HIPAA Breach News

Florida Practice Management Company Announces June 2025 Data Breach

Think Big Health Care Solutions, a Florida-based practice management company, and Minnesota Epilepsy Group have recently confirmed cyberattacks and data breaches. Ransomware groups have claimed responsibility for attacks on Emerson Chiropractic in Indiana and El Paso Quality Dentistry in Texas.

Think Big Health Care Solutions, Florida

Think Big Health Care Solutions, a Wellington, FL-based practice management company that provides billing, contracting, and credentialing services to medical practices, has identified unauthorized access to an employee’s email account. Suspicious activity within the account was identified on June 20, 2025, and third-party cybersecurity specialists were engaged to investigate the incident.

Evidence was found that suggested some emails and files in the account had been accessed by an unauthorized third party. A review was conducted to determine the types of information involved and the individuals affected, and notification letters will be mailed to those individuals when that process has been completed. Think Big Health Care Solutions has confirmed that the account contained information such as first names, initials, and last names, addresses, telephone/fax numbers, email addresses, dates of birth, Social Security numbers, tax identification numbers, passport numbers, admission dates, health insurance policy numbers, bank/financial account numbers and routing numbers, credit/debit card information, diagnoses/conditions, lab results, medications, claims information, medical record numbers, other medical/health information, CPT codes, and referring provider names.

Additional technical and administrative measures have been implemented to prevent similar incidents in the future, and enhanced training is being provided to the workforce on phishing detection, secure data handling, and incident response procedures.

Minnesota Epilepsy Group

Roseville, MN-based Minnesota Epilepsy Group (MEG) has experienced a cybersecurity incident that affected certain systems within its network and caused some disruption to business operations. According to the April 25, 2025, substitute breach notice, MEG identified the incident on February 27, 2025. Immediate action was taken to secure its systems, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. The investigation is ongoing, but it has been confirmed that client and employee data were exposed in the incident.

The exact types of data involved have yet to be confirmed, but likely include individuals’ names, addresses, dates of birth, medical record numbers, EEG summaries, neuropsychology reports, medication records, and health insurance information. No evidence of misuse of that information has been identified to date; however, the affected individuals have been advised to remain vigilant and should review their financial account statements for signs of fraudulent activity. MEG said it continually evaluates and modifies its practices to enhance privacy and security and is taking steps to augment existing cybersecurity measures to prevent similar incidents in the future.

Ransomware Groups Claim Responsibility for Attacks on Two Healthcare Providers

Ransomware groups have recently claimed responsibility for attacks on two healthcare providers, Emerson Chiropractic in Indiana and El Paso Quality Dentistry in Texas. The Dragonforce ransomware group claims to have stolen 96 GB of data from Emerson Chiropractic, which provides chiropractic services to individuals in the Southside of Indianapolis. Stolen data has been published on the data leak site, indicating the ransom was not paid.

The Beast ransomware group has added El Paso Quality Dentistry to its data leak site and claims to have stolen approximately 700 GB of data. Screenshots have been uploaded to the data leak site, indicating a broad range of data has been stolen, with some folder names suggesting patient data was involved. Currently, the stolen data has not been leaked. Neither healthcare provider has publicly announced a cyberattack or data breach at the time of writing.

The post Florida Practice Management Company Announces June 2025 Data Breach appeared first on The HIPAA Journal.

Wood River Health Notifies 54K Patients About August 2024 Data Breach

Data incidents have recently been announced by Wood River Health in Rhode Island, Jack L Marcus in Wisconsin, and Avala and Primary Health Services Center in Louisiana.

Wood River Health, Rhode Island

Wood River Health, a provider of medical, dental, and social services to communities in southwestern Rhode Island and southeastern Connecticut, has recently announced a data breach that has affected 54,926 individuals. Suspicious activity was identified in an employee’s email account on or around September 6, 2024. Assisted by third-party cybersecurity experts, Wood River Health investigated the activity and confirmed that an unauthorized third party had access to the email account between August 8, 2024, and September 6, 2024, and may have viewed or acquired names and Social Security numbers.

The review of the affected account was completed on or around May 29, 2025, and notification letters were mailed to the affected individuals on or around July 28, 2025. The affected individuals have been offered 12 months of complimentary credit monitoring services, additional safeguards have been implemented to improve security, and employees have been provided with further security awareness training.

Avala, Louisiana

Avala, a Covington, LA-based physician-led health network that operates a 21-bed hospital in St. Tammany Parish, a surgery center in Metairie, and a medical imaging center in Covington, has recently announced a cybersecurity incident, discovered on May 30, 2025, that impacted its IT systems. Third-party cybersecurity experts were engaged to assist with containment and remediation and determine if patient data was exposed. No instances of identity theft or fraud have been identified; however, the investigation confirmed on July 23, 2025, that patient data had been exposed and was potentially exfiltrated from its network.

The exposed data varied from individual to individual and may have included names, addresses, birth dates, treatment information, health insurance information, and Social Security numbers. Notification letters are now being sent to the affected individuals. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Primary Health Services Center, Louisiana

Primary Health Services Center (PHSC), a Monroe, LA-based non-profit healthcare provider that operates several clinics serving the Ouachita, Morehouse, and Lincoln Parishes, has started notifying individuals affected by a recent cybersecurity incident. The nature of the incident was not detailed in the website data breach announcement, nor was the date the incident was detected.

Third-party cybersecurity professionals were engaged to investigate the incident, and the investigation and file review are ongoing. The number of affected individuals and the types of exposed data have yet to be publicly disclosed. PHSC is currently unaware of any misuse of patient information as a result of the incident and said data security policies and procedures have been enhanced to reduce the risk of similar incidents in the future.

The security breach appears to be a ransomware attack by the Inc Ransom ransomware group, which added PHSC to its dark web data leak site on December 24, 2024. Inc Ransom uploaded the stolen data on January 15, 2025, which includes user data, employee data, and financial information.

Jack L Marcus Inc.

Jack L Marcus Inc., a Milwaukee, WI-based retailer that allows orders to be placed for incarcerated individuals under an agreement with the Wisconsin Department of Corrections, has announced a data breach affecting 712 individuals. According to the substitute breach notice, a website misconfiguration allowed limited information to be displayed that should have been hidden.

Between August 15, 2024, and May 16, 2025, the name of the treatment facility where an incarcerated individual was housed was displayed to the person placing an order for that individual. The facility address was masked, but the name of the treatment facility was displayed. No other information was impermissibly disclosed. The error was identified on March 15, 2025, and was corrected the following day. Jack L Marcus has reviewed and updated its processes and technology to prevent similar incidents in the future.

Texas Gastroenterology Clinic Falls Victim to Interlock Ransomware Attack

Ransomware groups have attacked three healthcare providers: Gastroenterology Consultants of South Texas, Infinite Services in New York, and High Point Treatment Center in Massachusetts.

Gastroenterology Consultants of South Texas (Texas Digestive Specialists)

Gastroenterology Consultants of South Texas, which does business as Texas Digestive Specialists, has recently disclosed a May 2025 cybersecurity incident and data breach. According to the substitute data breach notice, an unauthorized third party gained access to its network in late May 2025 and may have obtained files containing personally identifiable information (PII) and protected health information (PHI). The Texas Attorney General was informed that the exposed information may have included names, addresses, dates of birth, medical records, and health insurance information.

The breach notification does not state when the attack was detected or for how long the hackers had access to the network. Third-party cybersecurity experts assisted with the investigation, and the lessons learned will be used to enhance the security of its IT systems. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that the PII and PHI of 41,521 Texans was exposed in the incident. The affected individuals have been offered complimentary credit monitoring services.

The breach notification letters do not mention ransomware; however, the Interlock ransomware group claimed responsibility for the attack and added the practice to its dark web data leak site. The group claims to have stolen 263 GB of data, which has been leaked online. Interlock was recently the subject of a joint alert from the FBI, CISA, HHS, and MS-ISAC following an increase in attacks on critical infrastructure entities.

Infinite Services, New York

Infinite Services, a New York-based provider of physical therapy, occupational therapy, speech therapy, and home health services, has fallen victim to a ransomware attack that exposed patient and employee data. The attack was detected on May 5, 2025, when employees were prevented from accessing the network. Third-party cybersecurity experts were engaged to investigate the incident and confirmed there was unauthorized access to one of its servers.

Ransomware was used to encrypt files, although the server was powered off, interrupting the encryption process. On June 23, 2025, Infinite Services determined that the affected server contained patient and employee information, and the decision was made to send notification letters to all potentially affected individuals rather than wait for a document review to determine exactly which individuals had been affected. That decision ensured that notification letters were mailed promptly.

The ransomware group was not named; however, Infinite Services said no ransom was paid, and at the time notification letters were issued, none of the stolen data had been published online. Since data may be leaked, the affected individuals should take advantage of the complimentary credit monitoring and identity theft protection services that have been offered. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals were affected or notified.

High Point Treatment Center, Massachusetts

High Point Treatment Center in New Bedford, Massachusetts, a provider of mental health and substance abuse treatment, has been added to the dark web data leak site of the Abyss ransomware group. The group claims to have exfiltrated 1.8 TB of data, although it has not listed any of the stolen data on its data leak site so far. High Point Treatment Center has yet to announce the attack or data breach.

McKenzie Memorial Hospital Announces Data Breach Affecting 54,000 Patients

McKenzie Memorial Hospital in Michigan has reported a hacking incident affecting more than 54,000 patients. Arbor Associates in Massachusetts has reported a 17K-record data breach, and data breaches have been confirmed by Blue Shield of California and Human Development Services of Westchester.

McKenzie Memorial Hospital, Michigan

McKenzie Memorial Hospital in Sandusky, Michigan, has recently disclosed a cybersecurity incident that was detected on or around April 15, 2025, when suspicious activity was identified within its network. McKenzie Memorial did not state whether ransomware was used, only that the forensic investigation confirmed that its network was accessed by an unauthorized third party between April 14, 2025, and April 15, 2025. During that time, files containing patients’ protected health information may have been accessed.

The investigation and file review were completed on June 19, 2025, and confirmed that the potentially compromised information included names, Social Security numbers, and financial account information. The data breach was recently reported to the Maine Attorney General as affecting 54,016 individuals. Credit monitoring and identity theft protection services have been offered for 12 months, and the hospital is strengthening network security and reviewing its data security policies and procedures.

Arbor Associates, Massachusetts

Arbor Associates, a business associate that helps healthcare organizations collect patient survey analytics, has recently announced a data security incident that involved unauthorized access to patient data. Unusual network activity was detected on April 17, 2025, and independent cybersecurity experts were engaged to investigate the activity. They confirmed that there was unauthorized access to its network between April 15, 2025, and April 17, 2025, during which time files containing patient information may have been acquired.

The file review was completed in May 2025, and the affected healthcare partners were notified. Data potentially compromised in the incident includes first and last name, contact information, age, biological sex, date of birth, service date, CPT or diagnosis code, medical record number, name of insurance, and/or doctor’s name. Arbor Associates started mailing notification letters on behalf of the affected clients on July 3, 2025. The data breach was reported to the HHS’ Office for Civil Rights as a network server incident affecting 17,040 individuals.

Blue Shield of California

The health insurer Blue Shield of California (BSC) has recently notified the California Attorney General about a recent HIPAA breach. On May 22, 2025, BSC learned that a broker with Harmon Insurance Services had passed away, and the late broker’s husband had accessed her online client list after her death. He then asked a friend, who was also a broker, to assist her clients. A former employee of the late broker may also have accessed the client list and client applications between March 25, 2025, and May 22, 2025.

The access was unauthorized, and upon discovery, the login credentials were revoked to prevent further unauthorized access. No evidence was found to indicate any acquisition of members’ information. Information potentially accessed included names, member IDs, Social Security numbers, birth dates, addresses, phone numbers, group ID numbers, and Medicare numbers.

The affected individuals have been notified by mail and offered a one-year membership to an identity theft protection service. The OCR data breach portal lists the incident as affecting 1,543 individuals. A later breach report indicates that an email breach also occurred that affected 673 individuals.

Human Development Services of Westchester, New York

Human Development Services of Westchester, a provider of community-based direct-care services for vulnerable populations in New York State, has recently announced unauthorized access to its email tenant. Suspicious activity was identified within a single email account, and the forensic investigation confirmed unauthorized access between May 19, 2025, and May 20, 2025. The review of the account and attachments is ongoing, so it is not yet possible to determine the exact types of information involved or the number of affected individuals. The account likely contained employee and patient information.

Email security is currently being reviewed, and new cybersecurity tools are being assessed. The breach has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals. The total will be updated when the review concludes.

Cumberland County Hospital Data Breach Affects Almost 37,000 Individuals

While compiling data for last month’s data breach report, the HIPAA Journal identified a data breach that had previously been missed. On June 2, 2025, Cumberland County Hospital Association in Kentucky notified the HHS’ Office for Civil Rights about a hacking-related data breach that affected 36,659 individuals. Cumberland County Hospital detected the hacking incident on April 3, 2025. According to its substitute breach notice, an unauthorized third party had access to its network between February 21, 2025, and April 3, 2025. While its electronic medical record system was not accessed, files on the compromised parts of the network were discovered to include patient information, and some of those files were accessed during the attack.

The review of the files confirmed they contained demographic information (name, date of birth, address, phone number(s), email address, race, and ethnicity), along with Social Security numbers, medications, diagnoses, treatment notes, dates of service, medical record numbers, health plan numbers, and claims and billing information. Some employee data was also compromised in the attack, which may have included additional information such as driver’s license, birth certificate, background check information, W-4s and W-2s, and bank account numbers. Notification letters were mailed to the affected individuals on June 2, 2025, and credit monitoring and identity theft protection services have been offered for 12 months.

Ellis Medicine Discovers Unauthorized Access to Employee Email Account

Ellis Medicine, a Schenectady, NY-based health system serving the Capital District in New York State, has notified the Maine Attorney General about a data incident that involved unauthorized access to an employee’s email account. Suspicious activity was identified in the account, which was immediately secured. Third-party digital forensics specialists were engaged to investigate the activity and confirmed that the account was accessed “for a limited period” from January 17 through January 24, 2025, and again from March 27 through April 5, 2025.

The account was reviewed to identify the types of information potentially accessed, and that review was completed on May 14, 2025. Emails and attachments were discovered to include the personal and protected health information of 13,383 individuals. The notification to the Maine Attorney General includes mail merge fields rather than a list of potentially compromised data, and there is currently no substitute breach notice on the Ellis Medicine website, so the types of information compromised are unknown.

Notification letters are being mailed to the affected individuals, which will state the exact types of information involved for each patient. Ellis Medicine has offered single-bureau credit monitoring, credit report, and credit score services to the affected individuals for 12 months.

New York Surgery Center Pays $250K to Settle HIPAA Risk Analysis; Breach Notification Violations

Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Director, Paula M. Stannard, has announced OCR’s 18th HIPAA penalty of the year. Syracuse ASC, which does business as Specialty Surgery Center of Central New York, a single-facility ambulatory surgery center in Liverpool, New York, has agreed to settle alleged violations of the HIPAA Security Rule and HIPAA Breach Notification Rule and will pay a $250,000 financial penalty.

OCR launched an investigation of Syracuse ASC after receiving a data breach notification report on October 14, 2021, about a hacking incident involving unauthorized access to the protected health information of 24,891 current and former patients. A threat actor had access to its network from March 14, 2021, through March 31, 2021, and potentially obtained names, dates of birth, Social Security numbers, financial information, and clinical treatment information. OCR’s investigation confirmed that this was a ransomware attack involving PYSA ransomware.

OCR’s investigation uncovered no evidence to suggest that Syracuse ASC had ever conducted a risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information, as required by the HIPAA Security Rule – 45 C.F.R. §164.308(a)(1)(ii)(A). OCR also determined that Syracuse ASC had failed to issue timely notifications to the HHS Secretary and the affected individuals. The data breach was identified on March 31, 2021, yet notifications were not issued for six and a half months. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach – 45 C.F.R. § 164.404(b) and 45 C.F.R. § 164.408(b).

Syracuse ASC was given the opportunity to resolve the alleged HIPAA violations informally, and the case was settled. Syracuse ASC has agreed to pay a $250,000 penalty and adopt a corrective action plan to ensure compliance with the HIPAA Rules. The corrective action plan requires Syracuse ASC to conduct an accurate and thorough risk analysis; develop and implement a risk management plan; develop, implement and maintain policies and procedures to ensure compliance with the HIPAA Rules; distribute those policies and procedures to the workforce; and provide the workforce with training on those policies and procedures at least every 12 months.

“Conducting a thorough HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is even more necessary as sophisticated cyberattacks increase,” said OCR Director Paula M. Stannard. “HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”

OCR penalties for HIPAA violations, 2017-2025

Naper Grove Vision Care Falls Victim to Interlock Ransomware Attack

Naper Grove Vision Care in Naperville, Illinois, has recently announced a cybersecurity incident that was detected on May 24, 2025. Independent cybersecurity experts were engaged to investigate unusual network activity and confirmed that an unauthorized third party accessed its network and exfiltrated files containing patient information.

The file review revealed the stolen files contained names, addresses, birth dates, driver’s license numbers, patient numbers, health insurance information, explanation of benefits documents, and medical condition and treatment information. A limited number of patients also had their Social Security numbers stolen.

Naper Grove Vision Care has advised the affected patients to monitor their account statements and credit reports closely and report any suspicious activity to law enforcement. There is no mention of complimentary credit monitoring services in the substitute data breach notice. The data breach has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals.

While ransomware was not mentioned in the notice, a ransomware group has claimed responsibility for the attack. The Interlock ransomware group has added Naper Grove Vision Care to its data leak site and claims to have stolen 214 GB of data in the attack across 32,971 folders and 656,891 files. The full data has been leaked, indicating the ransom was not paid.

Florida Lung, Asthma & Sleep Specialists Cyberattack Affects Up to 10,000 Patients

Florida Lung, Asthma & Sleep Specialists (FLASS), which has offices in Orlando, Kissimmee, Winter Garden, and Poinciana, has notified 10,000 patients about a recent data breach. Unauthorized network activity was identified on May 11, 2025, and the forensic investigation indicated that the medical records of certain patients may have been accessed.

Data potentially compromised in the incident includes patient names, birth dates, contact information, and limited medical and billing information. The investigation is ongoing, and notification letters will soon be mailed to the affected individuals. FLASS has not uncovered any evidence to suggest that any of the exposed information has been misused; however, the affected individuals have been advised to remain vigilant and monitor their medical accounts and statements for unusual activity. The affected systems have been secured, and cybersecurity experts have been engaged to review security measures and recommend areas for improvement.

Business Associate Data Breach Affects Duke Regional Hospital Patients

A law firm that provides legal counsel and assistance to Durham County Hospital Corporation in North Carolina has experienced a data breach involving the personal and protected health information of 2,150 individuals.

Manning, Fulton & Skinner, P.A. (MFS), identified suspicious activity within its email system on February 6, 2025. An investigation was launched to determine the cause of the activity, and it was confirmed that certain MFS email accounts had been accessed by an unauthorized individual between September 19, 2024, and February 6, 2025.

Third-party data review specialists were engaged to review the affected accounts and completed the review on May 14, 2025. Durham County Hospital Corporation was notified about the data breach on May 29, 2025, and provided MFS with the necessary information for mailing notifications on July 14, 2025. The law firm has implemented additional email security measures and has offered the affected individuals 12 months of complimentary credit monitoring and identity theft protection services.

The Brien Center for Mental Health and Substance Abuse Services Announces May 2025 Hacking Incident

The Brien Center for Mental Health and Substance Abuse Services in Pittsfield, Massachusetts, has notified state attorneys general about a recent security incident involving unauthorized access to patient information. The intrusion was identified on May 21, 2025, and third-party cybersecurity specialists were engaged to investigate the incident. The Brien Center learned there was unauthorized network access between May 19, 2025, and May 21, 2025, during which time files containing patient information may have been copied from the network.

The file review confirmed that the data potentially compromised in the incident included names, dates of birth, addresses, phone numbers, email addresses, client IDs, dates and times of recent visits, and clinical diagnostic information. Credit monitoring and identity restoration services have been offered to the affected individuals. Currently, there is no breach report on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Small Michigan Physical Therapy Practice Reports Loss of Patient Data Due to Cyberattack

Complete Care Rehab, a small physical therapy practice in Eastpointe, Michigan, has been targeted by cybercriminals who gained access to its network and potentially viewed or acquired patient information. Suspicious activity was identified within its IT environment on or around May 11, 2025. Third-party cybersecurity experts were engaged to investigate the activity, and the forensic investigation confirmed that patient data was exposed and potentially stolen. The information involved may have included names, phone numbers, addresses, email addresses, dates of birth, diagnoses, treatment information, dates of service, and health insurance information. For a limited number of patients, Social Security numbers were also involved.

It is unclear from the substitute data breach notice whether ransomware was used in the attack. Data had to be restored from backups, but the restoration process failed, and all patient information was lost. Since it was not possible to determine exactly which patients were affected, the decision was taken to send notification letters to all 4,764 current and former patients.

Notification letters were mailed to the affected individuals on July 2, 2025. Complete Care Rehab said it is reviewing and enhancing its existing policies and procedures related to data privacy and security to prevent similar incidents in the future. The incident demonstrates the importance of testing backups to ensure that file recovery is possible.
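The failed restoration described above is the one concrete technical lesson on this page, so here is an added example of a minimal restore drill, written for this summary and not taken from The HIPAA Journal, Complete Care Rehab, or any provider named here. It archives a directory, records a SHA-256 manifest at backup time, restores the archive into an isolated scratch directory, and compares every restored file against the manifest. The directory name ehr_export, the archive name nightly.tar.gz, and the record files are all constructed for the demonstration; the second half of the drill deliberately truncates the archive to show that a damaged backup is reported as a failed drill rather than passing silently.

```python
"""Backup restore drill: prove a backup can be restored before it is needed.

Added example, not code from The HIPAA Journal or from any provider named on
this page. All file names and contents below are constructed for the demo.
"""
import hashlib
import json
import random
import tarfile
import tempfile
import zlib
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large exports need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of `source` plus a manifest {relative path: sha256} taken at backup time.

    The manifest is the reference the drill checks against; without it a restore
    can "succeed" while quietly returning damaged or incomplete files.
    """
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into an isolated scratch directory and compare every file with the manifest.

    `ok` is True only if every manifest entry came back byte-for-byte. Any extraction
    error is captured and reported as a failed drill, never swallowed.
    """
    report = {"ok": False, "restored": 0, "missing": [], "mismatched": [], "error": None}
    # tarfile's "data" extraction filter (3.12+, backported to maintained 3.8-3.11) rejects
    # path traversal and device entries from a hostile archive; older interpreters lack it.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch_dir, **extract_kwargs)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        for rel, expected in manifest.items():
            restored = scratch_dir / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != expected:
                report["mismatched"].append(rel)
            else:
                report["restored"] += 1
    report["ok"] = (
        report["restored"] == len(manifest) and not report["missing"] and not report["mismatched"]
    )
    return report


def run_drill(file_count: int = 3, size: int = 2048) -> dict:
    """End-to-end drill on constructed data: a healthy backup passes, a truncated one fails loudly."""
    rng = random.Random(2025)  # deterministic, incompressible filler standing in for real records
    with tempfile.TemporaryDirectory() as work:
        work_dir = Path(work)
        source = work_dir / "ehr_export"  # constructed stand-in for the data being protected
        source.mkdir()
        for i in range(file_count):
            (source / f"record_{i:03d}.bin").write_bytes(rng.randbytes(size))
        archive = work_dir / "nightly.tar.gz"
        manifest = make_backup(source, archive)
        healthy = verify_restore(archive, manifest)
        # Simulate a backup damaged by an interrupted copy: keep only the first third of the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 3])
        corrupted = verify_restore(archive, manifest)
    return {"healthy": healthy, "corrupted": corrupted}


if __name__ == "__main__":
    for name, rep in run_drill().items():
        print(name, "PASS" if rep["ok"] else "FAIL", rep)
```

The two points a practitioner should take from the drill: the comparison is against hashes recorded when the backup was made, not against whatever the archive happens to contain today, and a restore that raises any error is a failure of the drill, so a corrupted or truncated archive cannot be mistaken for a good one. Scheduling this against a copy of each real backup, on a host other than the one that wrote it, is what turns "we have backups" into "we can recover."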

Susan B. Allen Memorial Hospital Investigating Potential Cyberattack

Susan B. Allen Memorial Hospital in El Dorado, Kansas, is investigating a cybersecurity incident after receiving complaints from patients who were unable to access its online appointment scheduling system. The investigation identified anomalous activity within its network, which resulted in a system outage. Third-party cybersecurity experts have been engaged to assist with the investigation and support its recovery efforts. At such an early stage of the investigation, it has yet to be determined if patient information has been exposed or stolen. A spokesperson for the hospital confirmed that patients will be notified if their data has been exposed or stolen.
