HIPAA Breach News

Data Breaches Announced by ModMed, LifeBridge Health & Right at Home

Data breaches have been announced by the EHR provider Modernizing Medicine (ModMed), the Baltimore healthcare provider LifeBridge Health, and the home health care provider Right at Home.

Modernizing Medicine

Modernizing Medicine (ModMed), a provider of specialty-specific electronic health record software, has recently notified state attorneys general about a July 2025 security incident involving theft of data from its systems. Suspicious activity was identified on its computer servers on July 21, 2025. An investigation was launched to determine the cause of the activity, and on July 29, 2025, unauthorized access to its servers was confirmed to have occurred between July 9, 2025, and July 10, 2025, during which time files containing sensitive data were copied from the servers.

The files were reviewed and found to contain personal and protected health information such as full names, dates of birth, addresses, phone numbers, email addresses, Social Security numbers, medical record numbers, patient account numbers, provider and practice names, billing and diagnostic codes, prescriptions/medications, diagnosis and treatment information, bank/financial account information, driver’s license numbers/government ID cards, and health insurance information. ModMed said full medical records were not involved, and the types of information compromised vary from individual to individual.

The affected healthcare providers were notified on September 19, 2025, and notification letters started to be mailed to the affected individuals on October 17, 2025. ModMed is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were compromised in the incident, and steps have been taken to improve security to prevent similar incidents in the future. Due to the government shutdown, the HHS’ Office for Civil Rights breach portal has not been updated in a month, so it is currently unclear how many individuals have been affected.

LifeBridge Health

LifeBridge Health, a non-profit healthcare corporation serving patients in and around Baltimore, Maryland, has recently informed patients that some of their protected health information was compromised in a data breach earlier this year. The breach involved one of its vendors, Oracle Health (formerly Cerner). LifeBridge Health was one of many healthcare providers to be affected. Hackers gained access to a legacy system as early as January 22, 2025, and obtained patient information such as names, medical record numbers, Social Security numbers, physician names, diagnoses, test results, medications, medical images, and treatment information. LifeBridge Health said the breach was confined to Oracle Health servers, and its own systems were unaffected.

Oracle Health notified LifeBridge Health about the data breach in March 2025, with notifications reportedly delayed at the request of law enforcement. Oracle Health provided LifeBridge Health with a final list of the affected individuals on September 19, 2025. The data breach was announced by LifeBridge Health on October 16, when notification letters started to be mailed to the affected individuals. Two years of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. It is currently unclear how many individuals have been affected.

Right at Home

Ever Care Corporation, which does business as Right at Home, a provider of in-home care to seniors and adults with disabilities, experienced a hacking incident that likely involved the theft of sensitive patient information. Suspicious network activity was identified on September 3, 2025, and an investigation was launched to determine the cause of the activity. Right at Home confirmed that the activity was due to an unauthorized actor, who is thought to have acquired files from its network on September 3, 2025. The review of the affected files was completed on October 6, 2025. There is currently no substitute data breach notice on the Right at Home website, and the types of information involved are not shown on the notifications published on attorneys’ general websites. The exact types of information involved are detailed in the individual notification letters. Right at Home is paying for single-bureau credit monitoring, credit score, and credit report services for the affected individuals.  It is currently unclear how many individuals have been affected.

While not described by Right at Home as a ransomware attack, a ransomware group claimed responsibility for the attack. The Sinobi ransomware group, which has attacked several healthcare providers in recent months, claimed to have exfiltrated around 50 GB of data and encrypted files. Right at Home was listed on its data leak site on October 8, 2025. As such, any individual receiving a notification letter should sign up for the credit services being offered.

The post Data Breaches Announced by ModMed, LifeBridge Health & Right at Home appeared first on The HIPAA Journal.

Yale New Haven Health Agrees to $18 Million Data Breach Settlement

An $18 million settlement proposed by Yale New Haven Health to resolve claims stemming from a 2025 data breach has been granted preliminary approval by a federal court judge. Yale New Haven Health is a non-profit health system that operates five acute care hospitals, including the main teaching hospital for the Yale School of Medicine, as well as a medical foundation and several outpatient facilities in Connecticut, New York, and Rhode Island. The health system employs more than 12,000 people, including 4,500 university and community physicians.

The data breach in question was reported to the HHS’ Office for Civil Rights on April 11, 2025, as involving the protected health information of up to 5,556,702 individuals. The New Haven, Connecticut-based health system identified suspicious network activity on March 8, 2025, and the breach was announced via its website three days later. Yale New Haven Health later confirmed that hackers accessed its network on March 8, 2025, and exfiltrated files containing patient information.

While its electronic medical record system was not accessed, the stolen files contained patient information, including names, addresses, telephone numbers, email addresses, dates of birth, race/ethnicity information, patient types, medical record numbers, and Social Security numbers. At more than 5.5 million affected individuals, the data breach was, and still is, the largest healthcare data breach of the year.

The cyberattack was announced quickly, reported to OCR well within the breach reporting deadline, and notification letters were issued promptly. Yale New Haven Health has also agreed to settle the resultant litigation quickly. Data breach lawsuits can take many months and even years to resolve, yet in this case, a settlement has been approved to resolve the litigation in just 7 months. The first lawsuit over the data breach was filed in March 2025, followed by 17 additional complaints, which were consolidated into a single action in June 2025 – In Re: Yale New Haven Health Services Corp. Data Breach – in the U.S. District Court for the District of Connecticut.

The plaintiffs alleged in the consolidated lawsuit that Yale New Haven Health had failed to implement reasonable and appropriate cybersecurity measures to secure the data stored on its network, and had reasonable measures been implemented, the data breach could have been prevented. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and declaratory judgment.

Yale New Haven Health denied all claims in the lawsuit and filed a motion to dismiss in July, with the plaintiffs filing their opposition in August. At the end of August, all parties attended mediation, and the material terms of a settlement were agreed upon. The details of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Yale New Haven Health has agreed to establish an $18,000,000 settlement fund to cover all costs associated with the litigation – Attorneys’ fees and expenses, service awards for the lead plaintiffs, and settlement administration costs. The remainder of the settlement fund will be used to pay benefits to the class members. The attorneys are seeking one-third of the settlement, and the service awards are likely to be $2,500 per named plaintiff.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may claim an alternative cash payment. The cash payments are anticipated to be approximately $100 per class member. The pro rata cash payments may increase or decrease depending on the number of valid claims received, and will exhaust the settlement fund. In addition to either of those benefits, class members may also claim a two-year complimentary membership to a medical data monitoring service. Yale New Haven Health has also agreed to implement security enhancements.  The final approval hearing has been scheduled for March 3, 2026.

April 24, 2025: Yale New Haven Health System Announces 5.5-Million Record Data Breach

Yale New Haven Health System has announced a data security incident that has affected more than 5.5 million individuals. The breach report to the HHS’ Office for Civil Rights indicates up to 5,556,702 individuals had their protected health information compromised in the incident, making it the largest healthcare data breach to be reported so far this year, beating the previous record of 4.7 million individuals set this month by Blue Shield of California.

Yale New Haven Health is a nonprofit health system in New Haven, Connecticut, that includes five acute-care hospitals, a medical foundation, and multiple outpatient facilities and multispecialty centers in Connecticut, New York, and Rhode Island. On March 8, 2025, anomalous activity was identified within its information technology systems. Immediate action was taken to contain the incident, and an investigation was launched to assess the nature and scope of the unauthorized activity. Yale New Haven Health announced the security incident on its website 3 days after it was detected.

Yale New Haven Health engaged the cybersecurity firm Mandiant to assist with the investigation and said the rapid response helped to ensure it was contained and prevented disruption to patient care. Yale New Haven Health has confirmed that an unauthorized third party gained access to its network on March 8, 2025, and exfiltrated files, some of which included patient information. There was no unauthorized access to its electronic medical record system, and no financial information was compromised in the incident. The types of data stolen in the cyberattack varied from individual to individual and may have included names in combination with one or more of the following: address, telephone number, email address, date of birth, race/ethnicity, patient type, medical record number, and/or Social Security number.

Yale New Haven Health said it continuously updates and enhances its systems to protect sensitive data and will continue to do so. Individual notification letters started to be mailed to the affected individuals on April 14, 2025, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were compromised.

While questions will be asked about how hackers managed to access such a vast amount of patient data, Yale New Haven Health should at least be commended for the rapid response, transparency, and prompt breach notifications, which started to be sent on April 14, 2025.

Florida Hospital Fires Employees for Taking Unauthorized Photographs of Sedated Patients

Four employees of Baptist Health’s Jay Hospital in Florida have been terminated for allegedly taking unauthorized photographs of patients and sharing the images on the Snapchat social media platform. The privacy violations reportedly occurred in February 2025. The employees were alleged to have entered patients’ rooms late at night and photographed patients while they were sleeping or medicated without the patients’ knowledge or consent.

Personal injury attorney Joe Zarzaur was contacted by three patients who were recently notified about the privacy violations by the hospital. It is unclear why it took so long for the affected patients to be notified, or how many patients have been affected. The nature of the photographs was not disclosed to the patients. According to Zarzaur, the patients were informed that the photographs were “unflattering” and “horrible.” They were not told how many photographs were taken or exactly what the photographs showed, and were not allowed to see any of the images.

One of the patients was notified about the privacy violation while they were still admitted at Jay Hospital, and another was informed when they visited an outpatient rehab facility. At least two of the affected patients are taking legal action for invasion of privacy and are being represented by Zarzaur.

“Upon learning of the allegation, we immediately conducted a preliminary investigation and notified the appropriate authorities and the patients,” explained a spokesperson for Jay Hospital. “Following the investigation, the individuals involved were terminated. We are committed to protecting the privacy, safety, and dignity of our patients. As this matter involves patient privacy and is currently under investigation, we are unable to share further details at this time.”

The sharing of protected health information (PHI) for reasons unrelated to treatment, payment, or hospital operations is not permitted by the HIPAA Privacy Rule, unless consent is obtained from the subject of the PHI.  Photographs of patients are classed as PHI, and the employees clearly violated HIPAA as well as ethical and professional standards.

Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members

Approximately 462,000 current and former customers of Blue Cross Blue Shield of Montana (BCBSMT) have been affected by a cyberattack on its New Jersey-based business associate, Conduent Business Services. Conduent Business Services provides BCBSMT with payment, document processing, and other back office services, which require access to BCBSMT members’ protected health information. On January 13, 2025, Conduent Business Services identified a security incident that caused operational disruption – terminology typically used to describe a ransomware attack.

Conduent Business Services was able to restore access to the affected systems and return to normal business operations within a few days. The investigation confirmed unauthorized access to its IT environment commencing on October 21, 2024, and lasting for almost three months. During that time, files were exfiltrated from its network. On April 9, 2025, Conduent Business Services disclosed the cyberattack in a filing with the U.S. Securities and Exchange Commission (SEC). At the time, it was unclear exactly how many individuals had been affected.

On October 8, 2025, Conduent Business Services notified the California Attorney General about the data breach, which reportedly affected approximately 4.3 million individuals. It is unclear how many of the company’s clients were affected by the breach, and if the breach affected any other HIPAA-covered entity clients. The breach is not currently listed on the HHS’ Office for Civil Rights website.

BCBSMT notified the Montana State Auditor’s Office about the data breach in early October, almost one year after the breach was first detected by its business associate. BCBSMT claims to have been notified that it was affected earlier this year and has been conducting its own investigation and reviewing the affected data. The review was not completed until September 23, 2025. The BCBSMT data breach is not listed on the OCR breach portal, although the breach portal has not been updated by OCR since September 24, 2025, due to the government shutdown. The Montana State News Bureau learned about the data breach after submitting a records request. The obtained documents indicate that up to 462,000 Montanans have been affected, and that the compromised information included names, birth dates, Social Security numbers, treatment and diagnosis codes, provider names, and claims amounts.

The Montana Commissioner of Securities and Insurance has launched an investigation to determine if there has been a violation of state data breach notification laws, which require individuals to be notified about a data breach in a timely manner. Breached entities must also notify the Department of Justice about a data breach without unreasonable delay, but there is currently no listing on the DOJ consumer protection website about the data breach. The state auditor is seeking answers to questions about the data breach and has requested a copy of its privacy and security policies. Should BCBSMT be determined to have failed to comply with state laws, financial penalties may be imposed.

September 2025 Healthcare Data Breach Report

While the figures in our September 2025 data breach report look encouraging, there is a major caveat. Due to the government shutdown, the HHS’ Office for Civil Rights (OCR) has largely stopped adding data breaches to its data breach portal.  The figures for September are therefore likely to increase considerably when the furlough comes to an end, staff return to work, and the backlog of data breach reports is addressed. While we do not generally update our monthly breach reports after publication, we will revise the figures and re-publish this report when the government shutdown comes to an end.

As of October 22, 2025, OCR has added 26 data breaches affecting 500 or more individuals to its data breach portal – the lowest monthly total since December 2018.  While data breaches are down 56% from August’s 64 data breaches, there are likely to be several more breaches added to that total. That said, there has been a downward trend in healthcare data breaches since April, and the year-to-date total from January 1 to September 30 is 469 data breaches, compared to 554 data breaches in the corresponding period in 2024. Even accounting for missing breach reports due to the government shutdown, data breaches are down considerably from last year.

[Figure: Healthcare data breaches in the past 12 months]

Across the 26 September data breaches on the OCR data breach portal, the protected health information of at least 1,294,769 individuals was exposed or impermissibly disclosed, marking the third consecutive month with a fall in the number of affected individuals, and currently down 65.9% from August. That number could increase considerably, but currently, for the year-to-date, 42,216,193 individuals have had their protected health information exposed or impermissibly disclosed. While this year’s total is higher than in the whole of 2019 and 2020, the number of affected individuals is down 85% compared to last year and 75% compared to 2023.

[Figure: Individuals affected by healthcare data breaches in the past 12 months]

The Biggest Healthcare Data Breaches Announced in September

Currently, 42% of the month’s breaches (11 incidents) involved the exposure or impermissible disclosure of the protected health information of 10,000 or more individuals. All but one of the 11 data breaches were hacking incidents involving unauthorized access to protected health information stored on network servers, with one incident involving a compromised email account. Goshen Medical Center was the worst-affected covered entity, with more than 456,000 patients affected by its hacking incident. One provider that stands out is Sturgis Hospital, which was investigating a cyberattack that occurred in December 2024, when another intrusion was experienced in June 2025.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Goshen Medical Center | NC | Healthcare Provider | 456,385 | Network server hacking incident |
| Medical Associates of Brevard, LLC | FL | Healthcare Provider | 246,711 | Network server hacking incident |
| Doctors Imaging Group | FL | Healthcare Provider | 171,862 | Network server hacking incident – Data theft confirmed |
| Retina Group of Florida | FL | Healthcare Provider | 152,691 | Network server hacking incident |
| Sturgis Hospital | MI | Health Plan | 77,771 | Network server hacking incident |
| Sturgis Hospital | MI | Healthcare Provider | 77,771 | Network server hacking incident |
| PGA Development, Inc. | PA | Healthcare Provider | 23,899 | Network server hacking/IT Incident |
| Teamsters Union 25 Health Services & Insurance Plan | MA | Health Plan | 19,231 | Network server hacking incident |
| Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice (“Treasure Health”) | FL | Healthcare Provider | 13,234 | Email account breach |
| People Encouraging People | MD | Healthcare Provider | 13,083 | Ransomware attack – Data theft confirmed |

The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to OCR and issue notifications within 60 days of the discovery of a data breach; however, if the total number of affected individuals is not known at that point, an estimate should be provided to OCR. Many regulated entities submit a breach report using a placeholder figure of 500 or 501 affected individuals, then provide an updated total when the file review is concluded. Four data breaches were reported in September using 500 or 501 totals indicative of a placeholder. These data breaches could affect considerably more individuals than the initial breach report suggests.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Cookeville Regional Medical Center | TN | Healthcare Provider | 500 | Hacking/IT Incident |
| Hampton Regional Medical Center | SC | Healthcare Provider | 501 | Hacking/IT Incident |
| Coos County Family Health Services | NH | Healthcare Provider | 501 | Hacking/IT Incident |
| La Perouse, LLC | NV | Business Associate | 501 | Hacking/IT Incident |

Causes of September 2025 Healthcare Data Breaches

Out of the 26 large healthcare data breaches added to the OCR breach portal in September, 23 (88.5%) were reported as hacking/IT incidents, involving unauthorized access to the protected health information of 1,279,139 individuals, which is 98.8% of the total individuals affected by data breaches in September. The average number of individuals affected by these incidents was 55,615 (median: 6,243 individuals).

[Figure: Causes of September 2025 healthcare data breaches]

The exact nature of the hacking incidents, such as whether ransomware was used to encrypt files, if a ransom demand was received, or even if data was stolen, is often not disclosed. This trend has been growing for several years and is not confined to the healthcare industry. The Identity Theft Resource Center (ITRC) has reported that this trend is evident across many industry sectors.

The remaining three data breaches were unauthorized/disclosure incidents, affecting 15,630 individuals. On average, 5,210 individuals were affected (median: 1,700 individuals). Based on the available data, no loss, theft, or improper disposal incidents were reported to OCR in September. There have been no loss/theft incidents reported since March 2025, and the last reported improper disposal incident was in May 2025.

[Figure: Location of breached protected health information in September 2025 healthcare data breaches]

Where Did the Data Breaches Occur?

[Figure: September 2025 healthcare data breaches by regulated entity type]

[Figure: September 2025 individuals affected by healthcare data breaches by regulated entity type]

Geographical Distribution of Healthcare Data Breaches in September

Florida and North Carolina were the worst-affected states, with four data breaches affecting 500 or more individuals reported by entities based in those states, and both states top the list in terms of the number of affected individuals, with 584,498 and 465,721 individuals affected, respectively.

| State | Breaches |
|---|---|
| Florida & North Carolina | 4 |
| Michigan, Pennsylvania & Tennessee | 2 |
| Louisiana, Massachusetts, Maryland, Minnesota, Missouri, New Hampshire, Nevada, Oregon, South Carolina, Texas, Virginia, and Washington | 1 |

The table below shows the number of individuals affected by healthcare data breaches based on the state where the regulated entity is based, not necessarily where the affected individuals reside.

| State | Individuals Affected |
|---|---|
| Florida | 584,498 |
| North Carolina | 465,721 |
| Michigan | 155,542 |
| Pennsylvania | 26,150 |
| Massachusetts | 19,231 |
| Maryland | 13,083 |
| Missouri | 11,538 |
| Louisiana | 6,243 |
| Minnesota | 3,572 |
| Tennessee | 2,957 |
| Oregon | 1,700 |
| Texas | 1,236 |
| Washington | 1,099 |
| Virginia | 696 |
| New Hampshire | 501 |
| Nevada | 501 |
| South Carolina | 501 |

HIPAA Enforcement Activity in September 2025

It has been a busy year of HIPAA enforcement for OCR, with 20 enforcement actions involving settlements or civil monetary penalties announced this year, including one enforcement action in September.  OCR agreed to settle alleged violations of the HIPAA Privacy Rule and Breach Notification Rule with Cadia Healthcare facilities, which agreed to pay $182,000 to resolve the alleged violations.

Cadia Healthcare is a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware. An employee had posted success stories about its patients to its social media channel; however, it had not obtained valid HIPAA authorizations for that purpose, and therefore, the use of PHI in the stories was an impermissible disclosure of PHI. After being notified by OCR, Cadia found that 150 patients had PHI posted online without valid authorizations, deleted the posts, and shut down the success story program; however, notification letters about the HIPAA breach were not issued.  The corrective action plan requires policies and procedures to be revised, training to be provided to staff members, and notification letters to be issued.

Oregon Eye Care Provider and New York Children’s Center Announce Hacking Incidents

Cyberattacks have recently been announced by River City Eye in Oregon and Elmcrest Children’s Center in New York.

River City Eye Care

River City Eye Care, an eye care provider with locations in Portland and Happy Valley, Oregon, has started notifying patients about a recent security incident involving the theft of files containing patient information. Unusual network activity was detected on or around September 8, 2025, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed unauthorized access to its network and the exfiltration of files. The affected files were reviewed, and River City Eye Care completed the review on October 1, 2025. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: address, email address, phone number, and date of birth.  Driver’s license numbers and Social Security numbers were involved for a limited number of individuals. Notification letters started to be mailed on October 16, 2025, and steps are being taken to reduce the risk of similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The Genesis threat group claimed responsibility for the attack and has added River City Eye to its data leak site. The group claims it operates a data extraction operation (no file encryption) and says it exfiltrated 200 GB of data from company management hosts and file servers, which has been made available for download. The HIPAA Journal has not downloaded any data, so cannot verify the legitimacy of the group’s claim.

Elmcrest Children’s Center

Elmcrest Children’s Center, a Syracuse, NY-based provider of support services to children with emotional, behavioral, and developmental limitations and their families, has recently disclosed a security incident involving unauthorized access to its network. The investigation into the incident is ongoing, but it has been confirmed that its network was subject to unauthorized access between March 10, 2025, and July 24, 2025, during which time files were accessed and acquired by the threat actor.

The files are still being reviewed, but based on the initial findings, the types of information involved include names, dates of birth, and medical information. Technical and administrative policies and procedures are being reviewed and will be updated to reduce the risk of similar incidents in the future. Elmcrest Children’s Center has yet to disclose how many individuals have been affected; however, the data breach does appear to be significant. The Interlock ransomware group has claimed responsibility for the attack and says almost 450 GB of data was copied.

Massachusetts Hospitals Experiencing Disruption Due to Cyberattack

A cyberattack has caused a network outage that has disrupted operations at two hospitals in North Central Massachusetts – the 134-bed non-profit Heywood Hospital in Gardner, and Athol Hospital, a 25-bed critical access hospital in Athol, both owned and operated by Heywood Healthcare.

The attack was detected last week, and systems were immediately taken offline to protect the network and patients. Incident response protocols were activated, a Code Black was declared, and the emergency department was closed to all patients arriving by ambulance. Ambulances were diverted to other facilities due to the inability to access certain systems. Radiology and laboratory services have also been disrupted.

The attack affected its Internet connection, email system, and phone lines, and while communications are back up and running, some issues are still being experienced. On Thursday, October 16, 2025, the hospital confirmed that the network outage was caused by a cybersecurity incident and that a third-party cybersecurity firm has been engaged to assist with the investigation and recovery. The Athena portal is online, and patients are encouraged to use the portal to communicate with the hospital and providers, and its answering service is operational if the portal cannot be accessed.

Heywood Hospital said its main priority is ensuring that care continues to be provided to patients, and has confirmed that both hospitals and Heywood Medical Group have remained open throughout and are continuing to provide care to patients. Heywood Healthcare is working with the cybersecurity experts to restore systems as quickly as possible, but no timeline has been provided for when full functionality will be restored. The exact nature of the attack, such as whether ransomware was involved, has not been disclosed. No ransomware group appears to have claimed responsibility for the attack. At such an early stage of the investigation, it is unclear to what extent, if any, patient data has been exposed or if sensitive data was stolen in the attack. Heywood Healthcare said it will provide further updates as more is learned about the incident.

Patient care is often disrupted by cyberattacks, the extent of which was recently explored in a survey conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint. The survey found that 93% of healthcare organizations in the study had experienced a cybersecurity incident in the past 12 months, and 72% had experienced a cybersecurity incident that disrupted patient care. Healthcare providers reported negative impacts such as cancelled appointments, delayed intake, longer patient stays, poorer outcomes, increased complications from medical procedures, and an increase in mortality rate following a cyberattack.

The post Massachusetts Hospitals Experiencing Disruption Due to Cyberattack appeared first on The HIPAA Journal.

Data Breaches Announced by Watsonville Community Hospital & Palomar Health Medical Group

Data breaches have recently been announced by Watsonville Community Hospital and Palomar Health Medical Group in California, and the Phia Group in Massachusetts.

Watsonville Community Hospital

Watsonville Community Hospital in California is notifying individuals affected by a November 2024 security incident. Suspicious activity was identified within its computer systems on November 29, 2024, and the investigation confirmed that there had been unauthorized access to its network from November 25, 2024, to November 30, 2024, when the hackers were ejected from its network. The investigation confirmed that files containing patient information were either accessed or downloaded during those five days.

The file review confirmed that the data compromised in the incident included names, addresses, and driver’s license numbers or government ID numbers, with the exposed data varying from individual to individual. Notification letters started to be sent to the affected individuals on December 30, 2024; however, the file review was not completed until September 22, 2025. The final batch of notification letters started to be mailed on October 15, 2025.

The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. Watsonville Community Hospital has implemented additional cybersecurity safeguards and has provided further training to its workforce. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Palomar Health Medical Group

Arch Health Partners, Inc., doing business as Palomar Health Medical Group, in Poway, California, has started notifying patients about a data security incident first identified on May 5, 2024. Palomar Health Medical Group launched an investigation into suspicious network activity and confirmed that an unauthorized threat actor gained access to certain files on its network on April 23, 2024, and maintained access until the data breach was detected on May 5, 2024. During that time, files may have been copied that contained patient information.

The data compromised in the incident included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, military identification numbers, passport numbers, U.S. alien registration numbers, financial account information, payment card information, health savings account information, medical histories, diagnostic information, treatment information, biometric data, medical record numbers, Medicare/Medicaid identification numbers, patient account numbers, health insurance information, email addresses and passwords, and usernames and passwords.

Palomar Health Medical Group had previously announced the cyberattack and data breach; however, it took until September 4, 2025, to finish the review of the affected files to allow notification letters to be sent. Complimentary credit monitoring and identity theft protection services have been made available for 12 or 24 months, and steps have been taken to improve security to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The Phia Group

The Phia Group, a Canton, Massachusetts-based provider of outsourced cost containment and payment integrity solutions to healthcare payers, has recently notified the Massachusetts Attorney General about a recent data security incident. The notice is a copy of the data breach notifications sent to the affected individuals, and it provides no information about the nature of the data breach, such as when it occurred, when it was detected, or the cause of the breach. The data potentially compromised in the incident includes names, Social Security numbers, and medical record numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

This post will be updated when further information becomes available.

The post Data Breaches Announced by Watsonville Community Hospital & Palomar Health Medical Group appeared first on The HIPAA Journal.

Five Healthcare Providers Warn Patients About Cyberattacks & Data Breaches

Cyberattacks and data breaches have been announced by Crenshaw Community Hospital in Alabama, Waveny LifeCare in Connecticut, Aunt Martha’s Health and Wellness in Illinois, Pulse Urgent Care Center in California, and MyCardiologist in Florida.

Crenshaw Community Hospital

Crenshaw Community Hospital in Luverne, Alabama, has recently announced a security incident. Crenshaw Community Hospital said the incident was detected on June 16, 2025, and involved “network disruption that impacted the functionality and access of certain computer systems.” Third-party cybersecurity experts were engaged to investigate the incident and provide help with securing its environment. The investigation into the attack is ongoing, but it has been determined that certain files were copied from its systems.

The ransomware group Payouts King has claimed responsibility for the attack. The group is known to engage in double extortion, stealing data and demanding payment to prevent its publication and for the decryption keys to unlock files. The group claims to have exfiltrated 53 GB of data, has listed Crenshaw Community Hospital on its dark web data leak site, and claims to have published the entire dataset as the ransom was not paid.

Crenshaw Community Hospital is still reviewing the affected data to determine the individuals affected and the types of data involved. Individual notification letters will be mailed when the file review is concluded. In the meantime, all patients have been advised to remain vigilant against identity theft and fraud by monitoring their account statements, explanation of benefits statements, and free credit reports.

Waveny LifeCare

Waveny LifeCare Network, a New Canaan, Connecticut-based provider of senior living and healthcare services, has experienced a cyberattack that disrupted its network systems. The attack was detected on or around May 28, 2025, and immediate action was taken to contain the incident and secure its systems. Waveny LifeCare engaged third-party cybersecurity experts to assist with the investigation, who confirmed that the attackers accessed certain data on its network.

The investigation and file review are ongoing, but it has been confirmed that the following types of information were involved: name, address, date of birth, admission/discharge date, date of death, telephone number, email address, Social Security number, medical record number, patient account number, facial photographic images, laboratory test results, medical imaging results, driver’s license number, electronic health records, health insurance account or policy number, payment information, Medicare or Medicaid information, and/or financial account number. While sensitive data was accessed, no evidence has been found to date to indicate that any of that information has been misused. Notification letters will be sent to the affected individuals when the file review is concluded.

Aunt Martha’s Health and Wellness

Aunt Martha’s Health and Wellness, a provider of community health, wellness, and support services in Illinois, has fallen victim to a ransomware attack. The attack was detected on August 13, 2025, when suspicious network activity was observed. The forensic investigation confirmed that a threat actor gained access to its computer network on August 12, 2025, exfiltrated sensitive data, and deployed malware that encrypted files. The attack was rapidly contained, and systems and data were restored from backups, without paying the ransom. No evidence has been found to indicate that any of the compromised data has been misused; however, the affected individuals have been advised to remain vigilant against identity theft and fraud.

While the file review is ongoing, Aunt Martha’s Health and Wellness has identified the general categories of information exposed in the incident as name, address, birth date, provider/facility name, medical condition, diagnosis information, treatment information, lab results, prescriptions/medications, personal history, mental health information, insurance/payment amount history information, date(s) of service, Social Security number, medical information, health insurance information, and driver’s license or state identification number. Other information created, used, or disclosed in the course of providing health care services may also have been compromised.

Pulse Urgent Care Center

Pulse Urgent Care Center, which has locations in Redding and Red Bluff in California, is alerting patients about a network security breach that was identified on March 24, 2025. The incident was investigated and determined to involve network access by an unauthorized third party who deployed malicious software. The attack caused temporary disruption to its IT systems; however, network access and data were rapidly restored from backups, and normal operations were quickly resumed.

The investigation confirmed on May 1, 2025, that some patient data had been exposed and may have been viewed or acquired. The types of data involved vary from individual to individual, and may include names, dates of birth, home addresses, phone numbers, diagnoses, service dates, and treatment information. Pulse Urgent Care Center has strengthened its web server infrastructure and has implemented enhanced safeguards to prevent similar incidents in the future. Individual notification letters state the specific information involved for each individual. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

MyCardiologist

Cardiovascular Medicine Associates, PA, which does business as MyCardiologist, a cardiology practice with nine locations in South Florida, is alerting patients about a cyberattack involving the theft of data from its network. The attack was detected on June 12, 2025, when suspicious activity was observed within its email system. Third-party investigators determined that its email system was compromised on May 30, 2025, and an unauthorized third party had access to its environment until June 12, 2025, when the security breach was identified and blocked. The forensic investigation confirmed that the threat actor copied data from its environment.

Notification letters started to be mailed to the affected individuals on October 7, 2025, following a comprehensive and time-consuming review of the affected data. The review confirmed that names, addresses, dates of birth, clinical information, diagnoses, provider names/locations, and Medicare numbers were compromised in the incident. No evidence has been found to indicate that any of the impacted data has been misused; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Five Healthcare Providers Warn Patients About Cyberattacks & Data Breaches appeared first on The HIPAA Journal.