Rocky Mountain Associated Physicians has reported a data breach affecting more than 50,000 patients. Data breaches have also been announced by Aroostook Mental Health Center and the Iowa Department of Health and Human Services.

Rocky Mountain Associated Physicians

The Salt Lake City, Utah-based surgical and medical weight loss specialists, Rocky Mountain Associated Physicians, have recently announced a security incident involving unauthorized access to the protected health information of up to 50,640 current and former patients. Rocky Mountain said its forensic investigation determined on February 2, 2026, that an advanced threat actor accessed certain systems, including its patient database. The compromised database included individuals’ names, dates of birth, contact information, Social Security numbers, medical record numbers, diagnosis and treatment information, and health insurance information. For some individuals, financial information was compromised, including their debit/credit card numbers and PINs.

Third-party cybersecurity experts were engaged to review the security of its systems, and additional safeguards have been implemented to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The affected individuals should take advantage of the services being offered, as the compromised data has been leaked on the dark web. The PEAR threat group claimed responsibility for the attack and added Rocky Mountain to its dark web data leak site. PEAR, which stands for Pure Extortion and Ransom, leaked the stolen data when the ransom was not paid.

Aroostook Mental Health Center

Legal counsel for Aroostook Mental Health Center in Presque Isle, Maine, has recently notified the Maine Attorney General about a data security incident discovered on March 21, 2026. The investigation and data review are currently ongoing, so it has yet to be determined how many individuals have been affected. Notification letters will be mailed to the affected individuals when those processes have been completed, and complimentary credit monitoring and identity theft protection services will be made available.

According to the notification letter, Aroostook Mental Health Center started receiving alerts that its computer network had been disrupted on March 12, 2026. Immediate steps were taken to prevent further unauthorized access, and a forensic investigation was initiated, which confirmed that its network was accessed by an unauthorized third party between March 11, 2026, and March 12, 2026. The investigation confirmed that files had been exfiltrated from its network. Aroostook Mental Health Center has enhanced its technical security measures and is reviewing and updating its data privacy and security policies. On April 2, 2026, the Qilin ransomware group took credit for the attack and added Aroostook Mental Health Center to its dark web data leak site.

Iowa Department of Health and Human Services

The Iowa Department of Health and Human Services (HHS) has started notifying 6,717 individuals about the exposure of some of their protected health information. On February 20, 2026, the Iowa HHS learned that a file containing Medicaid recipients’ data had been inadvertently posted on its publicly accessible website. The file was posted on February 16, 2026, and was accessible until February 20, 2026.

The file contained limited information, including Medicaid subscriber identification numbers, the names of Medicaid waiver programs linked to the Medicaid IDs, and eligibility assessment dates only. No names, contact information, or health information were exposed. The Iowa HHS said it has provided additional training to its workforce and is reviewing its policies and procedures to prevent similar incidents in the future.

The post Data Breach at Rocky Mountain Associated Physicians Affects 50,000 Patients appeared first on The HIPAA Journal.

Data breaches have recently been announced by DermCare Management in Florida, Option Care Health in New York, and Aetna in Connecticut.

DermCare Management Discloses 2025 Hacking Incident

DermCare Management, a Florida-based provider of practice management services to dermatology practices in Florida, Texas, California, and Virginia, has identified unauthorized access to its computer systems. Suspicious activity was identified within its computer network on February 26, 2025, and, assisted by third-party digital forensics specialists, DermCare Management determined on March 3, 2025, that there had been unauthorized network access between February 14, 2025, and February 26, 2025. During that time, patient information was either accessed or acquired.

DermCare Management engaged data review specialists to determine the individuals affected and the types of data involved. Due to the complexity of the data, it took until March 2, 2026, to identify the individuals affected, the types of data involved, and obtain sufficient information to issue individual notification letters. DermCare Management confirmed that the information exposed or acquired in the incident included names, Social Security numbers, driver’s license numbers, credit and debit card information, financial account information, and medical information.

The affected individuals have been notified by mail and offered complimentary credit monitoring and identity restoration services. Regulators have been notified about the incident; however, the incident has yet to be added to the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Aetna Notifies 11,663 Individuals About Third-Party Mailing Error

The Hartford, CT-based health insurance provider Aetna recently disclosed two data breaches to the HHS’ Office for Civil Rights affecting 10,888 and 775 individuals. Both incidents were unauthorized access/disclosure incidents and occurred in 2025. There was no unauthorized access to its network or computer systems, as both incidents involved mailing errors involving a third-party vendor.

Aetna’s parent company, CVS Health, issued a statement confirming that the information disclosed as a result of the mailing error was minimal. The error occurred on mailings sent on behalf of two health plans and involved letters sent to a plan member that may have inadvertently included the name of another individual who was not a member of their health plan. Aetna has implemented additional measures to prevent similar incidents in the future, and while only minimal data was impermissibly disclosed, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Option Care Health Identifies Unauthorized Email Access

Option Care Health, Inc., a Ridgewood, NY-based provider of home infusion services, has identified unauthorized access to an employee’s email account. The unauthorized access was detected on or around February 9, 2026, and the forensic investigation confirmed unauthorized access to the account between February 6, 2026, and February 9, 2026. The account was reviewed, and on February 26, 2026, Option Care Health confirmed that the information exposed in the incident included names, dates of birth, medical record numbers, and treatment information. Option Care Health has reviewed its technical security measures and has taken steps to prevent similar incidents in the future. The incident has been reported to regulators, but it is currently unclear how many individuals have been affected.

The post Data Breaches Announced by DermCare Management; Option Care Health; Aetna appeared first on The HIPAA Journal.

Neinstein Plastic Surgery in New York and Atlantic Brain and Spine in North Carolina have announced security incidents that exposed patient information.

Neinstein Plastic Surgery, New York

Neinstein Plastic Surgery in New York City has identified unauthorized access to an email account that contained sensitive patient information. Unauthorized activity was identified in the email account on December 2, 2025. The account was secured, and an investigation was initiated to determine the nature and scope of the activity. The investigation confirmed that the account had been accessed by an unauthorized individual between November 12, 2025, and November 20, 2025, and that this was a financially motivated attack rather than an attempt to obtain patient information; however, patient information may have been obtained in the incident.

The account was reviewed and on February 20, 2026, Neinstein Plastic Surgery confirmed that emails and documents in the account contained information such as names, contact information, dates of birth, driver’s license or passport numbers, Social Security numbers, credit card or financial account information, health insurance information, and clinical information, which may have included healthcare provider names, diagnoses, and treatment information. The types of information involved vary from individual to individual.

The incident was reported to law enforcement, additional technical safeguards have been implemented to improve email security, and further employee training has been provided. While there has been no known misuse of patient information, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The data breach has been reported to the appropriate authorities, although it is currently unclear how many individuals have been affected.

Atlantic Brain and Spine, North Carolina

Wilmington, North Carolina-based Atlantic Brain and Spine has disclosed a January 2026 cybersecurity incident. Suspicious activity was identified within its computer network on January 26, 2026. Third-party specialists were engaged to investigate the incident and confirmed that certain patient data had been accessed by an unauthorized third party.

The exposed data is still being reviewed; however, Atlantic Brain and Spine determined that the impacted data includes names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, financial account information, treatment/diagnosis information, prescription/medication information, dates of service, provider names, medical record numbers, patient account numbers, Medicare/Medicaid ID numbers, health insurance information, and/or medical billing/claims information. The types of data involved vary from individual to individual.

Atlantic Brain & Spine is working with third-party cybersecurity specialists to implement additional measures to prevent similar incidents in the future and is reviewing its policies and procedures related to data privacy and security.  Since the review is ongoing, it is unclear how many individuals have been affected at this moment in time.

The post Data Breaches Announced by Neinstein Plastic Surgery; Atlantic Brain and Spine appeared first on The HIPAA Journal.

The New Jersey long-term care pharmacy Innovative Pharmacy Packaging Corp (IPPC Inc), and the affiliated entities IPPC of New York LLC, and Innovative Pharmacy LLC have confirmed in a breach report to the HHS’ Office for Civil Rights (OCR) that the protected health information of 133,862 patients has been exposed and potentially obtained in a recent security incident.

IPPC identified anomalous network activity in September 2025 and launched an investigation to determine the nature and scope of the activity. The forensic investigation confirmed that an unauthorized third party accessed its network between September 18, 2025, and September 19, 2025, and exfiltrated files from its network. IPPC conducted a review of the affected files, which concluded on February 9, 2026, when it was confirmed that they contained a range of personal and protected health information.

The types of information involved vary from individuals to individual and may include names in combination with dates of birth, driver’s license/ government-issued identification numbers, Medicare/Medicaid identification numbers, individual taxpayer identification numbers, passport numbers, medical record number/patient account numbers, diagnosis and treatment information, procedure information, prescription information, health insurance information, payment card information, financial account information, billing and claims information, treating/referring provider names, and admission and discharge dates.

IPPC started sending notification letters to the affected individuals on April 1, 2026, and has offered the affected individuals 24 months of complimentary credit monitoring and identity theft protection services. Individuals receiving a notification letter should ensure that they sign up for those services as soon as possible to protect themselves against misuse of their data, since data was copied in the incident. IPPC said it has implemented additional security measures to prevent similar incidents in the future and is revising its policies and procedures related to data privacy and security.

The post New Jersey Long Term Care Pharmacy Data Breach Affects 133,800 Patients appeared first on The HIPAA Journal.

Patient data has potentially been compromised in data incidents at Southern Illinois Dermatology and Heart South Cardiovascular Group in Alabama.

Southern Illinois Dermatology, Illinois

Southern Illinois Dermatology has notified an unspecified number of individuals about a data security incident it identified on November 28, 2025. An investigation was immediately launched to determine the nature and scope of the activity, with assistance provided by third-party cybersecurity experts. The investigation confirmed unauthorized access to parts of its network where patient data was stored, and potentially, files were copied from its network. The affected data was reviewed and found to contain personal information and protected health information, including full names, addresses, dates of birth, Social Security numbers, telephone numbers, email addresses, person numbers, and medical record numbers. The types of data involved vary from individual to individual. Notification letters started to be mailed to the affected individuals on April 2, 2026.

Southern Illinois Dermatology has taken measures to augment cybersecurity and continually evaluates and modifies its security practices. While the threat group behind the attack was not disclosed, the Insomnia threat group took responsibility for the incident and claimed to have obtained the data of more than 150,000 patients. Samples of the stolen data were uploaded to its data leak site as proof, and the group proceeded to leak the data allegedly stolen in the attack.

Heart South Cardiovascular Group

Heart South Cardiovascular Group, a provider of cardiac testing and preventive treatment at centers in Alabama, has notified the Maine Attorney General about a data breach affecting up to 46,666 individuals, including 3 Maine residents. The incident was detected on November 11, 2025, when an unauthorized third party claimed to have obtained sensitive data from Heart South. An investigation was launched to determine the legitimacy of the claim, and while no evidence was found to indicate an intrusion or data exfiltration, Heart South confirmed that the threat actor had posted a limited amount of Heart South data online.

A review was conducted to determine all potentially affected individuals, which was completed on February 12, 2026. As a precaution, Heart South sent notification letters to all individuals whose data was stored on the parts of its network where the posted data was stored, and the potentially affected individuals have been offered complimentary credit monitoring and identity theft protection services. The Rhysida threat group claimed responsibility for the incident.

The post Data Breaches Reported by Southern Illinois Dermatology; Heart South Cardiovascular Group appeared first on The HIPAA Journal.

Brockton Hospital in Massachusetts is continuing to grapple with a cybersecurity incident that took many of its electronic systems offline on April 6, 2026, and forced the hospital to divert ambulances to alternate facilities and cancel scheduled cancer treatments. An investigation into the cyberattack is ongoing, and the hospital is working with federal and state officials. While some systems have been brought back online, the hospital is continuing to use its downtime procedures, with staff members working off paper rather than computers. A Signature Healthcare spokesperson told Boston 25 News that the hospital would continue under downtime procedures for the next two weeks.

Signature Healthcare has been providing updates on the attack and recovery, and on April 10, 2026, said care continues to be provided to patients at the hospital, although there have been some disruptions to certain patient services. Lab work and medical testing are continuing, but there may be delays, and the patient portal system remains offline. The hospital is still unable to fill new prescriptions, and cannot currently fulfil requests for medical records. Inpatient food services are continuing, although special food requests for patients with dietary restrictions cannot currently be accommodated.

The Anubis ransomware-as-a-service group claimed responsibility for the attack. Anubis engages in double extortion, stealing data and encrypting files. A ransom must be paid to prevent the release of stolen data and obtain the keys to recover encrypted files. According to SuspectFile, which was contacted by a member of the Anubis group, files were encrypted in the attack. The Anubis spokesperson told SuspectFile that only non-critical systems were encrypted, and 2TB of data was stolen in the attack, including a large volume of patient data.

Anubis is attempting to pressure Signature Healthcare into paying the ransom by adding the hospital to its data leak site, along with a countdown clock when the stolen data will be published. Signature Healthcare has yet to confirm the extent of data theft, which may not be known for some time. The priority continues to be patient care, remediating the attack, and bringing systems back online when it is safe to do so.

April 8, 2026: Ambulances Diverted from Brockton Hospital While Signature Healthcare Deals with Cyberattack

Signature Healthcare’s Brockton Hospital in Massachusetts is grappling with a cyberattack and has implemented its downtime procedures while the incident is investigated. Some procedures have been temporarily cancelled, and the electronic medical record system and patient portal have been taken offline.

Signature Healthcare treats around 70,000 patients a year in Southeastern Massachusetts at its 216-bed Brockton Hospital, and the 15 care locations served by Signature Medical Group. The cybersecurity incident was detected on April 6, 2026, which impacted its information systems. The emergency room was placed on divert, with ambulances sent to alternate facilities due to the inability to access key information technology systems, although emergency services continued to be provided to walk-ins.

While the hospital continued to provide inpatient services and surgeries were proceeding without interruption, patients faced delays and some services were postponed, including chemotherapy infusions at the Greene Cancer Center, which were cancelled on April 7. Signature Healthcare partially closed its Brockton and East Bridgewater pharmacies, with consultations still taking place but prescriptions unable to be filled.

Signature Healthcare issued a statement confirming that surgeries and procedures were continuing, that its ambulatory physician practices and urgent care facilities remained open. Without access to certain information systems, alternative methods of documentation were being used, and there were naturally some delays to patient care as a result.

Signature Healthcare said it is working with third-party cybersecurity specialists and federal officials to investigate the incident, determine the nature and scope of the unauthorized activity, and identify the source of the intrusion.  “Our care teams continue to provide high-quality care using established downtime procedures. We remain committed to serving our community throughout this process,” Kim Walsh, Signature Healthcare’s chief operating officer, said.

The priority is ensuring high-quality care continues to be provided to patients while the incident is investigated. Systems will be brought back online when it is safe to do so, and as the investigation progresses, it will become clear to what extent, if any, patient data has been compromised. On April 8, when this article was posted, no threat actor had claimed responsibility for the incident; however, on Thursday 9, the Anubis ransomware group took credit for the attack, although no data appears to have been leaked so far.

There is usually a lag between an attack taking place and the victim being added to a data leak site, as the threat actor typically gives the victim time to make contact and negotiate payment. For a group to claim responsibility so quickly suggests that Signature Healthcare has made contact and likely made it clear that payment would not be forthcoming. Anubis claims to have exfiltrated a huge amount of data – 2 TB, including sensitive patient data.

The post Brockton Hospital Ransomware Attack: Downtime Procedures to Continue for Two Weeks appeared first on The HIPAA Journal.

Data incidents have recently been announced by ProxyCare in Florida, Oscar Health in New York, and AccentCare in Texas.

ProxyCare, Florida

ProxyCare LLC, a Sunrise, Florida-based provider of personalized pharmacy services, has started mailing notification letters to individuals impacted by an August 2025 cybersecurity incident. The company learned on August 22, 2025, that certain computer systems within its network environment had been affected by a cybersecurity incident. Third-party cybersecurity professionals were engaged to determine the nature and scope of the incident, and whether, and to what extent, patient information had been compromised.

The investigation confirmed that patient data had been exposed, and following a comprehensive manual document review, ProxyCare determined on January 29, 2026, that files accessed or acquired by an unauthorized third party in the incident included names, dates of birth, Social Security numbers, and driver’s license numbers. Notification letters were mailed to the affected individuals on March 23, 2026, and individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services.

Based on notifications to state attorneys general, around 150 individuals in Massachusetts and New Hampshire have been affected, but it is currently unclear how many individuals have been affected in total, as the incident has yet to be added to the HHS’ Office for Civil Rights breach portal.

Oscar Health, New York

Oscar Health, Inc., a New York-based health insurance company, has recently disclosed a data privacy incident that resulted in the unauthorized disclosure of a limited amount of member information. On December 31, 2025, Oscar Health learned that member identification cards and other enrollment information related to 2026 health insurance coverage were inadvertently mailed to old and potentially incorrect member addresses.

When the error was identified, immediate action was taken to prevent similar mis-mailing incidents, and an investigation was launched to determine the scope of the event. All individuals potentially affected were identified, and notification letters have now been sent to individuals for whom correct address information could be found, warning them that their name, health insurance policy number, and health insurance plan information were potentially impermissibly disclosed.

Oscar Health confirmed that highly sensitive information such as Social Security numbers, government identification numbers, and financial information was not involved, and there has been no known misuse of the disclosed information. The data breach notice was issued individually and on behalf of its affiliated covered entities, including Oscar Health Plan, Inc., Oscar Insurance Company of Florida, and Oscar Health Plan of Georgia. The incident affected up to 91,350 individuals.

AccentCare, Texas

AccentCare, a Texas-based provider of home health, palliative, and hospice services, has been affected by a data breach at its billing service vendor, Doctor Alliance. The protected health information of 19,772 individuals was potentially compromised in the incident. Doctor Alliance determined on November 16, 2025, that an unauthorized third party had accessed a web application. The forensic investigation determined that the threat actor had access to the application between October 31, 2025, and November 16, 2025, and accessed or exfiltrated files containing patient information.

Data compromised in the incident included names, Social Security numbers, medical record numbers, Medicare numbers, diagnosis/treatment information, provider information, and medical/health information. AccentCare said there was no unauthorized access to its own systems, and no impact to the care provided to its patients. AccentCare is monitoring Doctor Alliance’s response to the incident and its continued role as a service provider.

The post ProxyCare; Oscar Health; AccentCare Announce Data Breaches appeared first on The HIPAA Journal.