HIPAA Breach News

Tri Century Eye Care & Pittsburgh Gastroenterology Associates Announce Data Breaches

Data breaches have recently been announced by Tri Century Eye Care in Pennsylvania, Pittsburgh Gastroenterology Associates, NAHGA Claims Services, and the Texas revenue cycle management company, Legacy Health.

Tri Century Eye Care

Tri Century Eye Care, P.C., in Pennsylvania, has recently started notifying patients about a September 2025 data security incident involving the theft of files containing sensitive data. Suspicious network activity was identified on September 3, 2025, and immediate steps were taken to secure its network. Third-party cybersecurity specialists were engaged to investigate and determine the nature and scope of the activity, and on September 19, 2025, Tri Century Eye Care learned that an unknown actor had accessed its network and acquired files. There was no unauthorized access to its electronic medical record system.

The files were reviewed and found to contain personal and protected health information of patients and employees. The types of information involved varied from individual to individual and may have included names in combination with one or more of the following: Social Security number, date of birth, medical or health information, diagnostic and treatment information, health insurance information, billing or payment information, and/or tax/financial information.

Tri Century Eye Care has implemented additional security measures to reduce the risk of similar incidents in the future, including enforcing stronger password requirements, requiring more frequent password changes, reducing access permissions, and ensuring older data is stored offline. The HHS’ Office for Civil Rights has been notified about the incident, as has the FBI. The OCR breach portal is not currently showing the data breach, so it is unclear how many individuals have been affected.

The Pear threat group claimed responsibility for the incident. Pear (Pure Extraction And Ransom) is a private hacking group that does not engage in data encryption. While no specific industry is targeted, the group has claimed several healthcare victims. Pear claims to have exfiltrated 3.3 GB of data, and appears to have leaked the full dataset.

Pittsburgh Gastroenterology Associates

Pittsburgh Gastroenterology Associates has notified patients about an August 2025 cyberattack that involved unauthorized access to patient information. This appears to have been a ransomware attack, based on the description in its breach notification letters. Network disruption was experienced on August 12, 2025, and after taking steps to secure its IT systems, an investigation was launched to determine the nature and scope of the activity. Assisted by digital forensics specialists, Pittsburgh Gastroenterology Associates determined on August 28, 2025, that a threat actor had accessed its network and may have exfiltrated files containing patient information.

The exposed files were reviewed and found to contain first and last names, birth dates, treatment and procedure information, and health insurance information. Social Security numbers and financial information were not involved, and there was no unauthorized access to its electronic medical record system. Third-party experts have been engaged to conduct a full review of its security practices, and enhancements have been made to improve network and data security.

The Sinobi ransomware group claimed responsibility for the attack and added Pittsburgh Gastroenterology Associates to its dark web data leak site. The dark web leak site appears to list the full 198 Gb of data stolen in the attack.

NAHGA Claims Services

The National Accident Health General Agency (NAHGA) Claims Services, a Bridgton, Maine-based third-party administrator specializing in accident and health insurance claims, has recently notified state attorneys general about a security incident involving unauthorized access to its computer network. Suspicious network activity was identified on April 13, 2025, and third-party cybersecurity experts were engaged to investigate the activity.

The investigation revealed that its computer network had been accessed by an unauthorized third party between April 8, 2025, and April 10, 2025, during which time certain files on its network may have been acquired. A review was conducted to determine the types of information compromised in the incident, and that process was completed in October. NAHGA has been working with the affected clients to issue notifications to the affected individuals.

At present, it is unclear how many individuals have been affected; however, given that NAHGA provides services nationally, the data breach has the potential to be significant. NAHGA is offering the affected individuals complimentary credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy. NAHGA has also taken steps to improve network and data security to prevent similar data breaches in the future.

Legacy Health

Legacy Health, a Texas revenue cycle management company that works with more than 12,000 healthcare providers, has recently disclosed a security incident that has exposed patient data.  Little is currently known about the data breach, other than it potentially involves unauthorized access to individuals’ names, medical information, and health insurance information. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected in total, although the Texas Attorney General was informed that 4,031 Texas residents have been affected.

The post Tri Century Eye Care & Pittsburgh Gastroenterology Associates Announce Data Breaches appeared first on The HIPAA Journal.

New Jersey Medical Center Suffers Ransomware Attack

Central Jersey Medical Center in New Jersey has experienced a ransomware attack. David A. Nover, M.D., is notifying patients about a hacking incident, and Goglia Nutrition (FuturHealth) has announced an October 2024 data breach.

Central Jersey Medical Center, New Jersey

Central Jersey Medical Center, Inc., a Federally Qualified Health Center with locations in Perth Amboy, Newark, and Carteret, New Jersey, has started notifying dental patients about a recent security incident. On August 25, 2025, a cybercriminal actor gained access to its dental server’s network and used ransomware to encrypt files.

An investigation was launched to determine the nature and scope of the activity, and a review was conducted to identify the patients affected and the types of information that were exposed. The electronic medical record system was unaffected; however, files containing patient information were potentially accessed or obtained. At the time of issuing notification letters, Central Jersey Medical Center had not found any evidence to indicate any misuse of the exposed data. The Sinobi ransomware group claimed responsibility for the attack and added the healthcare provider to its data leak site. Sinobi claims to have exfiltrated 930 GB of data.

The types of information involved varied from patient to patient and may have included names in combination with one or more of the following: address, telephone number, email address, date of birth, race/ethnicity, Social Security number, dental record number, health insurance information, dental diagnosis, treatment history, and/or billing information.

Third-party cybersecurity experts were engaged to investigate the incident and review and enhance security, and internal procedures have been strengthened to prevent similar incidents in the future. The data breach has been reported to regulators; however, it is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

David A. Nover, M.D., P.C., Pennsylvania

David A. Nover, M.D., P.C., a psychiatry and psychotherapy practice in Warrington, Pennsylvania, is notifying patients about a recent security incident that exposed patient information. On or around June 3, 2025, unusual activity was identified within the practice’s computer network. An investigation was launched, with assistance provided by legal counsel and third-party digital forensics specialists. The investigation confirmed unauthorized access to the network on June 3, 2025, and some files containing patient information were copied from the network. The exposed files have been reviewed, and that process was completed on October 29, 2025.

Information potentially compromised in the incident included names, dates of birth, Social Security numbers, payment card information (number, expiration date, access information), medical record numbers, patient IDs or account numbers, Medicare numbers, health insurance ID numbers, health insurance group numbers, medical diagnosis information, medical treatment information, medical treatment location, doctors’ names, treatment dates, and medical lab or test results. Credit monitoring and identity protection services have been offered to the affected individuals. The data breach is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

FuturHealth, California

Goglia Nutrition, doing business as FuturHealth, Inc., a California-based health and wellness company specializing in nutrition plans and weight management, has experienced a data security incident. According to the notification letters mailed on October 17, 2025, the data breach occurred in October 2024.

According to the notification letters, on October 16, 2024, an unknown actor gained access to a data storage environment containing G-Plan data. The review of the affected storage environment has recently concluded and confirmed that the data compromised in the incident included names and information provided by customers as part of their subscription. Highly sensitive information such as Social Security numbers, driver’s license numbers, and financial information was not involved. The number of affected individuals has yet to be publicly disclosed.

Oglethorpe Hacking Incident Affects More Than 92,000 Patients

A Tampa, FL-based network of mental health and addiction recovery treatment facilities has recently disclosed a security incident that involved unauthorized access to patient data. Oglethorpe offers management solutions for health centers, wellness clinics, and hospitals that specialize in psychiatric services, substance abuse treatment programs, and behavioral health counseling, and has facilities in Florida, Louisiana, and Ohio.

In June 2025, Oglethorpe experienced a hacking incident that rendered its systems inoperable for a limited time.  Third-party cybersecurity experts were engaged to help contain, investigate, and remediate the incident. The investigation revealed that the hackers first gained access to its network on May 15, 2025, and maintained access until June 6, 2025. The investigation concluded on September 16, 2025, when it was confirmed that files containing patient information had been exfiltrated from its network. Those files were reviewed, and that process was completed on October 23, 2025, when Oglethorpe learned that first and last names, birth dates, Social Security numbers, driver’s license numbers, and medical information were involved.

Oglethorpe said no evidence has been found to indicate any misuse of the impacted information; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months.

In response to the breach, all systems were wiped and rebuilt, and data was restored from backups. Steps have also been taken to improve network security to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights website; however, the Maine Attorney General was informed that the breach affected 92,332 individuals, including 85 Maine residents.

Northern Montana Health Care Affected by Business Associate Hacking Incident

Havre, MT-based Northern Montana Health Care (NMHC) has been affected by a data breach at one of its business associates. NMHC contracted with Wakefield & Associates, LLC, which provides debt collection services. On October 29, 2025, NMHC published a notice warning patients about a security incident at Wakefield & Associates, which involved unauthorized access to certain files. The incident was confined to the Wakefield & Associates network. No NMHC systems were affected.

Wakefield & Associates is notifying the affected individuals directly, and the individual letters state the types of information involved. NMHC has confirmed that Wakefield & Associates is offering the affected individuals complimentary credit monitoring and identity theft protection services. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

OB-GYN Associates & Beverly Hills Oncology Medical Group Issue Breach Notifications

OB-GYN Associates in Nevada and Beverly Hills Oncology Medical Group in California have recently started notifying patients affected by hacking incidents.

OB-GYN Associates, Nevada

OB-GYN Associates, a women’s health clinic in Reno, Nevada, has recently mailed notification letters to 62,238 individuals warning them that some of their protected health information has been exposed in a recent security incident. On or around August 7, 2025, suspicious activity was identified within its IT environment. Third-party cybersecurity experts were engaged to investigate the activity and confirmed that there had been unauthorized access to parts of its network where patient data was stored.

The review of the affected data was completed on September 29, 2025. While no evidence of data misuse has been identified, patients have been informed that their first and last names, Social Security numbers, driver’s license numbers, and medical information have been exposed and may have been stolen. As a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit reporting, and credit score services. Data security policies and procedures have been reviewed and updated, network security protections have been upgraded, and changes have been made to how data is stored and managed to protect against similar incidents in the future.

Beverly Hills Oncology Medical Group

Beverly Hills Oncology Medical Group in California has notified certain patients about a security incident in February that may have resulted in the theft of patient information.  According to the breach notices provided to the Maine and California Attorneys General, unauthorized network access was identified and blocked on February 11, 2025.

An investigation was launched, with assistance provided by third-party cybersecurity experts, who confirmed unauthorized access to its network between February 7 and February 11, 2025.  The exposed files have been reviewed, and on October 13, 2025, Beverly Hills Oncology Medical Group confirmed that the exposed information included names, Social Security numbers, driver’s license numbers/other government identification numbers, financial account information, credit/debit card information, health insurance policy information, diagnoses, treatment information, prescriptions, and/or other clinical information.

Beverly Hills Oncology Medical Group said that, at the time of issuing notification letters in October, no evidence had been found to indicate any misuse of the exposed data; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

George E. Weems & Vibra Hospitals Announce Data Breaches

Data security incidents have recently been announced by George E. Weems Memorial Hospital in Florida, Vibra Hospital of Sacramento in California, the California-based plastic surgeon Michael R. Schwartz, MD, and the California-based biopharmaceutical company Travere Therapeutics.

George E. Weems Memorial Hospital

On October 20, 2025, George E. Weems Memorial Hospital in Apalachicola, Florida, started mailing notification letters to patients affected by a recent security incident involving unauthorized access to two employee email accounts. The intrusion was detected on May 12, 2025, and the investigation confirmed that the email accounts were subject to unauthorized access from May 6, 2025, to May 12, 2025.

The email accounts were reviewed, and on September 22, 2025, the hospital learned that the accounts contained patients’ protected health information, including names, addresses, phone numbers, email addresses, Social Security numbers, driver’s license numbers, account information, patient ID numbers, diagnoses and medical histories, provider names, dates of service, and health insurance information.

No evidence was found to indicate that any of the exposed information has been or will be misused, but as a precaution, individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring services. George E. Weems Memorial Hospital said it had taken many precautions to protect the privacy of patient information and will continue to review and enhance its measures to ensure privacy and security. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Vibra Hospital of Sacramento

On October 3, 2025, Vibra Hospital of Sacramento in California started notifying patients about a security incident involving unauthorized access to six employee email accounts. Suspicious activity was identified within certain email accounts on or around March 13, 2025. Assisted by third-party cybersecurity experts, Vibra Hospital determined that the email accounts were accessed by an unauthorized third party from March 11, 2025, to March 22, 2025.

The review of the affected accounts was completed on August 4, 2025, when it was confirmed that protected health information had been exposed. The types of data involved vary from individual to individual and may have included names in combination with addresses, birth dates, Social Security numbers, dates of service, diagnoses, treatment information, physician/facility names, Medicare/Medicaid numbers, patient account numbers, and/or financial account numbers.

No evidence was found to indicate any misuse of the exposed data. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their financial accounts, free credit reports, and explanation of benefits statements, and as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Vibra Hospital has also taken steps to improve email security to prevent similar incidents in the future.

Michael R. Schwartz, MD, FACS

Michael R. Schwartz, MD, FACS, a plastic surgeon based in Westlake Village, California, has recently disclosed a security incident that involved unauthorized access to patient information.  The intrusion was identified on or around August 25, 2025, and it was later confirmed that an unauthorized third party had remote access to a single computer from January 20, 2025, to August 26, 2025.

The review revealed that the threat actor may have accessed patients’ personal and protected health information, including names, addresses, email addresses, phone numbers, Social Security numbers, medical record numbers, and patient photographs. As a precaution, all office computers and servers have been replaced, security controls have been strengthened, and additional data security training has been provided to the workforce. The affected individuals have also been offered 12 months of complimentary identity theft protection services.  The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Travere Therapeutics

The San Diego, CA-based biopharmaceutical company, Travere Therapeutics, has recently notified the Massachusetts Attorney General about a recent security incident in which sensitive patient data may have been stolen. The notification letter does not include details of the incident, such as when it was detected, how long the unauthorized access lasted, or how many individuals have been affected, only that the information potentially compromised in the incident included names, addresses, phone numbers, email addresses, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring services for 24 months.

Sedgebrook & Heartland Health Center Hit with Ransomware Attacks

Ransomware attacks have recently been announced by the Illinois retirement village and skilled nursing provider Sedgebrook, and the Nebraska healthcare provider Heartland Health Center.

Sedgebrook

Sedgebrook, a retirement village and skilled nursing facility in Lincolnshire, Illinois, has recently announced a ransomware attack that involved unauthorized access to files containing individuals’ personal and protected health information. The attack was detected on May 5, 2025, when network disruption was experienced. Assisted by third-party digital forensics experts, Sedgebrook determined that a ransomware group had access to its network from May 4 to May 5, 2025, and used ransomware to encrypt files. During that time, data may have been exfiltrated from its network.

The exposed files were reviewed, and on August 26, 2025, it was confirmed that some of those files contained protected health information, including names, addresses, birth dates, Social Security numbers, driver’s license numbers, financial account information, medical treatment information, medical record numbers, and health insurance information. Notification letters started to be mailed to the affected individuals on October 24, 2025.

While no evidence was found to indicate any misuse of the exposed information, individuals whose Social Security numbers or driver’s license numbers were exposed have been offered complimentary credit monitoring and identity theft protection services. Steps have also been taken to improve security to prevent similar incidents in the future. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Heartland Health Center

Heartland Health Center, a provider of medical, dental, and behavioral health services at clinics in Ravenna and Hastings in Nebraska, has recently disclosed a security breach that was first identified on February 4, 2025. An investigation was launched, with assistance provided by third-party cybersecurity experts, to determine if any sensitive data had been exposed. Following an exhaustive review, Heartland Health Center determined on June 3, 2025, that sensitive data had been exposed and may have been acquired in the attack.

The types of information involved vary from individual to individual and may have included names plus one or more of the following: date of birth, Social Security number, driver license number, financial account number, username and access information for a non-financial account, dates of service, diagnosis information, health insurance information, physician/medical facility information, medical condition/treatment information, medical record number, Medicare or Medicaid number, patient account number, certificate or license number, full face photo, and referral information.

Heartland Health Center said it already had robust cybersecurity measures in place, and they will continue to be reviewed and enhanced as necessary. As a precaution against misuse of patient information, the affected individuals have been offered complimentary single-bureau credit monitoring, credit score, and credit report services. While not described as a ransomware attack, the Medusa ransomware group claimed responsibility for the incident. Medusa is known to exfiltrate and either sell or publish the stolen data, so the affected individuals should ensure that they take advantage of the credit monitoring services on offer. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Missouri Regulators Claim Conduent is Stonewalling State’s Data Breach Investigation

An investigation by regulators in Missouri into the 2024 hacking incident at Conduent Business Services has stalled. The Missouri Department of Commerce claims it is being stonewalled by Conduent, which has not provided the information it requires about the data breach.

Conduent, a provider of printing, mailroom, document processing, payment integrity, and other back-office support services, discovered in January 2025 that hackers accessed parts of its network between October 21, 2024, and January 13, 2025, and potentially exfiltrated files containing electronic protected health information. Data potentially compromised in the incident included names, addresses, Social Security numbers, and medical records. Conduent has taken steps to notify insurers, members, and law enforcement about the cybersecurity breach and has offered the affected individuals 12 months of complimentary credit monitoring services.

The breach was significant, affecting tens of millions of individuals. In a February 2025 filing with the Wisconsin Department of Agriculture, Trade, and Consumer Protection, Conduent estimated that 25 million individuals were affected; however, 16 months after the discovery of the data breach, the full scale of the data breach has yet to be confirmed.

On March 17, 2026, the Missouri Department of Commerce issued an insurance bulletin seeking information about the data breach, in which it strongly encouraged all insurers and other entities regulated by the department to determine if their members had been affected and, if so, to ensure that they are notified by Conduent. The Department of Commerce said it has been in direct contact with Conduent since it issued the bulletin; however, Conduent has been unwilling to provide the department with the information it requires to fully assess the impact of the data breach. While the Department of Commerce claims Conduent has been unwilling to answer the questions, Conduent may not be able to provide those answers.

“We are concerned and disappointed that Conduent has not provided sufficient information for regulators to fully assess the potential impact of this breach,” DCI Director Angela Nelson said. “Clear and timely communication is critical in these situations, and we are continuing to seek the details needed to evaluate any risk to Missouri insurance consumers.” The matter has now been escalated by the Department of Commerce, which issued another bulletin requesting insurers share information directly with the department about any Conduent services used, or those of its affiliates, prior to or during the period of the breach, along with information about the nature of those services. “We are committed to using every tool available to understand the scope of this incident and to ensure Missourians have the information and resources needed to protect themselves,” Director Nelson said.

“Because of Conduent’s failure to provide information, the Department asks that any insurer or other entity regulated by the Department that utilized the services of Conduent or any of its affiliates prior to or during the time period of the cybersecurity breach, either directly or indirectly, contact the Department’s Market Conduct Section,” states the Department of Commerce in the bulletin.

Conduent issued a statement confirming that it is cooperating with the Department of Commerce to the full extent possible without violating any laws, regulations, or contractual obligations, and said it will continue to respond to the department’s requests. “The cybersecurity incident affected Conduent Business Services, which is not a licensee with DCI. Conduent agreed to provide notice on behalf of its clients; however, Conduent does not have visibility regarding which of its clients are licensees with DCI, and it has no authority to speak with DCI on behalf of any clients.” Conduent has contacted all of its clients and advised them about the Department of Commerce bulletin, and asked licensees with affected Missouri residents to submit a report directly to the Department of Commerce.

In addition to requesting information from the affected clients, the Department of Commerce is encouraging all consumers who were notified that they have been affected to review the communications they receive carefully, and suggests that they should continue to monitor their financial and credit activity. The deadline for signing up for the complimentary credit monitoring services has passed, so the Department of Commerce recommends that consumers check their free credit reports and consider placing a fraud alert or credit freeze with credit reference agencies.

February 13, 2026: Texas Attorney General Investigates 25M+ Conduent Business Services Data Breach

Texas Attorney General Ken Paxton has announced that his office has launched an investigation into the data breach at Conduent Business Services, stating that this could potentially be the largest healthcare data breach in U.S. history. While it is certain that the data breach is one of the largest, the 2024 data breach at Change Healthcare will take some beating. That data breach affected 192.7 million individuals.

The U.S. list of confirmed victims has continued to grow, with Premera Blue Cross, Humana, Volvo Group North America (17,000 employees), and various Blue Cross and Blue Shield (BCBS) branches (Texas, Montana, Illinois) known to have been affected. The full list of affected entities has not been disclosed.

As reported below, the Conduent data breach involved unauthorized access to information such as names, birthdates, addresses, Social Security numbers, medical information, and health insurance information. Hackers had access to its systems from October 21, 2024, to January 13, 2025, and more than a year after the incident was detected, the total number of affected individuals has yet to be confirmed.

“The Conduent data breach was likely the largest breach in U.S. history,” Mr. Paxton said in a statement. “If any insurance giant cut corners or has information that could help us prevent breaches like this in the future, I will work to uncover it.”

Attorney General Paxton is seeking information on the security policies, practices, and protocols at Conduent to determine if the company complied with state law, and has requested evidence from one of the victims: Blue Cross Blue Shield of Texas. Conduent provides mailroom, payment, and back-office support to BCBS of Texas, which requires access to certain types of member information. BCBS of Texas has yet to disclose how many of its members were affected, but overall, Attorney General Paxton has been informed that more than 15.49 million individuals in Texas have been affected. That total has increased at least twice since the initial notification was issued.

“From the outset of this incident, we acted promptly and in alignment with incident‑response protocols to contain and investigate the issue. We engaged leading third‑party cybersecurity experts, disclosed the incident through an 8-K filing, notified clients and relevant authorities, and worked to support those impacted by the event, including most recently sending notifications on clients’ behalf. To date, there is no evidence that any underlying data has been misused, posted, or made publicly available, and we continue to monitor closely,” a spokesperson for Conduent said in a statement provided to The HIPAA Journal. “We look forward to working cooperatively with the Texas Attorney General’s Office to provide the relevant information, consistent with our longstanding practice of constructive engagement with regulators.”

February 4, 2026: Conduent Business Services Data Breach Victim Count Swells to Over 25M

Conduent Business Services in New Jersey had previously confirmed in a breach report to the Oregon Attorney General that a 2024 hacking incident affected 10.5 million individuals. While already a massive data breach and one of the largest healthcare data breaches to be announced in 2025, the victim count has grown considerably.

A breach report submitted to the Texas attorney general indicated that almost 14.8 million individuals in Texas alone (14,791,500) had their personal and protected health information compromised in the incident. That total has since been updated to 15,494,592 individuals as the investigation and data review have progressed. The initial breach report to the Texas attorney general in October 2025 indicated that around 4 million individuals were affected. In addition to Oregon and Texas, notifications have been sent to state attorneys general in California, Delaware, Indiana, Maine, Massachusetts, New Hampshire, and Vermont. Out of those, Indiana (5,892 affected individuals) and Maine (374 individuals) have published figures on the number of affected individuals.

Conduent Business Services has sent several notifications to the New Hampshire attorney general confirming that data connected with one or more covered entities and data owners was compromised. In those letters, Conduent explained that a further 67,555 state residents have been confirmed as affected since the initial notification to the New Hampshire Attorney General on October 8, 2025.

The SafePay ransomware group claimed responsibility for the attack on Conduent Business Services in February 2025, adding the company to its dark web data leak site. SafePay claimed to have stolen 8.5 terabytes of data in the attack and threatened to publish the stolen data if the ransom was not paid. Conduent is no longer listed on the site.

Many HIPAA-covered entities and government agencies contract with Conduent Business Services, which provides mailroom and other back-office services. Conduent’s client list includes health insurance giants such as Humana – a top 5 U.S. health insurer, Premera Blue Cross – the largest health insurer in the Pacific Northwest, Blue Cross and Blue Shield of Texas – the largest health insurer in Texas, and Blue Cross and Blue Shield of Montana – the largest health insurer in Montana.

Conduent Business Services has offered to issue notification letters to the affected individuals on behalf of its HIPAA-covered entity clients, but has yet to confirm the total number of affected individuals. The HHS’ Office for Civil Rights breach portal still lists the breach as affecting 42,616 individuals. Gold Coast Health Plan has confirmed that it was affected, although only 540 of its plan members had their data compromised in the incident.

While it may appear straightforward to determine the data compromised in an incident and the number of individuals affected, data breach investigations and data reviews can be complicated, and it can take many weeks or months to obtain an accurate list of the affected individuals. Conduent has been providing regular updates to state attorneys general as the investigation and data review have progressed, although it may be some time before the true scale of the data breach is confirmed. Conduent has issued a statement confirming that it plans to finish issuing notifications in early 2026.

November 11, 2025: Conduent Anticipates $25M Data Breach Cost by Q1, 2026

In its first-quarter earnings report, Conduent said it did not experience any material impacts to its operating environment or costs from the January 2025 cyberattack itself; however, it did incur $9 million in breach costs related to notifications by the end of September 2025 and anticipates a further $16 million in costs will be incurred by the first quarter of 2026, according to its third-quarter earnings report. Conduent said it holds a cyber insurance policy and anticipates that any additional notification costs will be covered by the insurance policy.

Further costs may be incurred due to the impacted data, reputational harm, litigation, and regulatory actions, which could impact the company’s financial position. As reported below, several lawsuits have already been filed in response to the data breach, and Conduent is certain to be investigated by the HHS’ Office for Civil Rights and state attorneys general. Regulatory fines may be imposed if Conduent is found to have violated state or federal regulations.

November 7, 2025: Lawsuits Mount Over 10.5 Million-Record Conduent Data Breach

A data breach affecting more than 10.5 million individuals was certain to trigger a barrage of lawsuits, and litigation has been swift, with at least 9 class action lawsuits already filed in response to the Conduent data breach in New Jersey federal court. That total is certain to grow over the coming days and weeks, as many law firms have announced that they have opened investigations regarding potential class action litigation.

The lawsuits make similar claims – that Conduent was negligent by failing to adequately protect its network against unauthorized access and for its alleged failure to provide adequate notifications to the individuals affected by the data breach. The cyberattack was first detected by Conduent in January 2025, three months after hackers first gained access to its network. Conduent first announced the data breach three months later, confirming that sensitive data had been exposed and that the incident affected a substantial number of individuals.

It naturally takes time to investigate any data breach and to determine the number of individuals affected and the types of data involved; however, the lawsuits take issue with the length of that process. It has taken 10 months from when the cyberattack was first detected for the scale of the breach to become clear and for the affected individuals to be notified that their sensitive information has been compromised. Notification letters started to be sent in October 2025, one year after Conduent’s network was first accessed by unauthorized individuals.

In addition to negligence and negligence per se, the lawsuits assert claims such as breach of third-party beneficiary contract and unjust enrichment, and seek a jury trial, compensatory, statutory, and punitive damages, and injunctive relief, requiring the court to order Conduent to implement a range of security measures to ensure sensitive data is adequately protected.

The threat group behind the attack may have been the SafePay ransomware group, which added Conduent to its data leak site in January 2025, although Conduent is not currently listed on the SafePay data leak blog. That often means that a ransom has been paid or the stolen data has been sold, although ransomware groups have been known to fabricate claims.

Class action lawsuits are mounting, but Conduent is also likely to face regulatory scrutiny over the data breach. States are likely to investigate a data breach of this magnitude to determine whether appropriate cybersecurity measures had been implemented in line with state laws and the HIPAA Security Rule. Questions are likely to be asked about how the hackers were able to gain access to such a large amount of sensitive data.

Conduent will also face scrutiny from the HHS’ Office for Civil Rights, which will seek to establish whether the data breach was the result of HIPAA compliance failures. While OCR HIPAA compliance investigations often take many months or years, OCR has indicated it is prioritizing high-impact incidents, as it did with the cyberattack on Change Healthcare, which affected north of 190 million individuals. There is, at this stage, no indication that Conduent has violated any regulations at the federal or state level.

October 28, 2025: More Than 10.5 Million Patients Affected by Conduent Business Services Data Breach

A data breach at a business associate of several HIPAA-covered entities and government agencies has resulted in the exposure and potential theft of the protected health information of more than 10.5 million patients. The Conduent Business Services data breach is the largest healthcare data breach to be announced so far this year, affecting almost twice as many individuals as the second-largest data breach, which was reported earlier this year by Yale New Haven Health. It also ranks as the 8th largest healthcare data breach in history.

Conduent Business Services provides a range of back-office services, including printing, mailing, document processing, payment integrity services, and other support services to government agencies and healthcare organizations. It is currently unknown how many HIPAA-regulated entities have been affected by the data breach.

Blue Cross and Blue Shield of Montana recently announced that it had been affected and that notification letters are being mailed to 462,000 individuals. Blue Cross and Blue Shield of Texas has announced that approximately 310,000 UT Select and UT Care plan members have been affected. The incident is also known to have affected Humana customers and Premera Blue Cross members, although it is unclear how many. Conduent provides services to government agencies such as the Wisconsin Department of Children and Families and Oklahoma Human Services (OHS), which experienced a temporary disruption to some of their services due to the outage in January, although OHS was informed that it did not have sensitive data exposed in the incident.

State regulators have been informed that 10,515,849 patients have been affected, including more than 4 million individuals in Texas. It is unclear if any non-healthcare clients had data compromised in the incident. The Conduent Business Services data breach was reported to the U.S. Securities and Exchange Commission (SEC) in April. In the SEC filing, Conduent explained that a threat actor gained access to a limited portion of its network IT environment and obtained the data of “a significant number” of people. The incident is not yet shown on the HHS’ Office for Civil Rights (OCR) breach portal, which has not been updated by OCR since September 24, 2025, due to the government shutdown.

The intrusion was detected on January 13, 2025. Assisted by third-party digital forensics experts, Conduent determined that initial access occurred on October 21, 2024, with the threat actor maintaining access for almost three months until Conduent secured its network on January 13, 2025. Conduent said it restored access to the affected systems within days, and in some cases, within hours, and the incident did not have any material impact on its operations.

The investigation confirmed that the threat actor exfiltrated files associated with some of its clients. Due to the complexity of the data involved, it has taken several months to complete the file review and determine the individuals affected and the types of data involved. Individual notifications are now being mailed to the affected individuals.

Information compromised in the incident varies from company to company and individual to individual, potentially involving names, dates of birth, Social Security numbers, treatment information, and claims information. Based on the notice provided to the California Attorney General, complimentary credit monitoring and identity theft protection services do not appear to have been offered.

While the total cost of the cyberattack is not yet known, Conduent said in its May 2025 first-quarter earnings report that it incurred $25 million in direct costs related to the breach response. A cyber insurance policy is held, which will cover a proportion of the cost.

This post will be updated when further information is released.

The post Missouri Regulators Claim Conduent is Stonewalling State’s Data Breach Investigation appeared first on The HIPAA Journal.

Data Breaches Announced by ModMed, LifeBridge Health & Right at Home

Data breaches have been announced by the EHR provider Modernizing Medicine (ModMed), the Baltimore healthcare provider LifeBridge Health, and the home health care provider Right at Home.

Modernizing Medicine

Modernizing Medicine (ModMed), a provider of specialty-specific electronic health record software, has recently notified state attorneys general about a July 2025 security incident involving theft of data from its systems. Suspicious activity was identified on its computer servers on July 21, 2025. An investigation was launched to determine the cause of the activity, and on July 29, 2025, it was confirmed that there had been unauthorized access to its servers between July 9, 2025, and July 10, 2025, during which time files containing sensitive data were copied from the servers.

The files were reviewed and found to contain personal and protected health information such as full names, dates of birth, addresses, phone numbers, email addresses, Social Security numbers, medical record numbers, patient account numbers, provider and practice names, billing and diagnostic codes, prescriptions/medications, diagnosis and treatment information, bank/financial account information, driver’s license numbers/government ID cards, and health insurance information. ModMed said full medical records were not involved, and the types of information compromised vary from individual to individual.

The affected healthcare providers were notified on September 19, 2025, and notification letters started to be mailed to the affected individuals on October 17, 2025. ModMed is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were compromised in the incident, and steps have been taken to improve security to prevent similar incidents in the future. Due to the government shutdown, the HHS’ Office for Civil Rights breach portal has not been updated in a month, so it is currently unclear how many individuals have been affected.

LifeBridge Health

LifeBridge Health, a non-profit healthcare corporation serving patients in and around Baltimore, Maryland, has recently informed patients that some of their protected health information was compromised in a data breach earlier this year. The breach involved one of its vendors, Oracle Health (formerly Cerner). LifeBridge Health was one of many healthcare providers to be affected. Hackers gained access to a legacy system as early as January 22, 2025, and obtained patient information such as names, medical record numbers, Social Security numbers, physician names, diagnoses, test results, medications, medical images, and treatment information. LifeBridge Health said the breach was confined to Oracle Health servers, and its own systems were unaffected.

Oracle Health notified LifeBridge Health about the data breach in March 2025, with notifications reportedly delayed at the request of law enforcement. Oracle Health provided LifeBridge Health with a final list of the affected individuals on September 19, 2025. The data breach was announced by LifeBridge Health on October 16, when notification letters started to be mailed to the affected individuals. Two years of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. It is currently unclear how many individuals have been affected.

Right at Home

Ever Care Corporation, which does business as Right at Home, a provider of in-home care to seniors and adults with disabilities, experienced a hacking incident that likely involved the theft of sensitive patient information. Suspicious network activity was identified on September 3, 2025, and an investigation was launched to determine the cause of the activity. Right at Home confirmed that the activity was due to an unauthorized actor, who is thought to have acquired files from its network on September 3, 2025. The review of the affected files was completed on October 6, 2025. There is currently no substitute data breach notice on the Right at Home website, and the types of information involved are not shown on the notifications published on attorneys general websites. The exact types of information involved are detailed in the individual notification letters. Right at Home is paying for single-bureau credit monitoring, credit score, and credit report services for the affected individuals. It is currently unclear how many individuals have been affected.

While not described by Right at Home as a ransomware attack, a ransomware group claimed responsibility for the attack. The Sinobi ransomware group, which has attacked several healthcare providers in recent months, claimed to have exfiltrated around 50 GB of data and encrypted files. Right at Home was listed on its data leak site on October 8, 2025. As such, any individual receiving a notification letter should sign up for the credit services being offered.


Yale New Haven Health Agrees to $18 Million Data Breach Settlement

An $18 million settlement proposed by Yale New Haven Health to resolve claims stemming from a 2025 data breach has been granted preliminary approval by a federal court judge. Yale New Haven Health is a non-profit health system that operates five acute care hospitals, including the main teaching hospital for the Yale School of Medicine, as well as a medical foundation and several outpatient facilities in Connecticut, New York, and Rhode Island. The health system employs more than 12,000 people, including 4,500 university and community physicians.

The data breach in question was reported to the HHS’ Office for Civil Rights on April 11, 2025, as involving the protected health information of up to 5,556,702 individuals. The New Haven, Connecticut-based health system identified suspicious network activity on March 8, 2025, and the breach was announced via its website three days later. Yale New Haven Health later confirmed that hackers accessed its network on March 8, 2025, and exfiltrated files containing patient information.

While its electronic medical record system was not accessed, the stolen files contained patient information, including names, addresses, telephone numbers, email addresses, dates of birth, race/ethnicity information, patient types, medical record numbers, and Social Security numbers. At more than 5.5 million affected individuals, the data breach was, and still is, the largest healthcare data breach of the year.

The cyberattack was announced quickly, reported to OCR well within the breach reporting deadline, and notification letters were issued promptly. Yale New Haven Health has also agreed to settle the resultant litigation quickly. Data breach lawsuits can take many months and even years to resolve, yet in this case, a settlement has been approved to resolve the litigation in just 7 months. The first lawsuit over the data breach was filed in March 2025, followed by 17 additional complaints, which were consolidated into a single action in June 2025 – In Re: Yale New Haven Health Services Corp. Data Breach – in the U.S. District Court for the District of Connecticut.

The plaintiffs alleged in the consolidated lawsuit that Yale New Haven Health had failed to implement reasonable and appropriate cybersecurity measures to secure the data stored on its network, and had reasonable measures been implemented, the data breach could have been prevented. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and declaratory judgment.

Yale New Haven Health denied all claims in the lawsuit and filed a motion to dismiss in July, with the plaintiffs filing their opposition in August. At the end of August, all parties attended mediation, and the material terms of a settlement were agreed upon. The details of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Yale New Haven Health has agreed to establish an $18,000,000 settlement fund to cover all costs associated with the litigation – attorneys’ fees and expenses, service awards for the lead plaintiffs, and settlement administration costs. The remainder of the settlement fund will be used to pay benefits to the class members. The attorneys are seeking one-third of the settlement, and the service awards are likely to be $2,500 per named plaintiff.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may claim an alternative cash payment. The cash payments are anticipated to be approximately $100 per class member. The pro rata cash payments may increase or decrease depending on the number of valid claims received, and will exhaust the settlement fund. In addition to either of those benefits, class members may also claim a two-year complimentary membership to a medical data monitoring service. Yale New Haven Health has also agreed to implement security enhancements. The final approval hearing has been scheduled for March 3, 2026.

April 24, 2025: Yale New Haven Health System Announces 5.5-Million Record Data Breach

Yale New Haven Health System has announced a data security incident that has affected more than 5.5 million individuals. The breach report to the HHS’ Office for Civil Rights indicates up to 5,556,702 individuals had their protected health information compromised in the incident, making it the largest healthcare data breach to be reported so far this year, beating the previous record of 4.7 million individuals set this month by Blue Shield of California.

Yale New Haven Health is a nonprofit health system in New Haven, Connecticut, that includes five acute-care hospitals, a medical foundation, and multiple outpatient facilities and multispecialty centers in Connecticut, New York, and Rhode Island. On March 8, 2025, anomalous activity was identified within its information technology systems. Immediate action was taken to contain the incident, and an investigation was launched to assess the nature and scope of the unauthorized activity. Yale New Haven Health announced the security incident on its website 3 days after it was detected.

Yale New Haven Health engaged the cybersecurity firm Mandiant to assist with the investigation and said the rapid response helped to ensure it was contained and prevented disruption to patient care. Yale New Haven Health has confirmed that an unauthorized third party gained access to its network on March 8, 2025, and exfiltrated files, some of which included patient information. There was no unauthorized access to its electronic medical record system, and no financial information was compromised in the incident. The types of data stolen in the cyberattack varied from individual to individual and may have included names in combination with one or more of the following: address, telephone number, email address, date of birth, race/ethnicity, patient type, medical record number, and/or Social Security number.

Yale New Haven Health said it continuously updates and enhances its systems to protect sensitive data and will continue to do so. Individual notification letters started to be mailed to the affected individuals on April 14, 2025, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were compromised.

While questions will be asked about how hackers managed to access such a vast amount of patient data, Yale New Haven Health should at least be commended for the rapid response, transparency, and prompt breach notifications, which started to be sent on April 14, 2025.
