A ransomware attack on Hospital Caribbean Medical Center in Puerto Rico has affected up to 92,000 individuals. Data breaches have also been announced by Murray County Medical Center in Minnesota and Aligned Orthopedic Partners in Maryland.

Hospital Caribbean Medical Center, Puerto Rico

A major data breach has been announced by Hospital Caribbean Medical Center in Fajardo, Puerto Rico. While it is unclear when the attack occurred, the hospital issued a press release on February 8, 2026, about a cyberattack that targeted its information systems. The intrusion was detected by its monitoring systems, and steps were immediately taken to contain the incident and prevent further unauthorized access to its IT systems.

The types of information exposed in the incident were not detailed in the press release, nor was the number of affected individuals; however, the incident is now shown on the HHS’ Office for Civil Rights breach portal as affecting up to 92,000 individuals. Hospital Caribbean Medical Center said it has reinforced its monitoring systems, implemented additional updates to its technological infrastructure, and strengthened its internal security protocols.

While not described as a ransomware attack, a ransomware group claimed responsibility for the incident. A group known as The Gentlemen added Hospital Caribbean Medical Center to its dark web data leak site on February 17, 2026, claiming to have exfiltrated sensitive data, including patient information, and threatened to release the stolen data if the ransom was not paid.

Murray County Medical Center, Minnesota

The County of Murray has announced a data security incident that affected current and former patients of Murray County Medical Center in Slayton, Minnesota. The data breach was first announced in early March 2026, although the incident was first detected on August 21, 2025, when suspicious activity was observed in its IT systems.

A leading IT security firm was engaged to assist with the investigation, secure its network, and determine whether any sensitive data had been exposed or stolen in the incident. Unauthorized access to computer systems was confirmed; however, it took until January 27, 2026, to determine that patient and employee data had been compromised in the incident. Information exposed or stolen included patient names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health insurance information, medical treatment information, and medical history information.

The data breach has recently been added to the HHS’ Office for Civil Rights breach portal as affecting 5,073 individuals. Murray County Medical Center has implemented additional safeguards to prevent similar incidents in the future and is offering the affected individuals complimentary credit monitoring and identity theft protection services.

Aligned Orthopedic Partners, Maryland

ASC Ortho Management Company, LLC, which does business as Aligned Orthopedic Partners, has announced a data security incident involving its email platform. Suspicious activity was identified on December 8, 2025, and the investigation confirmed that an unknown actor accessed the platform between November 16, 2026, and December 16, 2026, during which time, personal and protected health information may have been viewed or acquired.

The email system was reviewed, and on February 17, 2026, Aligned Orthopedic Partners confirmed that the exposed data included names, dates of birth, Social Security numbers, driver’s license or state identification numbers, Medicaid or Medicare numbers, financial account numbers, medical dates of service, medical provider names, mental or physical condition, medical treatment information, diagnosis or clinical information, prescription information, health insurance information, patient account numbers, and medical record numbers.

Notification letters were mailed to the affected individuals on April 17, 2026, and complimentary identity protection services have been offered. Steps have been taken to augment security to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Ransomware Attack on Hospital Caribbean Medical Center Affects 92,000 Individuals appeared first on The HIPAA Journal.

North Texas Behavioral Health Authority (NTBHA), a provider of mental health and substance use treatment and services in Dallas, Ellis, Hunt, Kaufman, Navarro & Rockwall counties, has notified the Department of Health and Human Services (HHS) Office for Civil Rights about a breach of the protected health information of 285,086 individuals. The data breach is the 6^th largest data breach reported to OCR so far in 2026.

NTBHA identified unauthorized activity within its computer systems on or around October 15, 2025, and launched an investigation to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party accessed its network between October 13, 2025, and October 15, 2025, during which time files containing patient information may have been viewed or acquired.

It took around three months to review the affected files, and on January 7, 2026, NTBHA confirmed that some of the files contained personal information. The substitute data breach notice does not list the types of data involved, although for some individuals, Social Security numbers were exposed. NTBHA said that at the time of issuing breach notification letters, no evidence had been found of any actual or attempted misuse of the impacted information.

Notification letters started to be sent to the affected individuals on March 6, 2026, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. NTBHA said it continually evaluates its privacy and security measures and has taken steps to augment security following this incident. They include resetting passwords, expanding multi-factor authentication, and deploying advanced endpoint detection and response tools and services. At present, no threat actor appears to have claimed responsibility for the incident. Several law firms have opened investigations in response to the data breach and are considering filing class action lawsuits.

The post North Texas Behavioral Health Authority Data Breach Affects 285K Individuals appeared first on The HIPAA Journal.

Saint Anthony Hospital, a nonprofit, faith-based, acute care, community hospital in Chicago, has started notifying individuals about unauthorized access and/or theft of some of their personal and protected health information. The substitute breach notification does not state when the unauthorized access was detected, only that an unauthorized third party accessed and/or acquired certain files and folders of unstructured data from its email system on February 27, 2025. The forensic investigation confirmed that electronic medical records were not affected by the incident.

More than a year after the unauthorized access occurred, notification letters are being sent to the affected individuals. Saint Anthony Hospital said the third-party specialists engaged to review the affected files completed their review on February 13, 2026, and notification letters started to be mailed to the affected individuals on March 6, 2026, after the results of the data review were verified and contact information was obtained.

The substitute breach notice on the Saint Anthony Hospital website does not state what types of information were involved; however, the hospital had previously disclosed in November 2025 that names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, prescription information, and medical histories were involved. Back in November, the hospital reported that approximately 6,600 patients and employees had been affected; however, the breach notice submitted to the HHS’ Office for Civil Rights shows that the breach was much larger, involving the protected health information of 146,108 individuals.

While no evidence has been found to suggest any actual or attempted misuse of patient data, the affected individuals have been advised to exercise caution and monitor their free credit reports, financial accounts, and explanation of benefits statements carefully for signs of data misuse. Complimentary credit monitoring and identity theft protection services do not appear to have been offered to the affected individuals.

The post Chicago’s Saint Anthony Hospital Reports Breach Affecting 146,000 Individuals appeared first on The HIPAA Journal.

Data breaches have been announced by the California psychiatry and therapy provider Mindpath Health, Springfield Hospital in Vermont, and Lone Peak Psychiatry in Utah.

Community Psychiatry Management (Mindpath Health)

Community Psychiatry Management, LLC, doing business as Mindpath Health, a Sacramento, California-based provider of in-person and online psychiatry and therapy services, has notified the Maine Attorney General about a hacking incident that Mindpath Health learned about on November 14, 2025. The personal and protected health information of 14,060 individuals was potentially compromised in the incident, including 2 Maine residents.

The incident is part of a much larger data breach at its vendor, Pinnacle Holdings, LTD. Pinnacle Holdings provides healthcare consulting services, and the data breach affected many of the company’s healthcare clients. The incident was detected by Pinnacle Holdings on November 25, 2024, when Pinnacle Holdings experienced a network disruption. The forensic investigation confirmed unauthorized network access between November 11, 2024, and November 25, 2024, during which time files containing patient information may have been copied by the threat actor.

Data compromised includes names, addresses, phone numbers, email addresses, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, diagnoses, treatment information, dates of service, patient ID numbers, provider names, medical record numbers, health insurance information, and treatment cost information. Individual notification letters started to be sent to the affected individuals on March 9, 2026, and 12 months of complimentary credit monitoring and identity theft protection services have been offered.

Springfield Hospital

Springfield Hospital in Vermont has started mailing notification letters to patients advising them that some of their personal and protected health information has been exposed in a recent data security incident. Springfield Hospital learned about the incident when it identified suspicious activity within an employee’s email account. The forensic investigation determined that the account was accessed by an unauthorized individual on December 17, 2025, and Springfield Hospital learned that personal and protected health information was involved on February 10, 2026.

Data exposed in the incident includes names, dates of birth, and Social Security numbers, along with protected health information such as medical record numbers, treating physician names, and reasons for visit. Springfield Hospital said it has taken steps to improve email security to prevent similar incidents in the future. At the time of issuing notification letters, Springfield Hospital had not identified any attempted or actual misuse of the exposed information. It is currently unclear how many individuals have been affected.

Lone Peak Psychiatry

Lone Peak Psychiatry, a mental health practice with locations in Lehi and Murray, Utah, has notified state attorneys general about a recent data breach. The notification letters are light on detail and do not contain any information about the nature of the incident, dates of compromise, or types of information involved. There is currently no substitute breach notice on the Lone Peak Psychiatry website.

The affected individuals have been offered complimentary credit monitoring and identity theft protection services, although if the notice to state attorneys general is a reflection of the individual notification letters being sent, then the affected patients do not have enough information to gauge the level of risk they face and whether they need to sign up for the free services being offered. In such cases, it is always wise to err on the side of caution and take steps to protect against identity theft and fraud, including signing up for any free services on offer. There is no listing on the OCR data breach portal at present, so it is unclear how many individuals have been affected.

The post Data Breaches Announced by Mindpath Health; Springfield Hospital; Lone Peak Psychiatry appeared first on The HIPAA Journal.

Ransomware attacks have been announced by Glendale Obstetrics & Gynecology in Arizona and Lymphedema Therapy Specialists in Texas, and City Health in California has notified patients about a recent data breach.

Glendale Obstetrics & Gynecology

Glendale Obstetrics & Gynecology in Glendale, Arizona, has started issuing notifications about an October 2025 security incident. The incident was described as “network disruption affecting a portion of its digital environment,” terminology often used to describe a ransomware attack. The notification letters sent to state attorneys general do not state when the unauthorized access first occurred, only that it was detected on October 25, 2025.

The files on the compromised parts of its network were reviewed, and that process was completed on March 16, 2026. Data compromised in the incident varies from individual to individual and may include names plus one or more of the following: address, date of birth, Social Security number, driver’s license information, medical information, and health insurance information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

A ransomware group called Safepay claimed responsibility for the attack. SafePay engages in data theft and data encryption and claimed to have exfiltrated data in the attack. SafePay added Glendale Obstetrics to its data leak site on November 11, 2025, and then leaked the stolen data on its dark web site. Glendale Obstetrics reported the data breach to the HHS’ Office for Civil Rights on December 24, 2025, using a placeholder estimate of at least 501 affected individuals. State attorneys general have recently been notified, although the 501 total has yet to be updated on the OCR breach portal, so it is unclear how many individuals have been affected. Individual notification letters started to be mailed on April 9, 2026.

Lymphedema Therapy Specialists

Lymphedema Therapy Specialists (LTS), a Houston, Texas-based clinic providing lymphedema treatment, has recently announced a data breach. Unauthorized network activity was identified on February 11, 2026, and a third-party digital forensic investigation confirmed that its network was accessed by an unauthorized third party who may have viewed or copied patient information.

The compromised parts of its network were reviewed, and on February 18, 2026, LTS confirmed that patient and employee information had been exposed, including names, Social Security numbers, government-issued identification numbers, workers’ compensation information, medical information, and health insurance information.

While not described as a ransomware attack, a ransomware group claimed responsibility for the incident. The INC Ransom group added LTS to its dark web data leak site and claimed that personally identifiable information and protected health information were stolen in the attack, in addition to organizational data. Based on the substitute breach notice on the LTS website, credit monitoring and identity theft protection services do not appear to have been offered. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that 378 Texas residents were affected.

City Health

City Health, a California healthcare provider with locations in San Leandro and Oakland, has notified certain patients about a hacking incident that was identified on March 30, 2026. Assisted by third-party cybersecurity specialists, City Health determined that an unauthorized third party accessed its network between March 2, 2026, and March 11, 2026, and viewed or acquired files containing sensitive information.

Data accessed in the incident included names, insurance provider names, and procedure codes only. City Health said contact information, dates of birth, and Social Security numbers were not involved. The incident was rapidly reported to regulators, including the California Attorney General, who was notified about the incident on April 13, 2026, just two weeks after the breach was first identified. Individual notification letters are now being sent to the affected individuals.

City Health is reviewing its security practices, policies, and procedures, and is taking steps to prevent similar incidents in the future. While data has been exposed, City Health is unaware of any actual or attempted misuse of the exposed data. “We apologize for any inconvenience and concerns this may cause you,” City Health’s management team said. “City Health would like to assure you that we have handled the situation swiftly and have taken necessary steps to ensure that it will not happen again.” The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Arizona & Texas Clinics Notify Patients About Ransomware Incidents appeared first on The HIPAA Journal.

Two providers of senior services have recently disclosed data security incidents. Windward Life Care in California and Legend Senior Care in Kansas experienced data breaches in 2025, for which ransomware groups claimed responsibility and proceeded to leak the stolen data.

Windward Life Care, California

Buena Vista Management Services, LLC, doing business as Windward Life Care, a San Diego, CA-based provider of aging life care management and home health care services to seniors and disabled adults, has started notifying individuals about a December 2025 data security incident. According to the breach notice, suspicious activity was identified within its computer network on December 8, 2025, and the forensic investigation determined that an unauthorized third party gained access to the network earlier that day.

The compromised parts of the network were reviewed and found to contain files containing personal and protected health information. The review of those files was completed on April 6, 2026, and notification letters were mailed to the affected individuals on April 10, 2026. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. Information potentially compromised in the incident varies from individual to individual, and may include names in combination with addresses, email addresses, personal identification numbers, Social Security numbers, driver’s license numbers, taxpayer identification numbers, passport information, patient identification numbers, financial account numbers, debit/credit card numbers, handwriting or electronic signatures, medical information, health insurance information, usernames, and other account holder identifying information and access information.

While Windward Life Care did not describe the incident as a ransomware attack, a ransomware group has claimed responsibility for the attack. Despite the incident being detected on the same day as its network was breached, Sinobi claims to have encrypted files and exfiltrated 25 gigabytes of data from the network. Windward Life Care was added to the Sinobi data leak site on January 5, 2026, along with a threat to publish the stolen data. Sinobi proceeded to leak the stolen data when the ransom was not paid. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Legend Senior Living, Kansas

Legend Senior Living, LLC, a Wichita, Kansas-based senior living community, has recently notified state attorneys general about a data security incident discovered on or around August 15, 2025. The forensic investigation confirmed unauthorized access to its computer systems between July 27, 2025, and August 15, 2025, during which time, files containing personal and protected health information may have been viewed or acquired.

Legend Senior Living said it promptly initiated a data review to determine the extent of the data breach. The review was preliminarily completed on March 12, 2026, and after verifying the findings and obtaining contact information, notification letters started to be mailed to the affected individuals on April 10, 2026. Data potentially compromised in the incident included names, Social Security numbers, driver’s license numbers/state ID numbers, passport information, financial account information, medical information, and health insurance information. The affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The Workdleaks threat group claimed responsibility for the attack and added Legend Senior Living to its dark web data leak site in September 2025. Worldleaks proceeded to leak the stolen data, indicating the ransom was not paid. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that 5,006 Texas residents were affected.

The post Two Senior Care Providers Affected by Ransomware Attacks appeared first on The HIPAA Journal.

Cookeville Regional Medical Center in Cookeville, Tennessee, has recently confirmed that a 2025 ransomware attack exposed the personal and protected health information of 337,917 individuals. Cookeville Regional Medical Center identified the ransomware attack on July 14, 2025, and immediately took action to prevent further unauthorized access to its network. The forensic investigation determined that the ransomware group had access to its computer network between July 11, 2025, and July 14, 2025.

The attack was announced by Cookeville Regional Medical Center promptly, and within a couple of months, when it was confirmed that personal and protected health information had been exposed, a further announcement was made, warning patients about potential data theft. The data breach was reported to the HHS’ Office for Civil Rights in August 2025, using a placeholder figure of 500 individuals; however, it has taken several months to review all of the exposed data.

On March 16, 2026, the file review was completed, and Cookeville Regional Medical Center obtained the full list of affected individuals. Up-to-date contact information was obtained, and notification letters are now being sent. The types of importation exposed in the incident vary from individual to individual, and may include names in combination with some or all of the following: address, date of birth, Social Security number, driver’s license number, financial account number, medical treatment information, medical record number, and/or health insurance policy information.

The affected individuals have been advised to remain vigilant against misuse of their information and should check their accounts and explanation of benefits statements carefully. While no evidence has been found to indicate misuse of the compromised data, Cookeville Regional Medical Center has offered the affected individuals complimentary credit monitoring and identity theft protection services for 12 months, and additional technical security measures have been implemented to prevent similar incidents in the future.

The Rhysida ransomware group claimed responsibility for the attack and added Cookeville Regional Medical Center to its dark web data leak site. Rhysida claims to have exfiltrated 538 gigabytes of data in the attack and has published the data that it has been unable to sell. The data leak site indicates 70% of the data has been leaked, which suggests that the group found a buyer for 30% of the data.

The post Ransomware Attack on Cookeville Regional Medical Center Affected 338K Individuals appeared first on The HIPAA Journal.

Rocky Mountain Associated Physicians has reported a data breach affecting more than 50,000 patients. Data breaches have also been announced by Aroostook Mental Health Center and the Iowa Department of Health and Human Services.

Rocky Mountain Associated Physicians

The Salt Lake City, Utah-based surgical and medical weight loss specialists, Rocky Mountain Associated Physicians, have recently announced a security incident involving unauthorized access to the protected health information of up to 50,640 current and former patients. Rocky Mountain said its forensic investigation determined on February 2, 2026, that an advanced threat actor accessed certain systems, including its patient database. The compromised database included individuals’ names, dates of birth, contact information, Social Security numbers, medical record numbers, diagnosis and treatment information, and health insurance information. For some individuals, financial information was compromised, including their debit/credit card numbers and PINs.

Third-party cybersecurity experts were engaged to review the security of its systems, and additional safeguards have been implemented to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The affected individuals should take advantage of the services being offered, as the compromised data has been leaked on the dark web. The PEAR threat group claimed responsibility for the attack and added Rocky Mountain to its dark web data leak site. PEAR, which stands for Pure Extortion and Ransom, leaked the stolen data when the ransom was not paid.

Aroostook Mental Health Center

Legal counsel for Aroostook Mental Health Center in Presque Isle, Maine, has recently notified the Maine Attorney General about a data security incident discovered on March 21, 2026. The investigation and data review are currently ongoing, so it has yet to be determined how many individuals have been affected. Notification letters will be mailed to the affected individuals when those processes have been completed, and complimentary credit monitoring and identity theft protection services will be made available.

According to the notification letter, Aroostook Mental Health Center started receiving alerts that its computer network had been disrupted on March 12, 2026. Immediate steps were taken to prevent further unauthorized access, and a forensic investigation was initiated, which confirmed that its network was accessed by an unauthorized third party between March 11, 2026, and March 12, 2026. The investigation confirmed that files had been exfiltrated from its network. Aroostook Mental Health Center has enhanced its technical security measures and is reviewing and updating its data privacy and security policies. On April 2, 2026, the Qilin ransomware group took credit for the attack and added Aroostook Mental Health Center to its dark web data leak site.

Iowa Department of Health and Human Services

The Iowa Department of Health and Human Services (HHS) has started notifying 6,717 individuals about the exposure of some of their protected health information. On February 20, 2026, the Iowa HHS learned that a file containing Medicaid recipients’ data had been inadvertently posted on its publicly accessible website. The file was posted on February 16, 2026, and was accessible until February 20, 2026.

The file contained limited information, including Medicaid subscriber identification numbers, the names of Medicaid waiver programs linked to the Medicaid IDs, and eligibility assessment dates only. No names, contact information, or health information were exposed. The Iowa HHS said it has provided additional training to its workforce and is reviewing its policies and procedures to prevent similar incidents in the future.

The post Data Breach at Rocky Mountain Associated Physicians Affects 50,000 Patients appeared first on The HIPAA Journal.