HIPAA Breach News

The Oncology Institute Confirms Unauthorized Access to Systems Due to Vendor Breach

The Oncology Institute, a publicly traded provider of cancer care through more than 100 clinics in California, Oregon, Nevada, Arizona, and Florida, has recently confirmed that patient data was potentially accessed by an unauthorized third party as a result of a security incident at one of its vendors.

In a November 3, 2025, filing with the U.S. Securities and Exchange Commission (SEC), The Oncology Institute said that it determined on November 3, 2025, that a cybersecurity incident at one of its information technology software providers would potentially delay fee-for-service collections. At the time of the notice, The Oncology Institute said its vendor was unable to confirm whether patient data had been accessed in the attack, and that at the time of issuing the filing, it was unaware of any unauthorized access to patient data as a result of the incident, but the investigation into the incident was ongoing.

In an updated SEC filing, The Oncology Institute said further information has come to light indicating that certain Oncology Institute systems were subject to unauthorized access by a third party as a result of the incident, including systems containing patient data. Kroll, the third-party administrator for the vendor, had made that determination and notified The Oncology Institute on May 20, 2026.

The Oncology Institute said it is working with its vendor to provide complimentary credit monitoring and identity theft protection services to the affected individuals. At the time of issuing the SEC filing on May 20, 2026, The Oncology Institute said the cybersecurity incident had not had a material impact on the company’s operations, financial systems, or the quality of care provided to patients. The Oncology Institute has yet to publicly disclose the types of data potentially compromised in the incident.

The Oncology Institute provides cancer care to around 2 million patients. It is currently unclear how many of those patients have been affected by the incident. The Oncology Institute has not disclosed the name of the vendor that experienced the cybersecurity incident, although certain media outlets have suggested that the vendor was TriZetto Provider Solutions, which experienced a major data breach last year affecting many of its healthcare provider clients.

The post The Oncology Institute Confirms Unauthorized Access to Systems Due to Vendor Breach appeared first on The HIPAA Journal.

May 2026 Data Breach Round Up: Data Breaches Affect 9 HIPAA-regulated Entities

A round-up of data breaches recently announced by 9 HIPAA-regulated entities: University of Nebraska Medical Center, Singing River Health System, Tampa Bay Dental Implants & Prosthetics, Aligned Orthopedic Partners, South Alabama Regional Planning Commission, Pivot Health, LHC Group, Mays Housecall Home Health, and the World Trade Center Health Program.

University of Nebraska Medical Center

University of Nebraska Medical Center (UNMC) has discovered that a vulnerability in a third-party software application has been exploited by a threat actor, exposing patient information. UNMC learned about the vulnerability in the REDCap software application in February 2026. REDCap software is used by UNMC to support its research studies and public health activities. When UNMC learned about the vulnerability, the software was taken offline, and an investigation was launched to determine if the vulnerability had already been exploited. Assisted by third-party cybersecurity experts, UNMC determined that the vulnerability had been exploited on September 20, 2023, and access remained possible until February 3, 2026.

The data review confirmed that the system contained a range of sensitive data, which varied from individual to individual depending on the nature of the research study/public health activities. That information may have included names, dates of birth, addresses, phone numbers, email addresses, medical record numbers, and information created or collected in connection with a research study. Such information may have included visit dates, diagnoses, medications, laboratory results, imaging or procedure information, questionnaire responses, or other health-related information. A subset of individuals also had their Social Security numbers exposed. In total, 26,937 individuals had data exposed. Individuals whose Social Security numbers were impacted have been offered complimentary credit monitoring services.

Singing River Health System

Singing River Health System, a non-profit health system with three hospitals and more than 50 clinics serving the Mississippi Gulf Coast, has started notifying patients about a hacking incident identified on or around December 21, 2025. The forensic investigation confirmed unauthorized access to its computer network between December 19, 2025, and December 21, 2025, and on February 10, 2026, it was confirmed that files containing patient information were viewed and potentially copied.

Data exposed varied from individual to individual and may have included names in combination with one or more of the following: contact information, Social Security numbers, driver’s license numbers, dates of birth, bank account information, health insurance information, provider names, internal patient identification numbers, dates of service, medication information, and treatment and/or diagnostic information.

Singing River Health System said, “We will continue to implement and evaluate enhanced safeguards and security measures to further protect our systems and continue to provide security training to our employees.” The affected individuals have been advised to monitor their accounts and explanation of benefits statements for data misuse. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Tampa Bay Dental Implants & Prosthetics

Tampa Bay Dental Implants & Prosthetics, which also does business as Tampa Bay Dental Implants, Periodontics & Oral Surgery, a dental care provider serving the St. Petersburg and Tampa Bay area in Florida, has recently disclosed a data breach affecting 6,400 individuals. Tampa Bay Dental discovered unauthorized access to its network on January 19, 2026, when ransomware was used to encrypt files. The attack affected a legacy server that contained a backup of electronic medical records.

The file review confirmed that patient data was exposed, including names, contact information, birth dates, treatment notes, and clinical histories, and for a limited number of individuals, Social Security numbers. Tampa Bay Dental has implemented additional security measures to prevent similar incidents in the future, including enhancing its security logging, strengthening server encryption, and updating access controls. Credit monitoring and identity theft protection services do not appear to have been offered to the affected individuals.

World Trade Center Health Program

The World Trade Center (WTC) Health Program, which provides no-cost healthcare services to individuals harmed by the 9/11 attack on the World Trade Center, has reported a data security incident to the HHS’ Office for Civil Rights affecting 1,071 individuals. Highly sensitive data was compromised in the incident, which occurred at a vendor, Managed Care Advisors/Sedgwick Government Solutions.

Hackers accessed a server containing files associated with the WTC Health Program and exfiltrated sensitive data before encrypting files. The TridentLocker ransomware group claimed responsibility for the attack. The attack was detected by Managed Care Advisors/Sedgwick Government Solutions on December 4, 2025, and the forensic investigation confirmed that the server was first breached on November 16, 2025. Data compromised in the incident includes names, addresses, Social Security numbers, dates of birth, and protected health information. TridentLocker proceeded to leak the stolen data on its dark web data site when the ransom was not paid. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Aligned Orthopedic Partners

Bethesda, Maryland-based ASC Ortho Management Company, LLC, doing business as Aligned Orthopedic Partners, has discovered unauthorized access to its email environment and the exposure of the protected health information of 7,213 individuals. The forensic investigation determined unauthorized access occurred between November 16, 2025, and December 16, 2025, during which time, emails and files may have been accessed or acquired.

The file review determined on February 17, 2026, that the exposed data included names in combination with one or more of the following: date of birth, Social Security number, driver’s license or state identification number, Medicaid or Medicare number, financial account number, date(s) of service, medical provider name, mental or physical condition, medical treatment information, diagnosis or clinical information, prescription information, health insurance information, patient account number, and/or medical record number. The affected individuals were notified on April 17, 2026, and complimentary identity protection services have been made available. Aligned Orthopedic Partners said steps have been taken to augment security to prevent similar incidents in the future.

Pivot Health

Pivot Health, a health insurance company specializing in short-term and supplemental health insurance products, has identified unauthorized access to its Amazon Web Services cloud environment. The unauthorized access was detected and blocked on March 13, 2026. The investigation confirmed that its AWS environment was accessed by an unauthorized third party at various points over a two-week period between February 26, 2026, and March 13, 2026. During that time, files containing member data were viewed or copied.

The digital forensic investigation confirmed that the exposed data included names, birth dates, member identification numbers, person identification, certificate identification, coverage identification, insurance billing and payment information, and, for certain individuals, financial account information. Data security policies and procedures are being reviewed, and additional cybersecurity protections have been implemented. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected, although the Texas Attorney General was informed that 1,172 Texas residents had their data exposed in the incident.

LHC Group / Mays Housecall Home Health

Two more healthcare providers have notified patients that some of their protected health information was compromised in a security incident at vendor Doctor Alliance: The home healthcare providers LHC Group in Louisiana and Mays Housecall Home Health, an Oklahoma-based provider of community and home health care services throughout Oklahoma, Kansas, and Texas.

The data breach did not involve unauthorized access to the home healthcare providers’ systems, as the incident was confined to the web-based portal used in connection with the services provided by their technology vendor. Doctor Alliance provides a platform that physicians and healthcare providers use to exchange and sign documentation related to patient care. The Doctor Alliance web portal was accessed by an unauthorized third party between October 31, 2026, and November 17, 2026. Doctor Alliance discovered the unauthorized access on November 12, 2025.

LHC Group said 8,644 individuals were affected and had the following types of information exposed: names, dates of birth, demographic information, health information, including clinical summaries and diagnosis codes, provider information, and health insurance information. Mays Housecall Home Health said 5,208 individuals were affected. Data compromised in the incident included names, demographic information, dates of birth, clinical information, diagnosis information, physician information, insurance-related information, and other information related to patient care documentation.

No data misuse has been detected. Both home healthcare providers are conducting additional oversight and review procedures related to third-party providers, and Doctor Alliance has implemented additional security safeguards and monitoring capabilities.

The South Alabama Regional Planning Commission

The South Alabama Regional Planning Commission has reported a data breach to the HHS’ Office for Civil Rights involving unauthorized access to the protected health information of 3,043 individuals. The substitute data breach notice does not state when the unauthorized access was detected, nor when its systems were accessed by unauthorized individuals, only that the investigation determined on August 6, 2025, that certain files were copied from its systems.

The files were reviewed and found to contain client names, Medicaid numbers, Social Security numbers, and medical information related to eligible services. The Alabama Department of Senior Services was notified about the breach on January 28, 2026, and the HHS’ Office for Civil Rights was notified on March 18, 2026. Notification letters have now been mailed to the affected individuals, and complimentary credit monitoring services have been offered.

Radiology Associates of Richmond Data Breach Affects 266K Individuals

Radiology Associates of Richmond in Virginia, one of the oldest, continuously operating private radiology practices in the United States, has announced another major data breach. Two years ago, the protected health information of more than 1.4 million individuals was compromised in a cybersecurity incident. A little over one year later, another cybersecurity incident was experienced that exposed the personal and protected health information of more than 266,000 current and former patients.

The most recent incident has recently been reported to the Maine Attorney General as involving unauthorized access to the electronic personal and protected health information of 266,183 individuals. The breach notice does not state when the intrusion was detected; only that the forensic investigation determined that the unauthorized access occurred on or around July 25, 2026.

The extensive forensic investigation and manual data review concluded on April 6, 2026, when it was confirmed that personal and protected health information was potentially viewed or acquired in the incident. A substitute data breach notice has been added to the Radiology Associates of Richmond website, but it does not state what specific types of information were compromised in the incident. The individual notification letters, which started to be mailed to the affected individuals on May 21, 2026, inform each individual which types of data were exposed or stolen in the attack.

The letters explain the steps that individuals can take to protect themselves against any data misuse. Individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

“[Radiology Associates of Richmond] is committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information,” explained Radiology Associates of Richmond.

California & Washington Healthcare Providers Announce Data Breaches

Data breaches have been announced by Family Health Centers of San Diego, Totem Lake Family Dentistry, and Glendora Surgery Center.

Family Health Centers of San Diego

Family Health Centers of San Diego is sending notification letters to patients about an insider breach of their protected health information. According to the breach notification sent to the California Attorney General, Family Health Centers of San Diego discovered that one of its physicians had sent the personal and protected health information of certain patients to their personal email addresses, in violation of HIPAA and hospital policies.

The investigation confirmed that names, dates of birth, contact information, medical record numbers, and medical information had been emailed to the physician’s account. Family Health Centers of San Diego shut down the physician’s access to patient records, terminated the physician’s employment, and initiated legal action to compel the physician to destroy the emailed information. The physician has also been reported to the Medical Board of California. Family Health Centers of San Diego has offered the affected individuals a complimentary membership to a credit monitoring service for 12 months. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Totem Lake Family Dentistry

Totem Lake Family Dentistry, a Kirkland, WA-based family dental practice, has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 3,464 patients. According to the notification letters, suspicious activity was identified within an employee’s email account. The investigation confirmed unauthorized access to the account between May 28, 2025, and June 2, 2025. During that time, information in the account may have been viewed or copied. It has taken 11 months to review the contents of the account and mail notification letters to the affected individuals. At the time of issuing notification letters, Totem Lake Family Dentistry was unaware of any attempted or actual misuse of patient data. Credit monitoring and identity theft protection services do not appear to have been offered.

Glendora Surgery Center

Glendora Surgery Center in California has alerted patients about a data security incident that was first identified on December 3, 2025. The forensic investigation confirmed unauthorized access to its network between November 29, 2025, and December 3, 2025. During that time, files containing patient information were exfiltrated from its network. Data compromised in the incident included patient names and medical treatment information.

While data was stolen, Glendora Surgery Center is unaware of any actual or attempted misuse of that information. In response, data privacy and security policies and procedures have been reviewed, administrative and technical controls have been enhanced, and additional security training has been provided to the workforce. The HHS’ Office for Civil Rights has been notified, and a placeholder estimate of at least 501 individuals has been used. The data review is ongoing, and the total will be updated when the data review is concluded.

Data Breaches Announced by Lumexa Imaging; FMRS Health Systems

The diagnostic imaging service provider Lumexa Imaging has been affected by a security incident at one of its vendors. FMRS Health Systems, a West Virginia-based provider of mental health services, is investigating a January 2026 data breach.

Lumexa Imaging

Lumexa Imaging, a diagnostic imaging provider that, together with its affiliates, has the second-largest diagnostic imaging footprint in the United States, has notified regulators about a data security incident involving one of its vendors. The unnamed vendor provided non-clinical support services in connection with the administrative services Lumexa Imaging provided to its affiliated radiology practices. On April 9, 2026, the vendor notified Lumexa Imaging that it was investigating suspicious activity within part of its computer network. Lumexa Imaging immediately terminated the vendor’s access to its systems while the incident was investigated and remediated.

The investigation confirmed a breach of the vendor’s systems between March 31, 2026, and April 9, 2026. On April 15, 2026, Lumexa Imaging learned that an unauthorized actor may have used the connection between itself and the vendor to view or obtain documents associated with its affiliated radiology practices. The documents were reviewed and found to contain patient information such as names, birth dates, addresses, phone numbers, patient account numbers, insurance information, and clinical information such as diagnoses, visit dates, and other information related to the radiology services received. A small subset of patients had their Social Security numbers exposed.

The vendor has provided assurances that steps have been taken to secure its systems to prevent similar incidents in the future, including scrubbing and validating the affected systems and implementing additional cybersecurity monitoring and detection tools. Lumexa Imaging is unaware of any misuse of the exposed data and is offering complimentary credit monitoring services to individuals whose Social Security numbers were exposed. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

FMRS Health Systems

FMRS Health Systems, Inc., a West Virginia-based nonprofit mental health center, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 500 individuals. That figure will likely increase, as at the time of issuing its substitute breach notice, the investigation was still ongoing. According to the substitute breach notice on the FMRS Health Systems website, suspicious activity was identified within its computer systems on February 27, 2026. Steps were immediately taken to secure its systems, and a forensic investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation confirmed unauthorized access between January 20, 2026, and February 27, 2026, during which time files containing patient information were copied by the threat actor. Electronic medical records were not subject to unauthorized access. The file review confirmed that names were stolen in combination with one or more of the following: address, birth date, Social Security number, driver’s license number, financial account information, medical history information, diagnostic and treatment information, prescription information, physician’s name, medical record number, and health insurance information. FMRS Health Systems did not state whether ransomware was used; however, a ransomware group – Qilin – claimed responsibility for the attack.

Erie Family Health Centers Data Breach Affects 570,000 Individuals

Erie Family Health Centers, a Chicago, IL-based network of health centers providing primary medical, dental, and behavioral healthcare services to individuals regardless of their ability to pay, has experienced a major data breach affecting up to 570,000 individuals.

Suspicious activity indicative of unauthorized access was identified within its computer network on January 27, 2026. Immediate action was taken to secure its network, and third-party digital forensics experts were engaged to investigate the incident and determine the nature and scope of the activity. They confirmed that an unauthorized third party first accessed its network on December 10, 2025, and retained access until its network was secured on January 27, 2026.

The exposed files were reviewed and confirmed to contain personal and protected health information. The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: address, phone number, email address, date of birth, Social Security number, driver’s license/state ID number, taxpayer ID number, passport number, financial account information, payment card information, online account credentials, digital signature, biometric data, medical treatment or diagnosis information, prescription information, date of service, patient ID number, encounter ID number, medical record number, Medicare/Medicaid number, provider name, patient account number, health insurance information, and/or treatment cost information.

Erie Family Health Centers has taken steps to strengthen network security to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services as a precaution against data misuse. No threat group appears to have claimed responsibility for the incident.

This is the second data breach to be announced by Erie Family Health Centers this year. Erie Family Health Centers was also affected by a data breach at its business associate, TriZetto Provider Solutions, a provider of revenue cycle management and claims clearinghouse services. That breach affected a currently undisclosed number of patients of Erie Family Health Centers.

Data Breaches Announced by Elara Caring; Excelas; Pulpdent Corp.

Elara Caring has confirmed that thousands of its patients were affected by the cyberattack on vendor Doctor Alliance. Data breaches have also been announced by the medical record organization and analysis SaaS company Excelas, and Pulpdent, a dental research and manufacturing company.

Elara Caring

Elara Caring, a nationwide provider of home-based skilled nursing care, personal care, and palliative care services, has been affected by a cyberattack involving one of its third-party vendors. On December 12, 2025, the vendor notified Elara Caring that a threat actor had accessed and downloaded files from its network. There was no unauthorized access to the Elara Caring network. The incident was confined to the vendor’s systems, which were accessed between November 4 and November 6, 2025, and again between November 14 and November 17, 2025. During those times, files containing names, addresses, dates of birth, medical records, Social Security numbers, and health insurance information were stolen.

While Elara Caring did not disclose the name of the vendor in its breach notification letters, based on the dates of unauthorized access, it was Doctor Alliance, the provider of a platform for managing and facilitating electronic physician signatures. Notification letters were mailed to the affected individuals on May 12, 2025, and the affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. Elara Caring provides services across the United States. While it is currently unclear how many individuals have been affected in total, the Texas Attorney General was informed that more than 3,300 Texas residents were affected.

Excelas

Ocelot Ventures, LLC, doing business as Excelas, a provider of medical record organization and analysis software, has identified unauthorized access to its network. A suspected intrusion was detected on or around January 28, 2026. Assisted by law enforcement and third-party cybersecurity specialists, Excelas determined that an unauthorized third party had access to certain computer systems from November 27, 2025, to December 3, 2025. During that time, a limited amount of data may have been viewed or copied.

The file review confirmed that names, dates of birth, Social Security numbers, government-issued ID numbers, diagnoses, referring/treating physician names, medications, medical record images, payment information, and health insurance information were involved. Excelas is working on implementing additional safeguards to prevent similar incidents in the future. At the time of issuing notification letters on May 12, 2026, no attempted or actual misuse of the impacted information had been detected. As a precaution, single-bureau credit monitoring and fraud protection services have been offered to the affected individuals.

Cl0p, a financially motivated threat group that engages in data theft and extortion, claimed that it had exfiltrated sensitive data from Excelas systems. The incident has been reported to regulators, although it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Pulpdent Corp.

Pulpdent Corp., a Watertown, Massachusetts-based dental research and manufacturing company, has alerted certain individuals about a cybersecurity incident it first detected on March 13, 2026. Systems were secured, and an investigation was launched into the unauthorized activity. On or around April 17, 2026, Pulpdent determined that information such as names, Social Security numbers, driver’s license numbers, and financial account information had been exposed and potentially stolen.

Notification letters started to be mailed to the affected individuals on May 8, 2026, and complimentary credit monitoring and identity theft protection services have been made available. Individuals who receive a notification letter should take advantage of those free services. The Inc Ransom ransomware group took responsibility for the attack and claimed to have exfiltrated sensitive data. The number of affected individuals has yet to be publicly disclosed.

Ransomware Groups Claim Responsibility for Attacks on 3 Healthcare Providers

Ransomware groups have claimed responsibility for attacks on Advanced Family Surgery Center in Tennessee, Orem Eye Clinic in Utah, and Belmont Aesthetic & Reconstructive Plastic Surgery in Virginia/Washington D.C.

Surgery Center of Oak Ridge (Advanced Family Surgery Center)

Surgery Center of Oak Ridge, LLC, doing business as Advanced Family Surgery Center in Oak Ridge, Tennessee, has notified certain patients about a network intrusion first identified on or around November 26, 2025. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that certain parts of its network were accessed by an unauthorized third party who potentially viewed or acquired files containing patient information.

The files were reviewed and found to contain names, addresses, dates of birth, dates of service, health insurance information, medical diagnosis information, medical record numbers, Medicare/Medicaid numbers, patient account numbers, prescription/treatment information, provider names, and Social Security numbers. Additional security measures have been implemented to prevent similar incidents in the future, and policies and procedures with respect to data security are being reviewed.

This appears to have been a ransomware attack with data theft. The Genesis ransomware group, a financially motivated threat group that has attacked many healthcare providers, claimed responsibility for the attack and added Advanced Family Surgery Center to its dark web data leak site. Genesis claims to have exfiltrated 100 GB of data in the attack, including files containing patient information.

Orem Eye Clinic

Orem Eye Clinic in Orem, Utah, has notified individuals and the HHS’ Office for Civil Rights about a cybersecurity incident involving unauthorized access to parts of its network that contained the protected health information of approximately 5,800 patients. No substitute breach notice has been added to the Orem Eye Clinic website at the time of publication of this article, so the exact details, such as the types of data involved and the nature of the incident, have yet to be confirmed. Individuals receiving a notification letter should be aware that a ransomware group called Nightspire claimed responsibility for the attack and added Orem Eye Clinic to its dark web data leak site. The group claims to have exfiltrated 1 terabyte of data in the attack.

Belmont Aesthetic & Reconstructive Plastic Surgery

Belmont Aesthetic & Reconstructive Plastic Surgery, a cosmetic and reconstructive surgery practice with locations in Washington, D.C., and Virginia, has reported a data breach to the HHS’ Office for Civil Rights that has affected 528 individuals. While there is currently no website notice, and no other information has been released about the data breach so far, this appears to have been a ransomware attack. The Insomnia ransomware group added Belmont Aesthetic & Reconstructive Plastic Surgery to its dark web data leak site in early March 2026 and threatened to publish the stolen data if the ransom was not paid.

The post Ransomware Groups Claim Responsibility for Attacks on 3 Healthcare Providers appeared first on The HIPAA Journal.

Verber Dental Group Notifies Patients About January Hacking Incident

Data breaches have recently been announced by Verber Dental Group in Pennsylvania, Northwoods Surgery Center in Minnesota, Cunningham Prosthetic Care in Maine, Healthcare In Action in California, and Preakness Healthcare Center in New Jersey.

Verber Dental Group

Verber Dental Group, a Camp Hill, PA-based dental group comprising 14 dental practices, has recently notified patients of unauthorized network access that exposed patient data. Suspicious network activity was identified on January 27, 2026. The network was secured, and an investigation was launched, which revealed the threat actor had access to its network from January 26, 2026, to January 27, 2026. The investigation confirmed that patient information had been exposed, including names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, medical records, and health insurance information.

Verber Dental has not identified any misuse of patient information. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals as a precaution. At present, the incident is not shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Northwoods Surgery Center

Northwoods Surgery Center in Virginia, MN, identified unauthorized activity within its computer network on or around September 8, 2025. Its network was secured, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized network access over a two-month period between July 11, 2025, and September 8, 2025. The compromised parts of the network were reviewed, and it was confirmed that files containing patient information had been exposed and may have been accessed or acquired by the threat actor.

In total, 5,385 individuals were affected. Data potentially compromised in the incident included names, addresses, dates of birth, health insurance information, patient medical record numbers, doctor’s name, practice type, medical date of service, medication information, diagnosis and treatment information, and medical claims or billing information. While patient data was exposed, Northwoods Surgery Center has not identified any actual or attempted misuse of patient information. Notification letters are now being mailed, and complimentary credit monitoring services have been made available.

Cunningham Prosthetic Care

Cunningham Prosthetic Care, a Saco, ME-based prosthetic and orthotic practice, has notified the HHS’ Office for Civil Rights about a data breach affecting 2,523 patients. On or around October 22, 2025, suspicious activity was identified within its email environment. An investigation was launched that confirmed unauthorized access to an employee’s email account. The account was reviewed, and on March 4, 2026, Cunningham Prosthetic Care confirmed that the account contained patient information.

Data exposed and potentially acquired included names, dates of birth, Social Security numbers, medical record numbers, driver’s license numbers, diagnostic and treatment information, and health insurance information. The types of exposed data varied from individual to individual. Notification letters were mailed to the affected individuals on May 1, 2026. The practice has implemented additional security measures to enhance data privacy and security.

Healthcare In Action

Healthcare In Action, a medical group serving the homeless population in California, has recently identified unauthorized access to an employee’s email account between January 28, 2026, and January 30, 2026. The account was compromised using stolen credentials. The unauthorized access was limited to a single email account, which has now been secured. Third-party experts were engaged to investigate and determined that the account contained the information of 1,143 individuals, including patients and other individuals.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: date of birth, email address, phone number, driver’s license/state ID number, Social Security numbers, ethnicity, housing application case number/HMIS number, health plan information, mailing/physical address, medical record number, diagnosis/condition information, date(s) of service, location(s) of service, treatment information, disability verification information, and/or medication information. For non-patients, the compromised data included names, addresses, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Preakness Healthcare Center

Preakness Healthcare Center, a Wayne, NJ-based skilled nursing facility, has recently identified unauthorized access to its computer network. Suspicious activity was first identified on March 4, 2026. The forensic investigation confirmed that an unauthorized third party had access to parts of its computer network from February 24, 2026, to March 4, 2026, during which time residents’ data may have been viewed or acquired. The exposed data included residents’ names, demographic information, and limited clinical information. The affected individuals had been admitted on or after January 1, 2019. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. At present, the number of affected individuals has not been publicly disclosed.
