HIPAA Breach News

North Los Angeles County Regional Center Notifies Individuals About November 2024 Ransomware Attack

North Los Angeles County Regional Center has started mailing notification letters to individuals affected by a November 2024 ransomware attack, and Midland Care Connection in Kansas has announced a March 2026 hacking incident.

North Los Angeles County Regional Center

North Los Angeles County Regional Center has started notifying individuals about a cybersecurity incident and data breach that was first identified 17 months ago on November 28, 2024. Suspicious activity was identified within its computer network, and the forensic investigation confirmed unauthorized access from November 20, 2024, to December 1, 2024.

North Los Angeles County Regional Center determined that sensitive data was exfiltrated from its systems before ransomware was used to encrypt files. The files exfiltrated from its systems included names, addresses, dates of birth, telephone numbers, Social Security numbers, passport numbers, driver’s license or other state-issued ID numbers, U.S. federal issued ID numbers, email addresses, usernames/passwords, financial account information, payment card information, health plan information, CI and patient ID numbers, medical record numbers, lab results, medications, physical and/or mental conditions, diagnosis and/or treatment information, prescription or medication information, treatment cost information, disability codes, certificate/license numbers, and certain other medical and health insurance-related information.

North Los Angeles County Regional Center said it first announced the incident on its website on January 6, 2025, to allow individuals to take steps to protect themselves against data misuse; however, it has taken time to review the affected data to allow notification letters to be issued. North Los Angeles County Regional Center said it implemented additional technical security measures shortly after the attack and is continuing to work with data security experts to further enhance the security of its systems. The Medusa ransomware group claimed responsibility for the attack, in which more than 600 gigabytes of data was allegedly stolen.

The incident is shown on the HHS’ Office for Civil Rights website as affecting 500 individuals. That is a placeholder figure, as the breach was reported to OCR on January 6, 2025, well before the investigation had concluded.  The total should be updated in the coming days, now that the data review has concluded.

Midland Care Connection

Midland Care Connection Inc., a Topeka, Kansas-based non-profit provider of patient care, hospice, and community health support services, has experienced a cybersecurity incident that may have resulted in the theft of sensitive data. Suspicious network activity was identified on March 31, 2026, and legal counsel and third-party digital forensics experts were engaged to investigate the activity. They confirmed network access by an unauthorized third party starting on March 30, 2026, and initiated a data review to determine the individuals affected and the types of information. The data review was completed on June 12, 2026.

The affected information varied from individual to individual and may have included names, birth dates, medical treatment information, medical health information, health insurance information, financial account information, and, for certain individuals, Social Security numbers. Data privacy and security policies have been reviewed and enhanced to reduce the risk of similar incidents in the future, and the affected individuals have been notified by mail and offered 12 months of complimentary single-bureau credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post North Los Angeles County Regional Center Notifies Individuals About November 2024 Ransomware Attack appeared first on The HIPAA Journal.

Almost 30,000 Texas Residents Affected by Data Breach at The Texas Hearing Institute

The Texas Hearing Institute has notified the Texas Attorney General about a data breach impacting more than 29, 000 state residents. Data breaches have also been announced by Family Health Centers of Southern Indiana, the Wisconsin Department of Health Services, and Stephen W. Brown & Radiology Associates of Augusta.

Texas Hearing Institute

The Texas Hearing Institute, a pediatric hearing center in Houston, Texas, has started notifying at least 29,498 individuals about a March 2026 cyberattack that resulted in unauthorized access to its network and the exposure of patients’ personal and health data.

Unauthorized network access was identified on March 20, 2026, and immediate steps were taken to contain the incident and secure its systems. Assisted by third-party digital forensics experts, the Texas Hearing Institute determined on April 22, 2026, that there had been unauthorized access to personal information on its systems. The data review confirmed that names, Social Security numbers, financial information, and medical records were compromised in the incident.

The affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. While the notification letters do not provide further information about the nature of the attack, this appears to have been a ransomware incident. The interlock ransomware group added the Texas Hearing Institute to its dark web data leak site in early April, claiming to have stolen 540 gigabytes of data. As such, the affected individuals should ensure that they take advantage of the free identity theft protection services being offered. The Texas Attorney General was informed that 29,498 Texas residents were affected. It is currently unclear how many individuals were affected in total.

Family Health Centers of Southern Indiana

Family Health Centers of Southern Indiana, a network of health centers in Jeffersonville, New Albany, Corydon, and Clarksville in Indiana, announced a data security incident on June 22, 2026, that may have resulted in unauthorized access to patient data.

Unauthorized network activity was identified on or around January 16, 2026. Its incident response plan was immediately initiated, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had access to parts of its network containing patient data, including names, dates of birth, contact information, demographic information, Social Security numbers, medical information, and health insurance information.

Family Health Centers of Southern Indiana has implemented additional technical safeguards, enhanced security measures, and updated its procedures related to data privacy and security. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved.

The data breach is not yet shown on the HHS’ Office for Civil Rights website; however, the Indiana Attorney General was informed that the protected health information of 7,037 Indiana residents was compromised in the incident. The Termine threat group took responsibility for the incident and added Family Health Centers of Southern Indiana to its dark web data leak site, including samples of the stolen data. The group claims to have exfiltrated around 250 gigabytes of data.

Stephen W. Brown & Radiology Associates of Augusta

Stephen W. Brown & Radiology Associates of Augusta have been affected by a data breach at their third-party billing vendor, MCBS, LLC. MCBS was provided with patient information as part of its contracted duties, and discovered on or around September 26, 2025, that an unauthorized third party had gained access to systems containing that information.

After an extensive forensic analysis, MCBS determined that its systems were accessed by an unauthorized third party between September 22 and September 26, 2025. Individuals affected by the incident may have had some or all of the following data stolen in the incident: name, address, date of birth, Social Security number, diagnosis, treatment information, mental or physical condition, medical history, health plan beneficiary number, health insurance policy number/subscriber identification number, and other health insurance information.

MCBS said it is unaware of any misuse of the affected data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. It is currently unclear how many patients of Stephen W. Brown & Radiology Associates of Augusta have been affected, or how many individuals were affected in total.

Wisconsin Department of Health Services

The Wisconsin Department of Health Services has recently reported a HIPAA breach to the HHS’ Office for Civil Rights that involved unauthorized access to the protected health information of 8,157 individuals. The affected individuals were Medicaid recipients who received benefits from the Wisconsin Supplementary Security Income program.

Letters were mailed to those individuals that contained personal and private information regarding an increase in their benefits. Some of those letters were inadvertently sent to outdated addresses. The error was identified on April 30, 2026, and further mailings to the incorrect addresses have been prevented. Up to 8,157 individuals were affected and have now been notified that their information may have been accessed by unauthorized individuals as a result of the error. Complimentary credit monitoring services have been offered to those individuals for 12 months.

The post Almost 30,000 Texas Residents Affected by Data Breach at The Texas Hearing Institute appeared first on The HIPAA Journal.

AdaptHealth Reports Material Cybersecurity Incident and Theft of Patient Data

AdaptHealth, a publicly traded healthcare company that provides home medical equipment, diabetes supplies, and sleep therapy products, has informed the U.S. Securities and Exchange Commission (SEC) that it is investigating a material cybersecurity incident involving unauthorized access to patient data.

According to the company’s Form 8-K filing, a threat actor contacted the company on June 15, 2026, claiming to have obtained files containing patient data. AdaptHealth launched an investigation, engaged third-party cybersecurity experts, and notified law enforcement. AdaptHealth has determined that certain cloud-based business applications were accessed by the threat actor, including internal patient management systems and document storage platforms. Files containing patients’ personally identifiable information (PII) and protected health information were exfiltrated by the threat actor.

The investigation is ongoing; however, AdaptHealth has determined that the unauthorized access occurred as a result of a response to a social engineering attack on a third-party contractor, which allowed the contractor’s credentials to be obtained. The threat actor obtained a stored password file tied to insurance billing and access to external electronic health record portals.

The affected account has been disabled, credentials have been reset, and additional access controls have been implemented. The incident has not had an impact on its operations or patient services, and a review is ongoing to determine the extent of data theft. The types of data involved have yet to be determined, and the number of affected individuals is currently unknown. AdaptHealth said it does not collect patients’ Social Security numbers, and financial account information and payment card information are not stored in the compromised systems.

AdaptHealth said it considers this to be a material cybersecurity incident due to the nature and potential volume of data at risk. The financial impact of the incident is still being assessed, with the company potentially having to cover costs associated with forensics, breach notification, legal and regulatory responses, and any remediation measures. The company holds a cybersecurity insurance policy, which may cover certain losses associated with the incident.

While AdaptHealth has not named the threat actor behind the attack, this appears to have been a data theft and extortion attempt by the ShinyHunters threat group. ShinyHunters added AdaptHealth to its data leak site and has threatened to leak the stolen data if the ransom is not paid, giving the company a final warning to pay or face a data leak.

The post AdaptHealth Reports Material Cybersecurity Incident and Theft of Patient Data appeared first on The HIPAA Journal.

Delaware & Florida Women’s Health Centers Announce Data Breaches

Two women’s healthcare providers have announced data privacy incidents. Women’s Wellness of Southern Delaware recently learned about unauthorized retention of patient data by a former provider of aesthetic services, and Women’s Center for Radiology has identified a hacking incident.

Women’s Wellness of Southern Delaware

Women’s Wellness of Southern Delaware, a Lewes, DE-based provider of obstetrics, gynecology, and facial aesthetic services, has recently learned that a former provider who rendered aesthetic services for the practice retained the protected health information of patients after engagement with the practice had terminated. Women’s Wellness of Southern Delaware was made aware of the data retention on April 28, 2026. The provider retained patients’ contact information and other patient-related information and is believed to have contacted certain patients to offer similar services at a new practice.

The information retained relates to certain recipients of aesthetic services and clinical services patients. For the aesthetic services patients, the information included their name, birth date, gender, email address, physical address, phone number, allergies, medications, supplements, and information related to the services received, which may include photographs, intake records, aesthetics-related medical history, face maps, dates of services and purchases, and descriptions of services or items purchased. For the clinical services recipients, the impacted data included name, phone number, dates of purchases, and descriptions of the items/medications purchased. The former provider did not have access to electronic medical records.

Women’s Wellness of Southern Delaware said it is in communication with the former provider and is seeking to obtain assurances that the data is returned or destroyed, and steps have been taken to enhance its data privacy and security measures to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Women’s Center for Radiology

Women’s Center for Radiology, a provider of medical imaging services at three locations in Orlando, Florida, has identified unauthorized access to parts of its network containing patient data. The unauthorized access was identified on or around April 28, 2026, and the forensic investigation determined that an unauthorized third party gained access to a limited part of its computer network. Files containing patient information were viewed or downloaded by the unauthorized third party.

Assisted by third-party specialists, Women’s Center for Radiology determined that the exposed files contained patient information such as names, addresses, dates of birth, contact information, diagnosis or condition, lab results, treating physician, medical record number, health insurance information, and driver’s license numbers.

Women’s Center for Radiology has started notifying the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. Women’s Center for Radiology is reviewing its policies, procedures, and protocols related to data privacy and security. Regulators have been notified about the incident; however, the number of affected individuals has not yet been publicly disclosed.

The post Delaware & Florida Women’s Health Centers Announce Data Breaches appeared first on The HIPAA Journal.

Data Breaches Reported by Amicus Solutions: Huntsville Hospital Health System

Amicus Solutions (Fedora Solutions) has been affected by a cybersecurity incident, and Huntsville Hospital has confirmed it was affected by a January 2025 breach at Cerner (Oracle Health).

Amicus Solutions

Amicus Solutions, Inc., doing business as Fedora Solutions, a provider of managed IT and revenue cycle management services, has experienced a cybersecurity incident involving the protected health information of 1,137 individuals. According to the breach notification to the Massachusetts Office of Consumer Affairs and Business Regulation, the breach affected patients of medical practices managed by OneOncology, LLC, including New York Cancer and Blood Specialists.

Suspicious activity was identified within the Amicus Solutions network on April 2, 2026, with the unauthorized access believed to have occurred between February 2, 2026, and February 18, 2026. During that time, a threat actor exfiltrated data from its systems, and some of that data was posted to the threat actor’s website, including personally identifiable information and protected health information.

The data review confirmed that the threat actor obtained patient data such as first and last names, phone numbers, email addresses, birth dates, gender information, Social Security numbers, medical information, and health insurance information. Amicus Solutions confirmed that there was no unauthorized access to its clients’ networks. No misuse of that data had been identified at the time of issuing notifications. Amicus Solutions said additional safeguards have been implemented to harden security, and 24 months of complementary credit monitoring and identity theft protection services have been offered to the affected individuals.

Huntsville Hospital

Huntsville Hospital Health System in Alabama has recently announced that it has been affected by the January 2025 data breach at electronic health record vendor Cerner, now Oracle Health. The data breach affected approximately 90 healthcare providers, and many of those providers announced the data breach last year. Hackers gained access to two legacy Cerner servers as early as January 22, 2025, and Huntsville Hospital was informed that it was affected on August 12, 2025. The hospital said law enforcement requested delaying notifying the affected individuals and additional providers so as not to impede the investigation.

According to the hospital, the breach was confined to Cerner systems, which contained names, Social Security numbers, and details from medical records, including medical record numbers, doctors’ names, diagnoses, medications, test results, images, and treatment information. The affected individuals have been offered complementary credit monitoring services for 24 months. It is currently unclear how many Huntsville Hospital patients have been affected.

The post Data Breaches Reported by Amicus Solutions: Huntsville Hospital Health System appeared first on The HIPAA Journal.

Washington Dept. Health & Social Services Insider Breach Affects 8,600 Individuals

The Washington Department of Social and Health Services (DSHS) has identified an insider data breach involving unauthorized access to the protected health information of approximately 8,600 individuals.

Insider threats are a major problem in healthcare, more so than in other sectors. While most insider incidents are unintentional, and snooping on medical records is a common cause of healthcare data breaches. Patient records may also be obtained for financial gain. Regular workforce HIPAA training is important to remind employees of their responsibilities with respect to patient privacy, and employee access logs should be routinely monitored. Without active monitoring, these privacy violations can persist for long periods before unauthorized access is identified.

In this case, a DSHS employee was discovered to have accessed a DSHS internal client data system without authorization and viewed records containing full names, dates of birth, Social Security numbers, DSHS client numbers, and information about DSHS program enrollment.

The DSHS investigation found no evidence that health information was accessed, such as diagnoses, test results, treatments, claims, or chart notes. The DSHS said the employee was found to have accessed records for “reasons unrelated to their job duties,” but did not elaborate further on the individual’s reasons for access. It is also unclear when the unauthorized access was detected, or for how long the employee had been accessing records for non-work purposes.

DSHS confirmed that action was immediately taken when the privacy violations were identified, preventing further unauthorized access. DSHS has confirmed that the individual is no longer working for the department. It is unclear whether the employee was terminated over the HIPAA violation or if they left voluntarily.

DSHS said it is issuing notification letters by mail to all affected individuals and encourages them to monitor their account statements and credit reports for unauthorized activity. DSHS is cooperating with state and local law enforcement in their ongoing investigation. DSHS said steps are being taken to implement additional safeguards, and internal policies and procedures related to data privacy and security are being reviewed.

The post Washington Dept. Health & Social Services Insider Breach Affects 8,600 Individuals appeared first on The HIPAA Journal.

South Florida Injury Centers; Chickasaw Nation Department of Health Report Data Breaches

A hacking incident has been reported by South Florida Injury Centers, and Chickasaw Nation Department of Health has discovered that an employee accessed patient data without authorization.

South Florida Injury Centers

South Florida Injury Centers, Inc., a medical practice with locations in Tamarac and Port Saint Lucie that specializes in treating patients injured in automobile accidents, has recently reported a hacking-related data breach to the HHS’ Office for Civil Rights that has affected up to 1,525 patients.

While few details have been released about the incident, this appears to have been a cyberattack by the threat actor Kairos. Kairos is a financially motivated threat group that engages in data theft and extortion, breaching networks, exfiltrating data, and demanding payment to prevent the data from being leaked online. The group has conducted attacks on several healthcare organizations and claims to have exfiltrated 45 GB of data from South Florida Injury Centers.

South Florida Injury Centers was added to its dark web data leak site on April 7, 2026, along with samples of the stolen data, which appear to contain redacted patient information such as names, contact information, driver’s license numbers, Social Security numbers, and medical histories. Kairos proceeded to leak the stolen data, indicating that the ransom was not paid.

Chickasaw Nation Department of Health, Oklahoma

Chickasaw Nation Department of Health in Oklahoma has identified an insider patient privacy incident that was first identified on April 22, 2026. An investigation was promptly initiated when unauthorized access to patient records was identified, and immediate steps were taken to prevent further unauthorized access.

The review of access logs confirmed that the privacy breach was due to the actions of a single employee, who had accessed patient records without authorization between December 1, 2025, and April 22, 2026. During that time, the records of 1,607 patients may have been accessed without authorization.

The information viewed included patient names, ages, dates of service, tribal affiliations, reasons for visits, and clinical information such as lab and radiology orders. No evidence was found to indicate that full Social Security numbers were viewed. The website notification about the privacy incident does not state the actions that have been taken against the employee over the privacy breach.

The post South Florida Injury Centers; Chickasaw Nation Department of Health Report Data Breaches appeared first on The HIPAA Journal.

Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches

Data security incidents have been announced by the Colorado Health Network and Kentucky Mountain Health Alliance. In both cases, only limited information has been released about the nature of the incidents.

Colorado Health Network

Colorado Health Network Inc., a nonprofit organization that provides health and support services to individuals with HIV/AIDS across Colorado, has recently disclosed a data security incident. The breach notification does not state when the breach was detected or for how long the threat actors had access to its network, only that an unauthorized third-party accessed and removed files from its systems.

The files have been reviewed and found to contain patient names in combination with one or more of the following: Social Security number, driver’s license/state identification card number, passport number, financial account information, debit/credit card information, health insurance information (which may include Medicaid/Medicare information), and medical information. The medical information may include, but is not limited to, diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s/location.

Colorado Health Network started mailing notification letters to the affected individuals on June 18, 2026, and said it has received no reports to suggest that any of the exposed or copied information has been misused. The affected individuals have been advised to monitor their account statements, free credit reports, and explanation of benefits statements for suspicious activity, and to sign up for the complimentary credit monitoring and identity theft protection services that have been offered.

This appears to have been a ransomware attack by the Cephalus ransomware group. Cephalus claimed on its dark web data leak site on August 28, 2025, that it was behind the attack and obtained more than 900 GB of data. The group’s data leak site is not currently accessible, so it is unclear whether the data was leaked online.

The Texas attorney general was informed that 257 Texas residents were affected by the breach. Given that the primary location of business is Colorado, that would suggest that the incident affected more than 500 individuals and should have been reported to the HHS’ Office for Civil Rights (OCR) and added to the OCR data breach portal; however, it is not currently shown on the breach portal.

Kentucky Mountain Health Alliance

Kentucky Mountain Health Alliance, a Hazard, KY-based nonprofit organization that provides primary and specialty care to the homeless, has disclosed a data breach that involved unauthorized access to patient data, some of which was copied in the incident.

While data breach notices should be placed in a prominent location on the home page of the provider’s website under HIPAA, users are required to click on the “more” section and then select the notice from the drop-down menu. The notice states that the information compromised in the includes names plus one or more of the following: Social Security numbers, driver’s license numbers/state identification numbers, passport numbers, financial account information, debit/credit card information, health insurance information, and medical information such as diagnosis, diagnosis code, mental/physical condition, prescription information, provider’s name and location, and health insurance information. Notification letters were issued to the affected individuals on June 12, 2026.

As with the data breach at Colorado Health Network (above), the breach notifications do not elaborate further on the nature of the incident, such as who potentially accessed the data (internal/external), when the incident was detected, or for how long the data was exposed. The website notice makes no mention of credit monitoring services; however, the notice issued to the Massachusetts Office of Consumer Affairs and Business Regulation states that 24 months of complimentary credit monitoring and identity theft protection services are being provided through Epiq. The number of affected individuals has yet to be publicly disclosed.

The post Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches appeared first on The HIPAA Journal.

Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches

Data breaches have been announced by Minnesota Epilepsy Group, Campbell University, and the City of Middletown, Ohio.

Minnesota Epilepsy Group

Minnesota Epilepsy Group, the largest epilepsy center in the Midwest, has started notifying current and former patients about a recent cybersecurity incident that may have resulted in unauthorized access to the protected health information of current and former patients. Suspicious network activity was identified on April 7, 2026, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had accessed its network at various times between March 16, 2026, and April 10, 2026.

The parts of the network that were accessed contained files that included patient data. The file review concluded on May 18, 2026, and determined that the exposed information included names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance information. The types of information exposed varied from patient to patient.

Notification letters started to be mailed to the affected individuals on June 5, 2026, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were exposed. Minnesota Epilepsy Group confirmed that it has taken steps to enhance its technical security measures to prevent similar incidents in the future.

City of Middletown, Ohio

The City of Middletown in Ohio has started notifying individuals about a cybersecurity incident that occurred last year that resulted in unauthorized access to sensitive personal and protected health information. The incident was first identified on August 17, 2025, and the forensic investigation determined that its network was accessed by an unauthorized third party between July 29, 2025, and August 17, 2025, during which time files containing sensitive information may have been accessed or acquired.

The data review concluded on May 18, 2026, and determined that data compromised in the incident included names, addresses, Social Security numbers, driver’s license or government identification, financial account information, medical information, and health insurance information. Notification letters were mailed to the individuals with a complete address on file on June 3, 2026. City of Middletown officials have confirmed that steps are being taken to augment security. The HHS’ Office for Civil Rights was informed that the protected health information of 20,608 individuals was compromised in the incident.

This appears to have been a ransomware attack by the SafePay ransomware group, which added the City of Middletown to its dark web data leak site on September 12, 2025, then proceeded to leak the stolen data.

Campbell University, North Carolina

Campbell University in North Carolina is investigating a cybersecurity incident that was first identified on April 1, 2026. The incident involved unauthorized access to one of its cloud-based data storage platforms between March 31, 2026, and April 1, 2026. The university explained that due to its security protections, the incident was contained to a single platform.

The investigation and data review are ongoing, and as such, the total number of affected individuals has yet to be determined. The HHS’ Office for Civil Rights has been informed that the protected health information of at least 500 individuals was involved. The total will be updated when the data review is concluded. The specific type of information involved has not yet been determined, but general categories of data involved have been disclosed. In addition to their name, individuals may have had one or more of the following exposed or stolen in the incident:

Address, date of birth, admission/discharge/death date, medical record number, provider/facility name, medical condition, diagnosis and/or treatment information, lab results, prescriptions and/or medications, personal history, mental health information, insurance/payment amount history information, date of service, payment card information, and/or any information on an individual that was created, used, or disclosed in the course of providing health care services, and Social Security number, driver’s license or state identification number, passport number, student identification number, other government identification number, financial account information, debit/credit card information, health insurance information, medical information, individual taxpayer identification number, identity protection PIN issued by the IRS, parent’s legal surname prior to marriage, digital signature, geolocation, and/or user name and access information for a non-financial account.

Campbell University said it has reset passwords, set up a new instance of the affected platform, strengthened data access policies, and implemented additional technical safeguards.

The post Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches appeared first on The HIPAA Journal.