HIPAA Breach News

Legacy Treatment Services Data Breach Affects 42,000 Individuals

Data breaches have recently been confirmed by Legacy Treatment Services/Community Treatment Solutions in New Jersey, Washington Gastroenterology, Woodlawn Hospital in Indiana, and Children’s Home & Aid (Brightpoint) in Illinois.

Legacy Treatment Services

Legacy Treatment Services, a New Jersey provider of behavioral health and addiction treatment services, has notified the Maine Attorney General about an October 2024 cybersecurity incident involving the personal and protected health information of 41,826 individuals. Some of the affected individuals had received services from Community Treatment Solutions (CTS) in Moorestown, New Jersey.

The incident was identified on or around October 11, 2024, when connectivity to its network was disrupted. The forensic investigation confirmed unauthorized access to its network between October 6, 2024, and October 11, 2024. A file review was initiated, and on July 18, 2025, confirmation was received that employee and patient data were accessed and acquired in the incident.

The data involved varied from individual to individual and included first and last names along with one or more of the following: addresses, phone numbers, email addresses, Social Security numbers, birth dates, driver’s license numbers/state ID numbers, passport numbers, financial account numbers, routing numbers, bank names, credit/debit card numbers/CVV/expiration dates/PIN or security codes, login information, diagnoses, clinical information, treatment/procedure information, treatment types/locations, treatment cost information, doctors’ names, medical record numbers, patient account numbers, health insurance information, prescription information, and/or biometric information.

While no evidence has been found to indicate any misuse of that information, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Washington Gastroenterology

Washington Gastroenterology has recently started notifying patients about a cybersecurity incident detected on or around March 10, 2025. The exact nature of the incident was not disclosed in its substitute breach notice, only that certain data was accessed by an unknown third party. The affected data was reviewed, and it was confirmed that the breach was limited to a legacy system, which contained names, Social Security numbers, and medical information. No current networks or affiliate systems were involved.

Individual notification letters started to be mailed to the affected individuals on May 23, 2025; however, it later emerged that further individuals were affected, and notification letters are now being mailed to those individuals. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals. The data breach has been reported to regulators, but the incident is not currently shown on the OCR data breach portal or the Washington Attorney General website, so it is currently unclear how many individuals have been affected.

Woodlawn Hospital

Woodlawn Hospital in Rochester, Indiana, has identified unauthorized access to its computer network. The intrusion was identified on June 30, 2025, and the forensic investigation confirmed unauthorized access between June 25, 2025, and June 30, 2025. During that time, files containing patient data were copied from its network.

The files are currently being reviewed, but it has been confirmed that they contain names, addresses, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, medical information, and health insurance information. Notification letters will be mailed to the affected individuals when the file review is concluded. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Children’s Home & Aid (Brightpoint)

Children’s Home & Aid, doing business as Brightpoint in Illinois, has identified unauthorized access to an employee’s email account. The security incident was detected on or around February 27, 2025, and the forensic investigation confirmed unauthorized access to the account between January 12, 2025, and February 27, 2025. Following a programmatic and manual review of the account, it was determined on June 16, 2025, that the account contained the personal and protected health information of 1,051 individuals.

The data involved varied from individual to individual and may have included names, Social Security numbers, driver’s license numbers/government-issued identification numbers, financial account information, health insurance information, and/or medical information. Brightpoint has reviewed its security policies and procedures and has taken steps to reduce the risk of similar incidents in the future.

The post Legacy Treatment Services Data Breach Affects 42,000 Individuals appeared first on The HIPAA Journal.

Healthcare Services Group Confirms 624,500 Individuals Affected by Data Breach

Healthcare Services Group, Inc. (HSG), a Bensalem, PA-based provider of environmental, dining, and nutritional support services to healthcare facilities, has recently notified the Maine Attorney General about a major data breach involving unauthorized access to systems containing the personal and protected health information of 624,496 individuals, including 3,871 Maine residents.

HCSG provides its services to more than 3,000 healthcare facilities in 48 U.S. states and employs more than 45,000 individuals. HSG first disclosed the security incident on October 16, 2024, in a FORM 8-K filing with the U.S. Securities and Exchange Commission (SEC), explaining that a cybersecurity incident was identified on October 9, 2024, when unauthorized activity was detected within some of its systems.

HSG initiated its cybersecurity incident response process, and an investigation was launched to determine the cause of the activity, with assistance provided by third-party cybersecurity specialists. At the time, the full nature of the incident was unknown, although it was not expected to have a material impact on its financial condition or the results of operations. The breach report indicates initial access to its network occurred on September 27, 2024, twelve days before the intrusion was detected. HSG has been reviewing the exposed files and determined on June 3, 2025, that personal and protected health information was potentially stolen.

Notification letters started to be mailed to the affected individuals on August 25, 2025, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, in Maine at least. While the Maine Attorney General has published a copy of the breach notification letter, a website error means it is not currently viewable, and there is currently no substitute breach notice on the HSG website, so the types of information exposed in the incident and the nature of the cyberattack are currently unknown.

This post will be updated when further information becomes available.


Michigan Rural Health System Notifies 140,000 About Hacking Incident

Aspire Rural Health in Michigan is notifying almost 140,000 patients about unauthorized access to its network and the theft of their personal and healthcare data. Aspire Rural Health consists of more than 70 providers and serves patients in rural areas in Huron County, Sanilac County, Tuscola County, and Lapeer County. Aspire detected the intrusion on or around January 6, 2025, and third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that an unauthorized third party had access to its network for more than two months from November 4, 2024, to January 6, 2025.

According to the substitute data breach notice on the Aspire website, files containing patients’ protected health information were accessed and/or acquired in the incident. Following a manual review of the affected files, Aspire confirmed that a wide range of data types were compromised in the incident.

Current and former patients had their first and last names stolen, in combination with one or more of the following: date of birth, Social Security number, financial account number and routing number, diagnosis information, medical treatment information, prescription information, health insurance information, payment card number/PIN/expiry date, lab results, provider information, driver’s license number, username/password, biometric identifiers, patient identification number, medical record number, and passport number.

Aspire is unaware of any misuse of the affected data; however, as a precaution, complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. The data breach is not yet listed on the HHS’ Office for Civil Rights breach portal; however, the Maine Attorney General has been informed that 138,386 individuals have been affected, including 4 Maine residents. While not described as a ransomware attack, the BianLian threat group claimed responsibility for the attack and added Aspire to its dark web data leak site.


July 2025 Healthcare Data Breach Report

U.S. healthcare data breaches are down 34.1% month-over-month, and 44.5% fewer individuals had their healthcare data exposed. HIPAA-regulated entities reported 48 data breaches affecting 500 or more individuals in July, 12 fewer than the monthly average over the past 12 months.

[Chart: Healthcare data breaches in the past 12 months - July 2025]

July saw the lowest number of reported healthcare data breaches since September 2024, although the monthly total is likely to increase as there is often a delay between an entity reporting a data breach to the HHS’ Office for Civil Rights (OCR) and it being added to the OCR breach portal. For instance, in August 2024, when we compiled the July 2024 healthcare data breach report, there were 43 data breaches, with the total increasing to 49 over the next few months.

[Chart: July healthcare data breaches 2020-2025]

July’s total is therefore likely to be slightly higher than July 2024, and data breaches are up slightly year-over-year. When we compiled our July 2024 data breach report on July 20, 2024, 435 data breaches affecting 500 or more individuals had been reported to OCR. This year’s total for January 1, 2025, to July 31, 2025, stands at 444 data breaches – a 2% year-over-year increase.

[Chart: Individuals affected by healthcare data breaches in the past 12 months]

There has also been a fall in the number of individuals affected by healthcare data breaches. Across the 48 reported data breaches, 4,397,900 individuals had their healthcare data exposed or impermissibly disclosed – a 44.5% month-over-month reduction, and 1.37 million fewer individuals than the 12-month average of 5,769,912 individuals a month.

[Chart: Individuals affected by July data breaches 2020-2025]

While there has been a month-over-month fall in affected individuals based on current data, July’s total will increase further as breached organizations complete their data breach investigations and file reviews. As it stands, the number of affected individuals is down 97.8% from the 200 million+ individuals affected by data breaches last year. It should be noted that the July 2024 total includes the data breach at Change Healthcare, which affected 192.7 million individuals. When we compiled the data for last July’s data breach report, the OCR breach portal only showed 1.2 million affected individuals.

Biggest Healthcare Data Breaches in July 2025

In July, 16 HIPAA-regulated entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates reported data breaches affecting 10,000 or more individuals, all of which were hacking incidents. Two data breaches stand out in terms of the number of affected individuals: the hacking incidents at Anne Arundel Dermatology and Radiology Associates of Richmond (RAR), which combined affected more than 3.3 million individuals, 75.6% of the month’s total affected individuals.

It is unclear from the breach reports whether ransomware was used in either of these incidents. Hackers had access to the RAR network for four days in April 2024, but were camped in the Anne Arundel network for three months before the intrusion was detected. Several dermatology practices and medical imaging providers have reported data breaches in recent months, which suggests these types of entities may have been targeted specifically by threat actors.

Three of the top 16 data breaches were reported as ransomware attacks, although ransomware may have been used in more attacks. It is now common for data breach notification letters to omit the cause of the breach, and relatively few mention ransomware, even when ransomware groups have claimed responsibility for an attack.

Name of Regulated Entity | State | Entity Type | Individuals Affected | Cause of Breach
Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 | Hacking incident
Radiology Associates of Richmond, Inc. | VA | Healthcare Provider | 1,419,091 | Hacking incident
Zumpano Patricios, P.A. | FL | Business Associate | 279,275 | Hacking incident
Cierant Corporation | CT | Business Associate | 232,506 | Hacking incident (Cleo VL Trader MFT)
Alera Group, Inc. | IL | Business Associate | 155,567 | Hacking incident
McKenzie Memorial Hospital | MI | Healthcare Provider | 58,839 | Hacking incident
Wood River Health | RI | Healthcare Provider | 54,926 | Hacking incident (Email accounts)
Gastroenterology Consultants of South Texas | TX | Healthcare Provider | 44,579 | Ransomware attack (Interlock)
Infinite Services, Inc. | NY | Healthcare Provider | 31,742 | Ransomware attack
Self Regional Healthcare | SC | Healthcare Provider | 26,696 | Hacking incident at business associate (Nationwide Recovery Service)
Dr. Michael Bilikas and Associates d.b.a. 32 Pearls | WA | Healthcare Provider | 23,517 | Ransomware attack
AVALA Holdings | LA | Healthcare Provider | 22,732 | Hacking incident
Keys Pathology Associates, PA | FL | Healthcare Provider | 20,000 | Hacking incident
Northwest Denture Center, Inc. | WA | Healthcare Provider | 19,419 | Hacking incident
Arbor Associates, Inc. | MI | Business Associate | 17,040 | Hacking incident
Florida Lung, Asthma & Sleep Specialists (FLASS) | FL | Healthcare Provider | 10,000 | Hacking incident

The above list could grow as data breach investigations conclude. The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report a data breach within 60 days of discovery, and when that deadline is reached, data breach investigations may not have concluded. In such cases, many regulated entities submit a breach report with a placeholder figure of 500 or 501 affected individuals as an interim total. In July, five regulated entities reported data breaches using a 500 or 501 figure.

Name of Regulated Entity | State | Entity Type | Breach Size | Cause of Breach
Kettering Adventist Healthcare | OH | Healthcare Provider | 501 | Hacking/IT Incident (Network server)
Human Development Services of Westchester | NY | Healthcare Provider | 501 | Hacking/IT Incident (Email)
Naper Grove Vision Care | IL | Healthcare Provider | 501 | Hacking/IT Incident (Network server)
Doctors’ Memorial Hospital | FL | Healthcare Provider | 500 | Hacking/IT Incident (Network server)
Northwest Medical Homes, LLC | OR | Healthcare Provider | 500 | Hacking/IT Incident (Network server)

Causes of July 2025 Healthcare Data Breaches

Hacking is now the leading cause of data breaches, with July seeing 83.3% of incidents involving hacking or other IT-related issues. On average, 109,620 individuals were affected by these types of data breaches (median: 5,137 individuals). Hacking/IT incidents accounted for 99.7% of breached healthcare records in July (4,384,794 individuals).

[Chart: Causes of July 2025 healthcare data breaches]

There were 8 unauthorized access/disclosure incidents in July, affecting just 13,638 individuals. The average breach size was 1,638 individuals, and the median breach size was 892 individuals. There were no theft incidents, loss incidents, or improper disposal incidents in July, as was the case in June 2025. The most common location of breached protected health information was network servers, followed by email accounts, with just 6 breaches involving protected health information stored in other locations.

[Chart: Location of breached healthcare data - July 2025]

Affected HIPAA Regulated Entities

In July, large data breaches were reported by 37 healthcare providers (3,700,390 affected individuals), 10 business associates (696,727 affected individuals), and one health plan (783 affected individuals). Under HIPAA, it is ultimately the responsibility of each covered entity to ensure the requirements of the HIPAA Breach Notification Rule are met, and some covered entities report breaches that occur at business associates. Many healthcare data breach reports are based on the reporting entity, rather than the entity that suffered the data breach. The charts below show where the breach occurred rather than the entity reporting the data breach.

[Chart: Data breaches at HIPAA-regulated entities in July 2025]

[Chart: Individuals affected by healthcare data breaches at HIPAA-regulated entities - July 2025]

Geographical Distribution of July 2025 Healthcare Data Breaches

HIPAA-regulated entities in 22 U.S. states reported data breaches in July. Florida was the worst-affected state with 9 entities reporting data breaches, although three of those reports were about the same incident, which affected multiple skilled nursing facilities. Texas was the second-worst affected state with 4 data breaches, followed by California, Massachusetts & Michigan, which each had three breaches.

State | Data Breaches Reported
Florida | 9
Texas | 4
California, Massachusetts & Michigan | 3
Georgia, Illinois, New York, Ohio, South Carolina, Virginia & Washington | 2
Colorado, Connecticut, Louisiana, Maryland, North Carolina, Pennsylvania, Rhode Island, Tennessee, Wisconsin & West Virginia | 1

In terms of affected individuals, Maryland topped the list with 1,905,000 individuals affected by a single data breach, followed by Virginia with 1,421,658 individuals affected by two data breaches. Florida was the third-worst-affected state, with 328,471 individuals affected by its 9 data breaches.

HIPAA Enforcement Activity in July 2025

It has been a busy year of HIPAA enforcement, with 18 settlements and civil monetary penalties announced by OCR up to July 31, 2025. Based on the announcements so far, 2025 looks set to be a record-breaking year for HIPAA penalties.

In October 2024, OCR announced a new enforcement initiative looking at compliance with the risk analysis provision of the HIPAA Security Rule. OCR has targeted this HIPAA provision as it is the most commonly identified HIPAA Security Rule violation, and is a foundational requirement that arguably has the biggest impact on security posture. Two enforcement actions were announced in July, both of which resolved risk analysis failures.

Deer Oaks – The Behavioral Health Solution was investigated over an August 2023 ransomware attack that involved the exfiltration of files containing the protected health information of 171,871 individuals. OCR determined that there had been an impermissible disclosure of patients’ electronic protected health information, and Deer Oaks was unable to provide evidence to show that a thorough and accurate risk analysis had been conducted. The case was settled with a $225,000 penalty and a corrective action plan.

Syracuse ASC (Specialty Surgery Center of Central New York) was investigated over a 2021 ransomware attack that exposed the data of 24,891 current and former patients. Syracuse ASC was unable to provide evidence to show that it had ever conducted a risk analysis to identify risks and vulnerabilities to protected health information. Further, the data breach was identified on March 31, 2021, but OCR and the affected individuals were not notified for six and a half months, four and a half months later than the maximum reporting time under the HIPAA Breach Notification Rule. The case was settled with a $250,000 financial penalty and a corrective action plan. Across the 18 HIPAA penalties in 2025, OCR has collected $7,860,566 to resolve alleged violations of the HIPAA Rules.


Mower County, MN Confirms HIPAA-Data Compromised in June Ransomware Attack

Data breaches have recently been announced by Mower County in Minnesota, Seasons Living in Oregon, Dr. Doug’s Pediatric Dentistry in Utah, and Provail in Washington State.

Mower County, Minnesota

Officials in Mower County, Minnesota, have confirmed that HIPAA-protected data was acquired by hackers in a June 2025 ransomware attack. The ransomware attack was identified on June 18, 2025, and an investigation is underway to determine the types of data involved and the individuals affected. The stolen data related to individuals who have previously received services from the County Health and Human Services Department.

Individual notification letters will be mailed to the affected individuals when the investigation is concluded, and County officials have confirmed that complimentary credit monitoring and identity theft protection services will be provided. In the meantime, anyone who has previously received services from the Health and Human Services Department has been advised to be vigilant against identity theft and fraud by reviewing their account statements, explanation of benefits statements, and free credit reports.

Seasons Living

Seasons Living, an assisted living facility in Lake Oswego, Oregon, has disclosed a security incident involving the theft of sensitive data. The security breach was identified on March 4, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network and acquired files containing information related to its vendors, applicants, tenants, owners, and current and former employees.

In a press release about the incident, Seasons Living CEO Eric Jacobsen said the incident has been fully contained, unauthorized access to its network has been blocked, and additional security measures have been implemented to prevent similar incidents in the future. He also confirmed that complimentary credit monitoring services are being provided to all affected individuals.

The press release does not mention the types of data involved; however, a hacker has taken credit for the attack and claims to have stolen information such as names, addresses, birthdates, Social Security and driver’s license numbers, health insurance information, medical records, and financial information. The data breach is not currently listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Dr. Doug’s Pediatric Dentistry

Dr. Doug’s Pediatric Dentistry in Logan, Utah, has recently announced a data security incident that was detected in September 2024. Unusual activity was identified in an employee’s email account. The password was reset, and an investigation was launched, which confirmed that the breach was confined to a single email account and no other systems were affected.

The account was reviewed to determine whether any patient information was present, and contact information was verified to allow notification letters to be mailed. Those processes were concluded in June 2025. The information potentially compromised in the incident includes names, dates of birth, diagnosis or dental treatment information, and Medicaid numbers/health insurance information. A very limited number of patients also had their Social Security numbers and/or driver’s license numbers exposed. The incident has been reported to regulators, although it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

Provail

Provail, a nonprofit provider of disability services in Washington State, has recently disclosed a cybersecurity incident that was detected on or around June 8, 2025. Suspicious network activity was identified, and the forensic investigation confirmed that an unauthorized actor had access to its network between June 7, 2025, and June 9, 2025, and viewed or acquired files containing sensitive client data.

The investigation and file review are ongoing; however, it has been confirmed that the data compromised in the incident included names in combination with one or more of the following: diagnosis/condition information, lab results, medications, other treatment information, addresses, dates of birth, driver’s license numbers, Social Security numbers, other identifying information, claims information, credit card numbers, bank account numbers, and other financial information.

Individual notification letters will be mailed to the affected individuals when the investigation and file review are concluded. The OCR breach portal includes a placeholder figure of at least 501 affected individuals.


Business Associate Data Breach Affects 87 Skilled Nursing Facilities

Fundamental Administrative Services, LLC, a healthcare management services company in Sparks, Maryland, that manages more than 85 skilled nursing facilities and rehabilitation centers in Indiana, Maryland, Nevada, New Mexico, South Carolina, Texas, and Wisconsin, has confirmed that the protected health information of 56,235 individuals has potentially been compromised in a cyberattack.

Suspicious network activity was identified on or around January 13, 2025, and immediate action was taken to secure its systems and contain the incident. A forensic investigation was launched to determine the nature and scope of the activity, which confirmed unauthorized access to its network for around two and a half months from October 27, 2024, to January 13, 2025. During that time, files were exfiltrated from the network that contained HIPAA-protected data.

The file review confirmed that the information compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, financial account information, medical treatment information, health insurance information, and Medicare/Medicaid plan names. Fundamental Administrative Services said it is reviewing its policies, procedures, and processes related to the storage of and access to information.

The data breach was initially reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals, but has been updated now that the file review has concluded. The skilled nursing facilities and rehabilitation centers affected by the incident are listed in the table below:

Affected Facilities

Alamo Heights Health and Rehabilitation Center | Harmon Hospital | Restore Health Rehabilitation Center
Allegany Health Nursing and Rehabilitation | Hearthstone of Northern Nevada | Retama Manor Nursing Center/Victoria South
BellTower Health & Rehabilitation Center | Hillside Heights Rehabilitation Suites | Riverside Health and Rehab
Bennettsville Health & Rehabilitation Center | Horizon Health & Rehab Center | San Gabriel Rehabilitation and Care Center
Berlin Nursing and Rehabilitation Center | Horizon Specialty Hospital of Henderson | Sandy Lake Rehabilitation and Care Center
Bremond Nursing and Rehabilitation Center | Horizon Specialty Hospital of Las Vegas | Sedona Trace Health and Wellness
Bridgecrest Rehabilitation Suites | Julia Manor Nursing and Rehabilitation Center | Sierra Ridge Health and Wellness Suites
Brownfield Rehabilitation and Care Center | Kirkland Court Health and Rehabilitation Center | Solidago Health and Rehabilitation
Calhoun Convalescent Center | Lake Emory Post Acute Care | Southpointe Healthcare and Rehabilitation
Canton Oaks | Lancaster Health and Rehabilitation | Spanish Hills Wellness Suites
Casa Arena Blanca Nursing Center | Las Brisas Rehabilitation and Wellness Suites | Spanish Trails Rehabilitation Suites
Casa Maria Health Care Center and Pecos Valley Rehabilitation Suites | Las Ventanas de Socorro | St. George Healthcare Center
Cedar Pointe Health and Wellness Suites | Los Arcos del Norte Care Center | Sterling Oaks Rehabilitation
Central Desert Behavioral Health Hospital | Magnolia Manor of Greenville | Sunset Villa Care Center
College Park Rehabilitation Center | Magnolia Manor of Greenwood | Terra Bella Health and Wellness Suites
Corinth Rehabilitation Suites on the Parkway | Magnolia Manor of Inman | The Brazos of Waco
Courtyards at Pasadena | Magnolia Manor of Rock Hill | The Casitas at Las Brisas ALF
Creekside Terrace Rehabilitation | Magnolia Manor of Spartanburg | The Hillcrest of North Dallas
Crimson Heights Health & Wellness ALF | Meadowbrook Care Center | The Pavilion at Creekwood
Crimson Heights Health and Wellness | Midlands Behavioral Health Hospital | The Pavilion at Glacier Valley
Crosbyton Nursing and Rehabilitation Center | Midlands Health & Rehabilitation Center | The Terrace at Denison
Devlin Manor Nursing and Rehabilitation Center | Mira Vista Court | The Village at Richardson
Edgewood Rehabilitation and Care Center | Monarch Pavilion Rehabilitation Suites | Valley Falls Terrace
Fairfield Nursing and Rehabilitation Center | Moran Nursing and Rehabilitation Center | Villa Haven Health and Rehabilitation Center
Falcon Ridge Rehabilitation | North Las Vegas Care Center | Villa Rosa Nursing and Rehabilitation
Forest Haven Nursing and Rehabilitation Center | Northampton Manor Nursing and Rehabilitation Center | Willow Springs Health & Rehabilitation Center
Founders Plaza Nursing & Rehab | Oakbrook Health and Rehabilitation Center | Woodlands Place Rehabilitation Suites
Fruitvale Healthcare Center | Oakland Nursing and Rehabilitation Center |
Green Valley Health and Wellness Suites | Physical Rehabilitation and Wellness Center of Spartanburg |
Hallmark Healthcare Center | Rehab Center of Cheraw |


Cyberattack on Medical Equipment Provider Affects 90,000 Patients

Data breaches have been announced by medical equipment provider CPAP Medical Supplies and Services, a Miracle Ear franchisee, and a 20-bed critical access hospital in Washington State.

CPAP Medical Supplies and Services Inc.

CPAP Medical Supplies and Services Inc. (CPAP Medical) has announced a major data breach, potentially involving unauthorized access to the personal and protected health information of up to 90,133 patients. CPAP Medical is a Jacksonville, FL-based medical equipment provider that specializes in sleep therapy products for military families and active duty/retired service members. According to the breach notice provided to the Maine Attorney General, hackers had access to its network between December 13, 2024, and December 21, 2024, and files containing sensitive data may have been viewed or exfiltrated from its network.

After securing its systems, a forensic investigation was conducted, followed by a document review to determine the types of data involved and the individuals affected. The document review was complex and took until June 27, 2025, to complete, when it was confirmed that the compromised data included full names, dates of birth, Social Security numbers, financial and banking information, medical information, and health insurance information. CPAP Medical is unaware of any misuse of patient data as a result of the incident; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Health Services LLC (Miracle Ear)

Health Services LLC has started notifying individuals affected by a security incident that was identified on or around January 28, 2025. Suspicious network activity was detected, and the forensic investigation confirmed that an unauthorized actor had breached its security defenses and had access to its network between January 2, 2025, and January 28, 2025.

Health Services LLC operates a franchise of Miracle Ear, and the data relates to individuals who interacted with the company concerning hearing aid products. On or around May 14, 2025, the data review was completed and confirmed that the exposed data included full names, phone numbers, email addresses, postal addresses, dates of birth, patient ID numbers, Social Security numbers, health insurance information, and diagnosis and treatment information.

The data breach was initially reported to the HHS’ Office for Civil Rights in April as an incident affecting 2,400 individuals; however, the breach portal has since been updated to 75,906 affected individuals.

East Adams Rural Healthcare

East Adams Rural Healthcare, the operator of a 20-bed critical access hospital in Ritzville, Washington, has recently notified the Washington State Attorney General about a data breach that has affected 8,896 state residents. Suspicious network activity was identified on September 12, 2024, and an investigation was launched to determine the cause of the activity.

Forensic evidence was found to indicate its network had been accessed by an unauthorized third party between September 7, 2024, and September 14, 2024, and patient data may have been viewed or acquired. East Adams Rural Healthcare published a substitute notice on its website about the incident on October 4, 2025; however, at the time, the investigation and data review were ongoing, so it was not possible to confirm how many individuals were affected or the specific information involved.

The file review has now been completed, and it has been confirmed that the compromised information included names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information. No evidence has been found to indicate that any patient data has been misused; however, as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.


Patient Data Lost in Ransomware Attack on EHR Vendor

The electronic medical record vendor MDLand International Corporation has fallen victim to a ransomware attack that resulted in the encryption of some of its computer systems. The ransomware attack was detected on May 2, 2025, when certain systems became inaccessible. Immediate action was taken to isolate its network, and a forensic investigation was launched with the assistance of third-party cybersecurity specialists.

The forensic investigation confirmed that an unknown actor encrypted a limited number of MDLand’s systems on May 1, 2025, and may have gained access to patient information stored in one specific database on its network. There was no unauthorized access to the networks or systems of its clients, and no evidence was found to indicate any information in the impacted database was viewed or exfiltrated in the attack, although unauthorized data access and data theft could not be ruled out.

Certain data was encrypted and rendered inaccessible. It was possible to restore some of the impacted data; however, despite MDLand’s best efforts, some records could not be recovered or recreated. Those records related to the period from April 1, 2025, to May 1, 2025. Data input into patients’ medical records during that time has been lost, including patient names, treatment plan information, and providers’ notes about patients.

The impacted database includes the following data elements: name, date of birth, gender, marital status, address, phone number, and prescription information. Financial account information, Social Security numbers, and health benefits information were not involved.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 22,586 individuals. Additional security measures have been implemented, and security policies and procedures are being reviewed to identify any areas for improvement. At the time of issuing notifications, no evidence of misuse of patient data had been identified; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.


Insider Breaches Identified by Three Healthcare Providers

Three insider incidents have recently been identified by healthcare providers in Florida, Massachusetts, and Indiana, including one privacy breach that has been ongoing for more than two and a half years.

University of Miami Health System

University of Miami Health System (UMHS) is notifying almost 3,000 patients about an insider data breach that has been ongoing for more than two and a half years. In June 2025, UMHS discovered that an employee had been accessing the medical records of patients when there was no legitimate business or clinical reason for doing so.

The review of access logs showed the unauthorized access started in September 2022 and continued until May 2025. Under HIPAA, medical records may only be accessed by employees for reasons related to treatment, payment for healthcare, and healthcare operations. If unauthorized medical record access is identified, the individuals responsible face sanctions, which in this case meant termination of employment. UMHS is also collaborating with law enforcement over the incident.

The former employee did not have the necessary access rights to view financial information or Social Security numbers, but was able to view patient information such as names, dates of birth, medical record numbers, provider names, diagnosis/condition information, insurance information, and vaccination status. In total, the medical records of 2,928 patients were accessed over the space of more than two and a half years.

The affected individuals are being notified by Kroll and are being offered complimentary credit monitoring and identity theft protection services. UMHS is also enhancing its security measures and practices to better safeguard patient data.

Berkshire Health Systems

Berkshire Health Systems (BHS) in Massachusetts has discovered that an employee has been accessing patients’ medical records without authorization. BHS received a report about an employee potentially accessing patients’ medical records without a legitimate work reason for doing so. The privacy team immediately launched an investigation, which involved a review of access logs.

The access logs confirmed there had been unauthorized access to patient records, but no evidence was found to indicate any of the information in those records was downloaded, printed, or copied. BHS believes the employee was acting independently, with no other individuals involved. The employee was interviewed and denied disclosing any patient information to other individuals and was terminated for the HIPAA violation.

BHS said it has optimized its privacy monitoring software to help prevent further incidents of this nature in the future, and wrote to the affected patients on August 12, 2025, informing them about the privacy breach. The former employee only had limited access to patient data and could not view highly sensitive information such as financial information, health insurance information, or Social Security numbers. Information potentially viewed includes patient names, dates of birth, medical record numbers, diagnoses, and visit notes. BHS has not publicly disclosed how many individuals were affected, and the incident is not currently shown on the HHS’ Office for Civil Rights breach portal.

Life in Motion Family Wellness Center

Life in Motion Family Wellness Center in Evansville, Indiana, has discovered that patient data has been provided to a local physician and used to try to solicit business. The data breach occurred on July 22, 2025, and involved an individual who had previously rented office space in the center. That individual obtained a list of patient names, addresses, telephone numbers, and dates of birth, which she provided to the physician for marketing purposes.

The HHS’ Office for Civil Rights has been notified, law enforcement has been informed, and individual notification letters have been sent to the affected patients. Steps have also been taken to prevent similar incidents in the future, including reviewing system access and adding new layers of protection.
