Two mental healthcare providers have recently announced cybersecurity incidents that exposed patient data: Eleos Wellness in Florida and Clinica Family Health & Wellness in Colorado.

Eleos Wellness, Florida

Eleos Wellness, a Pinellas Park, FL-based provider of mental health services, has recently announced a data security incident that potentially involved unauthorized access to client information. Unauthorized network activity was detected on June 11, 2025, and third-party cybersecurity experts were engaged to investigate the activity. The investigation is ongoing; however, it has been confirmed that an unauthorized third party had access to names, addresses, dates of birth, Social Security numbers, and health insurance information. No evidence has been found to indicate that its electronic medical record system was involved.

No fraudulent activity related to the incident has been identified; however, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their personal accounts and explanation of benefits statements. Eleos Wellness has confirmed that steps are being taken to improve security to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Clinica Family Health & Wellness, Colorado

Clinica Family Health & Wellness, a Colorado-based network of mental health clinics, has announced a security breach affecting the Mental Health Partners environment. An intrusion was identified and rapidly contained on March 25, 2025, and third-party cybersecurity experts were engaged to investigate the nature and scope of the unauthorized activity.

No evidence was found to indicate that any data was removed from its network; however, it is possible that patient data may have been accessed. Clinica Family Health & Wellness said a comprehensive and thorough investigation is ongoing, and it has yet to be determined exactly how many individuals have been affected or the types of information involved. Notification letters will be mailed to the affected individuals when the review is concluded.

The post Data Breaches Announced by Florida & Colorado Mental Health Clinics appeared first on The HIPAA Journal.

Think Big Health Care Solutions, a Florida-based practice management company, and Minnesota Epilepsy Group have recently confirmed cyberattacks and data breaches. Ransomware groups have claimed responsibility for attacks on Emerson Chiropractic in Indiana and El Paso Quality Dentistry in Texas.

Think Big Health Care Solutions, Florida

Think Big Health Care Solutions, a Wellington, FL-based practice management company that provides billing, contracting, and credentialing services to medical practices, has identified unauthorized access to an employee’s email account. Suspicious activity within the account was identified on June 20, 2025, and third-party cybersecurity specialists were engaged to investigate the incident.

Evidence was found that suggested some emails and files in the account had been accessed by an unauthorized third party. A review was conducted to determine the types of information involved and the individuals affected, and notification letters will be mailed to those individuals when that process has been completed. Think Big Health Care Solutions has confirmed that the account contained information such as first names, initials, and last names, addresses, telephone/fax numbers, email addresses, dates of birth, Social Security numbers, tax identification numbers, passport numbers, admission dates, health insurance policy numbers, bank/financial account numbers and routing numbers, credit/debit card information, diagnoses/conditions, lab results, medications, claims information, medical record numbers, other medical/health information, CPT codes, and referring provider names.

Additional technical and administrative measures have been implemented to prevent similar incidents in the future, and enhanced training is being provided to the workforce on phishing detection, secure data handling, and incident response procedures.

Minnesota Epilepsy Group

Roseville, MN-based Minnesota Epilepsy Group (MEG) has experienced a cybersecurity incident that affected certain systems within its network and caused some disruption to business operations. According to the April 25, 2025, substitute breach notice, MEG identified the incident on February 27, 2025. Immediate action was taken to secure its systems, and third-party cybersecurity experts were engaged to investigate to determine the nature and scope of the unauthorized activity. The investigation is ongoing, but it has been confirmed that client and employee data were exposed in the incident.

The exact types of data involved have yet to be confirmed, but likely include individuals’ names, addresses, dates of birth, medical record numbers, EEG summaries, neuropsychology reports, medication records, and health insurance information. No evidence of misuse of that information has been identified to date; however, the affected individuals have been advised to remain vigilant and should review their financial account statements for signs of fraudulent activity. MEG said it continually evaluates and modifies its practices to enhance privacy and security and is taking steps to augment existing cybersecurity measures to prevent similar incidents in the future.

Ransomware Groups Claim Responsibility for Attacks on Two Healthcare Providers

Ransomware groups have recently claimed responsibility for attacks on two healthcare providers, Emerson Chiropractic in Indiana and El Paso Quality Dentistry in Texas. The Dragonforce ransomware group claims to have stolen 96 GB of data from Emerson Chiropractic, which provides chiropractic services to individuals in the Southside of Indianapolis. Stolen data has been published on the data leak site, indicating the ransom was not paid.

The Beast ransomware group has added El Paso Quality Dentistry to its data leak site and claims to have stolen approximately 700 GB of data. Screenshots have been uploaded to the data leak site, indicating a broad range of data has been stolen, with some folder names suggesting patient data was involved. Currently, the stolen data has not been leaked. Neither healthcare provider has publicly announced a cyberattack or data breach at the time of writing.

The post Florida Practice Management Company Announces June 2025 Data Breach appeared first on The HIPAA Journal.

Data incidents have recently been announced by Wood River Health in Rhode Island, Jack L Marcus in Wisconsin, and Avala and Primary Health Services Center in Louisiana.

Wood River Health, Rhode Island

Wood River Health, a provider of medical, dental, and social services to communities in southwestern Rhode Island and southeastern Connecticut, has recently announced a data breach that has affected 54,926 individuals. Suspicious activity was identified in an employee’s email account on or around September 6, 2024. Assisted by third-party cybersecurity experts, Wood River Health investigated the activity and confirmed that an unauthorized third party had access to the email account between August 8, 2024, and September 6, 2024, and may have viewed or acquired names and Social Security numbers.

The review of the affected account was completed on or around May 29, 2025, and notification letters were mailed to the affected individuals on or around July 28, 2025. The affected individuals have been offered 12 months of complimentary credit monitoring services, additional safeguards have been implemented to improve security, and employees have been provided with further security awareness training.

Avala, Louisiana

Avala, a Covington, LA-based physician-led health network that operates a 21-bed hospital in St. Tammany Parish, a surgery center in Metairie, and a medical imaging center in Covington, has recently announced a cybersecurity incident, discovered on May 30, 2025, that impacted its IT systems. Third-party cybersecurity experts were engaged to assist with containment and remediation and determine if patient data was exposed. No instances of identity theft or fraud have been identified; however, the investigation confirmed on July 23, 2025, that patient data had been exposed and was potentially exfiltrated from its network.

The exposed data varied from individual to individual and may have included names, addresses, birth dates, treatment information, health insurance information, and Social Security numbers. Notification letters are now being sent to the affected individuals. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Primary Health Services Center, Louisiana

Primary Health Services Center (PHSC), a Monroe, LA-based non-profit healthcare provider that operates several clinics serving the Ouachita, Morehouse, and Lincoln Parishes, has started notifying individuals affected by a recent cybersecurity incident. The nature of the incident was not detailed in the website data breach announcement, nor was the date the incident was detected.

Third-party cybersecurity professionals were engaged to investigate the incident, and the investigation and file review are ongoing. The number of affected individuals and the types of exposed data have yet to be publicly disclosed. PHSC is currently unaware of any misuse of patient information as a result of the incident and said data security policies and procedures have been enhanced to reduce the risk of similar incidents in the future.

The security breach appears to be a ransomware attack by the Inc Ransom ransomware group, which added PHSC to its dark web data leak site on December 24, 2024. Inc Ransom uploaded the stolen data on January 15, 2025, which includes user data, employee data, and financial information.

Jack L Marcus Inc.

Jack L Marcus Inc., a Milwaukee, WI-based retailer that allows orders to be placed for incarcerated individuals under an agreement with the Wisconsin Department of Corrections, has announced a data breach affecting 712 individuals. According to the substitute breach notice, a website misconfiguration allowed limited information to be displayed that should have been hidden.

Between August 15, 2024, and May 16, 2025, the name of the treatment facility where an individual was located was displayed to individuals placing orders for that individual. The facility address was masked, but the name of the treatment facility was displayed.  No other information was impermissibly disclosed. The error was identified on March 15, 2025, and was corrected the following day.  Jack L Marcus has reviewed and updated its processes and technology to prevent similar incidents in the future.

The post Wood River Health Notifies 54K Patients About August 2024 Data Breach appeared first on The HIPAA Journal.

Ransomware groups have attacked three healthcare providers: Gastroenterology Consultants of South Texas, Infinite Services in New York, and High Point Treatment Center in Massachusetts.

Gastroenterology Consultants of South Texas (Texas Digestive Specialists)

Gastroenterology Consultants of South Texas, which does business as Texas Digestive Specialists, has recently disclosed a May 2025 cybersecurity incident and data breach. According to the substitute data breach notice, an unauthorized third party gained access to its network in late May 2025 and may have obtained files containing personally identifiable information (PII) and protected health information (PHI). The Texas Attorney General was informed that the exposed information may have included names, addresses, dates of birth, medical records, and health insurance information.

The breach notification does not state when the attack was detected or for how long the hackers had access to the network. Third-party cybersecurity experts assisted with the investigation, and the lessons learned will be used to enhance the security of its IT systems. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that the PII and PHI of 41,521 Texans was exposed in the incident. The affected individuals have been offered complimentary credit monitoring services.

The breach notification letters do not mention ransomware; however, the Interlock ransomware group claimed responsibility for the attack and added the practice to its dark web data leak site. The group claims to have stolen 263 GB of data, which has been leaked online. Interlock was recently the subject of a joint alert from the FBI, CISA, HHS, and MS-ISAC following an increase in attacks on critical infrastructure entities.

Infinite Services, New York

Infinite Services, a New York-based provider of physical therapy, occupational therapy, speech therapy, and home health services, has fallen victim to a ransomware attack that exposed patient and employee data. The attack was detected on May 5, 2025, when employees were prevented from accessing the network. Third-party cybersecurity experts were engaged to investigate the incident and confirmed there was unauthorized access to one of its servers.

Ransomware was used to encrypt files, although the server was powered off, interrupting the encryption process. On June 23, 2025, Infinite Services determined that the affected server contained patient and employee information, and the decision was made to send notification letters to all potentially affected individuals, rather than wait for data mining to determine exactly which individuals had been affected.  That decision ensured that notification letters were mailed promptly.

The ransomware group was not named; however, Infinite Services said no ransom was paid, and at the time notification letters were issued, none of the stolen data had been published online. Since data may be leaked, the affected individuals should take advantage of the complimentary credit monitoring and identity theft protection services that have been offered. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals were affected or notified.

High Point Treatment Center, Massachusetts

High Point Treatment Center in New Bedford, Massachusetts, a provider of mental health and substance abuse treatment, has been added to the dark web data leak site of the Abyss ransomware group. The group claims to have exfiltrated 1.8 TB of data, although it has not listed any of the stolen data on its data leak site so far. High Point Treatment Center has yet to announce the attack or data breach.

The post Texas Gastroenterology Clinic Falls Victim to Interlock Ransomware Attack appeared first on The HIPAA Journal.

McKenzie Memorial Hospital in Michigan has reported a hacking incident affecting more than 54,000 patients. Arbor Associates in Massachusetts has reported a 17K-record data breach, and data breaches have been confirmed by Blue Shield of California and Human Development Services of Westchester.

McKenzie Memorial Hospital, Michigan

McKenzie Memorial Hospital in Sandusky, Michigan, has recently disclosed a cybersecurity incident that was detected on or around April 15, 2025, when suspicious activity was identified within its network. McKenzie Memorial did not state whether ransomware was used, only that the forensic investigation confirmed that its network was accessed by an unauthorized third party between April 14, 2025, and April 15, 2025. During that time, files containing patients’ protected health information may have been accessed.

The investigation and file review were completed on June 19, 2025, and confirmed that the potentially compromised information included names, Social Security numbers, and financial account information. The data breach was recently reported to the Maine Attorney General as affecting 54,016 individuals. Credit monitoring and identity theft protection services have been offered for 12 months, and the hospital is strengthening network security and reviewing its data security policies and procedures.

Arbor Associates, Massachusetts

Arbor Associates, a business associate that helps healthcare organizations collect patient survey analytics, has recently announced a data security incident that involved unauthorized access to patient data. Unusual network activity was detected on April 17, 2025, and independent cybersecurity experts were engaged to investigate the activity. They confirmed that there was unauthorized access to its network between April 15, 2025, and April 17, 2025, during which time files containing patient information may have been acquired.

The file review was completed in May 2025, and the affected healthcare partners were notified. Data potentially compromised in the incident includes first and last name, contact information, age, biological sex, date of birth, service date, CPT or diagnosis code, medical record number, name of insurance, and/or doctor’s name. Arbor Associates started mailing notification letters on behalf of the affected clients on July 3, 2025. The data breach was reported to the HHS’ Office for Civil Rights as a network server incident affecting 17,040 individuals.

Blue Shield of California

The health insurer Blue Shield of California (BSC) has recently notified the California Attorney General about a recent HIPAA breach. On May 22, 2025, BSC learned that a broker with Harmon Insurance Services had passed away, and the late broker’s husband had accessed her online client list after her death. He then asked a friend, who was also a broker, to assist her clients. A former employee of the late broker may also have accessed the client list and client applications between March 25, 2025, and May 22, 2025.

The access was unauthorized, and upon discovery, the login credentials were revoked to prevent further unauthorized access. No evidence was found to indicate any acquisition of members’ information. Information potentially accessed included names, member IDs, Social Security numbers, birth dates, addresses, phone numbers, group ID numbers, and Medicare numbers.

The affected individuals have been notified by mail and offered a one-year membership to an identity theft protection service. The OCR data breach portal lists the incident as affecting 1,543 individuals. A later breach report indicates that an email breach also occurred that affected 673 individuals.

Human Development Services of Westchester, New York

Human Development Services of Westchester, a provider of community-based direct-care services for vulnerable populations in New York State, has recently announced unauthorized access to its email tenant. Suspicious activity was identified within a single email account, and the forensic investigation confirmed unauthorized access between May 19, 2025, and May 20, 2025. The review of the account and attachments is ongoing, so it is not yet possible to determine the exact types of information involved or the number of affected individuals. The account likely contained employee and patient information.

Email security is currently being reviewed, and new cybersecurity tools are being assessed. The breach has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals. The total will be updated when the review concludes.

The post McKenzie Memorial Hospital Announces Data Breach Affecting 54,000 Patients appeared first on The HIPAA Journal.

While compiling data for last month’s data breach report, the HIPAA Journal identified a data breach that had previously been missed. On June 2, 2025, Cumberland County Hospital Association in Kentucky notified the HHS’ Office for Civil Rights about a hacking-related data breach that affected 36,659 individuals. Cumberland County Hospital detected the hacking incident on April 3, 2025. According to its substitute breach notice, an unauthorized third party had access to its network between February 21, 2025, and April 3, 2025. While its electronic medical record system was not accessed, files on the compromised parts of the network were discovered to include patient information, and some of those files were accessed during the attack.

The review of the files confirmed they contained demographic information (name, date of birth, address, phone number(s), email address, race, and ethnicity), along with Social Security numbers, medications, diagnoses, treatment notes, dates of service, medical record numbers, health plan numbers, and claims and billing information. Some employee data was also compromised in the attack, which may have included additional information such as driver’s license, birth certificate, background check information, W-4s and W-2s, and bank account numbers. Notification letters were mailed to the affected individuals on June 2, 2025, and credit monitoring and identity theft protection services have been offered for 12 months.

Ellis Medicine Discovers Unauthorized Access to Employee Email Account

Ellis Medicine, a Schenectady, NY-based health system serving the Capital District in New York State, has notified the Maine Attorney General about a data incident that involved unauthorized access to an employee’s email account. Suspicious activity was identified in the account, which was immediately secured. Third-party digital forensics specialists were engaged to investigate the activity and confirmed that the account was accessed “for a limited period” between January 17, 2025, through January 24, 2025, and again between March 27, 2025, through April 5, 2025.

The account was reviewed to identify the types of information potentially accessed, and that review was completed on May 14, 2025. Emails and attachments were discovered to include the personal and protected health information of 13,383 individuals. The Notification to the Maine Attorney General includes mail merge fields rather than a list of potentially compromised data, and there is currently no substitute breach notice on the Ellis Medicine website, so the types of information compromised are unknown.

Notification letters are being mailed to the affected individuals, which will state the exact types of information involved for each patient. Ellis Medicine has offered single-bureau credit monitoring, credit report, and credit score services to the affected individuals for 12 months.

The post Cumberland County Hospital Data Breach Affects Almost 37,000 Individuals appeared first on The HIPAA Journal.

Naper Grove Vision Care in Naperville, Illinois, has recently announced a cybersecurity incident that was detected on May 24, 2025. Independent cybersecurity experts were engaged to investigate unusual network activity and confirmed that an unauthorized third party accessed its network and exfiltrated files containing patient information.

The file review revealed the stolen files contained names, addresses, birth dates, driver’s license numbers, patient numbers, health insurance information, explanation of benefits documents, and medical condition and treatment information. A limited number of patients also had their Social Security numbers stolen.

Naper Grove Vision Care has advised the affected patients to monitor their account statements and credit reports closely and report any suspicious activity to law enforcement. There is no mention of complimentary credit monitoring services in the substitute data breach notice. The data breach has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals.

While ransomware was not mentioned in the notice, a ransomware group has claimed responsibility for the attack. The Interlock ransomware group has added Naper Grove Vision Care to its data leak site and claims to have stolen 214 GB of data in the attack across 32,971 folders and 656,891 files. The full data has been leaked, indicating the ransom was not paid.

Florida Lung, Asthma & Sleep Specialists Cyberattack Affects Up to 10,000 Patients

Florida Lung, Asthma & Sleep Specialists (FLASS), which has offices in Orlando, Kissimmee, Winter Garden, and Poinciana, has notified 10,000 patients about a recent data breach. Unauthorized network activity was identified on May 11, 2025, and the forensic investigation indicated that the medical records of certain patients may have been accessed.

Data potentially compromised in the incident includes patient names, birth dates, contact information, and limited medical and billing information. The investigation is ongoing, and notification letters will soon be mailed to the affected individuals. FLASS has not uncovered any evidence to suggest that any of the exposed information has been misused; however, the affected individuals have been advised to remain vigilant and monitor their medical accounts and statements for unusual activity. The affected systems have been secured, and cybersecurity experts have been engaged to review security measures and recommend areas for improvement.

The post Naper Grove Vision Care Falls Victim to Interlock Ransomware Attack appeared first on The HIPAA Journal.

A law firm that provides legal counsel and assistance to Durham County Hospital Corporation in North Carolina has experienced a data breach involving the personal and protected health information of 2,150 individuals.

Manning, Fulton & Skinner, P.A. (MFS), identified suspicious activity within its email system on February 6, 2025. An investigation was launched to determine the cause of the activity, and it was confirmed that certain MFS email accounts had been accessed by an unauthorized individual between September 19, 2024, and February 6, 2025.

Third-party data review specialists were engaged to review the affected accounts and completed the review on May 14, 2025. Durham County Hospital Corporation was notified about the data breach on May 29, 2025, and provided MFS with the necessary information for mailing notifications on July 14, 2025. The law firm has implemented additional email security measures and has offered the affected individuals 12 months of complimentary credit monitoring and identity theft protection services.

The Brien Center for Mental Health and Substance Abuse Services Announces May 2025 Hacking Incident

The Brien Center for Mental Health and Substance Abuse Services in Pittsfield, Massachusetts, has notified state attorneys general about a recent security incident involving unauthorized access to patient information.  The intrusion was identified on May 21, 2025, and third-party cybersecurity specialists were engaged to investigate the incident. The Brien Center learned there was unauthorized network access between May 19, 2025, and May 21, 2025, during which time files containing patient information may have been copied from the network.

The file review confirmed that the data potentially compromised in the incident included names, dates of birth, addresses, phone numbers, email addresses, client IDs, dates and times of recent visits, and clinical diagnostic information. Credit monitoring and identity restoration services have been offered to the affected individuals. Currently, there is no breach report on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Business Associate Data Breach Affects Duke Regional Hospital Patients appeared first on The HIPAA Journal.