HIPAA Breach News

Largest Healthcare Data Breaches of 2025

2025 was another bad year for healthcare data breaches. As of June 2026, 772 healthcare data breaches affecting 500 or more individuals are listed on the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal, involving the exposure or theft of the protected health information of 139,721,832 individuals. That total is likely to increase further as there are several data breach investigations that have yet to conclude.

Based on the current totals, 2025 was the worst ever year for large healthcare data breaches, beating the previous record of 746 data breaches set in 2023 by 3.49%. In terms of affected individuals, 2025 was the third-worst year, behind the 289.8 million affected individuals in 2024 and the 183 million affected individuals in 2023. You can view the latest figures and how they compare to previous years on our Healthcare Data Breach Statistics page.

Large healthcare data breaches increased by 4.18% year over year, although there was a 51.79% year-over-year decrease in affected individuals. Such a large decrease in affected individuals was expected, as in 2024, there was a gargantuan data breach at Change Healthcare, which affected an estimated 192,700,000 individuals. That single data breach accounted for 66.49% of the 289,819,703 affected individuals in 2024.

The Largest Healthcare Data Breaches of 2025

The table below shows the largest healthcare data breaches of 2025 known at the time of publication. At the time of publication, 16 healthcare data breaches were reported to OCR in 2025 that each affected more than one million individuals, and a further 7 data breaches affected between 500,000 and 999,999 individuals.

| HIPAA-Regulated Entity | State | Entity Type | Individuals Affected |
|---|---|---|---|
| Conduent Business Services LLC | NJ | Business Associate | 62,224,658 |
| Aflac | GA | Health Plan | 13,924,906 |
| Episource, LLC | CA | Business Associate | 6,725,572 |
| Yale New Haven Health System | CT | Healthcare Provider | 5,556,702 |
| Blue Shield of California | CA | Business Associate | 4,700,000 |
| PIH Health | CA | Healthcare Provider | 2,947,264 |
| DaVita Inc. | CO | Healthcare Provider | 2,689,826 |
| Veradigm LLC | IL | Business Associate | 2,672,036 |
| Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 |
| Kettering Adventist Healthcare | OH | Healthcare Provider | 1,695,382 |
| Radiology Associates of Richmond, Inc. | VA | Healthcare Provider | 1,419,091 |
| DermCare Management | FL | Business Associate | 1,361,735 |
| SimonMed Imaging | AZ | Healthcare Provider | 1,275,669 |
| Absolute Dental Group, LLC | NV | Business Associate | 1,223,635 |
| Southeast Series of Lockton Companies, LLC (Lockton) | GA | Business Associate | 1,124,727 |
| Community Health Center, Inc. | CT | Healthcare Provider | 1,060,936 |
| Frederick Health | MD | Healthcare Provider | 934,326 |
| Community Health Center, Inc. | MI | Healthcare Provider | 743,131 |
| Medusind Inc. | FL | Business Associate | 701,475 |
| Blue & Co., LLC | IN | Business Associate | 591,713 |
| Kelly & Associates Insurance Group, Inc. | MD | Business Associate | 553,332 |
| Decisely Insurance Services, LLC | GA | Business Associate | 537,603 |
| United Seating and Mobility, LLC, d/b/a Numotion | TN | Healthcare Provider | 529,004 |

Conduent Business Services – 62.2 million individuals

The largest healthcare data breach of 2025 by some distance was reported by the HIPAA business associate, Conduent Business Services. Conduent is a business associate of HIPAA-covered entities and government agencies that provides a range of back-office services. Conduent reported a data breach to OCR in October 2025 as involving unauthorized access to the protected health information of 42,616 individuals, including names, dates of birth, Social Security numbers, treatment information, and claims information.

Since then, the Oregon Attorney General was informed that the data breach involved unauthorized access to the sensitive data of more than 10.5 million state residents, and the Texas Attorney General was later informed that 14,791,500 individuals in Texas were affected. That total was later increased to 15,494,592 individuals. Other state attorneys general have also received notifications confirming that some of their state residents have been affected, but have not published how many individuals were affected in their states. An updated total was provided to OCR in mid-2026, indicating that the protected health information of 62,224,658 individuals was compromised in the incident, making it the third-largest healthcare data breach of all time.

The incident was described as a security incident that caused an outage, resulting in temporary disruption to its services – terminology often used to describe a ransomware attack. The Safepay ransomware group claimed responsibility for the attack and added Conduent to its data leak site, although the listing has now been removed, suggesting the ransom was paid.

Aflac – 13.9 million individuals

In a June 12, 2025, filing with the U.S. Securities and Exchange Commission (SEC), the insurance giant Aflac disclosed a cyberattack by a threat actor that “may be affiliated with a known cyber-criminal organization.” While not confirmed by Aflac, that group is widely believed to be the Scattered Spider threat group, which at the time was targeting the insurance industry. The data breach was reported to OCR on August 8, 2025, using a placeholder figure of 500 affected individuals, as the investigation was ongoing at the time. The hackers gained access to names, addresses, dates of birth, government-issued ID numbers such as passports and state ID card numbers, driver’s license numbers, Social Security numbers, medical information, and health insurance information.

As the year drew to a close, Aflac confirmed that there had been unauthorized access to the sensitive data of 22.65 million individuals globally. The OCR breach portal has since been updated to confirm that the protected health information of at least 13,924,906 individuals was compromised in the incident.

Episource, LLC – 6.73 million individuals

The UnitedHealth (Optum) subsidiary Episource, a provider of medical coding, risk adjustment services, and software solutions for healthcare providers and health plans, experienced a ransomware attack in February 2025 that involved the exfiltration of files containing sensitive patient data. Data compromised in the attack included names, contact information, medical information, and health insurance information. The ransomware group gained access to EpiSource’s AWS environment,

The investigation confirmed that the ransomware group had access to its network from January 27, 2025, to February 6, 2025, and potentially obtained the protected health information of 5,418,866 individuals. Multiple healthcare provider clients were affected by the attack, including Sharp HealthCare and Sharp Community Medical Group. That total has since been increased to 6,725,572 individuals.

Yale New Haven Health System – 5.6 million individuals

Yale New Haven Health System, the largest health system in the state of Connecticut, reported the data breach to OCR in April 2025, after its investigation determined that hackers breached its network on March 8, 2025, and obtained the sensitive data of 5,556,702 individuals.

The electronic medical record system was not accessed, and the hackers were unable to access financial information; however, they did obtain names, contact information, demographic information, medical record numbers, and Social Security numbers. Yale New Haven Health faced multiple class action lawsuits over the data breach, which were settled rapidly. Yale New Haven Health agreed to an $18 million settlement to resolve a consolidated class action lawsuit that amalgamated 18 separate complaints, just 7 months after the data breach occurred.

Blue Shield of California – 4.70 million individuals

The health insurance provider Blue Shield of California was one of many healthcare entities to experience data breaches involving tracking software on their websites. In this case, Blue Shield of California had added Google Analytics code to certain websites, which was configured in a way that resulted in member data being shared with Google Ads for almost 3 years. In certain cases, the protected health information shared with Google may have been used to serve members with personalized Google Ads related to their interactions on Blue Shield of California websites. For instance, if the “Find a Doctor” service was used, then search criteria and results may have been disclosed.

While the scale of the breach – up to 4.7 million individuals – makes it one of the worst of the year, notification letters were issued to all members who accessed the websites over 3 years; however, it is unclear how many of those individuals had protected health information disclosed to third parties. Further, there was limited potential for harm, and no indications that any bad actor was able to access plan members’ data.

PIH Health – 2.95 million individuals

The California healthcare provider PIH Health experienced a ransomware attack in December 2024, in which the ransomware group claimed to have exfiltrated 2 Terabytes of data. The threat actor had access to the PIH Health network from November 14, 2024, to December 23, 2024. It took more than a year for PIH Health to review the affected data and determine that patient data had been exposed. That determination was not made until December 2025, and it took until February 2026 for individuals to start being notified.

The ransomware group stole files containing names, addresses, medical information, health insurance information, Social Security numbers, taxpayer identification numbers, driver’s license numbers, financial account information, and credit/debit card numbers. PIH Health informed the HHS Office for Civil Rights that the protected health information of 2,947,264 individuals was compromised in the incident.

DaVita – 2.69 million individuals

The Denver, CO-based kidney dialysis service provider DaVita experienced a ransomware attack in April 2025. DaVita operates more than 2,600 kidney dialysis centers across the United States, and while the attack caused temporary operational disruption, critical care provided to patients across the United States was unaffected.

The ransomware group was able to access a laboratory database containing the protected health information of 2,689,826 individuals, including demographic information, clinical information, and tax information. The Interlock ransomware group claimed responsibility for the attack and had access to DaVita systems from March 24, 2025, to April 12, 2025.

Veradigm LLC – 2.67 million individuals

Veradigm, a Chicago, Illinois-based provider of practice management and electronic health record solutions to healthcare providers (formerly Allscripts), experienced a data security incident in July 2025 that involved unauthorized access to protected health information. One of its storage locations had been compromised as a result of an incident at one of its customers. Credentials were stolen that allowed access to the storage environment.

Data compromised in the incident included names, contact information, dates of birth, health records information, health insurance information, payment details, and limited identifiers, such as Social Security numbers and driver’s license numbers. It took some time to review the affected data, with 2,672,036 individuals now known to have had their data exposed or stolen in the incident. Veradigm settled the class action lawsuit that followed for $10.5 million.

Anne Arundel Dermatology – 1.91 million individuals

Anne Arundel Dermatology, a dermatology practice with more than 30 locations in 7 U.S. states, experienced a hacking incident that saw unauthorized individuals access its network from February 14, 2025, to May 13, 2025. The systems compromised in the attack contained the protected health information of up to 1,905,000 individuals, including names, addresses, dates of birth, and health insurance information.

Since it was not possible to determine which records were viewed or copied, notification letters were mailed to all potentially affected individuals. Anne Arundel Dermatology was one of several dermatology practices to be targeted by hackers in 2025.

Kettering Adventist Healthcare – 1.7 million individuals

The Ohio health system, Kettering Adventist Healthcare (Kettering Health), experienced a ransomware attack on May 20, 2025, although its network was first breached on April 9, 2025. The Interlock ransomware group claimed responsibility for the attack, alleging that 941 GB of data was stolen in the attack. Kettering Health refused to pay the ransom, and Interlock proceeded to leak the stolen data.

It took several months to review the affected data and determine the individuals affected. Around April 2026, OCR was provided with a revised total, showing that the protected health information of 1,695,382 individuals was stolen in the attack. The stolen data included names, Social Security numbers, financial account numbers, driver’s license numbers, medical and/or treatment information, health insurance information, billing and/or claim information, passport numbers, and/or usernames and associated passwords. Kettering Health faced dozens of class action lawsuits over the data breach. The litigation is ongoing.

Radiology Associates of Richmond – 1.42 million individuals

Radiology Associates of Richmond, a provider of medical imaging services at seven hospitals in Virginia and multiple outpatient facilities within the state, experienced a cyberattack in April 2024, although the data breach was not reported to OCR until July 2025.

The hackers had access to its network from April 2, 2024, to April 6, 2024, and exfiltrated files containing the protected health information of 1,419,091 patients, including names, dates of birth, email addresses, Social Security numbers, account numbers, routing numbers, medical information, and health insurance information.

DermCare Management – 1.4 million individuals

DermCare Management, a Florida-based provider of practice management services to dermatology practices in Florida, Texas, California, and Virginia, identified a hacking incident in February 2025, with the investigation confirming that an unauthorized third party had access to its computer systems between February 14, 2025, and February 26, 2025.

It took until March 2026 to review the affected data, when it was confirmed that the data breach affected patients of more than 70 dermatology clinics. It has since been confirmed that the protected health information of 1,361,735 individuals was compromised in the incident, including names, Social Security numbers, driver’s license numbers, credit and debit card information, financial account information, and medical information.

SimonMed Imaging – 1.3 million individuals

SimonMed Imaging, one of the largest medical imaging providers in the country, operates more than 170 medical imaging facilities in 10 U.S. states. The Scottsdale, AZ-based radiology practice learned from one of its vendors in January 2025 that there had been a security incident. The investigation confirmed that an unauthorized actor had direct access to its systems between January 21, 2025, and February 5, 2025. The Medusa ransomware group claimed responsibility for the attack and said it stole 212 GB of data, and demanded a $1 million ransom to prevent the data from being leaked or sold.

While the attack was announced in April 2025, it took several months to review the affected data. The data involved included names, addresses, birth dates, dates of service, provider names, medical record numbers, patient numbers, medical condition information, diagnosis/treatment information, medications, health insurance information, and driver’s license numbers. The protected health information of 1,275,669 individuals was stolen in the attack.

Absolute Dental Group – 1.2 million individuals

Absolute Dental Group, a Nevada dental practice with over 50 locations in Las Vegas, Carson City, Reno, Sparks, and Minden, identified a cybersecurity incident in February 2025. In July 2025, the company confirmed that data stolen in the attack included names, contact information, date of birth, Social Security number, driver’s license or state-issued ID information, passport or other government ID information, and health information.

The incident was initially reported to OCR using a placeholder estimate of 501 individuals, with that total updated in late summer to show that the protected health information of 1,223,365 individuals was exposed and potentially stolen in the incident.

Southeast Series of Lockton Companies – 1.1 million individuals

Southeast Series of Lockton Companies (Lockton), an insurance brokerage company that provides employee benefits services, reported a data breach to OCR on February 28, 2025, that involved unauthorized access to its computer network on November 20, 2025. While initially reported as involving unauthorized access to the protected health information of 1,706 individuals, the total was later revised to 1,124,727 individuals.

Hackers had access to a single account and computer for a few hours, but during that time, they may have viewed or acquired names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and financial information.

Community Health Center – 1.1 million individuals

Community Health Center, a nonprofit healthcare provider in Middletown, Connecticut, identified unauthorized access to its computer network on January 2, 2025. The investigation confirmed that a hacker first accessed its network without authorization on October 14, 2024, and retained access until the intrusion was detected on January 2, 2025.

The attack did not involve file encryption; however, the hackers had access to sensitive patient data such as names, addresses, phone numbers, email addresses, dates of birth, diagnoses, test results, treatment information, health insurance information, and Social Security numbers. The investigation confirmed that up to 1,060,936 individuals were potentially affected.

Frederick Health – 934K individuals

Frederick Health Medical Group, a Maryland-based healthcare group, announced on January 27, 2025, that it had fallen victim to a ransomware attack. The group behind the attack was not disclosed and remains unknown.

The investigation confirmed that the protected health information of up to 934,326 individuals was potentially compromised, including names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, medical record numbers, health insurance information, and/or clinical information related to patients’ care.

McLaren Health Care – 743K individuals

McLaren Health Care in Michigan experienced a ransomware attack in August 2024 that involved unauthorized access to systems used by McLaren Health Care and its Karmanos cancer centers between July 17, 2024, and August 3, 2024. The file review was extensive and time-consuming, revealing on May 5, 2025, that sensitive data had been compromised in the incident.

The data breach affected 743,131 individuals and involved unauthorized access to names, Social Security numbers, driver’s license numbers, medical information, and health insurance information. While not reported as a ransomware attack, the Inc Ransom ransomware group claimed responsibility. While McLaren Health Care was added to the Inc Ransom data leak site, the listing has been removed, suggesting the ransom was paid. This was McLaren Health Care’s second ransomware attack in the space of a year.

Medusind – 701K individuals

Medusind, a Florida-based revenue cycle management vendor and practice management software provider, reported a cyberattack and data breach to OCR in early January that was first identified on December 23, 2023. Initially, the data breach was determined to have affected 360,934 individuals; however, the total was increased on two further occasions, with a final tally of 701,475 individuals.

The hackers had access to names, demographic information, health insurance and billing information, debit/credit card numbers or bank account information, Social Security numbers, and other government-issued ID numbers. Medusind faced multiple class action lawsuits over the data breach and settled the consolidated lawsuit for $5 million.

Blue & Co. – 591K individuals

Blue & Co, an accounting and advisory firm with offices in Indiana, Ohio, Kentucky, and Michigan, reported a data breach to OCR in 2025, although the incident was first detected on December 9, 2024, when an unauthorized actor claimed to have removed data from its network. That person had gained access to a network server via a phishing attack.

While the unauthorized access only occurred for around 30 minutes, the forensic investigation confirmed that the protected health information of 591,713 individuals had been exposed and was potentially copied. That information included names, Social Security numbers, driver’s license numbers, passport numbers, financial account information, health information, and health insurance information.

Kelly & Associates Insurance Group – 553K individuals

Kelly & Associates, doing business as Kelly Benefits, discovered a cyberattack in December 2024 and determined that hackers had access to its network from December 12, 2024, to December 17, 2024. During that time, they exfiltrated files containing names, dates of birth, Social Security numbers, health insurance information, financial account information, and medical information.

The data breach was not reported to OCR until April 2025, and notification letters were issued on a rolling basis. In late June 2025, the final victim tally was confirmed as 553,332 individuals. The delay in issuing notifications was due to the amount of data involved and the complexity of the file review.

Decisely Insurance Services, LLC – 537K individuals

Decisely Insurance Services, a Roswell, GA-based benefits brokerage and HR services firm, reported a data breach to OCR in 2025 that affected 65,405 individuals. Hackers had gained access to its cloud storage platform on December 17, 2024. Data compromised in the incident included names, dates of birth, phone numbers, passport numbers, digital signatures, and Social Security numbers, and the affected individuals were notified in June 2025.

However, the breach was far more extensive than the initial investigation suggested. Decisely Insurance Services later determined that the protected health information of 537,603 individuals had been compromised in the incident.

United Seating and Mobility (Numotion) – 529K individuals

United Seating & Mobility, doing business as Numotion, a wheelchair and mobility equipment provider, identified unauthorized access to employee email accounts in November 2024. The investigation confirmed that the accounts were compromised between September 2, 2024, and November 18, 2024, as a result of responses to phishing emails.

The data breach was first reported to OCR in March 2025, as involving unauthorized access to the protected health information of 494,326 individuals, but the total was later revised to 529,004 individuals. The hackers were able to access names, dates of birth, product information, payment and financial account information, health insurance information, and medical information.

The post Largest Healthcare Data Breaches of 2025 appeared first on The HIPAA Journal.

Hacking Group Claims Responsibility for Multi-Million-Record DentaQuest Data Breach

Wellesley, MA-based DentaQuest, a dental benefits administrator that manages the benefits for 32 million Americans, has announced it is actively managing a cybersecurity incident involving unauthorized access to a limited part of its network. According to its website notice, immediate action was taken to contain and mitigate the threat, and the company is working with a leading cybersecurity expert, forensic investigators, and law enforcement authorities.

DentaQuest, part of Sun Life U.S. Dental, is the largest Medicaid and Children’s Health Insurance Program dental benefits administrator in the country, operating in 50 U.S. states. The company has yet to determine the exact scope of the incident and the extent to which sensitive data has been compromised. The company has promised to update clients and ensure that they receive information as quickly and transparently as possible.

The digital extortion group ShinyHunters has claimed responsibility for the incident and has added DentaQuest to its dark web data leak site. The group specializes in data theft and extortion and claims to have exfiltrated 234 GB of data from DentaQuest systems. ShinyHunters explained on its data leak site that it has attempted to negotiate a ransom payment with DentaQuest to prevent the publication of stolen data, but despite exercising considerable patience and making multiple offers, it failed to reach an agreement with DentaQuest. As a result of the failure, ShinyHunters proceeded to leak the stolen data.

Have I Been Pwned (HIBP) has analyzed the leaked data, which contains the unique email addresses of 2.6 million individuals, along with names, addresses, phone numbers, dates of birth, and genders. HIBP said the leaked data appears in healthcare enrollment files (ASC X12 transaction sets), some of which include information such as Medicaid IDs, other government-issued IDs, and health insurance information. Around 66% of the records exposed were already in its database, having been breached in previous incidents.

Social Security numbers do not appear to have been stolen or leaked, so the affected individuals do not face an immediate threat of identity theft; however, since email addresses and contact information have been leaked, they do face an increased risk of social engineering and phishing attacks. If the data breach is confirmed as affecting 2.6 million individuals, it will rank as one of the largest healthcare data breaches of the year to date.


Clarinda Regional Health Center Reports Data Breach Affecting 24K Patients

Data breaches have been announced by Clarinda Regional Health Center in Iowa, Community Connections in DC, Waveny Lifecare Network in Connecticut, and NJ Pain Care Specialists in New Jersey.

Clarinda Regional Health Center

Clarinda Regional Health Center, a Clarinda, IA-based non-profit hospital, has started notifying 24,341 individuals about a recent cybersecurity incident that exposed sensitive data. Suspicious activity was identified within its computer network on December 15, 2026, and the forensic investigation determined that files containing patient data may have been accessed or acquired without authorization in October 2025. The LockBit5 ransomware group claimed responsibility for the incident.

The file review confirmed that the exposed data included first and last names, dates of birth, medical information, health insurance information, financial account numbers, Social Security numbers, driver’s license numbers, and taxpayer identification numbers. The types of data varied from individual to individual.

The review of the affected files was completed on May 21, 2026, and notification letters started to be mailed to the affected individuals on June 2, 2026. Individuals whose Social Security numbers were exposed in the incident have been offered complimentary credit monitoring and identity theft protection services. Clarinda Regional Health Center has confirmed that additional security measures have been implemented to reduce the risk of similar incidents in the future.

Community Connections

Community Connections, a Washington D.C.-based non-profit provider of behavioral health, residential, and primary health care coordination services, has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 18,943 individuals.

The breach was reported to OCR on May 18, 2026. Details about the data breach have yet to be publicly disclosed; however, a ransomware group – Inc Ransom – claimed responsibility for the incident and listed Community Connections on its dark web data leak site in late March, although it does not appear to have leaked the stolen data.

A similarly sized data breach was experienced in 2024, affecting 18,943 individuals. According to the notifications issued on August 27, 2025, the incident was detected on October 21, 2024, and full names, addresses, dates of birth, Social Security numbers, financial information, driver’s license or state identification information, medical information, and health insurance information were potentially involved. Following that incident, multiple steps were taken to reduce the risk of similar incidents in the future, including implementing new technical safeguards and retraining members of its workforce.

Waveny Lifecare Network

Waveny Lifecare Network, a New Canaan, CT-based community-focused non-profit providing residential care, skilled nursing, and in-home care services to seniors, has recently reported a data security incident to the Maine Attorney General that has affected 8,548 individuals. Suspicious activity was identified within its computer systems on May 28, 2025. Third-party cybersecurity specialists were engaged to investigate the incident and confirmed that a limited amount of data was accessed by an unauthorized third party on May 28, 2025.

Waveny Lifecare Network conducted a time-consuming review of the affected data, and that process was completed on March 23, 2026. Up-to-date contact information was then obtained to allow notification letters to be mailed, which were sent on June 2, 2026. The notification letter to the Maine AG has the data types redacted, although they are detailed in the individual notification letters. As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

NJ Pain Care Specialists

NJ Pain Care Specialists, LLC, an interventional spine and pain management practice in Ocean Township, New Jersey, has announced a data security incident. Unauthorized activity was identified within its computer network on or around February 28, 2026. The investigation confirmed unauthorized access to its network occurred between February 25, 2026, and February 28, 2026, during which time, files may have been removed from its network.

The investigation to date has determined that data compromised in the incident includes names, addresses, dates of birth, medical record numbers, driver’s license numbers or other ID numbers, clinical or treatment information, medical procedure information, medical provider names, prescription information, and health insurance information.

NJ Pain Care Specialists said it has reviewed and enhanced its data security policies and procedures, and its technical, administrative, and physical safeguards. The investigation is ongoing, and the number of individuals has yet to be determined. The breach has been reported to the HHS’ Office for Civil Rights using an interim total of at least 501 individuals. The total will be updated when the investigation is concluded.


Singing River Health System: 54K Individuals Affected by December Cyberattack

Singing River Health System in Mississippi has issued an update on a cybersecurity incident that was first announced in December 2025, shortly after the attack was detected. In the updated breach notice, Singing River Health System explained that its investigation revealed an unauthorized third party had access to certain computer systems between December 19, 2025, and December 21, 2025. On February 10, 2026, Singing River Health System confirmed that the unauthorized individual had access to files containing patient information.

The file review has recently concluded and revealed that the exposed data included names in combination with one or more of the following: contact information, Social Security numbers, driver’s license numbers, dates of birth, diagnostic/treatment information, medication information, dates of service, bank account information, health insurance information, provider names, and internal patient identification numbers.

Singing River Health System said it will continue to implement and evaluate enhanced safeguards and security measures to further protect its systems. The affected individuals have been advised to review the statements they receive from their healthcare providers and insurers for any services that have not been received. The incident has recently been reported to the HHS’ Office for Civil Rights as affecting 53,888 individuals.

Adams County Memorial Hospital

Adams County Memorial Hospital has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 5,305 individuals. The data was exposed as a result of an employee responding to a phishing email, which allowed an unauthorized third party to gain access to the employee’s email account on December 22, 2026. The breach was confined to the email account. The electronic medical record system was not affected. The investigation confirmed that the account contained personal and protected health information such as names, addresses, dates of birth, Social Security numbers, dates of service, diagnoses, charges, and health insurance information.

In response to the incident, additional security protocols have been implemented to protect against future phishing incidents, and additional education has been provided to employees on phishing and malicious email identification. As a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Central Kansas Mental Health Center

Central Kansas Mental Health Center in Salina, KS, has experienced a cybersecurity incident that exposed patient data. The incident was first identified on September 26, 2025, when suspicious activity was observed within its computer network. Immediate action was taken to contain the incident, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation confirmed that an unauthorized third party accessed its network and likely exfiltrated files containing patient data. The files are being reviewed to determine the types of data involved and the individuals affected. Central Kansas Mental Health Center first announced the data breach via its website in November 2025, confirming that credit monitoring and identity theft protection services are being made available. Central Kansas Mental Health Center has not identified any misuse of the exposed data to date. The incident has yet to be added to the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


Patient Data Exposed in Cyberattacks on Dental Practices

Data breaches have been announced by Bridle Trails Family Dentistry, Verber Dental Group, and Bronsky Orthodontics. Across the three incidents, the protected health information of more than 32,700 individuals was exposed and potentially stolen.

Bridle Trails Family Dentistry

Bridle Trails Family Dentistry, a dental practice in Kirkland, Washington, has notified 20,976 current and former patients about a cybersecurity incident that occurred in the Fall of 2024 that exposed some of their personal and protected health information. According to the April 10, 2026, breach notification letters, an investigation was launched into a potential breach of its email environment, which confirmed that an employee’s email account was accessed by an unauthorized individual between November 19, 2024, and November 25, 2024. The account was reviewed, and Bridle Trails Family Dentistry learned on March 12, 2026, that the account contained a limited amount of personal and health information.

Data potentially compromised in the incident included full names, birth dates, Social Security numbers, reason for visit, medical provider name, clinical/treatment information, driver’s license numbers, taxpayer ID numbers, medical record numbers, and health insurance information. The impacted information varied from individual to individual. At the time of issuing notifications, Bridle Trails Family Dentistry was unaware of any misuse of data as a direct result of the incident. Bridle Trails Family Dentistry said it has taken many precautions to safeguard the personal and protected health information in its possession and continually evaluates and modifies its practices and internal controls.

Verber Dental Group

Verber Dental Group PC, a Camp Hill, Pennsylvania-based network of 14 dental practices, has announced a breach of the protected health information of up to 8,598 individuals. Suspicious activity was identified within its network environment on January 27, 2026. Immediate action was taken to ensure its network environment was secure, and an investigation was launched to determine whether sensitive data had been exposed.

The forensic investigation determined that an unauthorized third party had access to files containing patient data, which may have been viewed or acquired between January 26, 2026, and January 27, 2026. The files on the compromised parts of its network were reviewed and found to contain names, Social Security numbers, dates of birth, driver’s license numbers, medical information, and health insurance information. Notification letters are being mailed to the affected individuals, and steps have been taken to reduce the risk of similar incidents in the future.

Bronsky Orthodontics

Bronsky Orthodontics, an orthodontic practice in New York City, has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 3,183 individuals. Suspicious activity was identified within an employee’s email account on October 16, 2025. The account was immediately secured, and an investigation was launched to determine the nature and scope of the activity. Assisted by third-party cybersecurity specialists, Bronsky Orthodontics determined that a limited number of email accounts had been accessed by an unknown actor between August 18, 2025, and October 16, 2025.

The accounts were reviewed, and on March 11, 2026, Bronsky Orthodontics determined that they contained patient information such as names, dates of birth, contact information, dental and orthodontic treatment information, and insurance information. A limited number of individuals also had their financial account information, Social Security numbers, driver’s licenses, and/or other government-issued identification numbers exposed. Policies and procedures related to data privacy and security are being reviewed as a result of the incident.


Medical Billing Company Data Breach Affects 7 Medical Groups

The Las Vegas medical billing and coding management company, La Perouse, has announced a data breach that has affected seven of its medical group clients. Data breaches have also been announced by Acadia Healthcare Company, Harbor Regional Center, United Medical Systems, and Ohio ENT & Allergy Physicians.

La Perouse

La Perouse LLC, a Las Vegas, NV-based medical billing and coding management company, has notified the California Attorney General about a breach of one of its third-party billing platforms. Potential unauthorized activity was first identified on July 8, 2025. The platform and its network environment were secured, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation confirmed that the unauthorized access was confined to the third-party billing platform and that sensitive data stored within that platform had been copied by the attacker. The review of the affected data was completed in the Spring of 2026, and notification letters were mailed to the affected individuals on April 17, 2026. The data compromised in the incident varies from individual to individual and may have included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, patient identification and medical record numbers, medical information, and health insurance information.

La Perouse worked with its third-party billing platform provider to implement additional technical safeguards, enhance security measures, and update security policies and procedures. The affected individuals have been offered at least 12 months of complimentary credit monitoring services. The affected individuals had received medical services from one or more of the following healthcare providers:

  • Beach Emergency Medical Associates
  • Centinela Freeman Emergency Medical Associates
  • Chino Emergency Medical Associates
  • Hollywood Presbyterian Emergency Medical Associates
  • Montclair Emergency Medical Associates
  • Tarzana Emergency Medical Associates
  • Temecula Valley Hospitalist Medical Group

The incident was reported to the HHS’ Office for Civil Rights in September 2025 using a placeholder estimate of at least 501 individuals. The total has yet to be updated.

Acadia Healthcare Company

Acadia Healthcare Company, the operator of a network of almost 280 behavioral healthcare facilities in 40 U.S. states and Puerto Rico, has recently disclosed a data security incident that was first identified in March 2026. Suspicious activity was observed within an employee’s email account. The email account was secured, and an investigation was launched to determine the nature and scope of the activity. The forensic investigation determined that the account and an associated SharePoint account were accessed by an unauthorized third party between March 21 and March 25, 2026, as a result of social engineering attacks. No other systems were involved.

The data review was completed on May 15, 2026, and confirmed that the information compromised in the incident included names, addresses, dates of birth, treatment information, health insurance information, admission dates, diagnosis codes, patient statuses, Medicare insurance claim numbers, and, for some individuals, Social Security numbers. Notification letters started to be mailed to the affected individuals on May 22, 2026. Acadia Healthcare Company said additional cybersecurity measures have been implemented to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Harbor Regional Center

Harbor Developmental Disabilities Foundation, doing business as Harbor Regional Center, a Long Beach, CA-based provider of services to individuals with developmental disorders, identified suspicious activity within its computer network on or around March 7, 2026. The forensic investigation confirmed unauthorized access to its computer network between March 6 and March 7, during which time, files may have been viewed or copied from the network.

On May 15, 2026, Harbor Regional Center completed its review of the exposed files. The exact types of information involved are detailed in the individual notification letters that have recently been mailed to the affected individuals. The number of affected individuals has yet to be publicly disclosed. The affected individuals have been offered single-bureau credit monitoring and identity theft protection services, and steps have been taken to improve security to prevent similar breaches in the future.

Ohio ENT & Allergy Physicians

Ohio ENT & Allergy Physicians in Columbus, Ohio, has recently reported a data breach to the Maine Attorney General that involved unauthorized access to the personal and protected health information of 324 individuals, including 1 Maine resident. A cybersecurity incident was detected on March 30, 2026, when suspicious activity was identified on a workstation within its network environment. The forensic investigation confirmed unauthorized access between March 29, 2026, and March 30, 2026. The review of all potentially exposed files was completed on May 18, 2026. Data exposed in the incident included full names and Social Security numbers. Notification letters were mailed to the affected individuals on May 29, 2026.

Ohio ENT & Allergy Physicians has implemented additional technical safeguards and has enhanced its security measures to prevent similar incidents in the future, and complimentary credit monitoring services have been offered to the affected individuals.

United Medical Systems

Westborough, Massachusetts-based mobile specialty healthcare service provider United Medical Systems has disclosed a data breach affecting 485 individuals. According to the notification letters, which were mailed to the affected individuals on May 20, 2026, the forensic investigation confirmed that names, driver’s license numbers, and Social Security numbers were exposed in the incident. As a precaution against identity theft and fraud, the affected individuals have been offered complimentary single-bureau credit monitoring and identity theft protection services for 24 months, and steps have been taken to enhance security to prevent similar incidents in the future.


Lakeview Health Systems Settles Class Action Data Breach Lawsuit

A settlement has been negotiated to resolve a class action lawsuit against Lakeview Health Systems LLC. The lawsuit stemmed from a January 2024 cyberattack that exposed the personal and protected health information of 10,772 individuals. Hackers breached its network and accessed and potentially obtained files containing names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, patient IDs, diagnoses, treatment information, prescription information, and health insurance information.

Shortly after being notified about the breach, some of the affected individuals filed lawsuits against Lakeview Health, alleging negligence for failing to adequately protect sensitive data stored on its network. The plaintiffs claimed the data breach could have been and should have been prevented. Lakeview Health maintains that there was no wrongdoing and that there is no liability.

The lawsuits made similar claims and were consolidated – Skov et al., v. Lakeview Health Systems, L.L.C – in the Circuit Court of Duval County, Florida. The lawsuit is pending; however, the defendants and the plaintiffs agreed to settle the lawsuit to avoid the costs, risks, disruptions, and uncertainties from continuing with the litigation.

The defendant has agreed to pay attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $2,000 per class member and reimbursement of up to $5,000 in extraordinary losses. A claim may also be submitted for up to 4 hours of lost time at $20 per hour, and one year of credit monitoring services. If none of those options are claimed, class members may claim a one-time cash payment of $50.

The deadline for objection and exclusion is July 23, 2026. Claims must be submitted by August 24, 2026, and the final fairness hearing has been scheduled for October 8, 2026.


Connecticut Medicaid Portal Breach Affects 22,500 Hartford HealthCare Patients

The personal and protected health information of approximately 22,500 Hartford HealthCare patients has been exposed in a security incident. Data breaches have also been announced by the New York City cosmetic surgery practice of Ira L. Savetsky, MD, and the mobility and rehabilitation product provider ERMI, LLC.

Hartford HealthCare

The Connecticut Department of Social Services and Gainwell Technologies, a vendor that provides fiscal agent and account administration services for the Connecticut Medicaid program (HUSKY), have identified unauthorized access to certain payment accounts on the HUSKY provider portal website.

Suspicious activity was identified on March 25, 2026, and the forensic investigation confirmed unauthorized access to a small number of Hartford HealthCare’s payment accounts on the website. The accounts were accessed on March 4, 2026, using the compromised credentials of Hartford HealthCare employees. Immediate action was taken to prevent further unauthorized access, and assisted by third-party cybersecurity experts, the incident was determined to have been contained and further unauthorized access blocked; however, the threat actor had downloaded files containing the data of approximately 22,500 individuals.

The review of those files revealed they contained information such as full names, ID numbers associated with Hartford HealthCare accounts or Medicaid claims, dates of medical services, information about services received and how they were billed, payment information including amounts paid, and information about applicable non-Medicaid health insurance, including policy and group number. Social Security numbers were not stored in the system, and were not obtained in the attack.

This appears to have been a financially motivated attack, and the primary purpose does not appear to have been patient data theft; however, patient information was compromised and, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. DSS and Gainwell Technologies began sending notification letters to the affected Hartford HealthCare patients on May 22, 2026.

Ira L. Savetsky, MD

The New York City cosmetic surgery practice of Ira L. Savetsky, MD, has experienced a breach of its email environment. The security incident was detected in January 2026, and the forensic investigation confirmed that a single employee’s email account had been accessed by an unauthorized third party. The first instance of unauthorized access occurred in November 2024, and access to the account remained possible until January 2026. Over that 14-month period, information in the account may have been viewed or copied. The account was reviewed and found to contain patient information such as scheduling information and correspondence related to patient care, along with first and last names, birth dates, telephone numbers, driver’s license numbers, medical records, health information, health insurance information, and photographs.

Notification letters started to be mailed to the affected individuals on May 21, 2026. Complimentary credit monitoring and identity theft protection services do not appear to have been offered. The incident has been reported to regulators, but it is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

ERMI LLC

ERMI LLC, an Atlanta, GA-based provider of mobility and rehabilitation products, has identified a cybersecurity incident that exposed sensitive data. Unauthorized access to certain employee email accounts was identified on or around August 14, 2025. The accounts were secured, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The forensic investigation confirmed unauthorized access to a limited number of employee email accounts between February 15, 2025, and August 14, 2025. The review of the accounts was completed on or around April 17, 2026. Individual notification letters are being sent to the affected individuals, which detail the exact types of data exposed in the incident. As a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit score, and credit report services. The number of affected individuals has yet to be publicly disclosed.


The Oncology Institute Confirms Unauthorized Access to Systems Due to Vendor Breach

The Oncology Institute, a publicly traded provider of cancer care through more than 100 clinics in California, Oregon, Nevada, Arizona, and Florida, has recently confirmed that patient data was potentially accessed by an unauthorized third party as a result of a security incident at one of its vendors.

In a November 3, 2025, filing with the U.S. Securities and Exchange Commission (SEC), The Oncology Institute said that it determined on November 3, 2025, that a cybersecurity incident at one of its information technology software providers would potentially delay fee-for-service collections. At the time of the notice, The Oncology Institute said its vendor was unable to confirm whether patient data had been accessed in the attack, and that at the time of issuing the filing, it was unaware of any unauthorized access to patient data as a result of the incident, but the investigation into the incident was ongoing.

In an updated SEC filing, The Oncology Institute said further information has come to light indicating that certain Oncology Institute systems were subject to unauthorized access by a third party as a result of the incident, including systems containing patient data. Kroll, the third-party administrator for the vendor, had made that determination and notified The Oncology Institute on May 20, 2026.

The Oncology Institute said it is working with its vendor to provide complimentary credit monitoring and identity theft protection services to the affected individuals. At the time of issuing the SEC filing on May 20, 2026, The Oncology Institute said the cybersecurity incident had not had a material impact on the company’s operations, financial systems, or the quality of care provided to patients. The Oncology Institute has yet to publicly disclose the types of data potentially compromised in the incident.

The Oncology Institute provides cancer care to around 2 million patients. It is currently unclear how many of those patients have been affected by the incident. The Oncology Institute has not disclosed the name of the vendor that experienced the cybersecurity incident, although certain media outlets have suggested that the vendor was TriZetto Provider Solutions, which experienced a major data breach last year affecting many of its healthcare provider clients.
