HIPAA Breach News

South Florida Injury Centers; Chickasaw Nation Department of Health Report Data Breaches

A hacking incident has been reported by South Florida Injury Centers, and Chickasaw Nation Department of Health has discovered that an employee accessed patient data without authorization.

South Florida Injury Centers

South Florida Injury Centers, Inc., a medical practice with locations in Tamarac and Port Saint Lucie that specializes in treating patients injured in automobile accidents, has recently reported a hacking-related data breach to the HHS’ Office for Civil Rights that has affected up to 1,525 patients.

While few details have been released about the incident, this appears to have been a cyberattack by the threat actor Kairos. Kairos is a financially motivated threat group that engages in data theft and extortion, breaching networks, exfiltrating data, and demanding payment to prevent the data from being leaked online. The group has conducted attacks on several healthcare organizations and claims to have exfiltrated 45 GB of data from South Florida Injury Centers.

South Florida Injury Centers was added to its dark web data leak site on April 7, 2026, along with samples of the stolen data, which appear to contain redacted patient information such as names, contact information, driver’s license numbers, Social Security numbers, and medical histories. Kairos proceeded to leak the stolen data, indicating that the ransom was not paid.

Chickasaw Nation Department of Health, Oklahoma

Chickasaw Nation Department of Health in Oklahoma has identified an insider patient privacy incident that was first identified on April 22, 2026. An investigation was promptly initiated when unauthorized access to patient records was identified, and immediate steps were taken to prevent further unauthorized access.

The review of access logs confirmed that the privacy breach was due to the actions of a single employee, who had accessed patient records without authorization between December 1, 2025, and April 22, 2026. During that time, the records of 1,607 patients may have been accessed without authorization.

The information viewed included patient names, ages, dates of service, tribal affiliations, reasons for visits, and clinical information such as lab and radiology orders. No evidence was found to indicate that full Social Security numbers were viewed. The website notification about the privacy incident does not state the actions that have been taken against the employee over the privacy breach.

The post South Florida Injury Centers; Chickasaw Nation Department of Health Report Data Breaches appeared first on The HIPAA Journal.

Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches

Data security incidents have been announced by the Colorado Health Network and Kentucky Mountain Health Alliance. In both cases, only limited information has been released about the nature of the incidents.

Colorado Health Network

Colorado Health Network Inc., a nonprofit organization that provides health and support services to individuals with HIV/AIDS across Colorado, has recently disclosed a data security incident. The breach notification does not state when the breach was detected or for how long the threat actors had access to its network, only that an unauthorized third-party accessed and removed files from its systems.

The files have been reviewed and found to contain patient names in combination with one or more of the following: Social Security number, driver’s license/state identification card number, passport number, financial account information, debit/credit card information, health insurance information (which may include Medicaid/Medicare information), and medical information. The medical information may include, but is not limited to, diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s/location.

Colorado Health Network started mailing notification letters to the affected individuals on June 18, 2026, and said it has received no reports to suggest that any of the exposed or copied information has been misused. The affected individuals have been advised to monitor their account statements, free credit reports, and explanation of benefits statements for suspicious activity, and to sign up for the complimentary credit monitoring and identity theft protection services that have been offered.

This appears to have been a ransomware attack by the Cephalus ransomware group. Cephalus claimed on its dark web data leak site on August 28, 2025, that it was behind the attack and obtained more than 900 GB of data. The group’s data leak site is not currently accessible, so it is unclear whether the data was leaked online.

The Texas attorney general was informed that 257 Texas residents were affected by the breach. Given that the primary location of business is Colorado, that would suggest that the incident affected more than 500 individuals and should have been reported to the HHS’ Office for Civil Rights (OCR) and added to the OCR data breach portal; however, it is not currently shown on the breach portal.

Kentucky Mountain Health Alliance

Kentucky Mountain Health Alliance, a Hazard, KY-based nonprofit organization that provides primary and specialty care to the homeless, has disclosed a data breach that involved unauthorized access to patient data, some of which was copied in the incident.

While data breach notices should be placed in a prominent location on the home page of the provider’s website under HIPAA, users are required to click on the “more” section and then select the notice from the drop-down menu. The notice states that the information compromised in the includes names plus one or more of the following: Social Security numbers, driver’s license numbers/state identification numbers, passport numbers, financial account information, debit/credit card information, health insurance information, and medical information such as diagnosis, diagnosis code, mental/physical condition, prescription information, provider’s name and location, and health insurance information. Notification letters were issued to the affected individuals on June 12, 2026.

As with the data breach at Colorado Health Network (above), the breach notifications do not elaborate further on the nature of the incident, such as who potentially accessed the data (internal/external), when the incident was detected, or for how long the data was exposed. The website notice makes no mention of credit monitoring services; however, the notice issued to the Massachusetts Office of Consumer Affairs and Business Regulation states that 24 months of complimentary credit monitoring and identity theft protection services are being provided through Epiq. The number of affected individuals has yet to be publicly disclosed.

The post Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches appeared first on The HIPAA Journal.

Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches

Data breaches have been announced by Minnesota Epilepsy Group, Campbell University, and the City of Middletown, Ohio.

Minnesota Epilepsy Group

Minnesota Epilepsy Group, the largest epilepsy center in the Midwest, has started notifying current and former patients about a recent cybersecurity incident that may have resulted in unauthorized access to the protected health information of current and former patients. Suspicious network activity was identified on April 7, 2026, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had accessed its network at various times between March 16, 2026, and April 10, 2026.

The parts of the network that were accessed contained files that included patient data. The file review concluded on May 18, 2026, and determined that the exposed information included names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance information. The types of information exposed varied from patient to patient.

Notification letters started to be mailed to the affected individuals on June 5, 2026, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were exposed. Minnesota Epilepsy Group confirmed that it has taken steps to enhance its technical security measures to prevent similar incidents in the future.

City of Middletown, Ohio

The City of Middletown in Ohio has started notifying individuals about a cybersecurity incident that occurred last year that resulted in unauthorized access to sensitive personal and protected health information. The incident was first identified on August 17, 2025, and the forensic investigation determined that its network was accessed by an unauthorized third party between July 29, 2025, and August 17, 2025, during which time files containing sensitive information may have been accessed or acquired.

The data review concluded on May 18, 2026, and determined that data compromised in the incident included names, addresses, Social Security numbers, driver’s license or government identification, financial account information, medical information, and health insurance information. Notification letters were mailed to the individuals with a complete address on file on June 3, 2026. City of Middletown officials have confirmed that steps are being taken to augment security. The HHS’ Office for Civil Rights was informed that the protected health information of 20,608 individuals was compromised in the incident.

This appears to have been a ransomware attack by the SafePay ransomware group, which added the City of Middletown to its dark web data leak site on September 12, 2025, then proceeded to leak the stolen data.

Campbell University, North Carolina

Campbell University in North Carolina is investigating a cybersecurity incident that was first identified on April 1, 2026. The incident involved unauthorized access to one of its cloud-based data storage platforms between March 31, 2026, and April 1, 2026. The university explained that due to its security protections, the incident was contained to a single platform.

The investigation and data review are ongoing, and as such, the total number of affected individuals has yet to be determined. The HHS’ Office for Civil Rights has been informed that the protected health information of at least 500 individuals was involved. The total will be updated when the data review is concluded. The specific type of information involved has not yet been determined, but general categories of data involved have been disclosed. In addition to their name, individuals may have had one or more of the following exposed or stolen in the incident:

Address, date of birth, admission/discharge/death date, medical record number, provider/facility name, medical condition, diagnosis and/or treatment information, lab results, prescriptions and/or medications, personal history, mental health information, insurance/payment amount history information, date of service, payment card information, and/or any information on an individual that was created, used, or disclosed in the course of providing health care services, and Social Security number, driver’s license or state identification number, passport number, student identification number, other government identification number, financial account information, debit/credit card information, health insurance information, medical information, individual taxpayer identification number, identity protection PIN issued by the IRS, parent’s legal surname prior to marriage, digital signature, geolocation, and/or user name and access information for a non-financial account.

Campbell University said it has reset passwords, set up a new instance of the affected platform, strengthened data access policies, and implemented additional technical safeguards.

The post Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches appeared first on The HIPAA Journal.

Data Breaches Announced by Florida Retina Center; Acadia Healthcare Company

Florida Retina Center has identified unauthorized access to systems containing the protected health information of more than 13,600 patients. Acadia Healthcare Company has experienced a breach affecting 1,800 patients.

Florida Retina Center

Bonita Springs-based Florida Retina Center has announced a cybersecurity incident that was first identified on January 30, 2026. Immediate action was taken to secure its network, and an investigation was launched to determine the nature and scope of the unauthorized activity. On May 19, 2026, Florida Retina Center confirmed unauthorized access to parts of its network containing patient data.

The file review confirmed that the data of 13,652 patients was exposed and potentially acquired in the incident. The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Notification letters have been mailed to the affected individuals, and 12 months of complimentary credit monitoring and identity theft protection services have been made available. At the time of issuing notification letters, no misuse of the affected data had been identified.

Acadia Healthcare Company

Franklin, Tennessee-based Acadia Healthcare Company, Inc., a provider of psychiatric and chemical dependency services, has announced a data breach affecting 1,807 individuals. Unusual activity was identified within an employee’s email account on March 25, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to a single employee’s email account and associated SharePoint files between March 21, 2026, and March 25, 2026. There was no unauthorized access to any other email accounts, other systems, or the electronic medical record system.

The types of data involved varied from individual to individual, and for the majority of affected individuals, involved one or more of the following data elements in addition to their names: address, date of birth, treatment information, dates of treatment, type of treatment, and health insurance information. Certain individuals also had their Medicare Health Insurance Claim Number (HICN) exposed, which may include their Social Security number. Notification letters were mailed to the affected individuals on May 22, 2026, and additional safeguards have been implemented to prevent similar incidents in the future.

The post Data Breaches Announced by Florida Retina Center; Acadia Healthcare Company appeared first on The HIPAA Journal.

April 2026 Healthcare Data Breach Report

In April 2026, 47 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). That represents a 33.8% reduction in large healthcare data breaches from the 71 large data breaches reported in March 2026, and well below the 12-month average of 62.4 data breaches per month.

healthcare data breaches in the past 12 months - April 2026

The year-to-date figures also show a reduction in large healthcare data breaches. From January 1 to April 30, 252 large healthcare data breaches have been reported by HIPAA-regulated entities, compared to 276 (-8.7%) for the corresponding period in 2025 and 299 (-15.7%) for the corresponding period in 2024.

Healthcare data breaches - January 1 to April 30 (2022-2026)

Across the 47 data breaches, the protected health information of 1,336,264 individuals was exposed or impermissibly disclosed – the second lowest monthly total in the past 12 months, and currently an 84.9% reduction from March 2026. The number of affected individuals is likely to increase, as some regulated entities have reported breaches with placeholder estimates of 500 or 501 affected individuals.

Individuals affected by healthcare data breaches in the past 12 months (April 2026)

The year-to-date figures for affected individuals are encouraging. From January 1 to April 30, the protected health information of 20.1 million individuals has been breached, and while that is a sizeable figure, it is a reduction of 25.5% from the corresponding period in 2025 and a reduction of 48.8% from the corresponding period in 2024.

Individuals affected by healthcare data breaches - january 1 to April 30 (2022-2026)

The Biggest Healthcare Data Breaches Reported in April 2026

In April, 15 data breaches affecting 10,000 or more individuals were reported to the HHS’ Office for Civil Rights, all but one of which were hacking incidents. The biggest data breach of the month was reported by the medical group Florida Physician Specialists, involving unauthorized access to the protected health information of 276,498 individuals.  Two of the 15 data breaches were confirmed ransomware attacks, and one incident involved unauthorized access by “a business counterparty” after access was thought to have been terminated.

Regulated Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Cause of Breach
Florida Physician Specialists FL Healthcare Provider 276,498 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed
Southern Illinois Dermatology IL Healthcare Provider 160,312 Hacking/IT Incident Network Server Hacking incident
Laurel Eye Clinic PA Healthcare Provider 145,221 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed
Innovative Scientific Solutions, LLC SC Healthcare Provider 143,842 Hacking/IT Incident Network Server Hacking incident
Hospital Caribbean Medical Center PR Healthcare Provider 92,000 Hacking/IT Incident Network Server Ransomware attack (The Gentlemen) – Data theft confirmed
Tri-Cities Gastroenterology TN Healthcare Provider 67,115 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed
City Health, a medical corporation CA Healthcare Provider 65,000 Unauthorized Access/Disclosure Electronic Medical Record Access to its electronic medical record system by a former business counterparty after termination
Hematology Oncology Consultants MI Healthcare Provider 62,972 Hacking/IT Incident Network Server Hacking incident – Data theft likely
GrayRobinson, P.A. FL Business Associate 54,131 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed
Rocky Mountain Associated Physicians, P.C. UT Healthcare Provider 50,640 Hacking/IT Incident Network Server Hacking incident
Heart South Cardiovascular Group AL Healthcare Provider 46,666 Hacking/IT Incident Network Server Hacking incident
Mt. Spokane Pediatrics WA Healthcare Provider 32,021 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed
University of Nebraska Medical Center NE Healthcare Provider 26,937 Hacking/IT Incident Network Server Hacking of a third-party software application
Liberty Bankers Life Ins. Co. TX Health Plan 20,202 Hacking/IT Incident Network Server Hacking incident at a business associate
Bayside Dental WA Healthcare Provider 10,216 Hacking/IT Incident Network Server Ransomware attack (Sinobi) – Data theft claimed

Three data breaches were reported in April before data reviews had been completed. Placeholder figures of 500 or 501 affected individuals were used and will be updated when the file reviews are concluded.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
Spokane Digestive Disease Center, P.S. WA Healthcare Provider 501 Unauthorized access to its email environment
FMRS Health Systems, Inc. WV Healthcare Provider 500 Hacking incident – data theft confirmed
CARE Clinic MN Healthcare Provider 500 Unauthorized access to its email environment

Causes of April 2026 Healthcare Data Breaches

Hacking and other types of IT incidents dominated the breach reports in April, accounting for 36 (76.6%) of the 47 reported large data breaches. Across those incidents, the protected health information of 1,240,571 individuals was exposed or impermissibly disclosed. Hacking/IT incidents accounted for 92.8% of the affected individuals in April. The average breach size was 32,883 individuals, and the median breach size was 4,547 individuals.

Causes of APril 2026 healthcare data breaches

There were 9 unauthorized access/disclosure incidents in April, which accounted for 19.1% of the month’s data breaches. Across those incidents, the protected health information of 86,717 individuals was accessed without authorization or was impermissibly disclosed – 6.5% of the month’s affected individuals. The average breach size was 9,635 individuals, and the median breach size was 1,467 individuals. There were no loss, theft, or improper disposal incidents in April.

Location of breached PHI in April 2026

States Affected by April 2026 Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 25 states, the District of Columbia, and Puerto Rico in April. California was the worst-affected state in terms of data breaches, while Florida was the worst-affected state in terms of the number of individuals affected.

April 2026 Healthcare Data Breaches

State Breaches
California 6
Texas & Washington 4
Florida & Virginia 3
Illinois, Minnesota, Oklahoma, Pennsylvania & West Virginia 2
Alabama, Delaware, Iowa, Indiana, Kentucky, Maryland, Michigan, Missouri, Nebraska, New Jersey, New York, South Carolina, Tennessee, Utah, Vermont, the District of Columbia & Puerto Rico 1

Individuals Affected by April 2026 Healthcare Data Breaches

State Individuals Affected State Individuals Affected
Florida 331,316 Oklahoma 8,233
Illinois 162,203 Maryland 7,213
Pennsylvania 145,976 Iowa 6,717
South Carolina 143,842 Indiana 5,900
Pouerto Rico 92,000 Vermont 5,892
California 78,846 Minnesota 5,885
Tennessee 67,115 Kentucky 3,677
Michigan 62,972 Virginia 2,552
Utah 50,640 New York 2,123
Alabama 46,666 Missouri 2,027
Washington 46,202 West Virginia 1,500
Nebraska 26,937 District of Columbia 1,467
Texas 26,648

April 2026 Data Breaches at HIPAA Regulated Entities

In April 2026, 36 data breaches were reported by healthcare providers, 8 breaches were reported by health plans, and 3 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.

The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 11 of the 47 breaches (rather than 3) occurred at business associates in April.

Data breaches at HIPAA-regulated entities in April 2026

Individuals affected by healthcare data breaches at HIPAA-regulated entities in April 2026

HIPAA Enforcement Activity in April 2026

The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, announced 4 settlements with HIPAA-regulated entities in April to resolve alleged violations of the HIPAA Rules. When alleged HIPAA violations are settled, the settlement agreement includes a corrective action plan to address the areas of noncompliance identified by OCR. When a civil monetary penalty is imposed, OCR cannot compel the regulated entity to adopt a corrective action plan.

All four of the settlements related to ransomware attacks, and in all cases, OCR identified a risk analysis failure. The HIPAA Security Rule requires regulated entities to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to electronic protected health information. It is the most commonly identified HIPAA Security Rule violation.  You can read more about each enforcement action in this post. No state attorneys general announced any HIPAA penalties in April.

HIPAA -Regulated Entity Entity Type Reason for Investigation Alleged HIPAA violation(s) Settlement Amount
Regional Women’s Health Group (Axia Women’s Health) Healthcare Provider Reported ransomware attack involving the protected health information of 37,989 individuals Risk analysis failure; impermissible disclosure of ePHI $320,000
Assured Imaging Affiliated Covered Entities Healthcare Provider Reported ransomware attack involving the protected health information of 244,813 individuals Risk analysis failure (never conducted); breach notification failure $375,000
Consociate, Inc. (Consociate Health) Business Associate Reported ransomware attack involving the protected health information of 136,539 individuals Risk analysis failure $225,000
Star Group, L.P. Health Benefits Plan Health Plan Reported ransomware attack involving the protected health information of 9,316 individuals Risk analysis failure $245,000

 

The post April 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

LifePoint Health; Southwest Behavioral & Health Services; Nottingham Village Report Data Breaches

Data breaches have been announced by Lifepoint Health, Southwest Behavioral & Health Services, and Nottingham Village.

Lifepoint Health

Lifepoint Health Inc., a healthcare delivery network that operates more than 60 hospital campuses in 28 U.S. states, more than 30 rehabilitation and behavioral health hospitals, and over 170 acute rehabilitation units, discovered unauthorized activity within its network on February 23, 2026. The forensic investigation traced the activity to a compromised user account. Assisted by third-party cybersecurity experts, Lifepoint Health determined that an unauthorized third party gained limited access to certain internal databases on February 22, 2026. The incident was fully contained within 24 hours.

Lifepoint Health determined that the data breach was limited in scope and was restricted to employees of contracted vendors. Direct employees of the company and patients were not affected. The affected employees had their names, addresses, phone numbers, dates of birth, and Social Security numbers compromised in the incident. Notification letters were sent to those individuals on April 23, 2026, and complimentary credit monitoring and identity theft protection services have been made available.

Southwest Behavioral & Health Services

Southwest Behavioral & Health Services, a Phoenix, AZ-based non-profit behavioral health organization, has identified a breach of its email environment. Suspicious activity was identified within its email environment on April 1, 2026, and the forensic investigation determined that six employee email accounts were compromised.

The review of the affected email accounts was completed on April 30, 2026, and notification letters have now been sent to the 2,316 affected individuals. Southwest Behavioral & Health Services has published a substitute breach notice on its website, but it does not state the types of information exposed in the incident. No evidence has been identified to suggest any misuse of the exposed data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services, and steps have been taken to improve email security to prevent similar incidents in the future.

Nottingham Village

Nottingham Village, a skilled nursing and assisted living facility in Northumberland, Pennsylvania, has notified 5,240 individuals about a security incident that was identified on November 9, 2025. After securing its network, an investigation was launched, and on May 12, 2026, it was confirmed that the exposed data included names, birth dates, Social Security numbers, driver’s license numbers/state government IDs, financial account information, medical information, and health insurance information. Nottingham Village said it continually evaluates and modifies its security practices and will continue to do so in the future.

The post LifePoint Health; Southwest Behavioral & Health Services; Nottingham Village Report Data Breaches appeared first on The HIPAA Journal.

Xsolis Data Breach Affects 1.4M Individuals

Xsolis, a business associate of HIPAA-covered entities that provides AI-powered solutions for improving case and utilization management to achieve more efficient outcomes, has experienced a major data breach as a result of a phishing attack.

According to the data breach notification filed with the California Attorney General, unauthorized activity was identified within the Xsolis environment on January 22, 2026, as a result of a targeted phishing attack. The incident has been contained, unauthorized access has been terminated, no evidence has been found of unauthorized access since January 22, 2026, and Xsolis has found no evidence to suggest any of the exposed data has been misused.

An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that patient data had been exposed and may have been copied. Xsolis engaged digital specialists to review the affected data, and that process has now been completed. Xsolis is notifying the affected individuals and has offered them complementary credit monitoring and identity theft protection services through Kroll for 12 months.

The Kroll website notice about the security incident states that an unauthorized third party had access to a limited portion of the Xsolis environment from January 20, 2026, to January 22, 2026. Data exposed in the incident included names, dates of birth, Social Security numbers, health insurance information, and medical treatment information.

The data breach has been reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 1,396,519 patients of its healthcare provider clients. A list of the affected clients has not been published; however, VHC Health, a healthcare provider serving patients in Northern Virginia and the Washington D.C. Metro area, has confirmed that it has been affected, as has Rochester Regional Health in New York.

Additional security measures have been implemented to prevent similar incidents in the future, system monitoring has been increased, all passwords for key users have been reset, new protective technologies have been deployed, security awareness training for employees has been accelerated, and credential management processes have been strengthened.

The post Xsolis Data Breach Affects 1.4M Individuals appeared first on The HIPAA Journal.

Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients

Blue Fish Pediatrics in Texas has announced a July 2025 cyberattack that affected more than 41,000 Texas patients. Data breaches have also been announced by Cherry Health in Michigan, Coastal Carolina Centers of Urology and Surgery in South Carolina, and Regence in Oregon.

Blue Fish Pediatrics, Texas

Blue Fish Pediatrics, a Houston, Texas-based network of pediatric medical practices, has notified the Texas Attorney General about a cybersecurity incident last year that exposed the personal and protected health information of its patients.

In a substitute breach notice on its website, Blue Fish Pediatrics explained that unauthorized access to its IT systems was identified on or around July 17, 2025. After securing its systems, an investigation was conducted to determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that a threat actor had access to a limited number of files between July 11, 2025, and July 17, 2025. Some of those files contained personally identifiable information and protected health information and may have been acquired in the incident.

The files have now been reviewed and found to contain full names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, medical record numbers, diagnosis/condition information, lab results, medications, claims information, and clinical/treatment information. Notification letters are now being mailed to the affected individuals, and complementary credit monitoring have been made available to individuals whose Social Security numbers were exposed.

The total number of affected individuals has yet to be disclosed; however, the bulk of the affected individuals reside in Texas. The Texas Attorney General was informed that 41,485 Texas residents were affected.

Cherry Health, Michigan

Cherry Health, Michigan’s largest non-profit Federally Qualified Health Center serving six counties in the state, announced a breach of patients’ protected health information on June 18, 2026. Suspicious network activity was identified on or around April 19, 2026. The forensic investigation confirmed unauthorized access to its network and the copying of files containing patient information.

The file review is ongoing; however, information likely stolen in the incident includes names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID numbers, patient ID numbers, provider names, service dates, and, for a limited number of individuals, Social Security numbers. Cherry Health said it has not identified any misuse of the impacted data. Cherry Health is working on implementing additional safeguards to prevent similar incidents in the future. At present, it is unclear how many individuals have been affected.

Coastal Carolina Centers of Urology and Surgery, South Carolina

Coastal Carolina Centers of Urology and Surgery, LLC, doing business as Rivertown Surgery Center in Conway, South Carolina, has notified the HHS’ Office for Civil Rights about a network server hacking incident involving unauthorized access to the electronic protected health information of 2,886 individuals.

Only limited information has been made public about the breach, such as it involved unauthorized access to names and health records; however, this appears to have been a ransomware attack by the Qilin ransomware group. Qilin added Coastal Carolina Centers of Urology and Surgery to its dark web data leak site on September 4, 2025, along with screenshots of files allegedly stolen in the attack.  According to the notice sent to the Indiana Attorney General, the breach occurred on August 26, 2025, and notifications were mailed on or around May 22, 2026.

Regence, Oregon

Regence Blue Cross Blue Shield of Oregon has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 2,856 individuals. According to a notice on the Regence website, unauthorized actors registered and accessed some Regence digital member accounts between January 1, 2026, and April 15, 2026, and redeemed wellness rewards for gift cards. Information in the accounts may have been accessed.

The post Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients appeared first on The HIPAA Journal.

ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data

One Medical, the Amazon-owned primary care provider, has recently announced a cybersecurity incident in which an unauthorized third party gained access to a third-party file storage system containing archived information for One Medical Seniors patients. Last week, the ShinyHunters threat group added One Medical to its dark web data leak site and claimed to have exfiltrated 8.8 terabytes of data.

According to the One Medical website data breach notice, the unauthorized access was identified on June 13, 2026, and was limited to the file storage system, which contained legacy data of One Medical Seniors patients. One Medical Seniors is the new name for Iora Health, which One Medical acquired in 2021. When the breach was discovered, the affected system was immediately secured, and all access was revoked. An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that the file storage system was accessed by an unauthorized third party between June 8 and June 11, 2026. While it has only been a few days since the breach was discovered, One Medical has confirmed that the breach was limited to the file storage platform, which only contained legacy data of certain Iora Health/One Medical Seniors patients. No other One Medical clinics, services, or the One Medical electronic medical record system were accessed.

The data review has begun, and One Medical has confirmed that the system contained demographic information and the clinical records of Iora Health/One Medical Seniors patients in Atlanta, Cape Cod, Charlotte, Piedmont Triad, Denver, Houston, Phoenix, Tucson, and Seattle. The exact data types involved have yet to be made public.  In response to the breach, One Medical said it has revoked all user access and is rotating credentials for all employees with access to the system, and has implemented additional safeguards to prevent similar incidents in the future. The number of affected individuals has yet to be publicly disclosed. One Medical has not confirmed the name of the group behind the attack.

ShinyHunters is a prolific data extortion group that targets large companies, breaches their networks, exfiltrates sensitive data, and demands a ransom to prevent a data leak. The group’s previous healthcare victims include dental benefits administrator DentaQuest, and the medical device manufacturer Medtronic. Last week, ShinyHunters claimed it had stolen 8.8 TB of data from One Medical and threatened to publish the stolen data unless One Medical entered ransom negotiations. One Medical was given until June 22, 2026, to do so, or the data would be leaked. The claim has not been verified by One Medical, and currently, no samples of the stolen data have been provided as proof of data theft. “This is a final warning to reach out by 22 June 2026 before we leak along with several annoying (digital) problems that’ll come your way,” states ShinyHunters on its dark web data leak site.

The post ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data appeared first on The HIPAA Journal.