HIPAA Breach News

Brockton Hospital Ransomware Attack: Downtime Procedures to Continue for Two Weeks

Brockton Hospital in Massachusetts is continuing to grapple with a cybersecurity incident that took many of its electronic systems offline on April 6, 2026, and forced the hospital to divert ambulances to alternate facilities and cancel scheduled cancer treatments. An investigation into the cyberattack is ongoing, and the hospital is working with federal and state officials. While some systems have been brought back online, the hospital is continuing to use its downtime procedures, with staff members working off paper rather than computers. A Signature Healthcare spokesperson told Boston 25 News that the hospital would continue under downtime procedures for the next two weeks.

Signature Healthcare has been providing updates on the attack and recovery, and on April 10, 2026, said care continues to be provided to patients at the hospital, although there have been some disruptions to certain patient services. Lab work and medical testing are continuing, but there may be delays, and the patient portal system remains offline. The hospital is still unable to fill new prescriptions, and cannot currently fulfil requests for medical records. Inpatient food services are continuing, although special food requests for patients with dietary restrictions cannot currently be accommodated.

The Anubis ransomware-as-a-service group claimed responsibility for the attack. Anubis engages in double extortion, stealing data and encrypting files. A ransom must be paid to prevent the release of stolen data and obtain the keys to recover encrypted files. According to SuspectFile, which was contacted by a member of the Anubis group, files were encrypted in the attack. The Anubis spokesperson told SuspectFile that only non-critical systems were encrypted, and 2TB of data was stolen in the attack, including a large volume of patient data.

Anubis is attempting to pressure Signature Healthcare into paying the ransom by adding the hospital to its data leak site, along with a countdown clock showing when the stolen data will be published. Signature Healthcare has yet to confirm the extent of data theft, which may not be known for some time. The priority continues to be patient care, remediating the attack, and bringing systems back online when it is safe to do so.

April 8, 2026: Ambulances Diverted from Brockton Hospital While Signature Healthcare Deals with Cyberattack

Signature Healthcare’s Brockton Hospital in Massachusetts is grappling with a cyberattack and has implemented its downtime procedures while the incident is investigated. Some procedures have been temporarily cancelled, and the electronic medical record system and patient portal have been taken offline.

Signature Healthcare treats around 70,000 patients a year in Southeastern Massachusetts at its 216-bed Brockton Hospital, and the 15 care locations served by Signature Medical Group. The cybersecurity incident, which impacted its information systems, was detected on April 6, 2026. The emergency room was placed on divert, with ambulances sent to alternate facilities due to the inability to access key information technology systems, although emergency services continued to be provided to walk-ins.

While the hospital continued to provide inpatient services and surgeries were proceeding without interruption, patients faced delays and some services were postponed, including chemotherapy infusions at the Greene Cancer Center, which were cancelled on April 7. Signature Healthcare partially closed its Brockton and East Bridgewater pharmacies, with consultations still taking place but prescriptions unable to be filled.

Signature Healthcare issued a statement confirming that surgeries and procedures were continuing, and that its ambulatory physician practices and urgent care facilities remained open. Without access to certain information systems, alternative methods of documentation were being used, and there were naturally some delays to patient care as a result.

Signature Healthcare said it is working with third-party cybersecurity specialists and federal officials to investigate the incident, determine the nature and scope of the unauthorized activity, and identify the source of the intrusion. “Our care teams continue to provide high-quality care using established downtime procedures. We remain committed to serving our community throughout this process,” Kim Walsh, Signature Healthcare’s chief operating officer, said.

The priority is ensuring high-quality care continues to be provided to patients while the incident is investigated. Systems will be brought back online when it is safe to do so, and as the investigation progresses, it will become clear to what extent, if any, patient data has been compromised. On April 8, when this article was posted, no threat actor had claimed responsibility for the incident; however, on Thursday, April 9, the Anubis ransomware group took credit for the attack, although no data appears to have been leaked so far.

There is usually a lag between an attack taking place and the victim being added to a data leak site, as the threat actor typically gives the victim time to make contact and negotiate payment. For a group to claim responsibility so quickly suggests that Signature Healthcare has made contact and likely made it clear that payment would not be forthcoming. Anubis claims to have exfiltrated a huge amount of data – 2 TB, including sensitive patient data.

The post Brockton Hospital Ransomware Attack: Downtime Procedures to Continue for Two Weeks appeared first on The HIPAA Journal.

ProxyCare; Oscar Health; AccentCare Announce Data Breaches

Data incidents have recently been announced by ProxyCare in Florida, Oscar Health in New York, and AccentCare in Texas.

ProxyCare, Florida

ProxyCare LLC, a Sunrise, Florida-based provider of personalized pharmacy services, has started mailing notification letters to individuals impacted by an August 2025 cybersecurity incident. The company learned on August 22, 2025, that certain computer systems within its network environment had been affected by a cybersecurity incident. Third-party cybersecurity professionals were engaged to determine the nature and scope of the incident, and whether, and to what extent, patient information had been compromised.

The investigation confirmed that patient data had been exposed, and following a comprehensive manual document review, ProxyCare determined on January 29, 2026, that files accessed or acquired by an unauthorized third party in the incident included names, dates of birth, Social Security numbers, and driver’s license numbers. Notification letters were mailed to the affected individuals on March 23, 2026, and individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services.

Based on notifications to state attorneys general, around 150 individuals in Massachusetts and New Hampshire have been affected, but it is currently unclear how many individuals have been affected in total, as the incident has yet to be added to the HHS’ Office for Civil Rights breach portal.

Oscar Health, New York

Oscar Health, Inc., a New York-based health insurance company, has recently disclosed a data privacy incident that resulted in the unauthorized disclosure of a limited amount of member information. On December 31, 2025, Oscar Health learned that member identification cards and other enrollment information related to 2026 health insurance coverage were inadvertently mailed to old and potentially incorrect member addresses.

When the error was identified, immediate action was taken to prevent similar mis-mailing incidents, and an investigation was launched to determine the scope of the event. All individuals potentially affected were identified, and notification letters have now been sent to individuals for whom correct address information could be found, warning them that their name, health insurance policy number, and health insurance plan information were potentially impermissibly disclosed.

Oscar Health confirmed that highly sensitive information such as Social Security numbers, government identification numbers, and financial information was not involved, and there has been no known misuse of the disclosed information. The data breach notice was issued individually and on behalf of its affiliated covered entities, including Oscar Health Plan, Inc., Oscar Insurance Company of Florida, and Oscar Health Plan of Georgia. The incident affected up to 91,350 individuals.

AccentCare, Texas

AccentCare, a Texas-based provider of home health, palliative, and hospice services, has been affected by a data breach at its billing service vendor, Doctor Alliance. The protected health information of 19,772 individuals was potentially compromised in the incident. Doctor Alliance determined on November 16, 2025, that an unauthorized third party had accessed a web application. The forensic investigation determined that the threat actor had access to the application between October 31, 2025, and November 16, 2025, and accessed or exfiltrated files containing patient information.

Data compromised in the incident included names, Social Security numbers, medical record numbers, Medicare numbers, diagnosis/treatment information, provider information, and medical/health information. AccentCare said there was no unauthorized access to its own systems, and no impact to the care provided to its patients. AccentCare is monitoring Doctor Alliance’s response to the incident and its continued role as a service provider.


Telehealth Giant Hims & Hers Announces Data Breach

The direct-to-consumer telehealth company Hims & Hers has experienced a data breach. In early February, an unauthorized third party gained access to its third-party customer service platform and acquired support tickets that contained personal information.

Suspicious activity was identified within the customer service platform on February 5, 2026. Hims & Hers took steps to secure the platform and launched an investigation to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had access to the platform from February 4, 2026, to February 7, 2026. During that time, certain tickets sent to the customer service team were subjected to unauthorized access or were acquired.

Hims & Hers reviewed the affected tickets and, on March 3, 2026, confirmed that they contained personal information such as names and contact information; however, customers’ medical records were not involved, and there was no unauthorized access to communications with healthcare providers on the platform. Law enforcement was notified about the incident, and individual notification letters are being mailed to the affected individuals. While the data compromised in the incident is limited, Hims & Hers is offering complimentary single-bureau credit monitoring and identity theft protection services for 12 months.

Hims & Hers has conducted a review of its policies and procedures related to privacy and security and is taking steps to prevent similar incidents in the future. While the incident has been reported to regulators, including the California Attorney General, Hims & Hers has not publicly disclosed the number of individuals affected by the incident.

The threat group behind the attack was not disclosed by Hims & Hers; however, Bleeping Computer reports that the ShinyHunters threat group was behind the attack. The attack was part of a broader campaign targeting multiple companies. The threat group compromises Okta SSO accounts to gain access to data storage environments and steals data for extortion purposes. In this case, ShinyHunters used the Okta SSO account to access the Hims & Hers Zendesk instance and stole millions of support tickets.


Nacogdoches Memorial Hospital Data Breach Affects More Than 257,000 Individuals

Nacogdoches Memorial Hospital (NMH), a 226-bed hospital in Nacogdoches, Texas, has recently announced a data security incident that was first identified on January 31, 2026. A hacker gained access to its computer network and information systems and potentially obtained files containing the personal and protected health information of up to 257,073 individuals, according to the notification sent to the Maine Attorney General.

While the data security incident was detected on January 31, 2026, the forensic investigation determined that the hacker first gained access to its network two weeks previously, on January 15, 2026. NMH explained in its notification letters that it has not detected any misuse of the impacted data and that there are no indications that there will be any data misuse.

While NMH said the hacker may have accessed or acquired patient information, with two weeks inside its network, patients should assume that their data has been compromised and should consider taking steps to prevent data misuse, such as implementing a fraud alert or security freeze with one of the three credit reporting bureaus, Equifax, TransUnion, or Experian. The notice to the Maine Attorney General states that complimentary credit monitoring and identity theft protection services are not being offered.

NMH’s investigation determined that the impacted data includes names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, medical record numbers, account numbers, health plan beneficiary numbers, and, for certain individuals, full face photograph images. In response to the cybersecurity incident, NMH has strengthened the security of its information systems and computer network to reduce the risk of similar incidents in the future and is enhancing its cyber preparedness through additional training and updates to its policies and procedures. Law enforcement has been informed, and NMH will assist with any law enforcement investigation. Notification letters were mailed to the affected individuals on March 31, 2026. As of April 1, 2026, no threat group appears to have claimed responsibility for the incident.


Data Breach Reported by Orthopedic Implant Manufacturer TriMed

TriMed, a Santa Clarita, California-based manufacturer of upper and lower orthopedic implants, has announced a data security incident involving unauthorized access to parts of its network where order forms and invoices were stored. While for the most part the exposed data only contained information related to the company’s hardware and the individuals who received it, in some cases, the documentation included personal information.

TriMed identified suspicious activity within certain systems in September 2025, prompting an investigation to determine the nature and scope of the activity. The forensic investigation determined that an unauthorized third party had access to parts of its environment between September 13, 2025, and September 21, 2025, during which time files were potentially accessed and acquired by the unauthorized third party.

TriMed manufactures hardware that is surgically implanted to repair or replace damaged joints. A programmatic and manual review of the exposed files confirmed that they contained information related to that hardware, which would have been ordered on a patient’s behalf, including part type, associated installation components such as screws, or the ordering surgeon’s name. While the affected documents do not typically include personal information, in certain cases, the documents contained names, dates of birth, and medical record numbers. The exposed documents did not contain Social Security numbers or financial information such as bank account or credit/debit card numbers.

TriMed has taken steps to augment security to prevent similar incidents in the future, including strengthening its existing security controls and threat detection practices. Further, TriMed has integrated a global security operations center and will continue to update its security measures, as appropriate, in the future. TriMed reported the incident to law enforcement, but there was no request to delay notifications to the affected individuals. The notification letters were sent as soon as possible once the affected individuals and data categories were identified. While Social Security numbers were not involved, credit monitoring and identity theft protection services have been offered for 24 months, according to the notification letter sent to the Maine Attorney General.

The Maine Attorney General was informed that two Maine residents were affected, but the data breach listing does not state how many individuals were affected in total, and the incident has yet to be added to the HHS’ Office for Civil Rights website. No known threat group appears to have claimed responsibility for the attack.


Data Breaches Announced by Corewell Health & Rocky Mountain Care

Rocky Mountain Care in Utah has announced a January 2026 data breach, and Corewell Health in Michigan has confirmed that more than 19,000 patients have been affected by a data breach at business associate Pinnacle Holdings.

Corewell Health, Michigan

Corewell Health, a non-profit Michigan health system, has recently confirmed that the protected health information of more than 19,000 of its patients has been exposed in a data breach at one of its business associates, Colorado-based Pinnacle Holdings, LTD. Pinnacle Holdings, a provider of consulting services, experienced a network disruption on November 25, 2024, that affected some of its IT systems, including systems containing the protected health information of patients of its clients.

Pinnacle Holdings said immediate action was taken to secure its systems; however, the detailed data review has taken many months to complete due to the complexity of the impacted data. The company has now confirmed that patient names, phone numbers, birth dates, Social Security numbers, driver’s license numbers, health insurance information, prescription information, and dates of service were compromised. The affected Corewell Health patients have been offered complimentary credit monitoring and identity theft protection services, and Pinnacle Holdings has implemented additional safeguards to prevent similar incidents in the future.

The data breach at Pinnacle Holdings affected several of the company’s clients, including the Chicago-based Catholic health system, CommonSpirit Health, as previously reported by The HIPAA Journal. It is currently unclear how many clients were affected in total or the number of individuals whose data was compromised in the incident.

Rocky Mountain Care, Utah

Rocky Mountain Care, a Woods Cross, Utah-based provider of skilled nursing care and home health services to seniors in Utah and Wyoming, has announced a January 2026 cybersecurity incident that involved unauthorized access to parts of its network that contained patient information. The forensic investigation determined that a hacker gained access to files on its network between January 30, 2026, and February 2, 2026. The review of the impacted data is ongoing, so the full impact of the incident has yet to be determined. Rocky Mountain Care said notification letters will be mailed to the affected individuals when the review is concluded.

While further details about the attack have not been disclosed, a threat actor has claimed responsibility for the incident. The Qilin threat group added Rocky Mountain Care to its dark web data leak site on February 23, 2026, and issued a ransom demand along with a threat to publish the stolen data if the ransom was not paid. Samples of data allegedly stolen in the attack were also added to the listing. Qilin claimed to have exfiltrated 33 GB of data in the attack and later published the stolen data, indicating the ransom was not paid.


Woodfords Family Services Data Breach Affected Almost 42,000 Individuals

Legal counsel for Woodfords Family Services has provided an updated breach notice to the Maine Attorney General, confirming that more individuals were affected by its ransomware attack than previously reported. The initial breach report submitted to the Maine Attorney General on March 27, 2026, stated that 8,073 individuals had been affected; however, a substitute notice has been issued for 33,911 individuals, with 41,984 individuals in total confirmed as affected by the data breach.

March 30, 2026: Woodfords Family Services Notifies Patients Affected by April 2024 Ransomware Attack

Westbrook, Maine-based Woodfords Family Services, a provider of services to individuals with special needs and their families, has notified the Maine Attorney General about a breach of the personal and protected health information of 8,073 individuals in a ransomware attack, including 7,701 Maine residents.

Suspicious network activity was identified on April 8, 2024. The investigation confirmed that its network had been accessed by the Medusa ransomware group. Immediate action was taken to investigate the incident and ensure the security of its systems, and the forensic investigation ended on May 30, 2024. A preliminary breach notice was issued on June 3, 2024, and a media notice was issued on June 7, 2024, to alert individuals potentially affected by the incident. Some notification letters were mailed to individuals in March 2025, although some people have only recently received notification letters.

While the incident was initially investigated internally, Woodfords Family Services determined that it was unable to identify the full scope of the incident and engaged data mining specialists on September 25, 2024, to confirm the individuals affected and the types of data involved. The initial data mining process took until October 3, 2025, to complete, then the data had to be reviewed internally. The internal review was completed on January 29, 2026, mailing addresses for the affected individuals were verified, and the last of the notification letters were mailed to the affected individuals on March 27, 2026.

Data compromised in the incident included names, Social Security numbers, driver’s license numbers, financial account information, health insurance information, and diagnosis and treatment information. The affected individuals have been offered a complimentary 12-month membership to credit monitoring and identity theft protection services.

The data breach was reported to the HHS’ Office for Civil Rights in June 2024 using a placeholder figure of at least 500 affected individuals. The total has yet to be updated, although OCR has delayed adding new breach reports to its portal. This is not the first ransomware attack to be experienced by Woodfords Family Services. An attack on June 19, 2023, involved unauthorized access to the personal information of 17,285 individuals, including the protected health information of 6,691 individuals.


Healthcare Software Company Announces Breach of its Electronic Health Record Environment

The Somerset, New Jersey-based healthcare software company CareCloud has notified the U.S. Securities and Exchange Commission (SEC) about a security incident that caused network disruption on March 16, 2026. CareCloud is a business associate of hospitals and physician practices and works with more than 45,000 providers. The company provides software solutions, including electronic health records systems, and it was its electronic health record environment that was subject to unauthorized access.

According to the SEC filing, a hacker gained access to one of its six electronic health record environments for a period of around 8 hours, partially disrupting functionality and data access. CareCloud was able to fully restore the environment on the evening of March 16, 2026. CareCloud believes that the threat actor no longer has access to its systems. Initially, the incident was reported to law enforcement, its cyber insurer was notified, and third-party cybersecurity specialists were engaged to assist with the investigation and help with securing its environment. When it became clear that this was a material incident due to the sensitivity of the data stored within the compromised environment and the potential cost of a data breach, the SEC was notified.

CareCloud believes that the incident was contained in the one CareCloud Health environment, and no other business systems were involved. The investigation to determine the nature and scope of the unauthorized activity is ongoing, including the extent to which patient data was accessed or exfiltrated, and the categories of and volume of data involved.

As of the date of the SEC filing, the incident has had no material impact on the company’s operations, and the initial assessment suggests that the incident is not reasonably likely to have a material impact on the company’s financial position or results of operations, although the impact of the incident has yet to be fully assessed. There will naturally be costs associated with remediation and response, legal, regulatory, and notification-related matters, and possible effects on patients, customers, counterparties, reputation, and operations. The company holds cyber insurance policies and believes that it has sufficient insurance coverage to cover any costs.

CareCloud has not publicly disclosed how many of its clients have been affected, nor has it provided an estimate for the number of individuals whose medical records were exposed in the incident. Notifications will be issued to the affected clients and individuals when they have been identified. At the time of publication, no cyber threat actor is known to have claimed responsibility for the attack.


Six New Healthcare Data Breaches Announced

Data breaches have been announced by New Horizons Behavioral Health in Georgia, CWA Local 1180 in New York, Coastal Carolina Health Care in North Carolina, West Texas Health, and Nephrology Associates Medical Group and Stockton Cardiology Medical Group in California.

New Horizons Behavioral Health, Georgia

The Columbus, Georgia-based community mental healthcare provider New Horizons Behavioral Health has announced a January 2026 security incident. Suspicious network activity was identified on January 18, 2026, and the forensic investigation confirmed unauthorized access to its network between January 15, 2026, and January 18, 2026. Data review specialists have been engaged to determine which individuals have been affected, and while that process is ongoing, New Horizons Behavioral Health has confirmed that the data exposed in the incident includes names, addresses, birth dates, Social Security numbers, driver’s license numbers, financial account information, diagnosis information, treatment and prescription information, provider names, treatment locations, and health insurance information.

New Horizons Behavioral Health said the affected individuals will be offered complimentary credit monitoring and identity theft protection services, and will receive notifications when the data review is concluded. While not stated in the breach notice, the Devman threat group took credit for the attack. On December 1, 2025, Devman added New Horizons Behavioral Health to its data leak site with a threat to publish 236 GB of data allegedly stolen in the attack.

Stockton Cardiology Medical Group, California

Stockton Cardiology Medical Group, an independent physician practice serving the San Joaquin Valley area of California, has started notifying patients about a recent security incident. According to the breach notice provided to the California Attorney General, suspicious emails were identified that had been sent to its employees. Stockton Cardiology deleted the emails as part of its remediation efforts; however, on January 17, 2026, Stockton Cardiology learned that files containing patient information may have been accessed or acquired.

An investigation was launched to determine the scope of the breach, and the impacted files were found to contain personally identifiable information and protected health information, including patient names, mailing addresses, email addresses, and billing records that may contain limited medical information associated with services provided. The affected individuals have been offered complimentary credit monitoring services, and steps have been taken to improve security. They include shutting down an older remote access service used by staff members, implementing multifactor authentication for internal systems, resetting all passwords, and reviewing data retention policies to minimize the data stored on its systems.

Stockton Cardiology said it learned on February 17, 2026, that some of the stolen data had been published online. That was the date that the Genesis threat group claimed responsibility for the attack. Genesis said 645 GB of data was stolen in the attack, including personal and healthcare data.

Coastal Carolina Health Care, North Carolina

Coastal Carolina Health Care (CCHC), a provider of primary and specialty care services in Craven, Pamlico, and Carteret Counties in North Carolina, has recently notified the New Hampshire Attorney General about a data breach. Unauthorized network activity was first identified on March 25, 2025, and after securing its network and investigating the incident, the healthcare provider determined that there had been unauthorized network access between March 21, 2025, and March 27, 2025. A third-party vendor was engaged to review the affected data, and almost a year later, the types of data involved have been confirmed.

Coastal Carolina Health Care said it was determined on February 26, 2026, that names and Social Security numbers were compromised in the incident, and sufficient information was obtained to effectuate individual notifications. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. Coastal Carolina Health Care said additional security measures have been implemented to prevent similar incidents in the future.

West Texas Health

West Texas Health PLLC has notified 73,720 individuals about a recent data security incident that impacted Privia Medical Groups West Texas, LLC. On or around October 3, 2025, West Texas Health discovered a security incident. With the assistance of external cybersecurity professionals, unauthorized access was confirmed between September 12, 2025, and October 3, 2025. West Texas Health said that following an extensive forensic investigation and comprehensive document review, on February 6, 2026, it was confirmed that protected health information was acquired in the incident.

The types of data involved vary from individual to individual and may include names in combination with some or all of the following: first and last names, Social Security numbers, driver’s license/state-issued identification numbers, passports, military identifications, other unique government-issued identification numbers, financial account information, financial account numbers, payment card information, taxpayer identification numbers or IRS identity protection PINs, medical histories, medical diagnosis and treatment information, health insurance policy numbers, claims histories, other health insurance information, and usernames/email addresses with passwords and security questions and answers. West Texas Health said individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Nephrology Associates Medical Group, California

Nephrology Associates Medical Group in Riverside, California, has notified the California Attorney General about a May 2025 cybersecurity incident. Suspicious activity was identified within its email system on May 20, 2025. Assisted by third-party cybersecurity professionals, Nephrology Associates confirmed that an employee’s email account had been compromised. The account was reviewed, and on December 12, 2025, the review was completed, confirming that personal information was present in the account, including names, Social Security numbers, dates of birth, medical/health information, treatment/diagnostic information, health insurance information, billing/payment information, and credentialing information.

Nephrology Associates has strengthened password requirements, is now enforcing more frequent password changes, has reduced access permissions, and is storing older data offline. The breach has been reported to the HHS’ Office for Civil Rights; however, there is now a substantial delay in adding breach data to the public-facing section of its breach portal. At present, it is unclear how many individuals have been affected.

Communications Workers of America Local 1180 Security Benefits Fund, New York

Communications Workers of America Local 1180 Security Benefits Fund (CWA Local 1180) has notified regulators about a data breach involving unauthorized access and potential acquisition of the personal and protected health information of 18,550 individuals. In a notification to the Massachusetts Attorney General, CWA Local 1180 said the forensic investigation of the incident determined that its network was breached on December 24, 2025.

The investigation determined that names and Social Security numbers were potentially compromised in the incident, although no evidence has been found to indicate that there has been any misuse of the impacted data. As a precaution against data misuse, the affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. CWA Local 1180 said that it has taken steps to harden security to prevent similar incidents in the future.
