Highlands Oncology Group, a comprehensive cancer care provider with six locations in Northwest Arkansas, has recently disclosed a cyberattack that was first identified on June 2, 2025. A hacker gained access to its network on January 21, 2025, and remained within the network undetected until June 2, 2025, when ransomware was used to encrypt files. Between those dates, there was intermittent access to the network, and patient data may have been viewed or acquired.

The files were reviewed and found to contain protected health information such as names, dates of birth, Social Security numbers, driver’s license/state identification numbers, passport numbers, credit/debit card numbers, financial account numbers, medical treatment information, medical record numbers, patient account numbers, and/or health insurance policy information. The types of data exposed or stolen varied from individual to individual.

The data breach was recently reported to the Maine Attorney General as involving the personal information of 113,575 individuals. Notification letters started to be mailed on August 1, 2025, and individuals whose Social Security numbers and/or driver’s license numbers were involved have been offered complimentary identity theft protection services. All individuals have been advised to remain vigilant against misuse of their information and should monitor their accounts, explanation of benefits statements, and credit reports closely for signs of data misuse.

While the name of the threat actor was not disclosed in the breach notification letters, the Medusa ransomware group claimed responsibility for the attack. Medusa is known to engage in double extortion, stealing data and demanding a ransom payment to prevent the publication of the stolen data and to provide the keys to decrypt the data. Medusa was the subject of a joint alert by CISA, the FBI, and MS-ISAC earlier this year after attacking more than 300 entities, including several healthcare providers. Medusa was behind the ransomware attack on the kidney dialysis giant DaVita earlier this year. Highlands Oncology Group was added to the Medusa data leak site temporarily, and a $700,000 ransom was demanded. There is currently no listing on the data leak site, which suggests the ransom was paid.

Highlands Oncology Group is one of several cancer care facilities to fall victim to cyberattacks in recent weeks. Last month, a phishing attack affected at least 26 cancer care providers who were part of the Integrated Oncology Network. This is not the first ransomware attack on Highlands Oncology Group, which experienced an attack in November 2023. A recent survey conducted on behalf of the cybersecurity firm Semperis revealed that 77% of healthcare organizations were targeted with ransomware in the past 12 months, 53% of those attacks were successful, and 60% faced multiple attacks.

The post Ransomware Attack on Arkansas Oncology Group Affects 113,500 Individuals appeared first on The HIPAA Journal.

Hacking-related data breaches have been announced by Mid Florida Primary Care, Northwest Denture Center in Washington, Forward, The National Databank for Rheumatic Diseases in Kansas, and Equilibria Mental Health Services in Massachusetts. Inc Ransom claims to have attacked the West Virginia Primary Care Association.

Mid Florida Primary Care

On July 29, 2025, Mid Florida Primary Care, a specialized internal medicine practice in Leesburg, Florida, disclosed a cyberattack and data breach that was identified on or around January 23, 2025. An investigation was launched to determine the nature and scope of the activity, which confirmed that an unauthorized third party accessed its network and copied files between November 29, 2024, and December 11, 2024. The data review was completed on June 19, 2025.

The information compromised in the incident includes names, addresses, dates of birth, email addresses, Social Security numbers, driver’s license numbers, health insurance information, Medicare/Medicaid numbers, health insurance information, diagnosis and/or treatment information, medical histories, allergies, prescription information, test results, and treatment locations.

Mid Florida Primary Care has confirmed that the affected individuals will be offered at least 12 months of complimentary credit monitoring and identity theft restoration services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Northwest Denture Center, Washington

Northwest Denture Center in Burlington, Washington, has confirmed that the protected health information of 12,209 individuals has been exposed in a recent hacking incident. Suspicious network activity was identified on or around May 28, 2025, and action was taken to isolate the network to prevent further unauthorized access. The investigation confirmed that an unauthorized third party first gained access to its network on May 27, 2025.

The review of the affected files was completed on June 27, 2025, and notification letters started to be sent to the affected individuals on July 25, 2025. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Additional training is being provided to the workforce, and additional security measures are being implemented. Complimentary credit monitoring services have been provided to the affected individuals for 12 months.

Equilibria Mental Health Services, Massachusetts

Equilibria Mental Health Services in Massachusetts has discovered that the personal and protected health information of up to 2,000 individuals was potentially compromised in a phishing attack. The incident was identified on June 24, 2025, when two employee email accounts were discovered to have been compromised following responses to phishing emails. The email accounts were accessed by an unauthorized third party for a short period on June 24, 2025.

There was unauthorized access to the email addresses of multiple clients, and individuals who had previously contacted Equilibria Mental Health Services to inquire about mental health services. Some of those individuals have reported receiving phishing emails from a compromised Equilibria email account.

The compromised accounts were reviewed and found to contain mailing addresses, physical addresses, telephone numbers, health insurance plan information, and reasons for making contact. The aim of the attack appears to have been to use the compromised accounts for further phishing attempts. Equilibria Mental Health Services said it is evaluating its cybersecurity protocols and taking action to strengthen email security.

Forward, The National Databank for Rheumatic Diseases

Forward, The National Databank for Rheumatic Diseases in Wichita, Kansas, has announced a security incident that was detected on March 21, 2025. Suspicious activity was identified within certain systems, and the forensic investigation confirmed unauthorized access between March 17, 2025, and March 22, 2025. During that time, files containing sensitive information were potentially viewed and copied from its network.

The file review was completed on June 22, 2025, when it was confirmed that personally identifiable information (PII) and protected health information (PHI) had been compromised, including names, contact information, dates of birth, Social Security numbers, medical information/histories, disability information, mental and physical treatment information, diagnoses, prescription information, treating or referring physicians, and medical record numbers. Forward is reviewing its policies, procedures, and processes to reduce the likelihood of a similar future event, and notification letters are being mailed to the affected individuals.

It is currently unclear how many individuals have been affected. The Maine Attorney General was informed that the breach involved the personal information of 38 Maine residents, but the total size of the data breach was not disclosed.

Ransomware Group Claims Attack on West Virginia Primary Care Association

West Virginia Primary Care Association (WVPCA), in Charleston, West Virginia, has recently been added to the dark web data leak site of the Inc Ransom ransomware group. In Ransom is a prolific hacking group that engages in double extortion ransomware attacks, stealing data, encrypting files, and demanding payment for the decryptors and to prevent publication of the stolen data. Inc Ransom claims to have exfiltrated 296 GB of data.

The addition of an entity on a dark web data leak site does not necessarily mean data has been stolen. There have been several cases where claims of attacks have been partially or entirely fabricated. West Virginia Primary Care Association has yet to announce any cyberattack or data breach, or issue a statement about the posting. The HIPAA Journal has not accessed any of the leaked data, so is unable to verify whether the claim is legitimate.

The post Florida Internal Medicine Practices Discloses November 2024 Data Breach appeared first on The HIPAA Journal.

Several dermatology practices have recently announced data breaches following an attack on their management company. The number of attacks reported this year by dermatology practices suggests they are being targeted by one or more threat actors.

In May 2025, DermCare Management, a Florida-based company that provides support services for dermatologists and dermatology specialists, notified the HHS’ Office for Civil Rights (OCR) about a network server hacking/IT incident, using a placeholder estimate of 501 affected individuals as the number of affected individuals had yet to be established. Several of the affected practices have now issued substitute breach notifications about the incident.

DermCare Management has more than 60 locations in Florida, Texas, California, and Virginia, and primarily provides services related to platform building and development, revenue growth, operational improvement, and improving the patient experience. At least 10 practices are known to have been affected. The list of affected providers is not exhaustive and mostly consists of practices in Florida. Further practices may announce that they have been affected in the coming days and weeks. None of the practices below are currently listed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Confirmed Affected Practices

• Miami Plastic Surgery, Florida
• Keys Dermatology, Florida
• Hollywood Dermatology, Florida
• Jacksonville Beach Dermatology, Florida
• Skin Center of South Miami, Florida
• Florida West Coast Skin Center, Florida
• Dania Dermatology, Florida
• Florida Academic Dermatology Center, Florida
• Rendon Center, Florida
• Dermatology Treatment and Research Center, Texas

According to the substitute breach notices on the websites of the above practices, the attack was identified on February 26, 2025. Suspicious network activity was identified, and networks were rapidly secured. The investigation confirmed on March 3, 2025, that patient information may have been copied from the network. Files are still being reviewed to determine the number of affected individuals and the types of data involved; however, the compromised information likely includes names, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their account statements and free credit reports.

String of Cyberattacks Affecting Dermatology Practices

Major data breaches have been reported by other dermatology practices in recent weeks. One hacking incident that stands out is Anne Arundel Dermatology, which recently reported a hacking-related data breach affecting 1,905,000 individuals. Shelby Dermatology (Dermatologists of Birmingham) has reported a hacking incident affecting 86,414 individuals, Mountain Laurel Dermatology has reported a data breach affecting 3,324 individuals, and a hacking incident has been announced by U.S. Dermatology Partners, a network of 100 dermatology practices. That incident occurred in June and is not yet shown on the HHS’ Office for Civil Rights breach portal, although one of the affected practices appears to be Oliver Street Dermatology Management LLC, which reported that 13,717 individuals were affected.

The post Dermatology Clinics Affected by Practice Management Company Data Breach appeared first on The HIPAA Journal.

Two mental healthcare providers have recently announced cybersecurity incidents that exposed patient data: Eleos Wellness in Florida and Clinica Family Health & Wellness in Colorado.

Eleos Wellness, Florida

Eleos Wellness, a Pinellas Park, FL-based provider of mental health services, has recently announced a data security incident that potentially involved unauthorized access to client information. Unauthorized network activity was detected on June 11, 2025, and third-party cybersecurity experts were engaged to investigate the activity. The investigation is ongoing; however, it has been confirmed that an unauthorized third party had access to names, addresses, dates of birth, Social Security numbers, and health insurance information. No evidence has been found to indicate that its electronic medical record system was involved.

No fraudulent activity related to the incident has been identified; however, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their personal accounts and explanation of benefits statements. Eleos Wellness has confirmed that steps are being taken to improve security to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Clinica Family Health & Wellness, Colorado

Clinica Family Health & Wellness, a Colorado-based network of mental health clinics, has announced a security breach affecting the Mental Health Partners environment. An intrusion was identified and rapidly contained on March 25, 2025, and third-party cybersecurity experts were engaged to investigate the nature and scope of the unauthorized activity.

No evidence was found to indicate that any data was removed from its network; however, it is possible that patient data may have been accessed. Clinica Family Health & Wellness said a comprehensive and thorough investigation is ongoing, and it has yet to be determined exactly how many individuals have been affected or the types of information involved. Notification letters will be mailed to the affected individuals when the review is concluded.

The post Data Breaches Announced by Florida & Colorado Mental Health Clinics appeared first on The HIPAA Journal.

Think Big Health Care Solutions, a Florida-based practice management company, and Minnesota Epilepsy Group have recently confirmed cyberattacks and data breaches. Ransomware groups have claimed responsibility for attacks on Emerson Chiropractic in Indiana and El Paso Quality Dentistry in Texas.

Think Big Health Care Solutions, Florida

Think Big Health Care Solutions, a Wellington, FL-based practice management company that provides billing, contracting, and credentialing services to medical practices, has identified unauthorized access to an employee’s email account. Suspicious activity within the account was identified on June 20, 2025, and third-party cybersecurity specialists were engaged to investigate the incident.

Evidence was found that suggested some emails and files in the account had been accessed by an unauthorized third party. A review was conducted to determine the types of information involved and the individuals affected, and notification letters will be mailed to those individuals when that process has been completed. Think Big Health Care Solutions has confirmed that the account contained information such as first names, initials, and last names, addresses, telephone/fax numbers, email addresses, dates of birth, Social Security numbers, tax identification numbers, passport numbers, admission dates, health insurance policy numbers, bank/financial account numbers and routing numbers, credit/debit card information, diagnoses/conditions, lab results, medications, claims information, medical record numbers, other medical/health information, CPT codes, and referring provider names.

Additional technical and administrative measures have been implemented to prevent similar incidents in the future, and enhanced training is being provided to the workforce on phishing detection, secure data handling, and incident response procedures.

Minnesota Epilepsy Group

Roseville, MN-based Minnesota Epilepsy Group (MEG) has experienced a cybersecurity incident that affected certain systems within its network and caused some disruption to business operations. According to the April 25, 2025, substitute breach notice, MEG identified the incident on February 27, 2025. Immediate action was taken to secure its systems, and third-party cybersecurity experts were engaged to investigate to determine the nature and scope of the unauthorized activity. The investigation is ongoing, but it has been confirmed that client and employee data were exposed in the incident.

The exact types of data involved have yet to be confirmed, but likely include individuals’ names, addresses, dates of birth, medical record numbers, EEG summaries, neuropsychology reports, medication records, and health insurance information. No evidence of misuse of that information has been identified to date; however, the affected individuals have been advised to remain vigilant and should review their financial account statements for signs of fraudulent activity. MEG said it continually evaluates and modifies its practices to enhance privacy and security and is taking steps to augment existing cybersecurity measures to prevent similar incidents in the future.

Ransomware Groups Claim Responsibility for Attacks on Two Healthcare Providers

Ransomware groups have recently claimed responsibility for attacks on two healthcare providers, Emerson Chiropractic in Indiana and El Paso Quality Dentistry in Texas. The Dragonforce ransomware group claims to have stolen 96 GB of data from Emerson Chiropractic, which provides chiropractic services to individuals in the Southside of Indianapolis. Stolen data has been published on the data leak site, indicating the ransom was not paid.

The Beast ransomware group has added El Paso Quality Dentistry to its data leak site and claims to have stolen approximately 700 GB of data. Screenshots have been uploaded to the data leak site, indicating a broad range of data has been stolen, with some folder names suggesting patient data was involved. Currently, the stolen data has not been leaked. Neither healthcare provider has publicly announced a cyberattack or data breach at the time of writing.

The post Florida Practice Management Company Announces June 2025 Data Breach appeared first on The HIPAA Journal.

Data incidents have recently been announced by Wood River Health in Rhode Island, Jack L Marcus in Wisconsin, and Avala and Primary Health Services Center in Louisiana.

Wood River Health, Rhode Island

Wood River Health, a provider of medical, dental, and social services to communities in southwestern Rhode Island and southeastern Connecticut, has recently announced a data breach that has affected 54,926 individuals. Suspicious activity was identified in an employee’s email account on or around September 6, 2024. Assisted by third-party cybersecurity experts, Wood River Health investigated the activity and confirmed that an unauthorized third party had access to the email account between August 8, 2024, and September 6, 2024, and may have viewed or acquired names and Social Security numbers.

The review of the affected account was completed on or around May 29, 2025, and notification letters were mailed to the affected individuals on or around July 28, 2025. The affected individuals have been offered 12 months of complimentary credit monitoring services, additional safeguards have been implemented to improve security, and employees have been provided with further security awareness training.

Avala, Louisiana

Avala, a Covington, LA-based physician-led health network that operates a 21-bed hospital in St. Tammany Parish, a surgery center in Metairie, and a medical imaging center in Covington, has recently announced a cybersecurity incident, discovered on May 30, 2025, that impacted its IT systems. Third-party cybersecurity experts were engaged to assist with containment and remediation and determine if patient data was exposed. No instances of identity theft or fraud have been identified; however, the investigation confirmed on July 23, 2025, that patient data had been exposed and was potentially exfiltrated from its network.

The exposed data varied from individual to individual and may have included names, addresses, birth dates, treatment information, health insurance information, and Social Security numbers. Notification letters are now being sent to the affected individuals. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Primary Health Services Center, Louisiana

Primary Health Services Center (PHSC), a Monroe, LA-based non-profit healthcare provider that operates several clinics serving the Ouachita, Morehouse, and Lincoln Parishes, has started notifying individuals affected by a recent cybersecurity incident. The nature of the incident was not detailed in the website data breach announcement, nor was the date the incident was detected.

Third-party cybersecurity professionals were engaged to investigate the incident, and the investigation and file review are ongoing. The number of affected individuals and the types of exposed data have yet to be publicly disclosed. PHSC is currently unaware of any misuse of patient information as a result of the incident and said data security policies and procedures have been enhanced to reduce the risk of similar incidents in the future.

The security breach appears to be a ransomware attack by the Inc Ransom ransomware group, which added PHSC to its dark web data leak site on December 24, 2024. Inc Ransom uploaded the stolen data on January 15, 2025, which includes user data, employee data, and financial information.

Jack L Marcus Inc.

Jack L Marcus Inc., a Milwaukee, WI-based retailer that allows orders to be placed for incarcerated individuals under an agreement with the Wisconsin Department of Corrections, has announced a data breach affecting 712 individuals. According to the substitute breach notice, a website misconfiguration allowed limited information to be displayed that should have been hidden.

Between August 15, 2024, and May 16, 2025, the name of the treatment facility where an individual was located was displayed to individuals placing orders for that individual. The facility address was masked, but the name of the treatment facility was displayed.  No other information was impermissibly disclosed. The error was identified on March 15, 2025, and was corrected the following day.  Jack L Marcus has reviewed and updated its processes and technology to prevent similar incidents in the future.

The post Wood River Health Notifies 54K Patients About August 2024 Data Breach appeared first on The HIPAA Journal.

Ransomware groups have attacked three healthcare providers: Gastroenterology Consultants of South Texas, Infinite Services in New York, and High Point Treatment Center in Massachusetts.

Gastroenterology Consultants of South Texas (Texas Digestive Specialists)

Gastroenterology Consultants of South Texas, which does business as Texas Digestive Specialists, has recently disclosed a May 2025 cybersecurity incident and data breach. According to the substitute data breach notice, an unauthorized third party gained access to its network in late May 2025 and may have obtained files containing personally identifiable information (PII) and protected health information (PHI). The Texas Attorney General was informed that the exposed information may have included names, addresses, dates of birth, medical records, and health insurance information.

The breach notification does not state when the attack was detected or for how long the hackers had access to the network. Third-party cybersecurity experts assisted with the investigation, and the lessons learned will be used to enhance the security of its IT systems. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that the PII and PHI of 41,521 Texans was exposed in the incident. The affected individuals have been offered complimentary credit monitoring services.

The breach notification letters do not mention ransomware; however, the Interlock ransomware group claimed responsibility for the attack and added the practice to its dark web data leak site. The group claims to have stolen 263 GB of data, which has been leaked online. Interlock was recently the subject of a joint alert from the FBI, CISA, HHS, and MS-ISAC following an increase in attacks on critical infrastructure entities.

Infinite Services, New York

Infinite Services, a New York-based provider of physical therapy, occupational therapy, speech therapy, and home health services, has fallen victim to a ransomware attack that exposed patient and employee data. The attack was detected on May 5, 2025, when employees were prevented from accessing the network. Third-party cybersecurity experts were engaged to investigate the incident and confirmed there was unauthorized access to one of its servers.

Ransomware was used to encrypt files, although the server was powered off, interrupting the encryption process. On June 23, 2025, Infinite Services determined that the affected server contained patient and employee information, and the decision was made to send notification letters to all potentially affected individuals, rather than wait for data mining to determine exactly which individuals had been affected.  That decision ensured that notification letters were mailed promptly.

The ransomware group was not named; however, Infinite Services said no ransom was paid, and at the time notification letters were issued, none of the stolen data had been published online. Since data may be leaked, the affected individuals should take advantage of the complimentary credit monitoring and identity theft protection services that have been offered. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals were affected or notified.

High Point Treatment Center, Massachusetts

High Point Treatment Center in New Bedford, Massachusetts, a provider of mental health and substance abuse treatment, has been added to the dark web data leak site of the Abyss ransomware group. The group claims to have exfiltrated 1.8 TB of data, although it has not listed any of the stolen data on its data leak site so far. High Point Treatment Center has yet to announce the attack or data breach.

The post Texas Gastroenterology Clinic Falls Victim to Interlock Ransomware Attack appeared first on The HIPAA Journal.

McKenzie Memorial Hospital in Michigan has reported a hacking incident affecting more than 54,000 patients. Arbor Associates in Massachusetts has reported a 17K-record data breach, and data breaches have been confirmed by Blue Shield of California and Human Development Services of Westchester.

McKenzie Memorial Hospital, Michigan

McKenzie Memorial Hospital in Sandusky, Michigan, has recently disclosed a cybersecurity incident that was detected on or around April 15, 2025, when suspicious activity was identified within its network. McKenzie Memorial did not state whether ransomware was used, only that the forensic investigation confirmed that its network was accessed by an unauthorized third party between April 14, 2025, and April 15, 2025. During that time, files containing patients’ protected health information may have been accessed.

The investigation and file review were completed on June 19, 2025, and confirmed that the potentially compromised information included names, Social Security numbers, and financial account information. The data breach was recently reported to the Maine Attorney General as affecting 54,016 individuals. Credit monitoring and identity theft protection services have been offered for 12 months, and the hospital is strengthening network security and reviewing its data security policies and procedures.

Arbor Associates, Massachusetts

Arbor Associates, a business associate that helps healthcare organizations collect patient survey analytics, has recently announced a data security incident that involved unauthorized access to patient data. Unusual network activity was detected on April 17, 2025, and independent cybersecurity experts were engaged to investigate the activity. They confirmed that there was unauthorized access to its network between April 15, 2025, and April 17, 2025, during which time files containing patient information may have been acquired.

The file review was completed in May 2025, and the affected healthcare partners were notified. Data potentially compromised in the incident includes first and last name, contact information, age, biological sex, date of birth, service date, CPT or diagnosis code, medical record number, name of insurance, and/or doctor’s name. Arbor Associates started mailing notification letters on behalf of the affected clients on July 3, 2025. The data breach was reported to the HHS’ Office for Civil Rights as a network server incident affecting 17,040 individuals.

Blue Shield of California

The health insurer Blue Shield of California (BSC) has recently notified the California Attorney General about a recent HIPAA breach. On May 22, 2025, BSC learned that a broker with Harmon Insurance Services had passed away, and the late broker’s husband had accessed her online client list after her death. He then asked a friend, who was also a broker, to assist her clients. A former employee of the late broker may also have accessed the client list and client applications between March 25, 2025, and May 22, 2025.

The access was unauthorized, and upon discovery, the login credentials were revoked to prevent further unauthorized access. No evidence was found to indicate any acquisition of members’ information. Information potentially accessed included names, member IDs, Social Security numbers, birth dates, addresses, phone numbers, group ID numbers, and Medicare numbers.

The affected individuals have been notified by mail and offered a one-year membership to an identity theft protection service. The OCR data breach portal lists the incident as affecting 1,543 individuals. A later breach report indicates that an email breach also occurred that affected 673 individuals.

Human Development Services of Westchester, New York

Human Development Services of Westchester, a provider of community-based direct-care services for vulnerable populations in New York State, has recently announced unauthorized access to its email tenant. Suspicious activity was identified within a single email account, and the forensic investigation confirmed unauthorized access between May 19, 2025, and May 20, 2025. The review of the account and attachments is ongoing, so it is not yet possible to determine the exact types of information involved or the number of affected individuals. The account likely contained employee and patient information.

Email security is currently being reviewed, and new cybersecurity tools are being assessed. The breach has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals. The total will be updated when the review concludes.

The post McKenzie Memorial Hospital Announces Data Breach Affecting 54,000 Patients appeared first on The HIPAA Journal.

While compiling data for last month’s data breach report, the HIPAA Journal identified a data breach that had previously been missed. On June 2, 2025, Cumberland County Hospital Association in Kentucky notified the HHS’ Office for Civil Rights about a hacking-related data breach that affected 36,659 individuals. Cumberland County Hospital detected the hacking incident on April 3, 2025. According to its substitute breach notice, an unauthorized third party had access to its network between February 21, 2025, and April 3, 2025. While its electronic medical record system was not accessed, files on the compromised parts of the network were discovered to include patient information, and some of those files were accessed during the attack.

The review of the files confirmed they contained demographic information (name, date of birth, address, phone number(s), email address, race, and ethnicity), along with Social Security numbers, medications, diagnoses, treatment notes, dates of service, medical record numbers, health plan numbers, and claims and billing information. Some employee data was also compromised in the attack, which may have included additional information such as driver’s license, birth certificate, background check information, W-4s and W-2s, and bank account numbers. Notification letters were mailed to the affected individuals on June 2, 2025, and credit monitoring and identity theft protection services have been offered for 12 months.

Ellis Medicine Discovers Unauthorized Access to Employee Email Account

Ellis Medicine, a Schenectady, NY-based health system serving the Capital District in New York State, has notified the Maine Attorney General about a data incident that involved unauthorized access to an employee’s email account. Suspicious activity was identified in the account, which was immediately secured. Third-party digital forensics specialists were engaged to investigate the activity and confirmed that the account was accessed “for a limited period” between January 17, 2025, through January 24, 2025, and again between March 27, 2025, through April 5, 2025.

The account was reviewed to identify the types of information potentially accessed, and that review was completed on May 14, 2025. Emails and attachments were discovered to include the personal and protected health information of 13,383 individuals. The Notification to the Maine Attorney General includes mail merge fields rather than a list of potentially compromised data, and there is currently no substitute breach notice on the Ellis Medicine website, so the types of information compromised are unknown.

Notification letters are being mailed to the affected individuals, which will state the exact types of information involved for each patient. Ellis Medicine has offered single-bureau credit monitoring, credit report, and credit score services to the affected individuals for 12 months.

The post Cumberland County Hospital Data Breach Affects Almost 37,000 Individuals appeared first on The HIPAA Journal.