HIPAA Breach News

Radiology Associates of Richmond Data Breach Affects 266K Individuals

Radiology Associates of Richmond in Virginia, one of the oldest, continuously operating private radiology practices in the United States, has announced another major data breach. Two years ago, the protected health information of more than 1.4 million individuals was compromised in a cybersecurity incident. A little over one year later, another cybersecurity incident was experienced that exposed the personal and protected health information of more than 266,000 current and former patients.

The latest incident has recently been reported to the Maine Attorney General as involving unauthorized access to the electronic personal and protected health information of 266,183 individuals. The breach notice does not state when the intrusion was detected, only that the forensic investigation determined that the unauthorized access occurred on or around July 25, 2026.

The extensive forensic investigation and manual data review concluded on April 6, 2026, when it was confirmed that personal and protected health information was potentially viewed or acquired in the incident. A substitute data breach notice has been added to the Radiology Associates of Richmond website, but it does not state what specific types of information were compromised in the incident. The individual notification letters, which started to be mailed to the affected individuals on May 21, 2026, inform each individual which types of data were exposed or stolen in the attack.

The letters explain the steps that individuals can take to protect themselves against any data misuse. Individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

“[Radiology Associates of Richmond] is committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information,” explained Radiology Associates of Richmond.

The post Radiology Associates of Richmond Data Breach Affects 266K Individuals appeared first on The HIPAA Journal.

California & Washington Healthcare Providers Announce Data Breaches

Data breaches have been announced by Family Health Centers of San Diego, Totem Lake Family Dentistry, and Glendora Surgery Center.

Family Health Centers of San Diego

Family Health Centers of San Diego is sending notification letters to patients about an insider breach of their protected health information. According to the breach notification sent to the California Attorney General, Family Health Centers of San Diego discovered that one of its physicians had sent the personal and protected health information of certain patients to their personal email addresses, in violation of HIPAA and hospital policies.

The investigation confirmed that names, dates of birth, contact information, medical record numbers, and medical information had been emailed to the physician’s account. Family Health Centers of San Diego shut down the physician’s access to patient records, terminated the physician’s employment, and initiated legal action to compel the physician to destroy the emailed information. The physician has also been reported to the Medical Board of California. Family Health Centers of San Diego has offered the affected individuals a complimentary membership to a credit monitoring service for 12 months. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Totem Lake Family Dentistry

Totem Lake Family Dentistry, a Kirkland, WA-based family dental practice, has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 3,464 patients. According to the notification letters, suspicious activity was identified within an employee’s email account. The investigation confirmed unauthorized access to the account between May 28, 2025, and June 2, 2025. During that time, information in the account may have been viewed or copied. It has taken 11 months to review the contents of the account and mail notification letters to the affected individuals. At the time of issuing notification letters, Totem Lake Family Dentistry was unaware of any attempted or actual misuse of patient data. Credit monitoring and identity theft protection services do not appear to have been offered.

Glendora Surgery Center

Glendora Surgery Center in California has alerted patients about a data security incident that was first identified on December 3, 2025. The forensic investigation confirmed unauthorized access to its network between November 29, 2025, and December 3, 2025. During that time, files containing patient information were exfiltrated from its network. Data compromised in the incident included patient names and medical treatment information.

While data was stolen, Glendora Surgery Center is unaware of any actual or attempted misuse of that information. In response, data privacy and security policies and procedures have been reviewed, administrative and technical controls have been enhanced, and additional security training has been provided to the workforce. The HHS’ Office for Civil Rights has been notified, and a placeholder estimate of at least 501 individuals has been used. The data review is ongoing, and the total will be updated when the data review is concluded.

Data Breaches Announced by Lumexa Imaging; FMRS Health Systems

The diagnostic imaging service provider Lumexa Imaging has been affected by a security incident at one of its vendors. FMRS Health Systems, a West Virginia-based provider of mental health services, is investigating a January 2026 data breach.

Lumexa Imaging

Lumexa Imaging, a diagnostic imaging provider that, together with its affiliates, has the second-largest diagnostic imaging footprint in the United States, has notified regulators about a data security incident involving one of its vendors. The unnamed vendor provided non-clinical support services in connection with the administrative services Lumexa Imaging provided to its affiliated radiology practices. On April 9, 2026, the vendor notified Lumexa Imaging that it was investigating suspicious activity within part of its computer network. Lumexa Imaging immediately terminated the vendor’s access to its systems while the incident was investigated and remediated.

The investigation confirmed a breach of the vendor’s systems between March 31, 2026, and April 9, 2026. On April 15, 2026, Lumexa Imaging learned that an unauthorized actor may have used the connection between itself and the vendor to view or obtain documents associated with its affiliated radiology practices. The documents were reviewed and found to contain patient information such as names, birth dates, addresses, phone numbers, patient account numbers, insurance information, and clinical information such as diagnoses, visit dates, and other information related to the radiology services received. A small subset of patients had their Social Security numbers exposed.

The vendor has provided assurances that steps have been taken to secure its systems to prevent similar incidents in the future, including scrubbing and validating the affected systems and implementing additional cybersecurity monitoring and detection tools. Lumexa Imaging is unaware of any misuse of the exposed data and is offering complimentary credit monitoring services to individuals whose Social Security numbers were exposed. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

FMRS Health Systems

FMRS Health Systems, Inc., a West Virginia-based nonprofit mental health center, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 500 individuals. That figure will likely increase, as at the time of issuing its substitute breach notice, the investigation was still ongoing. According to the substitute breach notice on the FMRS Health Systems website, suspicious activity was identified within its computer systems on February 27, 2026. Steps were immediately taken to secure its systems, and a forensic investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation confirmed unauthorized access between January 20, 2026, and February 27, 2026, during which time files containing patient information were copied by the threat actor. Electronic medical records were not subject to unauthorized access. The file review confirmed that names were stolen in combination with one or more of the following: address, birth date, Social Security number, driver’s license number, financial account information, medical history information, diagnostic and treatment information, prescription information, physician’s name, medical record number, and health insurance information. FMRS Health Systems did not state whether ransomware was used; however, a ransomware group – Qilin – claimed responsibility for the attack.

Erie Family Health Centers Data Breach Affects 570,000 Individuals

Erie Family Health Centers, a Chicago, IL-based network of health centers providing primary medical, dental, and behavioral healthcare services to individuals regardless of their ability to pay, has experienced a major data breach affecting up to 570,000 individuals.

Suspicious activity indicative of unauthorized access was identified within its computer network on January 27, 2026. Immediate action was taken to secure its network, and third-party digital forensics experts were engaged to investigate the incident and determine the nature and scope of the activity. They confirmed that an unauthorized third party first accessed its network on December 10, 2025, and retained access until its network was secured on January 27, 2026.

The exposed files were reviewed and confirmed to contain personal and protected health information. The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: address, phone number, email address, date of birth, Social Security number, driver’s license/state ID number, taxpayer ID number, passport number, financial account information, payment card information, online account credentials, digital signature, biometric data, medical treatment or diagnosis information, prescription information, date of service, patient ID number, encounter ID number, medical record number, Medicare/Medicaid number, provider name, patient account number, health insurance information, and/or treatment cost information.

Erie Family Health Centers has taken steps to strengthen network security to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services as a precaution against data misuse. No threat group appears to have claimed responsibility for the incident.

This is the second data breach to be announced by Erie Family Health Centers this year. Erie Family Health Centers was also affected by a data breach at its business associate, TriZetto Provider Solutions, a provider of revenue cycle management and claims clearinghouse services. That breach affected a currently undisclosed number of patients of Erie Family Health Centers.

Data Breaches Announced by Elara Caring; Excelas; Pulpdent Corp.

Elara Caring has confirmed that thousands of its patients were affected by the cyberattack on vendor Doctor Alliance. Data breaches have also been announced by the medical record organization and analysis SaaS company Excelas, and Pulpdent, a dental research and manufacturing company.

Elara Caring

Elara Caring, a nationwide provider of home-based skilled nursing care, personal care, and palliative care services, has been affected by a cyberattack involving one of its third-party vendors. On December 12, 2025, the vendor notified Elara Caring that a threat actor had accessed and downloaded files from its network. There was no unauthorized access to the Elara Caring network. The incident was confined to the vendor’s systems, which were accessed between November 4 and November 6, 2025, and again between November 14 and November 17, 2025. During those times, files containing names, addresses, dates of birth, medical records, Social Security numbers, and health insurance information were stolen.

While Elara Caring did not disclose the name of the vendor in its breach notification letters, based on the dates of unauthorized access, it was Doctor Alliance, the provider of a platform for managing and facilitating electronic physician signatures. Notification letters were mailed to the affected individuals on May 12, 2025, and the affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. Elara Caring provides services across the United States. While it is currently unclear how many individuals have been affected in total, the Texas Attorney General was informed that more than 3,300 Texas residents were affected.

Excelas

Ocelot Ventures, LLC, doing business as Excelas, a provider of medical record organization and analysis software, has identified unauthorized access to its network. A suspected intrusion was detected on or around January 28, 2026. Assisted by law enforcement and third-party cybersecurity specialists, Excelas determined that an unauthorized third party had access to certain computer systems from November 27, 2025, to December 3, 2025. During that time, a limited amount of data may have been viewed or copied.

The file review confirmed that names, dates of birth, Social Security numbers, government-issued ID numbers, diagnoses, referring/treating physician names, medications, medical record images, payment information, and health insurance information were involved. Excelas is working on implementing additional safeguards to prevent similar incidents in the future. At the time of issuing notification letters on May 12, 2026, no attempted or actual misuse of the impacted information had been detected. As a precaution, single-bureau credit monitoring and fraud protection services have been offered to the affected individuals.

Cl0p, a financially motivated threat group that engages in data theft and extortion, claimed that it had exfiltrated sensitive data from Excelas systems. The incident has been reported to regulators, although it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Pulpdent Corp.

Pulpdent Corp., a Watertown, Massachusetts-based dental research and manufacturing company, has alerted certain individuals about a cybersecurity incident it first detected on March 13, 2026. Systems were secured, and an investigation was launched into the unauthorized activity. On or around April 17, 2026, Pulpdent determined that information such as names, Social Security numbers, driver’s license numbers, and financial account information had been exposed and potentially stolen.

Notification letters started to be mailed to the affected individuals on May 8, 2026, and complimentary credit monitoring and identity theft protection services have been made available. Individuals who receive a notification letter should take advantage of those free services. The Inc Ransom ransomware group took responsibility for the attack and claimed to have exfiltrated sensitive data. The number of affected individuals has yet to be publicly disclosed.

Ransomware Groups Claim Responsibility for Attacks on 3 Healthcare Providers

Ransomware groups have claimed responsibility for attacks on Advanced Family Surgery Center in Tennessee, Orem Eye Clinic in Utah, and Belmont Aesthetic & Reconstructive Plastic Surgery in Virginia/Washington D.C.

Surgery Center of Oak Ridge (Advanced Family Surgery Center)

Surgery Center of Oak Ridge, LLC, doing business as Advanced Family Surgery Center in Oak Ridge, Tennessee, has notified certain patients about a network intrusion first identified on or around November 26, 2025. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that certain parts of its network were accessed by an unauthorized third party who potentially viewed or acquired files containing patient information.

The files were reviewed and found to contain names, addresses, dates of birth, dates of service, health insurance information, medical diagnosis information, medical record numbers, Medicare/Medicaid numbers, patient account numbers, prescription/treatment information, provider names, and Social Security numbers. Additional security measures have been implemented to prevent similar incidents in the future, and policies and procedures with respect to data security are being reviewed.

This appears to have been a ransomware attack with data theft. The Genesis ransomware group, a financially motivated threat group that has attacked many healthcare providers, claimed responsibility for the attack and added Advanced Family Surgery Center to its dark web data leak site. Genesis claims to have exfiltrated 100 GB of data in the attack, including files containing patient information.

Orem Eye Clinic

Orem Eye Clinic in Orem, Utah, has notified individuals and the HHS’ Office for Civil Rights about a cybersecurity incident involving unauthorized access to parts of its network that contained the protected health information of approximately 5,800 patients. No substitute breach notice has been added to the Orem Eye Clinic website at the time of publication of this article, so the exact details, such as the types of data involved and the nature of the incident, have yet to be confirmed. Individuals receiving a notification letter should be aware that a ransomware group called Nightspire claimed responsibility for the attack and added Orem Eye Clinic to its dark web data leak site. The group claims to have exfiltrated 1 terabyte of data in the attack.

Belmont Aesthetic & Reconstructive Plastic Surgery

Belmont Aesthetic & Reconstructive Plastic Surgery, a cosmetic and reconstructive surgery practice with locations in Washington, D.C., and Virginia, has reported a data breach to the HHS’ Office for Civil Rights that has affected 528 individuals. While there is currently no website notice, and no other information has been released about the data breach so far, this appears to have been a ransomware attack. The Insomnia ransomware group added Belmont Aesthetic & Reconstructive Plastic Surgery to its dark web data leak site in early March 2026 and threatened to publish the stolen data if the ransom was not paid.

Verber Dental Group Notifies Patients About January Hacking Incident

Data breaches have recently been announced by Verber Dental Group in Pennsylvania, Northwoods Surgery Center in Minnesota, Cunningham Prosthetic Care in Maine, Healthcare In Action in California, and Preakness Healthcare Center in New Jersey.

Verber Dental Group

Verber Dental Group, a Camp Hill, PA-based dental group comprising 14 dental practices, has recently notified patients of unauthorized network access that exposed patient data. Suspicious network activity was identified on January 27, 2026. The network was secured, and an investigation was launched, which revealed the threat actor had access to its network from January 26, 2026, to January 27, 2026. The investigation confirmed that patient information had been exposed, including names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, medical records, and health insurance information.

Verber Dental has not identified any misuse of patient information. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals as a precaution. At present, the incident is not shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Northwoods Surgery Center

Northwoods Surgery Center in Virginia, MN, identified unauthorized activity within its computer network on or around September 8, 2025. Its network was secured, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized network access over a two-month period between July 11, 2025, and September 8, 2025. The compromised parts of the network were reviewed, and it was confirmed that files containing patient information had been exposed and may have been accessed or acquired by the threat actor.

In total, 5,385 individuals were affected. Data potentially compromised in the incident included names, addresses, dates of birth, health insurance information, patient medical record numbers, doctor’s name, practice type, medical date of service, medication information, diagnosis and treatment information, and medical claims or billing information. While patient data was exposed, Northwoods Surgery Center has not identified any actual or attempted misuse of patient information. Notification letters are now being mailed, and complimentary credit monitoring services have been made available.

Cunningham Prosthetic Care

Cunningham Prosthetic Care, a Saco, ME-based prosthetic and orthotic practice, has notified the HHS’ Office for Civil Rights about a data breach affecting 2,523 patients. On or around October 22, 2025, suspicious activity was identified within its email environment. An investigation was launched that confirmed unauthorized access to an employee’s email account. The account was reviewed, and on March 4, 2026, Cunningham Prosthetic Care confirmed that the account contained patient information.

Data exposed and potentially acquired included names, dates of birth, Social Security numbers, medical record numbers, driver’s license numbers, diagnostic and treatment information, and health insurance information. The types of exposed data varied from individual to individual. Notification letters were mailed to the affected individuals on May 1, 2026. The practice has implemented additional security measures to enhance data privacy and security.

Healthcare in Action

Healthcare In Action, a medical group serving the homeless population in California, has recently identified unauthorized access to an employee’s email account between January 28, 2026, and January 30, 2026. The account was compromised using stolen credentials. The unauthorized access was limited to a single email account, which has now been secured. Third-party experts were engaged to investigate and determined that the account contained the information of 1,143 individuals, including patients and other individuals.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: date of birth, email address, phone number, driver’s license/state ID number, Social Security numbers, ethnicity, housing application case number/HMIS number, health plan information, mailing/physical address, medical record number, diagnosis/condition information, date(s) of service, location(s) of service, treatment information, disability verification information, and/or medication information. For non-patients, the compromised data included names, addresses, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Preakness Healthcare Center

Preakness Healthcare Center, a Wayne, NJ-based skilled nursing facility, has recently identified unauthorized access to its computer network. Suspicious activity was first identified on March 4, 2026. The forensic investigation confirmed that an unauthorized third party had access to parts of its computer network from February 24, 2026, to March 4, 2026, during which time residents’ data may have been viewed or acquired. The exposed data included residents’ names, demographic information, and limited clinical information. The affected individuals had been admitted on or after January 1, 2019. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. At present, the number of affected individuals has not been publicly disclosed.

Atrium Health & Interim HealthCare Affected by Business Associate Data Breaches

Atrium Health Navicent and Interim HealthCare of Lubbock/Amarillo have recently announced that they have been affected by data breaches at third-party vendors.

Atrium Health Navicent

Atrium Health Navicent is the latest healthcare provider to announce that it has been affected by the January 2025 data breach at Oracle Health. Oracle Health acquired the electronic medical record company Cerner, and was due to migrate patient records from legacy Cerner servers to Oracle Health’s systems. As early as January 22, 2025, a hacker gained access to two legacy servers and exfiltrated patient data. Oracle Health detected the breach in February 2025. Many healthcare providers were affected and issued notification letters last year.

According to Atrium Health Navicent, the delay in notification is due to the complexity of the data review, which has taken many months to complete. Atrium Health Navicent said it only recently learned from Oracle Health that it had been affected, and the review of the impacted data was not completed until March 12, 2026. The data compromised in the incident was stored in a legacy Cerner system that was historically used by Atrium Health.

The compromised data related to patients who received services from Atrium Health in the greater Charlotte (NC) area prior to August 6, 2022, or from Atrium Health Navicent prior to July 3, 2021. The compromised data includes names, addresses, dates of birth, medical record numbers, provider names, diagnoses, medications, test results, images, and other information included with patient medical records. For certain individuals, Social Security numbers were also compromised.

Notification letters are now being mailed, and the affected individuals have been offered complimentary credit monitoring services for two years. Atrium Health Navicent has yet to publicly announce how many patients have been affected. An estimated 2 million people across the country are thought to have been affected by the Oracle Health data breach in total.

Interim HealthCare of Lubbock/Amarillo

Interim HealthCare of Lubbock and Interim HealthCare of Amarillo have recently notified the HHS’ Office for Civil Rights about a data breach at a third-party vendor that affected 2,071 and 666 patients respectively. The incident occurred at the healthcare technology firm Doctor Alliance. Unauthorized individuals gained access to the Doctor Alliance web portal and intermittently accessed the portal between October 31, 2025, and November 17, 2025.

Interim HealthCare of Lubbock and Interim HealthCare of Amarillo completed their reviews of the affected data on March 18, 2026, and confirmed that data potentially viewed or obtained included names, dates of birth, addresses, diagnoses, treatment plans, medications, and provider information. There has been no known misuse of patient data; however, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring services.

Mt. Spokane Pediatrics Data Breach Affects 32,000 Patients

A cyberattack on Mt. Spokane Pediatrics exposed the data of more than 32,000 patients. Data breaches have also been announced by Cornerstone Care Center in California and Michigan Medicine.

Mt. Spokane Pediatrics

Mt. Spokane Pediatrics in Washington state has started notifying 32,021 individuals about the theft of some of their personal and protected health information in a January 2026 cyberattack. According to its website breach notice, the attack occurred on or around January 1, 2026, and the threat actor was found to have exfiltrated files containing patients’ protected health information. The forensic investigation determined on April 22, 2026, that the data exfiltrated in the attack included full names, dates of birth, Social Security numbers, diagnoses, treatment information, patient numbers, medical record numbers, health plan beneficiary numbers, and dates of service.

Mt. Spokane Pediatrics said it is unaware of any actual or attempted fraud as a result of the data breach. Complimentary single-bureau credit monitoring services have been offered to the affected individuals as a precaution. The breach notice does not mention ransomware; however, a ransomware group claimed responsibility for the attack. The Lockbit5 ransomware group added Mt. Spokane Pediatrics to its dark web data leak site on January 3, 2026, and threatened to leak the stolen data in 20 days if the ransom was not paid.

Sanger Skilled Care (Cornerstone Care Center)

Sanger Skilled Care, LLC, doing business as Cornerstone Care Center, a skilled nursing and long-term care facility in Sanger, California, has issued prompt notifications about a recent security incident identified on or around April 7, 2026. According to its substitute data breach notice, unauthorized network access was identified on April 7, 2026. Steps were taken to contain the incident, and an investigation was launched to determine the nature and scope of the activity. On April 16, 2026, the investigation was completed, and it was confirmed that the breach was confined to a single account, which contained some protected health information.

The data review confirmed that the exposed data includes names, dates of birth, lab results, diagnoses, prescription and treatment information, provider names, medical record numbers, patient identification numbers, Social Security numbers, health insurance information, and dates of services. Notification letters were mailed to the affected individuals on May 1, 2026, and 12 months of complimentary credit monitoring services have been offered. At present, the number of affected individuals has not been publicly disclosed.

University of Michigan (Michigan Medicine)

The University of Michigan (Michigan Medicine) has recently announced that it has been affected by a data breach involving its electronic medical record company, Epic Systems Corporation. Michigan Medicine was one of several healthcare providers to be affected by the incident, which involved unauthorized access to patient records through a nationwide health information exchange. Third-party companies accessed patient records for reasons unrelated to patient care. Those companies had been granted access after claiming they had a legitimate need to access patient records; however, patient information was accessed for reasons unrelated to the provision of healthcare services.

Michigan Medicine was informed about the breach by Epic Systems, and its internal review determined in March 2026 that 551 individuals had been affected. The types of information viewed or obtained included names, addresses, phone numbers, email addresses, dates of birth, medical record numbers, diagnoses, medications, allergies, test results, treatment information, and health insurance information. Michigan Medicine is working with Epic and the relevant exchange and network parties to investigate the incident and is monitoring the litigation initiated by Epic Systems in response to the unauthorized access.