HIPAA Breach News

Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients

Blue Fish Pediatrics in Texas has announced a July 2025 cyberattack that affected more than 41,000 Texas patients. Data breaches have also been announced by Cherry Health in Michigan, Coastal Carolina Centers of Urology and Surgery in South Carolina, and Regence in Oregon.

Blue Fish Pediatrics, Texas

Blue Fish Pediatrics, a Houston, Texas-based network of pediatric medical practices, has notified the Texas Attorney General about a cybersecurity incident last year that exposed the personal and protected health information of its patients.

In a substitute breach notice on its website, Blue Fish Pediatrics explained that unauthorized access to its IT systems was identified on or around July 17, 2025. After securing its systems, an investigation was conducted to determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that a threat actor had access to a limited number of files between July 11, 2025, and July 17, 2025. Some of those files contained personally identifiable information and protected health information and may have been acquired in the incident.

The files have now been reviewed and found to contain full names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, medical record numbers, diagnosis/condition information, lab results, medications, claims information, and clinical/treatment information. Notification letters are now being mailed to the affected individuals, and complimentary credit monitoring has been made available to individuals whose Social Security numbers were exposed.

The total number of affected individuals has yet to be disclosed; however, the bulk of the affected individuals reside in Texas. The Texas Attorney General was informed that 41,485 Texas residents were affected.

Cherry Health, Michigan

Cherry Health, Michigan’s largest non-profit Federally Qualified Health Center serving six counties in the state, announced a breach of patients’ protected health information on June 18, 2026. Suspicious network activity was identified on or around April 19, 2026. The forensic investigation confirmed unauthorized access to its network and the copying of files containing patient information.

The file review is ongoing; however, information likely stolen in the incident includes names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID numbers, patient ID numbers, provider names, service dates, and, for a limited number of individuals, Social Security numbers. Cherry Health said it has not identified any misuse of the impacted data. Cherry Health is working on implementing additional safeguards to prevent similar incidents in the future. At present, it is unclear how many individuals have been affected.

Coastal Carolina Centers of Urology and Surgery, South Carolina

Coastal Carolina Centers of Urology and Surgery, LLC, doing business as Rivertown Surgery Center in Conway, South Carolina, has notified the HHS’ Office for Civil Rights about a network server hacking incident involving unauthorized access to the electronic protected health information of 2,886 individuals.

Only limited information has been made public about the breach, such as that it involved unauthorized access to names and health records; however, this appears to have been a ransomware attack by the Qilin ransomware group. Qilin added Coastal Carolina Centers of Urology and Surgery to its dark web data leak site on September 4, 2025, along with screenshots of files allegedly stolen in the attack. According to the notice sent to the Indiana Attorney General, the breach occurred on August 26, 2025, and notifications were mailed on or around May 22, 2026.

Regence, Oregon

Regence Blue Cross Blue Shield of Oregon has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 2,856 individuals. According to a notice on the Regence website, unauthorized actors registered and accessed some Regence digital member accounts between January 1, 2026, and April 15, 2026, and redeemed wellness rewards for gift cards. Information in the accounts may have been accessed.

The post Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients appeared first on The HIPAA Journal.

ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data

One Medical, the Amazon-owned primary care provider, has recently announced a cybersecurity incident in which an unauthorized third party gained access to a third-party file storage system containing archived information for One Medical Seniors patients. Last week, the ShinyHunters threat group added One Medical to its dark web data leak site and claimed to have exfiltrated 8.8 terabytes of data.

According to the One Medical website data breach notice, the unauthorized access was identified on June 13, 2026, and was limited to the file storage system, which contained legacy data of One Medical Seniors patients. One Medical Seniors is the new name for Iora Health, which One Medical acquired in 2021. When the breach was discovered, the affected system was immediately secured, and all access was revoked. An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that the file storage system was accessed by an unauthorized third party between June 8 and June 11, 2026. While it has only been a few days since the breach was discovered, One Medical has confirmed that the breach was limited to the file storage platform, which only contained legacy data of certain Iora Health/One Medical Seniors patients. No other One Medical clinics, services, or the One Medical electronic medical record system were accessed.

The data review has begun, and One Medical has confirmed that the system contained demographic information and the clinical records of Iora Health/One Medical Seniors patients in Atlanta, Cape Cod, Charlotte, Piedmont Triad, Denver, Houston, Phoenix, Tucson, and Seattle. The exact data types involved have yet to be made public.  In response to the breach, One Medical said it has revoked all user access and is rotating credentials for all employees with access to the system, and has implemented additional safeguards to prevent similar incidents in the future. The number of affected individuals has yet to be publicly disclosed. One Medical has not confirmed the name of the group behind the attack.

ShinyHunters is a prolific data extortion group that targets large companies, breaches their networks, exfiltrates sensitive data, and demands a ransom to prevent a data leak. The group’s previous healthcare victims include dental benefits administrator DentaQuest, and the medical device manufacturer Medtronic. Last week, ShinyHunters claimed it had stolen 8.8 TB of data from One Medical and threatened to publish the stolen data unless One Medical entered ransom negotiations. One Medical was given until June 22, 2026, to do so, or the data would be leaked. The claim has not been verified by One Medical, and currently, no samples of the stolen data have been provided as proof of data theft. “This is a final warning to reach out by 22 June 2026 before we leak along with several annoying (digital) problems that’ll come your way,” states ShinyHunters on its dark web data leak site.


Heart Monitoring Device Manufacturer Discloses Cyberattack; Data Breach

iRhythm Holdings Inc., a publicly traded heart monitoring device manufacturer, has notified the U.S. Securities and Exchange Commission (SEC) about a cybersecurity incident that was first identified on June 8, 2026.

According to the SEC filing, iRhythm identified unauthorized access to certain business applications that are hosted on a third-party platform. The company activated its cybersecurity incident response plan and launched an investigation to determine the nature and scope of the unauthorized activity. On June 9, 2026, one day after the unauthorized access was identified, the company received communications from a threat actor who claimed to have exfiltrated sensitive data from its applications and demanded payment to prevent the data from being publicly released.

San Francisco, CA-based iRhythm makes cardiac monitoring devices that are used by approximately 8 million patients in the United States and Europe, and cloud-based data analytics for diagnosing and tracking patients with heart arrhythmias. The threat actor claimed to have exfiltrated proprietary data and patient data from iRhythm applications.

The internal investigation confirmed that the threat actor had exfiltrated sensitive data, including personal and protected health information. While the number of individuals affected by the incident has yet to be confirmed by iRhythm, the company said in the Form 8-K filing that this was a material incident due to the volume of data potentially stolen in the attack.

iRhythm has not identified any impact on its products, clinical, or medical device systems as a result of the incident. The incident has not had any impact on patient safety, manufacturing, its distribution operations, financial reporting systems, or the company’s ability to meet patient needs.

The threat actor gained access to certain third-party hosted business applications through social engineering. The company’s medical device systems and connections to customers were not affected, and the company does not retain any individual financial account information or payment card information. iRhythm is still investigating the data breach and has yet to announce the number of affected individuals or the types of data compromised in the incident.

The SEC filing does not state whether payment was made to the attacker or if the company is negotiating payment. While this was a material cybersecurity incident, the company does not believe it will have a material impact on its financial condition or results of operations, although the company warned that the attack could cause significant harm to the company’s brand, reputation, and patient trust in its devices. The company holds a cyber insurance policy, which may cover certain losses incurred as a result of the incident.

Several cyberattacks have recently been reported by medical device manufacturers, including UFP Technologies in February 2026, which involved either the theft or destruction of company data; Stryker, which involved the exfiltration of around 50 terabytes of data in March; and Medtronic, which experienced a major data theft incident in March involving around 9 million patient records.


Data Breaches Announced by Open Arms Care; Elmwood Home Care

Data breaches have been announced by the Tennessee-based disability care provider Open Arms Care Corporation and the Rhode Island and Massachusetts home healthcare provider, Elmwood Home Care.

Open Arms Care, Tennessee

Open Arms Care Corporation, a Brentwood, TN-based nonprofit provider of residential and therapeutic care services to individuals with disabilities, has recently disclosed a breach of its email tenant. Suspicious activity was identified in August 2025, indicative of unauthorized access to an email account. The forensic investigation confirmed that the account had been accessed by an unauthorized third party between June 2025 and August 2025.

The account was reviewed to determine the individuals affected and the types of data involved, and that process was completed on April 30, 2026. Up-to-date contact information was obtained, and notification letters were mailed to the affected individuals on June 9, 2026. The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: medical diagnosis, treatment information, Social Security number, and/or health insurance information. The number of affected individuals has not been publicly disclosed at the time of writing.

Elmwood Home Care, Rhode Island/Massachusetts

Elmwood Home Care, a home healthcare provider serving patients in Rhode Island and Massachusetts, has recently announced a cybersecurity incident that resulted in unauthorized access to its computer systems between January 24, 2026, and February 13, 2026.

The forensic investigation determined that a threat group viewed or acquired files containing patient data such as names, dates of birth, Social Security numbers, driver’s license numbers, other demographic information, medical information, and health insurance information. Elmwood Home Care said it is reviewing its data security policies and procedures and is implementing additional administrative and technical safeguards to better protect its systems and sensitive data.

At the time of publication, the number of affected individuals had not been publicly disclosed. This appears to have been a ransomware attack, for which the LockBit5 ransomware group claimed responsibility.


Clinical Registry Solutions; Jason R Egbert OD PC; VHC Health Announce Data Breaches

Data breaches have been announced by Clinical Registry Solutions in New York, First Sight Family Vision in Washington, and VHC Health in Virginia.

Clinical Registry Solutions, New York

Clinical Registry Solutions, a Brooklyn, New York-based provider of clinical data abstraction and registry support services to healthcare providers, is notifying patients of Dignity Health’s St. Mary’s Medical Center that some of their protected health information has potentially been compromised in an April 2026 cybersecurity incident.

Suspicious activity was identified within its computer network on April 9, 2026. The forensic investigation identified unauthorized access to its computer network, and evidence was found indicating that files containing patient data were copied by the attackers. The data review determined that patient names, procedure dates, and medical record numbers were involved; however, Social Security numbers and diagnosis and treatment information were not involved. Company data was also stolen in the attack.

Clinical Registry Solutions has not identified any misuse of the impacted data; however, as a precaution, complimentary credit monitoring and identity theft protection services have been made available. While not mentioned in the notification letters, the threat group behind the attack appears to be the Akira ransomware group. Akira claimed to have exfiltrated 41 GB of data, including employee information such as passports, Social Security numbers, and driver’s license numbers.

First Sight Family Vision (Jason R Egbert OD PC)

First Sight Family Vision, a Battle Ground, Washington-based optometry practice that used to operate under the name Jason R Egbert OD PC, has been affected by a data breach at vendor Networking Technology Inc, which does business as RXNT.

RXNT, a provider of cloud-based electronic prescribing, practice management, and electronic health records software to healthcare organizations, discovered unauthorized access to systems used by some of its customers on March 3, 2026. The forensic investigation confirmed unauthorized access between March 1, 2026, and March 3, 2026, during which time files containing patient information were potentially accessed or acquired.

Data potentially compromised in the incident include names, birth dates, contact information, patient IDs, prescription information, and Social Security numbers. RXNT has offered the affected individuals complimentary credit monitoring and identity theft protection services. While it is unclear how many individuals have been affected in total, the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 1,225 patients of Jason R Egbert OD PC.

VHC Health

VHC Health, a healthcare provider serving patients in Northern Virginia and the Washington D.C. Metro area, has been affected by a cybersecurity incident at one of its vendors. VHC Health contracted with a company called Xsolis, Inc., which provides utilization management services to healthcare organizations.

On January 22, 2026, Xsolis identified unauthorized access to parts of its environment as a result of a response to a phishing attempt on January 20, 2026. The incident was contained, its environment was secured, and an investigation was launched to determine the impact of the incident. The investigation confirmed that files containing names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance information were exposed.

Xsolis has implemented additional security measures to protect against similar incidents in the future, and complimentary credit monitoring and identity theft protection services have been made available. Notification letters started to be mailed to the affected individuals by Xsolis on April 23, 2026. At present, it is unclear how many VHC patients have been affected or how many individuals have been affected in total.


Hackers Claim Responsibility for Novo Nordisk Cyberattack

A hacking group has claimed responsibility for the cyberattack on the pharmaceutical company Novo Nordisk and says it exfiltrated more than 1 terabyte of data over several weeks. Another individual/group has also claimed it breached certain Novo Nordisk systems in a separate hacking incident in June.

FulcrumSec is a cyber extortion group that has been active since at least September 2025. The group specializes in high-speed data exfiltration, commonly from cloud-hosted databases, and demands payment to prevent the publication or sale of stolen data. The group exploits unrotated API keys and cloud misconfigurations for initial access.

Novo Nordisk disclosed the attack on June 11, 2026, and shortly thereafter, FulcrumSec added Novo Nordisk to its dark web data leak site, along with samples of data from its claimed 1.3 TB data heist. The listing states that data exfiltrated in the attack includes clinical trial information, intellectual property, and artificial intelligence models used for drug discovery.

FulcrumSec claims it issued a $25 million ransom demand to prevent the publication of the stolen data; however, Novo Nordisk refused to pay. Data has started to be leaked – at the time of writing, 264 GB of data is listed as available for download – as a result of non-payment, and the group says it is seeking a private buyer for the bulk of the stolen data.

The group’s dark web data leak site states that it obtained 4,750 source code repositories, more than 41,000 proprietary drug compounds with structures, over 30 trained AI models, 73 datasets, the data of 11,500 pseudonymised clinical trial patients, more than 163,000 employee records, data from 5 undisclosed drug programs, and the exact manufacturing recipe for one of the company’s major drugs.

While some data has been leaked, around 1.05 terabytes of data is being withheld. FulcrumSec claims it will not release certain data, such as the data of employees and physicians, the pseudonymized clinical trial patient data, and certain data related to operational technology and software used to interact with sensors and equipment at Novo Nordisk’s production facilities.

The group claims to have gained initial access “through secrets left in client-side JavaScript on two separate unrelated Novo Nordisk subdomains — two completely different teams, two different applications, the same elementary mistake made twice,” and suggests highly sensitive data was protected with extremely weak passwords.

The group said it used Azure container registry credentials that were baked into a client-side JavaScript bundle, and a GitHub personal access token that had access to hundreds of repositories. The repositories contained API tokens, database credentials, and service account passwords that allowed lateral movement to hundreds of Novo Nordisk systems. The group claims that Novo Nordisk’s security team detected its presence in its GitHub accounts around two weeks after the initial intrusion, and in its Azure environment after 3 weeks.
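A defender-side check for the kind of exposure the group claims to have used, added here as an example that is not from the article or from any of the companies named: it scans a built client-side bundle for GitHub personal access tokens and for credential-like string literals sitting close to an Azure Container Registry hostname. The function names, rule IDs, the 300-character proximity window, and the sample bundle (including `exampleregistry.azurecr.io`) are assumptions constructed for illustration.

```javascript
// Added example: pre-deployment secret check for a built client-side bundle.
// The rules below are illustrative assumptions, not a complete ruleset.

// Token formats with a recognisable prefix.
const TOKEN_RULES = [
  { id: "github-pat-classic", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: "github-pat-fine-grained", re: /\bgithub_pat_[A-Za-z0-9_]{82}\b/g },
];

// Heuristic: a string literal of 16+ characters assigned to a credential-like key.
const CRED_ASSIGN =
  /["']?(password|passwd|secret|token|pwd)["']?\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/gi;

// Azure Container Registry login server hostname.
const ACR_HOST = /\b[a-z0-9]{5,50}\.azurecr\.io\b/gi;

// Minified bundles are often a single line, so proximity is measured in
// characters rather than lines.
const WINDOW = 300;

// Never echo a full secret into build logs: keep a short prefix and the length.
function redact(secret) {
  return `${secret.slice(0, 4)}...(${secret.length} chars)`;
}

// Convert a character offset into a 1-based line and column.
function locate(source, offset) {
  const before = source.slice(0, offset);
  const line = before.split("\n").length;
  const column = offset - before.lastIndexOf("\n");
  return { offset, line, column };
}

function scanBundle(source) {
  const findings = [];

  for (const { id, re } of TOKEN_RULES) {
    for (const m of source.matchAll(re)) {
      findings.push({ rule: id, ...locate(source, m.index), match: redact(m[0]) });
    }
  }

  // Report credential-like assignments only when a registry hostname is
  // nearby, which keeps noise from ordinary UI strings down.
  const hosts = [...source.matchAll(ACR_HOST)];
  for (const m of source.matchAll(CRED_ASSIGN)) {
    const near = hosts.find((h) => Math.abs(h.index - m.index) <= WINDOW);
    if (near) {
      findings.push({
        rule: "acr-credential-near-registry-host",
        ...locate(source, m.index),
        match: redact(m[2]),
        host: near[0],
      });
    }
  }

  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample input: every value below is fake.
const FAKE_PAT = "ghp_" + "A1b2".repeat(9);
const SAMPLE_BUNDLE = [
  '(()=>{const cfg={registry:"exampleregistry.azurecr.io",username:"ci-pull",password:"' +
    "x9".repeat(12) + '"};',
  'const api={headers:{Authorization:"token ' + FAKE_PAT + '"}};',
  'const ui={passwordHint:"at least 16 characters long"};})();',
].join("\n");

console.log(scanBundle(SAMPLE_BUNDLE));
```

Run against the files a build actually ships to browsers and fail the pipeline on any finding; a token that has already been published needs to be revoked and rotated, not just removed from the bundle.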

FulcrumSec is not alone in claiming responsibility for hacking Novo Nordisk’s systems. According to databreaches.net, a hacker identifying themselves as TheUSERS007 has claimed to have breached the drug company’s systems between June 5 and June 7, 2026, after the claimed hack by FulcrumSec. TheUSERS007 demanded a $50 million ransom, which similarly wasn’t paid, and told databreaches.net that access was gained using venomware, “a self-learning, adaptive AI engine designed for the surgical extraction of intellectual property.”

FulcrumSec referenced the claim on its data leak site and suggests that the claim is potentially legitimate. The attack disclosed by Novo Nordisk relates to the FulcrumSec hack, rather than the second incident, which has yet to be confirmed by Novo Nordisk.

June 15, 2026: Clinical Trial Data Stolen in Novo Nordisk Cyberattack

Novo Nordisk, the Danish pharmaceutical firm behind the GLP-1 weight loss drugs Ozempic and Wegovy, has experienced a cyberattack that exposed the data of healthcare providers and patients enrolled in clinical trials. According to the company’s June 11, 2026, breach notice, a threat actor gained access to a limited number of its internal systems, and certain personal data stored on those systems was exfiltrated by the attackers. It is currently unclear when the intrusion was detected or for how long hackers had access to its systems, and the threat group behind the attack has yet to publicly claim responsibility.

The exposed data related to certain patients who took part in its clinical trials; however, the risk to those patients is limited, as the exfiltrated data was deidentified. Patient names were not exposed; only the ID numbers were used to identify specific patients participating in clinical trials. The ID numbers consist of random alphanumeric strings. Other compromised information was limited to sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors, such as BMI, whether the patient was a smoker, and information about their alcohol usage.

Novo Nordisk said that because the exposed data was pseudonymized, patients cannot be identified from the exposed information without further information from another source; therefore, patients are not believed to face any immediate risks. Patients have been advised to remain vigilant and to contact Novo Nordisk if they identify any suspicious activity that they believe may be linked to the incident.

When the attack was detected, certain systems were taken offline as a precaution while the incident was investigated, and Novo Nordisk is working to bring the systems back online safely and securely. The company said the cyberattack has had no impact on its core business operations, which remain up and running. The forensic investigation and data review are ongoing, and Novo Nordisk has yet to determine the number of individuals affected.

Certain healthcare providers have been affected by the incident, and they are currently being notified. The information stolen in the attack varies from provider to provider, and may include information such as the company name, registration number, contact email address, phone number, office location, and WhatsApp details. Since contact information has been compromised, healthcare providers are potentially at risk of phishing or social engineering attacks and should therefore remain vigilant.


PHI Compromised in Cyber Incidents at Medenet; United Medical Doctors; Stewart Home & School

Cybersecurity incidents involving unauthorized access to protected health information have been announced by the revenue cycle management company Medenet, the California medical group United Medical Doctors, and the Kentucky residential school, Stewart Home & School.

Medenet Inc.

Medenet Inc., a Florida-based medical billing, EMR software, and revenue cycle management service provider to physician practices, has started issuing notifications about a cyberattack identified on December 26, 2025. Assisted by third-party cybersecurity experts, Medenet determined that personal and protected health information was likely compromised in the incident, including medical records and Social Security numbers.

Medenet said it is unaware of any misuse of the impacted data; however, as a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services. The data breach has yet to be added to the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

United Medical Doctors

United Medical Doctors, a Murrieta, California-based multi-specialty medical and surgical group, has discovered unauthorized access to its computer systems. Suspicious activity was identified within its computer systems on March 26, 2026, and the forensic investigation determined that a threat actor had access to its systems for around three and a half months, between December 12, 2025, and March 31, 2026. During that time, files containing patient information may have been viewed or acquired.

The May 20, 2026, substitute breach notice states that the types of information compromised in the incident have yet to be determined, and the number of affected individuals has yet to be publicly disclosed.

Stewart Home & School

Stewart Home & School (formerly Stewart Home School), a residential school in Franklin County, Kentucky, has recently announced that it was the victim of a criminal cyberattack on its computer network. The attack occurred in the early hours of August 4, 2025, with the threat actor gaining access to its network using stolen credentials.

Those credentials allowed the threat actor to access two of its internal electronic drives. Data on those drives was accessed and exfiltrated, then ransomware was used to encrypt the data. Stewart Home & School said the nature of the attack and the design of its electronic network meant it has taken a significant amount of time to determine the types of data involved and the individuals affected.

The data analysis has recently concluded, and confirmed that 3,677 individuals potentially had data stolen in the incident, including personal information and protected health information. That information included names, demographic information such as phone numbers, email addresses, addresses, and Social Security numbers, financial information, and protected health information such as health insurance information, diagnoses, medical conditions, test results, and medications, and education-related information, including evaluation and testing information.

The affected individuals were notified about the incident in April 2026 and have been offered 24 months of complimentary credit monitoring and identity theft protection services. The Sinobi ransomware group claimed responsibility for the attack.


Florida Law Firm Data Breach Affects 65,000 Individuals

A cyberattack at the law firm GrayRobinson has affected 65,000 individuals. Data breaches have also been announced by C2N Diagnostics in Missouri and Virta Health in Colorado.

GrayRobinson

The Orlando, Florida-based law firm GrayRobinson, P.A., has notified the Maine Attorney General about a data breach affecting 65,113 individuals, including 52 Maine residents. Among those individuals, 54,131 people had their protected health information exposed in the incident. In its substitute data breach notice, GrayRobinson explained that unauthorized access to its network was detected on or around March 24, 2025. Immediate steps were taken to secure its network, and assisted by third-party cybersecurity specialists, the incident was investigated to determine the extent to which sensitive information had been compromised.

The investigation confirmed that its network was accessed by an unauthorized third party between March 5, 2025, and March 24, 2025, and during that time, files containing personal and protected health information were exfiltrated from its network. The data was reviewed, and on April 13, 2026, the file review concluded and determined that full names, dates of birth, Social Security numbers, driver’s license numbers, state and government ID numbers, financial account information, medical information, and health insurance information were involved.

GrayRobinson said it had taken many precautions to protect against unauthorized access to its systems and data, and continually evaluates and modifies its practices and internal controls to enhance security and ensure the privacy of sensitive information. Complimentary credit monitoring and identity theft protection services have been made available. Notification letters started to be sent to the affected individuals on April 24, 2026.

C2N Diagnostics, Missouri

C2N Diagnostics, a St. Louis, MO-based specialty diagnostics company providing lab services and products related to brain health, has disclosed a cybersecurity incident that was identified on March 6, 2026. C2N Diagnostics said it was targeted by a cybercriminal actor who gained access to a small number of stored employee communications, some of which contained personal information.

The data was reviewed and found to include names, dates of birth, contact information, health information, blood test analysis results, health insurance information, and Social Security numbers. The affected individuals have been notified by mail and offered complimentary credit monitoring and identity theft protection services for at least 12 months as a precaution against data misuse. At the time of issuing notification letters, C2N Diagnostics was unaware of any misuse of the exposed data. C2N Diagnostics reported the breach to the HHS’ Office for Civil Rights on April 27, 2026, as affecting 2,027 individuals.

Virta Health

Virta Health Corp & Virta Medical PC, a Denver, CO-based provider of digital health services to help individuals manage type 2 diabetes, prediabetes, and obesity, has identified unauthorized access to one of its data repositories. The unauthorized access was identified on March 24, 2026, and the investigation confirmed that it had been compromised between March 19, 2026, and March 22, 2026.

The data repository was separate from its current production platform and contained personal information, the details of which were not disclosed in its data breach notice. Virta Health said its investigation confirmed that data had been exposed, and “could not rule out the possibility that an unknown actor may have accessed [personal information].” The Lapsus$ threat group claimed responsibility for the attack and added Virta Health to its data leak site on March 23, 2026, one day prior to the breach being detected. It is unclear if the ransom was paid or how many individuals were affected by the incident.


Data Breaches Announced by Two Digestive Health Companies

Cyberattacks and data breaches have recently been announced by the national gastroenterology medical group Gastro Health and Spokane Digestive Disease Center in Washington.

Gastro Health

Gastro Health, a gastroenterology medical group with more than 200 locations in Florida, Alabama, Washington, Virginia, Ohio, Massachusetts, and Maryland, has announced an email security incident that exposed the protected health information of some of its patients.

The incident was detected on February 25, 2026, when the company learned that some of its employees had responded to phishing emails, resulting in unauthorized access to their email accounts. A separate phishing incident was identified on March 2, 2026, resulting in a further email account being subject to unauthorized access.

The review of the affected email accounts confirmed that they contained information such as names, dates of birth, Social Security numbers, and state or government-issued ID numbers. Protected health information in the accounts included diagnosis and treatment information, prescription information, provider/clinic information, medical record numbers, patient account numbers, Medicare/Medicaid numbers, and health insurance or group account numbers. The types of information involved varied from individual to individual.

Notification letters are being mailed to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 24 months. The number of affected individuals has yet to be publicly disclosed, although the Washington Attorney General has been informed that more than 1,800 state residents have been affected.

Spokane Digestive Disease Center

Spokane Digestive Disease Center in Washington has notified certain patients about unauthorized access to an employee’s email account. Suspicious activity was identified within the account on February 19, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to the account on various dates between January 22, 2026, and February 18, 2026.

The account was reviewed, and on May 8, 2026, it was confirmed that information in the account included names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, credit card information, financial account information, electronic signatures, and medical information.

The affected individuals have been offered 12 months of complimentary credit monitoring services, and steps have been taken to improve email security. The HHS’ Office for Civil Rights currently lists the data breach with a placeholder estimate of at least 501 individuals. The Washington attorney general was informed that the information of 2,093 state residents was involved.
