HIPAA Breach News

Sedgebrook & Heartland Health Center Hit with Ransomware Attacks

Posted by Steve Alder

Ransomware attacks have recently been announced by the Illinois retirement village and skilled nursing provider Sedgebrook, and the Nebraska healthcare provider Heartland Health Center.

Sedgebrook

Sedgebrook, a retirement village and skilled nursing facility in Lincolnshire, Illinois, has recently announced a ransomware attack that involved unauthorized access to files containing individuals’ personal and protected health information. The attack was detected on May 5, 2025, when network disruption was experienced. Assisted by third-party digital forensics experts, Sedgebrook determined that a ransomware group had access to its network from May 4 to May 5, 2025, and used ransomware to encrypt files. During that time, data may have been exfiltrated from its network.

The exposed files were reviewed, and on August 26, 2025, it was confirmed that some of those files contained protected health information, including names, addresses, birth dates, Social Security numbers, driver’s license numbers, financial account information, medical treatment information, medical record numbers, and health insurance information. Notification letters started to be mailed to the affected individuals on October 24, 2025.

While no evidence was found to indicate any misuse of the exposed information, individuals whose Social Security numbers or driver’s license numbers were exposed have been offered complimentary credit monitoring and identity theft protection services. Steps have also been taken to improve security to prevent similar incidents in the future. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Heartland Health Center

Heartland Health Center, a provider of medical, dental, and behavioral health services at clinics in Ravenna and Hastings in Nebraska, has recently disclosed a security breach that was first identified on February 4, 2025. An investigation was launched, with assistance provided by third-party cybersecurity experts, to determine if any sensitive data had been exposed. Following an exhaustive review, Heartland Health Center determined on June 3, 2025, that sensitive data had been exposed and may have been acquired in the attack.

The types of information involved vary from individual to individual and may have include names plus one or more of the following: date of birth, Social Security number, driver license number, financial account number, username and access information for a non-financial account, dates of service, diagnosis information, health insurance information, physician/medical facility information, medical condition/treatment information, medical record number, Medicare or Medicaid number, patient account number, certificate or license number, full face photo, and referral information.

Heartland Health Center said it already had robust cybersecurity measures in place, and they will continue to be reviewed and enhanced as necessary. As a precaution against misuse of patient information, the affected individuals have been offered complimentary single-bureau credit monitoring, credit score, and credit report services. While not described as a ransomware attack, the Medusa ransomware group claimed responsibility for the incident. Medusa is known to exfiltrate and either sell or publish the stolen data, so the affected individuals should ensure that they take advantage of the credit monitoring services on offer. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

The post Sedgebrook & Heartland Health Center Hit with Ransomware Attacks appeared first on The HIPAA Journal.

Conduent Anticipates Data Breach Cost to Rise to $50M by Q1, 2026

Posted by Steve Alder

In its first-quarter earnings report, Conduent said it did not experience any material impacts to its operating environment or costs from the January 2025 cyberattack itself; however, it did incur $25 million in non-recurring expenses from direct response costs. Those losses have continued to increase, with a further $9 million added to that total for breach notifications through the end of September, according to its third-quarter earnings report.

Conduent also anticipates incurring a further $16 million in costs related to breach notifications by the first quarter of 2026, but said it holds a cyber insurance policy and anticipates that any additional notification costs will be covered by the insurance policy.

Further costs may be incurred due to the impacted data, reputational harm, litigation, and regulatory actions, which could impact the company’s financial position. As reported below, several lawsuits have already been filed in response to the data breach, and Conduent is certain to be investigated by the HHS’ Office for Civil Rights and state attorneys general. Regulatory fines may be imposed if Conduent is found to have violated state or federal regulations.

November 7, 2025: Lawsuits Mount Over 10.5 Million-Record Conduent Data Breach

A data breach affecting more than 10.5 million individuals was certain to trigger a barrage of lawsuits, and litigation has been swift, with at least 9 class action lawsuits already filed in response to the Conduent data breach in New Jersey federal court. That total is certain to grow over the coming days and weeks, as many law firms have announced that they have opened investigations regarding potential class action litigation.

The lawsuits make similar claims – that Conduent was negligent by failing to adequately protect its network against unauthorized access and for its alleged failure to provide adequate notifications to the individuals affected by the data breach. The cyberattack was first detected by Conduent in January 2025, three months after hackers first gained access to its network. Conduent first announced the data breach three months later, confirming that sensitive data had been exposed and that the incident affected a substantial number of individuals.

It naturally takes time to investigate any data breach and to determine the number of individuals affected and the types of data involved; however, the lawsuits take issue with the length of that process. It has taken 10 months from when the cyberattack was first detected for the scale of the breach to become clear and for the affected individuals to be notified that their sensitive information has been compromised. Notification letters started to be sent in October 2025, one year after Conduent’s network was first accessed by unauthorized individuals.

In addition to negligence and negligence per se, the lawsuits assert claims such as breach of third-party beneficiary contract and unjust enrichment, and seek a jury trial, compensatory, statutory, and punitive damages, and injunctive relief, requiring the court to order Conduent to implement a range of security measures to ensure sensitive data is adequately protected.

The threat group behind the attack may have been the Safepay ransomware group, which added Conduent to its data leak site in January 2025, although Conduent is not currently listed on the Safepay data leak blog. That often means that a ransom has been paid or the stolen data has been sold, although ransomware groups have been known to fabricate claims.

Class action lawsuits are mounting, but Conduent is also likely to face regulatory scrutiny over the data breach. States are likely to investigate a data breach of this magnitude to determine whether appropriate cybersecurity measures had been implemented in line with state laws and the HIPAA Security Rule. Questions are likely to be asked about how the hackers were able to gain access to such a large amount of sensitive data.

Conduent will also face scrutiny from the HHS’ Office for Civil Rights, which will seek to establish whether the data breach was the result of HIPAA compliance failures. While OCR HIPAA compliance investigations often take many months or years, OCR has indicated it is prioritizing high-impact incidents, as it did with the cyberattack on Change Healthcare, which affected north of 190 million individuals. There is, at this stage, no indication that Conduent has violated any regulations at the federal or state level.

October 28, 2025: More Than 10.5 Million Patients Affected by Conduent Business Solutions Data Breach

A data breach at a business associate of several HIPAA-covered entities and government agencies has resulted in the exposure and potential theft of the protected health information of more than 10.5 million patients. The Conduent Business Solutions data breach is the largest healthcare data breach to be announced so far this year, affecting almost twice as many individuals as the second-largest data breach, which was reported earlier this year by Yale New Haven Health. It also ranks as the 8th largest healthcare data breach in history.

Conduent Business Solutions provides a range of back-office services, including printing, mailing, document processing, payment integrity services, and other support services to government agencies and healthcare organizations. It is currently unknown how many HIPAA-regulated entities have been affected by the data breach.

Blue Cross and Blue Shield of Montana recently announced that it had been affected and that notification letters are being mailed to 462,000 individuals. Blue Cross and Blue Shield of Texas has announced that approximately 310,000 UT Select and UT Care plan members have been affected. The incident is also known to have affected Humana customers and Premera Blue Cross members, although it is unclear how many. Conduent provides services to government agencies such as the Wisconsin Department of Children and Families and Oklahoma Human Services (OHS), which experienced temporary disruption to some of their services due to the outage in January, although OHS was informed that it did not have sensitive data exposed in the incident.

State regulators have been informed that 10,515,849 patients have been affected, including more than 4 million individuals in Texas. It is unclear if any non-healthcare clients had data compromised in the incident. The Conduent Business Solutions data breach was reported to the U.S. Securities and Exchange Commission (SEC) in April. In the SEC filing, Conduent explained that a threat actor gained access to a limited portion of its network IT environment and obtained the data of “a significant number” of people. The incident is not yet shown on the HHS’ Office for Civil Rights (OCR) breach portal, which has not been updated by OCR since September 24, 2025, due to the government shutdown.

The intrusion was detected on January 13, 2025. Assisted by third-party digital forensics experts, Conduent determined that initial access occurred on October 21, 2024, with the threat actor maintaining access for almost three months until Conduent secured its network on January 13, 2025. Conduent said it restored access to the affected systems within days, and in some cases, within hours, and the incident did not have any material impact on its operations.

The investigation confirmed that the threat actor exfiltrated files associated with some of its clients. Due to the complexity of the data involved, it has taken several months to complete the file review and determine the individuals affected and the types of data involved. Individual notifications are now being mailed to the affected individuals.

Information compromised in the incident varies from company to company and individual to individual, potentially involving names, dates of birth, Social Security numbers, treatment information, and claims information. Based on the notice provided to the California Attorney General, complimentary credit monitoring and identity theft protection services do not appear to have been offered.

While the total cost of the cyberattack is not yet known, Conduent said in its May 2025 first-quarter earnings report that it incurred $25 million in direct costs related to the breach response. A cyber insurance policy is held, which will cover a proportion of the cost.

This post will be updated when further information is released.

The post Conduent Anticipates Data Breach Cost to Rise to $50M by Q1, 2026 appeared first on The HIPAA Journal.

Data Breaches Announced by ModMed, LifeBridge Health & Right at Home

Posted by Steve Alder

Data breaches have been announced by the EHR provider Modernizing Medicine (ModMed), the Baltimore healthcare provider LifeBridge Health, and the home health care provider Right at Home.

Modernizing Medicine

Modernizing Medicine (ModMed), a provider of specialty-specific electronic health record software, has recently notified state attorneys general about a July 2025 security incident involving theft of data from its systems. Suspicious activity was identified on its computer servers on July 21, 2025. An investigation was launched to determine the cause of the activity, and on July 29, 2025, it was unauthorized access to its servers was confirmed between July 9, 2025, and July 10, 2025, during which time, files containing sensitive data were copied from the servers.

The files were reviewed and found to contain personal and protected health information such as full names, dates of birth, addresses, phone numbers, email addresses, Social Security numbers, medical record numbers, patient account numbers, provider and practice names, billing and diagnostic codes, prescriptions/medications, diagnosis and treatment information, bank/financial account information, driver’s license numbers/government ID cards, and health insurance information. ModMed said full medical records were not involved, and the types of information compromised vary from individual to individual.

The affected healthcare providers were notified on September 19, 2025, and notification letters started to be mailed to the affected individuals on October 17, 2025. ModMed is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were compromised in the incident, and steps have been taken to improve security to prevent similar incidents in the future. Due to the government shutdown, the HHS’ Office for Civil Rights breach portal has not been updated in a month, so it is currently unclear how many individuals have been affected.

LifeBridge Health

LifeBridge Health, a non-profit healthcare corporation serving patients in and around Baltimore, Maryland, has recently informed patients that some of their protected health information was compromised in a data breach earlier this year. The breach involved one of its vendors, Oracle Health (formerly Cerner). LifeBridge Health was one of many healthcare providers to be affected. Hackers gained access to a legacy system as early as January 22, 2025, and obtained patient information such as names, medical record numbers, Social Security numbers, physician names, diagnoses, test results, medications, medical images, and treatment information. LifeBridge Health said the breach was confined to Oracle Health servers, and its own systems were unaffected.

Oracle Health notified LifeBridge Health about the data breach in March 2025, with notifications reportedly delayed at the request of law enforcement. Oracle Health provided LifeBridge Health with a final list of the affected individuals on September 19, 2025. The data breach was announced by LifeBridge Health on October 16, when notification letters started to be mailed to the affected individuals. Two years of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. It is currently unclear how many individuals have been affected.

Right at Home

Ever Care Corporation, which does business as Right at Home, a provider of in-home care to seniors and adults with disabilities, experienced a hacking incident that likely involved the theft of sensitive patient information. Suspicious network activity was identified on September 3, 2025, and an investigation was launched to determine the cause of the activity. Right at Home confirmed that the activity was due to an unauthorized actor, who is thought to have acquired files from its network on September 3, 2025. The review of the affected files was completed on October 6, 2025. There is currently no substitute data breach notice on the Right at Home website, and the types of information involved are not shown on the notifications published on attorneys’ general websites. The exact types of information involved are detailed in the individual notification letters. Right at Home is paying for single-bureau credit monitoring, credit score, and credit report services for the affected individuals.  It is currently unclear how many individuals have been affected.

While not described by Right at Home as a ransomware attack, a ransomware group claimed responsibility for the attack. The Sinobi ransomware group, which has attacked several healthcare providers in recent months, claimed to have exfiltrated around 50 GB of data and encrypted files. Right at Home was listed on its data leak site on October 8, 2025. As such, any individual receiving a notification letter should sign up for the credit services being offered.

The post Data Breaches Announced by ModMed, LifeBridge Health & Right at Home appeared first on The HIPAA Journal.

Yale New Haven Health Agrees to $18 Million Data Breach Settlement

Posted by Steve Alder

An $18 million settlement proposed by Yale New Haven Health to resolve claims stemming from a 2025 data breach has been granted preliminary approval by a federal court judge. Yale New Haven Health is a non-profit health system that operates five acute care hospitals, including the main teaching hospital for the Yale School of Medicine, as well as a medical foundation and several outpatient facilities in Connecticut, New York, and Rhode Island. The health system employs more than 12,000 people, including 4,500 university and community physicians.

The data breach in question was reported to the HHS’ Office for Civil Rights on April 11, 2025, as involving the protected health information of up to 5,556,702 individuals. The New Haven, Connecticut-based health system identified suspicious network activity on March 8, 2025, and the breach was announced via its website three days later. Yale New Haven Health later confirmed that hackers accessed its network on March 8, 2025, and exfiltrated files containing patient information.

While its electronic medical record system was not accessed, the stolen files contained patient information, including names, addresses, telephone numbers, email addresses, dates of birth, race/ethnicity information, patient types, medical record numbers, and Social Security numbers. At more than 5.5 million affected individuals, the data breach was, and still is, the largest healthcare data breach of the year.

The cyberattack was announced quickly, reported to OCR well within the breach reporting deadline, and notification letters were issued promptly. Yale New Haven Health has also agreed to settle the resultant litigation quickly. Data breach lawsuits can take many months and even years to resolve, yet in this case, a settlement has been approved to resolve the litigation in just 7 months. The first lawsuit over the data breach was filed in March 2025, followed by 17 additional complaints, which were consolidated into a single action in June 2025 – In Re: Yale New Haven Health Services Corp. Data Breach – in the U.S. District Court for the District of Connecticut.

The plaintiffs alleged in the consolidated lawsuit that Yale New Haven Health had failed to implement reasonable and appropriate cybersecurity measures to secure the data stored on its network, and had reasonable measures been implemented, the data breach could have been prevented. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and declaratory judgment.

Yale New Haven Health denied all claims in the lawsuit and filed a motion to dismiss in July, with the plaintiffs filing their opposition in August. At the end of August, all parties attended mediation, and the material terms of a settlement were agreed upon. The details of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Yale New Haven Health has agreed to establish an $18,000,000 settlement fund to cover all costs associated with the litigation – Attorneys’ fees and expenses, service awards for the lead plaintiffs, and settlement administration costs. The remainder of the settlement fund will be used to pay benefits to the class members. The attorneys are seeking one-third of the settlement, and the service awards are likely to be $2,500 per named plaintiff.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may claim an alternative cash payment. The cash payments are anticipated to be approximately $100 per class member. The pro rata cash payments may increase or decrease depending on the number of valid claims received, and will exhaust the settlement fund. In addition to either of those benefits, class members may also claim a two-year complimentary membership to a medical data monitoring service. Yale New Haven Health has also agreed to implement security enhancements.  The final approval hearing has been scheduled for March 3, 2026.

April 24, 2025: Yale New Haven Health System Announces 5.5-Million Record Data Breach

Yale New Haven Health System has announced a data security incident that has affected more than 5.5 million individuals. The breach report to the HHS’ Office for Civil Rights indicates up to 5,556,702 individuals had their protected health information compromised in the incident, making it the largest healthcare data breach to be reported so far this year, beating the previous record of 4.7 million individuals set this month by Blue Shield of California.

Yale New Haven Health is a nonprofit health system in New Haven, Connecticut, that includes five acute-care hospitals, a medical foundation, and multiple outpatient facilities and multispecialty centers in Connecticut, New York, and Rhode Island. On March 8, 2025, anomalous activity was identified within its information technology systems. Immediate action was taken to contain the incident, and an investigation was launched to assess the nature and scope of the unauthorized activity. Yale New Haven Health announced the security incident on its website 3 days after it was detected.

Yale New Haven Health engaged the cybersecurity firm Mandiant to assist with the investigation and said the rapid response helped to ensure it was contained and prevented disruption to patient care. Yale New Haven Health has confirmed that an unauthorized third party gained access to its network on March 8, 2025, and exfiltrated files, some of which included patient information. There was no unauthorized access to its electronic medical record system, and no financial information was compromised in the incident. The types of data stolen in the cyberattack varied from individual to individual and may have included names in combination with one or more of the following: address, telephone number, email address, date of birth, race/ethnicity, patient type, medical record number, and/or Social Security number.

Yale New Haven Health said it continuously updates and enhances its systems to protect sensitive data and will continue to do so. Individual notification letters started to be mailed to the affected individuals on April 14, 2025, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were compromised.

While questions will be asked about how hackers managed to access such a vast amount of patient data, Yale New Haven Health should at least be commended for the rapid response, transparency, and prompt breach notifications, which started to be sent on April 14, 2025.

The post Yale New Haven Health Agrees to $18 Million Data Breach Settlement appeared first on The HIPAA Journal.

Florida Hospital Fires Employees for Taking Unauthorized Photographs of Sedated Patients

Posted by Steve Alder

Four employees of Baptist Health’s Jay Hospital in Florida have been terminated for allegedly taking unauthorized photographs of patients and sharing the images on the Snapchat social media platform. The privacy violations reportedly occurred in February 2025. The employees were alleged to have entered patients’ rooms late at night and photographed patients while they were sleeping or medicated without the patients’ knowledge or consent.

Personal injury attorney Joe Zarzaur was contacted by three patients who were recently notified about the privacy violations by the hospital. It is unclear why it took so long for the affected patients to be notified, or how many patients have been affected. The nature of the photographs was not disclosed to the patients. According to Zazaur, the patients were informed that the photographs were “unflattering” and “horrible.” They were not told how many photographs were taken, exactly what the photographs showed, and were not allowed to see any of the images.

One of the patients was notified about the privacy violation while they were still admitted at Jay Hospital, and another was informed when they visited an outpatient rehab facility. At least two of the affected patients are taking legal action for invasion of privacy and are being represented by Zarzaur.

“Upon learning of the allegation, we immediately conducted a preliminary investigation and notified the appropriate authorities and the patients,” explained a spokesperson for Jay Hospital. “Following the investigation, the individuals involved were terminated. We are committed to protecting the privacy, safety, and dignity of our patients. As this matter involves patient privacy and is currently under investigation, we are unable to share further details at this time.”

The sharing of protected health information (PHI) for reasons unrelated to treatment, payment, or hospital operations is not permitted by the HIPAA Privacy Rule, unless consent is obtained from the subject of the PHI.  Photographs of patients are classed as PHI, and the employees clearly violated HIPAA as well as ethical and professional standards.

The post Florida Hospital Fires Employees for Taking Unauthorized Photographs of Sedated Patients appeared first on The HIPAA Journal.

Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members

Posted by Steve Alder

Approximately 462,000 current and former customers of Blue Cross Blue Shield of Montana (BCBSMT) have been affected by a cyberattack on its New Jersey-based business associate, Conduent Business Services. Conduent Business Services provides BCBSMT with payment, document processing, and other back office services, which require access to BCBSMT members’ protected health information. On January 13, 2025, Conduent Business Services identified a security incident that caused operational disruption – terminology typically used to describe a ransomware attack.

Conduent Business Services was able to restore access to the affected systems and return to normal business operations within a few days. The investigation confirmed unauthorized access to its IT environment commencing on October 21, 2024, and lasting for almost three months. During that time, files were exfiltrated from its network. On April 9, 2025, Conduent Business Services disclosed the cyberattack in a filing with the U.S. Securities and Exchange Commission (SEC). At the time, it was unclear exactly how many individuals had been affected.

On October 8, 2025, Conduent Business Services notified the California Attorney General about the data breach, which reportedly affected approximately 4.3 million individuals. It is unclear how many of the company’s clients were affected by the breach, and if the breach affected any other HIPAA-covered entity clients. The breach is not currently listed on the HHS’ Office for Civil Rights website.

BCBSMT notified the Montana State Auditor’s Office about the data breach in early October, almost one year after the breach was first detected by its business associate. BCBSMT claims to have been notified that it was affected earlier this year and has been conducting its own investigation and reviewing the affected data. The review was not completed until September 23, 2025. The BCBSMT data breach is not listed on the OCR breach portal, although the breach portal has not been updated by OCR since September 24, 2025, due to the government shutdown. The Montana State News Bureau learned about the data breach after submitting a records request. The obtained documents indicate that up to 462,000 Montanans have been affected, and that the compromised information included names, birth dates, Social Security numbers, treatment and diagnosis codes, provider names, and claims amounts.

The Montana Commissioner of Securities and Insurance has launched an investigation to determine if there has been a violation of state data breach notification laws, which require individuals to be notified about a data breach in a timely manner. Breached entities must also notify the Department of Justice about a data breach without unreasonable delay, but there is currently no listing on the DOJ consumer protection website about the data breach. The state auditor is seeking answers to questions about the data breach and has requested a copy of its privacy and security policies. Should BCBSMT be determined to have failed to comply with state laws, financial penalties may be imposed.

The post Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members appeared first on The HIPAA Journal.

September 2025 Healthcare Data Breach Report

Posted by Steve Alder

While the figures in our September 2025 data breach report look encouraging, there is a major caveat. Due to the government shutdown, the HHS’ Office for Civil Rights (OCR) has largely stopped adding data breaches to its data breach portal.  The figures for September are therefore likely to increase considerably when the furlough comes to an end, staff return to work, and the backlog of data breach reports is addressed. While we do not generally update our monthly breach reports after publication, we will revise the figures and re-publish this report when the government shutdown comes to an end.

September 2025 Healthcare Data Breach Report

As of October 22, 2025, OCR has added 26 data breaches affecting 500 or more individuals to its data breach portal – the lowest monthly total since December 2018.  While data breaches are down 56% from August’s 64 data breaches, there are likely to be several more breaches added to that total. That said, there has been a downward trend in healthcare data breaches since April, and the year-to-date total from January 1 to September 30 is 469 data breaches, compared to 554 data breaches in the corresponding period in 2024. Even accounting for missing breach reports due to the government shutdown, data breaches are down considerably from last year.

Healthcare data breaches in the past 12 months

Across the 26 September data breaches on the OCR data breach portal, the protected health information of at least 1,294,769 individuals was exposed or impermissibly disclosed, marking the third consecutive month with a fall in the number of affected individuals, and currently down 65.9% from August. That number could increase considerably, but currently, for the year-to-date, 42,216,193 individuals have had their protected health information exposed or impermissibly disclosed. While this year’s total is higher than in the whole of 2019 and 2020, the number of affected individuals is down 85% compared to last year and 75% compared to 2023.

Individuals affected by healthcare data breaches in the past 12 months.

The Biggest Healthcare Data Breaches Announced in September

Currently, 42% of the month’s breaches (11 incidents) involved the exposure or impermissible disclosure of the protected health information of 10,000 or more individuals. All but one of the 11 data breaches were hacking incidents involving unauthorized access to protected health information stored on network servers, with one incident involving a compromised email account. Goshen Medical Center was the worst-affected covered entity, with more than 456,000 patients affected by its hacking incident. One provider that stands out is Sturgis Hospital, which was investigating a cyberattack that occurred in December 2024, when another intrusion was experienced in June 2025.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Goshen Medical Center NC Healthcare Provider 456,385 Network server hacking incident
Medical Associates of Brevard, LLC FL Healthcare Provider 246,711 Network server hacking incident
Doctors Imaging Group FL Healthcare Provider 171,862 Network server hacking incident – Data theft confirmed
Retina Group of Florida FL Healthcare Provider 152,691 Network server hacking incident
Sturgis Hospital MI Health Plan 77,771 Network server hacking incident
Sturgis Hospital MI Healthcare Provider 77,771 Network server hacking incident
PGA Development, Inc. PA Healthcare Provider 23,899 Network server hacking/IT Incident
Teamsters Union 25 Health Services & Insurance Plan MA Health Plan 19,231 Network server hacking incident
Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice  (“Treasure Health ”) FL Healthcare Provider 13,234 Email account breach
People Encouraging People MD Healthcare Provider 13,083 Ransomware attack – Data theft confirmed

The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to OCR and issue notifications within 60 days of the discovery of a data breach; however, if the total number of affected individuals is not known at that point, an estimate should be provided to OCR. Many regulated entities submit a breach report using a placeholder figure of 500 or 501 affected individuals, then provide an updated total when the file review is concluded. Four data breaches were reported in September using 500 or 501 totals indicative of a placeholder. These data breaches could affect considerably more individuals than the initial breach report suggests.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach
Cookeville Regional Medical Center TN Healthcare Provider 500 Hacking/IT Incident
Hampton Regional Medical Center SC Healthcare Provider 501 Hacking/IT Incident
Coos County Family Health Services NH Healthcare Provider 501 Hacking/IT Incident
La Perouse, LLC NV Business Associate 501 Hacking/IT Incident

Causes of September 2025 Healthcare Data Breaches

Out of the 23 large healthcare data breaches added to the OCR breach portal in September, 23 (88.5%) were reported as hacking/IT incidents, involving unauthorized access to the protected health information of 1,279,139 individuals, which is 98.8% of the total individuals affected by data breaches in September. The average number of individuals affected by these incidents was 55,615 (median: 6,243 individuals).

Causes of September 2025 healthcare data breaches

The exact nature of the hacking incidents, such as whether ransomware was used to encrypt files, if a ransom demand was received, or even if data was stolen, is often not disclosed. This trend has been growing for several years and is not confined to the healthcare industry. The Identity Theft Resource Center (ITRC) has reported that this trend is evident across many industry sectors.

The remaining three data breaches were unauthorized/disclosure incidents, affecting 15,630 individuals. On average, 5,210 individuals were affected (median: 1,700 individuals). Based on the available data, no loss, theft, or improper disposal incidents were reported to OCR in September. There have been no loss/theft incidents reported since March 2025, and the last reported improper disposal incident was in May 2025.

Location of breaches protected health information in September 2025 healthcare data breaches

Where Did the Data Breaches Occur?

September 2025 healthcare data breaches by regulated entity type

September 2025: individuals affected by healthcare data breaches by regulated entity type

Geographical Distribution of Healthcare Data Breaches in September

Florida and North Carolina were the worst-affected states, with four data breaches affecting 500 or more individuals reported by entities based in those states, and both states top the list in terms of the number of affected individuals, with 584,498 and 465,721 individuals affected, respectively.

State Breaches
Florida & North Carolina 4
Michigan, Pennsylvania & Tennessee 2
Louisiana, Massachusetts, Maryland, Minnesota, Missouri, New Hampshire, Nevada, Oregon, South Carolina, Texas, Virginia, and Washington 1

The table below shows the number of individuals affected by healthcare data breaches based on the state where the regulated entity is based, not necessarily where the affected individuals reside.

State Individuals Affected
Florida 584,498
North Carolina 465,721
Michigan 155,542
Pennsylvania 26,150
Massachusetts 19,231
Maryland 13,083
Missouri 11,538
Louisiana 6,243
Minnesota 3,572
Tennessee 2,957
Oregon 1,700
Texas 1,236
Washington 1,099
Virginia 696
New Hampshire 501
Nevada 501
South Carolina 501

HIPAA Enforcement Activity in September 2025

It has been a busy year of HIPAA enforcement for OCR, with 20 enforcement actions involving settlements or civil monetary penalties announced this year, including one enforcement action in September.  OCR agreed to settle alleged violations of the HIPAA Privacy Rule and Breach Notification Rule with Cadia Healthcare facilities, which agreed to pay $182,000 to resolve the alleged violations.

Cadia Healthcare is a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware. An employee had posted success stories about its patients to its social media channel; however, it had not obtained valid HIPAA authorizations for that purpose, and therefore, the use of PHI in the stories was an impermissible disclosure of PHI. After being notified by OCR, Cadia found that 150 patients had PHI posted online without valid authorizations, deleted the posts, and shut down the success story program; however, notification letters about the HIPAA breach were not issued.  The corrective action plan requires policies and procedures to be revised, training to be provided to staff members, and notification letters to be issued.

The post September 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Oregon Eye Care Provider and New York Children’s Center Announce Hacking Incidents

Posted by Steve Alder

Cyberattacks have recently been announced by River City Eye in Oregon and Elmcrest Children’s Center in New York.

River City Eye Care

River City Eye Care, an eye care provider with locations in Portland and Happy Valley, Oregon, has started notifying patients about a recent security incident involving the theft of files containing patient information. Unusual network activity was detected on or around September 8, 2025, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed unauthorized access to its network and the exfiltration of files. The affected files were reviewed, and River City Eye Care completed the review on October 1, 2025. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: address, email address, phone number, and date of birth.  Driver’s license numbers and Social Security numbers were involved for a limited number of individuals. Notification letters started to be mailed on October 16, 2025, and steps are being taken to reduce the risk of similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The Genesis threat group claimed responsibility for the attack and has added River City Eye to its data leak site. The group claims it operates a data extraction operation (no file encryption) and says it exfiltrated 200 GB of data from company management hosts and file servers, which has been made available for download. The HIPAA Journal has not downloaded any data, so cannot verify the legitimacy of the group’s claim.

Elmcrest Children’s Center

Elmcrest Children’s Center, a Syracuse, NY-based provider of support services to children with emotional, behavioral, and developmental limitations and their families, has recently disclosed a security incident involving unauthorized access to its network. The investigation into the incident is ongoing, but it has been confirmed that its network was subject to unauthorized access between March 10, 2025, and July 24, 2025, during which time files were accessed and acquired by the threat actor.

The files are still being reviewed, but based on the initial findings, the types of information involved include names, dates of birth, and medical information. Technical and administrative policies and procedures are being reviewed and will be updated to reduce the risk of similar incidents in the future. Elmcrest Children’s Center has yet to disclose how many individuals have been affected; however, the data breach does appear to be significant. The Interlock ransomware group has claimed responsibility for the attack and says almost 450 GB of data was copied.

The post Oregon Eye Care Provider and New York Children’s Center Announce Hacking Incidents appeared first on The HIPAA Journal.

Massachusetts Hospitals Experiencing Disruption Due to Cyberattack

Posted by Steve Alder

A cyberattack has caused a network outage that has disrupted operations at two hospitals in North Central Massachusetts – the 134-bed non-profit Heywood Hospital in Gardner, and Athol Hospital, a 25-bed critical access hospital in Athol, both owned and operated by Heywood Healthcare.

The attack was detected last week, and systems were immediately taken offline to protect the network and patients. Incident response protocols were activated, a Code Black was declared, and the emergency department was closed to all patients arriving by ambulance. Ambulances were diverted to other facilities due to the inability to access certain systems. Radiology and laboratory services have also been disrupted.

The attack affected its Internet connection, email system, and phone lines, and while communications are back up and running, some issues are still being experienced. On Thursday, October 16, 2025, the hospital confirmed that the network outage was caused by a cybersecurity incident and that a third-party cybersecurity firm has been engaged to assist with the investigation and recovery. The Athena portal is online, and patients are encouraged to use the portal to communicate with the hospital and providers, and its answering service is operational if the portal cannot be accessed.

Heywood Hospital said its main priority is ensuring that care continues to be provided to patients, and has confirmed that both hospitals and Heywood Medical Group have remained open throughout and are continuing to provide care to patients. Heywood Healthcare is working with the cybersecurity experts to restore systems as quickly as possible, but no timeline has been provided for when full functionality will be restored. The exact nature of the attack, such as whether ransomware was involved, has not been disclosed. No ransomware group appears to have claimed responsibility for the attack. At such an early stage of the investigation, it is unclear to what extent, if any, patient data has been exposed or if sensitive data was stolen in the attack. Heyward Healthcare said it will provide further updates as more is learned about the incident.

Patient care is often disrupted by cyberattacks, the extent of which was recently explored in a survey conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint. The survey found that 93% of healthcare organizations in the study had experienced a cybersecurity incident in the past 12 months, and 72% had experienced a cybersecurity incident that disrupted patient care. Healthcare providers reported negative impacts such as cancelled appointments, delayed intake, longer patient stays, poorer outcomes, increased complications from medical procedures, and an increase in mortality rate following a cyberattack.

The post Massachusetts Hospitals Experiencing Disruption Due to Cyberattack appeared first on The HIPAA Journal.