HIPAA Breach News

Patient Data Lost in Ransomware Attack on EHR Vendor

The electronic medical record vendor MDLand International Corporation has fallen victim to a ransomware attack that resulted in the encryption of some of its computer systems. The ransomware attack was detected on May 2, 2025, when certain systems became inaccessible. Immediate action was taken to isolate its network, and a forensic investigation was launched with the assistance of third-party cybersecurity specialists.

The forensic investigation confirmed that an unknown actor encrypted a limited number of MDLand’s systems on May 1, 2025, and may have gained access to patient information stored in one specific database on its network. There was no unauthorized access to the networks or systems of its clients, and no evidence was found to indicate any information in the impacted database was viewed or exfiltrated in the attack, although unauthorized data access and data theft could not be ruled out.

Certain data was encrypted and rendered inaccessible. Some of the impacted data was restored, but despite MDLand’s best efforts, some records could not be recovered or recreated. Those records related to the period from April 1, 2025, to May 1, 2025. Data input into patients’ medical records during that time has been lost, including patient names, treatment plan information, and providers’ notes about patients.

The impacted database includes the following data elements: name, date of birth, gender, marital status, address, phone number, and prescription information. Financial account information, Social Security numbers, and health benefits information were not involved.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 22,586 individuals. Additional security measures have been implemented, and security policies and procedures are being reviewed to identify any areas for improvement. At the time of issuing notifications, no evidence of misuse of patient data had been identified; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The post Patient Data Lost in Ransomware Attack on EHR Vendor appeared first on The HIPAA Journal.

Insider Breaches Identified by Three Healthcare Providers

Three insider incidents have recently been identified by healthcare providers in Florida, Massachusetts, and Indiana, including one privacy breach that has been ongoing for more than two and a half years.

University of Miami Health System

University of Miami Health System (UMHS) is notifying almost 3,000 patients about an insider data breach that has been ongoing for more than two and a half years. In June 2025, UMHS discovered that an employee had been accessing the medical records of patients when there was no legitimate business or clinical reason for doing so.

The review of access logs showed the unauthorized access started in September 2022 and continued until May 2025. Under HIPAA, medical records may only be accessed by employees for reasons related to treatment, payment for healthcare, and healthcare operations. If unauthorized medical record access is identified, individuals face sanctions, which in this case meant termination of employment. UMHS is also collaborating with law enforcement over the incident.

The former employee did not have the necessary access rights to view financial information or Social Security numbers, but was able to view patient information such as names, dates of birth, medical record numbers, provider names, diagnosis/condition information, insurance information, and vaccination status. In total, the medical records of 2,928 patients were accessed over the space of more than two and a half years.

The affected individuals are being notified by Kroll and are being offered complimentary credit monitoring and identity theft protection services. UMHS is also enhancing its security measures and practices to better safeguard patient data.

Berkshire Health Systems

Berkshire Health Systems (BHS) in Massachusetts has discovered that an employee has been accessing patients’ medical records without authorization. An investigation was launched after BHS received a report about an employee potentially accessing patients’ medical records without a legitimate work reason for doing so. The privacy team immediately launched an investigation, which involved a review of access logs.

The access logs confirmed there had been unauthorized access to patient records, but no evidence was found to indicate any of the information in those records was downloaded, printed, or copied. BHS believes the employee was acting independently, with no other individuals involved. The employee was interviewed and denied disclosing any patient information to other individuals and was terminated for the HIPAA violation.

BHS said it has optimized its privacy monitoring software to help prevent further incidents of this nature in the future, and wrote to the affected patients on August 12, 2025, informing them about the privacy breach. The former employee only had limited access to patient data and could not view highly sensitive information such as financial information, health insurance information, or Social Security numbers. Information potentially viewed includes patient names, dates of birth, medical record numbers, diagnoses, and visit notes. BHS has not publicly disclosed how many individuals were affected, and the incident is not currently shown on the HHS’ Office for Civil Rights breach portal.

Life in Motion Family Wellness Center

Life in Motion Family Wellness Center in Evansville, Indiana, has discovered that patient data has been provided to a local physician and used to try to solicit business. The data breach occurred on July 22, 2025, and involved an individual who had previously rented office space in the center. That individual obtained a list of patient names, addresses, telephone numbers, and dates of birth, which she provided to the physician for marketing purposes.

The HHS’ Office for Civil Rights has been notified, law enforcement has been informed, and individual notification letters have been sent to the affected patients. Steps have also been taken to prevent similar incidents in the future, including reviewing system access and adding new layers of protection.


Large Vision Care Provider Announced Breach of Patient Data

Data breaches have been announced by CEI Vision Partners, MedicareCompareUSA, Academic Urology & Urogynecology of Arizona, and the Friesen Group.

CEI Vision Partners

CEI Vision Partners (CVP), a network of more than 300 ophthalmologists and 700 optometrists across the United States (now part of EyeCare Partners), has disclosed a 2024 data breach to several state attorneys general. According to the notifications, CVP identified unauthorized access to its computer network on May 26, 2024. The forensic investigation confirmed that a threat actor had access to its network between May 24, 2024, and May 27, 2024, and potentially obtained files containing patient information.

The extensive review and data validation process was completed on June 10, 2025. CVP determined that information potentially compromised in the cyberattack included names, birth dates, Social Security numbers, financial account information, health insurance information, and limited clinical information. Notification letters are being mailed to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. CVP has also confirmed that it is enhancing its technical security measures to prevent similar incidents in the future. There is currently no data breach listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

MedicareCompareUSA

MedicareCompareUSA, the nation’s largest provider-controlled Medicare insurance agency and a business associate of several HIPAA-covered health insurers, issued notification letters in May 2025 about a security incident involving unauthorized access to employee email accounts. Suspicious activity was identified within its email system in November 2024. A forensic investigation was initiated to determine the nature and scope of the unauthorized activity, and it was confirmed that certain email accounts were accessed by an unauthorized third party between November 5, 2024, and November 21, 2024.

The accounts were reviewed and found to contain names, birth dates, Social Security numbers, driver’s license/state identification numbers, financial account information, health insurance information, Medicare information, and individual taxpayer identification numbers. The breach also involved the data of Humana members, including names, dates of birth, health insurance policy numbers, Medicare numbers, and Social Security numbers.

Complimentary credit monitoring services have been offered to the affected individuals, additional email security measures have been implemented, and further email security training has been provided to the workforce. The Washington attorney general was informed that MedicareCompareUSA is issuing notification letters to 822 Humana members in Washington state who have been affected. The HHS’ Office for Civil Rights was informed that 5,782 individuals were affected in total.

Friesen Group

Friesen Group, a California-based provider of business support services to healthcare companies, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 500 individuals. The 500 figure is a commonly used placeholder when the number of affected individuals has not been confirmed by the HIPAA breach reporting deadline.

According to its website notice, a data security incident was identified by The Friesen Group on or around May 19, 2025. Its incident response protocols were initiated, and an investigation was launched to determine the nature and scope of the unauthorized activity. While the investigation is ongoing, Friesen Group says the unauthorized access was only for “a limited period of time.” It is not yet possible to determine the number of individuals affected or the types of data involved.

No misuse of data has been identified so far, but as a precaution, the affected individuals have been advised to remain vigilant against potential misuse of their information and should check their credit reports, account statements, and Explanation of Benefits statements carefully and report any suspicious activity to the appropriate entity. Friesen Group performed a reset of user passwords and has implemented new endpoint detection and monitoring tools.

Academic Urology & Urogynecology of Arizona

Academic Urology & Urogynecology of Arizona has recently confirmed that sensitive patient data may have been stolen in a recent cybersecurity incident, identified on May 22, 2025. A forensic investigation was conducted to determine the nature and scope of the unauthorized activity, and the investigation and file review are ongoing. Academic Urology has published a substitute data breach notice on its website that warns patients that the following information may have been stolen in the incident:

Full name, address, Social Security number, driver’s license number/government-issued identification number, tribal identification card, date of birth, digital signatures, passport number, taxpayer identification number/IRS-issued identity protection personal identification number, health insurance information, any information in an individual’s application and claims history, including any appeals records, diagnosis/conditions information, lab results, medications, credit card information, and potentially other types of sensitive data.

At the time of publication of the website notice, no misuse of patient data had been identified. Since the investigation is ongoing, it is currently unclear how many individuals have been affected. While ransomware was not mentioned in the breach notice, this appears to have been an attack by the Inc Ransom ransomware group, which added Academic Urology to its dark web data leak site in June 2025.


Arizona Orthopedics Practice Announces Data Breach

Data breaches have recently been reported by Integrated Orthopedics of Arizona, Glens Falls Hospital in New York, and South Coast Pediatrics in California.

Integrated Orthopedics of Arizona

Integrated Orthopedics of Arizona (IOA) in Phoenix, Arizona, has recently notified patients about a breach of its email tenant. Unauthorized activity was identified on or around April 7, 2025. Assisted by third-party cybersecurity experts, IOA confirmed unauthorized access to the email system, and some emails had been copied.

The email system was reviewed to determine the individuals affected and the types of data involved, and that process was completed on June 19, 2025. The affected individuals had either visited IOA for healthcare services or their information was provided by other healthcare providers. The breached information included some or all of the following: name, address, date of birth, medical record number, patient ID/account number, Medicare number, Medicaid number, health insurance information, diagnosis information, treatment information including date(s) and location, doctor’s name, lab or test results, and for a small subset of individuals, driver’s license number and/or Social Security number. IOA has offered the affected individuals 24 months of complimentary credit monitoring and identity theft protection services, and has taken steps to improve email security.

Glens Falls Hospital, New York

Glens Falls Hospital in New York has recently confirmed that patient data was compromised in an Oracle Health/Cerner cybersecurity incident in January this year. The data was stored on legacy servers that were awaiting migration to Oracle Cloud, when hackers gained access. The hackers may have breached the servers as early as January 22, 2025, and accessed medical records stored on those servers. The compromised information included patients’ names, Social Security numbers, medical record numbers, physicians’ names, diagnoses, medications, test results, medical images, and treatment information.

Glens Falls Hospital said it was not using Oracle Health or Cerner as its electronic health vendor at the time, having terminated that relationship on November 2, 2024, yet it was still affected by the incident. Glens Falls Hospital was provided with a list of the affected individuals on June 6, 2025, and has been working with Oracle Health to notify those individuals and provide them with 24 months of complimentary credit monitoring and identity theft protection services. There is currently no entry relating to the breach on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

South Coast Pediatrics, California

South Coast Pediatrics, a pediatric medical group with locations in Bristol, Spurgeon, and Anaheim in California, has notified 7,000 individuals about a June 2025 cyberattack that involved unauthorized access to computers containing patient information. The attack was identified on June 12, 2025, and steps were immediately taken to contain the threat, assess the impact, and restore its systems.

The forensic investigation confirmed that patient data was present on the affected computers, including name, address, date of birth, medical record number, diagnosis, and treatment codes/descriptions. Steps have been taken to enhance network security and prevent similar incidents in the future. The affected patients have been advised to remain vigilant against instances of identity theft and fraud.


Data Breaches Announced by Langdon & Company; Michigan Medicine

A cyberattack has been announced by the North Carolina accountancy firm Langdon & Company, and Michigan Medicine has experienced a mailing incident that exposed patient information.

Langdon & Company, North Carolina

Langdon & Company, LLP, a certified public accountancy firm based in Garner, North Carolina, has recently notified 46,061 individuals about a breach of some of their protected health information. Langdon & Company is a business associate of Easterseals North Carolina & Virginia, which provides services to individuals with disabilities.

Unusual network activity was identified by the accountancy firm on April 28, 2024. Cybersecurity experts were engaged to investigate and determine the nature and scope of the activity. The forensic investigation revealed unauthorized network access between April 21, 2024, and April 28, 2024, during which time files were exfiltrated from its network.

It has taken more than a year to review the affected files and issue notification letters. Langdon & Company said the delay was due to the extensive analysis required to review all the affected data. The data review was not finalized until June 3, 2025, and notification letters were mailed on or around August 1, 2025. The data involved varied from individual to individual and may have included names in combination with one or more of the following: address, birth date, Taxpayer identification number, Social Security number, financial account information, medical information, health insurance information, and/or digital signature.

The affected individuals have been offered complimentary credit monitoring and identity theft protection services, steps have been taken to improve data security, and any information that does not need to be retained for business purposes or legal reasons is being destroyed.

Michigan Medicine

Michigan Medicine has notified 1,015 patients about the exposure of a limited amount of their protected health information as a result of a mailing error. On June 27, 2025, potential participants in a research study were contacted by mail regarding the study. The requests were sent on postcards, which were not in envelopes, resulting in the exposure of protected health information to anyone who may have come into contact with the postcards. When the error was identified, the research study staff took immediate action to prevent any further postcards from being mailed.

The investigation revealed that the University of Michigan’s Institutional Review Board (IRB), which is responsible for oversight of research studies, had mistakenly approved the use of postcards for contacting study participants. The IRB is taking steps to ensure that similar incidents are prevented in the future, including improving education about protecting PHI in communication materials.

Michigan Medicine has experienced eight reportable data breaches since 2018 that have affected more than 500 individuals, including two phishing incidents last year that each affected more than 50,000 individuals. “We take patient privacy very seriously, and we regret this incident. Whenever situations like this occur, we immediately take steps to investigate,” said Jeanne Strickland, Michigan Medicine Chief Compliance Officer. “We will analyze this incident and review our safeguards and make changes if needed to protect those we care for.”


At Least 14,485 Individuals Known to be Affected by Oracle Health/Cerner Data Breach

The number of individuals affected by a data breach at Oracle Health (formerly Cerner Corporation) is becoming clearer. While the total number of affected individuals has yet to be disclosed, based on the breach notifications issued to state attorneys general, more than 14,480 individuals have been confirmed as affected, although the actual total is undoubtedly considerably larger.

While several states publish their breach notification letters, only a few disclose the number of affected individuals, such as Massachusetts, South Carolina, Texas, and Washington.  In addition to those states, California has published a breach notice from Oracle Health, but California has not stated how many individuals were affected.

| State | Affected State Residents |
| --- | --- |
| Massachusetts | 6,562 |
| Texas | 4,082 |
| South Carolina | 2,989 |
| Washington | 802 |
| California | Unknown |
| Total | At least 14,485 individuals |

Oracle Health stated previously that it is the responsibility of each affected covered entity to determine if there has been a breach that requires reporting to the HHS’ Office for Civil Rights (OCR). As such, the affected covered entity clients are likely to report the breach themselves to OCR, which makes determining the number of affected individuals difficult.

April 21, 2025: CISA issues Security Alert for Customers Affected by Oracle Data Breach

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert about the recently confirmed Oracle data breach. Oracle has confirmed that an unauthorized individual gained access to its legacy cloud environment, although limited details about the incident have been disclosed by Oracle, and the extent of the breach is currently unconfirmed. There have been reports of threat actor activity targeting Oracle customers, but the scope and impact of that activity are not yet known.

Information compromised in the incident includes credentials such as usernames, email addresses, passwords, authentication tokens, and encryption keys, and as such, the breach poses a risk to enterprise environments. CISA recommends that Oracle customers take steps to protect against unauthorized access and warns that when credential material has been embedded into scripts, applications, infrastructure templates, and automation tools, it can be hard to detect. Should action not be taken, unauthorized actors could potentially use credential material for long-term access to enterprise environments.

Breaches of credential material carry a risk, as threat actors frequently harvest and weaponize credentials. The stolen data can be enriched with information obtained in prior breaches, the information could be sold to other threat actors, and could be used to conduct BEC attacks or phishing campaigns. Valid credentials could be used to escalate privileges and move laterally within networks, or access cloud and identity management systems.

The suggested mitigations include resetting passwords across enterprise servers, especially in cases where local credentials may not be federated through enterprise identity solutions. Source code should be reviewed, along with infrastructure as code templates, configuration files, and automation templates, to identify embedded credentials, which should be replaced with secure authentication methods. Authentication logs should be monitored for anomalous activity, especially for privileged, service, or federated identity accounts, and if possible, phishing-resistant multifactor authentication should be implemented and enforced, especially for administrator accounts.
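The review for embedded credentials described above can be started with a simple pattern scan. The following is an added example, not code from CISA, Oracle, or The HIPAA Journal; the rule names, the regular expressions, the file suffix list, and the sample files are all assumptions constructed for illustration, and the rules are heuristics that will need tuning for a real code base.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Variable names that commonly hold credential material (assumed list, extend as needed).
SECRET_NAME = r"(?:pass(?:word|wd)?|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)"

RULES = {
    # name = literal / name: literal in scripts, IaC templates and config files
    "assigned-literal": re.compile(
        r"(?i)\b([\w.-]*" + SECRET_NAME + r"[\w.-]*)\s*[:=]\s*[\"']?([^\s\"'#,]+)"
    ),
    # user:password embedded in a connection URL
    "url-userinfo": re.compile(r"\b[a-z][a-z0-9+.-]*://([^\s/:@]+):([^\s/@]+)@"),
    # PEM private key pasted into a file
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# Values that point at a variable or secret store are the desired end state, not a finding.
REFERENCE = re.compile(
    r"^(?:\$\{?[\w.]+\}?|\$\(.*|var\.[\w.]+|data\.[\w.]+|\{\{.*|<.*>|null|none|true|false)$",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    name: str     # variable or user name the value was attached to
    preview: str  # redacted value, safe to paste into a ticket


def _redact(value):
    """Keep two characters so the owner can recognise the value, hide the rest."""
    return value[:2] + "******" if value else ""


def scan_text(path, text):
    """Return a Finding for every line of text that appears to embed a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                name, value = (m.groups() + ("", ""))[:2]
                if value and REFERENCE.match(value):
                    continue  # e.g. var.db_password or $(vault ...): already externalised
                findings.append(Finding(path, lineno, rule, name, _redact(value)))
    return findings


def scan_tree(root, suffixes=(".sh", ".tf", ".yml", ".yaml", ".json", ".env", ".py", ".pem")):
    """Scan every file under root whose suffix is in suffixes."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            findings += scan_text(str(p), p.read_text(errors="ignore"))
    return findings


# Constructed sample files: every credential-looking value below is fake.
SAMPLE_FILES = {
    "deploy/backup.sh": (
        "export DB_PASSWORD=constructed-pw-0001\n"
        "export API_TOKEN=$(vault kv get -field=token secret/app)\n"
    ),
    "infra/main.tf": (
        'resource "aws_db_instance" "ehr" {\n'
        '  username = "admin"\n'
        "  password = var.db_password\n"
        "}\n"
        'provider "example" {\n'
        '  secret_key = "constructed-secret-0002"\n'
        "}\n"
    ),
    "app/config.yml": (
        "database_url: postgres://app:constructed-pw-0003@db.example.internal/ehr\n"
        'smtp_password: "{{ vault_smtp_password }}"\n'
    ),
    "keys/deploy.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(constructed placeholder, no key material)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


def scan_samples():
    """Run the scanner over the constructed samples."""
    return [f for path, text in SAMPLE_FILES.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line}: {f.rule} {f.name} {f.preview}")
```

Each finding marks a value to rotate and then replace with a reference to a secret store or injected variable; lines that already use such a reference are skipped.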

Oracle has stressed that the breach involved legacy servers and there was no breach of Oracle Cloud, but has yet to issue any public advisory to help customers mitigate risk.

April 15, 2025: Oracle Confirms Hacking Incident Involving Obsolete Servers

Oracle has issued notifications to customers about a security incident widely reported in the media, confirming that Oracle Cloud was not breached. Oracle explained in its April 7, 2025, email notification to customers that “Oracle would like to state unequivocally that the Oracle Cloud – Also known as Oracle Cloud Infrastructure or OCI – has not experienced a security breach.” Oracle also confirmed that “no OCR customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.”

There was, however, a security incident involving legacy servers. Oracle said, “A hacker did access and publish user names from two obsolete servers that were never part of OCI. The hacker did not expose usable passwords because the passwords on those two servers were either encrypted or hashed. Therefore, the hacker was not able to access any customer environments or customer data.”

According to security researcher Kevin Beaumont, the “obsolete servers” were Gen1, aka Oracle Cloud Classic, a different platform from Oracle Cloud, but they were Oracle-managed cloud services. Beaumont suggested Oracle is engaging in wordplay regarding its breach notifications and questioned why two obsolete servers containing data could still be accessed. Oracle’s response relates to a claim by a threat actor – rose87168 – who is attempting to sell 6 million data records, including LDAP display names, email addresses, given names, hashed passwords, and other information.

There was also a separate incident involving Oracle Health, formerly Cerner. The Oracle Health incident involved a hacker named “Andrew” who is reportedly attempting to extort Oracle Health customers and is demanding millions of dollars in cryptocurrency to prevent the publication of stolen data.  The Federal Bureau of Investigation is investigating, but does not divulge information about ongoing investigations.

The Oracle Health security incident also involved legacy servers, in this case, older servers from the electronic health record company Cerner. Those servers had not yet been migrated to Oracle Cloud. Oracle said stolen credentials were used to access those servers on or around January 22, 2025. The security incident was identified on or around February 20, 2025. The number of individuals affected and the types of data involved have yet to be confirmed, but they are likely to include information typically found in medical records.

Another lawsuit has been filed against Oracle Health in relation to the breach. This lawsuit was filed in the U.S. District Court for the Western District of Missouri and claims a hacker stole sensitive information, including names, Social Security numbers, clinical test results, and other protected health information. The lawsuit claims Oracle Health was negligent by failing to secure servers after the $28.3 billion acquisition of Cerner in 2022.

The two named plaintiffs, Rebecca Blount and Cheryl McCulley, maintain they were not informed about the data breach by Oracle Health, and say they now face an increased and ongoing risk of identity theft and fraud and have incurred costs protecting themselves against the misuse of their data. In addition to damages, the lawsuit seeks injunctive relief, including an order from the court for Oracle Health to improve security and operate with greater transparency in the future.

Oracle Health explained in its notifications to its healthcare provider customers that it is their responsibility to determine if a breach occurred that is reportable under HIPAA, and also their responsibility to issue breach notifications to the affected individuals if they determine a reportable breach occurred.

April 3, 2025: Oracle Sued Over Healthcare Data Breach

A class action lawsuit has been filed against Oracle Corporation by a Florida resident in the U.S. District Court for the Western District of Texas over a January 2025 data breach. Oracle has yet to publicly confirm that there has been a data breach, and the incident has yet to appear on the breach portal of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), so it is currently unclear how many individuals have been affected.

The lawsuit, filed by the law firm Shamis & Gentile, names Michael Toikach as plaintiff and was filed on behalf of other similarly situated individuals who had their personal data compromised in the incident.  The plaintiff claims that his personal and health information was stored by Oracle via a healthcare provider that used Oracle’s software. The lawsuit alleges Oracle failed to implement reasonable and industry-standard data security practices to properly store, safeguard, and adequately destroy the sensitive data it received and stored for business purposes, and as a result of the data security failures, fell victim to a cyberattack and data breach. Specifically, the lawsuit claims that Oracle had inadequate network segmentation, insufficient staff cybersecurity training, and a lack of monitoring and alert systems.

That breach occurred on or around January 22, 2025, and was discovered by Oracle on February 20, 2025. The lawsuit takes issue with the lack of notifications, which under the HIPAA Breach Notification Rule should be issued without undue delay and no later than 60 days from the date the data breach was discovered. There is also a data breach notification statute in Texas, which the lawsuit claims has been violated. Akin to HIPAA, under the Texas statute, notifications must be issued without undue delay and no later than the 60th day following the discovery of a data breach.

The lawsuit claims the delay in issuing notifications, combined with the lack of transparency about the data breach, has deprived the plaintiff and class members of the information they need to mitigate risks and exposure. Since sensitive personal and health data were compromised in the incident, the plaintiff and class members claim to face an increased and ongoing risk of identity theft and fraud, with the elevated risk likely to last for years to come.

The lawsuit asserts claims of negligence, negligence per se, breach of third-party beneficiary contract, unjust enrichment, and breach of fiduciary duty and seeks a jury trial, compensatory damages, reimbursement of out-of-pocket losses, and long-term credit monitoring services. The lawsuit also seeks injunctive relief, requiring Oracle to implement a long list of security measures, including data encryption, regular penetration tests, third-party security audits, automated security monitoring, and enhancements to its security awareness training program.

March 31, 2025: Oracle Health Breach Affects Patients of Multiple U.S. Hospitals

Oracle appears to have suffered two security incidents, one of which involved data stored by Oracle Health related to the electronic health record (EHR) company Cerner. Oracle Health is a provider of health information technology to hospitals. In December 2021, Oracle announced it had reached an agreement to buy Cerner Corporation, an EHR vendor. The deal was closed in June 2022, and Cerner became Oracle Health.

Oracle Health has yet to make a public announcement about the cyberattack and data breach, but has started notifying the affected healthcare providers that their data has been compromised. Details are scant at this stage, as Oracle Health did not disclose details of the incident to the affected healthcare providers in its breach notifications. According to Bleeping Computer, which has been in touch with some of the affected healthcare provider clients, the notification letters advise that Oracle Health detected the security breach on February 20, 2025, and the forensic investigation confirmed that the breach occurred on or after January 22, 2025. Oracle Health said an unknown threat actor accessed a legacy server using stolen credentials and exfiltrated data.

The types of data involved are unclear but appear to include data contained in electronic health records, which would make it a reportable breach under the Health Insurance Portability and Accountability Act (HIPAA). Oracle Health has reportedly told the affected providers that the company will help by identifying the affected individuals and the types of data involved, will cover the cost of complimentary credit monitoring and identity theft protection services, and can provide templates for breach notification letters; however, it said it is the responsibility of each affected healthcare provider to determine if there has been a HIPAA breach and to issue notification letters to the affected individuals if that is the case.

Under the HIPAA Breach Notification Rule, in the event of a breach of unsecured protected health information, the U.S. Department of Health and Human Services must be notified about a data breach without undue delay and no later than 60 days from the date of discovery of the data breach. Individual notification letters must also be mailed within the same time frame, and if the breach affects 500 or more individuals, a notice must be provided to prominent media outlets serving the state or jurisdiction where the affected individuals reside.

When a data breach is experienced by a business associate of a HIPAA-regulated entity, the business associate must notify the affected covered entity clients without undue delay and no later than 60 days from the date of discovery of a data breach, as appears to have been the case here. It is the responsibility of the affected covered entities to ensure that notification letters are mailed to the affected individuals within 60 days, and the clock starts ticking when they receive notification from their business associate.  Each covered entity is permitted under HIPAA to delegate the responsibility of issuing notification letters to the business associate, although ultimately it is the responsibility of each affected HIPAA-covered entity to ensure those notifications are issued.

The Oracle Health notification letters were reportedly signed by Seema Verma, Executive Vice President & GM of Oracle Health; however, the letters were not sent on headed paper, and the affected customers have been told to contact Oracle Health’s Chief Information Security Office (CISO) directly over the phone, not via email. This suggests Oracle is trying to avoid any association with the breach of legacy Cerner data migration servers.

It is unclear if ransomware was used, but data was exfiltrated and is being used in extortion attempts against the affected providers. Some of those providers have reportedly received ransom demands from a threat actor called “Andrew” who claims he is not affiliated with any known ransomware group. The threat actor is threatening to leak the stolen data if payment is not made.

In what appears to be a separate incident, another individual claims to have exploited a vulnerability around a month ago and accessed an Oracle Cloud server and exfiltrated approximately 6 million records. A person using the name rose87168 said she obtained SSO authentication data and encrypted LDAP passwords, which she claims could be decrypted using information in the stolen files. The vulnerability she allegedly exploited was CVE-2021-35587 and affects Oracle Access Manager.

Representatives from several companies allegedly affected by the incident have confirmed to Bleeping Computer that the sample of stolen data contains genuine information associated with their accounts. CloudSEK researchers reviewed the data provided by rose87168 and concluded with medium confidence that it rates high in severity and involved more than 140,000 customers who use Oracle Cloud services. Oracle Cloud maintains that there was no breach of Oracle Cloud and none of the published credentials are for Oracle Cloud, but it has not provided any official explanation.

The post At Least 14,485 Individuals Known to be Affected by Oracle Health/Cerner Data Breach appeared first on The HIPAA Journal.

Data Breaches Announced by Doctors’ Memorial & Sabine County Hospitals

Data breaches have been announced by Doctors’ Memorial Hospital in Florida, Sabine County Hospital in Texas, Compass Counseling Services in Florida, and Precision Endodontics of Raleigh in North Carolina.

Doctors’ Memorial Hospital, Florida

Doctors’ Memorial Hospital in Florida has recently confirmed that it was affected by the data breach at the debt recovery firm Nationwide Recovery Service (NRS) last year. An unauthorized third party accessed the NRS information technology network between July 5, 2024, and July 11, 2024, and copied files and folders from its systems. The review of the compromised data was completed in February 2025. Based on data breach reports submitted by the affected entities, more than 543,000 individuals were affected.

Doctors’ Memorial Hospital said it only learned about the data breach on February 7, 2024, 7 months after the attack occurred, and was informed at the time that NRS would take full responsibility for issuing notification letters to the affected individuals. NRS changed its position and refused to issue notifications. It took NRS until May 27, 2025, to provide Doctors’ Memorial Hospital with a list of the affected patients. The data has been verified, and Doctors’ Memorial Hospital is sending notification letters to the affected individuals.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals.  The total will be amended when all notifications have been issued. Doctors’ Memorial Hospital said the data compromised in the incident included names, dates of birth, financial account numbers, Social Security numbers, and medical information.

Sabine County Hospital, Texas

Sabine County Hospital (SCH) in Hemphill, Texas, has identified unauthorized access to an employee’s email account.  The incident was detected on February 12, 2025, and access to the account was immediately blocked. An investigation was launched to determine the nature and scope of the incident, and the account was reviewed to determine if it contained any patient information.

The account audit was time-consuming and has only recently been completed. The review confirmed that patient information contained in internal logs and reports may have been viewed or obtained. For most of the affected patients, the information compromised in the incident was limited to name, date(s) of service, and the service(s) received. For some patients, more detailed demographic information was involved, such as address, date of birth, and gender, along with clinical information such as symptoms and diagnosis. For a small subset of the affected individuals, more detailed clinical information was involved, such as test results, treatment information, financial information, Social Security number, Medicare number, insurance information, and payment information.

While information was exposed, the primary purpose of the attack was to obtain payment of a fraudulent invoice that was sent from the account to the hospital. “Phishing incidents, like the one that occurred at SCH, are becoming increasingly common, and more sophisticated,” said SCH spokesperson Kaylee McDaniels. “We are very sorry this occurred and will continue to educate our staff about the dangers, and steps they should take to avoid becoming a victim.”

Compass Counseling Services, Florida

Compass Counseling Services, in Orlando, Florida, has recently announced a hacking incident that was detected on November 20, 2024. The intrusion was rapidly contained, and an investigation was launched to determine the nature and scope of the unauthorized activity. Following an extensive forensic investigation, Compass discovered on February 2, 2025, that there had been unauthorized access to files containing patient information between November 19, 2024, and November 21, 2024.

The file review has recently been completed and confirmed that the compromised data included first and last names, birth dates, financial account numbers, routing numbers, Social Security numbers, digital signatures, account access credentials, driver’s license numbers and/or other governmental identification numbers, Medicare/Medicaid numbers, medical histories, patient numbers, provider names and locations, medical diagnosis information, medical treatment information, and other health insurance information. Compass said it is reviewing its practices and internal controls to enhance the security and privacy of patient information.

Precision Endodontics of Raleigh, North Carolina

Precision Endodontics of Raleigh in North Carolina has recently notified 4,022 current and former patients about a phishing-related data breach.  On June 10, 2025, Precision Endodontics identified unauthorized access to its email account. An investigation was launched, which revealed the account had been used to send phishing emails to a portion of its contact list.

The compromised email account was reviewed and found to contain patients’ first and last names and email addresses; however, no misuse of that information has been identified. Precision Endodontics has implemented additional safeguards to improve data security and its web server infrastructure and will take further actions to reduce the risk of similar breaches in the future.

Data Breaches Announced by Three Oral Healthcare Practices

Data breaches have been announced by the Washington dental practice 32 Pearls, West Texas Oral Facial Surgery, and the Indiana dental and general healthcare services provider Mid America Health.

32 Pearls, Washington

Dr. Michael Bilikas and Associates, doing business as 32 Pearls, a dental practice with locations in Seattle and Tacoma in Washington state, has recently disclosed a security incident that was detected on May 22, 2025. Ransomware was used to encrypt files on its systems, and third-party cybersecurity experts were engaged to determine the scope of the incident.  They concluded that the ransomware actor had access to certain systems between May 19, 2025, and May 22, 2025, and may have viewed or acquired files containing patient data.

The file review has recently been completed, and notifications are being sent to 23,517 current and former patients, who have been offered complimentary credit monitoring and identity theft protection services. Information exposed in the incident included full names, addresses, driver’s license numbers, Social Security numbers, and medical information. At the time of issuing notifications, the practice was unaware of any misuse of patient information as a result of the incident. Internal processes are being reviewed, and security measures have been enhanced to prevent similar incidents in the future.

West Texas Oral Facial Surgery

West Texas Oral Facial Surgery in Lubbock, Texas, has notified 11,151 patients about a security incident in which some of their protected health information may have been compromised. The practice experienced network disruption on May 29, 2025, and engaged third-party cybersecurity experts to investigate and determine the nature and scope of any unauthorized activity.

The investigation confirmed that there had been unauthorized access to its network, and patient data may have been compromised. The substitute breach notice does not state when the unauthorized access occurred. The file review was completed on July 18, 2025, and confirmed that the exposed data included first and last names, imaging files, which in some cases included birth dates, and the reason given for seeking treatment. The electronic medical record system was not accessed, and Social Security numbers and financial information were not involved. Cybersecurity experts are conducting a review of systems, security, and practices, and measures will be taken to improve security. The Inc Ransom ransomware group claimed responsibility for the attack and added West Texas Oral Facial Surgery to its data leak site on June 18, 2025.

Mid America Health, Indiana

Mid America Health, a Greenwood, IN-based provider of dental and general healthcare services to state and federal government agencies, has notified the Massachusetts Attorney General about a data incident that involved unauthorized access to personal information. The notification provides no information about the nature of the data incident, such as when it occurred, or what happened, only stating that the breached information included first and last names, Social Security numbers, and financial account information, and that the affected individuals have been offered complimentary credit monitoring services for 24 months.

Individual notification letters were mailed to the affected individuals on July 31, 2025. There is currently no listing on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Cencora & The Lash Group Settle Data Breach Litigation for $40 Million

Cencora & The Lash Group have agreed to pay $40 million to settle class action data breach litigation over a February 2024 data breach that affected more than 1.43 million individuals.

Cencora, Inc., formerly AmerisourceBergen, is an American drug wholesale company and a contract research organization, and The Lash Group is a pharmaceutical solutions organization. Cencora disclosed the data breach in a February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC), stating that on February 21, 2024, the company learned that data had been exfiltrated from its information systems.

On July 31, 2024, an updated SEC filing confirmed that more data had been stolen than initially thought. At least 27 pharmaceutical companies were affected, and the stolen personal and protected health information included names, addresses, dates of birth, Social Security Numbers, health and insurance information, financial information, transactional information, consumer profile information, racial/ethnic identity, political opinions, sexual orientation/identity, criminal history, IP addresses, other electronic identifiers, biometric information, genetic information, trade union membership information, and driver’s license and passport information.

Since the breach has been reported separately by several different entities, the total number of affected individuals is not known. TechCrunch tracked breach reports submitted to state Attorneys General and reports that at least 1.43 million individuals have been notified that their data was compromised in the February security incident. Only a few states publish breach report data that includes the number of affected individuals, so the total is likely to be significantly higher than 1.43 million.

Several class action lawsuits were filed against Cencora, the Lash Group, and the affected pharmaceutical firms (see the list below). The lawsuits were consolidated in a single action – Anaya et al. v. Cencora, Inc., et al. – in the U.S. District Court for the Eastern District of Pennsylvania. The defendants were alleged to have been negligent by failing to implement reasonable and appropriate safeguards to protect sensitive data, and as a result of that negligence, sensitive data was stolen.

The defendants chose to settle the lawsuit with no admission of wrongdoing or liability and will establish a $40 million settlement fund to cover attorneys’ fees (up to $13,333,333.33), attorneys’ expenses (up to $300,000), service awards to the 28 class representatives (total $42,000), and settlement administration costs (yet to be determined).

The remainder of the settlement fund will be used to pay benefits to class members. Class members may choose to submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses fairly traceable to the data breach, which were incurred on or after September 1, 2023. Claims have been capped at $5,000 per class member, and the total loss payments are capped at $5,000,000. If that total is exceeded, claims will be paid pro rata. Alternatively, class members may claim a cash fund payment, the value of which will depend on the number of valid claims received.

The dates for exclusion from and objection to the settlement will be 150 days from the date the settlement receives preliminary approval from the court. The deadline for submitting a claim will be 180 days from the date of preliminary approval, and the final approval hearing will be scheduled for 230 days after the preliminary approval date. Claims will be paid between 306 and 311 days after the preliminary approval date. Further information can be found on the settlement website, which is not yet live – cencoraincidentsettlement.com

August 2, 2024: Cencora: Additional Data Exfiltrated in February 2024 Cyberattack

On July 31, 2024, in an updated filing with the Securities and Exchange Commission (SEC), the pharmaceutical firm Cencora explained that more data was exfiltrated from its network in its February 2024 cyberattack than was initially thought, including personally identifiable information (PII) and protected health information (PHI). The majority of the additional data was maintained by one of its subsidiaries that provides patient support services.

The review of the exfiltrated data is still ongoing, and notifications will be issued to the affected individuals in due course. Cencora did not state how many individuals have been affected, the name of the subsidiary company, or the types of data that were compromised in the incident.

Three HIPAA breach reports have previously been filed with the HHS Office for Civil Rights as a result of the Cencora cyberattack, two by AmerisourceBergen Specialty Group which affected 252,214 individuals and 3,102 individuals, and one by The Lash Group, which affected 15,196 individuals. Many of the affected companies have also filed breach reports with state attorneys general, as detailed in previous reporting by the HIPAA Journal (see below).

While data has been stolen, Cencora is unaware of any actual or attempted misuse of the affected data and does not believe any of the stolen data has been published online. Cencora believes the incident has been contained; however, the remediation efforts and file review are ongoing. Cencora has engaged cybersecurity experts to assist with reinforcing cybersecurity measures and strengthening cyber threat monitoring.

May 27, 2024: 2 Dozen Pharmaceutical Companies Affected by Cencora Cyberattack

Cencora, Inc. (formerly AmerisourceBergen), and its Lash Group affiliate have been affected by a cyberattack. Cencora announced the attack in a February 2024 filing with the Securities and Exchange Commission (SEC); however, at that point, the extent of the data breach had yet to be determined, although Cencora did confirm in the SEC filing that data was exfiltrated in the attack.

Cencora is a Conshohocken, PA-based company that partners with pharmaceutical firms, healthcare providers, and pharmacies and offers drug distribution, patient support and services, business analytics and technology, and other services. Around 20% of pharmaceutical products sold and distributed in the United States are handled by Cencora.

Last week, clients of Cencora and The Lash Group started notifying state Attorneys General about the data breach. The total number of affected clients has not yet been confirmed, but the breach is known to have affected at least 27 pharmaceutical and biotechnology companies and involved the theft of the personal data of hundreds of thousands of individuals. Based on the notifications sent to state Attorneys General so far, the following pharmaceutical and biotechnology companies have been affected:

  • Abbott
  • AbbVie Inc.
  • Acadia Pharmaceuticals Inc.
  • Acrotech Biopharma Inc.
  • Amgen Inc.
  • Bausch Health Companies Inc.
  • Bayer Corporation
  • Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
  • CareDx, Inc
  • Dendreon Pharmaceuticals LLC
  • Endo Pharmaceuticals Inc.
  • Genentech, Inc.
  • GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
  • Heron Therapeutics, Inc.
  • Incyte Corporation
  • Johnson & Johnson Services, Inc. & Johnson & Johnson Patient Assistance Foundation, Inc.
  • Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
  • Novartis Pharmaceuticals Corporation
  • Otsuka America Pharmaceutical, Inc.
  • Pfizer Inc.
  • Pharming Healthcare, Inc.
  • Rayner Surgical Inc.
  • Regeneron Pharmaceuticals, Inc
  • Sandoz Inc.
  • Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
  • Takeda Pharmaceuticals U.S.A., Inc.
  • Tolmar

While state Attorneys General often publish notices of data breaches, they do not always state how many individuals have been affected, so the scale of the breach is unknown at this stage. Cencora detected the cyberattack on February 21, 2024, and took immediate action to contain the attack and prevent further unauthorized access. The forensic investigation confirmed that a threat actor had exfiltrated data from its systems, including patient data provided by its clients for its patient support programs. AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said the breach involved data of a prescription supply program run by the now defunct subsidiary, Medical Initiatives Inc. AmerisourceBergen Specialty Group has filed two separate breach reports with the Office for Civil Rights affecting 252,214 and 3,102 patients. The Lash Group has reported the breach to OCR separately as affecting 15,003 individuals.

On April 10, 2024, Cencora confirmed that the stolen data included first names, last names, addresses, dates of birth, health diagnoses, and/or medications and prescriptions. Cencora’s investigation found no connection with other major healthcare cyberattacks such as the attacks on Change Healthcare and Ascension, and at the time of issuing notifications, Cencora/Lash Group said they were unaware of any actual or attempted misuse of the stolen data and had not detected any public disclosure of the stolen data. While data misuse has not been identified, the affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost. Steps have also been taken to harden defenses to prevent similar security breaches in the future. At the time of publication, no cybercriminal group appears to have claimed responsibility for the attack.
