HIPAA Breach News

Senators Demand Answers from UnitedHealth After Second Massive Data Breach in a Year

Two U.S. senators have written to UnitedHealth Group (UHG) CEO Stephen J. Hemsley demanding answers about cybersecurity and the response to the massive data breach at its subsidiary, Episource, which exposed the personal and protected health information of 5.4 million individuals earlier this year.

Episource, which was acquired by UHG-owned Optum in 2023, provides medical coding and risk adjustment services to physicians, health plans, and other healthcare companies. In June 2025, the company announced a hacking incident that involved unauthorized access to its network between January 27, 2025, and February 6, 2025. The hackers stole sensitive information such as names, dates of birth, Social Security numbers, health information, health insurance information, and Medicare/Medicaid numbers.

The hacking incident at Episource occurred within a year of a ransomware attack on another UHG subsidiary, Change Healthcare, which resulted in the largest healthcare data breach in U.S. history. Change Healthcare has recently confirmed that 192.7 million individuals were affected and had their data stolen in the attack. The attack resulted in a prolonged outage that caused major disruption to electronic prescribing, claims submission, and payment transmission, resulting in a $14 billion payment backlog, which put healthcare providers across the country under significant financial strain. Former UHG CEO Andrew Witty was grilled by Senators about the Change Healthcare ransomware attack and confirmed that the attackers accessed Change Healthcare’s systems using compromised credentials for a Citrix portal that lacked multifactor authentication.

In the letter, Senator Bill Cassidy (R-LA), Chairman of the Senate Committee on Health, Education, Labor, and Pensions (HELP), and Senator Maggie Wood Hassan (D-NH) questioned UHG’s commitment to securing patients’ protected health information given the fact that two major cyberattacks have been experienced in just 12 months and the Change Healthcare cyberattack was the result of a lack of basic cybersecurity measures and a failure to upgrade legacy systems in the two years since UHG acquired Change Healthcare. The senators also criticized UHG for the aggressive approach being taken to recover the loans issued to healthcare providers who were unable to bill for their services due to the prolonged outage of Change Healthcare’s systems.

“We have seen the recent threat that hostile actors, including Iran, may pose on healthcare entities and UHG’s repeated failures to protect against such attacks jeopardizes patient health,” wrote the senators, who have demanded answers from UHG about its response to the Episource cyberattack and how it is improving its security processes company-wide following the Change Healthcare cyberattack.

Regarding the Episource cyberattack, the senators want to know when the attack was first detected, when federal agencies were notified about the attack, the steps being taken to identify the information compromised in the incident, when UHG anticipates finalizing that process, and how UHG is proactively communicating with potentially impacted individuals and entities.

Given the hugely disruptive attack on Change Healthcare in February 2024, which was made possible due to security deficiencies, the senators want to know what remedial steps have been taken to improve security protocols, if those actions have been completed and, if not, when they will be completed, and if UHG has made any changes to how it conducts due diligence on companies it plans to acquire to assess potential security risks. The senators require answers to their questions by August 18, 2025.

The post Senators Demand Answers from UnitedHealth After Second Massive Data Breach in a Year appeared first on The HIPAA Journal.

Alera Group Notifies 155K Individuals About July 2024 Hacking Incident

Alera Group has notified more than 155,000 individuals about a July 2024 hacking incident. Data breaches have also been announced by The Good Samaritan Health Center of Cobb and Western Montana Clinic.

Alera Group Notifies Individuals About July 2024 Hacking Incident

Alera Group, Inc., a provider of risk management, insurance, and financial services, has notified 155,567 individuals about the potential theft of some of their protected health information. The incident was first announced on May 21, 2025, and has recently been reported to the HHS’ Office for Civil Rights.

Suspicious network activity was detected in August 2024, and the forensic investigation confirmed unauthorized access to its network between July 19, 2024, and August 4, 2024. During that time, sensitive data may have been copied. A file review was initiated to determine the types of data involved and the individuals affected, and that process was completed on April 28, 2025.

Alera Group has confirmed that the data related to employees and certain clients, business partners, and providers. That information included names, addresses, demographic information, dates of birth, birth/marriage certificates, Social Security numbers, driver’s licenses, financial account/credit card information, passports, other government-issued IDs (such as state IDs, military IDs, tribal IDs or taxpayer identification numbers), medical information (such as medical histories, diagnosis information, medications, and treatment/testing information), medical record numbers, insurance/claims data (potentially including health insurance information and Medicare/Medicaid IDs), electronic/digital signatures, biometric information, and username/password information.  Alera Group has implemented additional cybersecurity measures to reduce the risk of similar incidents in the future.

The Good Samaritan Health Center of Cobb Announces Hacking Incident

The Good Samaritan Health Center of Cobb, in Marietta, Georgia, a provider of healthcare services to underserved and uninsured individuals, has disclosed a cybersecurity incident via its legal counsel. On or around November 4, 2024, suspicious activity was identified in its computer systems. A third-party cybersecurity firm was engaged to investigate the activity and confirmed unauthorized network access by an unknown third party, who may have viewed or acquired patient information. That third party appears to be the Qilin ransomware group, which claimed responsibility for the attack on its dark web data leak site.

The file review confirmed that the exposed data included full names, Social Security numbers, financial information, driver’s license or state identification information, medical information, and health insurance information. No reports have been received to date to indicate any misuse of that information; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Several steps have been taken since the incident to improve security, including implementing encryption, password changes, and new technical safeguards. A new Security Rule risk analysis has been conducted, and a risk management plan has been implemented. The Good Samaritan Health Center will also be conducting periodic technical and non-technical evaluations of its security measures. There is no listing on the HHS’ Office for Civil Rights breach portal at present, so it is currently unclear how many individuals have been affected.

Western Montana Clinic Targeted in Phishing Campaign

Western Montana Clinic in Missoula has notified 8,255 patients that some of their personal and protected health information has been exposed in a security incident.  Employees were targeted in a phishing campaign, and several employees responded and disclosed their login credentials, allowing unauthorized access to their accounts between March 11, 2025, and April 15, 2025.

The main purpose of the campaign was to change bank account information to divert payments to the attacker’s account, rather than to obtain patient information; however, data theft could not be ruled out. The incident was confined to email accounts, which were found to contain names, contact information, dates of birth, treating physician names, internal identification numbers, dates of service, diagnostic information, treatment information, medications, and for a small subset of patients, Social Security numbers. Western Montana Clinic said it will review email security and will continue to provide security awareness training to the workforce to help employees recognize and avoid phishing emails.

Hacking Incidents Announced by Two Texas Health Clinics

A drug and alcohol addiction center and an OB/GYN Medical Center in Texas have notified patients about unauthorized access to some of their protected health information.

Nova Recovery Center Reports Unauthorized Network Access

Nova Recovery LLC (Nova Recovery Center), a drug and alcohol addiction center in Wimberley, Texas, has identified unauthorized access to certain systems hosted on the Nova Recovery network. The intrusion was identified by its IT and Security teams on May 25, 2025. The threat was neutralized, and the breach was investigated to determine if any patient data had been exposed.

On June 17, 2025, Nova Recovery confirmed that business records on its network had been accessed, some of which contained patients’ personal information. Data compromised in the incident includes first, middle, and last names, addresses, dates of birth, Social Security numbers, and financial payment information. Individual notification letters have been mailed to the 7,713 affected individuals, and complimentary credit monitoring services have been offered. The third-party consulting firm hired to investigate the incident is helping to implement additional security measures to prevent similar incidents in the future.

OB/GYN Medical Center Associates Affected by ConnectOnCall Breach

In July 2025, OB/GYN Medical Center Associates in Houston, TX, published a breach notice on its website about a security incident at one of its business associates. ConnectOnCall.com, LLC, provided a voicemail messaging service through May 2024. ConnectOnCall notified OB/GYN Medical Center Associates that an unknown third party had access to certain data within the ConnectOnCall application between February 16, 2024, and May 12, 2024. ConnectOnCall took the compromised application offline while the incident was investigated by cybersecurity experts, and after enhancing security controls, the solution was brought back online.

Since being notified about the breach, OB/GYN Medical Center Associates has been reviewing the messages left for the practice via the ConnectOnCall system and has confirmed that patient data may have been accessed. The types of data involved depended on the information disclosed by patients in the messages and may have included names, information about physical conditions, medications, procedures, and other personal and medical information. The review was completed on June 25, 2025, and notification letters were mailed to the 2,132 affected individuals on July 23, 2025.

Business Associate Data Breaches Affect Florida Healthcare Providers

PhyNet Dermatology, a business associate of Premier Dermatology Partners, has identified unauthorized access to an email account containing patient information. Baptist Health South Florida has recently confirmed that it was affected by a breach at Oracle Health (Cerner).

PhyNet Dermatology – Premier Dermatology Partners

PhyNet Dermatology, a provider of managed administrative services to dermatology practices, has announced a breach that has affected one of its affiliates, Boca Raton, FL-based Total Vein & Skin, LLC, which does business as Premier Dermatology Partners.

Suspicious activity was identified in an employee’s email account on November 7, 2024. Immediate action was taken to secure the account, and an investigation was launched to determine the nature and scope of the activity. The investigation determined that the breach was more extensive, and further employee email accounts had also been compromised.

The review was completed on June 6, 2025, and confirmed that Premier Dermatology Partners’ data was present in the compromised accounts. The types of information involved vary from individual to individual and may include names in addition to one or more of the following: address, Social Security number, financial account information, date of birth, medical history information, treatment information, diagnosis information, treating physician, medical record number, and health insurance information.

PhyNet Dermatology has reviewed its policies and procedures and enhanced certain administrative and technical controls. Additional security awareness training has also been provided to the workforce to reduce the risk of similar incidents in the future.

Baptist Health South Florida

Baptist Health South Florida has recently confirmed that it has been affected by the Oracle Health hacking incident, which involved unauthorized access to legacy Cerner servers that were awaiting migration to Oracle Cloud. No Baptist Health South Florida systems were compromised.

Data compromised in the incident includes names, Social Security numbers, medical record numbers, physician names, diagnoses, medical images, test results, and treatment information. Many of the healthcare providers affected by the Oracle Health incident issued notifications shortly after being notified about the January 22, 2025, hacking incident.

Baptist Health South Florida said its notifications were delayed at the request of law enforcement while the incident was investigated. The affected individuals are now being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. Baptist Health South Florida has not publicly disclosed the number of individuals affected, and the breach is not currently listed on the HHS’ Office for Civil Rights breach portal.

Small Nebraska Critical Access Hospital Announces Data Breach

Genoa Medical Facilities, which operates a 19-bed critical access hospital in Nebraska, has discovered unauthorized access to its email environment.  Email breaches have also been confirmed by Vail Summit Orthopaedics & Neurosurgery in Colorado and Southern Immediate Care in Alabama.

Genoa Community Hospital (Genoa Medical Facilities), Nebraska

Genoa Medical Facilities, which includes Genoa Community Hospital, a 19-bed critical access hospital, a 39-bed nursing home, and a medical clinic in Nebraska, has discovered unauthorized access to an employee’s email account. Suspicious email activity associated with a single email account was identified in March 2025. The forensic investigation confirmed that the breach was limited to a single account, and the account was reviewed to determine whether patient data had been exposed.

The review was completed on July 8, 2025, when it was confirmed that names, dates of birth, Social Security numbers, other government ID numbers, financial account information, medical treatment/diagnosis information, and health insurance information had been exposed. Notification letters are being sent to the affected individuals, and steps have been taken to improve email security. At the time of issuing notification letters, no misuse of the exposed information had been identified. The incident is not currently shown on the HHS’ Office for Civil Rights (OCR) breach portal, so it is unclear how many individuals have been affected.

Vail Summit Orthopaedics & Neurosurgery

Vail Summit Orthopaedics & Neurosurgery in Colorado has recently disclosed a breach of its email environment. Suspicious activity was identified on August 6, 2024. Immediate action was taken to prevent further unauthorized access, and cybersecurity professionals were engaged to investigate the activity. The investigation confirmed that an unauthorized third party accessed and acquired files, and a review has been conducted to determine the types of information involved and the individuals affected.

On July 24, 2025, Vail Summit confirmed that some patient information was copied in the incident, although no evidence has been uncovered to indicate any misuse of that data. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, health insurance information, treatment/insurance cost, diagnosis/treatment/procedure information, medical history/allergies, prescription drugs taken, medical images, test results/vital signs, healthcare provider name, and treatment date and location.

Single-bureau credit monitoring, credit report, and credit score services have been offered to the affected individuals. There is currently no listing on the OCR breach portal, so it is unclear how many individuals have been affected.

Southern Immediate Care, Alabama

Southern Immediate Care, an urgent care provider in Alabama, has announced a security incident involving two employee email accounts. Suspicious activity was identified in the accounts on April 15, 2025. An investigation has been launched, and the accounts are being reviewed to determine the extent to which patient information has been exposed. While that review is ongoing, Southern Immediate Care believes that both email accounts contain patient information. Notification letters will be mailed to the affected individuals when the review is completed. At present, no reports of misuse of patient data have been received.

DaVita Confirms 2.7 Million Individuals Affected by Ransomware Attack

DaVita, a Denver, CO-based kidney dialysis service provider, has submitted a breach report to the HHS’ Office for Civil Rights confirming the number of individuals affected by its April 12, 2025, ransomware attack. Hackers gained access to its network, exfiltrated sensitive data, and then encrypted files on parts of its network. While the attack caused some temporary operational disruption, DaVita said the critical care it provides to patients continued uninterrupted.

DaVita previously confirmed that the ransomware group gained access to a laboratory database containing patient information. The database and other affected parts of the network have been reviewed, and DaVita has now confirmed that the protected health information of 2,689,826 individuals was compromised in the incident. That makes it the third-largest healthcare data breach announced so far this year, behind the cyberattack on Episource that affected 5.5 million individuals, and the website tracking data breach at Blue Shield of California that affected 4.7 million individuals.

Notification letters are currently being mailed to the affected individuals, who are being offered complimentary credit monitoring and identity theft protection services. The HIPAA Journal has previously reported on the data breach, including DaVita’s announcement and breach notification letter, details of which can be found below.

August 6, 2025: DaVita Ransomware Attack Affects More Than 1 Million Individuals

In April 2025, the kidney dialysis giant DaVita disclosed a security incident in a Securities and Exchange Commission (SEC) filing, although at the time, it was unclear how much sensitive data was stolen. Over the past 3 months, the investigation and data review have been progressing. State Attorneys General have been notified about the incident, and the scale of the data breach is becoming clearer.

Based on the state AG reports so far, the breach has affected more than 1 million patients; however, while all states have data breach notification laws, only a few publish breach reports, and only a handful publicly disclose the number of state residents affected. The table below shows the confirmed totals, but given that DaVita operates more than 2,675 outpatient dialysis centers in 43 states, the final total could well be several orders of magnitude larger.

State              Individuals Affected
Oregon             915,952
Texas              81,740
Washington         13,404
South Carolina     11,570
Massachusetts      7,829
Confirmed Total    1,030,495

At present, there is no listing on the HHS’ Office for Civil Rights breach portal. There is often a delay of a week or two between OCR receiving a breach report and adding it to the breach portal, so a listing is expected in the coming two weeks that will confirm how many individuals have been affected.

The notification letters provide further information about the data breach, although they do not mention ransomware. As reported below, the Interlock ransomware group claimed responsibility for the attack. DaVita described the cyberattack as “a security incident that resulted in unauthorized access to certain DaVita network servers, primarily at its laboratories.” The intrusion was identified on April 12, 2025, and the threat actor was eradicated from its systems the same day. Third-party digital forensics experts were engaged to investigate the incident and assist with containment, eradication, and remediation.

The investigation confirmed that initial access to its network occurred on March 24, 2025, and continued until April 12, 2025. Data compromised in the incident included the dialysis labs database. The Interlock ransomware group claimed that it had stolen 20+ TB of databases, which included more than 200 million rows of patient data.

DaVita said the types of data involved were determined on or around June 18, 2025. The types of information compromised in the incident vary from individual to individual and may include:

  • Demographic information – name, address, date of birth, Social Security number, health insurance-related information, and other identifiers internal to DaVita
  • Clinical information – health condition, other treatment information, and certain dialysis lab test results
  • Tax information – in limited cases, tax identification numbers and, for a small subset of individuals, images of checks written to DaVita

DaVita said additional security monitoring tools and enhanced system controls have been implemented to prevent similar incidents in the future. DaVita is unaware of any misuse of patient data as a result of the security incident, but as a precaution, is offering the affected individuals a complimentary membership to the Experian IdentityWorks identity theft protection service for 12-24 months.

On August 5, 2025, DaVita told the SEC that the attack caused a temporary disruption to its operations and cost the company $13.5 million in the second quarter, $12.5 million of which was due to administrative costs remediating the attack, hiring third-party cybersecurity specialists, and restoring systems. The remaining $1.0 million was due to an increase in patient care costs. The $13.5 million figure does not include costs incurred due to the business interruption.

Further losses are possible due to any noncompliance with privacy and security laws by DaVita or its business associates, and costs associated with noncompliance or breach involving the misappropriation, loss, or other unauthorized use or disclosure of confidential information. Aside from a reduction in revenue from lower patient admissions and ongoing staffing challenges due to lower admissions, DaVita CEO, Javier Rodriguez, said he believes further impacts of the cyber event are likely to have limited effects on its adjusted results.

April 25, 2025: Ransomware Group Claims Responsibility for DaVita Ransomware Attack; Leaks Data

In mid-April, the kidney dialysis service provider DaVita announced in an SEC filing that it was dealing with a ransomware attack that had encrypted parts of its network. An investigation had been launched to determine its impact and whether any patient data was compromised. DaVita said internal operations faced disruption, but care delivery has continued at its dialysis centers and for patients treated at home, and new patients continued to be accepted.

DaVita has yet to make an announcement about a data breach as the investigation and data review are ongoing; however, the Interlock ransomware group has recently claimed responsibility for the attack and has started to leak some of the exfiltrated data. The Interlock ransomware data leak site claims that 20+ terabytes of sensitive data were stolen, including files containing patient data. The group claims to have attempted ransom negotiations before adding DaVita to its data leak site when the negotiations failed. The listing offers 1.5 terabytes of the stolen data for download, spread across 683,104 files in 75,836 folders. The remainder of the data has not been leaked as the group is holding out for a sale. The group claims to be selling 20+ terabytes of SQL databases that include more than 200 million rows of patient data. The HIPAA Journal has not verified whether any patient data is present in the leaked files.

DaVita has confirmed it is aware of the ransomware group’s claims and is currently engaged in a comprehensive data review and is working as quickly as possible to confirm which individuals have been affected and the types of data involved. Any affected parties and individuals will be notified as soon as possible. DaVita has also promised to share the findings of its investigation with its vendors and partners to raise awareness on how to defend against future attacks.

“Interlock first began adding victims to its data leak site in October 2024. As with most ransomware gangs today, it seeks a ransom payment for the decryption of systems and the deletion of stolen data. Since October 2024, we’ve tracked 13 confirmed attacks via this group and a further 13 unconfirmed attacks that haven’t been acknowledged by the organizations in question,” Rebecca Moody, Head of Data Research at Comparitech, told The HIPAA Journal. “As we are seeing with DaVita, ransomware attacks on healthcare companies have the potential for widespread disruption. Not only can patient care be affected when systems are encrypted, but these attacks often have ongoing consequences when data is stolen by hackers. In 2024 alone, nearly 25.7 million individual records were breached across 160 ransomware attacks on US healthcare providers.”

At least two class action lawsuits have been filed against DaVita over the ransomware attack, even though DaVita has yet to confirm a data breach. DaVita disclosed the attack in an SEC filing but is still in the process of investigating the incident, and has not yet disclosed the types of information compromised in the attack or the number of affected individuals. The Interlock ransomware group claimed responsibility for the attack and has added DaVita to its data leak site. The lawsuits, Reid v. Davita Inc. and Jenkins et al v. DaVita, were both filed in the U.S. District Court for the District of Colorado and allege the stolen data is already being misused, but there has been no confirmation from DaVita that the plaintiffs’ sensitive data has been stolen, nor have they been offered any assistance with credit monitoring and identity theft protection services. More lawsuits are expected to be filed in the coming days and weeks.

April 15, 2025: Dialysis Provider DaVita Hit with Ransomware Attack

The kidney dialysis giant DaVita has fallen victim to a ransomware attack that resulted in the encryption of parts of its network. The attack occurred on Saturday, April 12, 2025, and is impacting some of its operations, according to a Monday, April 14, 2025, 8K filing with the U.S. Securities and Exchange Commission (SEC).

The Denver, CO-based Fortune 500 firm operates more than 2,650 outpatient treatment centers in the United States, 509 centers in 13 other countries, employs 76,000 people globally, and served around 200,000 patients in the United States last year. In 2024, the company reported revenues of $12.82 billion. DaVita outpatient centers are used by patients with kidney disease which requires frequent dialysis. Any disruption to patient services could therefore have serious health implications for patients.

DaVita explained that its incident response protocols were immediately initiated, and the impacted systems were isolated to contain the attack and limit its impact. Backup systems have been activated, and manual processes have been implemented to ensure that care can continue to be provided to patients. While the DaVita ransomware attack is causing some disruption to operations, all dialysis centers remain open and care continues to be provided to patients.

Interim measures have been implemented to allow the rapid restoration of certain functions, but DaVita is currently unable to provide an estimate of the duration or extent of disruption or a timeline for a full recovery. Third-party cybersecurity professionals have been engaged to assist with the investigation and recovery, and law enforcement has been notified. At present, no ransomware group appears to have claimed responsibility for the attack.

“Given the recency of the incident, our investigation and response are ongoing, and the full scope, nature, and potential ultimate impact on the Company are not yet known,” explained DaVita in its 8K filing. While there is a growing trend of ransomware groups eschewing encryption, the majority steal sensitive data and use it as leverage to obtain a ransom payment. At this early stage of the investigation, DaVita is unable to confirm to what extent, if any, sensitive patient data was exposed or stolen.

This post will be updated when further information becomes available.

Medical Imaging Provider Confirms Data Breach Affecting More Than 348,000 Patients

A January data breach at Northwest Radiologists and Mount Baker Imaging has affected more than 348,000 patients. Data breaches have also been reported by Self Regional Healthcare in South Carolina and Health Care & Rehabilitation Services of SE Vermont.

Northwest Radiologists & Mount Baker Imaging

Northwest Radiologists and Mount Baker Imaging have provided an update on a data breach first announced in March 2025. The incident was described as a security incident that caused network disruption, and evidence had been found to indicate data exfiltration. At the time of the initial announcement, it was unclear how many individuals had been affected.

In a recent notification sent to the Washington Attorney General, Northwest Radiologists and Mount Baker Imaging confirmed that the following information was compromised in the incident: first and last names, addresses, telephone numbers, dates of birth, email addresses, Social Security numbers, driver’s license or state identification card numbers, treatment or diagnosis information, provider names, medical record numbers or patient identification numbers, health insurance information, and/or treatment cost information.

The same description of the incident is used, with no mention of ransomware. The forensic investigation confirmed that there had been unauthorized network access between January 20, 2025, and January 25, 2025. The delay in issuing notifications was due to the time taken to review the exposed files and obtain up-to-date address information.

Northwest Radiologists and Mount Baker Imaging said that, at the time of issuing notification letters, no misuse of the exposed data had been detected and that they have no reason to suspect any of the exposed information will be misused; however, as a precaution, the affected individuals are being offered complimentary credit monitoring and identity theft protection services. There is no data breach listed on the HHS’ Office for Civil Rights breach portal, but there is often a delay in adding data breaches. The Washington Attorney General was informed that the breach affected 348,118 state residents.

Self Regional Healthcare, South Carolina

Self Regional Healthcare, an independent regional referral hospital in Greenwood, South Carolina, has started notifying 26,696 patients that some of their protected health information was compromised in a cyberattack on a business associate in July 2024. The breach occurred at Nationwide Recovery Service, which provides debt collection services. Hackers had access to its network between July 5, 2024, and July 11, 2024, and exfiltrated data. The majority of affected clients were notified about the breach last year; however, Self Regional Healthcare only received a list of the affected individuals from NRS on May 23, 2025.

According to Self Regional Healthcare, “NRS is the successor entity to a vendor that Self Regional Healthcare (“SRH”) used back in 2012 for debt collection services,” and the data compromised in the attack on NRS relates to a period between 2012 and 2013. The compromised data includes names, dates of birth, Social Security numbers, diagnoses, dates of service, provider names, medical information, and/or health insurance information. Self Regional Healthcare has confirmed that the affected patients have been offered complimentary credit monitoring and identity theft protection services and said it no longer does business with NRS.

Health Care & Rehabilitation Services of SE Vermont

Health Care & Rehabilitation Services of SE Vermont (HCRS) has recently notified the Vermont Attorney General about unauthorized access to two employee email accounts. The unauthorized access was detected on December 20, 2025, and the passwords were reset to prevent further unauthorized access. Third-party cybersecurity professionals were engaged to investigate the unauthorized activity and determine the information that was exposed.

Following an extensive investigation and complex manual data review, HCRS learned on May 13, 2025, that the email accounts were subject to unauthorized access between December 4, 2025, and December 9, 2025, and client and staff information may have been viewed or copied. The exposed information included first and last names, dates of birth, Social Security numbers, financial account numbers, driver’s license numbers, dates of service, patient numbers, medical record numbers, billing information, treatment information, medical histories, and health insurance information.

The affected individuals have been advised to remain vigilant against incidents of identity theft and fraud. At present, there is no data breach listed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Medical Imaging Provider Confirms Data Breach Affecting More Than 348,000 Patients appeared first on The HIPAA Journal.

Ransomware Attack on Arkansas Oncology Group Affects 113,500 Individuals

Highlands Oncology Group, a comprehensive cancer care provider with six locations in Northwest Arkansas, has recently disclosed a cyberattack that was first identified on June 2, 2025. A hacker gained access to its network on January 21, 2025, and remained within the network undetected until June 2, 2025, when ransomware was used to encrypt files. Between those dates, there was intermittent access to the network, and patient data may have been viewed or acquired.

The files were reviewed and found to contain protected health information such as names, dates of birth, Social Security numbers, driver’s license/state identification numbers, passport numbers, credit/debit card numbers, financial account numbers, medical treatment information, medical record numbers, patient account numbers, and/or health insurance policy information. The types of data exposed or stolen varied from individual to individual.

The data breach was recently reported to the Maine Attorney General as involving the personal information of 113,575 individuals. Notification letters started to be mailed on August 1, 2025, and individuals whose Social Security numbers and/or driver’s license numbers were involved have been offered complimentary identity theft protection services. All individuals have been advised to remain vigilant against misuse of their information and should monitor their accounts, explanation of benefits statements, and credit reports closely for signs of data misuse.

While the name of the threat actor was not disclosed in the breach notification letters, the Medusa ransomware group claimed responsibility for the attack. Medusa is known to engage in double extortion, stealing data and demanding a ransom payment to prevent the publication of the stolen data and to provide the keys to decrypt the data. Medusa was the subject of a joint alert by CISA, the FBI, and MS-ISAC earlier this year after attacking more than 300 entities, including several healthcare providers. Medusa was behind the ransomware attack on the kidney dialysis giant DaVita earlier this year. Highlands Oncology Group was added to the Medusa data leak site temporarily, and a $700,000 ransom was demanded. There is currently no listing on the data leak site, which suggests the ransom was paid.

Highlands Oncology Group is one of several cancer care facilities to fall victim to cyberattacks in recent weeks. Last month, a phishing attack affected at least 26 cancer care providers who were part of the Integrated Oncology Network. This is not the first ransomware attack on Highlands Oncology Group, which experienced an attack in November 2023. A recent survey conducted on behalf of the cybersecurity firm Semperis revealed that 77% of healthcare organizations were targeted with ransomware in the past 12 months, 53% of those attacks were successful, and 60% faced multiple attacks.

Florida Internal Medicine Practice Discloses November 2024 Data Breach

Hacking-related data breaches have been announced by Mid Florida Primary Care; Northwest Denture Center in Washington; Forward, The National Databank for Rheumatic Diseases in Kansas; and Equilibria Mental Health Services in Massachusetts. Inc Ransom claims to have attacked the West Virginia Primary Care Association.

Mid Florida Primary Care

On July 29, 2025, Mid Florida Primary Care, a specialized internal medicine practice in Leesburg, Florida, disclosed a cyberattack and data breach that was identified on or around January 23, 2025. An investigation was launched to determine the nature and scope of the activity, which confirmed that an unauthorized third party accessed its network and copied files between November 29, 2024, and December 11, 2024. The data review was completed on June 19, 2025.

The information compromised in the incident includes names, addresses, dates of birth, email addresses, Social Security numbers, driver’s license numbers, health insurance information, Medicare/Medicaid numbers, diagnosis and/or treatment information, medical histories, allergies, prescription information, test results, and treatment locations.

Mid Florida Primary Care has confirmed that the affected individuals will be offered at least 12 months of complimentary credit monitoring and identity theft restoration services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Northwest Denture Center, Washington

Northwest Denture Center in Burlington, Washington, has confirmed that the protected health information of 12,209 individuals has been exposed in a recent hacking incident. Suspicious network activity was identified on or around May 28, 2025, and action was taken to isolate the network to prevent further unauthorized access. The investigation confirmed that an unauthorized third party first gained access to its network on May 27, 2025.

The review of the affected files was completed on June 27, 2025, and notification letters started to be sent to the affected individuals on July 25, 2025. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Additional training is being provided to the workforce, and additional security measures are being implemented. Complimentary credit monitoring services have been provided to the affected individuals for 12 months.

Equilibria Mental Health Services, Massachusetts

Equilibria Mental Health Services in Massachusetts has discovered that the personal and protected health information of up to 2,000 individuals was potentially compromised in a phishing attack. The incident was identified on June 24, 2025, when two employee email accounts were discovered to have been compromised following responses to phishing emails. The email accounts were accessed by an unauthorized third party for a short period on June 24, 2025.

There was unauthorized access to the email addresses of multiple clients and of individuals who had previously contacted Equilibria Mental Health Services to inquire about mental health services. Some of those individuals have reported receiving phishing emails from a compromised Equilibria email account.

The compromised accounts were reviewed and found to contain mailing addresses, physical addresses, telephone numbers, health insurance plan information, and reasons for making contact. The aim of the attack appears to have been to use the compromised accounts for further phishing attempts. Equilibria Mental Health Services said it is evaluating its cybersecurity protocols and taking action to strengthen email security.

Forward, The National Databank for Rheumatic Diseases

Forward, The National Databank for Rheumatic Diseases in Wichita, Kansas, has announced a security incident that was detected on March 21, 2025. Suspicious activity was identified within certain systems, and the forensic investigation confirmed unauthorized access between March 17, 2025, and March 22, 2025. During that time, files containing sensitive information were potentially viewed and copied from its network.

The file review was completed on June 22, 2025, when it was confirmed that personally identifiable information (PII) and protected health information (PHI) had been compromised, including names, contact information, dates of birth, Social Security numbers, medical information/histories, disability information, mental and physical treatment information, diagnoses, prescription information, treating or referring physicians, and medical record numbers. Forward is reviewing its policies, procedures, and processes to reduce the likelihood of a similar future event, and notification letters are being mailed to the affected individuals.

It is currently unclear how many individuals have been affected. The Maine Attorney General was informed that the breach involved the personal information of 38 Maine residents, but the total size of the data breach was not disclosed.

Ransomware Group Claims Attack on West Virginia Primary Care Association

West Virginia Primary Care Association (WVPCA), in Charleston, West Virginia, has recently been added to the dark web data leak site of the Inc Ransom ransomware group. Inc Ransom is a prolific hacking group that engages in double extortion ransomware attacks, stealing data, encrypting files, and demanding payment for the decryptors and to prevent publication of the stolen data. Inc Ransom claims to have exfiltrated 296 GB of data.

The addition of an entity to a dark web data leak site does not necessarily mean data has been stolen. There have been several cases where claims of attacks have been partially or entirely fabricated. West Virginia Primary Care Association has yet to announce any cyberattack or data breach, or issue a statement about the posting. The HIPAA Journal has not accessed any of the leaked data, so it is unable to verify whether the claim is legitimate.
