Data breaches have been announced by the Connecticut diagnostic laboratory Precipio, Pit River Health Service in California, and Tulane University Medical Group in Louisiana.

Precipio, Inc.

Precipio, Inc., a Connecticut-based laboratory specializing in advanced hematopathology diagnostics, has discovered unauthorized access to an employee’s cloud-based storage account. Suspicious activity was identified within the email account on or around November 25, 2025, and the investigation confirmed that an unauthorized third party accessed the employee’s account from November 23, 2025, to November 25, 2025, during which time, files were copied from the account.

The affected files are currently being reviewed to determine the information involved, and that process is currently ongoing. Precipio has yet to disclose a final list of the affected data, but said that, based on its investigation so far, information compromised in the incident includes names, addresses, dates of birth, medical record numbers, clinical/treatment information, medical procedure information, medical provider names, prescription information, and health insurance information.

Since the file review has not yet concluded, the HHS’ Office for Civil Rights has been provided with an interim total of at least 501 affected individuals. The total will be updated when the file review is completed.

Pit River Health Service

Pit River Health Service, the operator of two healthcare clinics in Burney and Alturas in California, has recently announced a data breach affecting up to 1,800 individuals. An unauthorized third party hacked its systems and potentially copied data. Pit River Health Service has confirmed that no data was altered or deleted in the attack, and the Indian Health Service medical record system was not accessed.

In a website update, Pit River Health Service confirmed that some of the affected systems have been restored, although a more extensive security review has been conducted for other affected systems. As a result of the attack, some patient services have been delayed, but appointments and services are continuing. In response to the incident, security monitoring has been stepped up across all of its IT systems.

Tulane University Medical Group

A data breach has been reported to the HHS’ Office for Civil Rights by Administrators of the Tulane Educational Fund d/b/a Tulane University Medical Group. The Louisiana-based medical group experienced a ransomware attack that involved unauthorized access to the protected health information of 6,530 patients.

Tulane University Medical Group does not currently have a substitute data breach notice on its website, so it is unclear exactly what types of information were compromised in the incident. The Cl0p ransomware group claimed responsibility for the attack and added the medical group to its data leak site. Cl0p exploits vulnerabilities in mass attacks, typically vulnerabilities in file-sharing software. Sensitive data is stolen, and ransom demands are issued. Cl0p claims to have exploited a vulnerability on or around November 18, 2025.

The post Precipio; Pit River Health Service; Tulane University Medical Group Confirm Data Breaches appeared first on The HIPAA Journal.

Jefferson-Blount-St. Clair Mental Health Authority in Alabama, Cottage Hospital in New Hampshire, WindRose Health Network in Indiana, and Iroquois Memorial Hospital in Illinois have announced that patient data has been exposed in hacking incidents.

Jefferson-Blount-St. Clair Mental Health Authority, Alabama

Jefferson-Blount-St. Clair (JBS) Mental Health Authority in Alabama has notified more than 30,000 individuals that some of their personal and protected health information was exposed and potentially acquired in a ransomware attack. Suspicious activity was identified within its computer network on or around November 25, 2026. The investigation confirmed that hackers gained access to its network on November 25, 2026, and potentially viewed or acquired information relating to individuals who were patients or employees between 2011 and 2025.

The file review has recently concluded and confirmed that the exposed data included names, Social Security numbers, health insurance information, dates of birth, and medical information, which may have included diagnoses, physician information, medical record numbers, Medicare/Medicaid information, prescription/medication information, diagnostic and treatment information, and billing or claims information.

The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements. The HHS’ Office for Civil Rights breach portal indicates 30,434 individuals were affected by the incident.

Cottage Hospital, New Hampshire

Cottage Hospital, a 35-bed critical access hospital in Woodsville, New Hampshire, has detected unauthorized access to its computer network. The forensic investigation confirmed that hackers had access to a single file server on its computer network from October 14, 2025, to October 21, 2025, and on December 8, 2025, the hospital confirmed that files had been exfiltrated in the incident.  The review of the files is ongoing, although it has been confirmed that the server contained current and former employees’ names, Social Security numbers, driver’s license numbers, and potentially bank account information.

The breach notice submitted to the Maine Attorney General indicates 2,156 individuals were affected, including 83 Maine residents. The affected individuals have been offered complimentary credit monitoring, identity theft restoration, and fraud consultation services. The hospital has confirmed that it will continue to implement and evaluate enhanced safeguards and security measures to better protect sensitive data on its network.

WindRose Health Network, Indiana

WindRose Health Network, a Federally Qualified Health Center with five health centers in Indiana, has notified certain patients about a security incident identified on August 22, 2025. The security breach was detected quickly, with the unauthorized access determined to have commenced on the morning of August 22, 2025. The compromised parts of the network contained personal and protected health information, which may have been accessed or acquired.

A data review firm was engaged to determine the types of information in the exposed files and the individuals affected. That process was recently completed, and the results were assessed to determine the individuals who required notifications. Data compromised in the incident vary from individual to individual and may include names in combination with one or more of the following: contact information, date of birth, patient identification number, date(s) of service, provider name(s), diagnosis, treatment information, prescription(s), medical history, lab reports, health insurance information, and limited number government identification numbers, such as driver’s license number or Social Security number.

Third-party cybersecurity experts were engaged to investigate the incident, review security, and further secure its systems. The affected individuals have been advised to remain vigilant against identity theft and fraud. The HHS’ Office for Civil Rights breach portal indicates 691 individuals were affected by the incident

Iroquois Memorial Hospital, Illinois

Iroquois Memorial Hospital in Watseka, Illinois, has recently reported a hacking incident to the HHS’ Office for Civil Rights involving unauthorized access or theft of patients’ protected health information. A substitute breach notice has yet to be posted to the hospital’s website, so it is unclear exactly what types of data were compromised in the incident. The Pear threat group claimed responsibility for the attack.

Pear engages in data theft and extortion but does not encrypt files. The group maintains a data leak site and added Iroquois Memorial Hospital to the site on December 11, 2025. The listing is still active, which suggests the ransom was not paid. The HHS’ Office for Civil Rights breach portal indicates 621 individuals were affected by the incident

The post Jefferson-Blount-St. Clair Mental Health Authority Data Breach Affects 30,000 Patients appeared first on The HIPAA Journal.

Central States Dermatology Services (DOCS Dermatology Group) in Ohio and The Center for Neuropsychology and Learning in Michigan have identified unauthorized access to patient data.

Central States Dermatology Services, Ohio

Central States Dermatology Services, LLC, doing business as DOCS Dermatology Group (DOCS), has disclosed a security incident that was identified on November 27, 2025. Suspicious activity was identified within its network, and, assisted by third-party cybersecurity experts, DOCS determined that an unauthorized third party had access to its network from November 19, 2025, to November 27, 2025.

The data review is ongoing, so the number of affected individuals had yet to be confirmed; however, DOCS has determined that the data compromised in the incident includes names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, treatment/diagnosis information, prescription/medication information, dates of service, provider name, medical record number, patient account number, Medicare/Medicaid ID number, health insurance information, and/or medical billing/claims information. DOCS is reviewing its policies and procedures related to data security and has engaged cybersecurity experts to review its security measures and make enhancements to strengthen security. At the time of the announcement, DOCS had not identified any misuse of the affected information.

The Center for Neuropsychology and Learning, Michigan

The Center for Neuropsychology and Learning in Ann Arbor, Michigan, has discovered that a malicious cyber actor accessed a server containing the sensitive data of 3,722 of its clients. The unauthorized access was detected on November 10, 2025, and the forensic investigation confirmed that the server was accessed at some point between October 14 and October 31, 2025.

The server was analyzed and found to contain protected health information such as names, dates of birth, contact information, service type(s), and or test reports. Highly sensitive information, such as Social Security numbers, financial information, and therapy notes, was not stored on the server. The Center for Neuropsychology and Learning has confirmed that the threat has been fully mitigated, and notifications have been mailed to the affected individuals, who have been offered 12 months of complimentary credit monitoring and identity theft protection services as a precaution.

The post DOCS Dermatology Group; Center for Neuropsychology and Learning Disclose Data Breaches appeared first on The HIPAA Journal.

Data breaches have recently been announced by Central Ozarks Medical Center in Missouri, AdventHealth Daytona Beach in Florida, and the Middlesex Sheriff’s Office in Massachusetts.

Central Ozarks Medical Center, Missouri

Central Ozarks Medical Center (COMC), a Federally Qualified Health Center (FQHC) in mid-Missouri, has notified 11,818 individuals that some of their personal and protected health information was compromised in a criminal cyberattack. The substitute breach notice on the COMC website does not state when the cyberattack was detected or for how long its network was compromised, only that it was determined on or around November 10, 2025, that personally identifiable information and protected health information may have been subject to unauthorized access or acquisition.

The types of information compromised in the incident included names, dates of birth, Social Security numbers, financial account information, medical treatment information, and health insurance information. COMC has provided the affected individuals with information on steps they can take to reduce the risk of identity theft and fraud, and at least 12 months of complementary credit monitoring and identity theft protection services have been offered. COMC has confirmed that it has implemented a series of cybersecurity enhancements and will continue to augment those measures to better protect patient information.

Middlesex Sheriff’s Office, Massachusetts

The Middlesex Sheriff’s Office in Massachusetts has announced a January 2025 security breach that involved unauthorized access to individuals’ protected health information.  The Sheriff’s Office launched an investigation to determine the extent and nature of the incident, and was assisted by the Federal Bureau of Investigation, the Massachusetts State Police, the Commonwealth Fusion Center, the Executive Office of Technology Services and Security, and two cybersecurity firms.

It took until November 19, 2025, to complete the review of the exposed files, when it was confirmed that they contained names, addresses, dates of birth, diagnoses, and/or other general health information. The Sheriff’s Office said it has not identified any misuse of the exposed information. The Middlesex Sheriff’s Office has implemented additional safeguards to prevent similar breaches in the future and has advised the affected individuals to review their bank statements and insurance records for signs of misuse. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals – a commonly used placeholder figure when the total number of affected individuals has not yet been confirmed.

AdventHealth Daytona Beach, Florida

AdventHealth Daytona Beach in Florida has notified 821 individuals about the loss of paperwork containing their protected health information. The loss of documentation was identified by its outpatient laboratory on November 25, 2025. Outpatient lab orders were determined to be missing for individuals who received outpatient services between September 1 and September 14, 2025.

AdventHealth Daytona Beach said the loss occurred during a departmental relocation from the first to the second floor. Construction activities were taking place to install a new tubing system, and the planned project location was changed by the construction workers, who accessed an area containing the lab orders without first notifying the laboratory team. The paperwork was discarded by the construction workers. AdventHealth Daytona Beach said no evidence was found to indicate the lab orders were or will be misused. The lab orders contained information such as names, addresses, dates of birth, telephone numbers, email addresses, diagnosis codes, health condition(s), and health insurance policy numbers.

The post Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients appeared first on The HIPAA Journal.

Alpine Ear, Nose, and Throat in Colorado, The Phia Group in Massachusetts, and Community Health Northwest Florida have started notifying patients that their personal and health information was impermissibly accessed over a year ago.

Alpine Ear, Nose, and Throat, Colorado

Alpine Ear, Nose, and Throat in Fort Collins, Colorado, has mailed notification letters to 65,648 individuals warning them that some of their protected health information was exposed in a security incident identified by Alpine ENT on November 19, 2024. Alpine ENT engaged its managed service provider to investigate the incident, and it was confirmed that an unauthorized third party accessed and exfiltrated files containing patients’ protected health information.

Alpine ENT’s legal counsel explained in the notification letters that a substitute data breach notice was published on the Alpine ENT website on January 17, 2025, although at the time, the investigation was ongoing. The data mining and review processes were completed on October 9, 2025, and in the subsequent months, Alpine ENT worked to verify the impacted individuals and obtained up-to-date contact information. Notification letters were mailed to the affected individuals on January 30, 2026, 14 months after the breach was first identified.

The BianLian ransomware group claimed responsibility for the attack and added Alpine ENT to its data leak site in early December 2024. Data compromised in the incident included names, demographic information, dates of birth, medical information, health information, financial account information, credit card numbers, CVC, and expiration dates, and Social Security numbers. At the time of issuing notifications, Alpine ENT said it had not identified any instances of identity theft as a result of the incident; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The Phia Group, Massachusetts

The Phia Group, LLC, a Canton, Massachusetts-based provider of healthcare cost containment services to health benefit plans and their third-party administrators, has recently notified individuals about a July 2024 security incident that exposed personal and protected health information. According to The Phia Group, an intrusion was detected on July 9, 2024, and the investigation confirmed that its network had been subject to unauthorized access between July 8, 2024, and July 9, 2024. During that time, files containing sensitive data may have been acquired.

A review was conducted to identify the affected clients, the types of data involved, and the affected individuals. The affected clients were notified, and The Phia Group coordinated with them to issue notifications. Data potentially compromised in the incident included names, addresses, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, health insurance information, and medical information, including provider information, treatment information, prescriptions, and Medicare/Medicaid information. Data security has been enhanced to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Community Health Northwest Florida

On January 26, 2026, Community Health Northwest Florida (CHNF) started notifying individuals about a security incident that was identified on December 24, 2024. CHNF engaged third-party cybersecurity experts to investigate the activity, who confirmed that an unauthorized third party had accessed files on its network that contained patient information.

CHNF said it conducted a comprehensive and time-consuming review and engaged a data mining company to identify the affected individuals. It took until January 19, 2026, to obtain the full list of affected individuals, and notification letters were mailed 10 days later. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, financial account numbers, credit or debit card numbers, patient identification and medical record numbers, medical information, and health insurance information.

CHNF has updated its policies and procedures, implemented additional technical safeguards, and enhanced its security measures to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Patients Learn Their Health Data Was Compromised More Than a Year Ago appeared first on The HIPAA Journal.

Bayada Home Health Care, a New Jersey-based home healthcare provider serving 22 U.S. states, has recently announced a data breach involving a third-party vendor, Doctor Alliance. Doctor Alliance provides services that facilitate physician signatures on clients’ Home Health Certifications and Plans of Care, which involve access to patients’ protected health information.

On December 4, 2025, Doctor Alliance notified Bayada Home Health Care about a cybersecurity incident involving access and potential acquisition of client data by an unauthorized third party. According to Doctor Alliance, an unauthorized third party had access to the Doctor Alliance network between October 31 and November 6, 2025, and November 14 and 17, 2025. During that time, Home Health Certification and Plan of Care forms may have been acquired.

Bayada Home Health Care said it is not aware that any of its forms were copied; however, unauthorized data access could not be ruled out. The exposed forms contained a range of sensitive patient information, including names, dates of birth, diagnoses, medical/physical treatment information, provider information, health insurance plan information, prescription information, hospital admissions/discharges, and disability information, and for a subset of individuals, Social Security numbers.

Bayada Home Health Care said it has discontinued using Doctor Alliance as a vendor in response to the data breach. A review has been conducted of its policies and procedures relating to third-party vendors, and steps have been taken to minimize the risk of similar incidents in the future. The data breach has been reported to state attorneys general and the HHS’ Office for Civil Rights. The incident is not currently listed on the OCR data breach portal, so it is unclear how many individuals have been affected.

Marion County Public Health Department, Indiana

Marion County Public Health Department in Indiana has identified an insider incident involving unauthorized access to the protected health information of 792 clients. An employee was discovered to have accessed more than the necessary patient information to complete their job duties, including names, addresses, dates of birth, and lab test results for clients who received tests that were processed by the Marion County Public Health Department lab.

Marion County Public Health Department said it has found no evidence to suggest that any of the accessed information has been misused and stressed that no financial information was accessed by the employee. In response to the incident, further training has been provided to staff members on the HIPAA minimum necessary standard and its internal policies, and technical safeguards have been enhanced to limit access to protected health information to the minimum necessary for job duties.

The post Bayada Home Health Care Affected by Doctor Alliance Data Breach appeared first on The HIPAA Journal.

Health Care Service Corporation, doing business as Blue Cross Blue Shield of Montana (BCBSMT), is facing a probe into whether the company complied with Montana’s breach notification law following a significant data breach that impacted approximately 462,000 Montanans.

Like many health insurance providers, BCBSMT contracted with Conduent Business Services, a business associate that provides back-office administrative services to HIPAA-covered entities and government agencies. On January 13, 2025, Conduent identified unauthorized access to its network, and its forensic investigation confirmed that a threat actor had access to its network for three months between October 13, 2024, and January 13, 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, health plan and medical record identifiers, diagnosis and treatment codes, provider details, and claims information. The Safepay ransomware group claimed responsibility for the attack.

Conduent disclosed the attack in a filing with the U.S. Securities and Exchange Commission (SEC) on April 9, 2025, although at the time the investigation was ongoing to determine the extent of the data breach. It has been more than a year since the attack was detected, and it is still unclear how many individuals have been affected. The Oregon Attorney General was notified that around 10.5 million individuals had been affected nationwide, and subsequently, the Texas Attorney General was informed that 14.7 million Texas residents had been affected.

In January 2025, BCBSMT was notified by Conduent that it was one of the affected clients; however, BCBSMT did not notify the affected individuals until October 2025 – a year after Conduent’s systems were first breached and 9 months after it first learned that it had been affected. State regulators launched a probe to determine if BCBSMT was compliant with state data breach notification law, which requires notifications to be issued without unreasonable delay. State regulators also seek to establish the circumstances surrounding the data breach.

The Montana Office of the Commissioner of Securities and Insurance (CSI) scheduled a public administrative hearing on January 22, 2026, to gather evidence about the breach, establish a timeline of events, and determine how BCBSMT responded to the incident. BCBSMT sought a temporary restraining order from the Lewis and Clark County District Court to prevent the hearing from taking place; however, the court denied the request.

“It is troubling that it appears [BCBS] attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts,” said Montana CSI communications director Tyler Newcombe. “Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. Our office will consider all the evidence and then issue a final order in due course.”

A Hearing Examiner will review the record from the hearing and will propose a decision for the Commissioner to consider. The Commissioner will publish further information about the timeline of events to ensure transparency over the lengthy delay in issuing breach notifications.

The post Blue Cross Blue Shield of Montana Faces Data Breach Probe appeared first on The HIPAA Journal.