The sensitive data of more than 23,000 Florida Medicare members has been impermissibly shared with overseas companies, putting Medicare members’ sensitive health data at risk. The data was shared by Mirra Health, a provider of administrative services to health maintenance organizations (HMOs) in Florida.

Mirra Health had contracts with three HMOs in Florida: Secure Inc, Solis Health Plans Inc., and Ultimate Health Plans Inc. Under those contracts, Mirra Health agreed to provide certain administrative services, including member enrollment, claims adjudication and payment, utilization management, and grievance and appeals processing. Mirra Health engaged four unlicensed companies in India and the Philippines to perform claims processing and other functions and provided those companies with the necessary data to perform those functions.

While Mirra Health may choose to delegate certain functions to subcontractors, sensitive data was shared with unlicensed companies without the knowledge or prior approval of the HMOs or their enrollees. Under the terms of its contracts with the HMOs, prior authorization must be received before passing any data to offshore partners.

An investigation conducted by the Florida Office of Insurance Regulation determined that Mirra Health had engaged in business practices that pose an imminent threat to the public health, safety, and welfare of state residents. Mirra Health was found to have disclosed the sensitive data of 23,119 Florida Medicare Advantage enrollees to those unlicensed companies. The majority of the affected individuals participated in Chronic Condition Special Needs Plans (C-SNPs), Dual Eligible Special Needs Plans (D-SNPs), and Institutional Special Needs Plans (I-SNPs). When the Florida Office of Insurance Regulation requested that Mirra Health produce the contracts it had signed, it failed to produce all contracts with overseas companies, in violation of section 626.884 of the Florida Insurance Code.

This week, Florida Insurance Commissioner Michael Yaworsky suspended Mirra Health LLC’s certificate of authority. Yaworsky said the company demonstrated it is not competent or trustworthy, as it disclosed sensitive Medicare data to foreign entities that are beyond the regulatory reach of the Office of Insurance Regulation, depriving both the Office and the HMOs of the ability to protect vulnerable state residents.

The post Florida Insurance Commissioner Suspends Mirra Health for Medicare Data Transfers to Foreign Companies appeared first on The HIPAA Journal.

A major data breach has been reported by the telehealth platform provider OpenLoop Health Inc. While the total number of affected individuals has yet to be publicly disclosed, it could well be one of the largest healthcare data breaches of the year to date. According to the breach notice provided to the California Attorney General, OpenLoop Health learned on January 7, 2026, that an unauthorized third party had gained access to some of its systems and copied files containing sensitive data. Third-party cybersecurity specialists were engaged to investigate and determine the nature and scope of the incident and ensure that its systems were secured and could no longer be accessed.

The forensic investigation confirmed that the unauthorized third party had access to its network from January 7, 2026, to January 8, 2026, and the files exfiltrated from its systems included information such as names, addresses, email addresses, dates of birth, and medical information. OpenLoop Health said Social Security numbers were not accessed or stolen. Steps have since been taken to harden security, and the affected individuals are being notified by mail. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

A threat actor with the moniker Stuckin2019 claimed responsibility for the incident in a hacking forum listing and claims to have obtained the information of 1.6 million patients. Threat actor claims may be exaggerated, the records may not all be unique, and in some cases, the claims are entirely fabricated. In this case, Stuckin2019 published samples of patient data as proof of data theft. OpenLoop Health has yet to publicly confirm the scale of the data breach or the validity of Stuckin2019’s claims. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, although the website of the Office of the Texas Attorney General lists an OpenLoop Health data breach affecting 68,160 state residents. That incident was published by the Texas Attorney General on March 18, 2026.

Databreaches.net reports that the Stuckin2019 is male and an individual rather than a group, who seemingly has form attacking telehealth companies. He claimed earlier this year to have attacked the New York telehealth company Zealthy, although the company has yet to publicly disclose any data breach. Databreaches reports that the OpenLoop Health forum post was only live for two days before being taken down, and in conversation with the hacker on Tox, was informed that payment was received and the data had been deleted.

The post Telehealth Platform Provider OpenLoop Health Disclosed Data Breach appeared first on The HIPAA Journal.

The National Association on Drug Abuse Problems has experienced a data breach affecting up to 90,000 individuals. An insider data breach has been discovered by Weill Cornell Medicine, and Commonwealth Care Alliance has identified a mis-mailing incident.

The National Association on Drug Abuse Problems Hacking Incident Affects 90K Individuals

The National Association on Drug Abuse Problems (NADAP), a New York-based nonprofit, has disclosed a cybersecurity incident that has affected up to 90,000 individuals. Suspicious activity was identified within its network on or around January 10, 2026. Immediate action was taken to secure its network, and an investigation was launched to determine the nature and scope of the activity. On or around January 27, 2026, NADAP determined that the protected health information of certain clients, employees, and related individuals was present in files that were subject to unauthorized access.

The files have been reviewed and found to contain names, Social Security numbers, dates of birth, medical or health information, health care treatment or diagnostic information, health insurance information, and tax or financial information. The types of data involved vary from individual to individual. NADAP has implemented additional measures to enhance network security, including strengthening password requirements and implementing conditional access policies, and the incident has been reported to regulators and law enforcement. No known threat group has claimed responsibility for the incident.

The substitute data breach notice makes no mention of complimentary credit monitoring services. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements for suspicious activity.

Weill Cornell Medicine Identifies Insider Data Breach

Weill Cornell Medicine, the medical school of Cornell University in New York, has identified an insider breach involving the electronic medical records of 516 patients. Following an internal investigation, Weill Cornell Medicine confirmed that a former employee had accessed patient records for reasons unrelated to their job duties.

The potential for misuse of patient data is limited due to the nature of the data accessed, which was limited to name, contact information, and reason for visit. No Social Security numbers, clinical information, or financial information were accessed. Weill Cornell Medicine did not state the reason for the access but confirmed that the employee is no longer with the organization. All affected individuals have been notified by mail, and additional security measures have been implemented to reduce the risk of similar incidents in the future.

Commonwealth Care Alliance Announces Mis-Mailing Incident

Commonwealth Care Alliance, a Massachusetts-based health plan and care delivery system, has notified 634 individuals about a recent mis-mailing incident. The incident was identified on December 29, 2025, and involved letters intended for one member being mailed to an incorrect member. The letters included a member’s name, CCA Member ID number, and their Medicare eligibility status only. An investigation was launched to identify the cause of the error, and additional safeguards have been implemented to reduce the risk of similar incidents in the future, including supplemental quality checks with its mailing process.

The post National Association on Drug Abuse Problems Announces Data Breach Affecting 90,000 Individuals appeared first on The HIPAA Journal.

Over a three-week period between December 2025 and January 2026, hackers had access to the network of a Washington-based employee benefits administrator and potentially acquired the data of almost 2.7 million current and former participants and their dependents.

Renton, WA-based Navia Benefit Solutions, Inc., provides employee benefits administration services, including Health Care Flexible Spending Accounts and COBRA benefits. The company works with employers to manage tax-advantaged healthcare and dependent care accounts, and as such, maintains large amounts of employee data. The company has more than 10,000 clients nationwide and more than 1 million participants. The intrusion was identified on or around January 15, 2026, and the forensic investigation confirmed that its computer environment was subject to unauthorized access from December 22, 2025, to January 15, 2026. According to the breach notice provided to the Maine Attorney General, 2,697,540 individuals have been affected.

Navia Benefit Solutions uploaded a substitute breach notice to its website on March 13, 2026, and individual notification letters started to be mailed to the affected individuals on March 18, 2026. Data potentially compromised in the incident included names, email addresses, phone numbers, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Navia Benefit Solutions said it moved quickly to respond to the incident and secure its systems, and an investigation was launched to determine the nature and scope of the incident. Federal law enforcement was notified, and the company has been working to implement additional security measures and provide its employees with additional training to prevent similar incidents in the future. Navia Benefit Solutions did not disclose whether this was a ransomware attack or if it received a ransom demand. No ransomware group has claimed responsibility for the incident.

The data breach is a reportable incident under HIPAA. The Department of Health and Human Services has been notified, and a media notice has also been issued, in compliance with the HIPAA Breach Notification Rule. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal. While it is unclear how many clients have been affected, the Washington State Health Care Authority is one of the affected clients. Navia Benefit Solutions contracted with the Washington State Health Care Authority as the administrator of its Flexible Spending Arrangement (FSA) and Dependent Care Assistance Program (DCAP) for the PEBB and SEBB Programs.

Washington State Health Care Authority, which manages Medicaid in the state, has published its own substitute breach notice. The notice confirms that records going back seven years were compromised in the incident, which relate to approximately 27,000 current and former PEBB members, 5,600 current and former SEBB members, and 3,000 current and former Compacts of Free Association (COFA) islander members. In addition, 37 school districts that contracted with Navia before the SEBB Program was implemented in January 2020 have also been notified that some of their data was potentially compromised in the incident. The impacted data includes first and last names, Navia ID numbers, addresses, phone numbers, email addresses, enrollment start and end dates, employee IDs, Social Security numbers, and dates of birth.

The post Navia Benefit Solutions Discloses Data Breach Affecting 2.7 Million Individuals appeared first on The HIPAA Journal.

Trinity Health and the University of Pittsburgh Medical Center are notifying patients about potential unauthorized access to patient data by third parties via a Health Information Exchange (HIE).

Trinity Health, a not-for-profit Michigan-based Catholic health system that operates more than 92 hospitals in 22 states, has informed state attorneys general that some of its patients may have had their protected health information accessed without authorization. Trinity Health participates in automated electronic data exchanges with Health Information Exchanges (HIEs), which ensure that patient data can be easily accessed by other healthcare providers for treatment purposes, regardless of where the provider is located.

On January 13, 2026, Trinity Health was informed by its HIE partner that there had potentially been unauthorized access to the protected health information of certain Trinity Health patients. The incident involves an HIE member called Health Gorilla, which provides an interoperability platform and manages data access requests for client companies. Health Gorilla grants access to its network to companies that require access to patient data for treatment purposes. The HIE partner warned Trinity Health that Health Gorilla claimed that health information was required for treatment purposes; however, the HIE partner said it was unable to verify whether the statements made by Health Gorilla were accurate, and whether the recipient companies had authorizations for the information they obtained via the HIE.

Data potentially accessed without authorization included clinical care details, demographic information, insurance information, and potentially driver’s license numbers. Health Gorilla has suspended access to the HIE for the companies concerned. Trinity Health is providing the affected individuals with complimentary credit monitoring and identity theft protection services for 24 months. The number of affected individuals has not yet been disclosed.

University of Pittsburgh Medical Center (UPMC) patients have also been affected and are in the process of being notified about the potential unauthorized access. Data potentially accessed without a valid authorization included names, ages, diagnoses, and other information from patients’ medical histories. UPMC said it was informed about the potential unauthorized access by its electronic medical record vendor (Epic), and similarly, the unauthorized access occurred through an HIE via Health Gorilla. The incident has been reported to the HHS’ Office for Civil Rights, although it is not yet shown on the breach portal, so it is unclear how many patients have been affected.

Further healthcare providers are expected to issue similar notices in the coming days and weeks.

Legal Action Taken Over Alleged Unauthorized Access and Disclosures

Legal action is being taken over the alleged impermissible disclosures by Epic, OCHIN, and several healthcare providers who allege that Health Gorilla and others enabled “sham” companies to access their platforms to obtain patient data from national HIEs. While not stated in the breach notice, the information accessed by the sham companies may have been disclosed to third parties, such as law firms. One of the companies named as a defendant has admitted to making fraudulent claims that data was required for treatment purposes, when the data was disclosed to law firms. The lawsuit is proceeding against the other named defendants. Health Gorilla, a Qualified Health Information Network (QHIN), denies any wrongdoing, and so far, only one of the defendants has admitted wrongdoing.  You can read more about the lawsuit in this post.

The post Trinity Health & UPMC Notify Patients About Potential Unauthorized Data Access via HIE appeared first on The HIPAA Journal.

Data breaches have recently been announced by Delta Medical Systems in Wisconsin, Ansell Healthcare Products in New Jersey, and FuturHealth in California.

Delta Medical Systems, Wisconsin

Delta Medical Systems, a Wisconsin-based provider of medical imaging solutions and associated services, has notified state attorneys general about an email incident that occurred last summer. On July 15, 2025, Delta Medical Systems identified unusual activity within its email environment. Immediate action was taken to secure its email system and network, and a forensic investigation was launched to determine the cause, nature, and scope of the activity.

Assisted by third-party cybersecurity experts, Delta Medical Systems determined that an unauthorized third party had access to its email environment and may have viewed or acquired company data, including patient information, on July 15, 2025. The affected data was reviewed, and that process was completed in November 2025, when it was confirmed that personal and protected health information was involved. Data compromised in the incident included names, birth dates, Social Security numbers, driver’s license numbers/state identification numbers, bank account and routing numbers, health insurance information, and medical information.

On February 11, 2026, Delta Medical Systems finished identifying and notifying the affected individuals. Individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services, and steps have been taken to improve security to prevent similar incidents in the future. At present, the data breach is not listed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Ansell Healthcare Products, New Jersey

Ansell Healthcare Products, a New Jersey-based manufacturer of medical protective products, has notified state attorneys general about a data breach last summer that affected 2,061 individuals. Anomalous activity was identified within its computer systems on September 30, 2025, and the forensic investigation confirmed that an unknown actor had access to its computer systems between August 9, 2026, and September 30, 2026.

The review of the affected data confirmed that the personally identifiable information of employees was compromised in the incident, including names and Social Security numbers. No ransomware or hacking group appears to have claimed responsibility for the incident, and Ansell Healthcare Products said it is unaware of any of the impacted data being exposed online.  Notification letters were mailed to the affected individuals on March 10, 2026. Due to the nature of the exposed data, Ansell Healthcare Products has offered the affected individuals complimentary credit monitoring and identity theft protection services for 12 months.

FuturHealth

San Diego, CA-based FuturHealth, a health tech company that provides a telehealth-focused platform for weight loss programs, has recently notified the Vermont Attorney General about a security incident that occurred last summer. Unauthorized activity was identified within its computer systems on August 8, 2025. The forensic investigation determined that there had been unauthorized network access between August 8, 2025, and August 14, 2025, during which time files containing sensitive data were exfiltrated from its network.

The file review confirmed that the impacted data included names, health insurance information, and other sensitive data. FuturHealth has confirmed that the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. In October 2025, individuals affected by an earlier data breach received notification letters. That breach occurred in October 2024 and involved unauthorized access to a data storage environment containing G-Plan data.

The post Delta Medical Systems Notifies Patients About July 2025 Cyberattack appeared first on The HIPAA Journal.

Data breaches have recently been reported by Cedar Valley Services and Health Dimensions Group in Minnesota, and Community Nurse in Massachusetts.

Cedar Valley Services, Minnesota

Cedar Valley Services, a provider of vocational rehabilitation services to individuals in Southern Minnesota, has notified the HHS’ Office for Civil Rights about a data incident that involved the exposure of individuals’ protected health information. Little information about the incident has been publicly disclosed by Cedar Valley Services at this point, other than it being a hacking/IT incident affecting at least 501 individuals. The 501 total provided to the HHS’ Office for Civil Rights is a commonly used placeholder figure when the number of affected individuals has yet to be determined.

This appears to have been a ransomware attack by the Qilin ransomware group, which added Cedar Valley Services to its dark web data leak site in December 2025. Qilin claims to have exfiltrated sensitive data in the attack. The listing was added on December 21, 2025, and screenshots of data allegedly stolen in the attack have been uploaded to the data leak site as proof; however, as of March 17, 2026, the full dataset does not appear to have been leaked.

Community Nurse, Massachusetts

Community Nurse, a Fairhaven, MA-based home health agency, has confirmed that the personal and protected health information of 6,746 individuals has potentially been compromised in a security incident at its document management and billing services vendor, Doctor Alliance. Doctor Alliance experienced a network disruption on November 13, 2025. The forensic investigation determined that a threat actor may have viewed or acquired files without authorization between October 31, 2025, and November 17, 2025.

The analysis of those files was completed on March 2, 2026, and confirmed that they contained information such as names, addresses, dates of birth, Medicare numbers, start of care dates, certification period dates, medical record numbers, provider names and addresses, type of advance directives, diagnoses/current health statuses, medication lists, treatment orders, and goals of treatment. Doctor Alliance has implemented additional security measures to prevent similar incidents in the future, and notification letters have now been mailed to the affected individuals.

Health Dimensions Group, Minnesota

Health Dimensions Group, a Minneapolis, Minnesota-based provider of senior living and senior care management and consulting services, has reported a data breach to the Maine Attorney General that affected 450 individuals, including 1 Maine resident. Legal counsel for Health Dimensions Group explained in the notification letters that it first learned about a cybersecurity incident on October 20, 2025, and activated its incident response plan. Third-party cybersecurity experts were engaged to investigate the incident and assist with securing its environment, and they confirmed on November 6, 2025, that files were obtained in the incident.

The data review was completed on February 4, 2026, when it was confirmed that information relating to independent contractors was compromised in the incident, including names, addresses, and Social Security numbers. Notification letters were mailed to the affected individuals on March 11, 2026. While no data misuse has been identified, complimentary credit monitoring and identity theft protection services have been made available. The Worldleaks threat group claimed responsibility for the attack and leaked the stolen data, indicating the ransom was not paid. Since data has been leaked online, the affected individuals are advised to take advantage of the free credit monitoring services being offered.

The post PHI Exposed in Data Breaches at Cedar Valley Services; Community Nurse; Health Dimensions Group appeared first on The HIPAA Journal.

The Chicago, IL-based Catholic health system CommonSpirit Health has announced that it has been affected by a security incident at a vendor of one of its business associates.  The healthcare consulting company Pinnacle Holdings Ltd experienced network disruption on November 25, 2024, as a result of a ransomware attack. The ransomware group had access to Pinnacle’s network from November 11, 2024, to November 25, 2024. During that time, files were exfiltrated from Pinnacle’s network.

Pinnacle was a vendor of CommonSpirit Health’s vendor, NorthGauge Healthcare Advisors. In a breach notice issued to the Washington Attorney General on behalf of CommonSpirit Health, NorthGauge explained that Pinnacle immediately isolated its network when the attack was detected and has since implemented additional security measures to prevent similar incidents in the future. NorthGauge explained that Pinnacle had strict policies and procedures in place concerning data retention and data destruction, which limited the amount of data compromised in the incident.

Pinnacle engaged a third-party vendor to review the exposed data, and in November 2025 – a year after the attack – Pinnacle notified NorthGauge about the incident. NorthGuage said it did not receive confirmation about the identities of the affected individuals until January 30, 2026, and notified CommonSpirit Health about the affected Washington residents on February 2, 2026. NorthGauge said individual notification letters will be mailed to the affected Washington residents as soon as up-to-date contact information has been obtained. Those individuals are being offered complimentary credit monitoring and identity theft protection services.

The breach notice does not state the types of data compromised in the incident; however, they are stated in the individual notification letters to the affected individuals. According to the Washington Attorney General, the breach affected 19,027 Washington residents. The incident is not currently listed on the HHS’ Office for Civil Rights website, so it is unclear if individuals in other states have also been affected.

The post CommonSpirit Health Patients Affected by Vendor Data Breach appeared first on The HIPAA Journal.