HIPAA Breach News

More than 100K Munson Healthcare Patients Affected by Cerner Cyberattack

Munson Healthcare, the largest health system in Northern Michigan, has recently notified patients about unauthorized access to its electronic medical record system. The unauthorized access started as early as January 22, 2025, and was detected by its EHR vendor Cerner on February 20, 2025. Cerner, now Oracle Health, confirmed that a hacker gained access to two legacy Cerner servers and potentially stole a range of personal and health information. Munson Healthcare has confirmed that the stolen data included names, Social Security numbers, and information typically found in electronic medical records, such as medical record numbers, diagnoses, medications, test results, care and treatment information, and doctors’ names. The data on the servers was awaiting migration to the Oracle Cloud at the time of the data breach.

Munson Healthcare said Cerner took action to prevent further unauthorized access, engaged third-party cybersecurity experts to investigate the data breach, and notified law enforcement about the cyberattack. While Oracle Health publicly confirmed the cyberattack in March 2025, it has taken months for the affected healthcare providers to be notified, and many patients have only recently learned that their personal and health information was stolen in the incident. Munson Healthcare attributed the delay in issuing notifications to Cerner, which has previously stated that the delay was at the request of law enforcement so as not to interfere with the investigation.

Oracle Health has not confirmed exactly how many of its healthcare provider clients have been affected, nor the number of affected individuals. Multiple class action lawsuits have been filed in response to the data breach, and as part of the litigation, the company’s attorneys said up to 80 hospitals may have been affected. Munson Healthcare was one of the worst-affected clients, as 101,891 current and former patients have been affected. Munson Healthcare has confirmed that the affected individuals have been offered complimentary credit monitoring and identity theft protection services for two years.

Munson Healthcare’s Chief Legal Officer, Rachel Roe, and Michigan Attorney General Dana Nessel issued a consumer alert about the data breach last week. Attorney General Nessel is pushing for stronger consumer data protection laws to be enacted. New legislation was passed by the Senate last summer, but has yet to be passed by the House of Representatives. “These [notification] delays put consumers at higher risk of identity theft, and our state needs stronger laws to better protect Michiganders from bad actors,” said AG Nessel. “I urge anyone who receives a notice that their personal information may have been compromised to consider taking advantage of the free credit monitoring resources being offered.”

The post More than 100K Munson Healthcare Patients Affected by Cerner Cyberattack appeared first on The HIPAA Journal.

Patients of Philadelphia’s Laurel Health Centers Affected by Data Breach

Patients of Laurel Health Centers have been notified that their protected health information was exposed in a July 2025 security incident, and Modern Health has identified unauthorized access to member profiles.

Laurel Health Centers

Laurel Health Centers, a Federally Qualified Health Center network in Northern Pennsylvania, has discovered unauthorized access to its email environment. An investigation was launched on July 14, 2025, to determine the cause of unusual email activity. The investigation determined that an unauthorized third party had access to certain email accounts between July 11, 2025, and July 25, 2025. During that time, emails and files may have been viewed or copied.

The affected email accounts were reviewed and found to contain patient information. The types of information vary from individual to individual and may include names in combination with one or more of the following: address, telephone number, email address, date of birth, Social Security numbers, medical record number, date(s) of service, medical provider, Medicare information, insurance information, diagnostic information, treatment and diagnosis data, insurance carrier, procedure codes, disability status, dental and denture information, immunization record, behavioral health information, Pennsylvania Account ID, account number, credit card information, checking account information and claim information.

Laurel Health Centers said it took time to conclusively determine that the threat actor no longer had access to its systems, hence the delay between discovering the unauthorized activity and confirming that the threat actor had been eradicated from its email environment. The review of the email accounts concluded on December 30, 2025, and notification letters were mailed to the affected individuals shortly thereafter. Complimentary credit monitoring services have been offered to the affected individuals. The incident is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Modern Health

Modern Health, a management support organization that provides services to several affiliated entities, including Modern Health Arizona, Modern Health California, Modern Health New Jersey, Elevate Tele-Medicine Telehealth, and Modern Life, has recently notified the Massachusetts Attorney General about an incident involving unauthorized access to member profiles on its behavioral health platform.

In November 2025, Modern Health determined that an unauthorized individual had accessed a limited number of member profiles. Steps were immediately taken to disable those profiles, and an investigation was launched to determine the extent of the unauthorized activity. The affected profiles were reviewed and found to contain sensitive member data, although Social Security numbers and financial information were not exposed. The review of the affected profiles was completed on January 5, 2026, and the affected individuals were notified via email on January 12, 2026. It is currently unclear how many individuals were affected in total. The Massachusetts Attorney General was informed that two state residents were affected.


Columbia Medical Practice; Jupiter Medical Center Announce Data Breaches

Columbia Medical Practice has experienced a ransomware attack in which patient data was stolen, and Jupiter Medical Center has notified patients that their personal and health information was stolen in a January 2025 security incident.

Columbia Medical Practice

Columbia Medical Practice in Columbia, Maryland, has recently confirmed that patient data was compromised in a November 2025 ransomware attack. The investigation confirmed that an unnamed threat actor accessed its network on November 5, 2025, and used malware to encrypt files. Prior to file encryption, files were exfiltrated, some of which contained patient information. Columbia Medical Practice said it was able to recover the encrypted files, and it is reviewing the affected files to determine the individuals affected and the exact types of data involved. The Qilin ransomware group claimed responsibility for the attack.

The electronic medical record system was not accessed; however, files on the compromised parts of its network contained names, addresses, phone numbers, birth dates, passport numbers, Social Security numbers, driver’s license numbers, other government identifiers, financial account information (but not information such as security codes that would permit access), health insurance information, patient account numbers, and health information, which may include diagnoses, diagnosis codes, treatment/condition information, prescription information, history information, dates of service, locations of service, assigned physician names and health services payment information. The types of information involved vary from individual to individual.

Columbia Medical Practice said it is evaluating additional technical measures, reviewing its cyber auditing practices, and reviewing and updating its policies and procedures to reduce the risk of similar incidents in the future. Notification letters will be mailed to the affected individuals when the file review is concluded. At present, the incident is not listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jupiter Medical Center

Jupiter Medical Center in Jupiter, Florida, has started notifying patients about unauthorized access to electronic medical records. Notification letters have only recently been sent, although the data breach occurred in January 2025. The breach involved its medical record vendor, Cerner (now Oracle Health).

Jupiter was one of many healthcare providers affected by the breach. While Oracle Health has not confirmed publicly exactly how many of its clients were affected, in a recent lawsuit, Oracle Health’s attorneys said up to 80 hospitals may have been affected. Jupiter Medical Center said law enforcement requested delaying announcing the data breach and issuing notifications as it would potentially interfere with the law enforcement investigation.

The breach affected a limited number of patients and involved information typically found in medical records, as well as Social Security numbers. The affected individuals have been offered two years of complimentary credit monitoring services.


November 2025 Healthcare Data Breach Report

Based on breach reports submitted to the U.S. Department of Health and Human Services (HHS), November saw relatively low numbers of healthcare data breaches. On average in 2025, 57 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR) each month. In fact, for the past six years, data breaches have been reported at a rate of around 60 per month. The OCR breach portal currently lists 32 large healthcare data breaches for November, and a similar number were reported in October (28) – numbers that have not been regularly seen since 2018.

[Figure: Healthcare data breaches in the past 12 months - November 2025]

Compared to previous Novembers, data breaches have decreased substantially, with a 54% reduction from November 2024 and a 56% reduction from November 2023.

[Figure: November healthcare data breaches 2020-2025]

While data breaches appear to have halved in October and November, the decline coincides with the U.S. government shutdown due to Congress failing to pass appropriations legislation for the 2026 fiscal year. The shutdown lasted from October 1, 2025, to November 12, 2025, and during that time, no data breaches were added to the OCR data breach portal. The significant backlog has taken some time to clear, and there may still be breach reports that have yet to be added to the breach portal from that period.

[Figure: Individuals affected by healthcare data breaches in the past 12 months - November 2025]

Low numbers of data breaches do not always mean low numbers of affected individuals, as was demonstrated in October 2025, when only 28 breaches were reported, but more than 11 million individuals were affected. Breach victims fell substantially in November, which saw the fewest number of individuals affected by large healthcare data breaches so far this year. Based on current figures, 1,415,934 individuals are known to have had their protected health information exposed or impermissibly disclosed in data breaches reported in November. That’s the lowest monthly total since January 2023, and an 87.2% reduction from October. So far in 2025, from January 1, 2025, to November 30, 2025, 686 large healthcare data breaches have been reported affecting 55,695,906 individuals.

[Figure: Individuals affected by November healthcare data breaches - November 2025]

The number of affected individuals in November 2025 was the lowest in the past five years. While the low numbers of data breaches and affected individuals are certainly good news, this trend may be short-lived, as some sizable data breaches have been confirmed by HIPAA-regulated entities in the past two months that have yet to appear on the OCR data breach portal.

The Biggest Healthcare Data Breaches Reported in November 2025

In November, 16 healthcare data breaches were reported to OCR that affected more than 10,000 individuals. The biggest confirmed healthcare data breach of the month affected VITAS Hospice Services in Florida and involved unauthorized access to the protected health information of almost 320,000 patients. An account used by one of its vendors was compromised, and the account was used to access VITAS systems.

The medical supply company Fieldtex Products reported the second-largest data breach, also a hacking incident, affecting 238,615 individuals. A further three breach reports were submitted to OCR by Fieldtex Products in December, adding a further 35,748 individuals to that total. Delta Dental of Virginia reported a hacking incident that was initially thought to have affected 145,918 individuals, although following investigation, that figure was reduced to 126,953 individuals. This was the largest email data breach of the month and involved unauthorized access to a single email account.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| VITAS Hospice Services, LLC | FL | Healthcare Provider | 319,177 | Hacking incident involving a compromised vendor account |
| Fieldtex Products, Inc. | NY | Business Associate | 238,615 | Hacking incident |
| Delta Dental of Virginia | VA | Health Plan | 126,953 | Email account breach |
| Richmond Behavioral Health Authority | VA | Healthcare Provider | 113,232 | Ransomware attack |
| Persante Health Care | NJ | Business Associate | 111,815 | Hacking incident |
| Denton MHMR Center | TX | Healthcare Provider | 108,967 | Hacking incident |
| NS Support, LLC | ID | Healthcare Provider | 92,845 | Hacking incident – data theft confirmed |
| Anchorage Neighborhood Health Center | AK | Healthcare Provider | 70,555 | Hacking incident |
| Davies, McFarland & Carroll LLC | PA | Business Associate | 54,712 | Hacking incident – data theft confirmed |
| Morton Drug Company | WI | Healthcare Provider | 40,051 | Hacking incident |
| Marshfield Clinic Health System | WI | Healthcare Provider | 35,952 | Email accounts compromised |
| Loving and Living Center, PC dba Awakenings Center | NC | Healthcare Provider | 17,800 | Unauthorized access to the electronic medical record system |
| Healthcare Therapy Services, Inc. | IN | Healthcare Provider | 15,027 | Email accounts compromised |
| Millcreek Pediatrics | DE | Healthcare Provider | 14,095 | Hacking incident |
| Steven J. Pearlman MD PC | NY | Healthcare Provider | 11,764 | Hacking incident |
| Personic Management Company LLC | VA | Business Associate | 10,929 | Compromised third-party software platform |

Data breaches must be reported to OCR within 60 days of discovery, per the HIPAA Breach Notification Rule. If the total number of affected individuals is not known, an estimate should be provided within those 60 days. HIPAA-regulated entities often submit a breach report using a placeholder figure of 500 or 501 affected individuals when data reviews are ongoing. In November, two data breaches were reported with 500 totals indicative of placeholder figures.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| West Suburban Eye Surgery Center LLC | MA | Business Associate | 500 | Unauthorized Access/Disclosure |
| County of Catawba | NC | Health Plan | 500 | Hacking/IT Incident |

Causes of November 2025 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 78% of the month’s data breaches (25 incidents) and 99.1% of the month’s affected individuals (1,403,361). On average, 56,134 individuals were affected by each of these incidents (median: 15,027).

[Figure: Causes of November 2025 healthcare data breaches]

Unauthorized access/disclosure incidents accounted for 15.6% of the month’s data breaches (5 incidents) and 0.5% of the month’s affected individuals (7,591). The average breach size was 1,518 individuals (median: 1,518). Loss and theft incidents accounted for 6.3% of the month’s breaches (2 incidents) and 0.4% of the month’s affected individuals. The average breach size was 2,491 individuals (median: 2,491).

Ransomware attacks continue to be one of the biggest cyber threats in healthcare, although hacking incidents are rarely reported as such. A recent analysis from GuidePoint Security identified a 58% year-over-year increase in ransomware attacks in 2025, with Qilin, INC Ransom, and SafePay the biggest threats to healthcare organizations. Some threat actors, Pear, for example, have opted for pure data theft and extortion, skipping file encryption in their attacks. Pear has targeted several healthcare organizations in recent months, and a recently emerged ransomware group called Sinobi has claimed many healthcare victims.

[Figure: Location of breached protected health information - November 2025]

While a majority of the hacking incidents (59%) involved compromised network servers, email continues to be targeted and is often used for initial access in more comprehensive attacks on an organization. In November, almost 19% of incidents involved compromised email accounts.

Where did the Data Breaches Occur?

Healthcare providers were the worst-affected HIPAA-covered entities in November, with 22 reported breaches (867,100 affected individuals), with three data breaches at health plans (129,118 affected individuals) and no data breaches at healthcare clearinghouses. In November, 7 business associates of HIPAA-covered entities reported data breaches (419,716 affected individuals); however, a further two breaches occurred at business associates but were reported by the affected covered entities. The charts below are based on where the data breach occurred, rather than the entity that reported the breach.

[Figure: Covered entities data breaches November 2025]

[Figure: HIPAA-regulated entities data breaches - November 2025]

Geographic Distribution of Healthcare Data Breaches

In November, large healthcare data breaches were reported by HIPAA-regulated entities based in 21 U.S. states. Virginia was the worst-affected state with four breaches, followed by New York and Wisconsin with three data breaches.

| State | Breaches |
|---|---|
| Virginia | 4 |
| New York & Wisconsin | 3 |
| Florida, Minnesota, North Carolina & Pennsylvania | 2 |
| Alaska, California, Connecticut, Delaware, Idaho, Illinois, Indiana, Maryland, Massachusetts, Michigan, New Jersey, New Mexico, Rhode Island & Texas | 1 |

While entities in Florida only experienced 2 large healthcare data breaches, the state had the highest number of affected individuals.

| State | Individuals Affected |
|---|---|
| Florida | 322,859 |
| New York | 252,617 |
| Virginia | 252,027 |
| New Jersey | 111,815 |
| Texas | 108,967 |
| Idaho | 92,845 |
| Wisconsin | 77,726 |
| Alaska | 70,555 |
| Pennsylvania | 55,255 |
| North Carolina | 18,300 |
| Indiana | 15,027 |
| Delaware | 14,095 |
| Minnesota | 7,331 |
| California | 4,285 |
| Rhode Island | 4,000 |
| New Mexico | 2,165 |
| Michigan | 1,984 |
| Maryland | 1,300 |
| Connecticut | 1,260 |
| Illinois | 1,021 |
| Massachusetts | 500 |

HIPAA Enforcement Activity in November 2025

The government shutdown during October and a significant part of November brought many HHS workflows to a grinding halt as staff were furloughed, and there were no announcements about HIPAA enforcement actions. Enforcement activity is continuing, and while there were no new announcements, 2025 ranks as one of the busiest years for HIPAA enforcement. Including one penalty announced in December, OCR closed the year with settlements and civil monetary penalties – the second-highest annual total to date. State Attorneys General also enforce the HIPAA Rules; however, there were no known enforcement actions announced in November to resolve alleged HIPAA violations.

[Figure: HIPAA penalties 2009-2025]

This report is based on data obtained from the HHS’ Office for Civil Rights on January 20, 2026.


Central Maine Healthcare Data Breach Affects 145,000 Individuals

Data breaches have recently been announced by Central Maine Healthcare, Dermatology Associates in Kentucky, and Reproductive Medicine Associates of Michigan. The Central Maine Healthcare data breach has affected 145,000 individuals.

Central Maine Healthcare

Central Maine Healthcare, an integrated nonprofit healthcare system serving around 400,000 residents in central and western Maine, has announced a major data breach involving the electronic protected health information of up to 145,000 patients.

Suspicious activity was identified within its IT systems on June 1, 2025, and immediate action was taken to secure its systems while an investigation sought to determine the nature and scope of the activity. The investigation determined that between March 19, 2025, and June 1, 2025, an unauthorized third party had access to its network and accessed or acquired files containing sensitive patient data.

The file review confirmed that names and Social Security numbers were compromised, in combination with one or more of the following: address, date(s) of service, provider names, treatment information, and health insurance information. Notification letters started to be mailed to the affected individuals in late December 2025, and single-bureau credit monitoring, credit report, and credit score services have been offered.

Dermatology Associates, Kentucky

Dermatology Associates in Louisville, Kentucky, has recently announced an August 2025 security incident that may have resulted in unauthorized access to patient data. Suspicious activity was identified within its computer systems on August 4, 2025, and third-party cybersecurity experts were engaged to investigate the activity.

The investigation confirmed unauthorized access to its network for a period of two months from June 4, 2025, to August 4, 2025. The data review is ongoing, so the types of information involved have yet to be confirmed. Dermatology Associates said the information likely exposed in the incident included names, addresses, dates of birth, driver’s license numbers, telephone numbers, physician names, billing/claims information, patient ID/account numbers, and health insurance information.

Steps have been taken to improve security, and notification letters will be sent by mail when the investigation is concluded. The data breach is currently shown on the HHS’ Office for Civil Rights breach portal with a placeholder figure of at least 501 affected individuals. The total will be updated when the file review is concluded.

Reproductive Medicine Associates of Michigan

Reproductive Medicine Associates of Michigan (RMAM), a fertility clinic in Troy, MI, has started notifying patients about a recent cybersecurity incident that involved the theft of sensitive data from its network. Suspicious network activity was identified on October 22, 2025, and immediate action was taken to secure its IT environment. Third-party cybersecurity specialists were engaged to investigate the activity, who confirmed that data had been exfiltrated.

On December 19, 2025, a substitute data breach notice was added to the RMAM website that states that the file review is ongoing, and notification letters will be mailed to the affected individuals when that process is completed. The notifications will provide information on the exact types of information involved for each individual. At present, the total number of individuals affected has yet to be confirmed.


Minnesota Department of Human Services Data Breach Affects Over 300K Individuals

The Minnesota Department of Human Services (DHS) has notified almost 304,000 individuals about unauthorized access to their demographic records. The records were stored in the MnChoices system, which is used by counties, Tribal Nations, and managed care organizations to support their assessment and planning work for state residents requiring long-term services and support.

The system is managed by the third-party vendor, FEI Systems, which notified the Minnesota DHS in November about unauthorized access to data in the system by a user associated with a licensed healthcare provider. While there was a legitimate reason to access limited information in the system, some data was accessed without authorization by the user. The unauthorized access ceased on September 21, 2025, and the user’s access to the system was fully removed on October 30, 2025.

For the majority of affected individuals, the information accessed was limited to demographic information, although for 1,206 individuals, additional information was also accessed. Some medical information was accessed, and for certain individuals, the last four digits of their Social Security numbers. While the forensic investigation identified the categories of information accessed, it was not possible to determine, on a record-by-record basis, exactly what information was accessed for each individual. Due to the limited nature of the data accessed, Minnesota DHS is not providing the affected individuals with free credit monitoring services.

A forensic investigation was ordered to determine the exact types of information accessed and the individuals affected. At the time of issuing notification letters on January 16, 2026, no data misuse had been identified. Minnesota DHS has confirmed that the user no longer has access to the system, and additional safeguards have been implemented to prevent similar unauthorized access incidents in the future.

The DHS Office of Inspector General was made aware of the incident and has developed data-driven processes to monitor and evaluate billing information to determine whether there has been inappropriate or fraudulent use of the accessed data. Should any fraudulent use be identified, a thorough investigation will be conducted, and the matter will be reported to law enforcement. In that regard, the Minnesota DHS has requested that all individuals who receive a notification letter about the incident carefully review their health care statements and report any suspicious charges or services.


Valley Eye Associates Confirms Patient Data Stolen in Ransomware Attack

Valley Eye Associates has fallen victim to a ransomware attack in which sensitive patient data was exfiltrated from its network. Imperial Beach Community Clinic has started notifying patients about unauthorized access to its email environment.

Valley Eye Associates, Wisconsin

Valley Eye Associates, an ophthalmology, optometry, and LASIK eye surgery center in Appleton, WI, has recently announced that it fell victim to a ransomware attack on or around October 8, 2025. Third-party cybersecurity specialists were engaged to assist with the investigation and determined that the ransomware group had access to its network between October 8, 2025, and October 9, 2025, during which time files were exfiltrated from its network.

While data was stolen, Valley Eye Associates said there are no indications that the stolen data has been or will be used inappropriately. It is unclear how that determination was made. The ransomware group behind the attack was not mentioned in the breach notice, although the Qilin ransomware group claimed responsibility for the attack and published the stolen data, indicating the ransom was not paid. The group claimed to have exfiltrated 139 GB of data.

Valley Eye Associates is still reviewing the affected data and will notify the affected individuals when that process is completed. Valley Eye Associates said it has taken steps to improve security to prevent similar incidents in the future, including implementing additional security protections for its email environment, which suggests that email was used for initial access.

Imperial Beach Community Clinic, California

Imperial Beach Community Clinic, a California community healthcare serving the San Diego South Bay area, has notified the California Attorney General about a cybersecurity incident and data breach that was first identified almost a year ago. According to the breach notice, unusual activity was identified within its email environment on April 15, 2025. An investigation was launched to determine the nature and scope of the activity, and it was confirmed that an unauthorized individual had access to certain email accounts from February 4, 2025, to May 2, 2025. During that time, certain information in the accounts may have been acquired.

The affected data set was reviewed, and on December 30, 2025, the file review was concluded. Data compromised in the incident included name, age, appointment date, claim number, date of birth, encounter ID number, gender, insurance information, insurance name, patient ID number, procedure type, provider name, service date, and visit type. Imperial Beach Community Clinic has reviewed and enhanced its data privacy and security policies and procedures to prevent similar incidents in the future. The California Attorney General breach notice does not state how many individuals were affected, and the data breach is not yet shown on the HHS’ Office for Civil Rights breach portal.


Monroe University: 320,000 Individuals Affected by December 2024 Cyberattack

Monroe University, a for-profit university with campuses in the Bronx and La Rochelle in New York, and Saint Lucia in the Caribbean, has recently confirmed that a cyberattack has resulted in unauthorized access to the personal and health information of approximately 320,973 individuals.

The cyberattack was detected more than a year ago on December 23, 2024. When the intrusion was detected, immediate action was taken to secure its systems to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed that an unauthorized third party had access to its network from December 9, 2024, to December 23, 2024, and exfiltrated files containing sensitive data.

It has taken nine months to review the affected files to determine the individuals affected and the types of data involved. On September 30, 2025, Monroe University confirmed that the data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, government identification numbers, medical information, health insurance information, electronic account or email usernames and passwords, financial account information, and/or student data.

The university started issuing notification letters to the affected individuals on January 2, 2026, and has advised all individuals to remain vigilant against potential fraud and identity theft by monitoring their credit reports, accounts, and explanation of benefits statements for suspicious activity. At the time of issuing notification letters, the university had not identified any misuse of the stolen data. Based on the notification letter seen by The HIPAA Journal, credit monitoring services do not appear to have been offered.

Universities, like healthcare organizations, are an attractive target for hackers, who can gain access to vast amounts of sensitive data, which in this case included student data and health information. Other universities that have recently experienced cyberattacks include Harvard and Columbia.


Tens of Thousands of Patients Affected by Two Business Associate Data Breaches

Mid Michigan Medical Billing Service, a Flint, MI-based revenue cycle management company that provides billing support services to HIPAA-covered entities, has fallen victim to a cyberattack that exposed the sensitive data of patients of its healthcare clients.

Suspicious network activity was identified on March 27, 2025, and the forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The affected data was reviewed to determine the types of information involved and the affected individuals. Mid Michigan Medical Billing Service then notified the affected covered entity clients and worked with them to provide notice to the affected individuals.

The file review confirmed that the protected health information of 28,185 individuals had been exposed in the cyberattack. The compromised data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, driver’s license/government-issued identification number, Medicare/Medicaid identification number, diagnosis/treatment information, medical record number/patient account number, health insurance information, payment card number, employer identification number, passport number, treating/referring provider name, and biometric data. For a limited number of individuals, Social Security numbers were involved.

VillageCareMAX, New York

VillageCareMAX, a New York, NY-based provider of health plans and community healthcare services to seniors and individuals with chronic diseases, has announced a data breach involving one of its business associates, TMG Health.

VillageCareMAX uses the Cognizant-owned TMG Health to assist with the administration of its members’ health plans. TMG Health identified unauthorized activity within its information system on September 19, 2025. The unauthorized access was immediately terminated, and an investigation was launched to determine the nature and scope of the unauthorized activity. TMG Health determined that an unauthorized third party had access to its network for 10 months from November 20, 2024, to September 19, 2025. During that time, VillageCareMAX members’ protected health information may have been accessed and acquired.

The affected data included names, member identification numbers, health information, and Social Security numbers. While no misuse of that data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft recovery services. VillageCareMAX has received assurances that TMG Health has implemented technological and procedural enhancements to prevent similar incidents in the future.

VillageCareMAX provides services to more than 35,000 individuals each year. It is currently unclear how many of those individuals have been affected.
