HIPAA Breach News

Almost 26,000 Individuals Affected by Data Breach at Methodist Homes of Alabama & Northwest Florida

Posted by Steve Alder

Data breaches have recently been announced by Methodist Homes of Alabama & Northwest Florida, Rockhill Women’s Care, and Sierra Vista Hospital & Clinics.

Methodist Homes of Alabama & Northwest Florida

Methodist Homes of Alabama & Northwest Florida, a provider of affordable homes, senior living, and healthcare services, disclosed a data breach on October 8, 2025, involving unauthorized access to the personal and protected health information of almost 26,000 residents, employees, and other individuals. The breach occurred almost one year previously, having first been detected on October 14, 2024.

An investigation was launched to determine the cause of suspicious network activity, which confirmed that an unauthorized actor had access to its network between October 2, 2024, and October 14, 2024. During that time, sensitive data may have been accessed or acquired. All exposed files were reviewed, and that process was completed on September 2, 2025. Notification letters have now been mailed to all individuals with valid contact information, and regulators have been notified, including the HHS’ Office for Civil Rights.

The incident is not yet shown on the HHS’ Office for Civil Rights breach portal; however, the Maine Attorney General was informed that 25,579 individuals have been affected in total. The information involved varies from individual to individual and may include names in combination with one or more of the following: Social Security number, driver license or state ID number, health insurance number, and clinical information, including medical record number, medical history, diagnosis and treatment information, patient number, Medicaid/Medicaid number, date of discharge, and date of birth.

Individuals who were neither patient nor resident had their first and last name exposed, plus one or more of the following: Social Security number, driver’s license number, state ID, health insurance number, and medical history information. Credit monitoring services have been offered free of charge to individuals whose Social Security numbers were involved.

Rockhill Women’s Care

The OB-GYN medical practice, Rockhill Women’s Care, which has locations in Overland Park, Kansas, and Lee’s Summit, Missouri, has started notifying patients about a security incident that affected its IT systems and exposed patient information. Suspicious network activity was identified on or around February 26, 2025, and third-party cybersecurity experts were engaged to investigate the activity and assist with remediation. The substitute breach notice does not state when its network was first accessed or for how long hackers had access to the network.

The file review concluded on August 13, 2025, when it was confirmed that the information compromised in the incident included names, addresses, dates of birth, Social Security numbers, treatment information, and, for some patients, also health insurance information. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Sierra Vista Hospital & Clinics

Sierra Vista Hospital & Clinics in Truth or Consequences, New Mexico, has identified unauthorized access to its computer network and the exposure of patient information. The unauthorized access was identified on January 29, 2025, and working with third-party digital forensics specialists, it was determined that a threat actor had access to its network from January 14, 2025, to January 31, 2025.

A comprehensive review was conducted to determine whether patient data had been exposed, and on August 13, 2025, it was confirmed that sensitive patient data may have been accessed or acquired, including first and last names, addresses, state identification numbers/driver’s license numbers, medical information, and health insurance information. Network security has been strengthened, and additional cybersecurity measures have been implemented to prevent similar breaches in the future. Those measures include strengthened email filtering and malware monitoring, and additional cybersecurity awareness training is being provided to the workforce.

The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected. The Texas Attorney General was notified that 481 Texas residents were affected.

The post Almost 26,000 Individuals Affected by Data Breach at Methodist Homes of Alabama & Northwest Florida appeared first on The HIPAA Journal.

Fort Wayne Medical Education Program Data Breach Affects Almost 30,000 Individuals

Posted by Steve Alder

A data breach at the Fort Wayne Medical Education Program has affected almost 30,000 individuals. Data breaches have also been announced by Space Coast Vascular in Florida and Partners in Pediatrics in Colorado.

Fort Wayne Medical Education Program

Fort Wayne Medical Education Program, a family medicine residency in Northeastern Indiana, has recently announced a security incident that potentially involved unauthorized access to the personal and protected health information of up to 29,485 individuals, including patients, employees, and employees’ dependents.

Suspicious activity was identified within its computer network on December 17, 2024, and after securing its systems, the activity was investigated. The forensic investigation confirmed that an unauthorized actor had access to its computer network from December 12, 2024, to December 17, 2024, during which time files containing sensitive data may have been viewed or acquired. The file review was completed on September 9, 2025, when it was confirmed that personal and protected health information had been exposed.

The types of data involved vary from individual to individual. For employees and their dependents, the exposed data included first and last names, in combination with a Social Security number, driver’s license number, state ID number, or passport number. For patients, the exposed information includes names in combination with some or all of the following: Social Security number, government ID number such as driver’s license or passport number, date of birth, medical information, health insurance information, and medical billing information, which may have included bank account number and payment or credit card number (but not CVC). Notification letters were mailed to the affected individuals on October 2, 2025, and complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security number was involved.

Space Coast Vascular

Space Coast Vascular, a vascular and venous health diagnostic laboratory and treatment center in Melbourne, Florida, has announced that it was the subject of a criminal cyberattack on or around January 13, 2025, that impacted its computer systems. Assisted by third-party cybersecurity experts, Space Coast Vascular learned on August 7, 2025, that patients’ protected health information had been exposed and may have been viewed or acquired by the threat actor.

The types of data involved vary from individual to individual and may include name, date of birth, Social Security number, driver’s license/state ID number, medical treatment information, health insurance information, and/or financial account information. At the time of issuing notifications, Space Coast Vascular was unaware of any misuse of patient data as a result of the incident.

The affected individuals are now being notified by mail, and at least 12 months of complimentary credit monitoring and related services are being offered.  Space Coast Vascular has also confirmed that a series of cybersecurity improvements have been made to reduce the risk of similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Partners in Pediatrics

Partners in Pediatrics, an integrative pediatric healthcare practice with offices in Denver and Englewood in Colorado, has recently notified patients about a recent email account breach. Suspicious activity was identified in an employee’s email account on March 5, 2025. The email account was secured, and digital forensics experts were engaged to investigate the activity. They determined that the threat actor had access to emails containing patient information; however, no other systems were affected. The emails were reviewed, and that process was completed on September 23, 2025. Information potentially compromised in the incident includes names, dates of birth, Social Security numbers, driver’s license numbers, clinical information, treatment information, lab test results, prescription information, provider information, and health insurance information.

Data privacy and security policies and procedures have been reviewed, and security measures have been enhanced to prevent similar incidents in the future. On October 3, 2025, individual notification letters started to be mailed to the affected individuals. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Fort Wayne Medical Education Program Data Breach Affects Almost 30,000 Individuals appeared first on The HIPAA Journal.

ALN Medical Management to Pay $4 Million to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

ALN Medical Management, a Nebraska-based revenue cycle management company, has agreed to pay $4 million to settle class action litigation over a March 2024 cybersecurity incident. As reported below, this was a hacking incident that occurred in March 2024, which was initially reported to the HHS’ Office for Civil Rights (OCR) using a placeholder figure of at least 501 affected individuals. The breach total was then revised to more than 1.8 million individuals, and subsequently revised downwards to 1,323,720 individuals. The incident is now archived on the OCR breach portal, indicating that OCR has closed the investigation.

ALN Medical Management and its healthcare clients, Allied Physicians Group, PLLC, Bethany Medical Clinic of New York, PLLC, Hoag Clinic, and National Spine and Pain Centers, LLC, were named in class action lawsuits over the data breach, which were consolidated in a single suit, In Re: ALN Medical Management Data Incident Litigation, in the U.S. District Court for the District of Nebraska.

The lawsuit alleged that ALN Medical Management used the information technology company Long View to host, manage, and secure its IT environment against unauthorized access, and that ALN stored its healthcare clients’ data within an environment hosted, supported, and managed by Long View, which was also named as a defendant in the litigation. Between March 18, 2024, and March 24, 2024, an unauthorized third party gained access to that environment and either accessed or acquired the sensitive data of approximately 1.8 million individuals. The consolidated class action lawsuit asserted claims of negligence, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and violations of the California Consumer Privacy Act.

The defendants deny any wrongdoing, and the plaintiffs believe they have made valid claims; however, all parties quickly moved to settle the litigation, and on August 4, 2025, a settlement in principle was agreed upon. The terms of the settlement have now been finalised and await preliminary approval from the court. Under the terms of the proposed settlement, a $4 million settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the named plaintiffs. After all costs have been deducted, the remaining funds will be used to pay for benefits for the class members.

Class members may choose one of two cash payments: They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member or, alternatively, they can submit a claim for a cash payment. The cash payments are expected to be approximately $50.00 per class member, but may be adjusted upwards or downwards based on the number of valid claims received. The dates for objection, exclusion, and submitting a claim have yet to be set.

May 29, 2025: More Than 1.8 Million Individuals Affected by 2024 ALN Medical Management Data Breach

ALN Medical Management, a Lincoln, Nebraska-based provider of revenue cycle and billing services to the healthcare industry, has recently confirmed the scale of a data breach that occurred more than a year ago in March 2024. The protected health information of more than 1.8 million individuals was compromised in the incident.

On May 23, 2024, ALN Medical Management filed a breach report with the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. At the time, the investigation into the cyberattack and the review of the compromised files were ongoing. In March 2025, ALN Medical Management provided an update on the data breach, confirming that the hackers obtained files from systems hosted by a third-party service provider. The files included individuals’ names, Social Security numbers, driver’s license numbers, government-issued ID numbers, financial information (account number, credit/debit card number), medical information, and health insurance information.

ALN Medical Management started mailing notification letters to the affected individuals on March 21, 2025, and is offering them complimentary credit monitoring and identity theft protection services. The notification process has been ongoing, as there have been reports of notification letters only recently being received. The HHS’ Office for Civil Rights has been provided with an updated total, with the OCR breach portal now showing that the protected health information of 1,823,844 individuals was compromised in the incident. (Update October 2025: That total has since been revised downwards to 1,323,720 individuals.)

State attorneys general have also been provided with updated breach notices, including in Texas, California, and Massachusetts. The notification letter to the Massachusetts Attorney General lists four affected clients: National Spine and Pain in Frederick, Maryland; Inpatient Physician Associates in Lincoln, Nebraska; Hoag Clinic in Costa Mesa, California; and Allied Physicians Group of Melville, New York. It is currently unclear how many other healthcare organizations have been affected.

ALN Medical Management and its Maryland-based parent company, Health Prime International, are facing multiple class action lawsuits over the data breach, with many law firms having opened investigations into potential litigation. The lawsuits already filed allege negligence due to the failure to implement reasonable and appropriate security measures and adhere to industry standard best practices, breach of contract, and other claims. The lawsuits seek financial damages, reimbursement of out-of-pocket expenses, and injunctive relief, requiring ALN Medical Management to implement additional security measures to prevent further data breaches.

The post ALN Medical Management to Pay $4 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

SimonMed Imaging: 1.27M Individuals Affected by January 2025 Cyberattack

Posted by Steve Alder

On October 10, 2025, SimonMed Imaging started mailing notification letters to the individuals affected by its January 2025 cyberattack. SimonMed Imaging is one of the largest medical imaging providers in the country, operating more than 170 medical imaging facilities in 10 U.S. states. In a breach notice to the Maine Attorney General, the Scottsdale, AZ-based company confirmed that the protected health information of 1,275,669 individuals was compromised in the incident, including 22 Maine residents. The HHS’ Office for Civil Rights breach portal still lists the incident with a 500-individual placeholder figure.

The notification letters provide little extra information beyond that provided in its previous announcement, other than the fact that data theft has now been confirmed. While patient data was stolen in the attack, SimonMed Imaging said it is unaware of any misuse of the stolen data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

As previously reported, the Medusa ransomware group claimed responsibility for the attack; however, SimonMed Imaging is not currently listed on the group’s data leak site, which suggests that the ransom was paid. Regardless, the affected individuals should take advantage of the free services being offered.

Apr 2, 2025: SimonMed Imaging Confirms January 2025 Cyberattack

SimonMed Imaging has recently confirmed that it was affected by a cybersecurity incident earlier this year that involved unauthorized access to patient data via one of its vendors. The Scottsdale, Arizona-based radiology practice said that on January 27, 2025, it was alerted by one of its vendors that they were experiencing a security incident. A review was initiated of its own systems, and the following day, January 28, 2025, suspicious activity was identified within the SimonMed network. Immediate action was taken to contain the situation, and a forensic investigation was initiated to determine the extent to which systems had been compromised and the nature of the unauthorized activity.

The investigation confirmed that an unauthorized actor had direct access to its systems between January 21, 2025, and February 5, 2025. The review of the affected files is ongoing to identify the individuals who had their data exposed, but the initial findings of the investigation suggest that the following data has been exposed and potentially stolen: names, addresses, birth dates, dates of service, provider names, medical record numbers, patient numbers, medical condition information, diagnosis/ treatment information, medications, health insurance information, and driver’s license numbers. The data exposed in the incident varies from individual to individual.

SimonMed said several steps have been taken to improve security as a result of the incident, including enhancing multifactor authentication, resetting passwords, implementing endpoint detection and response monitoring, and removing all third-party vendor direct access to systems within SimonMed’s environment and all associated tools. As the investigation progresses, further technical safeguards will be implemented to bolster existing protections.

SimonMed did not state the name of the threat group behind the attack, nor was any confirmation provided on whether ransomware was used.  The Medusa ransomware group had previously claimed responsibility for the attack and said more than 212 GB of data had been infiltrated, and proof of the breach was posted on its data leak site. Medusa claimed to have demanded a $1 million ransom payment and gave a deadline of February 21, 2025, for payment to be made. At least one class action lawsuit has already been filed against SimonMed over the incident.

The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals.  The total will be updated when the investigation and file review have concluded.

The post SimonMed Imaging: 1.27M Individuals Affected by January 2025 Cyberattack appeared first on The HIPAA Journal.

Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member

Posted by Steve Alder

An Iowa nurse has been terminated for a HIPAA violation and has lost her unemployment benefits after disclosing the pregnancy status of a 17-year-old patient to a family member without the patient’s consent. Erica Hulsing was a registered nurse at Waverly Health Center in Waverly, Iowa, where she had been employed since September 2016. On April 17, 2025, Hulsing received a call from a family member of a 17-year-old patient inquiring about the patient’s recent stay at the hospital.

The patient had made an explicit request for her pregnancy status to be kept confidential; however, Hulsing informed the family member that the patient had been pregnant. Following the disclosure, the patient and family members filed complaints with the hospital over the disclosure, prompting an internal investigation. The hospital determined that Hulsing had disclosed highly sensitive information about a patient to an individual who was not authorized to receive that information, as the family member was not listed on her consent form. The hospital determined that the disclosure was a violation of the HIPAA Privacy Rule, which prohibits disclosures of protected health information to unauthorized individuals. The disclosure also violated hospital policies on professional conduct, resulting in termination for gross misconduct.

HIPAA gives patients the right to request that disclosures of their health information be restricted, including disclosures of their health information to family members. While individuals under 18 years of age are considered minors, if a 17-year-old consents to treatment under state law, the Privacy Rule generally allows the minor to exercise their own privacy rights.

Hulsing maintained that she was unaware that disclosing the patient’s pregnancy status to a family member violated the HIPAA Rules. Hulsing applied for unemployment benefits while her case was under review, and she was paid $4,214 in benefits; however, last month, Administrative Law Judge Duane Golden ruled that Hulsing was not eligible to receive unemployment benefits as her actions constituted job-related misconduct, and Hulsing was ordered to repay the $4,214 she received.

Disclosing patient information to any unauthorized individual can have serious consequences for both the healthcare professional and the patient. As this case clearly demonstrates, a lack of knowledge about the requirements of HIPAA is not a valid defense against a HIPAA violation. In this case, the patient’s request for confidentiality should have been respected, and the disclosure should only have been made if the patient had consented to the disclosure and that consent had been documented.

Healthcare professionals must ensure that they are aware of the requirements of HIPAA, and should ensure that they stay up to date with state and federal laws. Healthcare providers should ensure that they provide comprehensive HIPAA training to all employees to ensure they are aware of their responsibilities under HIPAA, and should reinforce training through annual refresher training sessions to help prevent HIPAA violations in the workplace.

The post Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member appeared first on The HIPAA Journal.

Florida Radiology Practice Announces 171K-record Data Breach

Posted by Steve Alder

Data breaches have been announced by Doctors Imaging Group in Florida, Rectangle Health in New York, and Care N’ Care in Texas.

Doctors Imaging Group, Florida

Doctors Imaging Group, a Gainesville, Florida-based physician-owned radiology practice, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 171,862 current and former patients. Suspicious activity was identified within its computer network on or around November 11, 2024, and the forensic investigation confirmed that unknown actors accessed its network between November 5, 2024, and November 11, 2024. During that time, files were copied from its systems, some of which contained the protected health information of patients. The substitute breach notice does not say if this was an extortion attempt, such as a ransomware attack, and the HIPAA Journal has not identified any posts by ransomware groups claiming responsibility for the attack.

Doctors Imaging Group conducted a file review to identify the types of information exposed in the incident, which was completed on August 29, 2025. Data potentially compromised in the attack includes names, addresses, birth dates, admission dates, medical treatment information, claims information, Social Security numbers, patient account numbers, medical record numbers, financial account numbers, and account types. The affected individuals have been advised to monitor their account statements, explanation of benefits statements, and free credit reports for suspicious activity. Doctors Imaging Group has reviewed its data security policies and procedures and is evaluating additional cybersecurity tools to reduce the risk of similar incidents in the future.

Rectangle Health, New York

Rectangle Health, a Valhalla, NY-based software company that provides practice management software to healthcare providers, has recently notified the Maine Attorney General about a breach affecting 2,095 individuals, including 11 Maine residents. The incident involved unauthorized access to its Salesforce platform on August 14, 2025. The platform was used to store customer information. Rectangle Health did not state which cybercriminal group was involved. The file review was completed on September 4, 2025, and confirmed that the stolen data includes names, dates of birth, and Social Security numbers. Notification letters were mailed to the affected individuals on October 8, 2025. Complimentary credit monitoring services are being offered to the affected individuals.

There has been a spate of attacks on Salesforce environments over the past few months, prompting the Federal Bureau of Investigation (FBI) to issue a Flash Alert in September. The alert warned that two cybercriminal groups – UNC6040 (ShinyHunters) and UNC6395 – were targeting Salesforce environments. In September, a hacking group called Scattered Lapsus$ Hunters started leaking stolen Salesforce data. Some members are believed to also be part of the ShinyHunters group. The group has attempted to extort Salesforce and has threatened to extort companies directly if Salesforce refuses to pay the ransom.

Care N’ Care, Texas

Care N’ Care, a Medicare Advantage health plan provider serving Medicare beneficiaries in North Texas, has recently notified the Texas Attorney General about a data breach affecting 32,452 Texas residents. While little is currently known about the data breach, this was a hacking incident that involved unauthorized access to protected health information, which may also have been stolen in the attack. The date of the cyberattack has not been publicly disclosed. The file review has confirmed that the exposed data includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information.

The post Florida Radiology Practice Announces 171K-record Data Breach appeared first on The HIPAA Journal.

Florida Radiology Practice Announces 171K-record Data Breach

Posted by Steve Alder

Data breaches have been announced by Doctors Imaging Group in Florida, Rectangle Health in New York, and Care N’ Care in Texas.

Doctors Imaging Group, Florida

Doctors Imaging Group, a Gainesville, Florida-based physician-owned radiology practice, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 171,862 current and former patients. Suspicious activity was identified within its computer network on or around November 11, 2024, and the forensic investigation confirmed that unknown actors accessed its network between November 5, 2024, and November 11, 2024. During that time, files were copied from its systems, some of which contained the protected health information of patients. The substitute breach notice does not say if this was an extortion attempt, such as a ransomware attack, and the HIPAA Journal has not identified any posts by ransomware groups claiming responsibility for the attack.

Doctors Imaging Group conducted a file review to identify the types of information exposed in the incident, which was completed on August 29, 2025. Data potentially compromised in the attack includes names, addresses, birth dates, admission dates, medical treatment information, claims information, Social Security numbers, patient account numbers, medical record numbers, financial account numbers, and account types. The affected individuals have been advised to monitor their account statements, explanation of benefits statements, and free credit reports for suspicious activity. Doctors Imaging Group has reviewed its data security policies and procedures and is evaluating additional cybersecurity tools to reduce the risk of similar incidents in the future.

Rectangle Health, New York

Rectangle Health, a Valhalla, NY-based software company that provides practice management software to healthcare providers, has recently notified the Maine Attorney General about a breach affecting 2,095 individuals, including 11 Maine residents. The incident involved unauthorized access to its Salesforce platform on August 14, 2025. The platform was used to store customer information. Rectangle Health did not state which cybercriminal group was involved. The file review was completed on September 4, 2025, and confirmed that the stolen data includes names, dates of birth, and Social Security numbers. Notification letters were mailed to the affected individuals on October 8, 2025. Complimentary credit monitoring services are being offered to the affected individuals.

There has been a spate of attacks on Salesforce environments over the past few months, prompting the Federal Bureau of Investigation (FBI) to issue a Flash Alert in September. The alert warned that two cybercriminal groups – UNC6040 (ShinyHunters) and UNC6395 – were targeting Salesforce environments. In September, a hacking group called Scattered Lapsus$ Hunters started leaking stolen Salesforce data. Some members are believed to also be part of the ShinyHunters group. The group has attempted to extort Salesforce and has threatened to extort companies directly if Salesforce refuses to pay the ransom.

Care N’ Care, Texas

Care N’ Care, a Medicare Advantage health plan provider serving Medicare beneficiaries in North Texas, has recently notified the Texas Attorney General about a data breach affecting 32,452 Texas residents. While little is currently known about the data breach, this was a hacking incident that involved unauthorized access to protected health information, which may also have been stolen in the attack. The date of the cyberattack has not been publicly disclosed. The file review has confirmed that the exposed data includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information.

The post Florida Radiology Practice Announces 171K-record Data Breach appeared first on The HIPAA Journal.

Harris Health Notifies Patients About 10-Year Insider Data Breach

Posted by Steve Alder

Harris Health in Texas has recently started notifying more than 5,000 patients that their electronic health records may have been impermissibly accessed by a former employee. Concerningly, the unauthorized access had been ongoing for a decade before it was identified.

Harris Health operates Ben Taub Hospital and Lyndon B. Johnson Hospital, and a network of 37 clinics, health centers, and specialty locations in and around Houston, Texas.  While notification letters are now being mailed to the affected individuals, the unauthorized access was detected on February 10, 2021. An investigation was launched to determine the extent of the employee’s HIPAA violation, with assistance provided by a nationally recognized digital forensics firm. The investigation confirmed unauthorized access to patient records from January 4, 2011, to March 8, 2021.

After confirming that patients’ medical records had been accessed without any legitimate work purpose, the employee was terminated, and the Federal Bureau of Investigation (FBI) was notified. Harris Health has been assisting with the investigation, which confirmed that the employee had disclosed some patient information to unauthorized individuals. The substitute breach notice on the Harris Health website doesn’t provide any indication as to why patients’ records were being accessed or the purpose of the disclosure of patient data.

Harris Health was unable to determine the specific patients whose protected health information was disclosed to other individuals, so notification letters are being sent to all individuals whose data may have been impermissibly disclosed. Notification letters were delayed at the request of law enforcement so as not to interfere with the investigation. While law enforcement requests to delay notifications are not unusual, a 4-year delay is unusually long. Typically, notifications are only delayed by a few weeks or months.

Data potentially accessed and disclosed includes demographic information such as names, dates of birth, addresses, email addresses, telephone numbers, and medical record numbers; clinical information such as diagnoses, medical history, medications, immunizations, dates of service, and provider names; health insurance information, and, for a limited number of individuals, Social Security numbers. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services.

All individuals potentially affected have been advised to monitor their explanation of benefits statements and should report any suspicious activity to their health insurer. Harris Health said it is providing further training to the workforce on the importance of protecting patient privacy, and additional tools have been implemented that allow proactive monitoring of employee access to patient records and provide enhanced auditing capabilities to help Harris Health identify unauthorized access more quickly in the future.

Under HIPAA, all employees should be provided with unique logins to allow their interactions with patient information to be tracked. Logs should be maintained to support investigations of unauthorized access to patient records, and those logs should be regularly reviewed. Regular reviews of access logs will help to limit the harm caused if employees impermissibly access patient records. HIPAA-covered entities should also ensure that they provide HIPAA training to their employees during onboarding, as well as annual refresher training sessions to remind employees of their responsibilities under HIPAA and the importance of protecting patient privacy.

The post Harris Health Notifies Patients About 10-Year Insider Data Breach appeared first on The HIPAA Journal.

PHI Potentially Stolen in Phishing Attack on Superior Vision Service

Posted by Steve Alder

Superior Vision Service has announced that protected health information has been compromised in a phishing attack. People Encouraging People has fallen victim to a ransomware attack.

Superior Vision Service

Superior Vision Service, a vision insurance company and subsidiary of Versant Health, has announced a July 2025 security incident.  According to the September 26, 2025, notification letters, Superior Vision learned on July 11, 2025, that an employee had been tricked in a sophisticated phishing attack and disclosed their credentials to the attacker.  The employee responded to the phishing email on July 9, 2025, and the threat actor used the employee’s credentials to access their account. On July 11, 2025, the threat actor may have copied emails from the account that contained sensitive customer information.

The account was reviewed and found to contain full names, physical addresses, phone numbers, email addresses, dates of birth, genders, Social Security numbers, vision coverage election information, and employment information related to enrollment. Notification letters are now being sent to the affected individuals, who have been offered a complimentary 12-month membership to a three-bureau credit monitoring service. Superior Vision has also implemented additional safeguards to prevent similar data breaches in the future. State attorneys general have been notified about the breach, and the website of the Texas Attorney General indicates 3,161 Texas residents have been affected; however, it is unclear how many individuals have been affected in total.

People Encouraging People

People Encouraging People, a behavioral healthcare provider in Baltimore, Maryland, has experienced a ransomware attack that involved data theft and file encryption. The attack was identified on or around December 21, 2024. A forensic investigation was launched, which confirmed that the attacker had access to its network between December 18, 2024, and December 23, 2024, during which time files containing sensitive patient data were stolen. The file review confirmed that the stolen data included full names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, diagnosis information, medication information, and treatment information. The types of information involved vary from individual to individual.

People Encouraging People is unaware of any misuse of the stolen information; however, patients have been advised to remain vigilant against identity theft and fraud. Safeguards had been implemented to prevent unauthorized access to its computer network and patient data, and those safeguards are being reviewed and enhanced to prevent similar incidents in the future. The ransomware attack has been reported to the HHS’ Office for Civil Rights as involving the protected health information of 13,083 individuals.

The post PHI Potentially Stolen in Phishing Attack on Superior Vision Service appeared first on The HIPAA Journal.