of University of Iowa Health Care and affiliated UI Community HomeCare are separate, both entities share some patients, employees, and data files. Some of those data files were exfiltrated by the hacker, although the investigation confirmed that there was no unauthorized access to its electronic medical record system.

The review of the affected data revealed that the files contained the personal and protected health information of approximately 211,000 individuals. Notification letters were mailed to those individuals last week. Information compromised in the incident varies from individual to individual and may include an individual’s name in combination with some or all of the following: address, phone number, date of birth, provider name, medical record number, visit type, date(s) of service, insurance information, and Social Security number.

At the time of issuing the notification letters, no evidence of misuse of any of the affected information had been identified; however, the affected individuals have been encouraged to closely monitor their account statements, credit reports, and explanation of benefits statements, and should report any suspicious activity.

UI Health Care and Health Care and UI Community HomeCare said several steps have been taken to improve security and prevent similar incidents in the future, and monitoring for unauthorized access to its computer systems has been enhanced.

The post UI Community HomeCare Hacking Incident Affects 211,000 Patients appeared first on The HIPAA Journal.

Family Counseling Services of the Finger Lakes in New York and the Cancer Care Center of North Florida have confirmed that patient data was compromised in recent hacking incidents.

Family Counseling Services of the Finger Lakes

Family Counseling Services of the Finger Lakes in New York has discovered unauthorized access to its email environment. Suspicious activity was identified on or around February 4, 2025, and the forensic investigation confirmed that a limited number of email accounts had been accessed by an unauthorized third party between January 14, 2025, and February 4, 2025.

The email accounts were immediately secured, and a review was conducted to determine the extent of data exposure. The file review was completed on June 30, 2025, and confirmed that the exposed data included full names, in combination with one or more of the following: date of birth, Social Security number, driver’s license number, bank account number, medical information, and health insurance information.

Family Counseling Service is unaware of any misuse of the exposed data; however, the affected individuals have been advised to remain vigilant against identity theft and fraud. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Cancer Care Center of North Florida

Cancer Care Center of North Florida has been affected by two security incidents, one involving unauthorized access to email accounts and a network server hacking incident. Both incidents involved the Integrated Oncology Network (ION).

As previously reported by the HIPAA Journal, the phishing incident affected multiple ION members. Between December 13, 2024, and December 16, 2024, an unauthorized third party gained access to certain emails and SharePoint files. The files contained names, addresses, dates of birth, financial account information, diagnosis, lab results, medication, treatment information, health insurance and claims information, provider names, and/or dates of treatment, and for a limited number of individuals, their Social Security numbers. Cancer Care Center of North Florida notified the HHS’ Office for Civil Rights that 976 patients of its Lake Butler location were affected.

The hacking incident involved unauthorized access to certain ION systems between March 31, 2025, and April 10, 2025.  ION discovered the intrusion on April 11, 2025, and said only limited systems were affected. The review of the affected files is ongoing, but it has been confirmed that the compromised information includes names, address, date of birth, medical record number, diagnoses/conditions, diagnostic imaging, diagnostic test results, lab results, medications, treatment information, health insurance information, provider names, dates of treatment, driver’s license numbers, and/or financial account information.

The breach has affected multiple ION practices, which were notified between July 11, 2025, and August 6, 2025. Cancer Care Center of North Florida has confirmed that 1,789 of its patients were affected.

The post New York Counseling Provider and Florida Cancer Center Announce Data Breaches appeared first on The HIPAA Journal.

Data breaches have recently been announced by Black Hills Regional Eye Institute in South Dakota and the Children’s Center of Hamden in New York.

Black Hills Regional Eye Institute

The Black Hills Regional Eye Institute in Rapid City, South Dakota, has fallen victim to a cyberattack that was identified on or around January 8, 2025. Systems were rapidly taken offline to prevent further unauthorized access and to contain the incident, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed on or around February 7, 2025, that patient information had been accessed and acquired by the threat actor, who had access to certain systems from January 4, 2025, to January 8, 2025.

A comprehensive file review was conducted to determine the individuals affected and the types of data involved, which concluded on July 30, 2025. Black Hills Regional Eye Institute determined that the compromised data included patients’ first and last names in combination with one or more of the following: date of birth, Social Security number, driver’s license number, diagnoses, treatment information, medical history, medical record number, medications, provider name, surgical information, insurance information, and/or credit card information.

While sensitive data was acquired, Black Hills Regional Eye Institute has not found any evidence to indicate any misuse of that information. All staff and patients affected by the incident have been advised to remain vigilant against identity theft and fraud, and individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. Regulators have been notified, although the incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The Children’s Center of Hamden

The Children’s Center of Hamden (TCCOH), a nonprofit behavioral health organization in Connecticut, has notified more than 5,000 individuals about the exposure of some of their personal and health information. Potential unauthorized activity was identified within its computer network on December 28, 2024. Assisted by third-party cybersecurity experts, TCCOH confirmed that files containing patient information had been exposed and were potentially acquired by the attackers.

The file review was completed on June 29, 2025, and it was confirmed that employee and client data were compromised in the incident, including first and last names, Social Security numbers, and protected health information. Notification letters were mailed to the affected individuals on August 28, 2025. The incident is not yet shown on the HHS’ Office for Civil Rights portal; however, the Maine Attorney General was informed that 5,213 individuals have been affected.  Complimentary credit monitoring services are being offered for 12 months.

The post Data Breaches Announced by The Black Hills Regional Eye Institute & The Children’s Center of Hamden appeared first on The HIPAA Journal.

Vital Imaging Medical Diagnostic Centers in Florida has disclosed a February 2025 hacking incident involving unauthorized access and potential acquisition of patient data. The HHS’ Office for Civil Rights has been informed that the protected health information of up to 260,000 patients was compromised in the incident.

In its August 22, 2025, substitute data breach notice, Vital Imaging explained that the intrusion was discovered on February 13, 2025. Cybersecurity experts were engaged to investigate the activity, and the investigation is ongoing. Vital Imaging said there is a reasonable belief that personally identifiable information and protected health information were accessed and acquired by the attackers.

An independent data mining team was retained to assist with the investigation and review the files on the compromised parts of its network to determine the individuals affected and the types of data involved, and has confirmed that medical information, insurance information, and demographic information were compromised, including names, dates of birth, and contact information was involved.

Notification letters will be mailed to the affected individuals when the file review is concluded. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their credit reports, financial account statements, and explanation of benefits statements.

ESHYFT

Security researcher Jeremiah Fowler has identified an exposed database linked to ESHYFT, a provider of a platform that allows nurses to find available per diem shifts at long-term care facilities across the country. The 100 GB database could be accessed without authorization and contained 86,341 records, including sensitive data such as names, IDs, medical reports, profile information, facial images, work schedule logs, professional certificates, work assignment information, CVs/resumes, and other information.

Fowler was unable to determine if the database was maintained by ESHYFT or a third-party service provider, nor how long the database was exposed online, or if it was accessed by any unauthorized individuals. The exposed database was reported to ESHYFT and was secured around a month later. Since ESHYFT works with nurses rather than patients, it is unlikely to be a HIPAA-covered entity, and its website does not include a Notice of Privacy Practices, further indicating the data was not HIPAA-protected.

The post Florida Medical Imaging Provider Notifies 260,000 Patients About February Data Breach appeared first on The HIPAA Journal.

A bipartisan pair of senators has written to Aflac Chairman and CEO Daniel P. Amos seeking further information about a recently disclosed cyberattack and data breach. Sen. Bill Cassidy (R-La.), chairman of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Margaret Wood Hassan (D-N.H.), are requesting greater transparency about the incident.

Aflac disclosed the incident on June 12, 2025, in a filing with the U.S. Securities and Exchange Commission (SEC), and subsequently issued a press release confirming that customers’ personal and protected health information was compromised in the incident. The senators have requested further information about the incident, including the security measures in place prior to the cyberattack, how cybersecurity best practices implemented by other critical infrastructure sectors have been incorporated at Aflac, which federal agencies were notified about the incident, and when those notifications were issued.

Aflac has stated that claims and health information were compromised in the incident. The senators want to know what steps have been taken to identify the information that was compromised, when the steps to identify the affected information will be finalized, how Aflac is proactively communicating with the individuals potentially affected by the incident, and what steps have been taken or will be taken in response to the cyberattack to improve its security protocols.

The senators also want to know what additional reporting, beyond the requirements of the Health Insurance Portability and Accountability Act, Aflac commits to doing for individuals whose information was impermissibly disclosed in the incident. Aflac has been given until September 5, 2025, to respond and provide answers to the questions.

June 23, 2025: Aflac Latest Insurer to Suffer Cyberattack and Data Breach

The Columbus, Georgia-based insurance giant Aflac has recently announced that it has fallen victim to a cyberattack. Aflac is the largest provider of supplemental insurance in the United States and claims to provide financial protection for more than 50 million people worldwide.

Aflac disclosed the cyberattack in a June 12, 2025, filing with the U.S. Securities and Exchange Commission (SEC), explaining it had initiated its cybersecurity incident response protocols and contained the intrusion within hours. The attack did not affect business operations, and it has continued to underwrite policies, review claims, and otherwise service customers as usual.

Aflac has engaged the services of leading cybersecurity experts to support its own breach response efforts, and the investigation into the attack is ongoing. Aflac said ransomware was not deployed in the incident; however, data does appear to have been exposed. A review of the potentially exposed files is underway. At this early stage of the file review, it is not possible to determine how many individuals have been affected.

Aflac said the exposed data likely includes names, claims information, health information, Social Security numbers, and other personal information related to customers, beneficiaries, employees, agents, and other individuals in its U.S. business. Complimentary credit monitoring and identity theft protection services will be offered to the affected individuals, and regulators will be notified about the extent of the data breach. “This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group,” explained Aflac in a press release about the cybersecurity incident. “This was part of a cybercrime campaign against the insurance industry.” The data breach was reported to the HHS’ Office for Civil Rights on August 8, 2025, although a placeholder figure of 500 was used for the number of affected individuals. That figure will be updated when the file review is completed and all affected individuals have been identified.

The cybercrime campaign has involved attacks on other large insurers in the United States, including the Pennsylvania-based insurers Erie Insurance Group and Philadelphia Insurance Companies. Similar to the Aflac attack, these two incidents did not involve file encryption, only data theft. There has been no attribution so far, although the timing of these attacks suggests a single threat actor is behind all three incidents.

The likely culprit is a threat group known as Scattered Spider, which is known to target large companies in one sector at a time. Recently, Scattered Spider has targeted the retail sector, with its attacks including the UK retailers Marks & Spencer, Co-op, and the Harrods luxury department store, and U.S. attacks on Victoria’s Secret and United Natural Foods, which supplies the Amazon-owned grocery chain Whole Foods.

Researchers at the Google Threat Intelligence Group issued a warning early last week that the group has pivoted to the insurance industry, and ReliaQuest warned that the group is targeting IT service providers and Managed Service providers to attack their downstream clients. Google Threat Intelligence Group researchers recently confirmed that the recent attacks on the insurance sector show the hallmarks of a targeted Scattered Spider campaign.

Scattered Spider typically breaches company networks and deploys ransomware after data exfiltration, but ransomware was not deployed in these attacks. It is possible that the attacks were detected and blocked before ransomware was deployed, but the group may have simply changed tactics, focusing on data theft and extortion alone. While the perpetrator has yet to be confirmed, it is clear that the insurance industry is being targeted. All insurers should remain on high alert as there could well be further attempted cyberattacks on the sector.

The post Senators Demand Answers from Aflac About June 2025 Cyberattack appeared first on The HIPAA Journal.

Data breaches have recently been confirmed by Legacy Treatment Services/Community Treatment Solutions in New Jersey, Washington Gastroenterology, Woodlawn Hospital in Indiana, and Children’s Home & Aid (Brightpoint) in Illinois.

Legacy Treatment Services

Legacy Treatment Services, a New Jersey provider of behavioral health and addiction treatment services, has notified the Maine Attorney General about an October 2024 cybersecurity incident involving the personal and protected health information of 41,826 individuals. Some of the affected individuals had received services from Community Treatment Solutions (CTS) in Moorestown, New Jersey.

The incident was identified on or around October 11, 2024, when connectivity to its network was disrupted. The forensic investigation confirmed unauthorized access to its network between October 6, 2024, and October 11, 2024. A file review was initiated, and on July 18, 2025, confirmation was received that employee and patient data were accessed and acquired in the incident.

The data involved varied from individual to individual and included first and last names along with one or more of the following: addresses, phone numbers, email addresses, Social Security numbers, birth dates, driver’s license numbers/state ID numbers, passport numbers, financial account numbers, routing numbers, bank names, credit/debit card numbers/CVV/expiration dates/PIN or security codes, login information, diagnoses, clinical information, treatment/procedure Information, treatment types/locations, treatment cost information, doctors’ names, medical record numbers, patient account numbers, health insurance information, prescription information, and/or biometric information.

While no evidence has been found to indicate any misuse of that information, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Washington Gastroenterology

Washington Gastroenterology has recently started notifying patients about a cybersecurity incident detected on or around March 10, 2025. The exact nature of the incident was not disclosed in its substitute breach notice, only that certain data was accessed by an unknown third party. The affected data was reviewed, and it was confirmed that the breach was limited to a legacy system, which contained names, Social Security numbers, and medical information. No current networks or affiliate systems were involved.

Individual notification letters started to be mailed to the affected individuals on May 23, 2025; however, it later emerged that further individuals were affected, and notification letters are now being mailed to those individuals. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals. The data breach has been reported to regulators, but the incident is not currently shown on the OCR data breach portal or the Washington Attorney General website, so it is currently unclear how many individuals have been affected.

Woodlawn Hospital

Woodlawn Hospital in Rochester, Indiana, has identified unauthorized access to its computer network. The intrusion was identified on June 30, 2025, and the forensic investigation confirmed unauthorized access between June 25, 2025, and June 30, 2025. During that time, files containing patient data were copied from its network.

The files are currently being reviewed, but it has been confirmed that they contain names, addresses, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, medical information, and health insurance information. Notification letters will be mailed to the affected individuals when the file review is concluded. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Children’s Home & Aid (Brightpoint)

Children’s Home & Aid, doing business as Brightpoint in Illinois, has identified unauthorized access to an employee’s email account. The security incident was detected on or around February 27, 2025, and the forensic investigation confirmed unauthorized access to the account between January 12, 2025, and February 27, 2025. Following a programmatic and manual review of the account, it was determined on June 16, 2025, that the account contained the personal and protected health information of 1,051 individuals.

The data involved varied from individual to individual and may have included names, Social Security numbers, driver’s license numbers/ government-issued identification numbers, financial account information, health insurance information, and/or medical information.  Brightpoint has reviewed its security policies and procedures and has taken steps to reduce the risk of similar incidents in the future.

The post Legacy Treatment Services Data Breach Affects 42,000 Individuals appeared first on The HIPAA Journal.

Healthcare Services Group, Inc. (HSG), a Bensalem, PA-based provider of environmental, dining, and nutritional support services to healthcare facilities, has recently notified the Maine Attorney General about a major data breach involving unauthorized access to systems containing the personal and protected health information of 624,496 individuals, including 3,871 Maine residents.

HCSG provides its services to more than 3,000 healthcare facilities in 48 U.S. states and employs more than 45,000 individuals. HSG first disclosed the security incident on October 16, 2024, in a FORM 8-K filing with the U.S. Securities and Exchange Commission (SEC), explaining that a cybersecurity incident was identified on October 9, 2024, when unauthorized activity was identified within some of its systems.

HSG initiated its cybersecurity incident response process, and an investigation was launched to determine the cause of the activity, with assistance provided by third-party cybersecurity specialists. At the time, the full nature of the incident was unknown, although it was not expected to have a material impact on its financial condition or the results of operations. The breach report indicates initial access to its network occurred on September 27, 2024, twelve days before the intrusion was detected. HSG has been reviewing the exposed files and determined on June 3, 2025, that personal and protected health information was potentially stolen.

Notification letters started to be mailed to the affected individuals on August 25, 2025, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, in Maine at least. While the Maine Attorney General has published a copy of the breach notification letter, a website error means it is not currently viewable, and there is currently no substitute breach notice on the HSG website, so the types of information exposed in the incident and the nature of the cyberattack are currently unknown.

This post will be updated when further information becomes available.

The post Healthcare Services Group Confirms 624,500 Individuals Affected by Data Breach appeared first on The HIPAA Journal.