Data breaches have been confirmed by the revenue cycle management company MedRevenu Inland Physicians Hospitalist Services, and the Missouri-based eye care provider, EyeCare Partners.

MedRevenu Inland Physicians Hospitalist Services

MedRevenu Inland Physicians Hospitalist Services, a Montclair, CA-based vendor that provides revenue cycle management services to healthcare providers, has recently notified the California Attorney General about a cybersecurity incident. The incident occurred on or around December 12, 2024, and caused disruption to its network. The forensic investigation determined that files containing personal and protected health information may have been accessed or acquired in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers/government identification numbers, health insurance information, medical information, financial account numbers, payment card numbers, and access information.

MedRevenu said it is reviewing and enhancing its cybersecurity measures and has offered the affected individuals complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months. The BianLian threat group claimed responsibility for the attack and added MedRevenu to its dark web data leak site on December 14, 2024. Since data has been leaked, the affected individuals should ensure that they sign up for the credit monitoring services being offered and carefully check their account statements for data misuse, going back to December 2024. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

EyeCare Partners

EyeCare Partners, LLC, a St. Louis, MO-based nationwide provider of eye care services, has recently announced an email security incident that was first identified on January 28, 2025. Suspicious email activity was identified, and an investigation was launched, which confirmed that an unauthorized third-party had accessed multiple managed email accounts between December 3, 2024, and January 28, 2025.

It took until November 11, 2025, to review the compromised accounts, and notifications were issued to appropriate state attorneys general in February 2026. Data compromised in the incident includes names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health plan information, and limited clinical information.

EyeCare Partners said it has no reason to believe that any of the exposed information has been misused for identity theft or fraud; however, out of an abundance of caution, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 24 months. EyeCare Partners said it has reviewed and enhanced its technical security measures and has provided further reminders to employees about how to recognize and avoid phishing attempts. The incident has been reported to the HHS’ Office for Civil Rights as affecting 17,110 individuals, including patients of The Ophthalmology Group, Ophthalmology Consultants, and Ophthalmology Associates.

The post Data Breaches Announced by MedRevenu & EyeCare Partners appeared first on The HIPAA Journal.

The Counseling Center of Wayne and Holmes Counties has experienced a cyberattack affecting 83,350 individuals. Data breaches have also been announced by Neurological Associates of Washington and Pecan Tree Dental.

Counseling Center of Wayne and Holmes Counties

The Counseling Center of Wayne and Holmes Counties (CCWHC) in Wooster, Ohio, has experienced a data security incident affecting 83,354 individuals. On March 3, 2025, CCWHC’s third-party service provider notified CCWHC about a cybersecurity incident, which caused disruption to its IT systems. An investigation was launched, and steps were taken to contain and remediate the incident. All impacted systems and accounts were removed, credentials were reset, and leading data privacy and security experts were engaged to assist with the investigation.

The forensic investigation determined that an unauthorized third party gained access to a single CCWHC server on March 2, 2025, and exfiltrated files on March 3, 2025. Based on the initial findings of the investigation, the general types of information compromised in the incident include names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health insurance information, medical condition information, treatment provider names, medical record numbers, treatment cost information, diagnoses, and treatment information.

CCWHC has worked with cybersecurity experts and privacy professionals to review and further strengthen system security. The file review was completed on December 9, 2025, and notification letters have now been mailed to the affected individuals.

Neurological Associates of Washington

Neurological Associates of Washington (NAW) has recently confirmed that the personal and protected health information of 13,500 individuals was stolen in a December 2025 cyberattack. It is now rare for a healthcare provider to disclose details about a hacking incident in its data breach notice; however, NAW has bucked that trend and disclosed that the Dragonforce ransomware group was behind the attack. NAW also confirmed that sensitive patient data was stolen and published on the dark web by Dragonforce.

NAW immediately alerted the Federal Bureau of Investigation (FBI), which investigated the incident and confirmed that the stolen data was published on the dark web on December 28, 2025. The FBI is conducting further investigations into the attack, but has confirmed that the data compromised in the incident related to patients from 2019 to 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnoses, disability codes, medical information, and other types of data. New patients from January 2025 onwards had their data added to a new cloud-based records system, which was not accessed in the attack.

NAW said it has implemented a deep reset and restructuring of its IT system in response to the incident and confirmed that the affected database is now stored in an offline environment. At the time of issuing notifications, NAW said it was unaware of any actual or attempted misuse of the stolen data. As a precaution against identity theft and fraud, the affected individuals have been offered 12 months of complimentary credit monitoring services.

Pecan Tree Dental

Pecan Tree Dental, PLLC, in Grand Prairie, Texas, has confirmed that it experienced a cybersecurity incident involving unauthorized access to its computer systems. The website notice is light on detail, only stating that steps have been taken to secure its systems, and cybersecurity and legal professionals have been engaged to assist with the investigation. At the time of uploading the notice to its website, it was unaware of any unauthorized access to patient information or data misuse. The OCR breach portal indicates that up to 13,300 individuals had their protected health information exposed in the incident.

The Texas attorney general was informed that data compromised in the incident includes names, addresses, dates of birth, medical information, and health information. This appears to have been a ransomware attack by the Sinobi threat group, which added Pecan Tree Dental to its dark web data leak site on January 11, 2026. Sinobi claims to have exfiltrated 250 Gb of data in the attack and has leaked the stolen data.

The post 83,000 Clients Affected by Cyberattack on Ohio Counseling Center appeared first on The HIPAA Journal.

Data breaches have been announced by the Connecticut diagnostic laboratory Precipio, Pit River Health Service in California, and Tulane University Medical Group in Louisiana.

Precipio, Inc.

Precipio, Inc., a Connecticut-based laboratory specializing in advanced hematopathology diagnostics, has discovered unauthorized access to an employee’s cloud-based storage account. Suspicious activity was identified within the email account on or around November 25, 2025, and the investigation confirmed that an unauthorized third party accessed the employee’s account from November 23, 2025, to November 25, 2025, during which time, files were copied from the account.

The affected files are currently being reviewed to determine the information involved, and that process is currently ongoing. Precipio has yet to disclose a final list of the affected data, but said that, based on its investigation so far, information compromised in the incident includes names, addresses, dates of birth, medical record numbers, clinical/treatment information, medical procedure information, medical provider names, prescription information, and health insurance information.

Since the file review has not yet concluded, the HHS’ Office for Civil Rights has been provided with an interim total of at least 501 affected individuals. The total will be updated when the file review is completed.

Pit River Health Service

Pit River Health Service, the operator of two healthcare clinics in Burney and Alturas in California, has recently announced a data breach affecting up to 1,800 individuals. An unauthorized third party hacked its systems and potentially copied data. Pit River Health Service has confirmed that no data was altered or deleted in the attack, and the Indian Health Service medical record system was not accessed.

In a website update, Pit River Health Service confirmed that some of the affected systems have been restored, although a more extensive security review has been conducted for other affected systems. As a result of the attack, some patient services have been delayed, but appointments and services are continuing. In response to the incident, security monitoring has been stepped up across all of its IT systems.

Tulane University Medical Group

A data breach has been reported to the HHS’ Office for Civil Rights by Administrators of the Tulane Educational Fund d/b/a Tulane University Medical Group. The Louisiana-based medical group experienced a ransomware attack that involved unauthorized access to the protected health information of 6,530 patients.

Tulane University Medical Group does not currently have a substitute data breach notice on its website, so it is unclear exactly what types of information were compromised in the incident. The Cl0p ransomware group claimed responsibility for the attack and added the medical group to its data leak site. Cl0p exploits vulnerabilities in mass attacks, typically vulnerabilities in file-sharing software. Sensitive data is stolen, and ransom demands are issued. Cl0p claims to have exploited a vulnerability on or around November 18, 2025.

The post Precipio; Pit River Health Service; Tulane University Medical Group Confirm Data Breaches appeared first on The HIPAA Journal.

Jefferson-Blount-St. Clair Mental Health Authority in Alabama, Cottage Hospital in New Hampshire, WindRose Health Network in Indiana, and Iroquois Memorial Hospital in Illinois have announced that patient data has been exposed in hacking incidents.

Jefferson-Blount-St. Clair Mental Health Authority, Alabama

Jefferson-Blount-St. Clair (JBS) Mental Health Authority in Alabama has notified more than 30,000 individuals that some of their personal and protected health information was exposed and potentially acquired in a ransomware attack. Suspicious activity was identified within its computer network on or around November 25, 2026. The investigation confirmed that hackers gained access to its network on November 25, 2026, and potentially viewed or acquired information relating to individuals who were patients or employees between 2011 and 2025.

The file review has recently concluded and confirmed that the exposed data included names, Social Security numbers, health insurance information, dates of birth, and medical information, which may have included diagnoses, physician information, medical record numbers, Medicare/Medicaid information, prescription/medication information, diagnostic and treatment information, and billing or claims information.

The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements. The HHS’ Office for Civil Rights breach portal indicates 30,434 individuals were affected by the incident.

Cottage Hospital, New Hampshire

Cottage Hospital, a 35-bed critical access hospital in Woodsville, New Hampshire, has detected unauthorized access to its computer network. The forensic investigation confirmed that hackers had access to a single file server on its computer network from October 14, 2025, to October 21, 2025, and on December 8, 2025, the hospital confirmed that files had been exfiltrated in the incident.  The review of the files is ongoing, although it has been confirmed that the server contained current and former employees’ names, Social Security numbers, driver’s license numbers, and potentially bank account information.

The breach notice submitted to the Maine Attorney General indicates 2,156 individuals were affected, including 83 Maine residents. The affected individuals have been offered complimentary credit monitoring, identity theft restoration, and fraud consultation services. The hospital has confirmed that it will continue to implement and evaluate enhanced safeguards and security measures to better protect sensitive data on its network.

WindRose Health Network, Indiana

WindRose Health Network, a Federally Qualified Health Center with five health centers in Indiana, has notified certain patients about a security incident identified on August 22, 2025. The security breach was detected quickly, with the unauthorized access determined to have commenced on the morning of August 22, 2025. The compromised parts of the network contained personal and protected health information, which may have been accessed or acquired.

A data review firm was engaged to determine the types of information in the exposed files and the individuals affected. That process was recently completed, and the results were assessed to determine the individuals who required notifications. Data compromised in the incident vary from individual to individual and may include names in combination with one or more of the following: contact information, date of birth, patient identification number, date(s) of service, provider name(s), diagnosis, treatment information, prescription(s), medical history, lab reports, health insurance information, and limited number government identification numbers, such as driver’s license number or Social Security number.

Third-party cybersecurity experts were engaged to investigate the incident, review security, and further secure its systems. The affected individuals have been advised to remain vigilant against identity theft and fraud. The HHS’ Office for Civil Rights breach portal indicates 691 individuals were affected by the incident

Iroquois Memorial Hospital, Illinois

Iroquois Memorial Hospital in Watseka, Illinois, has recently reported a hacking incident to the HHS’ Office for Civil Rights involving unauthorized access or theft of patients’ protected health information. A substitute breach notice has yet to be posted to the hospital’s website, so it is unclear exactly what types of data were compromised in the incident. The Pear threat group claimed responsibility for the attack.

Pear engages in data theft and extortion but does not encrypt files. The group maintains a data leak site and added Iroquois Memorial Hospital to the site on December 11, 2025. The listing is still active, which suggests the ransom was not paid. The HHS’ Office for Civil Rights breach portal indicates 621 individuals were affected by the incident

The post Jefferson-Blount-St. Clair Mental Health Authority Data Breach Affects 30,000 Patients appeared first on The HIPAA Journal.

Central States Dermatology Services (DOCS Dermatology Group) in Ohio and The Center for Neuropsychology and Learning in Michigan have identified unauthorized access to patient data.

Central States Dermatology Services, Ohio

Central States Dermatology Services, LLC, doing business as DOCS Dermatology Group (DOCS), has disclosed a security incident that was identified on November 27, 2025. Suspicious activity was identified within its network, and, assisted by third-party cybersecurity experts, DOCS determined that an unauthorized third party had access to its network from November 19, 2025, to November 27, 2025.

The data review is ongoing, so the number of affected individuals had yet to be confirmed; however, DOCS has determined that the data compromised in the incident includes names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, treatment/diagnosis information, prescription/medication information, dates of service, provider name, medical record number, patient account number, Medicare/Medicaid ID number, health insurance information, and/or medical billing/claims information. DOCS is reviewing its policies and procedures related to data security and has engaged cybersecurity experts to review its security measures and make enhancements to strengthen security. At the time of the announcement, DOCS had not identified any misuse of the affected information.

The Center for Neuropsychology and Learning, Michigan

The Center for Neuropsychology and Learning in Ann Arbor, Michigan, has discovered that a malicious cyber actor accessed a server containing the sensitive data of 3,722 of its clients. The unauthorized access was detected on November 10, 2025, and the forensic investigation confirmed that the server was accessed at some point between October 14 and October 31, 2025.

The server was analyzed and found to contain protected health information such as names, dates of birth, contact information, service type(s), and or test reports. Highly sensitive information, such as Social Security numbers, financial information, and therapy notes, was not stored on the server. The Center for Neuropsychology and Learning has confirmed that the threat has been fully mitigated, and notifications have been mailed to the affected individuals, who have been offered 12 months of complimentary credit monitoring and identity theft protection services as a precaution.

The post DOCS Dermatology Group; Center for Neuropsychology and Learning Disclose Data Breaches appeared first on The HIPAA Journal.

Data breaches have recently been announced by Central Ozarks Medical Center in Missouri, AdventHealth Daytona Beach in Florida, and the Middlesex Sheriff’s Office in Massachusetts.

Central Ozarks Medical Center, Missouri

Central Ozarks Medical Center (COMC), a Federally Qualified Health Center (FQHC) in mid-Missouri, has notified 11,818 individuals that some of their personal and protected health information was compromised in a criminal cyberattack. The substitute breach notice on the COMC website does not state when the cyberattack was detected or for how long its network was compromised, only that it was determined on or around November 10, 2025, that personally identifiable information and protected health information may have been subject to unauthorized access or acquisition.

The types of information compromised in the incident included names, dates of birth, Social Security numbers, financial account information, medical treatment information, and health insurance information. COMC has provided the affected individuals with information on steps they can take to reduce the risk of identity theft and fraud, and at least 12 months of complementary credit monitoring and identity theft protection services have been offered. COMC has confirmed that it has implemented a series of cybersecurity enhancements and will continue to augment those measures to better protect patient information.

Middlesex Sheriff’s Office, Massachusetts

The Middlesex Sheriff’s Office in Massachusetts has announced a January 2025 security breach that involved unauthorized access to individuals’ protected health information.  The Sheriff’s Office launched an investigation to determine the extent and nature of the incident, and was assisted by the Federal Bureau of Investigation, the Massachusetts State Police, the Commonwealth Fusion Center, the Executive Office of Technology Services and Security, and two cybersecurity firms.

It took until November 19, 2025, to complete the review of the exposed files, when it was confirmed that they contained names, addresses, dates of birth, diagnoses, and/or other general health information. The Sheriff’s Office said it has not identified any misuse of the exposed information. The Middlesex Sheriff’s Office has implemented additional safeguards to prevent similar breaches in the future and has advised the affected individuals to review their bank statements and insurance records for signs of misuse. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals – a commonly used placeholder figure when the total number of affected individuals has not yet been confirmed.

AdventHealth Daytona Beach, Florida

AdventHealth Daytona Beach in Florida has notified 821 individuals about the loss of paperwork containing their protected health information. The loss of documentation was identified by its outpatient laboratory on November 25, 2025. Outpatient lab orders were determined to be missing for individuals who received outpatient services between September 1 and September 14, 2025.

AdventHealth Daytona Beach said the loss occurred during a departmental relocation from the first to the second floor. Construction activities were taking place to install a new tubing system, and the planned project location was changed by the construction workers, who accessed an area containing the lab orders without first notifying the laboratory team. The paperwork was discarded by the construction workers. AdventHealth Daytona Beach said no evidence was found to indicate the lab orders were or will be misused. The lab orders contained information such as names, addresses, dates of birth, telephone numbers, email addresses, diagnosis codes, health condition(s), and health insurance policy numbers.

The post Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients appeared first on The HIPAA Journal.

Alpine Ear, Nose, and Throat in Colorado, The Phia Group in Massachusetts, and Community Health Northwest Florida have started notifying patients that their personal and health information was impermissibly accessed over a year ago.

Alpine Ear, Nose, and Throat, Colorado

Alpine Ear, Nose, and Throat in Fort Collins, Colorado, has mailed notification letters to 65,648 individuals warning them that some of their protected health information was exposed in a security incident identified by Alpine ENT on November 19, 2024. Alpine ENT engaged its managed service provider to investigate the incident, and it was confirmed that an unauthorized third party accessed and exfiltrated files containing patients’ protected health information.

Alpine ENT’s legal counsel explained in the notification letters that a substitute data breach notice was published on the Alpine ENT website on January 17, 2025, although at the time, the investigation was ongoing. The data mining and review processes were completed on October 9, 2025, and in the subsequent months, Alpine ENT worked to verify the impacted individuals and obtained up-to-date contact information. Notification letters were mailed to the affected individuals on January 30, 2026, 14 months after the breach was first identified.

The BianLian ransomware group claimed responsibility for the attack and added Alpine ENT to its data leak site in early December 2024. Data compromised in the incident included names, demographic information, dates of birth, medical information, health information, financial account information, credit card numbers, CVC, and expiration dates, and Social Security numbers. At the time of issuing notifications, Alpine ENT said it had not identified any instances of identity theft as a result of the incident; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The Phia Group, Massachusetts

The Phia Group, LLC, a Canton, Massachusetts-based provider of healthcare cost containment services to health benefit plans and their third-party administrators, has recently notified individuals about a July 2024 security incident that exposed personal and protected health information. According to The Phia Group, an intrusion was detected on July 9, 2024, and the investigation confirmed that its network had been subject to unauthorized access between July 8, 2024, and July 9, 2024. During that time, files containing sensitive data may have been acquired.

A review was conducted to identify the affected clients, the types of data involved, and the affected individuals. The affected clients were notified, and The Phia Group coordinated with them to issue notifications. Data potentially compromised in the incident included names, addresses, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, health insurance information, and medical information, including provider information, treatment information, prescriptions, and Medicare/Medicaid information. Data security has been enhanced to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Community Health Northwest Florida

On January 26, 2026, Community Health Northwest Florida (CHNF) started notifying individuals about a security incident that was identified on December 24, 2024. CHNF engaged third-party cybersecurity experts to investigate the activity, who confirmed that an unauthorized third party had accessed files on its network that contained patient information.

CHNF said it conducted a comprehensive and time-consuming review and engaged a data mining company to identify the affected individuals. It took until January 19, 2026, to obtain the full list of affected individuals, and notification letters were mailed 10 days later. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, financial account numbers, credit or debit card numbers, patient identification and medical record numbers, medical information, and health insurance information.

CHNF has updated its policies and procedures, implemented additional technical safeguards, and enhanced its security measures to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Patients Learn Their Health Data Was Compromised More Than a Year Ago appeared first on The HIPAA Journal.

Bayada Home Health Care, a New Jersey-based home healthcare provider serving 22 U.S. states, has recently announced a data breach involving a third-party vendor, Doctor Alliance. Doctor Alliance provides services that facilitate physician signatures on clients’ Home Health Certifications and Plans of Care, which involve access to patients’ protected health information.

On December 4, 2025, Doctor Alliance notified Bayada Home Health Care about a cybersecurity incident involving access and potential acquisition of client data by an unauthorized third party. According to Doctor Alliance, an unauthorized third party had access to the Doctor Alliance network between October 31 and November 6, 2025, and November 14 and 17, 2025. During that time, Home Health Certification and Plan of Care forms may have been acquired.

Bayada Home Health Care said it is not aware that any of its forms were copied; however, unauthorized data access could not be ruled out. The exposed forms contained a range of sensitive patient information, including names, dates of birth, diagnoses, medical/physical treatment information, provider information, health insurance plan information, prescription information, hospital admissions/discharges, and disability information, and for a subset of individuals, Social Security numbers.

Bayada Home Health Care said it has discontinued using Doctor Alliance as a vendor in response to the data breach. A review has been conducted of its policies and procedures relating to third-party vendors, and steps have been taken to minimize the risk of similar incidents in the future. The data breach has been reported to state attorneys general and the HHS’ Office for Civil Rights. The incident is not currently listed on the OCR data breach portal, so it is unclear how many individuals have been affected.

Marion County Public Health Department, Indiana

Marion County Public Health Department in Indiana has identified an insider incident involving unauthorized access to the protected health information of 792 clients. An employee was discovered to have accessed more than the necessary patient information to complete their job duties, including names, addresses, dates of birth, and lab test results for clients who received tests that were processed by the Marion County Public Health Department lab.

Marion County Public Health Department said it has found no evidence to suggest that any of the accessed information has been misused and stressed that no financial information was accessed by the employee. In response to the incident, further training has been provided to staff members on the HIPAA minimum necessary standard and its internal policies, and technical safeguards have been enhanced to limit access to protected health information to the minimum necessary for job duties.

The post Bayada Home Health Care Affected by Doctor Alliance Data Breach appeared first on The HIPAA Journal.