HIPAA Breach News

2025 Healthcare Data Breach Report

Posted by Steve Alder

More than 700 healthcare data breaches affecting 500 or more individuals are being reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) each year. While that unwelcome trend didn’t change in 2025, there was a year-over-year reduction in healthcare data breaches. Based on the current data downloaded from OCR, data breaches have fallen by 4.3% year-over-year.

While that could signal a turn in the tide, it is perhaps a little early to draw such conclusions, as data breaches from 2025 are still being added to the OCR breach portal. When we compiled our 2024 healthcare data breach report in January 2025, 725 large healthcare data breaches were listed on the OCR breach portal. That total increased to 742 data breaches over the following few months. While a similar number of late additions would still mean an annual decrease in data breaches, there was a 43-day shutdown of the federal government in late 2025 due to the failure of Congress to pass appropriations legislation. During that period, no data breaches were added to the OCR breach portal. The late additions in 2026 could therefore be considerably higher than in previous years.

What is clear is that the large annual increases in data breaches between 2018 and 2021 appear to have come to an end, with data breaches plateauing in the 700 to 750 range, which is around two large healthcare data breaches a day – twice the rate in 2018.

Healthcare data breaches 2021-2025

While data breaches are only down slightly, there has been a massive reduction in the number of individuals affected by healthcare data breaches. In 2024, a new record was set for breached healthcare records, with 289,162,330 individuals having their protected health information exposed or impermissibly disclosed in 2024. In 2025, at least 61,556,256 individuals had their protected health information exposed or impermissibly disclosed, a 78.7% percentage decrease from 2024. Even if the 192,700,000 individuals affected by the Change Healthcare ransomware attack in 2024 are discounted entirely, last year’s would still be significantly down year-over-year, largely due to a fall in the number of mega data breaches affecting more than 1 million individuals. In 2024, there were 18 of these mega breaches, but only 9 mega breaches were reported in 2025.  The average data breach size fell from 389,707 individuals (median: 6,702 individuals) in 2024 to 86,699 individuals (median: 4,011 individuals) in 2025.

Individuals affected by healthcare data breaches 2021-2025

The Biggest Healthcare Data Breaches of 2025

The table below shows the top 20 healthcare data breaches of 2025, the biggest of which was a hacking incident at the insurance company Aflac, which affected more than 22.6 million individuals globally and involved unauthorized access to the protected health information of almost 14 million individuals in the United States. While the nature of the attack was not disclosed, the cyberattack is thought to be the work of the Scattered Spider hacking group, a financially-motivated English-speaking hacking group whose members are primarily located in the United States and the United Kingdom.

While most of the top 20 data breaches were hacking incidents, the data breach at Blue Shield of California involved the use of tracking tools on its website, which may have disclosed personal information and, in some cases, protected health information to third parties such as Meta Platforms and Google. The data breach at Serviceaide involved an improperly secured database, which could be freely accessed via the internet without any authentication, and two of the top 20 data breaches of 2025 involved compromised email accounts: Numotion and Onsite Mammography.

The table below could change over the coming few months as many investigations of 2025 healthcare data breaches have not yet concluded. For instance, the data breach at Covenant Health was reported to OCR as affecting just 7,864 individuals, but in January 2025, the Maine Attorney General was informed that 478,188 individuals were affected. The OCR data breach portal has yet to be updated with the new total.  Further, the OCR breach portal currently lists 64 data breaches with totals of 500 or 501 affected individuals – placeholder figures commonly used when data reviews have yet to conclude.

Rank Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach
1 Aflac Incorporated (“Aflac”) GA Health Plan 13,924,906 Hacking incident
2 Yale New Haven Health System CT Healthcare Provider 5,556,702 Hacking incident
3 Episource, LLC CA Business Associate 5,418,866 Hacking incident
4 Blue Shield of California CA Business Associate 4,700,000 PHI disclosure due to website tracking tools
5 DaVita Inc. CO Healthcare Provider 2,689,826 Ransomware attack
6 Anne Arundel Dermatology MD Healthcare Provider 1,905,000 Hacking incident
7 Radiology Associates of Richmond, Inc. VA Healthcare Provider 1,419,091 Hacking incident
8 Southeast Series of Lockton Companies, LLC (Lockton) GA Business Associate 1,124,727 Hacking incident
9 Community Health Center, Inc. CT Healthcare Provider 1,060,936 Hacking incident
10 Frederick Health MD Healthcare Provider 934,326 Ransomware attack
11 McLaren Health Care MI Healthcare Provider 743,131 Ransomware attack
12 Medusind Inc. FL Business Associate 701,475 Hacking incident
13 Kelly & Associates Insurance Group, Inc. MD Business Associate 553,332 Hacking incident
14 Decisely Insurance Services, LLC GA Business Associate 537,603 Hacking incident
15 United Seating and Mobility, LLC d/b/a Numotion TN Healthcare Provider 529,004 Phishing attack
16 Serviceaide, Inc. CA Business Associate 483,126 Database exposed on the internet
17 Goshen Medical Center NC Healthcare Provider 456,385 Hacking incident
18 Ascension Health MO Healthcare Provider 437,329 Hacking incident at a business associate
19 Northwest Radiologists, Inc./Mount Baker Imaging WA Healthcare Provider 362,713 Hacking incident
20 Onsite Mammography MA Business Associate 357,265 Compromised email account

 

2025 Healthcare Data Breaches
Data Breach Size Number of breaches
10,000,000+ 1
1,000,000 – 9,999,999 8
500,000 – 999,999 6
100,000 – 499,000 64
10,000 – 99,999 176
1,000 – 9,999 309
500 – 999 146
Total 710

Average size of healthcare data breaches 2009-2025

Median size of healthcare data breaches 2009-2025

2025 Healthcare Data Breach Causes

Hacking and other IT incidents continue to dominate the breach reports. The majority of these incidents are hacking incidents, as has been the case for many years. There has been a growing trend in recent years of entities suffering data breaches failing to disclose the root cause of the data breach, such as if a hacking incident involved data theft, extortion, malware, or ransomware. The Identity Theft Resource Center reports that this is a problem across all industry sectors, not just healthcare.

Causes of 2025 healthcare data breaches

The problem with the lack of information in breach notices is that individuals are not given sufficient information to make an accurate determination about the level of risk they face. Most ransomware attacks involve data theft and extortion. If the ransom is not paid, the stolen data is leaked on the dark web or sold. According to the cybersecurity firm Black Fog, 96% of ransomware attacks involve data theft, and the ransomware remediation firm Coveware reports that in Q4, 2025, only 20% of ransomware victims paid the ransom. Those figures suggest that 76.8% of ransomware attacks result in data being leaked. If the breach victims are told that ransomware was involved, their data will likely be leaked, and it would be prudent to take steps to prevent data misuse. If they are only told that their data has been exposed, they may incorrectly assume that they do not face a high risk of data misuse and may choose to take no action.

Black Fog reports that ransomware attacks reached record levels in 2025, with 1,174 confirmed attacks across all industry sectors, and healthcare was the worst affected sector, accounting for 22% of attacks. There has also been a growing trend of data theft and extortion, with threat actors skipping file encryption. The PEAR threat group emerged in 2025 and only engages in data theft and extortion. The group claimed many healthcare victims in 2025. Other common IT incidents in 2025 include improperly secured databases, which exposed healthcare data via the internet, and phishing attacks that resulted in unauthorized access to email accounts.

Hacking incidents at HIPAA-regulated entities 2021-2025

Individuals affected by Hacking incidents at HIPAA-regulated entities 2021-2025

Hacking and other IT incidents tend to affect more individuals than other types of breaches. In 2025, these incidents affected an average of 105,623 individuals (median: 5,434 individuals), compared to an average of 9,909 individuals (median: 1,662 individuals) for unauthorized access/disclosure incidents, and an average of 4,402 individuals (median: 1,690 individuals) for loss/theft incidents.

While there were small decreases in hacking/IT incidents, loss/theft incidents, and improper disposal incidents year-over-year, there was a 17.4% increase in unauthorized access/disclosure incidents. These incidents include data theft by malicious insiders and inadvertent data exposures due to carelessness by employees. Staff HIPAA training can go a long way toward reducing these types of breaches. Making all staff members aware of their responsibilities under HIPAA and the consequences of HIPAA violations if they are discovered can help to reduce the risk of these types of breaches.

Unauthorized access/disclosure incidents at HIPAA-regulated entities 2021-2025

Individuals affected by Unauthorized access/disclosure incidents at HIPAA-regulated entities 2021-2025

Regular security awareness training can help to eradicate risky security practices that frequently result in data breaches. It is also important for regulated entities to have the software, policies, and procedures in place to allow them to identify and remediate insider incidents quickly. Loss and theft incidents are becoming far less common due to the shift to cloud storage of PHI, and easier-to-implement and more cost-effective encryption options. While these incidents were once a leading cause of healthcare data breaches, they are now relatively rare.

Loss and theft data breaches at HIPAA regulated entities 2021-2025

individuals affected by Loss and theft data breaches at HIPAA regulated entities 2021-2025

Improper disposal incidents are also something of a rarity. In 2025, there was only one such incident at a HIPAA-regulated entity, although it was a significant data breach, affecting more than 35,000 individuals.

improper disposal data breaches at HIPAA regulated entities 2021-2025

individuals affected by improper disposal data breaches at HIPAA regulated entities 2021-2025

Location of Breached Protected Health Information

A majority of the year’s data breaches involved exposed and stolen protected health information stored on network servers (61.5%), with almost a quarter of data breaches (24.9%) involving compromised email accounts. Physical PHI – paper and films – was compromised in 5.6% of the year’s data breaches, and 4.6% of data breaches involved unauthorized access to electronic medical records.

Location of breached protected health information in 2025

Data Breaches at HIPAA-Regulated Entities

The OCR data breach portal currently lists 523 data breaches at healthcare providers, 56 data breaches at health plans, and two data breaches at healthcare clearinghouses. A further 128 data breaches were reported by business associates of HIPAA-covered entities.

When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure compliance with the notification requirements of the HIPAA Breach Notification Rule. The covered entity may delegate the responsibility of issuing notifications to the business associate, or the covered entity may choose to issue notifications, or a combination of the two. Some healthcare data breach reports fail to take this into account, resulting in business associate data breaches being undercounted.

The charts below are based on the entity that experienced the data breach, rather than the entity that reported the breach. In 2025, 57.5% of data breaches occurred at healthcare providers, 35.8% at business associates, 6.5% at health plans, and 0.3% at healthcare clearinghouses.

Data breaches at HIPAA-regulated entities in 2025

Individuals affected by data breaches at HIPAA-regulated entities in 2025

Geographical Distribution of Healthcare Data Breaches

Data breaches affecting 500 or more individuals were reported by HIPAA-regulated entities in 49 U.S states, the District of Columbia, and Puerto Rico in 2025. The only state to avoid a large healthcare data breach in 2025 was Vermont.

State/Territory Data Breaches State/Territory Data Breaches
California 69 Kansas 8
Florida 47 Oklahoma 8
Texas 47 Arkansas 7
New York 44 Iowa 7
Ohio 37 Nebraska 7
Pennsylvania 32 South Carolina 7
Michigan 26 Alaska 6
Illinois 25 Alabama 6
Georgia 23 Colorado 6
North Carolina 22 Maine 6
Missouri 20 Utah 5
Indiana 18 Idaho 4
Massachusetts 17 Mississippi 4
Maryland 17 Montana 4
Minnesota 17 New Mexico 4
Tennessee 16 Nevada 4
Virginia 16 Rhode Island 4
Washington 16 West Virginia 4
Wisconsin 16 New Hampshire 3
Arizona 15 Delaware 2
Louisiana 13 Hawaii 2
New Jersey 12 South Dakota 2
Connecticut 11 Wyoming 2
Oregon 10 District of Columbia 1
Kentucky 9 North Dakota 1

While California was the worst-affected state in terms of data breaches, Georgia took top spot for affected individuals.

State/Territory Affected Individuals State/Territory Affected Individuals
Georgia 16,050,351 Minnesota 222,210
California 11,849,467 Iowa 218,559
Connecticut 7,048,122 Wisconsin 199,972
Maryland 3,809,252 Rhode Island 176,500
Florida 3,372,753 Maine 158,054
Colorado 2,708,292 Idaho 154,525
Virginia 1,900,219 South Dakota 132,161
Michigan 1,812,898 Louisiana 114,599
North Carolina 1,484,108 Nebraska 114,313
Texas 1,034,662 South Carolina 97,122
New York 1,032,819 Nevada 90,241
Tennessee 832,230 Alaska 90,073
Pennsylvania 811,816 Oregon 86,813
Missouri 787,413 New Mexico 86,235
Washington 628,651 West Virginia 76,191
Indiana 621,441 New Hampshire 73,816
Ohio 577,751 Mississippi 60,205
Illinois 513,672 Puerto Rico 50,000
Massachusetts 465,095 Utah 42,651
New Jersey 448,143 Oklahoma 38,342
Kansas 438,181 Montana 36,485
Arkansas 261,435 Wyoming 15,883
Arizona 243,894 Delaware 14,635
Kentucky 233,836 Hawaii 8,972
Alabama 228,199 District of Columbia 1,847

HIPAA Violation Penalties in 2025

HIPAA penalties 2009-2025

Last year, OCR almost set a new record for HIPAA enforcement actions, with 21 investigations of complaints and data breaches resolved with settlements or civil monetary penalties. While 2025 saw the second-highest-ever number of HIPAA cases resolved with financial penalties, OCR only collected $8,330,066 in fines, as the majority of penalties were imposed for violations of a single HIPAA provision.

HIPAA Penalties 2017-2025

In 2025, a key focus for OCR was compliance with the risk analysis provision of the HIPAA Security Rule. A comprehensive, organization-wide risk analysis is vital for security. If a risk analysis is not conducted or if it is incomplete, risks are likely to remain unaddressed and may be found and exploited by threat actors. OCR’s compliance audits and data breach investigations have frequently identified risk analysis failures, prompting OCR to launch a risk analysis enforcement initiative.

By focusing on this vital aspect of HIPAA compliance, rather than investigating data breaches more broadly for HIPAA noncompliance, OCR has been able to make significant inroads into addressing its backlog of data breach investigations. The consequence of this approach is that by focusing on violations of a single HIPAA provision, financial penalties are lower.

Area of Noncompliance Number of Enforcement Actions
Risk Analysis 16
Breach notifications 5
Impermissible disclosure of ePHI 4
Recording and monitoring activity in information systems 3
Right of Access 3
Risk management 3
Social media 1
Information access management 1
Procedures to create and maintain retrievable exact copies of ePHI 1

In 2025, 76% of all enforcement actions included a penalty for a risk analysis failure. OCR has also started to look closely at compliance with the Breach Notification Rule, which was the second most common reason for a financial penalty. The HIPAA Breach Notification Rule requires notices to OCR, individuals, and the media within 60 days of the discovery of a data breach. More than one-fifth of enforcement actions included a penalty for breach notification failures.

OCR has confirmed that its enforcement priorities in 2026 will be largely the same as in 2025. OCR will continue with its HIPAA Right of Access and risk analysis enforcement initiatives, with the latter being expanded to include risk management. In addition to demonstrating that risks have been identified, OCR will want to see evidence that the identified risks have been managed and reduced in a timely manner.

OCR HIPAA Settlements in 2025

HIPAA-Regulated Entity Penalty Amount Reason for Penalty
Elgon Information Systems $80,000 Risk analysis failure
Virtual Private Network Solutions $90,000 Risk analysis failure
USR Holdings $337,750 Risk analysis failure; recording activity in information systems; procedures to create and maintain retrievable exact copies of ePHI; impermissible disclosure of 2,903 individuals’ PHI
Solara Medical Supplies $3,000,000 Risk analysis failure; risk management failure; breach notification failure (individuals, media, HHS); impermissible disclosure of the PHI of 114,007 and 1,531 individuals,
South Broward Hospital District (Memorial Health System) $60,000 HIPAA Right of Access failure
Northeast Surgical Group $10,000 Risk analysis failure
Health Fitness Corporation $227,816 Risk analysis failure
Northeast Radiology, P.C. $350,000 Risk analysis failure
Guam Memorial Hospital Authority $25,000 Risk analysis failure
PIH Health $600,000 Risk analysis failure; breach notification failure (media notice, HHS notice); impermissible disclosure of PHI
Comprehensive Neurology, PC $25,000 Risk analysis failure
Vision Upright MRI $5,000 Risk analysis failure; breach notification failure
BayCare Health System $800,000 Information access management failure (minimum necessary standard); risk management failure; lack of information system activity reviews
Comstar, LLC $75,000 Risk analysis failure
Deer Oaks – The Behavioral Health Solution $225,000 Risk analysis failure; impermissible disclosure of ePHI
Syracuse ASC (Specialty Surgery Center of Central New York) $250,000 Risk analysis failure; breach notification failure (OCR, individuals)
BST & Co. CPAs, LLP $175,000 Risk analysis failure
Cadia Healthcare Facilities $182,000 Social media disclosure without authorization; breach notification failure
Concentra Inc. $112,500 HIPAA Right of Access failure

OCR HIPAA Civil Monetary Penalties in 2025

HIPAA-Regulated Entity Penalty Amount Reason for Penalty
Warby Parker $1,500,000 Risk analysis failure; risk management failure; lack of monitoring of activity in information systems containing ePHI.
Oregon Health & Science University $200,000 HIPAA Right of Access failure

State attorneys general also enforce HIPAA compliance and can impose financial penalties, although some state attorneys general impose fines for violations of state data privacy and security rules. In 2025, only one enforcement action was announced by a state attorney general. The New York attorney general imposed a $500,000 financial penalty on Orthopedics NY LLP for cybersecurity failures that led to a data breach affecting 656,086 individuals. The penalty was imposed for violations of New York laws, although the HIPAA Security Rule was undoubtedly also violated.

The post 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Data Breaches Announced by MedRevenu & EyeCare Partners

Posted by Steve Alder

Data breaches have been confirmed by the revenue cycle management company MedRevenu Inland Physicians Hospitalist Services, and the Missouri-based eye care provider, EyeCare Partners.

MedRevenu Inland Physicians Hospitalist Services

MedRevenu Inland Physicians Hospitalist Services, a Montclair, CA-based vendor that provides revenue cycle management services to healthcare providers, has recently notified the California Attorney General about a cybersecurity incident. The incident occurred on or around December 12, 2024, and caused disruption to its network. The forensic investigation determined that files containing personal and protected health information may have been accessed or acquired in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers/government identification numbers, health insurance information, medical information, financial account numbers, payment card numbers, and access information.

MedRevenu said it is reviewing and enhancing its cybersecurity measures and has offered the affected individuals complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months. The BianLian threat group claimed responsibility for the attack and added MedRevenu to its dark web data leak site on December 14, 2024. Since data has been leaked, the affected individuals should ensure that they sign up for the credit monitoring services being offered and carefully check their account statements for data misuse, going back to December 2024. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

EyeCare Partners

EyeCare Partners, LLC, a St. Louis, MO-based nationwide provider of eye care services, has recently announced an email security incident that was first identified on January 28, 2025. Suspicious email activity was identified, and an investigation was launched, which confirmed that an unauthorized third-party had accessed multiple managed email accounts between December 3, 2024, and January 28, 2025.

It took until November 11, 2025, to review the compromised accounts, and notifications were issued to appropriate state attorneys general in February 2026. Data compromised in the incident includes names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health plan information, and limited clinical information.

EyeCare Partners said it has no reason to believe that any of the exposed information has been misused for identity theft or fraud; however, out of an abundance of caution, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 24 months. EyeCare Partners said it has reviewed and enhanced its technical security measures and has provided further reminders to employees about how to recognize and avoid phishing attempts. The incident has been reported to the HHS’ Office for Civil Rights as affecting 17,110 individuals, including patients of The Ophthalmology Group, Ophthalmology Consultants, and Ophthalmology Associates.

The post Data Breaches Announced by MedRevenu & EyeCare Partners appeared first on The HIPAA Journal.

83,000 Clients Affected by Cyberattack on Ohio Counseling Center

Posted by Steve Alder

The Counseling Center of Wayne and Holmes Counties has experienced a cyberattack affecting 83,350 individuals. Data breaches have also been announced by Neurological Associates of Washington and Pecan Tree Dental.

Counseling Center of Wayne and Holmes Counties

The Counseling Center of Wayne and Holmes Counties (CCWHC) in Wooster, Ohio, has experienced a data security incident affecting 83,354 individuals. On March 3, 2025, CCWHC’s third-party service provider notified CCWHC about a cybersecurity incident, which caused disruption to its IT systems. An investigation was launched, and steps were taken to contain and remediate the incident. All impacted systems and accounts were removed, credentials were reset, and leading data privacy and security experts were engaged to assist with the investigation.

The forensic investigation determined that an unauthorized third party gained access to a single CCWHC server on March 2, 2025, and exfiltrated files on March 3, 2025. Based on the initial findings of the investigation, the general types of information compromised in the incident include names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health insurance information, medical condition information, treatment provider names, medical record numbers, treatment cost information, diagnoses, and treatment information.

CCWHC has worked with cybersecurity experts and privacy professionals to review and further strengthen system security. The file review was completed on December 9, 2025, and notification letters have now been mailed to the affected individuals.

Neurological Associates of Washington

Neurological Associates of Washington (NAW) has recently confirmed that the personal and protected health information of 13,500 individuals was stolen in a December 2025 cyberattack. It is now rare for a healthcare provider to disclose details about a hacking incident in its data breach notice; however, NAW has bucked that trend and disclosed that the Dragonforce ransomware group was behind the attack. NAW also confirmed that sensitive patient data was stolen and published on the dark web by Dragonforce.

NAW immediately alerted the Federal Bureau of Investigation (FBI), which investigated the incident and confirmed that the stolen data was published on the dark web on December 28, 2025. The FBI is conducting further investigations into the attack, but has confirmed that the data compromised in the incident related to patients from 2019 to 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnoses, disability codes, medical information, and other types of data. New patients from January 2025 onwards had their data added to a new cloud-based records system, which was not accessed in the attack.

NAW said it has implemented a deep reset and restructuring of its IT system in response to the incident and confirmed that the affected database is now stored in an offline environment. At the time of issuing notifications, NAW said it was unaware of any actual or attempted misuse of the stolen data. As a precaution against identity theft and fraud, the affected individuals have been offered 12 months of complimentary credit monitoring services.

Pecan Tree Dental

Pecan Tree Dental, PLLC, in Grand Prairie, Texas, has confirmed that it experienced a cybersecurity incident involving unauthorized access to its computer systems. The website notice is light on detail, only stating that steps have been taken to secure its systems, and cybersecurity and legal professionals have been engaged to assist with the investigation. At the time of uploading the notice to its website, it was unaware of any unauthorized access to patient information or data misuse. The OCR breach portal indicates that up to 13,300 individuals had their protected health information exposed in the incident.

The Texas attorney general was informed that data compromised in the incident includes names, addresses, dates of birth, medical information, and health information. This appears to have been a ransomware attack by the Sinobi threat group, which added Pecan Tree Dental to its dark web data leak site on January 11, 2026. Sinobi claims to have exfiltrated 250 Gb of data in the attack and has leaked the stolen data.

The post 83,000 Clients Affected by Cyberattack on Ohio Counseling Center appeared first on The HIPAA Journal.

Precipio; Pit River Health Service; Tulane University Medical Group Confirm Data Breaches

Posted by Steve Alder

Data breaches have been announced by the Connecticut diagnostic laboratory Precipio, Pit River Health Service in California, and Tulane University Medical Group in Louisiana.

Precipio, Inc.

Precipio, Inc., a Connecticut-based laboratory specializing in advanced hematopathology diagnostics, has discovered unauthorized access to an employee’s cloud-based storage account. Suspicious activity was identified within the email account on or around November 25, 2025, and the investigation confirmed that an unauthorized third party accessed the employee’s account from November 23, 2025, to November 25, 2025, during which time, files were copied from the account.

The affected files are currently being reviewed to determine the information involved, and that process is currently ongoing. Precipio has yet to disclose a final list of the affected data, but said that, based on its investigation so far, information compromised in the incident includes names, addresses, dates of birth, medical record numbers, clinical/treatment information, medical procedure information, medical provider names, prescription information, and health insurance information.

Since the file review has not yet concluded, the HHS’ Office for Civil Rights has been provided with an interim total of at least 501 affected individuals. The total will be updated when the file review is completed.

Pit River Health Service

Pit River Health Service, the operator of two healthcare clinics in Burney and Alturas in California, has recently announced a data breach affecting up to 1,800 individuals. An unauthorized third party hacked its systems and potentially copied data. Pit River Health Service has confirmed that no data was altered or deleted in the attack, and the Indian Health Service medical record system was not accessed.

In a website update, Pit River Health Service confirmed that some of the affected systems have been restored, although a more extensive security review has been conducted for other affected systems. As a result of the attack, some patient services have been delayed, but appointments and services are continuing. In response to the incident, security monitoring has been stepped up across all of its IT systems.

Tulane University Medical Group

A data breach has been reported to the HHS’ Office for Civil Rights by Administrators of the Tulane Educational Fund d/b/a Tulane University Medical Group. The Louisiana-based medical group experienced a ransomware attack that involved unauthorized access to the protected health information of 6,530 patients.

Tulane University Medical Group does not currently have a substitute data breach notice on its website, so it is unclear exactly what types of information were compromised in the incident. The Cl0p ransomware group claimed responsibility for the attack and added the medical group to its data leak site. Cl0p exploits vulnerabilities in mass attacks, typically vulnerabilities in file-sharing software. Sensitive data is stolen, and ransom demands are issued. Cl0p claims to have exploited a vulnerability on or around November 18, 2025.

The post Precipio; Pit River Health Service; Tulane University Medical Group Confirm Data Breaches appeared first on The HIPAA Journal.

Jefferson-Blount-St. Clair Mental Health Authority Data Breach Affects 30,000 Patients

Posted by Steve Alder

Jefferson-Blount-St. Clair Mental Health Authority in Alabama, Cottage Hospital in New Hampshire, WindRose Health Network in Indiana, and Iroquois Memorial Hospital in Illinois have announced that patient data has been exposed in hacking incidents.

Jefferson-Blount-St. Clair Mental Health Authority, Alabama

Jefferson-Blount-St. Clair (JBS) Mental Health Authority in Alabama has notified more than 30,000 individuals that some of their personal and protected health information was exposed and potentially acquired in a ransomware attack. Suspicious activity was identified within its computer network on or around November 25, 2026. The investigation confirmed that hackers gained access to its network on November 25, 2026, and potentially viewed or acquired information relating to individuals who were patients or employees between 2011 and 2025.

The file review has recently concluded and confirmed that the exposed data included names, Social Security numbers, health insurance information, dates of birth, and medical information, which may have included diagnoses, physician information, medical record numbers, Medicare/Medicaid information, prescription/medication information, diagnostic and treatment information, and billing or claims information.

The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements. The HHS’ Office for Civil Rights breach portal indicates 30,434 individuals were affected by the incident.

Cottage Hospital, New Hampshire

Cottage Hospital, a 35-bed critical access hospital in Woodsville, New Hampshire, has detected unauthorized access to its computer network. The forensic investigation confirmed that hackers had access to a single file server on its computer network from October 14, 2025, to October 21, 2025, and on December 8, 2025, the hospital confirmed that files had been exfiltrated in the incident.  The review of the files is ongoing, although it has been confirmed that the server contained current and former employees’ names, Social Security numbers, driver’s license numbers, and potentially bank account information.

The breach notice submitted to the Maine Attorney General indicates 2,156 individuals were affected, including 83 Maine residents. The affected individuals have been offered complimentary credit monitoring, identity theft restoration, and fraud consultation services. The hospital has confirmed that it will continue to implement and evaluate enhanced safeguards and security measures to better protect sensitive data on its network.

WindRose Health Network, Indiana

WindRose Health Network, a Federally Qualified Health Center with five health centers in Indiana, has notified certain patients about a security incident identified on August 22, 2025. The security breach was detected quickly, with the unauthorized access determined to have commenced on the morning of August 22, 2025. The compromised parts of the network contained personal and protected health information, which may have been accessed or acquired.

A data review firm was engaged to determine the types of information in the exposed files and the individuals affected. That process was recently completed, and the results were assessed to determine the individuals who required notifications. Data compromised in the incident vary from individual to individual and may include names in combination with one or more of the following: contact information, date of birth, patient identification number, date(s) of service, provider name(s), diagnosis, treatment information, prescription(s), medical history, lab reports, health insurance information, and limited number government identification numbers, such as driver’s license number or Social Security number.

Third-party cybersecurity experts were engaged to investigate the incident, review security, and further secure its systems. The affected individuals have been advised to remain vigilant against identity theft and fraud. The HHS’ Office for Civil Rights breach portal indicates 691 individuals were affected by the incident

Iroquois Memorial Hospital, Illinois

Iroquois Memorial Hospital in Watseka, Illinois, has recently reported a hacking incident to the HHS’ Office for Civil Rights involving unauthorized access or theft of patients’ protected health information. A substitute breach notice has yet to be posted to the hospital’s website, so it is unclear exactly what types of data were compromised in the incident. The Pear threat group claimed responsibility for the attack.

Pear engages in data theft and extortion but does not encrypt files. The group maintains a data leak site and added Iroquois Memorial Hospital to the site on December 11, 2025. The listing is still active, which suggests the ransom was not paid. The HHS’ Office for Civil Rights breach portal indicates 621 individuals were affected by the incident

The post Jefferson-Blount-St. Clair Mental Health Authority Data Breach Affects 30,000 Patients appeared first on The HIPAA Journal.

DOCS Dermatology Group; Center for Neuropsychology and Learning Disclose Data Breaches

Posted by Steve Alder

Central States Dermatology Services (DOCS Dermatology Group) in Ohio and The Center for Neuropsychology and Learning in Michigan have identified unauthorized access to patient data.

Central States Dermatology Services, Ohio

Central States Dermatology Services, LLC, doing business as DOCS Dermatology Group (DOCS), has disclosed a security incident that was identified on November 27, 2025. Suspicious activity was identified within its network, and, assisted by third-party cybersecurity experts, DOCS determined that an unauthorized third party had access to its network from November 19, 2025, to November 27, 2025.

The data review is ongoing, so the number of affected individuals had yet to be confirmed; however, DOCS has determined that the data compromised in the incident includes names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, treatment/diagnosis information, prescription/medication information, dates of service, provider name, medical record number, patient account number, Medicare/Medicaid ID number, health insurance information, and/or medical billing/claims information. DOCS is reviewing its policies and procedures related to data security and has engaged cybersecurity experts to review its security measures and make enhancements to strengthen security. At the time of the announcement, DOCS had not identified any misuse of the affected information.

The Center for Neuropsychology and Learning, Michigan

The Center for Neuropsychology and Learning in Ann Arbor, Michigan, has discovered that a malicious cyber actor accessed a server containing the sensitive data of 3,722 of its clients. The unauthorized access was detected on November 10, 2025, and the forensic investigation confirmed that the server was accessed at some point between October 14 and October 31, 2025.

The server was analyzed and found to contain protected health information such as names, dates of birth, contact information, service type(s), and or test reports. Highly sensitive information, such as Social Security numbers, financial information, and therapy notes, was not stored on the server. The Center for Neuropsychology and Learning has confirmed that the threat has been fully mitigated, and notifications have been mailed to the affected individuals, who have been offered 12 months of complimentary credit monitoring and identity theft protection services as a precaution.

The post DOCS Dermatology Group; Center for Neuropsychology and Learning Disclose Data Breaches appeared first on The HIPAA Journal.

Healthcare Technology Company Discloses Ransomware Attack

Posted by Steve Alder

Cyberattacks and data breaches have recently been announced by the healthcare technology company Insightin Health and the Colorado-based medical billing and practice management company, Clinic Service Corporation.

Insightin Health, Maryland

Insightin Health, a Baltimore, MD-based healthcare technology company that offers an AI-driven digital health platform to health insurers and payers, has experienced a cyberattack involving unauthorized access to patient data. Suspicious network activity was identified in September 2025, and the forensic investigation confirmed unauthorized access to its network between September 17, 2025, and September 23, 2025.

The data review revealed the exposed files included protected health information associated with its clients, such as names, dates of birth, contract numbers, health insurance providers’ non-unique identifiers, Medicare Beneficiary Identifiers, and information associated with attributed providers. The substitute data breach notice includes steps that the affected individuals can take to protect themselves against misuse of their information. While not stated in the substitute breach notice, the affected individuals should be aware that the Medusa ransomware group claimed responsibility for the attack and threatened to publish the stolen data. The group claims to have exfiltrated 378 GB of data from the Insightin Health network.

Clinic Service Corporation, Colorado

Clinic Service Corporation, a medical billing and practice management company based in Denver, Colorado, has experienced a hacking incident that exposed sensitive data. The intrusion was identified on August 17, 2025, and the forensic investigation confirmed that its network was accessed by an unauthorized third party from August 10, 2025, to August 17, 2025.

The data review has confirmed that personally identifiable information (PII) and protected health information (PHI) was compromised in the incident, including names, addresses, phone numbers, email addresses, dates of birth, diagnoses, treatment information, patient ID numbers, dates of service, medical record numbers, Medicare/Medicaid numbers, health insurance information, claims information, and treatment cost information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. Regulators have been notified, although the incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Healthcare Technology Company Discloses Ransomware Attack appeared first on The HIPAA Journal.

Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients

Posted by Steve Alder

Data breaches have recently been announced by Central Ozarks Medical Center in Missouri, AdventHealth Daytona Beach in Florida, and the Middlesex Sheriff’s Office in Massachusetts.

Central Ozarks Medical Center, Missouri

Central Ozarks Medical Center (COMC), a Federally Qualified Health Center (FQHC) in mid-Missouri, has notified 11,818 individuals that some of their personal and protected health information was compromised in a criminal cyberattack. The substitute breach notice on the COMC website does not state when the cyberattack was detected or for how long its network was compromised, only that it was determined on or around November 10, 2025, that personally identifiable information and protected health information may have been subject to unauthorized access or acquisition.

The types of information compromised in the incident included names, dates of birth, Social Security numbers, financial account information, medical treatment information, and health insurance information. COMC has provided the affected individuals with information on steps they can take to reduce the risk of identity theft and fraud, and at least 12 months of complementary credit monitoring and identity theft protection services have been offered. COMC has confirmed that it has implemented a series of cybersecurity enhancements and will continue to augment those measures to better protect patient information.

Middlesex Sheriff’s Office, Massachusetts

The Middlesex Sheriff’s Office in Massachusetts has announced a January 2025 security breach that involved unauthorized access to individuals’ protected health information.  The Sheriff’s Office launched an investigation to determine the extent and nature of the incident, and was assisted by the Federal Bureau of Investigation, the Massachusetts State Police, the Commonwealth Fusion Center, the Executive Office of Technology Services and Security, and two cybersecurity firms.

It took until November 19, 2025, to complete the review of the exposed files, when it was confirmed that they contained names, addresses, dates of birth, diagnoses, and/or other general health information. The Sheriff’s Office said it has not identified any misuse of the exposed information. The Middlesex Sheriff’s Office has implemented additional safeguards to prevent similar breaches in the future and has advised the affected individuals to review their bank statements and insurance records for signs of misuse. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals – a commonly used placeholder figure when the total number of affected individuals has not yet been confirmed.

AdventHealth Daytona Beach, Florida

AdventHealth Daytona Beach in Florida has notified 821 individuals about the loss of paperwork containing their protected health information. The loss of documentation was identified by its outpatient laboratory on November 25, 2025. Outpatient lab orders were determined to be missing for individuals who received outpatient services between September 1 and September 14, 2025.

AdventHealth Daytona Beach said the loss occurred during a departmental relocation from the first to the second floor. Construction activities were taking place to install a new tubing system, and the planned project location was changed by the construction workers, who accessed an area containing the lab orders without first notifying the laboratory team. The paperwork was discarded by the construction workers. AdventHealth Daytona Beach said no evidence was found to indicate the lab orders were or will be misused. The lab orders contained information such as names, addresses, dates of birth, telephone numbers, email addresses, diagnosis codes, health condition(s), and health insurance policy numbers.

The post Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients appeared first on The HIPAA Journal.

Patients Learn Their Health Data Was Compromised More Than a Year Ago

Posted by Steve Alder

Alpine Ear, Nose, and Throat in Colorado, The Phia Group in Massachusetts, and Community Health Northwest Florida have started notifying patients that their personal and health information was impermissibly accessed over a year ago.

Alpine Ear, Nose, and Throat, Colorado

Alpine Ear, Nose, and Throat in Fort Collins, Colorado, has mailed notification letters to 65,648 individuals warning them that some of their protected health information was exposed in a security incident identified by Alpine ENT on November 19, 2024. Alpine ENT engaged its managed service provider to investigate the incident, and it was confirmed that an unauthorized third party accessed and exfiltrated files containing patients’ protected health information.

Alpine ENT’s legal counsel explained in the notification letters that a substitute data breach notice was published on the Alpine ENT website on January 17, 2025, although at the time, the investigation was ongoing. The data mining and review processes were completed on October 9, 2025, and in the subsequent months, Alpine ENT worked to verify the impacted individuals and obtained up-to-date contact information. Notification letters were mailed to the affected individuals on January 30, 2026, 14 months after the breach was first identified.

The BianLian ransomware group claimed responsibility for the attack and added Alpine ENT to its data leak site in early December 2024. Data compromised in the incident included names, demographic information, dates of birth, medical information, health information, financial account information, credit card numbers, CVC, and expiration dates, and Social Security numbers. At the time of issuing notifications, Alpine ENT said it had not identified any instances of identity theft as a result of the incident; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The Phia Group, Massachusetts

The Phia Group, LLC, a Canton, Massachusetts-based provider of healthcare cost containment services to health benefit plans and their third-party administrators, has recently notified individuals about a July 2024 security incident that exposed personal and protected health information. According to The Phia Group, an intrusion was detected on July 9, 2024, and the investigation confirmed that its network had been subject to unauthorized access between July 8, 2024, and July 9, 2024. During that time, files containing sensitive data may have been acquired.

A review was conducted to identify the affected clients, the types of data involved, and the affected individuals. The affected clients were notified, and The Phia Group coordinated with them to issue notifications. Data potentially compromised in the incident included names, addresses, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, health insurance information, and medical information, including provider information, treatment information, prescriptions, and Medicare/Medicaid information. Data security has been enhanced to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Community Health Northwest Florida

On January 26, 2026, Community Health Northwest Florida (CHNF) started notifying individuals about a security incident that was identified on December 24, 2024. CHNF engaged third-party cybersecurity experts to investigate the activity, who confirmed that an unauthorized third party had accessed files on its network that contained patient information.

CHNF said it conducted a comprehensive and time-consuming review and engaged a data mining company to identify the affected individuals. It took until January 19, 2026, to obtain the full list of affected individuals, and notification letters were mailed 10 days later. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, financial account numbers, credit or debit card numbers, patient identification and medical record numbers, medical information, and health insurance information.

CHNF has updated its policies and procedures, implemented additional technical safeguards, and enhanced its security measures to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Patients Learn Their Health Data Was Compromised More Than a Year Ago appeared first on The HIPAA Journal.