HIPAA Breach News

Two Senior Care Providers Affected by Ransomware Attacks

Two providers of senior services have recently disclosed data security incidents. Windward Life Care in California and Legend Senior Care in Kansas experienced data breaches in 2025, for which ransomware groups claimed responsibility and proceeded to leak the stolen data.

Windward Life Care, California

Buena Vista Management Services, LLC, doing business as Windward Life Care, a San Diego, CA-based provider of aging life care management and home health care services to seniors and disabled adults, has started notifying individuals about a December 2025 data security incident. According to the breach notice, suspicious activity was identified within its computer network on December 8, 2025, and the forensic investigation determined that an unauthorized third party gained access to the network earlier that day.

The compromised parts of the network were reviewed and found to contain files containing personal and protected health information. The review of those files was completed on April 6, 2026, and notification letters were mailed to the affected individuals on April 10, 2026. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. Information potentially compromised in the incident varies from individual to individual, and may include names in combination with addresses, email addresses, personal identification numbers, Social Security numbers, driver’s license numbers, taxpayer identification numbers, passport information, patient identification numbers, financial account numbers, debit/credit card numbers, handwriting or electronic signatures, medical information, health insurance information, usernames, and other account holder identifying information and access information.

While Windward Life Care did not describe the incident as a ransomware attack, a ransomware group has claimed responsibility for the attack. Despite the incident being detected on the same day as its network was breached, Sinobi claims to have encrypted files and exfiltrated 25 gigabytes of data from the network. Windward Life Care was added to the Sinobi data leak site on January 5, 2026, along with a threat to publish the stolen data. Sinobi proceeded to leak the stolen data when the ransom was not paid. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Legend Senior Living, Kansas

Legend Senior Living, LLC, a Wichita, Kansas-based senior living community, has recently notified state attorneys general about a data security incident discovered on or around August 15, 2025. The forensic investigation confirmed unauthorized access to its computer systems between July 27, 2025, and August 15, 2025, during which time, files containing personal and protected health information may have been viewed or acquired.

Legend Senior Living said it promptly initiated a data review to determine the extent of the data breach. The review was preliminarily completed on March 12, 2026, and after verifying the findings and obtaining contact information, notification letters started to be mailed to the affected individuals on April 10, 2026. Data potentially compromised in the incident included names, Social Security numbers, driver’s license numbers/state ID numbers, passport information, financial account information, medical information, and health insurance information. The affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The Worldleaks threat group claimed responsibility for the attack and added Legend Senior Living to its dark web data leak site in September 2025. Worldleaks proceeded to leak the stolen data, indicating the ransom was not paid. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that 5,006 Texas residents were affected.

The post Two Senior Care Providers Affected by Ransomware Attacks appeared first on The HIPAA Journal.

Ransomware Attack on Cookeville Regional Medical Center Affected 338K Individuals

Cookeville Regional Medical Center in Cookeville, Tennessee, has recently confirmed that a 2025 ransomware attack exposed the personal and protected health information of 337,917 individuals. Cookeville Regional Medical Center identified the ransomware attack on July 14, 2025, and immediately took action to prevent further unauthorized access to its network. The forensic investigation determined that the ransomware group had access to its computer network between July 11, 2025, and July 14, 2025.

The attack was announced by Cookeville Regional Medical Center promptly, and within a couple of months, when it was confirmed that personal and protected health information had been exposed, a further announcement was made, warning patients about potential data theft. The data breach was reported to the HHS’ Office for Civil Rights in August 2025, using a placeholder figure of 500 individuals; however, it has taken several months to review all of the exposed data.

On March 16, 2026, the file review was completed, and Cookeville Regional Medical Center obtained the full list of affected individuals. Up-to-date contact information was obtained, and notification letters are now being sent. The types of information exposed in the incident vary from individual to individual, and may include names in combination with some or all of the following: address, date of birth, Social Security number, driver’s license number, financial account number, medical treatment information, medical record number, and/or health insurance policy information.

The affected individuals have been advised to remain vigilant against misuse of their information and should check their accounts and explanation of benefits statements carefully. While no evidence has been found to indicate misuse of the compromised data, Cookeville Regional Medical Center has offered the affected individuals complimentary credit monitoring and identity theft protection services for 12 months, and additional technical security measures have been implemented to prevent similar incidents in the future.

The Rhysida ransomware group claimed responsibility for the attack and added Cookeville Regional Medical Center to its dark web data leak site. Rhysida claims to have exfiltrated 538 gigabytes of data in the attack and has published the data that it has been unable to sell. The data leak site indicates 70% of the data has been leaked, which suggests that the group found a buyer for 30% of the data.

Data Breach at Rocky Mountain Associated Physicians Affects 50,000 Patients

Rocky Mountain Associated Physicians has reported a data breach affecting more than 50,000 patients. Data breaches have also been announced by Aroostook Mental Health Center and the Iowa Department of Health and Human Services.

Rocky Mountain Associated Physicians

The Salt Lake City, Utah-based surgical and medical weight loss specialists, Rocky Mountain Associated Physicians, have recently announced a security incident involving unauthorized access to the protected health information of up to 50,640 current and former patients. Rocky Mountain said its forensic investigation determined on February 2, 2026, that an advanced threat actor accessed certain systems, including its patient database. The compromised database included individuals’ names, dates of birth, contact information, Social Security numbers, medical record numbers, diagnosis and treatment information, and health insurance information. For some individuals, financial information was compromised, including their debit/credit card numbers and PINs.

Third-party cybersecurity experts were engaged to review the security of its systems, and additional safeguards have been implemented to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The affected individuals should take advantage of the services being offered, as the compromised data has been leaked on the dark web. The PEAR threat group claimed responsibility for the attack and added Rocky Mountain to its dark web data leak site. PEAR, which stands for Pure Extortion and Ransom, leaked the stolen data when the ransom was not paid.

Aroostook Mental Health Center

Legal counsel for Aroostook Mental Health Center in Presque Isle, Maine, has recently notified the Maine Attorney General about a data security incident discovered on March 21, 2026. The investigation and data review are currently ongoing, so it has yet to be determined how many individuals have been affected. Notification letters will be mailed to the affected individuals when those processes have been completed, and complimentary credit monitoring and identity theft protection services will be made available.

According to the notification letter, Aroostook Mental Health Center started receiving alerts that its computer network had been disrupted on March 12, 2026. Immediate steps were taken to prevent further unauthorized access, and a forensic investigation was initiated, which confirmed that its network was accessed by an unauthorized third party between March 11, 2026, and March 12, 2026. The investigation confirmed that files had been exfiltrated from its network. Aroostook Mental Health Center has enhanced its technical security measures and is reviewing and updating its data privacy and security policies. On April 2, 2026, the Qilin ransomware group took credit for the attack and added Aroostook Mental Health Center to its dark web data leak site.

Iowa Department of Health and Human Services

The Iowa Department of Health and Human Services (HHS) has started notifying 6,717 individuals about the exposure of some of their protected health information. On February 20, 2026, the Iowa HHS learned that a file containing Medicaid recipients’ data had been inadvertently posted on its publicly accessible website. The file was posted on February 16, 2026, and was accessible until February 20, 2026.

The file contained limited information, including Medicaid subscriber identification numbers, the names of Medicaid waiver programs linked to the Medicaid IDs, and eligibility assessment dates only. No names, contact information, or health information were exposed. The Iowa HHS said it has provided additional training to its workforce and is reviewing its policies and procedures to prevent similar incidents in the future.

Medical Group Announces PHI Exposure Due to Unencrypted Emails

CardioFit Medical Group has discovered emails containing protected health information were inadvertently sent without encryption. Interventional Pain Center in Tennessee has identified unauthorized access to an email account containing PHI.

CardioFit Medical Group, California

CardioFit Medical Group, Inc., a California-based medical group providing acute, chronic, and preventive cardiology care, has started notifying certain patients about the exposure of some of their protected health information. The inadvertent HIPAA violation was identified on February 17, 2026, when CardioFit learned that patient information had been sent via emails that had not been encrypted. The emails were sent in January and February 2026 and were found to contain a limited amount of patient information.

Highly sensitive information such as Social Security numbers, bank account details, or credit card information was not included in the emails; however, the emails did contain names, demographic information, and in certain cases, limited clinical information such as diagnoses and health insurance information. Under HIPAA, email encryption is not mandatory when emails are sent internally, provided that alternative measures are implemented that provide an equivalent level of protection, such as a firewall. When protected health information is sent externally beyond the protection of a firewall, emails should be encrypted to prevent interception in transit and ensure that only the intended recipient can access the emails.

While patient data was exposed, there are no indications that the emails were accessed by unauthorized individuals, and no evidence has been found to indicate any misuse of the exposed information. In response to the breach, CardioFit has conducted a review of its privacy and security practices and has strengthened its procedures related to email encryption. CardioFit has also provided additional training to its staff to prevent similar incidents in the future. Notification letters were sent to the affected individuals on or around April 10, 2026. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Interventional Pain Center, Tennessee

Interventional Pain Center, a network of pain management centers in Tennessee, has identified unauthorized access to an employee’s email account that contained the personal and protected health information of 3,171 individuals. The incident was detected on December 11, 2025, and the forensic investigation confirmed that the unauthorized access was limited to a single email account, which was compromised between December 1, 2025, and December 11, 2025.

The account was reviewed to determine the types of information contained in the account and to whom it related. On or around March 17, 2026, Interventional Pain Center confirmed that the account contained files and emails that included names, addresses, zip codes, dates of birth, Social Security numbers, driver’s license numbers, medical histories, diagnoses, condition information, treatment information, prescription information, treating physician names, and health insurance information.

Interventional Pain Center secured the account to prevent further unauthorized access and has implemented additional safeguards to prevent similar incidents in the future, including enhancing its email security and monitoring controls, and providing additional training to the workforce. At the time of issuing notifications, Interventional Pain Center had found no evidence to suggest any of the exposed information had been misused.

Data Breaches Announced by DermCare Management; Option Care Health; Aetna

Data breaches have recently been announced by DermCare Management in Florida, Option Care Health in New York, and Aetna in Connecticut.

DermCare Management Discloses 2025 Hacking Incident

DermCare Management, a Florida-based provider of practice management services to dermatology practices in Florida, Texas, California, and Virginia, has identified unauthorized access to its computer systems. Suspicious activity was identified within its computer network on February 26, 2025, and, assisted by third-party digital forensics specialists, DermCare Management determined on March 3, 2025, that there had been unauthorized network access between February 14, 2025, and February 26, 2025. During that time, patient information was either accessed or acquired.

DermCare Management engaged data review specialists to determine the individuals affected and the types of data involved. Due to the complexity of the data, it took until March 2, 2026, to identify the individuals affected, the types of data involved, and obtain sufficient information to issue individual notification letters. DermCare Management confirmed that the information exposed or acquired in the incident included names, Social Security numbers, driver’s license numbers, credit and debit card information, financial account information, and medical information.

The affected individuals have been notified by mail and offered complimentary credit monitoring and identity restoration services. Regulators have been notified about the incident; however, the incident has yet to be added to the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Aetna Notifies 11,663 Individuals About Third-Party Mailing Error

The Hartford, CT-based health insurance provider Aetna recently disclosed two data breaches to the HHS’ Office for Civil Rights affecting 10,888 and 775 individuals. Both incidents were unauthorized access/disclosure incidents and occurred in 2025. There was no unauthorized access to its network or computer systems, as both incidents involved mailing errors involving a third-party vendor.

Aetna’s parent company, CVS Health, issued a statement confirming that the information disclosed as a result of the mailing error was minimal. The error occurred on mailings sent on behalf of two health plans and involved letters sent to a plan member that may have inadvertently included the name of another individual who was not a member of their health plan. Aetna has implemented additional measures to prevent similar incidents in the future, and while only minimal data was impermissibly disclosed, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Option Care Health Identifies Unauthorized Email Access

Option Care Health, Inc., a Ridgewood, NY-based provider of home infusion services, has identified unauthorized access to an employee’s email account. The unauthorized access was detected on or around February 9, 2026, and the forensic investigation confirmed unauthorized access to the account between February 6, 2026, and February 9, 2026. The account was reviewed, and on February 26, 2026, Option Care Health confirmed that the information exposed in the incident included names, dates of birth, medical record numbers, and treatment information. Option Care Health has reviewed its technical security measures and has taken steps to prevent similar incidents in the future. The incident has been reported to regulators, but it is currently unclear how many individuals have been affected.

February 2026 Healthcare Data Breach Report

In February 2026, 63 data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that affected 500 or more individuals, a 14.5% increase from January 2026, and 12.5% more than the average number of February data breaches over the past 5 years.

[Chart: Healthcare data breaches in the past 12 months - February 2026]

Between January 1 and February 28, 2026, 118 data breaches affecting 500 or more individuals have been reported to OCR, involving the protected health information of 9,651,076 individuals. While healthcare data breaches have declined 10.6% year-over-year, the number of individuals affected has increased 44.7%.

[Chart: February healthcare data breaches - 2022-2026]

[Chart: Individuals affected by healthcare data breaches in the past 12 months - February 2026]

Across the 63 data breaches reported in February, the protected health information of at least 8,134,378 individuals was exposed or impermissibly disclosed, a 436% month-over-month increase and 38.9% more than the average number of affected individuals over the past 12 months.

[Chart: Individuals affected by February healthcare data breaches - 2022-2026]

Biggest Healthcare Data Breaches in February 2026

The high total in February is due to massive data breaches at two HIPAA-regulated entities in February – TriZetto Provider Solutions, a provider of administrative services to healthcare providers and health plans, and QualDerm Partners, a healthcare management services provider to 158 healthcare practices in 17 states. Both incidents potentially involved unauthorized access to the protected health information of more than 3 million individuals.

TriZetto is a business associate of many HIPAA-covered entities and was a subcontractor used by the healthcare technology and data analytics company OCHIN, a provider of specialized electronic health record software to healthcare providers. OCHIN said the breach impacted around 9% of the patient population of its member network – around 700,000 patients. It is unclear how many healthcare organizations were affected in total by the TriZetto data breach. The HIPAA Journal has tracked 44 HIPAA-covered entities that have announced that they were affected, although the total is undoubtedly higher. Hackers gained access to the web portal that TriZetto’s clients used to access TriZetto’s systems. The intrusion was detected in October 2025; however, the threat actor had access to its systems for almost a year. It is unclear which threat group was behind the breach, as it was not disclosed by TriZetto, and no group appears to have claimed responsibility for the breach.

The data breach at QualDerm Partners was of a similar scale, affecting more than 3.1 million individuals. The intrusion was detected in December 2025, and the investigation confirmed that hackers had access to its systems between December 23 and December 24, 2025, and exfiltrated protected health information. As with the data breach at TriZetto, the threat actor behind the incident is unknown. While on a much smaller scale, the data breach at ApolloMD Business Services affected many healthcare provider clients. The ransomware group Qilin claimed responsibility for the attack and claimed to have exfiltrated patient data. While the data breach was reported in February, it was detected in May 2025. More individuals were affected by those three data breaches alone than in all data breaches reported to OCR since mid-September 2025.

HIPAA-Regulated Entity | State | Entity Type | Individuals Affected | Cause of Breach
TriZetto Provider Solutions | MO | Business Associate | 3,433,965 | Hacking incident
QualDerm Partners, LLC | TN | Healthcare Provider | 3,117,874 | Hacking incident – data theft confirmed
ApolloMD Business Services, LLC | GA | Business Associate | 626,540 | Ransomware attack (Qilin)
Vikor Scientific, LLC. | SC | Healthcare Provider | 139,964 | Network server hacking incident – OCR provided technical assistance on HIPAA compliance
IPPC Inc., IPPC of New York LLC, and Innovative Pharmacy LLC | NJ | Healthcare Provider | 133,862 | Hacking incident – data theft confirmed
Oscar Health | NY | Health Plan | 91,350 | Employee emailed ePHI to incorrect recipients – OCR provided technical assistance on HIPAA compliance
National Association on Drug Abuse Problems | NY | Healthcare Provider | 90,000 | Hacking incident
Counseling Center of Wayne & Holmes Counties | OH | Healthcare Provider | 83,354 | Hacking incident – data theft confirmed
Academic Urology & Urogynecology of Arizona | AZ | Healthcare Provider | 73,281 | Hacking incident
Lakeside Pediatrics & Adolescent Medicine, PLLC | ID | Healthcare Provider | 34,154 | Hacking incident
Emanuel Medical Center | GA | Healthcare Provider | 28,963 | Hacking incident
Advanced Homecare Management, LLC DBA Enhabit Home Health & Hospice | TX | Healthcare Provider | 23,154 | Hacking incident at a business associate
Cedar Point Health, LLC | CO | Healthcare Provider | 23,114 | Hacking incident
WIRX Pharmacy | PA | Healthcare Provider | 20,047 | Hacking incident
Wendy Foster OD | KS | Healthcare Provider | 20,000 | Hacking incident
AccentCare | TX | Healthcare Provider | 19,772 | Hacking incident at a business associate (Doctor Alliance) involving a web application
Communications Workers of America Local 1180 Security Benefits Fund | NY | Health Plan | 18,550 | Unauthorized access to electronic medical records at a business associate
EyeCare Partners, LLC, including The Ophthalmology Group, Ophthalmology Consultants, and Ophthalmology Associates. | MO | Healthcare Provider | 17,110 | Unauthorized access to employee email accounts
Manhattan Retirement Foundation d/b/a Meadowlark Hills | KS | Healthcare Provider | 14,442 | Ransomware attack (Beast) – data theft confirmed
Jackson Hospital and Clinic | AL | Healthcare Provider | 13,910 | Hacking incident at a business associate
Couve Healthcare Consulting, LLC DBA Evergreen Healthcare Group | WA | Business Associate | 11,795 | Hacking incident involving its cloud-based electronic medical records
Triad Radiology Associates | NC | Healthcare Provider | 11,011 | Unauthorized access to an employee’s email account

Under the HIPAA Breach Notification Rule, data breaches must be reported to OCR within 60 days of the discovery of a data breach. When the number of affected individuals is not known, an estimate should be provided to OCR. Many regulated entities choose to report a breach using a placeholder figure of 500 or 501 individuals in such cases. The breach data for February 2026 includes 7 such data breaches. These figures are usually, but not always, updated when data breach investigations/data reviews are completed.

HIPAA-Regulated Entity | State | Entity Type | Individuals Affected | Cause of Breach
AltaMed Health Services Corporation | CA | Healthcare Provider | 501 | Ransomware attack
Cedar Valley Services | MN | Healthcare Provider | 501 | Hacking incident
Resource Corporation of America | TX | Business Associate | 501 | Hacking incident
Carolina Foot & Ankle Associates | NC | Healthcare Provider | 501 | Hacking/IT Incident
Marin Cancer Care | CA | Healthcare Provider | 501 | Hacking/IT Incident
Issaqueena Pediatric Dentistry PA | SC | Healthcare Provider | 501 | Ransomware attack
Alexes Hazen MD, PLLC | NY | Healthcare Provider | 500 | Hacking incident

Causes of February 2026 Healthcare Data Breaches

Hacking and other IT incidents continue to be the leading cause of healthcare data breaches, as has been the case for many years. All but 6 of the data breaches in February were hacking/IT incidents, which accounted for 98.6% of all individuals affected in the February 2026 data set. Across the 57 hacking-related data breaches, 8,020,208 individuals were affected. The average breach size was 140,705 individuals, and the median breach size was 2,908 individuals.

[Chart: Causes of February 2026 healthcare data breaches]

The remaining 6 data breaches were unauthorized access/disclosure incidents, which affected 114,170 individuals. The average breach size was 19,028 individuals, and the median breach size was 1,560 individuals. The largest of these incidents affected more than 91,000 individuals and was the result of an employee emailing ePHI to an incorrect recipient. Loss and theft incidents were once one of the biggest causes of healthcare data breaches, but they are now rarely reported. There were no loss or theft incidents in February, nor any improper disposal incidents. The most common location of breached protected health information in February was network servers, followed by email accounts/disclosures.

[Chart: Location of breached protected health information in February 2026]

February 2026 Data Breaches at HIPAA Regulated Entities

In February, data breaches involving the protected health information of 500 or more individuals were reported by 49 healthcare providers (3,940,433 individuals), 7 health plans (116,690 individuals), and 7 business associates (4,077,255 individuals). The raw data from the OCR breach portal shows the reporting entity rather than the entity that experienced the breach, as when a data breach occurs at a business associate, it is often the covered entity that reports the breach.

February serves as a good example of how business associate data breaches are often underrepresented in data breach reports. Recalculating the data based on the entity that experienced the data breach, 25 data breaches occurred at business associates. The data breach at TriZetto Provider Solutions was reported to OCR by TriZetto as affecting more than 3.4 million individuals; however, many of the affected entities reported the breach to OCR themselves. The charts below are based on the entity that experienced the data breach, rather than the entity that reported the data breach, to better reflect data breaches at business associates.

[Chart: February 2026 data breaches at HIPAA-regulated entities]

[Chart: Individuals affected by data breaches at HIPAA-regulated entities in February 2026]

Geographical Distribution of February 2026 Healthcare Data Breaches

The data breaches reported to OCR in February were quite widely distributed, affecting entities in 32 U.S. states. New York and Texas topped the list with 6 data breaches in each state, with four data breaches reported by entities based in California.

State | Breaches
New York & Texas | 6
California | 4
Georgia, Kansas & Oregon | 3
Arkansas, Illinois, Kentucky, Michigan, Missouri, North Carolina, New Jersey, Oklahoma, Pennsylvania, South Carolina, Tennessee & Utah | 2
Alabama, Arizona, Colorado, Florida, Idaho, Indiana, Massachusetts, Maryland, Maine, Minnesota, New Hampshire, Ohio, Virginia & Washington | 1

In terms of breach severity, Missouri and Tennessee topped the list for affected individuals.

State | Individuals Affected
Missouri | 3,451,075
Tennessee | 3,119,544
Georgia | 658,003
New York | 210,655
South Carolina | 140,465
New Jersey | 134,444
Ohio | 83,354
Arizona | 73,281
Texas | 52,361
Kansas | 35,769
Idaho | 34,154
Pennsylvania | 24,647
Colorado | 23,114
Alabama | 13,910
Utah | 12,085
Washington | 11,795
North Carolina | 11,512
Maine | 9,300
Kentucky | 8,972
California | 6,283
Arkansas | 5,800
Oregon | 4,641
Michigan | 4,473
Indiana | 3,158
Illinois | 2,891
Oklahoma | 2,275
Virginia | 1,544
Florida | 1,107
New Hampshire | 1,005
Massachusetts | 634
Maryland | 626
Minnesota | 501

HIPAA Enforcement Activity in February 2026

There were no announcements about HIPAA enforcement actions by the HHS Office for Civil Rights or state attorneys general in February. OCR has confirmed, however, that its risk analysis enforcement initiative has been expanded to cover risk management. When investigating a data breach, OCR will request documentation demonstrating that a comprehensive, organization-wide risk analysis has been conducted and that risks identified by the risk analysis have been managed and reduced to a reasonable and acceptable level in a timely manner.

To help HIPAA-regulated entities manage risks and comply with the requirements of the HIPAA Security Rule, OCR released a video presentation this month. In the video, Nicholas Heesters, OCR’s Senior Advisor for Cybersecurity, explains the HIPAA requirements for risk management and provides examples of violations of the risk management implementation specification of the security management process standard that OCR discovered during its data breach investigations.

About this Report

The HIPAA Journal healthcare data breach reports are based on data breaches reported to the HHS’ Office for Civil Rights, as HIPAA-regulated entities rarely publicly disclose the number of individuals affected by a data breach, and in the case of hacking incidents, attackers’ claims are unreliable. Typically, the data breach reports are published around the 20th of each month for the preceding month; however, OCR has been slow to add data breaches to its data breach portal, hence the delay in publication.

OCR is delaying adding breach reports to the “under investigation” section of its data breach portal. For instance, no data breach reports submitted to OCR in March 2026 were added to the under investigation section of the breach portal in March 2026. As of April 10, 2026, there are only two data breaches listed for March. While the delay could indicate resource pressure at OCR, data breaches have been added to the “Archive” section of the OCR breach portal at a much-accelerated pace, indicating a change of priorities at OCR. OCR appears to be concentrating on investigating data breaches and closing investigations more quickly.

Data Breaches Announced by Neinstein Plastic Surgery; Atlantic Brain and Spine

Neinstein Plastic Surgery in New York and Atlantic Brain and Spine in North Carolina have announced security incidents that exposed patient information.

Neinstein Plastic Surgery, New York

Neinstein Plastic Surgery in New York City has identified unauthorized access to an email account that contained sensitive patient information. Unauthorized activity was identified in the email account on December 2, 2025. The account was secured, and an investigation was initiated to determine the nature and scope of the activity. The investigation confirmed that the account had been accessed by an unauthorized individual between November 12, 2025, and November 20, 2025, and that this was a financially motivated attack rather than an attempt to obtain patient information; however, patient information may have been obtained in the incident.

The account was reviewed and on February 20, 2026, Neinstein Plastic Surgery confirmed that emails and documents in the account contained information such as names, contact information, dates of birth, driver’s license or passport numbers, Social Security numbers, credit card or financial account information, health insurance information, and clinical information, which may have included healthcare provider names, diagnoses, and treatment information. The types of information involved vary from individual to individual.

The incident was reported to law enforcement, additional technical safeguards have been implemented to improve email security, and further employee training has been provided. While there has been no known misuse of patient information, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The data breach has been reported to the appropriate authorities, although it is currently unclear how many individuals have been affected.

Atlantic Brain and Spine, North Carolina

Wilmington, North Carolina-based Atlantic Brain and Spine has disclosed a January 2026 cybersecurity incident. Suspicious activity was identified within its computer network on January 26, 2026. Third-party specialists were engaged to investigate the incident and confirmed that certain patient data had been accessed by an unauthorized third party.

The exposed data is still being reviewed; however, Atlantic Brain and Spine determined that the impacted data includes names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, financial account information, treatment/diagnosis information, prescription/medication information, dates of service, provider names, medical record numbers, patient account numbers, Medicare/Medicaid ID numbers, health insurance information, and/or medical billing/claims information. The types of data involved vary from individual to individual.

Atlantic Brain and Spine is working with third-party cybersecurity specialists to implement additional measures to prevent similar incidents in the future and is reviewing its policies and procedures related to data privacy and security. Since the review is ongoing, it is not yet known how many individuals have been affected.

The post Data Breaches Announced by Neinstein Plastic Surgery; Atlantic Brain and Spine appeared first on The HIPAA Journal.

New Jersey Long Term Care Pharmacy Data Breach Affects 133,800 Patients

The New Jersey long-term care pharmacy Innovative Pharmacy Packaging Corp (IPPC Inc), and the affiliated entities IPPC of New York LLC, and Innovative Pharmacy LLC have confirmed in a breach report to the HHS’ Office for Civil Rights (OCR) that the protected health information of 133,862 patients has been exposed and potentially obtained in a recent security incident.

IPPC identified anomalous network activity in September 2025 and launched an investigation to determine the nature and scope of the activity. The forensic investigation confirmed that an unauthorized third party accessed its network between September 18, 2025, and September 19, 2025, and exfiltrated files from its network. IPPC conducted a review of the affected files, which concluded on February 9, 2026, when it was confirmed that they contained a range of personal and protected health information.

The types of information involved vary from individual to individual and may include names in combination with dates of birth, driver’s license/government-issued identification numbers, Medicare/Medicaid identification numbers, individual taxpayer identification numbers, passport numbers, medical record numbers/patient account numbers, diagnosis and treatment information, procedure information, prescription information, health insurance information, payment card information, financial account information, billing and claims information, treating/referring provider names, and admission and discharge dates.

IPPC started sending notification letters to the affected individuals on April 1, 2026, and has offered the affected individuals 24 months of complimentary credit monitoring and identity theft protection services. Individuals receiving a notification letter should ensure that they sign up for those services as soon as possible to protect themselves against misuse of their data, since data was copied in the incident. IPPC said it has implemented additional security measures to prevent similar incidents in the future and is revising its policies and procedures related to data privacy and security.

The post New Jersey Long Term Care Pharmacy Data Breach Affects 133,800 Patients appeared first on The HIPAA Journal.

Data Breaches Reported by Southern Illinois Dermatology; Heart South Cardiovascular Group

Patient data has potentially been compromised in data incidents at Southern Illinois Dermatology and Heart South Cardiovascular Group in Alabama.

Southern Illinois Dermatology, Illinois

Southern Illinois Dermatology has notified an unspecified number of individuals about a data security incident it identified on November 28, 2025. An investigation was immediately launched, with assistance from third-party cybersecurity experts, to determine the nature and scope of the activity. The investigation confirmed unauthorized access to parts of its network where patient data was stored, and files were potentially copied from the network. The affected data was reviewed and found to contain personal information and protected health information, including full names, addresses, dates of birth, Social Security numbers, telephone numbers, email addresses, person numbers, and medical record numbers. The types of data involved vary from individual to individual. Notification letters were mailed to the affected individuals starting on April 2, 2026.

Southern Illinois Dermatology has taken measures to augment cybersecurity and continually evaluates and modifies its security practices. While the threat group behind the attack was not disclosed, the Insomnia threat group took responsibility for the incident and claimed to have obtained the data of more than 150,000 patients. Samples of the stolen data were uploaded to its data leak site as proof, and the group proceeded to leak the data allegedly stolen in the attack.

Heart South Cardiovascular Group, Alabama

Heart South Cardiovascular Group, a provider of cardiac testing and preventive treatment at centers in Alabama, has notified the Maine Attorney General about a data breach affecting up to 46,666 individuals, including 3 Maine residents. The incident was detected on November 11, 2025, when an unauthorized third party claimed to have obtained sensitive data from Heart South. An investigation was launched to determine the legitimacy of the claim, and while no evidence was found to indicate an intrusion or data exfiltration, Heart South confirmed that the threat actor had posted a limited amount of Heart South data online.

A review was conducted to determine all potentially affected individuals, which was completed on February 12, 2026. As a precaution, Heart South sent notification letters to all individuals whose data was stored on the parts of its network where the posted data was stored, and the potentially affected individuals have been offered complimentary credit monitoring and identity theft protection services. The Rhysida threat group claimed responsibility for the incident.

The post Data Breaches Reported by Southern Illinois Dermatology; Heart South Cardiovascular Group appeared first on The HIPAA Journal.