Hacking-related data breaches have been reported by Meridian Valley Laboratories in Washington, and College Parkside Pharmacy and College Hometown Pharmacy in New York state.

College Parkside Pharmacy & College Hometown Pharmacy

Certain patients who received services from College Parkside Pharmacy and/or College Hometown Pharmacy in New York state are being notified about a recent security incident that potentially involved unauthorized access to their protected health information. The pharmacies are operated by Albany College of Pharmacy and Health Sciences, which previously announced the security breach; however, the HHS’ Office for Civil Rights has only recently been notified. The OCR breach portal indicates the incident affected 9,742 individuals who received services from College Hometown Pharmacy and 5,736 individuals who received services from College Parkside Pharmacy.

According to the breach notice, unusual activity was identified within its computer network on or around September 14, 2024. External cybersecurity specialists were engaged to assist with the investigation and confirmed unauthorized network access between August 31, 2024, and September 14, 2024.  A limited amount of data was exfiltrated during that time, in what was described as “a sophisticated cybersecurity incident”.

The delay in issuing notifications was due to the time taken to review the affected files. That process was completed on May 30, 2025, and notification letters started to be mailed on June 16, 2025. No evidence of data misuse has been identified; however, the following data was exposed and potentially stolen: First and last name, plus one or more of the following: date of birth, birth certificate, account number, routing number, security code, marriage certificate, mother’s maiden name, digital signature, passport number, government identification number, Social Security number, taxpayer ID number, driver’s license number, payment card number, payment card expiration date, alien registration number, username and password, health insurance information, medical record number, mental or physical condition, diagnosis/treatment information, procedure type, provider name, prescription information, biometric data, and student information.  Albany College of Pharmacy and Health Sciences said additional cybersecurity safeguards are being implemented to prevent similar incidents in the future.

Meridian Valley Laboratories

Meridian Valley Laboratories in Tukwila, Washington, is investigating a security incident that was discovered on July 3, 2025. The investigation has so far revealed that there was unauthorized access to its network between May 30, 2025, and July 3, 2025. During that time, files were copied from its network. They are currently being reviewed to determine the individuals affected and the types of information involved.

At this stage of the investigation, it is too early to tell how many individuals have been affected. The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. Meridian Valley Laboratories said notification letters will be mailed to the affected individuals as quickly as possible when the file review is completed, and they will be informed about the exact types of information involved.

In the meantime, all individuals who used Meridian Valley Laboratories have been advised to remain vigilant against identity theft and fraud by reviewing their accounts, explanation of benefits statements, and credit reports for suspicious activity.

The post Cybercriminals Hit Washington Laboratory and New York Pharmacies appeared first on The HIPAA Journal.

Pediatric Otolaryngology Head & Neck Surgery Associates has reported a data breach affecting almost 44,000 patients. Anchorage Neighborhood Health Clinic in Alaska is investigating a potential security breach that may have affected up to 10,000 patients, and Valley Mountain Regional Center has exposed data over the Internet.

Pediatric Otolaryngology Head & Neck Surgery Associates, Florida

Pediatric Otolaryngology Head & Neck Surgery Associates (POHNS) in Florida recently reported a data breach to the HHS Office for Civil Rights affecting 43,446 individuals. POHNS first announced the data breach on April 25, 2025. Unusual activity was identified within its computer network on February 24, 2025. The forensic investigation confirmed unauthorized access between February 19 and February 24, 2025, including access to patients’ protected health information. The file review confirmed that a range of patient data had been exposed, although the information involved varied from individual to individual.

Data potentially compromised in the incident included names in combination with one or more of the following: address, email address, phone number, Social Security number, driver’s license/state ID number, financial account information, taxpayer ID number, digital signature, date of birth, medical diagnosis/treatment information, prescription information, date of service, patient ID number, provider name, medical record number, Medicare/Medicaid number, health insurance information, health insurance claim number, health insurance policy number, and/or treatment cost information. Notification letters have been mailed to the affected individuals who have been offered complimentary credit monitoring and identity protection services.

Anchorage Neighborhood Health Clinic, Alaska

Anchorage Neighborhood Health Clinic, a Federally Qualified Health Center in Alaska, has confirmed to local media that it is investigating a claim from a hacker about unauthorized access to the personal and health information of 10,000 patients.

Notifications have been issued to patients warning them about a potential security incident after the health center learned that the hacker had contacted certain patients directly. In some cases, the emails sent to patients included information such as their name, address, Social Security number, date of birth, phone number, driver’s license, and health insurance information. Patients have been advised not to interact with any communications they receive from the hacker.

On August 26, 2025, the health center posted a notice on its Facebook page explaining that technical difficulties are being experienced with computer systems, which prevent appointment scheduling, and that phone lines are down. Some progress has been made restoring the affected systems; however, a follow-up post on September 2, 2025, warned that there was only limited computer access due to ongoing technical difficulties, and the phone lines had not been restored by September 9, 2025. The Facebook posts suggest that this was a ransomware attack. The investigation is ongoing, and the extent of any data theft has yet to be confirmed.

Valley Mountain Regional Center

Valley Mountain Regional Center, a Stockton, CA-based provider of support services to individuals with intellectual and developmental disabilities and their families, has recently notified 529 individuals about the accidental exposure of some of their protected health information. On July 14, 2025, a list of State Supplemental Payment (SSP) vendors was posted on its website.

An SSP is an additional payment from the state government that is used to help individuals with disabilities who are living independently. Valley Mountain Regional Center said it discovered that the list contained consumer information such as name, address, city, state, zip code, phone number, vendor name, service code, and service description.

The error was identified quickly, and the list was removed within 18 hours of posting. Valley Mountain Regional Center said it is unaware of any misuse of the exposed information and stressed that Social Security numbers and financial account information were not exposed. Steps have been taken to improve policies and protocols to ensure that similar errors are not made in the future.

The post Florida Pediatric ENT Specialists Confirm Data Breach Affecting 44,000 Individuals appeared first on The HIPAA Journal.

New York Blood Center Enterprises, the operator of 19 blood donor centers in New York and New Jersey, has notified the Maine Attorney General about its January 2025 ransomware attack and has provided further information on the findings of its investigation. As previously announced and reported below, the attack was detected on January 26, 2025. The forensic investigation confirmed that an unauthorized third party had access to its computer network between January 20 and January 26, 2025, and obtained a copy of a subset of files stored on the network.

The files were reviewed, and New York Blood Center Enterprises obtained a preliminary list of individuals whose names and sensitive data were involved on June 30, 2025. The draft list was reviewed, and “an extensive analysis” was conducted to develop a final list of the individuals to notify. The final list was obtained on August 12, 2025. The types of information involved vary from individual to individual and may include names in combination with Social Security numbers, driver’s license numbers, other government identification card numbers, and/or financial account information.

New York Blood Center Enterprises started mailing notification letters to the affected individuals on September 5, 2025, and individuals whose Social Security number or driver’s license number was involved have been offered one year of complimentary credit monitoring and identity theft protection services. New York Blood Center Enterprises said it has enhanced its security protocols and technical safeguards to further protect and monitor its systems.

The notification letters do not mention ransomware, although New York Blood Center Enterprises previously stated that ransomware was involved. The threat group responsible for the attack has not been disclosed, and no group is known to have claimed responsibility for the attack. The notification letter to the Maine Attorney General states that 8 Maine residents were affected, but the breach report does not state how many individuals were affected in total. The HHS’ Office for Civil Rights does not yet show the breach, so it is currently unclear how many individuals have been affected in total.

January 31, 2025: New York Blood Center Enterprises Grappling with Ransomware Attack

A ransomware group has attacked another U.S. blood donation organization. New York Blood Center Enterprises (NYBCe) is one of the largest community-based, non-profit blood collection and distribution organizations in the United States. NYBCe operates 19 donor centers in New York and New Jersey and provides blood and stem cell products to around 70 hospitals in the area. Through its operating divisions in Connecticut, Delaware, Kansas, Minnesota, Missouri, Nebraska, Rhode Island, and Wisconsin, transfusion-related services are provided to more than 500 hospitals nationwide serving around 75 million people.

On Sunday, January 26, 2025, suspicious activity was identified in its IT systems. Third-party cybersecurity experts were engaged to investigate, and it was confirmed that the suspicious activity was due to a ransomware attack. Steps were taken to contain the threat and eject the threat actor from its network, and work is underway to restore its systems as quickly and safely as possible. Law enforcement has been notified, workarounds are being implemented to restore its services and fulfill orders, and NYBCe has been in regular communication with its hospital partners and is working on minimizing disruption to blood supplies.

At this stage, NYBCe is unable to provide a timeline for when its systems will be restored. While the incident has affected the functionality of its IT systems, all blood donor centers remain operational and its community blood drives are continuing with donations being accepted; however, the IT issues caused by the ransomware attack mean processing times are likely to be longer than normal at its donation centers and blood drives and some donation center activities and blood drives may need to be rescheduled. The attack could not have come at a worse time. On January 21, 2025, just a few days before the attack, NYBCe declared a blood emergency due to a 30% reduction in blood donations in recent weeks that has caused a blood shortage in the region. Some blood drives have had to be canceled as a result of the attack.

It is currently unclear which ransomware group is behind the attack and whether donor information was stolen. NYBCe has been providing updates on its website and will issue notifications to any affected individuals if it is confirmed that personal information has been stolen. Ransomware attacks on blood collection and distribution organizations can cause serious disruption to blood supplies. A July 2024 ransomware attack on the Florida-based blood organization, OneBlood, disrupted blood supplies to the 350 hospitals it serves in Alabama, Florida, Georgia, and North and South Carolina, forcing them to implement their critical blood shortage protocols.

A ransomware attack on a pathology service provider to the UK’s NHS in June 2024 caused major disruption to blood transfusions in London and prolonged blood shortages due to the significant reduction in capacity.  A ransomware attack on the Swiss pharma firm OctaPharma in April 2024 resulted in the closure of all blood plasma donation centers in the United States for several weeks.

The post New York Blood Center Enterprises Notifies Individuals Affected by January Ransomware Attack appeared first on The HIPAA Journal.

Senate Finance Committee Ranking Member Ron Wyden (D-OR) and Senate Banking Committee Ranking Member Elizabeth Warren (D-MA) have demanded answers from UnitedHealth Group about the alleged aggressive tactics being used to recover the funds lent to healthcare providers following the ransomware attack on Change Healthcare last year.

Change Healthcare fell victim to a ransomware attack in February 2024, causing a prolonged outage of Change Healthcare’s systems, which handled approximately 45% of all healthcare transactions at the time of the attack. Providers were reliant on those systems for obtaining authorization and payment from health insurers, and the outage caused severe payment and reimbursement problems, with providers having to cover the costs of treatment, tests, vaccinations, and even prescriptions. Patients also faced disruptions, especially those unable to afford to pay for their medications without copay assistance.

UnitedHealth Group, through its industrial bank subsidiary Optum Financial, established a temporary funding assistance program, which provided interest-free loans to hospitals and medical practices experiencing financial difficulties due to the outage. More than $9 billion in loans were paid to struggling providers. Systems were brought back online after several months; however, the financial difficulties have continued for many providers, who are now having to repay the loans. There have been multiple reports that UnitedHealth Group has been adopting aggressive tactics to recover funds, including withholding payments or health insurance claims through its insurance subsidiary UnitedHealthcare.

“These reports are particularly troubling because they underscore the extraordinary market power of United’s massive, vertically-integrated conglomerate: the problem was caused by a breach of United’s payment clearinghouse, Change; the loans were offered by United’s industrial bank, Optum Financial; and now the company is using its insurance arm as a collection tool,” explained the senators in the August 27, 2025 letter to UnitedHealth Group CEO, Stephen J. Hemsley, and Optum Financial CEO, Dhivya Suryadevara.

UnitedHealth Group has been accused of using loan shark tactics to recover the loans, including refusing to negotiate payment plans. Providers have claimed they were told to immediately repay the loans in full, which in some cases runs to hundreds of thousands of dollars. Some have been threatened with withholding all current claims payments if the debt is not repaid within five business days, and funds will be withheld until the debt is repaid in full. Further, claims have allegedly been rejected for failing to meet the filing deadline from the period after the cyberattack, when Change Healthcare’s systems were offline.

UnitedHealth had previously told the Senate Committee on Banking, Housing, and Urban Affairs and the Senate Committee on Finance that loan recipients were given 45 days to repay the loans, and UnitedHealth Group contacted each multiple times during those 45 days. If no response was received after the 45-day period, providers were contacted and told to pay within five business days. Then, if no response is received, claims will be offset and moved into recoupment. If providers cannot repay within that time frame, UnitedHealth Group suggested that they would work out a mutually agreeable repayment plan.

The senators have demanded answers from UnitedHealth Group and Optum Financial on the loan repayment process and have requested answers to the following questions by September 12, 2025.

1. Provide data indicating the total number of loans lent to providers from March 2024 to present.
2. Provide documents detailing the process and criteria that Optum Financial used to distribute funds to providers who were adversely impacted by the February 2024 attack.
3. Provide documents detailing Optum Financial’s repayment process.
4. Provide a copy of any and all written agreements that were given to providers when they accepted funds.
5. Provide any and all copies of express repayment plans that Optum Financial offers to health care providers who accepted funds.
6. Provide documents detailing redress options that Optum Financial makes available to providers who are unable to repay funds within 45 days of initial notification.
7. Does Optum Financial plan to outsource collection efforts to a third-party?
8. Provide documents related to any intercompany loans that were made to Optum Financial, if applicable.
9. Did United Health or Optum Financial solicit or use third-party financing for the purposes of making either loans to providers or intercompany loans? If yes, provide details.

The post Senators Demand Answers from UHG on Aggressive Loan Repayment Tactics Following Cyberattack appeared first on The HIPAA Journal.

Absolute Dental, a Nevada dental practice with over 50 locations in Las Vegas, Carson City, Reno, Sparks, and Minden, has completed its investigation of a February 2025 cyberattack and has confirmed that more than 1.2 million individuals had some of their personal and protected health information exposed.

Absolute Dental reported the data breach to the HHS’ Office for Civil Rights in May 2025 using a placeholder figure of 501 affected individuals. At the time, it was unclear how many individuals had been affected. While the breach portal has not yet been updated with the new total, the Oregon Attorney General was informed that 1,223,635 individuals have been affected.

Absolute Dental explained in its substitute breach notice that an issue was identified within its information systems on February 26, 2025. Steps were taken to secure its systems and investigate the nature and scope of the activity. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that an unauthorized third party had access to its network between February 26, 2025, and March 5, 2025.

The file review was completed on July 28, 2025, when it was confirmed that sensitive personal data was exposed and potentially stolen. The affected individuals had their name exposed along with one or more of the following: contact information, date of birth, Social Security number, driver’s license or state-issued ID information, passport or other governmental ID information, and health information. Health information may have included health history, diagnosis/treatment information, explanation of benefits, health insurance information, and/or MRN number or patient identification number. A small subset of the affected individuals also had their financial account and/or payment card information exposed.

Absolute Dental said the third-party forensic investigation revealed that initial access to its network occurred via the execution of a malicious version of a legitimate software tool through an account associated with its managed services provider. Absolute Dental did not state which legitimate software tool was involved. The description suggests that a threat actor breached the network of its managed services provider, then either tricked an Absolute Dental employee into executing a malicious version of the software tool or the threat actor abused the privileged access of the managed services provider to install the tool, thus providing access to Absolute Dental’s information systems.

Absolute Dental has reported the data breach to regulators, notified law enforcement, and has implemented additional safeguards and technical security measures to prevent similar incidents in the future. Notification letters are being mailed to the affected individuals who have been offered two years of complimentary credit monitoring services.

The post Absolute Dental Confirmed Data Breach Affecting Over 1.2 Million Individuals appeared first on The HIPAA Journal.

On Friday last week, University of Iowa Health Care and its affiliated UI Community HomeCare, a home infusion and medical equipment service provider, announced a hacking incident that was identified on July 3, 2025.

Immediate action was taken to contain the threat, and its systems were safely restored within one business day. Third-party cybersecurity experts were engaged to conduct a forensic investigation to determine the nature and scope of the unauthorized activity, and it was confirmed that a cybercriminal hacker had access to the UI Community HomeCare network on July 3, 2025.

While the networks of University of Iowa Health Care and affiliated UI Community HomeCare are separate, both entities share some patients, employees, and data files. Some of those data files were exfiltrated by the hacker, although the investigation confirmed that there was no unauthorized access to its electronic medical record system.

The review of the affected data revealed that the files contained the personal and protected health information of approximately 211,000 individuals. Notification letters were mailed to those individuals last week. Information compromised in the incident varies from individual to individual and may include an individual’s name in combination with some or all of the following: address, phone number, date of birth, provider name, medical record number, visit type, date(s) of service, insurance information, and Social Security number.

At the time of issuing the notification letters, no evidence of misuse of any of the affected information had been identified; however, the affected individuals have been encouraged to closely monitor their account statements, credit reports, and explanation of benefits statements, and should report any suspicious activity.

UI Health Care and Health Care and UI Community HomeCare said several steps have been taken to improve security and prevent similar incidents in the future, and monitoring for unauthorized access to its computer systems has been enhanced.

The post UI Community HomeCare Hacking Incident Affects 211,000 Patients appeared first on The HIPAA Journal.

Family Counseling Services of the Finger Lakes in New York and the Cancer Care Center of North Florida have confirmed that patient data was compromised in recent hacking incidents.

Family Counseling Services of the Finger Lakes

Family Counseling Services of the Finger Lakes in New York has discovered unauthorized access to its email environment. Suspicious activity was identified on or around February 4, 2025, and the forensic investigation confirmed that a limited number of email accounts had been accessed by an unauthorized third party between January 14, 2025, and February 4, 2025.

The email accounts were immediately secured, and a review was conducted to determine the extent of data exposure. The file review was completed on June 30, 2025, and confirmed that the exposed data included full names, in combination with one or more of the following: date of birth, Social Security number, driver’s license number, bank account number, medical information, and health insurance information.

Family Counseling Service is unaware of any misuse of the exposed data; however, the affected individuals have been advised to remain vigilant against identity theft and fraud. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Cancer Care Center of North Florida

Cancer Care Center of North Florida has been affected by two security incidents, one involving unauthorized access to email accounts and a network server hacking incident. Both incidents involved the Integrated Oncology Network (ION).

As previously reported by the HIPAA Journal, the phishing incident affected multiple ION members. Between December 13, 2024, and December 16, 2024, an unauthorized third party gained access to certain emails and SharePoint files. The files contained names, addresses, dates of birth, financial account information, diagnosis, lab results, medication, treatment information, health insurance and claims information, provider names, and/or dates of treatment, and for a limited number of individuals, their Social Security numbers. Cancer Care Center of North Florida notified the HHS’ Office for Civil Rights that 976 patients of its Lake Butler location were affected.

The hacking incident involved unauthorized access to certain ION systems between March 31, 2025, and April 10, 2025.  ION discovered the intrusion on April 11, 2025, and said only limited systems were affected. The review of the affected files is ongoing, but it has been confirmed that the compromised information includes names, address, date of birth, medical record number, diagnoses/conditions, diagnostic imaging, diagnostic test results, lab results, medications, treatment information, health insurance information, provider names, dates of treatment, driver’s license numbers, and/or financial account information.

The breach has affected multiple ION practices, which were notified between July 11, 2025, and August 6, 2025. Cancer Care Center of North Florida has confirmed that 1,789 of its patients were affected.

The post New York Counseling Provider and Florida Cancer Center Announce Data Breaches appeared first on The HIPAA Journal.