HIPAA Breach News

Hackers Claim Responsibility for Novo Nordisk Cyberattack

A hacking group has claimed responsibility for the cyberattack on the pharmaceutical company Novo Nordisk and says it exfiltrated more than 1 terabyte of data over several weeks. Another individual/group has also claimed it breached certain Novo Nordisk systems in a separate hacking incident in June.

FulcrumSec is a cyber extortion group that has been active since at least September 2025. The group specializes in high-speed data exfiltration, commonly from cloud-hosted databases, and demands payment to prevent the publication or sale of stolen data. The group exploits unrotated API keys and cloud misconfigurations for initial access.

Novo Nordisk disclosed the attack on June 11, 2026, and shortly thereafter, FulcrumSec added Novo Nordisk to its dark web data leak site, along with samples of data from its claimed 1.3 TB data heist. The listing states that data exfiltrated in the attack includes clinical trial information, intellectual property, and artificial intelligence models used for drug discovery.

FulcrumSec claims it issued a $25 million ransom demand to prevent the publication of the stolen data; however, Novo Nordisk refused to pay. Data has started to be leaked – at the time of writing, 264 GB of data is listed as available for download – as a result of non-payment, and the group says it is seeking a private buyer for the bulk of the stolen data.

The group’s dark web data leak site states that it obtained 4,750 source code repositories, more than 41,000 proprietary drug compounds with structures, over 30 trained AI models, 73 datasets, the data of 11,500 pseudonymised clinical trial patients, more than 163,000 employee records, data from 5 undisclosed drug programs, and the exact manufacturing recipe for one of the company’s major drugs.

While some data has been leaked, around 1.05 terabytes of data is being withheld. FulcrumSec claims it will not release certain data, such as the data of employees and physicians, the pseudonymized clinical trial patient data, and certain data related to operational technology and software used to interact with sensors and equipment at Novo Nordisk’s production facilities.

The group claims to have gained initial access “through secrets left in client-side JavaScript on two separate unrelated Novo Nordisk subdomains — two completely different teams, two different applications, the same elementary mistake made twice,” and suggests highly sensitive data was protected with extremely weak passwords.

The group said it used Azure container registry credentials that were baked into a client-side JavaScript bundle, and a GitHub personal access token that had access to hundreds of repositories. The repositories contained API tokens, database credentials, and service account passwords that allowed lateral movement to hundreds of Novo Nordisk systems. The group claims that Novo Nordisk’s security team detected its presence in its GitHub accounts around two weeks after the initial intrusion, and in its Azure environment after 3 weeks.
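As an added example (not from the article, Novo Nordisk, or any tool named here), a build-pipeline check of the kind that catches the mistake described above: it scans a built client-side bundle for GitHub personal access tokens, Azure container registry login servers, and high-entropy credential assignments. The sample bundle, the registry name `exampleregistry`, the key-name list, the token lengths and the 3.5-bit entropy threshold are constructed assumptions.

```javascript
'use strict';
// Added example: scan the text of a built client-side bundle for the two
// credential kinds named in the article, plus generic high-entropy secrets.

// Shannon entropy in bits per character. Random secrets score high;
// UI strings and placeholders score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Findings end up in CI logs, so never echo a full secret.
function redact(value) {
  return value.slice(0, 4) + '...(' + value.length + ' chars)';
}

// ghp_ and github_pat_ are GitHub's token prefixes; the lengths are the
// commonly observed shapes and are treated here as an assumption.
// An ACR login server (<name>.azurecr.io) is not a secret by itself, but a
// reference to it in browser code means registry config was bundled.
const TOKEN_RULES = [
  { id: 'github-classic-pat', secret: true, re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { id: 'github-fine-grained-pat', secret: true, re: /\bgithub_pat_[A-Za-z0-9_]{82}\b/g },
  { id: 'acr-login-server', secret: false, re: /\b[a-z0-9]+\.azurecr\.io\b/gi },
];

// Heuristic (assumption): a key whose name ends in a credential word,
// assigned a quoted literal of 16+ non-space characters.
const ASSIGNMENT_RE =
  /([A-Za-z_]*(?:password|passwd|secret|token|api[_-]?key))["']?\s*[:=]\s*["']([^"'\s]{16,})["']/gi;
const ENTROPY_THRESHOLD = 3.5; // bits per character, tunable

function scanBundle(text, file) {
  const findings = [];
  for (const rule of TOKEN_RULES) {
    for (const m of text.matchAll(rule.re)) {
      findings.push({
        rule: rule.id,
        file,
        offset: m.index, // minified bundles are one line, so report offsets
        preview: rule.secret ? redact(m[0]) : m[0],
      });
    }
  }
  for (const m of text.matchAll(ASSIGNMENT_RE)) {
    const value = m[2];
    // Low-entropy literals (placeholders, repeated characters) are skipped.
    if (shannonEntropy(value) >= ENTROPY_THRESHOLD) {
      findings.push({
        rule: 'high-entropy-assignment',
        file,
        offset: m.index,
        preview: m[1] + '=' + redact(value),
      });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample input: a minified bundle with fake values only.
const FAKE_PAT = 'ghp_' + 'A'.repeat(36);
const SAMPLE_BUNDLE = [
  '!function(){var cfg={registry:"exampleregistry.azurecr.io",',
  'registryPassword:"q7Zp2LxV9mTa4RkW8sNc3YbH",',
  'passwordLabel:"Enter your password",',
  'token:"aaaaaaaaaaaaaaaaaaaaaaaa"};',
  'fetch("/api",{headers:{Authorization:"Bearer ' + FAKE_PAT + '"}})}();',
].join('');

// In a pipeline, a non-empty result would fail the build before deploy.
for (const f of scanBundle(SAMPLE_BUNDLE, 'app.min.js')) {
  console.log(f.file + '@' + f.offset + ' [' + f.rule + '] ' + f.preview);
}
```

Any credential this kind of check finds in a bundle that has already shipped should be treated as exposed and rotated, not just removed from the next build.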

FulcrumSec is not alone in claiming responsibility for hacking Novo Nordisk’s systems. According to databreaches.net, a hacker identifying themselves as TheUSERS007 has claimed to have breached the drug company’s systems between June 5 and June 7, 2026, after the claimed hack by FulcrumSec. TheUSERS007 demanded a $50 million ransom, which similarly wasn’t paid, and told databreaches.net that access was gained using venomware, “a self-learning, adaptive AI engine designed for the surgical extraction of intellectual property.”

FulcrumSec referenced the claim on its data leak site and suggests that the claim is potentially legitimate. The attack disclosed by Novo Nordisk relates to the FulcrumSec hack, rather than the second incident, which has yet to be confirmed by Novo Nordisk.

June 15, 2026: Clinical Trial Data Stolen in Novo Nordisk Cyberattack

Novo Nordisk, the Danish pharmaceutical firm behind the GLP-1 weight loss drugs Ozempic and Wegovy, has experienced a cyberattack that exposed the data of healthcare providers and patients enrolled in clinical trials. According to the company’s June 11, 2026, breach notice, a threat actor gained access to a limited number of its internal systems, and certain personal data stored on those systems was exfiltrated by the attackers. It is currently unclear when the intrusion was detected or for how long hackers had access to its systems, and the threat group behind the attack has yet to publicly claim responsibility.

The exposed data related to certain patients who took part in its clinical trials; however, the risk to those patients is limited, as the exfiltrated data was deidentified. Patient names were not exposed; only the ID numbers were used to identify specific patients participating in clinical trials. The ID numbers consist of random alphanumeric strings. Other compromised information was limited to sex, year of birth, biomarkers, health and immunogenicity data, and lifestyle factors, such as BMI, whether the patient was a smoker, and information about their alcohol usage.

Novo Nordisk said that because the exposed data was pseudonymized, patients cannot be identified from the exposed information without further information from another source; therefore, patients are not believed to face any immediate risks. Patients have been advised to remain vigilant and to contact Novo Nordisk if they identify any suspicious activity that they believe may be linked to the incident.

When the attack was detected, certain systems were taken offline as a precaution while the incident was investigated, and Novo Nordisk is working to bring the systems back online safely and securely. The company said the cyberattack has had no impact on its core business operations, which remain up and running. The forensic investigation and data review are ongoing, and Novo Nordisk has yet to determine the number of individuals affected.

Certain healthcare providers have been affected by the incident, and they are currently being notified. The information stolen in the attack varies from provider to provider, and may include information such as the company name, registration number, contact email address, phone number, office location, and WhatsApp details. Since contact information has been compromised, healthcare providers are potentially at risk of phishing or social engineering attacks and should therefore remain vigilant.

The post Hackers Claim Responsibility for Novo Nordisk Cyberattack appeared first on The HIPAA Journal.

PHI Compromised in Cyber Incidents at Medenet; United Medical Doctors; Stewart Home & School

Cybersecurity incidents involving unauthorized access to protected health information have been announced by the revenue cycle management company Medenet, the California medical group United Medical Doctors, and the Kentucky residential school, Stewart Home & School.

Medenet Inc.

Medenet Inc., a Florida-based medical billing, EMR software, and revenue cycle management service provider to physician practices, has started issuing notifications about a cyberattack identified on December 26, 2025. Assisted by third-party cybersecurity experts, Medenet determined that personal and protected health information was likely compromised in the incident, including medical records and Social Security numbers.

Medenet said it is unaware of any misuse of the impacted data; however, as a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services. The data breach has yet to be added to the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

United Medical Doctors

United Medical Doctors, a Murrieta, California-based multi-specialty medical and surgical group, has discovered unauthorized access to its computer systems. Suspicious activity was identified within its computer systems on March 26, 2026, and the forensic investigation determined that a threat actor had access to its systems for around three and a half months, between December 12, 2025, and March 31, 2026. During that time, files containing patient information may have been viewed or acquired.

The May 20, 2026, substitute breach notice states that the types of information compromised in the incident have yet to be determined, and the number of affected individuals has yet to be publicly disclosed.

Stewart Home & School

Stewart Home & School (formerly Stewart Home School), a residential school in Franklin County, Kentucky, has recently announced that it was the victim of a criminal cyberattack on its computer network. The attack occurred in the early hours of August 4, 2025, with the threat actor gaining access to its network using stolen credentials.

Those credentials allowed the threat actor to access two of its internal electronic drives. Data on those drives was accessed and exfiltrated, then ransomware was used to encrypt the data. Stewart Home & School said the nature of the attack and the design of its electronic network meant it has taken a significant amount of time to determine the types of data involved and the individuals affected.

The data analysis has recently concluded, and confirmed that 3,677 individuals potentially had data stolen in the incident, including personal information and protected health information. That information included names; demographic information such as phone numbers, email addresses, addresses, and Social Security numbers; financial information; protected health information such as health insurance information, diagnoses, medical conditions, test results, and medications; and education-related information, including evaluation and testing information.

The affected individuals were notified about the incident in April 2026 and have been offered 24 months of complimentary credit monitoring and identity theft protection services. The Sinobi ransomware group claimed responsibility for the attack.

Florida Law Firm Data Breach Affects 65,000 Individuals

A cyberattack at the law firm GrayRobinson has affected 65,000 individuals. Data breaches have also been announced by C2N Diagnostics in Missouri and Virta Health in Colorado.

GrayRobinson

The Orlando, Florida-based law firm GrayRobinson, P.A., has notified the Maine Attorney General about a data breach affecting 65,113 individuals, including 52 Maine residents. Among those individuals, 54,131 people had their protected health information exposed in the incident. In its substitute data breach notice, GrayRobinson explained that unauthorized access to its network was detected on or around March 24, 2025. Immediate steps were taken to secure its network, and assisted by third-party cybersecurity specialists, the incident was investigated to determine the extent to which sensitive information had been compromised.

The investigation confirmed that its network was accessed by an unauthorized third party between March 5, 2025, and March 24, 2025, and during that time, files containing personal and protected health information were exfiltrated from its network. The data was reviewed, and on April 13, 2026, the file review concluded and determined that full names, dates of birth, Social Security numbers, driver’s license numbers, state and government ID numbers, financial account information, medical information, and health insurance information were involved.

GrayRobinson said it had taken many precautions to protect against unauthorized access to its systems and data, and continually evaluates and modifies its practices and internal controls to enhance security and ensure the privacy of sensitive information. Complimentary credit monitoring and identity theft protection services have been made available. Notification letters started to be sent to the affected individuals on April 24, 2026.

C2N Diagnostics, Missouri

C2N Diagnostics, a St. Louis, MO-based specialty diagnostics company providing lab services and products related to brain health, has disclosed a cybersecurity incident that was identified on March 6, 2026. C2N Diagnostics said it was targeted by a cybercriminal actor who gained access to a small number of stored employee communications, some of which contained personal information.

The data was reviewed and found to include names, dates of birth, contact information, health information, blood test analysis results, health insurance information, and Social Security numbers. The affected individuals have been notified by mail and offered complimentary credit monitoring and identity theft protection services for at least 12 months as a precaution against data misuse. At the time of issuing notification letters, C2N Diagnostics was unaware of any misuse of the exposed data. C2N Diagnostics reported the breach to the HHS’ Office for Civil Rights on April 27, 2026, as affecting 2,027 individuals.

Virta Health

Virta Health Corp & Virta Medical PC, a Denver, CO-based provider of digital health services to help individuals manage type 2 diabetes, prediabetes, and obesity, has identified unauthorized access to one of its data repositories. The unauthorized access was identified on March 24, 2026, and the investigation confirmed that it had been compromised between March 19, 2026, and March 22, 2026.

The data repository was separate from its current production platform and contained personal information, the details of which were not disclosed in its data breach notice. Virta Health said its investigation confirmed that data had been exposed, and “could not rule out the possibility that an unknown actor may have accessed [personal information].” The Lapsus$ threat group claimed responsibility for the attack and added Virta Health to its data leak site on March 23, 2026, one day prior to the breach being detected. It is unclear if the ransom was paid or how many individuals were affected by the incident.

Data Breaches Announced by Two Digestive Health Companies

Cyberattacks and data breaches have recently been announced by the national gastroenterology medical group Gastro Health and Spokane Digestive Disease Center in Washington.

Gastro Health

Gastro Health, a gastroenterology medical group with more than 200 locations in Florida, Alabama, Washington, Virginia, Ohio, Massachusetts, and Maryland, has announced an email security incident that exposed the protected health information of some of its patients.

The incident was detected on February 25, 2026, when the company learned that some of its employees had responded to phishing emails, resulting in unauthorized access to their email accounts. A separate phishing incident was identified on March 2, 2026, resulting in a further email account being subject to unauthorized access.

The review of the affected email accounts confirmed that they contained information such as names, dates of birth, Social Security numbers, and state or government-issued ID numbers. Protected health information in the accounts included diagnosis and treatment information, prescription information, provider/clinic information, medical record numbers, patient account numbers, Medicare/Medicaid numbers, and health insurance or group account numbers. The types of information involved varied from individual to individual.

Notification letters are being mailed to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 24 months. The number of affected individuals has yet to be publicly disclosed, although the Washington Attorney General has been informed that more than 1,800 state residents have been affected.

Spokane Digestive Disease Center

Spokane Digestive Disease Center in Washington has notified certain patients about unauthorized access to an employee’s email account. Suspicious activity was identified within the account on February 19, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to the account on various dates between January 22, 2026, and February 18, 2026.

The account was reviewed, and on May 8, 2026, it was confirmed that information in the account included names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, credit card information, financial account information, electronic signatures, and medical information.

The affected individuals have been offered 12 months of complimentary credit monitoring services, and steps have been taken to improve email security. The HHS’ Office for Civil Rights currently lists the data breach with a placeholder estimate of at least 501 individuals. The Washington Attorney General was informed that the information of 2,093 state residents was involved.

Cybersecurity Incidents Reported by Multiple Dental Practices

Data breaches have been announced by several dental practices: Bayside Dental (TX/WA), Aldrich Pediatric Dentistry (IN), Stafford Oral Surgery (VA), Garrisonville Dental (VA), and Drs. Abdelbaky, Boes, Cameron & Associates of Wake Forest and Cary Park (NC).

Bayside Dental

Bayside Dental, a dental practice with locations in Rowlett, Texas, and Anacortes, Washington, has experienced a cybersecurity incident. Unauthorized network access was identified on or around January 5, 2026, and the forensic investigation confirmed on March 13, 2026, that there had been unauthorized access to files containing patient data on January 5, 2026.

Data potentially viewed or obtained in the incident included full names, dates of birth, Social Security numbers, medical treatment information, medical diagnostic information, prescription information, patient numbers, health insurance information, health insurance plan beneficiaries, and dates of service. Bayside Dental determined that the protected health information of up to 10,216 patients was potentially compromised in the incident. Bayside Dental has offered the affected individuals complimentary single-bureau credit monitoring, credit score, and credit report services for 12 months.

While not described by Bayside Dental as a ransomware attack, the Sinobi ransomware group claimed responsibility and added Bayside Dental to its dark web data leak site. The group claims to have stolen 580 gigabytes of data in the attack, including files containing patient data. Patients should therefore ensure that they sign up for the credit monitoring services being offered.

Aldrich Pediatric Dentistry

Aldrich Pediatric Dentistry in Indianapolis, IN, has also recently announced the exposure of patient data as a result of an email incident. On February 26, 2026, the practice learned that an employee’s email account was compromised on January 16, 2026, as a result of a response to a phishing email that day. The account was immediately secured, and an investigation was launched, which confirmed that the account contained the protected health information of 5,900 individuals.

Data potentially obtained in the attack included names, addresses, email addresses, telephone numbers, dates of service, procedures, and insurance information. Social Security numbers and financial information were not involved. The practice has implemented additional security measures to strengthen email security, and notification letters were mailed to the affected individuals around April 24, 2026.

Vendor Incident Affects Multiple Dental Practices

Several dental practices have recently disclosed data breaches involving a third-party vendor. The practices were contacted by the unnamed vendor on March 19, 2025, and were informed that limited patient data had been accessed by an unauthorized individual in a security incident. The vendor identified the unauthorized access on October 24, 2025, and the forensic investigation confirmed that some of the vendor’s email accounts and files were accessed between October 15 and October 23, 2025, as a result of a phishing attack.

The investigation found no evidence to suggest that the unauthorized third party accessed or copied any files containing patient information; however, unauthorized data access and acquisition could not be ruled out. The breach was limited to the vendor’s email accounts and associated files. There was no unauthorized access to patient medical or dental records. The compromised data varied from individual to individual and may have included names, addresses, dates of birth, medical information, health insurance information, and Social Security numbers. The affected individuals have been notified by mail and offered complimentary credit monitoring and identity theft protection services.

The HIPAA Journal has not yet been able to confirm how many dental practices have been affected; however, the following dental practices have issued breach notices confirming that patient data was potentially compromised in the incident.

| Dental Practice | Affected Individuals |
| --- | --- |
| Stafford Oral Surgery, Virginia | 7,019 |
| Garrisonville Dental, Virginia | 5,204 |
| Drs. Abdelbaky, Boes, Cameron & Associates of Wake Forest, North Carolina, d/b/a Triangle Family Dentistry | 908 |
| Drs. Abdelbaky, Boes, Cameron & Associates of Cary Park, North Carolina, d/b/a Triangle Family Dentistry | 547 |

Spate of Attacks on Dental Practices

There has been a spate of data breaches reported by dental practices recently, including Bridle Trails Family Dentistry in Washington (20,976 individuals), Verber Dental Group PC in New York (8,598 individuals), Bronsky Orthodontics in New York (3,183 individuals), and Totem Lake Family Dentistry in Washington (3,464 individuals). Apart from the Verber Dental Group data breach, these incidents involved unauthorized access to email accounts.

Dental practices should ensure that they set strong, unique passwords for employee email accounts, protect accounts with multifactor authentication, implement an email security solution, and provide security awareness training to the workforce to raise awareness of phishing and social engineering.

Senator Seeks Answers from NYC Health & Hospitals About 1.8M Record Breach

The Senate Health, Education, Labor, and Pensions (HELP) Committee Chair Senator Bill Cassidy, M.D. (R-LA), is seeking answers from NYC Health + Hospitals about the steps that have been taken since its recent data breach to improve its security protocols to prevent further cybersecurity incidents and breaches of patient data.

NYC Health + Hospitals discovered suspicious activity within its computer systems on February 2, 2026, with its investigation determining that its systems were accessed by an unauthorized third party for almost three months before the intrusion was detected. The threat actor first accessed its system on February 25, 2026, and retained access until February 11, 2026. The investigation suggests access was gained via a third-party vendor. Data compromised in the incident included names, Social Security numbers, medical information, health insurance information, billing and claims information, payment information, and precise geolocation data. The data breach was reported to the HHS’ Office for Civil Rights as affecting 1.8 million individuals.

In the letter to NYC Health + Hospitals CEO Mitchell Katz and CC’d to NYC Mayor Zohran Mamdani, Sen. Cassidy pointed out that healthcare data breaches are being reported in high numbers. Currently, 772 large healthcare data breaches are listed on the OCR data breach portal, making 2025 a record year for healthcare data breaches. These incidents result in delayed care, and data theft puts patients at risk of identity theft and fraud. NYC Health + Hospitals is the largest public health system in the United States, providing care to 1 million patients a year, and its data breach has created a substantial risk to the population it serves.

Sen. Cassidy seeks answers on both the cybersecurity controls in place prior to the cybersecurity incident and the measures implemented post-incident to protect against further cyberattacks. Specifically, Sen. Cassidy wants answers about the cyber and physical security protocols in place to protect against cyberattacks, how cybersecurity best practices implemented by other critical infrastructure sectors have been incorporated into its security policies and protocols, exactly when it became aware of an intrusion, when and which federal agencies were notified about the incident, and the remedial steps taken to improve security protocols.

Sen. Cassidy also wants more detail about the steps taken to identify any additional information that may have been accessed in the attack, how it is proactively communicating with potentially impacted individuals and entities, and what additional reporting it will commit to doing for the affected individuals, beyond the reporting requirements of HIPAA. Sen. Cassidy is seeking a response to the questions no later than June 18, 2026.

Sen. Cassidy is taking a keen interest in cybersecurity incidents at healthcare organizations. He sent a similar letter to Aflac following its massive data breach in 2025 – the second-largest healthcare data breach of the year, affecting almost 14 million individuals – and UnitedHealth Group following the Change Healthcare cyberattack in 2024.

Sen. Cassidy, along with Sens. Maggie Hassan (D-NH), Mark Warner (D-VA), and John Cornyn (R-TX), reintroduced the Health Care Cybersecurity and Resiliency Act last year, which was advanced by the HELP committee this spring, in an attempt to strengthen healthcare cybersecurity and improve resiliency against ever-increasing healthcare cyberattacks and data breaches.

Southern Illinois Ob-Gyn Associates Announces Data Breach Affecting 38,700 Individuals

A data breach at Southern Illinois Ob-Gyn Associates has affected 38,700 individuals. Data breaches have also been reported by Wellpoint Washington – involving Independent Clinics of Washington – and Dillon Family Medicine, part of McLeod Health.

Southern Illinois Ob-Gyn Associates

Southern Illinois Ob-Gyn Associates has notified 38,700 current and former patients about a breach of their personal and protected health information. The cybersecurity incident was identified on November 24, 2025, and after securing its systems, third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the incident. They confirmed that its systems had been subject to unauthorized access, and on January 28, 2026, it was confirmed that there was unauthorized access to patient data.

Data compromised in the incident included names, dates of birth, Social Security numbers, demographic information, health information, and health insurance information. Southern Illinois Ob-Gyn Associates said it has implemented additional technical safeguards and has enhanced its existing security measures to prevent similar incidents in the future. Southern Illinois Ob-Gyn Associates obtained the final list of individuals to notify on April 28, 2026. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Wellpoint Washington

Wellpoint Washington, Inc., has notified 12,020 individuals that some of their personal and protected health information was stored in an employee’s email account that was accessed by an unauthorized third party between June 24 and July 2, 2025. During that time, emails and files may have been exfiltrated.

The data breach affected Independent Clinics of Washington, a delegated provider of Elevance Health, and was detected on July 2, 2025. The incident exposed information such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance ID numbers, medical information, and pharmacy information. The affected individuals were notified directly by Wellpoint Washington Inc. Complimentary credit monitoring and identity theft protection services do not appear to have been made available.

Dillon Family Medicine

Dillon Family Medicine, a healthcare provider that’s part of McLeod Health and serves patients in and around Dillon, South Carolina, has identified unauthorized access to a network server containing patient information. According to the substitute breach notice on the McLeod Health website, the unauthorized access occurred between October 17, 2026, and October 18, 2026.

The breach was not detected until March 5, 2026, when a suspicious file was found on the server, which was about to be decommissioned. An investigation was launched, which determined on April 14, 2026, that there had been unauthorized access to the server. The server contained names, dates of birth, Social Security numbers, and health information, including diagnoses, medications, test results, medical images, treatment information, and health insurance information.

Additional safeguards have been implemented to prevent similar incidents in the future, and the affected server has now been fully decommissioned and is no longer in use. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so the number of affected individuals is currently unknown.

Largest Healthcare Data Breaches of 2025

2025 was another bad year for healthcare data breaches. As of June 2026, 772 healthcare data breaches from 2025 affecting 500 or more individuals are listed on the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal, involving the exposure or theft of the protected health information of 139,721,832 individuals. That total is likely to increase further as there are several data breach investigations that have yet to conclude.

Based on the current totals, 2025 was the worst ever year for large healthcare data breaches, beating the previous record of 746 data breaches set in 2023 by 3.49%. In terms of affected individuals, 2025 was the third-worst year, behind the 289.8 million affected individuals in 2024 and the 183 million affected individuals in 2023. You can view the latest figures and how they compare to previous years on our Healthcare Data Breach Statistics page.

Large healthcare data breaches increased by 4.18% year over year, although there was a 51.79% year-over-year decrease in affected individuals. Such a large decrease in affected individuals was expected, as in 2024, there was a gargantuan data breach at Change Healthcare, which affected an estimated 192,700,000 individuals. That single data breach accounted for 66.49% of the 289,819,703 affected individuals in 2024.

The Largest Healthcare Data Breaches of 2025

The table below shows the largest healthcare data breaches of 2025 known at the time of publication. At the time of publication, 16 healthcare data breaches were reported to OCR in 2025 that each affected more than one million individuals, and a further 7 data breaches affected between 500,000 and 999,999 individuals.

| HIPAA-Regulated Entity | State | Entity Type | Individuals Affected |
| --- | --- | --- | --- |
| Conduent Business Services LLC | NJ | Business Associate | 62,224,658 |
| Aflac | GA | Health Plan | 13,924,906 |
| Episource, LLC | CA | Business Associate | 6,725,572 |
| Yale New Haven Health System | CT | Healthcare Provider | 5,556,702 |
| Blue Shield of California | CA | Business Associate | 4,700,000 |
| PIH Health | CA | Healthcare Provider | 2,947,264 |
| DaVita Inc. | CO | Healthcare Provider | 2,689,826 |
| Veradigm LLC | MIL | Business Associate | 2,672,036 |
| Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 |
| Kettering Adventist Healthcare | OH | Healthcare Provider | 1,695,382 |
| Radiology Associates of Richmond, Inc. | VA | Healthcare Provider | 1,419,091 |
| DermCare Management | FL | Business Associate | 1,361,735 |
| SimonMed Imaging | AZ | Healthcare Provider | 1,275,669 |
| Absolute Dental Group, LLC | NV | Business Associate | 1,223,635 |
| Southeast Series of Lockton Companies, LLC (Lockton) | GA | Business Associate | 1,124,727 |
| Community Health Center, Inc. | CT | Healthcare Provider | 1,060,936 |
| Frederick Health | MD | Healthcare Provider | 934,326 |
| Community Health Center, Inc. | MI | Healthcare Provider | 743,131 |
| Medusind Inc. | FL | Business Associate | 701,475 |
| Blue & Co., LLC | IN | Business Associate | 591,713 |
| Kelly & Associates Insurance Group, Inc. | MD | Business Associate | 553,332 |
| Decisely Insurance Services, LLC | GA | Business Associate | 537,603 |
| United Seating and Mobility, LLC, d/b/a Numotion | TN | Healthcare Provider | 529,004 |

Conduent Business Services – 62.2 million individuals

The largest healthcare data breach of 2025 by some distance was reported by the HIPAA business associate, Conduent Business Services. Conduent is a business associate of HIPAA-covered entities and government agencies that provides a range of back-office services. Conduent reported a data breach to OCR in October 2025 as involving unauthorized access to the protected health information of 42,616 individuals, including names, dates of birth, Social Security numbers, treatment information, and claims information.

Since then, the Oregon Attorney General was informed that the data breach involved unauthorized access to the sensitive data of more than 10.5 million state residents, and the Texas Attorney General was later informed that 14,791,500 individuals in Texas were affected. That total was later increased to 15,494,592 individuals. Other state attorneys general have also received notifications confirming that some of their state residents have been affected, but have not published how many individuals were affected in their states. An updated total was provided to OCR in mid-2026, indicating that the protected health information of 62,224,658 individuals was compromised in the incident, making it the third-largest healthcare data breach of all time.

The incident was described as a security incident that caused an outage, resulting in temporary disruption to its services – terminology often used to describe a ransomware attack. The Safepay ransomware group claimed responsibility for the attack and added Conduent to its data leak site, although the listing has now been removed, suggesting the ransom was paid.

Aflac – 13.9 million individuals

In a June 12, 2025, filing with the U.S. Securities and Exchange Commission (SEC), the insurance giant Aflac disclosed a cyberattack by a threat actor that “may be affiliated with a known cyber-criminal organization.” While not confirmed by Aflac, that group is widely believed to be the Scattered Spider threat group, which at the time was targeting the insurance industry. The data breach was reported to OCR on August 8, 2025, using a placeholder figure of 500 affected individuals, as the investigation was ongoing at the time. The hackers gained access to names, addresses, dates of birth, government-issued ID numbers such as passports and state ID card numbers, driver’s license numbers, Social Security numbers, medical information, and health insurance information.

As the year drew to a close, Aflac confirmed that there had been unauthorized access to the sensitive data of 22.65 million individuals globally. The OCR breach portal has since been updated to confirm that the protected health information of at least 13,924,906 individuals was compromised in the incident.

Episource, LLC – 6.73 million individuals

The UnitedHealth (Optum) subsidiary Episource, a provider of medical coding, risk adjustment services, and software solutions for healthcare providers and health plans, experienced a ransomware attack in February 2025 that involved the exfiltration of files containing sensitive patient data. Data compromised in the attack included names, contact information, medical information, and health insurance information. The ransomware group gained access to Episource’s AWS environment.

The investigation confirmed that the ransomware group had access to its network from January 27, 2025, to February 6, 2025, and potentially obtained the protected health information of 5,418,866 individuals. Multiple healthcare provider clients were affected by the attack, including Sharp HealthCare and Sharp Community Medical Group. That total has since been increased to 6,725,572 individuals.

Yale New Haven Health System – 5.6 million individuals

Yale New Haven Health System, the largest health system in the state of Connecticut, reported the data breach to OCR in April 2025, after its investigation determined that hackers breached its network on March 8, 2025, and obtained the sensitive data of 5,556,702 individuals.

The electronic medical record system was not accessed, and the hackers were unable to access financial information; however, they did obtain names, contact information, demographic information, medical record numbers, and Social Security numbers. Yale New Haven Health faced multiple class action lawsuits over the data breach, which were settled rapidly. Yale New Haven Health agreed to an $18 million settlement to resolve a consolidated class action lawsuit that amalgamated 18 separate complaints, just 7 months after the data breach occurred.

Blue Shield of California – 4.70 million individuals

The health insurance provider Blue Shield of California was one of many healthcare entities to experience data breaches involving tracking software on their websites. In this case, Blue Shield of California had added Google Analytics code to certain websites, which was configured in a way that resulted in member data being shared with Google Ads for almost 3 years. In certain cases, the protected health information shared with Google may have been used to serve members with personalized Google Ads related to their interactions on Blue Shield of California websites. For instance, if the “Find a Doctor” service was used, then search criteria and results may have been disclosed.

The scale of the breach – up to 4.7 million individuals – makes it one of the worst of the year; however, notification letters were issued to all members who accessed the websites over 3 years, and it is unclear how many of those individuals had protected health information disclosed to third parties. Further, there was limited potential for harm, and no indications that any bad actor was able to access plan members’ data.

PIH Health – 2.95 million individuals

The California healthcare provider PIH Health experienced a ransomware attack in December 2024, in which the ransomware group claimed to have exfiltrated 2 terabytes of data. The threat actor had access to the PIH Health network from November 14, 2024, to December 23, 2024. It took more than a year for PIH Health to review the affected data and determine that patient data had been exposed. That determination was not made until December 2025, and it took until February 2026 for individuals to start being notified.

The ransomware group stole files containing names, addresses, medical information, health insurance information, Social Security numbers, taxpayer identification numbers, driver’s license numbers, financial account information, and credit/debit card numbers. PIH Health informed the HHS Office for Civil Rights that the protected health information of 2,947,264 individuals was compromised in the incident.

DaVita – 2.69 million individuals

The Denver, CO-based kidney dialysis service provider DaVita experienced a ransomware attack in April 2025. DaVita operates more than 2,600 kidney dialysis centers across the United States, and while the attack caused temporary operational disruption, critical care provided to patients across the United States was unaffected.

The ransomware group was able to access a laboratory database containing the protected health information of 2,689,826 individuals, including demographic information, clinical information, and tax information. The Interlock ransomware group claimed responsibility for the attack and had access to DaVita systems from March 24, 2025, to April 12, 2025.

Veradigm LLC – 2.67 million individuals

Veradigm, a Chicago, Illinois-based provider of practice management and electronic health record solutions to healthcare providers (formerly Allscripts), experienced a data security incident in July 2025 that involved unauthorized access to protected health information. One of its storage locations had been compromised as a result of an incident at one of its customers. Credentials were stolen that allowed access to the storage environment.

Data compromised in the incident included names, contact information, dates of birth, health records information, health insurance information, payment details, and limited identifiers, such as Social Security numbers and driver’s license numbers. It took some time to review the affected data, with 2,672,036 individuals now known to have had their data exposed or stolen in the incident. Veradigm settled the class action lawsuit that followed for $10.5 million.

Anne Arundel Dermatology – 1.91 million individuals

Anne Arundel Dermatology, a dermatology practice with more than 30 locations in 7 U.S. states, experienced a hacking incident that saw unauthorized individuals access its network from February 14, 2025, to May 13, 2025. The systems compromised in the attack contained the protected health information of up to 1,905,000 individuals, including names, addresses, dates of birth, and health insurance information.

Since it was not possible to determine which records were viewed or copied, notification letters were mailed to all potentially affected individuals. Anne Arundel Dermatology was one of several dermatology practices to be targeted by hackers in 2025.

Kettering Adventist Healthcare – 1.7 million individuals

The Ohio health system, Kettering Adventist Healthcare (Kettering Health), experienced a ransomware attack on May 20, 2025, although its network was first breached on April 9, 2025. The Interlock ransomware group claimed responsibility for the attack, alleging that 941 GB of data was stolen in the attack. Kettering Health refused to pay the ransom, and Interlock proceeded to leak the stolen data.

It took several months to review the affected data and determine the individuals affected. Around April 2026, OCR was provided with a revised total, showing that the protected health information of 1,695,382 individuals was stolen in the attack. The stolen data included names, Social Security numbers, financial account numbers, driver’s license numbers, medical and/or treatment information, health insurance information, billing and/or claim information, passport numbers, and/or usernames and associated passwords. Kettering Health faced dozens of class action lawsuits over the data breach. The litigation is ongoing.

Radiology Associates of Richmond – 1.42 million individuals

Radiology Associates of Richmond, a provider of medical imaging services at seven hospitals in Virginia and multiple outpatient facilities within the state, experienced a cyberattack in April 2024, although the data breach was not reported to OCR until July 2025.

The hackers had access to its network from April 2, 2024, to April 6, 2024, and exfiltrated files containing the protected health information of 1,419,091 patients, including names, dates of birth, email addresses, Social Security numbers, account numbers, routing numbers, medical information, and health insurance information.

DermCare Management – 1.4 million individuals

DermCare Management, a Florida-based provider of practice management services to dermatology practices in Florida, Texas, California, and Virginia, identified a hacking incident in February 2025, with the investigation confirming that an unauthorized third party had access to its computer systems between February 14, 2025, and February 26, 2025.

It took until March 2026 to review the affected data, when it was confirmed that the data breach affected patients of more than 70 dermatology clinics. It has since been confirmed that the protected health information of 1,361,735 individuals was compromised in the incident, including names, Social Security numbers, driver’s license numbers, credit and debit card information, financial account information, and medical information.

SimonMed Imaging – 1.3 million individuals

SimonMed Imaging, one of the largest medical imaging providers in the country, operates more than 170 medical imaging facilities in 10 U.S. states. The Scottsdale, AZ-based radiology practice learned from one of its vendors in January 2025 that there had been a security incident. The investigation confirmed that an unauthorized actor had direct access to its systems between January 21, 2025, and February 5, 2025. The Medusa ransomware group claimed responsibility for the attack and said it stole 212 GB of data, and demanded a $1 million ransom to prevent the data from being leaked or sold.

While the attack was announced in April 2025, it took several months to review the affected data. The affected data included names, addresses, birth dates, dates of service, provider names, medical record numbers, patient numbers, medical condition information, diagnosis/treatment information, medications, health insurance information, and driver’s license numbers. The protected health information of 1,275,669 individuals was stolen in the attack.

Absolute Dental Group – 1.2 million individuals

Absolute Dental Group, a Nevada dental practice with over 50 locations in Las Vegas, Carson City, Reno, Sparks, and Minden, identified a cybersecurity incident in February 2025. In July 2025, the company confirmed that data stolen in the attack included names, contact information, date of birth, Social Security number, driver’s license or state-issued ID information, passport or other government ID information, and health information.

The incident was initially reported to OCR using a placeholder estimate of 501 individuals, with that total updated in late summer to show that the protected health information of 1,223,365 individuals was exposed and potentially stolen in the incident.

Southeast Series of Lockton Companies – 1.1 million individuals

Southeast Series of Lockton Companies (Lockton), an insurance brokerage company that provides employee benefits services, reported a data breach to OCR on February 28, 2025, that involved unauthorized access to its computer network on November 20, 2025. While initially reported as involving unauthorized access to the protected health information of 1,706 individuals, the total was later revised to 1,124,727 individuals.

Hackers had access to a single account and computer for a few hours, but during that time, they may have viewed or acquired names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and financial information.

Community Health Center – 1.1 million individuals

Community Health Center, a nonprofit healthcare provider in Middletown, Connecticut, identified unauthorized access to its computer network on January 2, 2025. The investigation confirmed that a hacker first accessed its network without authorization on October 14, 2024, and retained access until the intrusion was detected on January 2, 2025.

The attack did not involve file encryption; however, the hackers had access to sensitive patient data such as names, addresses, phone numbers, email addresses, dates of birth, diagnoses, test results, treatment information, health insurance information, and Social Security numbers. The investigation confirmed that up to 1,060,936 individuals were potentially affected.

Frederick Health – 934K individuals

Frederick Health Medical Group, a Maryland-based healthcare group, announced on January 27, 2025, that it had fallen victim to a ransomware attack. The group behind the attack was not disclosed and remains unknown.

The investigation confirmed that the protected health information of up to 934,326 individuals was potentially compromised, including names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, medical record numbers, health insurance information, and/or clinical information related to patients’ care.

McLaren Health Care – 743K individuals

McLaren Health Care in Michigan experienced a ransomware attack in August 2024 that involved unauthorized access to systems used by McLaren Health Care and its Karmanos cancer centers between July 17, 2024, and August 3, 2024. The file review was extensive and time-consuming, revealing on May 5, 2025, that sensitive data had been compromised in the incident.

The data breach affected 743,131 individuals and involved unauthorized access to names, Social Security numbers, driver’s license numbers, medical information, and health insurance information. While not reported as a ransomware attack, the Inc Ransom ransomware group claimed responsibility. While McLaren Health Care was added to the Inc Ransom data leak site, the listing has been removed, suggesting the ransom was paid. This was McLaren Health Care’s second ransomware attack in the space of a year.

Medusind – 701K individuals

Medusind, a Florida-based revenue cycle management vendor and practice management software provider, reported a cyberattack and data breach to OCR in early January that was first identified on December 23, 2023. Initially, the data breach was determined to have affected 360,934 individuals; however, the total was increased on two further occasions, with a final tally of 701,475 individuals.

The hackers had access to names, demographic information, health insurance and billing information, debit/credit card numbers or bank account information, Social Security numbers, and other government-issued ID numbers. Medusind faced multiple class action lawsuits over the data breach and settled the consolidated lawsuit for $5 million.

Blue & Co. – 591K individuals

Blue & Co., an accounting and advisory firm with offices in Indiana, Ohio, Kentucky, and Michigan, reported a data breach to OCR in 2025, although the incident was first detected on December 9, 2024, when an unauthorized actor claimed to have removed data from its network. That person had gained access to a network server via a phishing attack.

While the unauthorized access only occurred for around 30 minutes, the forensic investigation confirmed that the protected health information of 591,713 individuals had been exposed and was potentially copied. That information included names, Social Security numbers, driver’s license numbers, passport numbers, financial account information, health information, and health insurance information.

Kelly & Associates Insurance Group – 553K individuals

Kelly & Associates, doing business as Kelly Benefits, discovered a cyberattack in December 2024 and determined that hackers had access to its network from December 12, 2024, to December 17, 2024. During that time, they exfiltrated files containing names, dates of birth, Social Security numbers, health insurance information, financial account information, and medical information.

The data breach was not reported to OCR until April 2025, and notification letters were issued on a rolling basis. In late June 2025, the final victim tally was confirmed as 553,332 individuals. The delay in issuing notifications was due to the amount of data involved and the complexity of the file review.

Decisely Insurance Services, LLC – 537K individuals

Decisely Insurance Services, a Roswell, GA-based benefits brokerage and HR services firm, reported a data breach to OCR in 2025 that affected 65,405 individuals. Hackers had gained access to its cloud storage platform on December 17, 2024. Data compromised in the incident included names, dates of birth, phone numbers, passport numbers, digital signatures, and Social Security numbers, and the affected individuals were notified in June 2025.

However, the breach was far more extensive than the initial investigation suggested. Decisely Insurance Services later determined that the protected health information of 537,603 individuals had been compromised in the incident.

United Seating and Mobility (Numotion) – 529K individuals

United Seating & Mobility, doing business as Numotion, a wheelchair and mobility equipment provider, identified unauthorized access to employee email accounts in November 2024. The investigation confirmed that the accounts were compromised between September 2, 2024, and November 18, 2024, as a result of responses to phishing emails.

The data breach was first reported to OCR in March 2025, as involving unauthorized access to the protected health information of 494,326 individuals, but the total was later revised to 529,004 individuals. The hackers were able to access names, dates of birth, product information, payment and financial account information, health insurance information, and medical information.

The post Largest Healthcare Data Breaches of 2025 appeared first on The HIPAA Journal.

Hacking Group Claims Responsibility for Multi-Million-Record DentaQuest Data Breach

Wellesley, MA-based DentaQuest, a dental benefits administrator that manages the benefits for 32 million Americans, has announced it is actively managing a cybersecurity incident involving unauthorized access to a limited part of its network. According to its website notice, immediate action was taken to contain and mitigate the threat, and the company is working with a leading cybersecurity expert, forensic investigators, and law enforcement authorities.

DentaQuest, part of Sun Life U.S. Dental, is the largest Medicaid and Children’s Health Insurance Program dental benefits administrator in the country, operating in 50 U.S. states. The company has yet to determine the exact scope of the incident and the extent to which sensitive data has been compromised. The company has promised to update clients and ensure that they receive information as quickly and transparently as possible.

The digital extortion group ShinyHunters has claimed responsibility for the incident and has added DentaQuest to its dark web data leak site. The group specializes in data theft and extortion and claims to have exfiltrated 234 GB of data from DentaQuest systems. ShinyHunters explained on its data leak site that it has attempted to negotiate a ransom payment with DentaQuest to prevent the publication of stolen data, but despite exercising considerable patience and making multiple offers, it failed to reach an agreement with DentaQuest. As a result of the failure, ShinyHunters proceeded to leak the stolen data.

Have I Been Pwned (HIBP) has analyzed the leaked data, which contains the unique email addresses of 2.6 million individuals, along with names, addresses, phone numbers, dates of birth, and genders. HIBP said the leaked data appears in healthcare enrollment files (ASC X12 transaction sets), some of which include information such as Medicaid IDs, other government-issued IDs, and health insurance information. Around 66% of the records exposed were already in its database, having been breached in previous incidents.

Social Security numbers do not appear to have been stolen or leaked, so the affected individuals do not face an immediate threat of identity theft; however, since email addresses and contact information have been leaked, they do face an increased risk of social engineering and phishing attacks. If the data breach is confirmed as affecting 2.6 million individuals, it will rank as one of the largest healthcare data breaches of the year to date.

The post Hacking Group Claims Responsibility for Multi-Million-Record DentaQuest Data Breach appeared first on The HIPAA Journal.