Teamsters Union 25 Health Services & Insurance Plan, a health and wellness benefits plan for members of Teamsters Union Local 25, a trade union representing truck drivers, warehouse workers, clerical workers, and service and technology employees, identified suspicious activity within its computer network on or around August 1, 2025, potentially indicating unauthorized access.

Third-party cybersecurity experts were engaged to investigate the activity and confirmed unauthorized access to the network. Further investigation uncovered evidence that certain data on the network was accessed and potentially copied without authorization. The data related to members of the Teamsters Union 25 Health Services & Insurance Plan and the Teamsters Union 25 Investment Plan.

The review of the affected files was completed on August 18, 2025, and notification letters were mailed to the affected individuals on September 3, 2025. The affected individuals have been offered 12-24 months of complimentary credit monitoring and identity theft protection services, and steps have been taken to enhance security to prevent similar breaches in the future. The data involved varies from individual to individual and may include names, member IDs, Social Security numbers, health information, and health insurance information. The HHS’ Office for Civil Rights was informed that the protected health information of 19,231 individuals was compromised in the incident.

Anthony L. Jordan Health Corporation

Anthony L. Jordan Health Corporation (AJHC) in Rochester, New York, has fallen victim to a phishing attack that involved unauthorized access to the email, OneDrive, and SharePoint accounts of three employees. Suspicious activity was identified in an employee’s email account on June 30, 2025. The account was immediately secured, and an investigation was launched to determine the nature and scope of the incident.

The investigation confirmed that an unauthorized actor had accessed the accounts at various times between April 30, 2025, and July 9, 2025, after the employees responded to phishing emails. The purpose of the unauthorized access appeared to be to fraudulently obtain funds from Jordan Health, rather than to obtain patient data; however, unauthorized access to patient information could not be ruled out.

The affected accounts were reviewed and found to contain patient information such as names, dates of birth, medical record numbers, provider names, dates of service, and health insurance information. In total, 2,974 patients potentially had information compromised in the incident. Jordan Health has provided additional cybersecurity awareness training to the workforce to prevent similar incidents in the future.

Sentara Health

Last week, Sentara Health notified 696 patients about a mailing incident that disclosed a limited amount of patient data. The mailing was sent to patients of a specific Sentara Behavioral Health Specialists provider to advise them of the departure of that provider from Sentara.

An error was made when compiling the list of recipients for the mailing, resulting in the mismatching of patients’ names and addresses. Letters intended for one patient were sent to a different patient, resulting in the disclosure of the patient’s name, location of the practice, and the provider’s name. Sentara Health addressed the matter with the employee in question, according to its internal policies and procedures, and has taken steps to prevent similar incidents in the future, including evaluating additional training opportunities.

The post Teamsters Union 25 Health Services & Insurance Plan Hacking Incident Affects 19,000 Members appeared first on The HIPAA Journal.

The medical education provider US HealthConnect and the California billing services vendor Altos Inc have recently announced cyberattacks and data breaches.

US HealthConnect

US HealthConnect, a provider of continuing medical education and promotional education to healthcare providers, has recently announced a cybersecurity incident that was identified on January 25, 2025. Suspicious activity was identified within its computer network, and third-party cybersecurity specialists were engaged to investigate to determine the nature and scope of the activity.

The investigation confirmed that an unauthorized third party had access to its network and may have obtained certain information from the affected systems, including names and Social Security numbers. After validating the results and obtaining up-to-date contact information, notification letters started to be issued on September 4, 2025.

US HealthConnect has enhanced its existing policies and procedures and implemented additional administrative and technical safeguards to protect against similar incidents in the future, and the affected individuals have been offered up to 24 months of complimentary credit monitoring and identity theft protection services.  The data breach has been reported to regulators, although it is currently unclear how many individuals have been affected.

Altos Inc.

Altos Inc., a provider of medical billing, medical transcription & medical management services to healthcare providers in southern California, has discovered that an internal system containing patients’ protected health information has been accidentally exposed to the Internet.

The security error was identified on June 17, 2025. The exposed system was immediately secured, and an investigation was launched to determine how the error occurred and the information that had been exposed. On July 21, 2025, Altos determined that the exposed system contained the protected health information of 6,414 individuals, including names, addresses, dates of birth, Social Security numbers, and health information.

In addition to securing the exposed system and implementing procedures to reduce the risk of similar incidents in the future, additional security reviews have been conducted, and steps are being taken to improve its overall security posture. While there have been no reports of misuse of patient data in connection with the incident, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The post Data Breaches Announced by US HealthConnect & Altos Inc. appeared first on The HIPAA Journal.

Data breaches have recently been announced by Northwest Medical Specialties in Washington, Medical Associates of Brevard in Florida, and Twin Cities Pain Clinic in Minnesota.

Northwest Medical Specialties

Northwest Medical Specialties, PLLC (NWMS), a physician-owned practice with six locations in the South Puget Sound area of Washington state, has started notifying patients about a recent security incident that potentially involved unauthorized access to some of their protected health information.

NWMS was contacted by an unidentified party on August 18, 2025, who claimed to have accessed its network and sensitive patient data. After securing the network and engaging third-party digital forensics specialists to investigate a potential breach, it was concluded that patient data was potentially copied without authorization. The review of the affected files was completed on August 22, 2025, and confirmed that the potentially compromised data included full names, dates of birth, Social Security numbers, and medical information. Notification letters are now being sent to the affected individuals, who have been offered complimentary credit monitoring services.

NWMS said it is reviewing its policies and procedures related to data privacy and security and has implemented additional technical safeguards to further enhance system security. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so the total number of affected individuals cannot yet be confirmed; however, the Washington Attorney General was notified that 3,846 Washingtonians were affected.

Medical Associates of Brevard

Medical Associates of Brevard, a provider of comprehensive healthcare services to residents of Brevard County in Florida, has recently notified state attorneys general about a recent criminal cyberattack that occurred on or around January 17, 2025. Third-party cybersecurity experts were engaged to investigate the incident and review the files on the compromised parts of its network. The review was completed on July 7, 2025, when it was confirmed that the potentially compromised data included names, dates of birth, medical treatment information, health insurance information, Social Security numbers, driver’s license numbers/state identification numbers, and, for a limited number of individuals, financial account information.

Notification letters were mailed to the affected individuals on September 5, 2025. Complimentary credit monitoring and identity theft protection services have been offered, and a series of cybersecurity enhancements have been made to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Twin Cities Pain Clinic

Twin Cities Pain Clinic, a specialized pain management medical group with six locations in Minnesota, has recently disclosed an email security incident that has exposed patient data. Suspicious activity was identified within an employee’s email account on or around July 9, 2025. A digital forensics firm was engaged to investigate the activity and confirmed on July 31, 2025, that an unauthorized user had accessed the account and a limited number of files stored within SharePoint.

A data mining review was initiated to identify any patients who may have had their protected health information exposed. On August 18, 2025, the review was completed, and determined that patient data was present within emails, attachments, and SharePoint. The exposed data included full names, dates of birth, mailing addresses, phone numbers, email addresses, Social Security numbers, medical record numbers, treatment notes, provide information, Social Security numbers, health insurance information, and financial account information.

Legal counsel is conducting a full review of security practices and systems, and enhanced security protocols and security awareness training will be implemented. While no evidence was found to suggest any information had been downloaded or otherwise removed from its email or SharePoint environments, as a precaution, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 24 months.

The post Data Breaches Announced by Washington, Florida, and Minnesota Healthcare Providers appeared first on The HIPAA Journal.

Wayne Memorial Hospital patients have recently been notified that some of their protected health information was stolen by a ransomware group fifteen months ago. Wayne Memorial Hospital, a rural 84-bed hospital in Jessup, Georgia, has recently mailed individual notifications to the 163,400 patients affected by the incident. The ransomware attack was first identified on June 3, 2024, and the forensic investigation revealed that the ransomware group had access to its network from May 30, 2024, to June 3, 2024.

The ransomware group exfiltrated files containing patient data, encrypted files on its network, and demanded a ransom payment to prevent the publication of the data and to obtain the keys to decrypt data. When the attack was identified, the network was disconnected, and systems were taken offline to contain the attack. The ransom was not paid, and files were successfully recovered from backups. The Monti ransomware group claimed responsibility for the attack and added Wayne Memorial Hospital to its data leak site. While the leak site is not currently accessible, the posting received almost 300,000 views while it was live.

The breach notification letters explain that the information involved varies from individual to individual and includes names in combination with some or all of the following: name, date of birth, Social Security number, driver’s license number, state identification number, user identification and password, financial account number, credit or debit card number, credit card expiration date or CVV code, Medicare or Medicaid number, health insurance member number, healthcare provider number, diagnoses, medical history, treatment information, prescription information, and lab test results or images.

Wayne Memorial Hospital said its systems were quickly secured, and additional cybersecurity measures have been implemented to prevent similar incidents in the future. The data breach was first announced more than a year ago on August 2, 2024, and a press release was issued to local media to put patients on alert that their sensitive data had been exposed; however, it has taken a considerable amount of time to review the affected files and issue notifications.

Individual notification letters started to be mailed on August 27, 2025, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The data breach was initially reported to the HHS’ Office for Civil Rights as affecting up to 2,500 individuals; however, the breach turned out to be more severe than that initial estimate, based on the notification to the Maine Attorney General. The HHS’ Office for Civil Rights breach portal has yet to be updated with the latest figure.

The post Wayne Memorial Hospital Notifies 163,000 Patients About May 2024 Ransomware Attack appeared first on The HIPAA Journal.

Officials in Somerset County, Pennsylvania, have confirmed an email hacking incident affecting Children and Youth Services patients. Beech Acres Parenting Center in Cincinnati has notified more than 19,000 clients that their personal information was compromised in a November 2024 hacking incident.

Somerset County Children and Youth Services

Officials in Somerset County, Pennsylvania, have identified unauthorized access to the email accounts of certain employees of the Department of Children and Youth Services. Suspicious activity was identified in an employee’s email account on June 26, 2025. Third-party cybersecurity experts were engaged to investigate the activity and confirmed that multiple email accounts had been accessed by an unauthorized third party between June 26 and June 30, 2025.

Some of the emails and attachments in the compromised accounts contained patients’ protected health information. The data review confirmed that the affected individuals had some or all of the following exposed: name, date of birth, Social Security number, date(s) of service, information related to the services received, physician/facility information, medical condition/diagnosis, treatment information, health insurance information, and/or Medicare/Medicaid number. A small subset of individuals may also have had financial information exposed or information related to paternity tests.

The review is ongoing, so it is not yet possible to say how many individuals have been affected. Notification letters will be mailed to the affected individuals when the review is completed, and complimentary credit monitoring services will be offered, where appropriate. County officials have confirmed that several steps have been taken in response to the incident, including changing email passwords, strengthening authentication requirements, providing further cybersecurity training for the workforce, communicating with staff about the risks from phishing emails, and enhancing email security procedures. Additional tools, training, and third-party monitoring partnerships are also being evaluated.

Beech Acres Parenting Center

Beech Acres Parenting Center, a provider of support services to parents and caregivers in the Greater Cincinnati area in Ohio, has started notifying 19,315 individuals about a November 2024 security incident. Unusual activity was identified within its network on November 24, 2024. Immediate action was taken to contain the incident and prevent further unauthorized access, and third-party cybersecurity experts were engaged to investigate the activity.

The forensic investigation confirmed unauthorized access to its network, and the threat actor may have viewed or acquired files containing sensitive information. The review of the affected files confirmed that the exposed data included the names of current and former clients in combination with one or more of the following: date of birth, Social Security number, driver’s license number, bank account and routing number, health insurance information, and medical or treatment information. The affected individuals were notified by mail on August 22, 2025.

The post Somerset County Children and Youth Services Department Data Breach appeared first on The HIPAA Journal.

Hacking-related data breaches have been reported by Meridian Valley Laboratories in Washington, and College Parkside Pharmacy and College Hometown Pharmacy in New York state.

College Parkside Pharmacy & College Hometown Pharmacy

Certain patients who received services from College Parkside Pharmacy and/or College Hometown Pharmacy in New York state are being notified about a recent security incident that potentially involved unauthorized access to their protected health information. The pharmacies are operated by Albany College of Pharmacy and Health Sciences, which previously announced the security breach; however, the HHS’ Office for Civil Rights has only recently been notified. The OCR breach portal indicates the incident affected 9,742 individuals who received services from College Hometown Pharmacy and 5,736 individuals who received services from College Parkside Pharmacy.

According to the breach notice, unusual activity was identified within its computer network on or around September 14, 2024. External cybersecurity specialists were engaged to assist with the investigation and confirmed unauthorized network access between August 31, 2024, and September 14, 2024.  A limited amount of data was exfiltrated during that time, in what was described as “a sophisticated cybersecurity incident”.

The delay in issuing notifications was due to the time taken to review the affected files. That process was completed on May 30, 2025, and notification letters started to be mailed on June 16, 2025. No evidence of data misuse has been identified; however, the following data was exposed and potentially stolen: First and last name, plus one or more of the following: date of birth, birth certificate, account number, routing number, security code, marriage certificate, mother’s maiden name, digital signature, passport number, government identification number, Social Security number, taxpayer ID number, driver’s license number, payment card number, payment card expiration date, alien registration number, username and password, health insurance information, medical record number, mental or physical condition, diagnosis/treatment information, procedure type, provider name, prescription information, biometric data, and student information.  Albany College of Pharmacy and Health Sciences said additional cybersecurity safeguards are being implemented to prevent similar incidents in the future.

Meridian Valley Laboratories

Meridian Valley Laboratories in Tukwila, Washington, is investigating a security incident that was discovered on July 3, 2025. The investigation has so far revealed that there was unauthorized access to its network between May 30, 2025, and July 3, 2025. During that time, files were copied from its network. They are currently being reviewed to determine the individuals affected and the types of information involved.

At this stage of the investigation, it is too early to tell how many individuals have been affected. The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. Meridian Valley Laboratories said notification letters will be mailed to the affected individuals as quickly as possible when the file review is completed, and they will be informed about the exact types of information involved.

In the meantime, all individuals who used Meridian Valley Laboratories have been advised to remain vigilant against identity theft and fraud by reviewing their accounts, explanation of benefits statements, and credit reports for suspicious activity.

The post Cybercriminals Hit Washington Laboratory and New York Pharmacies appeared first on The HIPAA Journal.

Pediatric Otolaryngology Head & Neck Surgery Associates has reported a data breach affecting almost 44,000 patients. Anchorage Neighborhood Health Clinic in Alaska is investigating a potential security breach that may have affected up to 10,000 patients, and Valley Mountain Regional Center has exposed data over the Internet.

Pediatric Otolaryngology Head & Neck Surgery Associates, Florida

Pediatric Otolaryngology Head & Neck Surgery Associates (POHNS) in Florida recently reported a data breach to the HHS Office for Civil Rights affecting 43,446 individuals. POHNS first announced the data breach on April 25, 2025. Unusual activity was identified within its computer network on February 24, 2025. The forensic investigation confirmed unauthorized access between February 19 and February 24, 2025, including access to patients’ protected health information. The file review confirmed that a range of patient data had been exposed, although the information involved varied from individual to individual.

Data potentially compromised in the incident included names in combination with one or more of the following: address, email address, phone number, Social Security number, driver’s license/state ID number, financial account information, taxpayer ID number, digital signature, date of birth, medical diagnosis/treatment information, prescription information, date of service, patient ID number, provider name, medical record number, Medicare/Medicaid number, health insurance information, health insurance claim number, health insurance policy number, and/or treatment cost information. Notification letters have been mailed to the affected individuals who have been offered complimentary credit monitoring and identity protection services.

Anchorage Neighborhood Health Clinic, Alaska

Anchorage Neighborhood Health Clinic, a Federally Qualified Health Center in Alaska, has confirmed to local media that it is investigating a claim from a hacker about unauthorized access to the personal and health information of 10,000 patients.

Notifications have been issued to patients warning them about a potential security incident after the health center learned that the hacker had contacted certain patients directly. In some cases, the emails sent to patients included information such as their name, address, Social Security number, date of birth, phone number, driver’s license, and health insurance information. Patients have been advised not to interact with any communications they receive from the hacker.

On August 26, 2025, the health center posted a notice on its Facebook page explaining that technical difficulties are being experienced with computer systems, which prevent appointment scheduling, and that phone lines are down. Some progress has been made restoring the affected systems; however, a follow-up post on September 2, 2025, warned that there was only limited computer access due to ongoing technical difficulties, and the phone lines had not been restored by September 9, 2025. The Facebook posts suggest that this was a ransomware attack. The investigation is ongoing, and the extent of any data theft has yet to be confirmed.

Valley Mountain Regional Center

Valley Mountain Regional Center, a Stockton, CA-based provider of support services to individuals with intellectual and developmental disabilities and their families, has recently notified 529 individuals about the accidental exposure of some of their protected health information. On July 14, 2025, a list of State Supplemental Payment (SSP) vendors was posted on its website.

An SSP is an additional payment from the state government that is used to help individuals with disabilities who are living independently. Valley Mountain Regional Center said it discovered that the list contained consumer information such as name, address, city, state, zip code, phone number, vendor name, service code, and service description.

The error was identified quickly, and the list was removed within 18 hours of posting. Valley Mountain Regional Center said it is unaware of any misuse of the exposed information and stressed that Social Security numbers and financial account information were not exposed. Steps have been taken to improve policies and protocols to ensure that similar errors are not made in the future.

The post Florida Pediatric ENT Specialists Confirm Data Breach Affecting 44,000 Individuals appeared first on The HIPAA Journal.

New York Blood Center Enterprises, the operator of 19 blood donor centers in New York and New Jersey, has notified the Maine Attorney General about its January 2025 ransomware attack and has provided further information on the findings of its investigation. As previously announced and reported below, the attack was detected on January 26, 2025. The forensic investigation confirmed that an unauthorized third party had access to its computer network between January 20 and January 26, 2025, and obtained a copy of a subset of files stored on the network.

The files were reviewed, and New York Blood Center Enterprises obtained a preliminary list of individuals whose names and sensitive data were involved on June 30, 2025. The draft list was reviewed, and “an extensive analysis” was conducted to develop a final list of the individuals to notify. The final list was obtained on August 12, 2025. The types of information involved vary from individual to individual and may include names in combination with Social Security numbers, driver’s license numbers, other government identification card numbers, and/or financial account information.

New York Blood Center Enterprises started mailing notification letters to the affected individuals on September 5, 2025, and individuals whose Social Security number or driver’s license number was involved have been offered one year of complimentary credit monitoring and identity theft protection services. New York Blood Center Enterprises said it has enhanced its security protocols and technical safeguards to further protect and monitor its systems.

The notification letters do not mention ransomware, although New York Blood Center Enterprises previously stated that ransomware was involved. The threat group responsible for the attack has not been disclosed, and no group is known to have claimed responsibility for the attack. The notification letter to the Maine Attorney General states that 8 Maine residents were affected, but the breach report does not state how many individuals were affected in total. The HHS’ Office for Civil Rights does not yet show the breach, so it is currently unclear how many individuals have been affected in total.

January 31, 2025: New York Blood Center Enterprises Grappling with Ransomware Attack

A ransomware group has attacked another U.S. blood donation organization. New York Blood Center Enterprises (NYBCe) is one of the largest community-based, non-profit blood collection and distribution organizations in the United States. NYBCe operates 19 donor centers in New York and New Jersey and provides blood and stem cell products to around 70 hospitals in the area. Through its operating divisions in Connecticut, Delaware, Kansas, Minnesota, Missouri, Nebraska, Rhode Island, and Wisconsin, transfusion-related services are provided to more than 500 hospitals nationwide serving around 75 million people.

On Sunday, January 26, 2025, suspicious activity was identified in its IT systems. Third-party cybersecurity experts were engaged to investigate, and it was confirmed that the suspicious activity was due to a ransomware attack. Steps were taken to contain the threat and eject the threat actor from its network, and work is underway to restore its systems as quickly and safely as possible. Law enforcement has been notified, workarounds are being implemented to restore its services and fulfill orders, and NYBCe has been in regular communication with its hospital partners and is working on minimizing disruption to blood supplies.

At this stage, NYBCe is unable to provide a timeline for when its systems will be restored. While the incident has affected the functionality of its IT systems, all blood donor centers remain operational and its community blood drives are continuing with donations being accepted; however, the IT issues caused by the ransomware attack mean processing times are likely to be longer than normal at its donation centers and blood drives and some donation center activities and blood drives may need to be rescheduled. The attack could not have come at a worse time. On January 21, 2025, just a few days before the attack, NYBCe declared a blood emergency due to a 30% reduction in blood donations in recent weeks that has caused a blood shortage in the region. Some blood drives have had to be canceled as a result of the attack.

It is currently unclear which ransomware group is behind the attack and whether donor information was stolen. NYBCe has been providing updates on its website and will issue notifications to any affected individuals if it is confirmed that personal information has been stolen. Ransomware attacks on blood collection and distribution organizations can cause serious disruption to blood supplies. A July 2024 ransomware attack on the Florida-based blood organization, OneBlood, disrupted blood supplies to the 350 hospitals it serves in Alabama, Florida, Georgia, and North and South Carolina, forcing them to implement their critical blood shortage protocols.

A ransomware attack on a pathology service provider to the UK’s NHS in June 2024 caused major disruption to blood transfusions in London and prolonged blood shortages due to the significant reduction in capacity.  A ransomware attack on the Swiss pharma firm OctaPharma in April 2024 resulted in the closure of all blood plasma donation centers in the United States for several weeks.

The post New York Blood Center Enterprises Notifies Individuals Affected by January Ransomware Attack appeared first on The HIPAA Journal.