HIPAA Breach News

New Jersey Medical Center Suffers Ransomware Attack

Posted November 5, 2025 by Steve Alder

Central Jersey Medical Center in New Jersey has experienced a ransomware attack. David A. Nover, M.D, is notifying patients about a hacking incident, and Goglia Nutrition (FuturHealth) has announced an October 2024 data breach.

Central Jersey Medical Center, New Jersey

Central Jersey Medical Center, Inc., a Federally Qualified Health Center with locations in Perth Amboy, Newark, and Carteret, New Jersey, has started notifying dental patients about a recent security incident. On August 25, 2025, a cybercriminal actor gained access to its dental server’s network and used ransomware to encrypt files.

An investigation was launched to determine the nature and scope of the activity, and a review was conducted to identify the patients affected and the types of information that were exposed. The electronic medical record system was unaffected; however, files containing patient information were potentially accessed or obtained. At the time of issuing notification letters, Central Jersey Medical Center had not found any evidence to indicate any misuse of the exposed data. The Sinobi ransomware group claimed responsibility for the attack and added the healthcare provider to its data leak site. Sinobi claims to have exfiltrated 930 GB of data.

The types of information involved varied from patient to patient and may have included names in combination with one or more of the following: address, telephone number, email address, date of birth, race/ethnicity, Social Security number, dental record number, health insurance information, dental diagnosis, treatment history, and/or billing information.

Third-party cybersecurity experts were engaged to investigate the incident and review and enhance security, and internal procedures have been strengthened to prevent similar incidents in the future. The data breach has been reported to regulators; however, it is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

David A. Nover, M.D., P.C., Pennsylvania

David A. Nover, M.D., P.C., a psychiatry and psychotherapy practice in Warrington, Pennsylvania, is notifying patients about a recent security incident that exposed patient information. On or around June 3, 2025, unusual activity was identified within the practice’s computer network. An investigation was launched, with assistance provided by legal counsel and third-party digital forensics specialists. The investigation confirmed unauthorized access to the network on June 3, 2025, and some files containing patient information were copied from the network. The exposed files have been reviewed, and that process was completed on October 29, 2025.

Information potentially compromised in the incident included names, dates of birth, Social Security numbers, payment card information (number, expiration date, access information), medical record numbers, patient IDs or account numbers, Medicare numbers, health insurance ID numbers, health insurance group numbers, medical diagnosis information, medical treatment information, medical treatment location, doctors’ names, treatment dates, and medical lab or test results. Credit monitoring and identity protection services have been offered to the affected individuals. The data breach is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

FuturHealth, California

Goglia Nutrition, doing business as FuturHealth, Inc., a California-based health and wellness company specializing in nutrition plans and weight management, has experienced a data security incident. According to the notification letters mailed on October 17, 2025, the data breach occurred in October 2024.

According to the notification letters, on October 16, 2024, an unknown actor gained access to a data storage environment containing G-Plan data. The review of the affected storage environment has recently concluded and confirmed that the data compromised in the incident included names and information provided by customers as part of their subscription. Highly sensitive information such as Social Security numbers, driver’s license numbers, and financial information was not involved. The number of affected individuals has yet to be publicly disclosed.

The post New Jersey Medical Center Suffers Ransomware Attack appeared first on The HIPAA Journal.

Oglethorpe Hacking Incident Affects More Than 92,000 Patients

Posted November 4, 2025 by Steve Alder

A Tampa, FL-based network of mental health and addiction recovery treatment facilities has recently disclosed a security incident that involved unauthorized access to patient data. Oglethorpe offers management solutions for health centers, wellness clinics, and hospitals that specialize in psychiatric services, substance abuse treatment programs, and behavioral health counseling, and has facilities in Florida, Louisiana, and Ohio.

In June 2025, Oglethorpe experienced a hacking incident that rendered its systems inoperable for a limited time. Third-party cybersecurity experts were engaged to help contain, investigate, and remediate the incident. The investigation revealed that the hackers first gained access to its network on May 15, 2025, and maintained access until June 6, 2025. The investigation concluded on September 16, 2025, when it was confirmed that files containing patient information had been exfiltrated from its network. Those files were reviewed, and that process was completed on October 23, 2025, when Oglethorpe learned that first and last names, birth dates, Social Security numbers, driver’s license numbers, and medical information were involved.

Oglethorpe said no evidence has been found to indicate any misuse of the impacted information; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months.

In response to the breach, all systems were wiped and rebuilt, and data was restored from backups. Steps have also been taken to improve network security to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights website; however, the Maine Attorney General was informed that the breach affected 92,332 individuals, including 85 Maine residents.

Northern Montana Health Care Affected by Business Associate Hacking Incident

Havre, MT-based Northern Montana Health Care (NMHC) has been affected by a data breach at one of its business associates. NMHC contracted with Wakefield & Associates, LLC, which provides debt collection services. On October 29, 2025, NMHC published a notice warning patients about a security incident at Wakefield & Associates, which involved unauthorized access to certain files. The incident was confined to the Wakefield & Associates network. No NMHC systems were affected.

Wakefield & Associates is notifying the affected individuals directly, and the individual letters state the types of information involved. NMHC has confirmed that Wakefield & Associates is offering the affected individuals complimentary credit monitoring and identity theft protection services. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Oglethorpe Hacking Incident Affects More Than 92,000 Patients appeared first on The HIPAA Journal.

OB-GYN Associates & Beverly Hills Oncology Medical Group Issue Breach Notifications

Posted November 3, 2025 by Steve Alder

OB-GYN Associates in Nevada and Beverly Hills Oncology Medical Group in California have recently started notifying patients affected by hacking incidents.

OB-GYN Associates, Nevada

OB-GYN Associates, a women’s health clinic in Reno, Nevada, has recently mailed notification letters to 62,238 individuals warning them that some of their protected health information has been exposed in a recent security incident. On or around August 7, 2025, suspicious activity was identified within its IT environment. Third-party cybersecurity experts were engaged to investigate the activity and confirmed that there had been unauthorized access to parts of its network where patient data was stored.

The review of the affected data was completed on September 29, 2025. While no evidence of data misuse has been identified, patients have been informed that their first and last names, Social Security numbers, driver’s license numbers, and medical information have been exposed and may have been stolen. As a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit reporting, and credit score services. Data security policies and procedures have been reviewed and updated, network security protections have been upgraded, and changes have been made to how data is stored and managed to protect against similar incidents in the future.

Beverly Hills Oncology Medical Group

Beverly Hills Oncology Medical Group in California has notified certain patients about a security incident in February that may have resulted in the theft of patient information. According to the breach notices provided to the Maine and California Attorneys General, unauthorized network access was identified and blocked on February 11, 2025.

An investigation was launched, with assistance provided by third-party cybersecurity experts, who confirmed unauthorized access to its network between February 7 and February 11, 2025. The exposed files have been reviewed, and on October 13, 2025, Beverly Hills Oncology Medical Group confirmed that the exposed information included names, Social Security numbers, driver’s license numbers/other government identification numbers, financial account information, credit/debit card information, health insurance policy information, diagnoses, treatment information, prescriptions, and/or other clinical information.

Beverly Hills Oncology Medical Group said that, at the time of issuing notification letters in October, no evidence had been found to indicate any misuse of the exposed data; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post OB-GYN Associates & Beverly Hills Oncology Medical Group Issue Breach Notifications appeared first on The HIPAA Journal.

George E. Weems & Virba Hospitals Announce Data Breaches

Posted October 30, 2025 by Steve Alder

Data security incidents have recently been announced by George E. Weems Memorial Hospital in Florida, Vibra Hospital of Sacramento in California, the California-based plastic surgeon Michael R. Schwartz, MD, and the California-based biopharmaceutical company Travere Therapeutics.

George E. Weems Memorial Hospital

On October 20, 2025, George E. Weems Memorial Hospital in Apalachicola, Florida, started mailing notification letters to patients affected by a recent security incident involving unauthorized access to two employee email accounts. The intrusion was detected on May 12, 2025, and the investigation confirmed that the email accounts were subject to unauthorized access from May 6, 2025, to May 12, 2025.

The email accounts were reviewed, and on September 22, 2025, the hospital learned that the accounts contained patients’ protected health information, including names, addresses, phone numbers, email addresses, Social Security numbers, driver’s license numbers, account information, patient ID numbers, diagnoses and medical histories, provider names, dates of service, and health insurance information.

No evidence was found to indicate that any of the exposed information has been or will be misused, but as a precaution, individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring services. George E. Weems Memorial Hospital said it had taken many precautions to protect the privacy of patient information and will continue to review and enhance its measures to ensure privacy and security. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Vibra Hospital of Sacramento

On October 3, 2025, Vibra Hospital of Sacramento in California started notifying patients about a security incident involving unauthorized access to six employee email accounts. Suspicious activity was identified within certain email accounts on or around March 13, 2025. Assisted by third-party cybersecurity experts, Vibra Hospital determined that the email accounts were accessed by an unauthorized third party from March 11, 2025, to March 22, 2025.

The review of the affected accounts was completed on August 4, 2025, when it was confirmed that protected health information had been exposed. The types of data involved vary from individual to individual and may have included names in combination with addresses, birth dates, Social Security numbers, dates of service, diagnoses, treatment information, physician/facility names, Medicare/Medicaid numbers, patient account numbers, and/or financial account numbers.

No evidence was found to indicate any misuse of the exposed data. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their financial accounts, free credit reports, and explanation of benefits statements, and as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Vibra Hospital has also taken steps to improve email security to prevent similar incidents in the future.

Michael R. Schwartz, MD, FACS

Michael R. Schwartz, MD, FACS, a plastic surgeon based in Westlake Village, California, has recently disclosed a security incident that involved unauthorized access to patient information. The intrusion was identified on or around August 25, 2025, and it was later confirmed that an unauthorized third party had remote access to a single computer from January 20, 2025, to August 26, 2025.

The review revealed that the threat actor may have accessed patients’ personal and protected health information, including names, addresses, email addresses, phone numbers, Social Security numbers, medical record numbers, and patient photographs. As a precaution, all office computers and servers have been replaced, security controls have been strengthened, and additional data security training has been provided to the workforce. The affected individuals have also been offered 12 months of complimentary identity theft protection services. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Travere Therapeutics

The San Diego, CA-based biopharmaceutical company, Travere Therapeutics, has recently notified the Massachusetts Attorney General about a recent security incident in which sensitive patient data may have been stolen. The notification letter does not include details of the incident, such as when it was detected, how long the unauthorized access lasted, or how many individuals have been affected, only that the information potentially compromised in the incident included names, addresses, phone numbers, email addresses, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring services for 24 months.

The post George E. Weems & Virba Hospitals Announce Data Breaches appeared first on The HIPAA Journal.

Sedgebrook & Heartland Health Center Hit with Ransomware Attacks

Posted October 29, 2025 by Steve Alder

Ransomware attacks have recently been announced by the Illinois retirement village and skilled nursing provider Sedgebrook, and the Nebraska healthcare provider Heartland Health Center.

Sedgebrook

Sedgebrook, a retirement village and skilled nursing facility in Lincolnshire, Illinois, has recently announced a ransomware attack that involved unauthorized access to files containing individuals’ personal and protected health information. The attack was detected on May 5, 2025, when network disruption was experienced. Assisted by third-party digital forensics experts, Sedgebrook determined that a ransomware group had access to its network from May 4 to May 5, 2025, and used ransomware to encrypt files. During that time, data may have been exfiltrated from its network.

The exposed files were reviewed, and on August 26, 2025, it was confirmed that some of those files contained protected health information, including names, addresses, birth dates, Social Security numbers, driver’s license numbers, financial account information, medical treatment information, medical record numbers, and health insurance information. Notification letters started to be mailed to the affected individuals on October 24, 2025.

While no evidence was found to indicate any misuse of the exposed information, individuals whose Social Security numbers or driver’s license numbers were exposed have been offered complimentary credit monitoring and identity theft protection services. Steps have also been taken to improve security to prevent similar incidents in the future. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Heartland Health Center

Heartland Health Center, a provider of medical, dental, and behavioral health services at clinics in Ravenna and Hastings in Nebraska, has recently disclosed a security breach that was first identified on February 4, 2025. An investigation was launched, with assistance provided by third-party cybersecurity experts, to determine if any sensitive data had been exposed. Following an exhaustive review, Heartland Health Center determined on June 3, 2025, that sensitive data had been exposed and may have been acquired in the attack.

The types of information involved vary from individual to individual and may have include names plus one or more of the following: date of birth, Social Security number, driver license number, financial account number, username and access information for a non-financial account, dates of service, diagnosis information, health insurance information, physician/medical facility information, medical condition/treatment information, medical record number, Medicare or Medicaid number, patient account number, certificate or license number, full face photo, and referral information.

Heartland Health Center said it already had robust cybersecurity measures in place, and they will continue to be reviewed and enhanced as necessary. As a precaution against misuse of patient information, the affected individuals have been offered complimentary single-bureau credit monitoring, credit score, and credit report services. While not described as a ransomware attack, the Medusa ransomware group claimed responsibility for the incident. Medusa is known to exfiltrate and either sell or publish the stolen data, so the affected individuals should ensure that they take advantage of the credit monitoring services on offer. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

The post Sedgebrook & Heartland Health Center Hit with Ransomware Attacks appeared first on The HIPAA Journal.

Conduent Anticipates Data Breach Cost to Rise to $50M by Q1, 2026

Posted October 28, 2025 by Steve Alder

In its first-quarter earnings report, Conduent said it did not experience any material impacts to its operating environment or costs from the January 2025 cyberattack itself; however, it did incur $25 million in non-recurring expenses from direct response costs. Those losses have continued to increase, with a further $9 million added to that total for breach notifications through the end of September, according to its third-quarter earnings report.

Conduent also anticipates incurring a further $16 million in costs related to breach notifications by the first quarter of 2026, but said it holds a cyber insurance policy and anticipates that any additional notification costs will be covered by the insurance policy.

Further costs may be incurred due to the impacted data, reputational harm, litigation, and regulatory actions, which could impact the company’s financial position. As reported below, several lawsuits have already been filed in response to the data breach, and Conduent is certain to be investigated by the HHS’ Office for Civil Rights and state attorneys general. Regulatory fines may be imposed if Conduent is found to have violated state or federal regulations.

November 7, 2025: Lawsuits Mount Over 10.5 Million-Record Conduent Data Breach

A data breach affecting more than 10.5 million individuals was certain to trigger a barrage of lawsuits, and litigation has been swift, with at least 9 class action lawsuits already filed in response to the Conduent data breach in New Jersey federal court. That total is certain to grow over the coming days and weeks, as many law firms have announced that they have opened investigations regarding potential class action litigation.

The lawsuits make similar claims – that Conduent was negligent by failing to adequately protect its network against unauthorized access and for its alleged failure to provide adequate notifications to the individuals affected by the data breach. The cyberattack was first detected by Conduent in January 2025, three months after hackers first gained access to its network. Conduent first announced the data breach three months later, confirming that sensitive data had been exposed and that the incident affected a substantial number of individuals.

It naturally takes time to investigate any data breach and to determine the number of individuals affected and the types of data involved; however, the lawsuits take issue with the length of that process. It has taken 10 months from when the cyberattack was first detected for the scale of the breach to become clear and for the affected individuals to be notified that their sensitive information has been compromised. Notification letters started to be sent in October 2025, one year after Conduent’s network was first accessed by unauthorized individuals.

In addition to negligence and negligence per se, the lawsuits assert claims such as breach of third-party beneficiary contract and unjust enrichment, and seek a jury trial, compensatory, statutory, and punitive damages, and injunctive relief, requiring the court to order Conduent to implement a range of security measures to ensure sensitive data is adequately protected.

The threat group behind the attack may have been the Safepay ransomware group, which added Conduent to its data leak site in January 2025, although Conduent is not currently listed on the Safepay data leak blog. That often means that a ransom has been paid or the stolen data has been sold, although ransomware groups have been known to fabricate claims.

Class action lawsuits are mounting, but Conduent is also likely to face regulatory scrutiny over the data breach. States are likely to investigate a data breach of this magnitude to determine whether appropriate cybersecurity measures had been implemented in line with state laws and the HIPAA Security Rule. Questions are likely to be asked about how the hackers were able to gain access to such a large amount of sensitive data.

Conduent will also face scrutiny from the HHS’ Office for Civil Rights, which will seek to establish whether the data breach was the result of HIPAA compliance failures. While OCR HIPAA compliance investigations often take many months or years, OCR has indicated it is prioritizing high-impact incidents, as it did with the cyberattack on Change Healthcare, which affected north of 190 million individuals. There is, at this stage, no indication that Conduent has violated any regulations at the federal or state level.

October 28, 2025: More Than 10.5 Million Patients Affected by Conduent Business Solutions Data Breach

A data breach at a business associate of several HIPAA-covered entities and government agencies has resulted in the exposure and potential theft of the protected health information of more than 10.5 million patients. The Conduent Business Solutions data breach is the largest healthcare data breach to be announced so far this year, affecting almost twice as many individuals as the second-largest data breach, which was reported earlier this year by Yale New Haven Health. It also ranks as the 8th largest healthcare data breach in history.

Conduent Business Solutions provides a range of back-office services, including printing, mailing, document processing, payment integrity services, and other support services to government agencies and healthcare organizations. It is currently unknown how many HIPAA-regulated entities have been affected by the data breach.

Blue Cross and Blue Shield of Montana recently announced that it had been affected and that notification letters are being mailed to 462,000 individuals. Blue Cross and Blue Shield of Texas has announced that approximately 310,000 UT Select and UT Care plan members have been affected. The incident is also known to have affected Humana customers and Premera Blue Cross members, although it is unclear how many. Conduent provides services to government agencies such as the Wisconsin Department of Children and Families and Oklahoma Human Services (OHS), which experienced temporary disruption to some of their services due to the outage in January, although OHS was informed that it did not have sensitive data exposed in the incident.

State regulators have been informed that 10,515,849 patients have been affected, including more than 4 million individuals in Texas. It is unclear if any non-healthcare clients had data compromised in the incident. The Conduent Business Solutions data breach was reported to the U.S. Securities and Exchange Commission (SEC) in April. In the SEC filing, Conduent explained that a threat actor gained access to a limited portion of its network IT environment and obtained the data of “a significant number” of people. The incident is not yet shown on the HHS’ Office for Civil Rights (OCR) breach portal, which has not been updated by OCR since September 24, 2025, due to the government shutdown.

The intrusion was detected on January 13, 2025. Assisted by third-party digital forensics experts, Conduent determined that initial access occurred on October 21, 2024, with the threat actor maintaining access for almost three months until Conduent secured its network on January 13, 2025. Conduent said it restored access to the affected systems within days, and in some cases, within hours, and the incident did not have any material impact on its operations.

The investigation confirmed that the threat actor exfiltrated files associated with some of its clients. Due to the complexity of the data involved, it has taken several months to complete the file review and determine the individuals affected and the types of data involved. Individual notifications are now being mailed to the affected individuals.

Information compromised in the incident varies from company to company and individual to individual, potentially involving names, dates of birth, Social Security numbers, treatment information, and claims information. Based on the notice provided to the California Attorney General, complimentary credit monitoring and identity theft protection services do not appear to have been offered.

While the total cost of the cyberattack is not yet known, Conduent said in its May 2025 first-quarter earnings report that it incurred $25 million in direct costs related to the breach response. A cyber insurance policy is held, which will cover a proportion of the cost.

This post will be updated when further information is released.

The post Conduent Anticipates Data Breach Cost to Rise to $50M by Q1, 2026 appeared first on The HIPAA Journal.

Data Breaches Announced by ModMed, LifeBridge Health & Right at Home

Posted October 27, 2025 by Steve Alder

Data breaches have been announced by the EHR provider Modernizing Medicine (ModMed), the Baltimore healthcare provider LifeBridge Health, and the home health care provider Right at Home.

Modernizing Medicine

Modernizing Medicine (ModMed), a provider of specialty-specific electronic health record software, has recently notified state attorneys general about a July 2025 security incident involving theft of data from its systems. Suspicious activity was identified on its computer servers on July 21, 2025. An investigation was launched to determine the cause of the activity, and on July 29, 2025, it was unauthorized access to its servers was confirmed between July 9, 2025, and July 10, 2025, during which time, files containing sensitive data were copied from the servers.

The files were reviewed and found to contain personal and protected health information such as full names, dates of birth, addresses, phone numbers, email addresses, Social Security numbers, medical record numbers, patient account numbers, provider and practice names, billing and diagnostic codes, prescriptions/medications, diagnosis and treatment information, bank/financial account information, driver’s license numbers/government ID cards, and health insurance information. ModMed said full medical records were not involved, and the types of information compromised vary from individual to individual.

The affected healthcare providers were notified on September 19, 2025, and notification letters started to be mailed to the affected individuals on October 17, 2025. ModMed is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were compromised in the incident, and steps have been taken to improve security to prevent similar incidents in the future. Due to the government shutdown, the HHS’ Office for Civil Rights breach portal has not been updated in a month, so it is currently unclear how many individuals have been affected.

LifeBridge Health

LifeBridge Health, a non-profit healthcare corporation serving patients in and around Baltimore, Maryland, has recently informed patients that some of their protected health information was compromised in a data breach earlier this year. The breach involved one of its vendors, Oracle Health (formerly Cerner). LifeBridge Health was one of many healthcare providers to be affected. Hackers gained access to a legacy system as early as January 22, 2025, and obtained patient information such as names, medical record numbers, Social Security numbers, physician names, diagnoses, test results, medications, medical images, and treatment information. LifeBridge Health said the breach was confined to Oracle Health servers, and its own systems were unaffected.

Oracle Health notified LifeBridge Health about the data breach in March 2025, with notifications reportedly delayed at the request of law enforcement. Oracle Health provided LifeBridge Health with a final list of the affected individuals on September 19, 2025. The data breach was announced by LifeBridge Health on October 16, when notification letters started to be mailed to the affected individuals. Two years of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. It is currently unclear how many individuals have been affected.

Right at Home

Ever Care Corporation, which does business as Right at Home, a provider of in-home care to seniors and adults with disabilities, experienced a hacking incident that likely involved the theft of sensitive patient information. Suspicious network activity was identified on September 3, 2025, and an investigation was launched to determine the cause of the activity. Right at Home confirmed that the activity was due to an unauthorized actor, who is thought to have acquired files from its network on September 3, 2025. The review of the affected files was completed on October 6, 2025. There is currently no substitute data breach notice on the Right at Home website, and the types of information involved are not shown on the notifications published on attorneys’ general websites. The exact types of information involved are detailed in the individual notification letters. Right at Home is paying for single-bureau credit monitoring, credit score, and credit report services for the affected individuals. It is currently unclear how many individuals have been affected.

While not described by Right at Home as a ransomware attack, a ransomware group claimed responsibility for the attack. The Sinobi ransomware group, which has attacked several healthcare providers in recent months, claimed to have exfiltrated around 50 GB of data and encrypted files. Right at Home was listed on its data leak site on October 8, 2025. As such, any individual receiving a notification letter should sign up for the credit services being offered.

The post Data Breaches Announced by ModMed, LifeBridge Health & Right at Home appeared first on The HIPAA Journal.

Yale New Haven Health Agrees to $18 Million Data Breach Settlement

Posted October 27, 2025 by Steve Alder

An $18 million settlement proposed by Yale New Haven Health to resolve claims stemming from a 2025 data breach has been granted preliminary approval by a federal court judge. Yale New Haven Health is a non-profit health system that operates five acute care hospitals, including the main teaching hospital for the Yale School of Medicine, as well as a medical foundation and several outpatient facilities in Connecticut, New York, and Rhode Island. The health system employs more than 12,000 people, including 4,500 university and community physicians.

The data breach in question was reported to the HHS’ Office for Civil Rights on April 11, 2025, as involving the protected health information of up to 5,556,702 individuals. The New Haven, Connecticut-based health system identified suspicious network activity on March 8, 2025, and the breach was announced via its website three days later. Yale New Haven Health later confirmed that hackers accessed its network on March 8, 2025, and exfiltrated files containing patient information.

While its electronic medical record system was not accessed, the stolen files contained patient information, including names, addresses, telephone numbers, email addresses, dates of birth, race/ethnicity information, patient types, medical record numbers, and Social Security numbers. At more than 5.5 million affected individuals, the data breach was, and still is, the largest healthcare data breach of the year.

The cyberattack was announced quickly, reported to OCR well within the breach reporting deadline, and notification letters were issued promptly. Yale New Haven Health has also agreed to settle the resultant litigation quickly. Data breach lawsuits can take many months and even years to resolve, yet in this case, a settlement has been approved to resolve the litigation in just 7 months. The first lawsuit over the data breach was filed in March 2025, followed by 17 additional complaints, which were consolidated into a single action in June 2025 – In Re: Yale New Haven Health Services Corp. Data Breach – in the U.S. District Court for the District of Connecticut.

The plaintiffs alleged in the consolidated lawsuit that Yale New Haven Health had failed to implement reasonable and appropriate cybersecurity measures to secure the data stored on its network, and had reasonable measures been implemented, the data breach could have been prevented. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and declaratory judgment.

Yale New Haven Health denied all claims in the lawsuit and filed a motion to dismiss in July, with the plaintiffs filing their opposition in August. At the end of August, all parties attended mediation, and the material terms of a settlement were agreed upon. The details of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Yale New Haven Health has agreed to establish an $18,000,000 settlement fund to cover all costs associated with the litigation – Attorneys’ fees and expenses, service awards for the lead plaintiffs, and settlement administration costs. The remainder of the settlement fund will be used to pay benefits to the class members. The attorneys are seeking one-third of the settlement, and the service awards are likely to be $2,500 per named plaintiff.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may claim an alternative cash payment. The cash payments are anticipated to be approximately $100 per class member. The pro rata cash payments may increase or decrease depending on the number of valid claims received, and will exhaust the settlement fund. In addition to either of those benefits, class members may also claim a two-year complimentary membership to a medical data monitoring service. Yale New Haven Health has also agreed to implement security enhancements. The final approval hearing has been scheduled for March 3, 2026.

April 24, 2025: Yale New Haven Health System Announces 5.5-Million Record Data Breach

Yale New Haven Health System has announced a data security incident that has affected more than 5.5 million individuals. The breach report to the HHS’ Office for Civil Rights indicates up to 5,556,702 individuals had their protected health information compromised in the incident, making it the largest healthcare data breach to be reported so far this year, beating the previous record of 4.7 million individuals set this month by Blue Shield of California.

Yale New Haven Health is a nonprofit health system in New Haven, Connecticut, that includes five acute-care hospitals, a medical foundation, and multiple outpatient facilities and multispecialty centers in Connecticut, New York, and Rhode Island. On March 8, 2025, anomalous activity was identified within its information technology systems. Immediate action was taken to contain the incident, and an investigation was launched to assess the nature and scope of the unauthorized activity. Yale New Haven Health announced the security incident on its website 3 days after it was detected.

Yale New Haven Health engaged the cybersecurity firm Mandiant to assist with the investigation and said the rapid response helped to ensure it was contained and prevented disruption to patient care. Yale New Haven Health has confirmed that an unauthorized third party gained access to its network on March 8, 2025, and exfiltrated files, some of which included patient information. There was no unauthorized access to its electronic medical record system, and no financial information was compromised in the incident. The types of data stolen in the cyberattack varied from individual to individual and may have included names in combination with one or more of the following: address, telephone number, email address, date of birth, race/ethnicity, patient type, medical record number, and/or Social Security number.

Yale New Haven Health said it continuously updates and enhances its systems to protect sensitive data and will continue to do so. Individual notification letters started to be mailed to the affected individuals on April 14, 2025, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were compromised.

While questions will be asked about how hackers managed to access such a vast amount of patient data, Yale New Haven Health should at least be commended for the rapid response, transparency, and prompt breach notifications, which started to be sent on April 14, 2025.

The post Yale New Haven Health Agrees to $18 Million Data Breach Settlement appeared first on The HIPAA Journal.

Florida Hospital Fires Employees for Taking Unauthorized Photographs of Sedated Patients

Posted October 24, 2025 by Steve Alder

Four employees of Baptist Health’s Jay Hospital in Florida have been terminated for allegedly taking unauthorized photographs of patients and sharing the images on the Snapchat social media platform. The privacy violations reportedly occurred in February 2025. The employees were alleged to have entered patients’ rooms late at night and photographed patients while they were sleeping or medicated without the patients’ knowledge or consent.

Personal injury attorney Joe Zarzaur was contacted by three patients who were recently notified about the privacy violations by the hospital. It is unclear why it took so long for the affected patients to be notified, or how many patients have been affected. The nature of the photographs was not disclosed to the patients. According to Zazaur, the patients were informed that the photographs were “unflattering” and “horrible.” They were not told how many photographs were taken, exactly what the photographs showed, and were not allowed to see any of the images.

One of the patients was notified about the privacy violation while they were still admitted at Jay Hospital, and another was informed when they visited an outpatient rehab facility. At least two of the affected patients are taking legal action for invasion of privacy and are being represented by Zarzaur.

“Upon learning of the allegation, we immediately conducted a preliminary investigation and notified the appropriate authorities and the patients,” explained a spokesperson for Jay Hospital. “Following the investigation, the individuals involved were terminated. We are committed to protecting the privacy, safety, and dignity of our patients. As this matter involves patient privacy and is currently under investigation, we are unable to share further details at this time.”

The sharing of protected health information (PHI) for reasons unrelated to treatment, payment, or hospital operations is not permitted by the HIPAA Privacy Rule, unless consent is obtained from the subject of the PHI. Photographs of patients are classed as PHI, and the employees clearly violated HIPAA as well as ethical and professional standards.

The post Florida Hospital Fires Employees for Taking Unauthorized Photographs of Sedated Patients appeared first on The HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information