Legal counsel for Woodfords Family Services has provided an updated breach notice to the Maine Attorney General, confirming that more individuals were affected by its ransomware attack than previously reported. The initial breach report submitted to the Maine Attorney General on March 27, 2026, stated that 8,073 individuals had been affected; however, a substitute notice has been issued for 33,911 individuals, with 41,984 individuals in total confirmed as affected by the data breach.

March 30, 2026: Woodfords Family Services Notifies Patients Affected by April 2024 Ransomware Attack

Westbrook, Maine-based Woodfords Family Services, a provider of services to individuals with special needs and their families, has notified the Maine Attorney General about a breach of the personal and protected health information of 8,073 individuals in a ransomware attack, including 7,701 Maine residents.

Suspicious network activity was identified on April 8, 2024. The investigation confirmed that its network had been accessed by the Medusa ransomware group. Immediate action was taken to investigate the incident and ensure the security of its systems, and the forensic investigation ended on May 30, 2024. A preliminary breach notice was issued on June 3, 2024, and a media notice was issued on June 7, 2024, to alert individuals potentially affected by the incident. Some notification letters were mailed to individuals in March 2025, although some people have only recently received notification letters.

While the incident was initially investigated internally, Woodfoods Family Services determined that it was unable to identify the full scope of the incident and engaged data mining specialists on September 25, 2024, to confirm the individuals affected and the types of data involved. The initial data mining process took until October 3, 2025, to complete, then the data had to be reviewed internally. The internal review was completed on January 29, 2026, mailing addresses for the affected individuals were verified, and the last of the notification letters were mailed to the affected individuals on March 27, 2026.

Data compromised in the incident included names, Social Security numbers, driver’s license numbers, financial account information, health insurance information, and diagnosis and treatment information. The affected individuals have been offered a complimentary 12-month membership to credit monitoring and identity theft protection services.

The data breach was reported to the HHS’ Office for Civil Rights in June 2024 using a placeholder figure of at least 500 affected individuals. The total has yet to be updated, although OCR has delayed adding new breach reports to its portal. This is not the first ransomware attack to be experienced by Woodfoods Family Services. An attack on June 19, 2023, involved unauthorized access to the personal information of 17,285 individuals, including the protected health information of 6,691 individuals.

The post Woodfords Family Services Data Breach Affected Almost 42,000 Individuals appeared first on The HIPAA Journal.

The Somerset, New Jersey-based healthcare software company CareCloud has notified the U.S. Securities and Exchange Commission (SEC) about a security incident that caused network disruption on March 16, 2026. CareCloud is a business associate of hospitals and physician practices and works with more than 45,000 providers. The company provides software solutions, including electronic health records systems, and it was its electronic health record environment that was subject to unauthorized access.

According to the SEC filing, a hacker gained access to one of its six electronic health record environments for a period of around 8 hours, partially disrupting functionality and data access. CareCloud was able to fully restore the environment on the evening of March 16, 2026. CareCloud believes that the threat actor no longer has access to its systems. Initially, the incident was reported to law enforcement, its cyber insurer was notified, and third-party cybersecurity specialists were engaged to assist with the investigation and help with securing its environment. When it became clear that this was a material incident due to the sensitivity of the data stored within the compromised environment and the potential cost of a data breach, the SEC was notified.

CareCloud believes that the incident was contained in the one CareCloud Health environment, and no other business systems were involved. The investigation to determine the nature and scope of the unauthorized activity is ongoing, including the extent to which patient data was accessed or exfiltrated, and the categories of and volume of data involved.

As of the date of the SEC filing, the incident has had no material impact on the company’s operations, and the initial assessment suggests that the incident is not reasonably likely to have a material impact on the company’s financial position or results of operations, although the impact of the incident has yet to be fully assessed. There will naturally be costs associated with remediation and response, legal, regulatory, and notification-related matters, and possible effects on patients, customers, counterparties, reputation, and operations. The company holds cyber insurance policies and believes that it has sufficient insurance coverage to cover any costs.

CareCloud has not publicly disclosed how any of its clients have been affected, nor has it provided an estimate for the number of individuals whose medical records were exposed in the incident. Notifications will be issued to the affected clients and individuals when they have been identified. At the time of publication, no cyber threat actor is known to have claimed responsibility for the attack.

The post Healthcare Software Company Announces Breach of its Electronic Health Record Environment appeared first on The HIPAA Journal.

Data breaches have been announced by New Horizons Behavioral Health in Georgia, CWA Local 1180 in New York, Coastal Carolina Health Care in North Carolina, West Texas Health, and Nephrology Associates Medical Group and Stockton Cardiology Medical Group in California.

New Horizons Behavioral Health, Georgia

The Columbus, Georgia-based community mental healthcare provider New Horizons Behavioral Health has announced a January 2026 security incident. Suspicious network activity was identified on January 18, 2026, and the forensic investigation confirmed unauthorized access to its network between January 15, 2026, and January 18, 2026. Data review specialists have been engaged to determine which individuals have been affected, and while that process is ongoing, New Horizons Behavioral Health has confirmed that the data exposed in the incident includes names, addresses, birth dates, Social Security numbers, driver’s license numbers, financial account information, diagnosis information, treatment and prescription information, provider names, treatment locations, and health insurance information.

New Horizons Behavioral Health said the affected individuals will be offered complimentary credit monitoring and identity theft protection services, and will receive notifications when the data review is concluded. While not stated in the breach notice, the Devman threat group took credit for the attack. On December 1, 2025, Devman added New Horizons Behavioral Health to its data leak site with a threat to publish 236 GB of data allegedly stolen in the attack.

Stockton Cardiology Medical Group, California

Stockton Cardiology Medical Group, an independent physician practice serving the San Joaquin Valley area of California, has started notifying patients about a recent security incident. According to the breach notice provided to the California Attorney General, suspicious emails were identified that had been sent to its employees. Stockton Cardiology deleted the emails as part of its remediation efforts; however, on January 17, 2026, Stockton Cardiology learned that files containing patient information may have been accessed or acquired.

An investigation was launched to determine the scope of the breach, and the impacted files were found to contain personally identifiable information and protected health information, including patient names, mailing addresses, email addresses, and billing records that may contain limited medical information associated with services provided. The affected individuals have been offered complimentary credit monitoring services, and steps have been taken to improve security. They include shutting down an older remote access service used by staff members, implementing multifactor authentication for internal systems, resetting all passwords, and reviewing data retention policies to minimize the data stored on its systems.

Stockton Cardiology said it learned on February 17, 2026, that some of the stolen data had been published online. That was the date that the Genesis threat group claimed responsibility for the attack. Genesis said 645 GB of data was stolen in the attack, including personal and healthcare data.

Coastal Carolina Health Care, North Carolina

Coastal Carolina Health Care (CCHC), a provider of primary and specialty care services in Craven, Pamlico, and Carteret Counties in North Carolina, has recently notified the New Hampshire Attorney General about a data breach. Unauthorized network activity was first identified on March 25, 2025, and after securing its network and investigating the incident, the healthcare provider determined that there had been unauthorized network access between March 21, 2025, and March 27, 2025. A third-party vendor was engaged to review the affected data, and almost a year later, the types of data involved have been confirmed.

Coastal Carolina Health Care said it was determined on February 26, 2026, that names and Social Security numbers were compromised in the incident, and sufficient information was obtained to effectuate individual notifications.  The affected individuals have been offered complimentary credit monitoring and identity theft protection services. Coastal Carolina Health Care said additional security measures have been implemented to prevent similar incidents in the future.

West Texas Health

West Texas Health PLLC has notified 73,720 individuals about a recent data security incident that impacted Privia Medical Groups West Texas, LLC. On or around October 3, 2025, West Texas Health discovered a security incident. Assisted by external cybersecurity professionals, unauthorized access was confirmed between September 12, 2025, and October 3, 2025.  West Texas Health said that following an extensive forensic investigation and comprehensive document review, on February 6, 2026, it was confirmed that protected health information was acquired in the incident.

The types of data involved vary from individual to individual and may include names in combination with some or all of the following: first and last names, Social Security numbers, driver’s license/state-issued identification numbers, passports, military identifications, other unique government-issued identification numbers, financial account information, financial account numbers, payment card information, taxpayer identification numbers or IRS identity protection PINs, medical histories, medical diagnosis and treatment information, health insurance policy numbers, claims histories, other health insurance information, and usernames/email addresses with passwords and security questions and answers. West Texas Health said individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Nephrology Associates Medical Group, California

Nephrology Associates Medical Group in Riverside, California, has notified the California Attorney General about a May 2025 cybersecurity incident. Suspicious activity was identified within its email system on May 20, 2025. Assisted by third-party cybersecurity professionals, Nephrology Associates confirmed that an employee’s email account had been compromised. The account was reviewed, and on December 12, 2025, the review was completed, confirming that personal information was present in the account, including names, Social Security numbers, dates of birth, medical/health information, treatment/diagnostic information, health insurance information, billing/payment information, and credentialing information.

Nephrology Associates has strengthened password requirements, is now enforcing more frequent password changes, has reduced access permissions, and is storing older data offline. The breach has been reported to the HHS’ Office for Civil Rights; however, there is now a substantial delay in adding breach data to the public-facing section of its breach portal. At present, it is unclear how many individuals have been affected.

Communications Workers of America Local 1180 Security Benefits Fund, New York

Communications Workers of America Local 1180 Security Benefits Fund (CWA Local 1180) has notified regulators about a data breach involving unauthorized access and potential acquisition of the personal and protected health information of 18,550 individuals. In a notification to the Massachusetts Attorney General, CWA Local 1180 said the forensic investigation of the incident determined that its network was breached on December 24, 2025.

The investigation determined that names and Social Security numbers were potentially compromised in the incident, although no evidence has been found to indicate that there has been any misuse of the impacted data. As a precaution against data misuse, the affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. CWA Local 1180 said that it has taken steps to harden security to prevent similar incidents in the future.

The post Six New Healthcare Data Breaches Announced appeared first on The HIPAA Journal.

Data breaches have recently been reported by Vantage Plastic Surgery in New York City and Austin Plastic and Reconstructive Surgery in Texas.

Vantage Plastic Surgery, New York

Vantage Plastic Surgery, a plastic surgery practice in New York City, has recently disclosed a security incident involving unauthorized access to the protected health information of 4,600 current and former patients. The plastic surgery practice said it first learned about the cyberattack on January 15, 2026, and immediate action was taken to secure its computer environment. Third-party cybersecurity specialists were engaged to assist with the investigation, and on January 22, 2026, the practice confirmed that patient data had been exposed and may have been obtained by an unauthorized third party.

The file review determined that names, addresses, phone numbers, email addresses, dates of birth, and medical record information had been exposed in the incident. The practice announced the data breach on February 14, 2026, and is now notifying the affected patients. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, and steps have been taken to bolster security to prevent similar incidents in the future.

Austin Plastic and Reconstructive Surgery, Texas

Austin Plastic and Reconstructive Surgery in Texas has notified patients about a security incident that involved unauthorized access to its network last summer. The incident was detected on or around July 1, 2025, and the forensic investigation confirmed unauthorized access to its network between June 30, 2025, and July 1, 2025.

Third-party cybersecurity professionals were engaged to investigate the incident, and the affected files were reviewed. On February 28, 2026, it was confirmed that files accessed or acquired in the incident contained names, addresses, dates of birth, financial account information, driver’s license numbers/state identification numbers, passport numbers, Social Security numbers, medical information, and health insurance information.

Notification letters were sent to the affected individuals on March 11, 2026, and at that time, no misuse of the affected data had been identified. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. The breach is not currently listed on the HHS Office for Civil Rights breach portal of the website of the Texas Attorney General, so it is currently unclear how many individuals have been affected.

The post Data Breaches Reported by New York & Texas Plastic Surgery Practices appeared first on The HIPAA Journal.

On March 24, 2026, NYC Health + Hospitals Corporation announced that personally identifiable information (PII) and protected health information (PHI) were exposed in a data security incident. NYC Health + Hospitals identified suspicious activity within its computer network on February 2, 2026. Immediate action was taken to secure the affected systems, and an investigation was launched to determine the nature and scope of the unauthorized activity, with assistance provided by third-party cybersecurity specialists.

The investigation determined that an unauthorized third party first gained access to its network more than two months previously, on November 25, 2026, and retained access until February 11, 2026. The investigation into the incident is ongoing; however, NYC Health + Hospitals believes that initial access to its systems may have been gained in a security breach at one of its third-party vendors. The name of that vendor was not disclosed.

NYC Health + Hospitals determined that files were exfiltrated from its network, some of which contained PII and PHI. Over the past few weeks, NYC Health + Hospitals has been reviewing the impacted data to determine the types of information involved and the individuals affected by the incident. The delay in issuing notifications to the affected individuals was due to the time taken to review the affected data. There were no instructions from law enforcement to delay notifications.

Based on the results of the data review to date, the following types of data were compromised in the incident: names; medical information (medical record numbers, disability codes, diagnoses, medications, test results, images, treatment plans); health insurance information (plans/policies, insurance companies, member/group ID numbers, Medicaid-Medicare-government payor ID numbers), billing/claims information; biometric information; personal information (Social Security numbers, driver’s license numbers or other government-issued identification numbers, taxpayer identification numbers or IRS-issued identity protection numbers, precise geolocation data, credit or debit card numbers, financial account information or credentials, online account credentials). The information involved varies from individual to individual.

NYC Health + Hospitals said several steps have been taken to bolster security to prevent similar incidents in the future. They include enhanced detection rules for cybersecurity tools, password resets for compromised accounts, additional detection and protective technologies, and updates to remote access management policies. Credit monitoring and identity theft protection services have been offered to the affected employees and patients for 24 months.

The data breach has been reported to the appropriate authorities, but it has yet to appear on the HHS’ Office for Civil Rights breach portal, which currently shows no data breach reports since February 26, 2026. As such, it is currently unclear how many individuals have been affected.

The post NYC Health + Hospitals Discloses 11-week Network Compromise appeared first on The HIPAA Journal.

Evansville, Indiana-based Deaconess Health System has announced a data breach involving information shared with a third-party vendor, the MRO Corp-owned company MediCopy. Deaconess Health System is one of the largest health systems in the Illinois-Indiana-Kentucky tri-state area, and operates 18 hospitals in southwestern Indiana, western Kentucky, and southeastern Illinois. The data breach affects certain patients of two of its hospitals: Deaconess Henderson Hospital in Henderson, KY, and Deaconess Union County Hospital in Morganfield, KY.

Deaconess Health System contracted with MediCopy to handle release of information (ROI) requests. Deaconess Health System’s substitute breach notice explains that MediCopy informed the health system about the security incident on February 2, 2026. The investigation determined that an unauthorized actor accessed MediCopy-controlled/managed cloud-based file-sharing software on January 13, 2026, and downloaded files related to ROI requests. The security incident was limited to the cloud-based platform. There was no unauthorized access to any Deaconess Health System’s IT systems or electronic health record system. A spokesperson for MRO said neither the MRO platform nor MediCopy systems were compromised in the incident.

Deaconess Health System conducted a comprehensive review of the affected data and determined that the information compromised in the incident included names, dates of birth, dates of service, medical record numbers, Social Security numbers, health insurance information, and medical records related to the treatment received at Deaconess Health System hospitals.

Notification letters are being mailed to the affected individuals by Deaconess Health System, which is offering complimentary credit monitoring and identity theft protection services. Deaconess Health System has confirmed that additional measures have been implemented to further strengthen the security of its file-sharing platform and the information maintained on that platform.

The number of Deaconess Health System patients affected by the data breach has yet to be publicly disclosed. Deaconess Health System said it has reported the breach to the appropriate agencies,  but the breach is not yet shown on the HHS’ Office for Civil Rights breach portal. There has been a delay in adding data breaches to the OCR data breach portal. While there have been some additions of data breaches with reporting dates prior to February 26, 2026, the breach portal lists no new additions after that date (as of March 25, 2026).

The post Deaconess Health System Affected by Vendor Data Breach appeared first on The HIPAA Journal.

The sensitive data of more than 23,000 Florida Medicare members has been impermissibly shared with overseas companies, putting Medicare members’ sensitive health data at risk. The data was shared by Mirra Health, a provider of administrative services to health maintenance organizations (HMOs) in Florida.

Mirra Health had contracts with three HMOs in Florida: Secure Inc, Solis Health Plans Inc., and Ultimate Health Plans Inc. Under those contracts, Mirra Health agreed to provide certain administrative services, including member enrollment, claims adjudication and payment, utilization management, and grievance and appeals processing. Mirra Health engaged four unlicensed companies in India and the Philippines to perform claims processing and other functions and provided those companies with the necessary data to perform those functions.

While Mirra Health may choose to delegate certain functions to subcontractors, sensitive data was shared with unlicensed companies without the knowledge or prior approval of the HMOs or their enrollees. Under the terms of its contracts with the HMOs, prior authorization must be received before passing any data to offshore partners.

An investigation conducted by the Florida Office of Insurance Regulation determined that Mirra Health had engaged in business practices that pose an imminent threat to the public health, safety, and welfare of state residents. Mirra Health was found to have disclosed the sensitive data of 23,119 Florida Medicare Advantage enrollees to those unlicensed companies. The majority of the affected individuals participated in Chronic Condition Special Needs Plans (C-SNPs), Dual Eligible Special Needs Plans (D-SNPs), and Institutional Special Needs Plans (I-SNPs). When the Florida Office of Insurance Regulation requested that Mirra Health produce the contracts it had signed, it failed to produce all contracts with overseas companies, in violation of section 626.884 of the Florida Insurance Code.

This week, Florida Insurance Commissioner Michael Yaworsky suspended Mirra Health LLC’s certificate of authority. Yaworsky said the company demonstrated it is not competent or trustworthy, as it disclosed sensitive Medicare data to foreign entities that are beyond the regulatory reach of the Office of Insurance Regulation, depriving both the Office and the HMOs of the ability to protect vulnerable state residents.

The post Florida Insurance Commissioner Suspends Mirra Health for Medicare Data Transfers to Foreign Companies appeared first on The HIPAA Journal.

A major data breach has been reported by the telehealth platform provider OpenLoop Health Inc. While the total number of affected individuals has yet to be publicly disclosed, it could well be one of the largest healthcare data breaches of the year to date. According to the breach notice provided to the California Attorney General, OpenLoop Health learned on January 7, 2026, that an unauthorized third party had gained access to some of its systems and copied files containing sensitive data. Third-party cybersecurity specialists were engaged to investigate and determine the nature and scope of the incident and ensure that its systems were secured and could no longer be accessed.

The forensic investigation confirmed that the unauthorized third party had access to its network from January 7, 2026, to January 8, 2026, and the files exfiltrated from its systems included information such as names, addresses, email addresses, dates of birth, and medical information. OpenLoop Health said Social Security numbers were not accessed or stolen. Steps have since been taken to harden security, and the affected individuals are being notified by mail. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

A threat actor with the moniker Stuckin2019 claimed responsibility for the incident in a hacking forum listing and claims to have obtained the information of 1.6 million patients. Threat actor claims may be exaggerated, the records may not all be unique, and in some cases, the claims are entirely fabricated. In this case, Stuckin2019 published samples of patient data as proof of data theft. OpenLoop Health has yet to publicly confirm the scale of the data breach or the validity of Stuckin2019’s claims. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, although the website of the Office of the Texas Attorney General lists an OpenLoop Health data breach affecting 68,160 state residents. That incident was published by the Texas Attorney General on March 18, 2026.

Databreaches.net reports that the Stuckin2019 is male and an individual rather than a group, who seemingly has form attacking telehealth companies. He claimed earlier this year to have attacked the New York telehealth company Zealthy, although the company has yet to publicly disclose any data breach. Databreaches reports that the OpenLoop Health forum post was only live for two days before being taken down, and in conversation with the hacker on Tox, was informed that payment was received and the data had been deleted.

The post Telehealth Platform Provider OpenLoop Health Disclosed Data Breach appeared first on The HIPAA Journal.