HIPAA Breach News

Central Maine Healthcare Data Breach Affects 145,000 Individuals

Data breaches have recently been announced by Central Maine Healthcare, Dermatology Associates in Kentucky, and Reproductive Medicine Associates of Michigan. The Central Maine Healthcare data breach has affected 145,000 individuals.

Central Maine Healthcare

Central Maine Healthcare, an integrated nonprofit healthcare system serving around 400,000 residents in central and western Maine, has announced a major data breach involving the electronic protected health information of up to 145,000 patients.

Suspicious activity was identified within its IT systems on June 1, 2025, and immediate action was taken to secure its systems while an investigation sought to determine the nature and scope of the activity. The investigation determined that between March 19, 2025, and June 1, 2025, an unauthorized third party had access to its network and accessed or acquired files containing sensitive patient data.

The file review confirmed that names and Social Security numbers were compromised, in combination with one or more of the following: address, date(s) of service, provider names, treatment information, and health insurance information. Notification letters started to be mailed to the affected individuals in late December 2025, and single-bureau credit monitoring, credit report, and credit score services have been offered.

Dermatology Associates, Kentucky

Dermatology Associates in Louisville, Kentucky, has recently announced an August 2025 security incident that may have resulted in unauthorized access to patient data. Suspicious activity was identified within its computer systems on August 4, 2025, and third-party cybersecurity experts were engaged to investigate the activity.

The investigation confirmed unauthorized access to its network for a period of two months from June 4, 2025, to August 4, 2025. The data review is ongoing, so the types of information involved have yet to be confirmed. Dermatology Associates said the information likely exposed in the incident included names, addresses, dates of birth, driver’s license numbers, telephone numbers, physician names, billing/claims information, patient ID/account numbers, and health insurance information.

Steps have been taken to improve security, and notification letters will be sent by mail when the investigation is concluded. The data breach is currently shown on the HHS’ Office for Civil Rights breach portal with a placeholder figure of at least 501 affected individuals. The total will be updated when the file review is concluded.

Reproductive Medicine Associates of Michigan

Reproductive Medicine Associates of Michigan (RMAM), a fertility clinic in Troy, MI, has started notifying patients about a recent cybersecurity incident that involved the theft of sensitive data from its network. Suspicious network activity was identified on October 22, 2025, and immediate action was taken to secure its IT environment. Third-party cybersecurity specialists were engaged to investigate the activity, who confirmed that data had been exfiltrated.

On December 19, 2025, a substitute data breach notice was added to the RMAM website that states that the file review is ongoing, and notification letters will be mailed to the affected individuals when that process is completed. The notifications will provide information on the exact types of information involved for each individual. At present, the total number of individuals affected has yet to be confirmed.

The post Central Maine Healthcare Data Breach Affects 145,000 Individuals appeared first on The HIPAA Journal.

Minnesota Department of Human Services Data Breach Affects Over 300K Individuals

The Minnesota Department of Human Services (DHS) has notified almost 304,000 individuals about unauthorized access to their demographic records. The records were stored in the MnChoices system, which is used by counties, Tribal Nations, and managed care organizations to support their assessment and planning work for state residents requiring long-term services and support.

The system is managed by the third-party vendor, FEI Systems, which notified the Minnesota DHS in November about unauthorized access to data in the system by a user associated with a licensed healthcare provider. While there was a legitimate reason to access limited information in the system, some data was accessed without authorization by the user. The unauthorized access ceased on September 21, 2025, and the user’s access to the system was fully removed on October 30, 2025.

For the majority of affected individuals, the information accessed was limited to demographic information, although for 1,206 individuals, additional information was also accessed. Some medical information was accessed, and for certain individuals, the last four digits of their Social Security numbers. While the forensic investigation identified the categories of information accessed, it was not possible to determine, on a record-by-record basis, exactly what information was accessed for each individual. Due to the limited nature of the data accessed, Minnesota DHS is not providing the affected individuals with free credit monitoring services.

A forensic investigation was ordered to determine the exact types of information accessed and the individuals affected. At the time of issuing notification letters on January 16, 2026, no data misuse had been identified. Minnesota DHS has confirmed that the user no longer has access to the system, and additional safeguards have been implemented to prevent similar unauthorized access incidents in the future.

The DHS Office of Inspector General was made aware of the incident and has developed data-driven processes to monitor and evaluate billing information to determine whether there has been inappropriate or fraudulent use of the accessed data. Should any fraudulent use be identified, a thorough investigation will be conducted, and the matter will be reported to law enforcement. In that regard, the Minnesota DHS has requested that all individuals who receive a notification letter about the incident carefully review their health care statements and report any suspicious charges or services.


Valley Eye Associates Confirms Patient Data Stolen in Ransomware Attack

Valley Eye Associates has fallen victim to a ransomware attack in which sensitive patient data was exfiltrated from its network. Imperial Beach Community Clinic has started notifying patients about unauthorized access to its email environment.

Valley Eye Associates, Wisconsin

Valley Eye Associates, an ophthalmology, optometry, and LASIK eye surgery center in Appleton, WI, has recently announced that it fell victim to a ransomware attack on or around October 8, 2025. Third-party cybersecurity specialists were engaged to assist with the investigation and determined that the ransomware group had access to its network between October 8, 2025, and October 9, 2025, during which time files were exfiltrated from its network.

While data was stolen, Valley Eye Associates said there are no indications that the stolen data has been or will be used inappropriately. It is unclear how that determination was made. The ransomware group behind the attack was not mentioned in the breach notice, although the Qilin ransomware group claimed responsibility for the attack and published the stolen data, indicating the ransom was not paid. The group claimed to have exfiltrated 139 GB of data.

Valley Eye Associates is still reviewing the affected data and will notify the affected individuals when that process is completed. Valley Eye Associates said it has taken steps to improve security to prevent similar incidents in the future, including implementing additional security protections for its email environment, which suggests that email was used for initial access.

Imperial Beach Community Clinic, California

Imperial Beach Community Clinic, a California community healthcare provider serving the San Diego South Bay area, has notified the California Attorney General about a cybersecurity incident and data breach that was first identified almost a year ago. According to the breach notice, unusual activity was identified within its email environment on April 15, 2025. An investigation was launched to determine the nature and scope of the activity, and it was confirmed that an unauthorized individual had access to certain email accounts from February 4, 2025, to May 2, 2025. During that time, certain information in the accounts may have been acquired.

The affected data set was reviewed, and on December 30, 2025, the file review was concluded. Data compromised in the incident included name, age, appointment date, claim number, date of birth, encounter ID number, gender, insurance information, insurance name, patient ID number, procedure type, provider name, service date, and visit type. Imperial Beach Community Clinic has reviewed and enhanced its data privacy and security policies and procedures to prevent similar incidents in the future. The California Attorney General breach notice does not state how many individuals were affected, and the data breach is not yet shown on the HHS’ Office for Civil Rights breach portal.


Monroe University: 320,000 Individuals Affected by December 2024 Cyberattack

Monroe University, a for-profit university with campuses in the Bronx and La Rochelle in New York, and Saint Lucia in the Caribbean, has recently confirmed that a cyberattack has resulted in unauthorized access to the personal and health information of approximately 320,973 individuals.

The cyberattack was detected more than a year ago on December 23, 2024. When the intrusion was detected, immediate action was taken to secure its systems to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed that an unauthorized third party had access to its network from December 9, 2024, to December 23, 2024, and exfiltrated files containing sensitive data.

It has taken nine months to review the affected files to determine the individuals affected and the types of data involved. On September 30, 2025, Monroe University confirmed that the data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, government identification numbers, medical information, health insurance information, electronic account or email usernames and passwords, financial account information, and/or student data.

The university started issuing notification letters to the affected individuals on January 2, 2026, and has advised all individuals to remain vigilant against potential fraud and identity theft by monitoring their credit reports, accounts, and explanation of benefits statements for suspicious activity. At the time of issuing notification letters, the university had not identified any misuse of the stolen data. Based on the notification letter seen by The HIPAA Journal, credit monitoring services do not appear to have been offered.

Universities, like healthcare organizations, are an attractive target for hackers, who can gain access to vast amounts of sensitive data, which in this case included student data and health information. Other universities that have recently experienced cyberattacks include Harvard and Columbia.


Tens of Thousands of Patients Affected by Two Business Associate Data Breaches

Mid Michigan Medical Billing Service, a Flint, MI-based revenue cycle management company that provides billing support services to HIPAA-covered entities, has fallen victim to a cyberattack that exposed the sensitive data of patients of its healthcare clients.

Suspicious network activity was identified on March 27, 2025, and the forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The affected data was reviewed to determine the types of information involved and the affected individuals. Mid Michigan Medical Billing Service then notified the affected covered entity clients and worked with them to provide notice to the affected individuals.

The file review confirmed that the protected health information of 28,185 individuals had been exposed in the cyberattack. The compromised data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, driver’s license/government-issued identification number, Medicare/Medicaid identification number, diagnosis/treatment information, medical record number/patient account number, health insurance information, payment card number, employer identification number, passport number, treating/referring provider name, and biometric data. For a limited number of individuals, Social Security numbers were involved.

VillageCareMAX, New York

VillageCareMAX, a New York, NY-based provider of health plans and community healthcare services to seniors and individuals with chronic diseases, has announced a data breach involving one of its business associates, TMG Health.

VillageCareMAX uses the Cognizant-owned TMG Health to assist with the administration of its members’ health plans. TMG Health identified unauthorized activity within its information system on September 19, 2025. The unauthorized access was immediately terminated, and an investigation was launched to determine the nature and scope of the unauthorized activity. TMG Health determined that an unauthorized third party had access to its network for 10 months from November 20, 2024, to September 19, 2025. During that time, VillageCareMAX members’ protected health information may have been accessed and acquired.

The affected data included names, member identification numbers, health information, and Social Security numbers. While no misuse of that data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft recovery services. VillageCareMAX has received assurances that TMG Health has implemented technological and procedural enhancements to prevent similar incidents in the future.

VillageCareMAX provides services to more than 35,000 individuals each year. It is currently unclear how many of those individuals have been affected.


University of Hawai’i Cancer Center: 1.24 Million Individuals Affected by 2025 Ransomware Attack

The University of Hawai’i Cancer Center (UHCC) has confirmed that up to 1.24 million individuals may have been affected by its August 2025 ransomware attack. The HIPAA Journal previously reported on the incident in January 2026 (see below), when the attack and data breach were first announced; however, at the time, the file review was ongoing, and the number of affected individuals had yet to be announced.

UHCC explained that the notification delay was due to the volume of data impacted, the complexity of the encrypted data, and the age of the studies and records. In a report to the state legislature, UHCC provided additional information about the attack and data breach, confirming that the ransomware attack had no impact on patient care, clinical trials operations, or its Basic Science and Prevention Division, and that there was no unauthorized access to student records.

The forensic investigation determined that the threat actor accessed the UHCC Epidemiology Division’s research files, exfiltrated files, and encrypted data. The initial findings of the investigation found that a majority of the affected files related to its decades-long Multi Ethnic Cohort (DEC) Study, which mostly contained research data with no personal information about the study participants.

Further investigation determined that some of the files in the impacted data contained Social Security numbers and driver’s license numbers of individuals recruited for that study between 1993 and 1996. UHCC recruited more than 215,000 individuals from Hawai’i and Los Angeles, CA, for that study. UHCC began compiling a list of names and obtained mailing addresses for all potentially affected individuals and has now mailed 87,493 notification letters to the affected study participants. They have been offered 12 months of complimentary credit monitoring and identity theft protection services.

As the review of the impacted files continued, UHCC identified names and Hawaiʻi State driver’s license numbers in the impacted data. They had been collected in the year 2000 from the State Department of Transportation, plus voter registration information collected in the year 1998 from the City & County of Honolulu. At that time, Social Security numbers were commonly used as driver’s license numbers and voter registration numbers, and government departments freely provided those lists. The lists were used by its researchers to recruit study participants and for associated research purposes. UHCC also identified Social Security numbers and health-related information obtained for epidemiological studies of diet and cancer. Across these additional files, UHCC identified 1,153,527 potentially affected individuals, in addition to the 87,493 individuals who were notified by mail.

Under state law, if more than 200,000 individuals are affected by a data breach, if the cost of mailing notifications exceeds $100,000, or in cases where sufficient contact information is not held, electronic notifications are permitted. UHCC located email addresses for approximately 900,000 individuals out of the 1,153,527 potentially affected individuals, and has emailed notifications to those individuals. A substitute breach notice has been added to the UHCC website to serve as notice for the individuals who could not be emailed, and statewide media has been notified.

UHCC has established a dedicated call center for individuals to make contact for further information about the impacted data and to request credit monitoring services. The call center – (844) 443-0842 – is manned Monday to Friday, 8:30 a.m. to 9 p.m. Central Time (excluding holidays). The data review is not yet concluded; however, UHCC is confident that any further personal or protected health information that has yet to be identified will be minimal. Should further individuals be identified, they will be notified separately.

UHCC has confirmed that it has implemented “extensive cybersecurity and governance enhancements” in response to the ransomware attack and data breach and has shared information about those measures in its detailed breach notice. UHCC lists several technical measures that have been implemented or enhanced. To improve information security oversight, a new Information Security Governance Council for Research has been established to coordinate with research-related cybersecurity, and a new Information Security Task Force has been established, which is responsible for updating policies, strengthening cyber roles and responsibilities, and recommending enterprise‑level controls and investments.

“This cyberattack requires a comprehensive, systemwide response. I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed,” said UH President Wendy Hensel. “We will take a holistic approach, identify areas requiring additional investment, and move forward with those improvements. Safeguarding the data entrusted to us is essential to our mission and our responsibility to the people of Hawaiʻi.”

January 15, 2026: University of Hawai’i Cancer Center Confirms Patient Data Stolen in Ransomware Attack

The University of Hawai’i Cancer Center has recently disclosed an August 2025 ransomware attack involving the acquisition of the sensitive data of study participants. University of Hawai’i Cancer Center, part of the University of Hawai’i (UH) System, is located in the Kakaʻako district of Honolulu and is the only National Cancer Institute-designated center in the state. According to the cancer center’s press release and breach reports to state attorneys general, unauthorized access to its computer network was discovered on or around August 31, 2025.

The affected servers were isolated, and an investigation was launched to determine the nature and scope of the unauthorized activity. University of Hawai’i Cancer Center confirmed that a ransomware group had breached its network, encrypted files, and exfiltrated research files containing patient information. The University of Hawai’i Cancer Center said its electronic medical record system was unaffected; however, files were obtained that contained patients’ protected health information.

The majority of the stolen files related to a single research project. The review of those files revealed that some contained the Social Security numbers of research participants dating back to the 1990s. The University of Hawai’i Cancer Center said that in the 1990s, Social Security numbers were used as patient identifiers; however, that practice has since been halted, and alternative identifiers are now used.

Due to the highly sensitive nature of the stolen data, UH made the difficult decision to engage with the threat actor. University of Hawai’i Cancer Center said it worked with third-party cybersecurity experts to obtain a decryption tool to recover the encrypted data, and paid a ransom to prevent the publication of the stolen data. Assurances have been received that all of the stolen data has been deleted.

Files unrelated to the research study are still being reviewed to determine if they contain any patient data. Notification letters have yet to be sent to the affected individuals, but they will be mailed once up-to-date contact information has been obtained. The University of Hawai’i Cancer Center said the affected individuals will be offered complimentary credit monitoring and identity theft protection services.

Even though the ransom was paid, due to the extent of file encryption, it has taken some time to recover the encrypted files and restore the affected systems. Additional security measures have been implemented to strengthen security, including replacing its existing firewall with a new firewall with additional security controls and installing new endpoint protection software with 24/7 monitoring. The University of Hawai’i Cancer Center said third-party cybersecurity experts have assessed and validated the cancer center’s security controls.

The incident has been reported to regulators; however, since the file review has not yet concluded, the number of affected individuals has yet to be disclosed.


TriZetto Data Breach: PHI of 3.4 Million Individuals Exposed

It has been more than four months since TriZetto Provider Solutions discovered unauthorized access to its IT environment, and it has now been confirmed that the protected health information of 3,433,965 individuals was exposed or compromised in the incident. The data breach has recently been added to the HHS’ Office for Civil Rights breach portal, suggesting the data breach investigation and data review have been completed. At more than 3.4 million affected individuals, it ranks as one of the largest healthcare data breaches of 2025.

January 26, 2026: TriZetto Data Breach Victim Count Swells

Based on previous estimates of the scale of the TriZetto data breach, more than 700,000 individuals were thought to have been affected. It is now clear that the data breach was significantly bigger. The Oregon Attorney General has recently been informed that the personal and protected health information of 3,433,965 individuals was exposed or compromised in the incident, plus a further 304 individuals in TriZetto’s capacity as a business associate of Columbia River Health.

Attorneys General in other U.S. states have also received breach notices, although few publicly disclose the number of state residents affected. Two states that do are Texas and South Carolina. The Texas Attorney General was informed that the personal and protected health information of 171,158 Texas residents was compromised in the incident, while South Carolina was informed that 3,562 individuals in the state were affected. Other states that have been notified but have not published the number of affected individuals include California, Massachusetts, New Hampshire, and Vermont. Based on the disclosures to the Oregon, Texas, and New Hampshire Attorneys General alone, the data breach is known to have affected more than 3.6 million individuals, making it one of the largest healthcare data breaches of 2025.

TriZetto has yet to confirm whether the review of the affected data has been completed, and there is currently no TriZetto data breach listed on the HHS’ Office for Civil Rights breach portal. It is not unusual for the number of affected individuals to be increased several times as a data breach investigation and data review progress. For instance, the massive data breach at Change Healthcare in 2024 was first reported as affecting 500 individuals. The total number of affected individuals was updated to 100 million, and the final estimate provided to regulators was 192,700,000 individuals.

While the TriZetto Provider Solutions data breach is unlikely to match the scale of the Change Healthcare data breach, it should be noted that TriZetto handles more than 4 billion payment, enrollment, and claims transactions each year in its capacity as a HIPAA business associate. The total could therefore be substantially higher than the 3.6 million individuals currently known to have been affected.

Notification letters have started to be mailed to the affected individuals. The HIPAA Journal has been contacted by individuals who have been confused after receiving a breach notice from TriZetto, as they had no direct dealings with the company. This is a common occurrence when data breaches occur at business associates of HIPAA-covered entities. One California resident claimed the letter she received did not state the name of the healthcare provider that provided TriZetto with her data, which made her question whether the notification letter could be a scam.

January 15, 2026: TriZetto Provider Solutions Issues Data Breach Notifications to HIPAA Covered Entities (Update)

TriZetto Provider Solutions, a Cognizant-owned provider of revenue management services to physicians, hospitals, and health systems, has started notifying certain healthcare clients about a recently identified cybersecurity incident.

On October 2, 2025, suspicious activity was identified within a web portal used by some of its healthcare provider customers to access TriZetto systems. Immediate action was taken to secure the web portal and mitigate the incident, and the cybersecurity firm Mandiant was engaged to investigate the activity, review the security of the web portal application, and ensure that the incident is fully remediated. TriZetto is satisfied that the threat actor has been eradicated from its system. No further unauthorized web portal activity has been detected since October 2, 2025.

While the cybersecurity incident was only recently detected, the unauthorized access had been ongoing for a considerable period of time. The forensic investigation determined that an unauthorized third party first started accessing historical eligibility transaction reports within the TriZetto system in November 2024, almost a year before the unauthorized access was detected. The reports within its storage system contained the protected health information of patients of certain healthcare provider clients.

Between October 2, 2025, and the end of November 2025, TriZetto reviewed the data within the compromised system to determine the types of data involved and the individuals affected. Information compromised in the incident includes the names of patients and primary insureds, in combination with some or all of the following: address, date of birth, Social Security number, health insurance member number (in some cases, Medicare beneficiary number), health insurer name, information about the primary insured or beneficiary, and other demographic health and health insurance information. TriZetto said no financial information was involved.

Notifications have been issued to the affected healthcare clients, who have been provided with a list of the affected individuals and a copy of the affected data. The HIPAA Breach Notification Rule requires notifications to be issued to the affected individuals within 60 days of a HIPAA-covered entity being notified about a data breach at a business associate. Assuming the affected healthcare providers comply with that HIPAA requirement, individual notifications for the affected individuals should be mailed within 60 days.

TriZetto has offered to handle the breach notifications on behalf of the affected clients, should they determine that breach notifications are required under HIPAA. TriZetto has also offered to notify the HHS’ Office for Civil Rights, state regulators, and media outlets on behalf of its covered entity clients, and will also cover the cost of complimentary credit monitoring, fraud consultation, and identity theft restoration services.

It is currently unclear how many of its healthcare provider clients have been affected. TriZetto informed one of the affected clients that the protected health information of more than 700,000 individuals was likely compromised in the attack.

A majority of the affected covered entities are based in California and did not contract with TriZetto as a business associate. TriZetto was a subcontractor used by OCHIN, a provider of HealthIT solutions, workforce, and operational solutions to rural and community health centers. OCHIN was provided with certain patient data as required to perform its contracted services, and OCHIN subcontracted certain functions to TriZetto Provider Solutions. The incident highlights the wide-reaching effects of a cyberattack on a business associate or one of its vendors.

The HIPAA Journal is tracking breach reports, and confirmed data breaches are listed in the table below when each affected entity reports the breach to state attorneys general or the HHS’ Office for Civil Rights, makes a media announcement, or contacts The HIPAA Journal directly. The list below is not exhaustive.

| Affected Entity | State | Nature of Relationship | Affected Individuals |
|---|---|---|---|
| Asian Americans for Community Involvement | California | TriZetto was a subcontractor of business associate OCHIN | 521 |
| Axis Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 3,579 |
| Baltimore City Health Department | Maryland | TriZetto was a subcontractor of business associate OCHIN | 2,597 |
| Bay Area Community Health | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Benton County Health | Oregon | Business associate | 1,476 |
| Best Care | Oregon | Business associate | 1,650 |
| CE-Edinger Medical Group | California | Unknown | Unconfirmed |
| Chattanooga C.A.R.E.S. d/b/a Cempa Community Care | Tennessee | TriZetto was a subcontractor of business associate OCHIN | 1,341 |
| Columbia River Health | Oregon | Business associate | 304 |
| Deschutes County Health Services | Oregon | Business associate | 1,305 |
| Friends of Family Health Center | California | TriZetto was a subcontractor of business associate OCHIN | 2,256 |
| Gardner Health Services | California | Business associate | 6,197 |
| Harmony Health Medical Clinic and Family Resource Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Indian Health Center of Santa Clara Valley | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Ko-Kwel Wellness Center | Oregon | TriZetto was a subcontractor of business associate OCHIN | 543 |
| La Clinica de la Raza | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| La Pine Community Healthcare Center | Oregon | Business associate | 1,190 |
| Lifelong Medical Care | California | Business associate | 70,000 |
| Lynn Community Health | Massachusetts | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Mendocino Community Health Clinic | California | TriZetto was a subcontractor of business associate OCHIN | 3,538 |
| Mission Neighborhood Health Center | California | TriZetto was a subcontractor of business associate OCHIN | 3,741 |
| Native American Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| OLE Health (dba CommuniCare + OLE) | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| One Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 4,309 |
| Open Door Community Health Centers | California | TriZetto was a subcontractor of business associate OCHIN | 6,633 |
| Pafford Medical Services (Pafford EMS) | Arkansas | Business associate | 1,000 |
| Petaluma Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Planned Parenthood Northern California | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Share Ourselves | California | Business associate | 2,864 |
| San Francisco Community Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Riverland Community Health | Minnesota | Business associate | 940 |
| Santa Barbara County Health Department | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Santa Cruz Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 1,487 |
| Santa Rosa Community Health Centers | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Terry Reilly Health Services (Community Health Clinics Inc.) | Idaho | TriZetto was a subcontractor of business associate OCHIN | 5,421 |
| Tiburcio Vasquez Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Utah Valley Pediatrics | Utah | TriZetto was a subcontractor of business associate OCHIN | 9,958 |
| Valley Family Care | California | Business associate OCHIN | 4,300 |
| Variety Care | Oklahoma | Business associate | 17,163 |
| Winters Healthcare | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |

This post was first published on December 11, 2025, and it will continue to be updated as further information about the TriZetto data breach is released. 

The post Trizetto Data Breach: PHI of 3.4 Million Individuals Exposed appeared first on The HIPAA Journal.

Vida Y Salud-Health Systems & Dublin Medical Center Confirm Data Breaches

Data breaches have recently been announced by Vida Y Salud-Health Systems in Crystal City, Texas, and Dublin Medical Center in Georgia.

Vida Y Salud-Health Systems, Texas

Vida Y Salud-Health Systems, a Crystal City, TX-based Federally Qualified Health Center, has recently reported a data breach to the Texas Attorney General involving unauthorized access to the protected health information of 34,504 Texas residents. On October 8, 2025, suspicious activity was identified within its network. The forensic investigation confirmed that an unauthorized third party gained access to its network on October 7, 2025, and exfiltrated data.

The investigation and data review have recently concluded, and it was confirmed that names, addresses, dates of birth, Social Security numbers, driver’s license numbers, account numbers, and claim numbers had been stolen. Vida Y Salud-Health Systems has notified the HHS’ Office for Civil Rights; however, the data breach is not currently shown on the OCR data breach portal, so it is unclear how many individuals in total have been affected. Vida Y Salud-Health Systems said steps have been taken to strengthen security to prevent similar breaches in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Dublin Medical Center, Georgia

Dublin Medical Center in Georgia has recently started notifying individuals affected by an October 2025 cybersecurity incident. Suspicious activity was identified within its computer network on October 17, 2025. The substitute data breach notice on Dublin Medical Center’s website does not state when the unauthorized access started.

The review of the files on the affected parts of its network confirmed that patient data was compromised in the incident. The data types varied from individual to individual and may have included names in combination with some or all of the following: contact information, date of birth, patient status, provider name, diagnosis and treatment information, prescriptions, medical history, radiology imaging and reports, medical consent forms, lab reports, patient identification number, dates of service, and health insurance information.

The investigation is continuing; however, notification letters started to be mailed to the affected individuals on December 17, 2025. The affected individuals have been advised to remain vigilant against misuse of their data by reviewing their account statements, free credit reports, and explanation of benefits statements. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


CareOregon and Health Share of Oregon Warn of Potential Insurance Fraud After Data Breach

CareOregon and Health Share of Oregon have notified certain patients about a data breach and potential insurance fraud. Andover Eye Associates has identified a breach of its email environment.

CareOregon and Health Share of Oregon

CareOregon and Health Share of Oregon have notified certain patients about unauthorized access to some of their protected health information. It is unclear from the phrasing of the notice whether this was an insider breach or if data was accessed by an external actor. The data breach notice states that, “On October 27, 2025, we learned that one or more people looked at your information without permission.” Social Security numbers and financial information were not accessed. The data viewed and potentially obtained was limited to first and last names, dates of birth, health plan information, Medicaid/Medicare numbers, and primary care provider office.

The notice states that there may have been data misuse, warning that the information may have been used to create fake insurance claims. CareOregon and Health Share of Oregon said they were unable to determine if any specific patient’s information had been misused. The affected individuals have been reminded that CareOregon and Health Share of Oregon do not bill for covered health care services, and have been informed that they will not receive a bill even if their data has been misused to file a fake insurance claim. Individuals who receive a letter detailing the services that they should have received should check the letter carefully and report back if there are any listed services that have not been provided.

Law enforcement has been notified, an investigation has been conducted, and the identified issue has been fixed. Further, CareOregon and Health Share of Oregon have changed how individuals’ information can be viewed, and the staff have been retrained. There is currently no breach report on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Andover Eye Associates

Andover Eye Associates in Andover, Massachusetts, has experienced an email security incident that exposed the data of 1,638 patients. Suspicious activity was identified in two employee email accounts on June 10, 2025. An investigation was launched, which confirmed that an unauthorized third party gained access to the accounts on May 28, 2025. No other employee email accounts were affected.

The email accounts were reviewed, and on November 4, 2025, Andover Eye Associates confirmed that the accounts contained patient names and Social Security numbers. Additional training has been provided to the workforce, and additional safeguards are being implemented to improve email security. Notification letters have been mailed to the affected individuals, who have been offered complimentary credit monitoring services for 12 months.
