On October 10, 2025, SimonMed Imaging started mailing notification letters to the individuals affected by its January 2025 cyberattack. SimonMed Imaging is one of the largest medical imaging providers in the country, operating more than 170 medical imaging facilities in 10 U.S. states. In a breach notice to the Maine Attorney General, the Scottsdale, AZ-based company confirmed that the protected health information of 1,275,669 individuals was compromised in the incident, including 22 Maine residents. The HHS’ Office for Civil Rights breach portal still lists the incident with a 500-individual placeholder figure.

The notification letters provide little extra information beyond that provided in its previous announcement, other than the fact that data theft has now been confirmed. While patient data was stolen in the attack, SimonMed Imaging said it is unaware of any misuse of the stolen data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

As previously reported, the Medusa ransomware group claimed responsibility for the attack; however, SimonMed Imaging is not currently listed on the group’s data leak site, which suggests that the ransom was paid. Regardless, the affected individuals should take advantage of the free services being offered.

Apr 2, 2025: SimonMed Imaging Confirms January 2025 Cyberattack

SimonMed Imaging has recently confirmed that it was affected by a cybersecurity incident earlier this year that involved unauthorized access to patient data via one of its vendors. The Scottsdale, Arizona-based radiology practice said that on January 27, 2025, it was alerted by one of its vendors that they were experiencing a security incident. A review was initiated of its own systems, and the following day, January 28, 2025, suspicious activity was identified within the SimonMed network. Immediate action was taken to contain the situation, and a forensic investigation was initiated to determine the extent to which systems had been compromised and the nature of the unauthorized activity.

The investigation confirmed that an unauthorized actor had direct access to its systems between January 21, 2025, and February 5, 2025. The review of the affected files is ongoing to identify the individuals who had their data exposed, but the initial findings of the investigation suggest that the following data has been exposed and potentially stolen: names, addresses, birth dates, dates of service, provider names, medical record numbers, patient numbers, medical condition information, diagnosis/ treatment information, medications, health insurance information, and driver’s license numbers. The data exposed in the incident varies from individual to individual.

SimonMed said several steps have been taken to improve security as a result of the incident, including enhancing multifactor authentication, resetting passwords, implementing endpoint detection and response monitoring, and removing all third-party vendor direct access to systems within SimonMed’s environment and all associated tools. As the investigation progresses, further technical safeguards will be implemented to bolster existing protections.

SimonMed did not state the name of the threat group behind the attack, nor was any confirmation provided on whether ransomware was used.  The Medusa ransomware group had previously claimed responsibility for the attack and said more than 212 GB of data had been infiltrated, and proof of the breach was posted on its data leak site. Medusa claimed to have demanded a $1 million ransom payment and gave a deadline of February 21, 2025, for payment to be made. At least one class action lawsuit has already been filed against SimonMed over the incident.

The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals.  The total will be updated when the investigation and file review have concluded.

The post SimonMed Imaging: 1.27M Individuals Affected by January 2025 Cyberattack appeared first on The HIPAA Journal.

Data breaches have been announced by Doctors Imaging Group in Florida, Rectangle Health in New York, and Care N’ Care in Texas.

Doctors Imaging Group, Florida

Doctors Imaging Group, a Gainesville, Florida-based physician-owned radiology practice, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 171,862 current and former patients. Suspicious activity was identified within its computer network on or around November 11, 2024, and the forensic investigation confirmed that unknown actors accessed its network between November 5, 2024, and November 11, 2024. During that time, files were copied from its systems, some of which contained the protected health information of patients. The substitute breach notice does not say if this was an extortion attempt, such as a ransomware attack, and the HIPAA Journal has not identified any posts by ransomware groups claiming responsibility for the attack.

Doctors Imaging Group conducted a file review to identify the types of information exposed in the incident, which was completed on August 29, 2025. Data potentially compromised in the attack includes names, addresses, birth dates, admission dates, medical treatment information, claims information, Social Security numbers, patient account numbers, medical record numbers, financial account numbers, and account types. The affected individuals have been advised to monitor their account statements, explanation of benefits statements, and free credit reports for suspicious activity. Doctors Imaging Group has reviewed its data security policies and procedures and is evaluating additional cybersecurity tools to reduce the risk of similar incidents in the future.

Rectangle Health, New York

Rectangle Health, a Valhalla, NY-based software company that provides practice management software to healthcare providers, has recently notified the Maine Attorney General about a breach affecting 2,095 individuals, including 11 Maine residents. The incident involved unauthorized access to its Salesforce platform on August 14, 2025. The platform was used to store customer information. Rectangle Health did not state which cybercriminal group was involved. The file review was completed on September 4, 2025, and confirmed that the stolen data includes names, dates of birth, and Social Security numbers. Notification letters were mailed to the affected individuals on October 8, 2025. Complimentary credit monitoring services are being offered to the affected individuals.

There has been a spate of attacks on Salesforce environments over the past few months, prompting the Federal Bureau of Investigation (FBI) to issue a Flash Alert in September. The alert warned that two cybercriminal groups – UNC6040 (ShinyHunters) and UNC6395 – were targeting Salesforce environments. In September, a hacking group called Scattered Lapsus$ Hunters started leaking stolen Salesforce data. Some members are believed to also be part of the ShinyHunters group. The group has attempted to extort Salesforce and has threatened to extort companies directly if Salesforce refuses to pay the ransom.

Care N’ Care, Texas

Care N’ Care, a Medicare Advantage health plan provider serving Medicare beneficiaries in North Texas, has recently notified the Texas Attorney General about a data breach affecting 32,452 Texas residents. While little is currently known about the data breach, this was a hacking incident that involved unauthorized access to protected health information, which may also have been stolen in the attack. The date of the cyberattack has not been publicly disclosed. The file review has confirmed that the exposed data includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information.

The post Florida Radiology Practice Announces 171K-record Data Breach appeared first on The HIPAA Journal.

Data breaches have been announced by Doctors Imaging Group in Florida, Rectangle Health in New York, and Care N’ Care in Texas.

Doctors Imaging Group, Florida

Doctors Imaging Group, a Gainesville, Florida-based physician-owned radiology practice, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 171,862 current and former patients. Suspicious activity was identified within its computer network on or around November 11, 2024, and the forensic investigation confirmed that unknown actors accessed its network between November 5, 2024, and November 11, 2024. During that time, files were copied from its systems, some of which contained the protected health information of patients. The substitute breach notice does not say if this was an extortion attempt, such as a ransomware attack, and the HIPAA Journal has not identified any posts by ransomware groups claiming responsibility for the attack.

Doctors Imaging Group conducted a file review to identify the types of information exposed in the incident, which was completed on August 29, 2025. Data potentially compromised in the attack includes names, addresses, birth dates, admission dates, medical treatment information, claims information, Social Security numbers, patient account numbers, medical record numbers, financial account numbers, and account types. The affected individuals have been advised to monitor their account statements, explanation of benefits statements, and free credit reports for suspicious activity. Doctors Imaging Group has reviewed its data security policies and procedures and is evaluating additional cybersecurity tools to reduce the risk of similar incidents in the future.

Rectangle Health, New York

Rectangle Health, a Valhalla, NY-based software company that provides practice management software to healthcare providers, has recently notified the Maine Attorney General about a breach affecting 2,095 individuals, including 11 Maine residents. The incident involved unauthorized access to its Salesforce platform on August 14, 2025. The platform was used to store customer information. Rectangle Health did not state which cybercriminal group was involved. The file review was completed on September 4, 2025, and confirmed that the stolen data includes names, dates of birth, and Social Security numbers. Notification letters were mailed to the affected individuals on October 8, 2025. Complimentary credit monitoring services are being offered to the affected individuals.

There has been a spate of attacks on Salesforce environments over the past few months, prompting the Federal Bureau of Investigation (FBI) to issue a Flash Alert in September. The alert warned that two cybercriminal groups – UNC6040 (ShinyHunters) and UNC6395 – were targeting Salesforce environments. In September, a hacking group called Scattered Lapsus$ Hunters started leaking stolen Salesforce data. Some members are believed to also be part of the ShinyHunters group. The group has attempted to extort Salesforce and has threatened to extort companies directly if Salesforce refuses to pay the ransom.

Care N’ Care, Texas

Care N’ Care, a Medicare Advantage health plan provider serving Medicare beneficiaries in North Texas, has recently notified the Texas Attorney General about a data breach affecting 32,452 Texas residents. While little is currently known about the data breach, this was a hacking incident that involved unauthorized access to protected health information, which may also have been stolen in the attack. The date of the cyberattack has not been publicly disclosed. The file review has confirmed that the exposed data includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information.

The post Florida Radiology Practice Announces 171K-record Data Breach appeared first on The HIPAA Journal.

Harris Health in Texas has recently started notifying more than 5,000 patients that their electronic health records may have been impermissibly accessed by a former employee. Concerningly, the unauthorized access had been ongoing for a decade before it was identified.

Harris Health operates Ben Taub Hospital and Lyndon B. Johnson Hospital, and a network of 37 clinics, health centers, and specialty locations in and around Houston, Texas.  While notification letters are now being mailed to the affected individuals, the unauthorized access was detected on February 10, 2021. An investigation was launched to determine the extent of the employee’s HIPAA violation, with assistance provided by a nationally recognized digital forensics firm. The investigation confirmed unauthorized access to patient records from January 4, 2011, to March 8, 2021.

After confirming that patients’ medical records had been accessed without any legitimate work purpose, the employee was terminated, and the Federal Bureau of Investigation (FBI) was notified. Harris Health has been assisting with the investigation, which confirmed that the employee had disclosed some patient information to unauthorized individuals. The substitute breach notice on the Harris Health website doesn’t provide any indication as to why patients’ records were being accessed or the purpose of the disclosure of patient data.

Harris Health was unable to determine the specific patients whose protected health information was disclosed to other individuals, so notification letters are being sent to all individuals whose data may have been impermissibly disclosed. Notification letters were delayed at the request of law enforcement so as not to interfere with the investigation. While law enforcement requests to delay notifications are not unusual, a 4-year delay is unusually long. Typically, notifications are only delayed by a few weeks or months.

Data potentially accessed and disclosed includes demographic information such as names, dates of birth, addresses, email addresses, telephone numbers, and medical record numbers; clinical information such as diagnoses, medical history, medications, immunizations, dates of service, and provider names; health insurance information, and, for a limited number of individuals, Social Security numbers. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services.

All individuals potentially affected have been advised to monitor their explanation of benefits statements and should report any suspicious activity to their health insurer. Harris Health said it is providing further training to the workforce on the importance of protecting patient privacy, and additional tools have been implemented that allow proactive monitoring of employee access to patient records and provide enhanced auditing capabilities to help Harris Health identify unauthorized access more quickly in the future.

Under HIPAA, all employees should be provided with unique logins to allow their interactions with patient information to be tracked. Logs should be maintained to support investigations of unauthorized access to patient records, and those logs should be regularly reviewed. Regular reviews of access logs will help to limit the harm caused if employees impermissibly access patient records. HIPAA-covered entities should also ensure that they provide HIPAA training to their employees during onboarding, as well as annual refresher training sessions to remind employees of their responsibilities under HIPAA and the importance of protecting patient privacy.

The post Harris Health Notifies Patients About 10-Year Insider Data Breach appeared first on The HIPAA Journal.

Superior Vision Service has announced that protected health information has been compromised in a phishing attack. People Encouraging People has fallen victim to a ransomware attack.

Superior Vision Service

Superior Vision Service, a vision insurance company and subsidiary of Versant Health, has announced a July 2025 security incident.  According to the September 26, 2025, notification letters, Superior Vision learned on July 11, 2025, that an employee had been tricked in a sophisticated phishing attack and disclosed their credentials to the attacker.  The employee responded to the phishing email on July 9, 2025, and the threat actor used the employee’s credentials to access their account. On July 11, 2025, the threat actor may have copied emails from the account that contained sensitive customer information.

The account was reviewed and found to contain full names, physical addresses, phone numbers, email addresses, dates of birth, genders, Social Security numbers, vision coverage election information, and employment information related to enrollment. Notification letters are now being sent to the affected individuals, who have been offered a complimentary 12-month membership to a three-bureau credit monitoring service. Superior Vision has also implemented additional safeguards to prevent similar data breaches in the future. State attorneys general have been notified about the breach, and the website of the Texas Attorney General indicates 3,161 Texas residents have been affected; however, it is unclear how many individuals have been affected in total.

People Encouraging People

People Encouraging People, a behavioral healthcare provider in Baltimore, Maryland, has experienced a ransomware attack that involved data theft and file encryption. The attack was identified on or around December 21, 2024. A forensic investigation was launched, which confirmed that the attacker had access to its network between December 18, 2024, and December 23, 2024, during which time files containing sensitive patient data were stolen. The file review confirmed that the stolen data included full names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, diagnosis information, medication information, and treatment information. The types of information involved vary from individual to individual.

People Encouraging People is unaware of any misuse of the stolen information; however, patients have been advised to remain vigilant against identity theft and fraud. Safeguards had been implemented to prevent unauthorized access to its computer network and patient data, and those safeguards are being reviewed and enhanced to prevent similar incidents in the future. The ransomware attack has been reported to the HHS’ Office for Civil Rights as involving the protected health information of 13,083 individuals.

The post PHI Potentially Stolen in Phishing Attack on Superior Vision Service appeared first on The HIPAA Journal.

Treasure Coast Hospice, a palliative care provider in Florida, and Harbor, a mental health and addiction treatment service provider in Ohio, have recently announced security incidents that have exposed patient data.

Health & Palliative Services of the Treasure Coast (Treasure Coast Hospice), Florida

Health & Palliative Services of the Treasure Coast, Inc. d/b/a Treasure Coast Hospice, a provider of palliative care and hospice services to residents of Martin, St. Lucie, and Okeechobee counties in Florida, has recently notified 13,234 individuals about a September 2024 security incident. On September 25, 2025, Treasure Coast Hospice was made aware of unusual activity within its email environment. A third-party cybersecurity firm was engaged to investigate the activity and confirmed unauthorized access to an email account that contained patient information.

The account was reviewed, and on July 15, 2025, the data mining process was completed, and it was confirmed that a range of information had been exposed and may have been accessed or copied. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: date of birth, demographic information, Social Security number, driver’s license number, medical information, financial information, and health insurance information.

At the time of issuing notification letters, Treasure Coast Hospice was unaware of any misuse of the exposed information; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Treasure Coast Hospice said it strongly encourages the affected individuals to take advantage of the services being offered. Additional security measures have been implemented to harden email security, weekly security scans will be conducted, and additional training is being provided to its workforce.

Harbor, Ohio

Harbor, a mental health and substance use disorder treatment provider in Ohio, confirmed in a September 30, 2025, press release that an unauthorized third party breached its security defenses and gained access to its computer network. Suspicious activity was identified on August 1, 2025, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation determined that an unauthorized third party had access to its computer network between July 25, 2025, and August 1, 2025, during which time files were exfiltrated from its network. The types of information in the files vary from individual to individual, and may include names, addresses, birth dates, Social Security numbers, driver’s license numbers/state identification numbers, diagnoses, treatment information, clinical information, financial account information, and health insurance information.  Harbor is reviewing its security policies and procedures and will take steps to improve privacy and security. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Data Breaches Announced by Treasure Coast Hospice & Harbor appeared first on The HIPAA Journal.

Gaylord Specialty Healthcare is notifying patients affected by a December hacking incident, and Gainwell Technologies has reported a breach involving the data of Medicaid recipients in Georgia.

Gaylord Specialty Healthcare, Connecticut

Gaylord Farm Association Inc., doing business as Gaylord Specialty Healthcare, a nonprofit medical rehabilitation center in Wallingford, Connecticut, has recently started notifying patients about a December 2024 security incident that potentially involved unauthorized access to patient information.

Suspicious activity was identified within its computer network on December 19, 2024, and the forensic investigation confirmed unauthorized access to its network from December 16 to December 19. Files were reviewed to determine the types of information involved and the individuals affected. On August 25, 2025, Gaylord learned that the impacted data included names, dates of birth, Social Security numbers, taxpayer ID numbers, driver’s license or state ID numbers, passport numbers, account numbers, routing numbers, payment card numbers, payment card CVVs, medical record numbers, mental or physical condition, treatment information, diagnoses and diagnosis codes, treatment locations, procedure types, provider names, treatment costs, medical date of services, admission/discharge dates, prescriptions, billing/claims information, health insurance information and/or patient account numbers.

Gaylord said it issued a provisional notice to the HHS’ Office for Civil Rights about the data breach and uploaded a breach notice to its website on February 28, 2025; however, the incident is not yet shown on the HHS’ data breach portal, which suggests the initial estimate indicated that fewer than 500 individuals were affected. Gaylord said the delay in issuing individual notifications was due to the complex and time-consuming review of the affected files, which required a manual review of thousands of documents. Security policies, procedures, and practices have been reviewed and enhanced to prevent similar breaches in the future. The total number of affected individuals is not currently known, although the breach was reported to the Maine Attorney General as affecting 75 Maine residents.

Gainwell Technologies, Virginia

Gainwell Technologies, a provider of technology solutions and software to healthcare organizations and government agencies, has recently announced a data breach affecting 912 Medicaid recipients in Georgia. Gainwell Technologies is the fiscal agent for Medicaid in the state, and contracts with Georgia’s Department of Community Health. According to a statement issued by the contractor, on July 23, 2025, an unauthorized caller requested access to payments to providers and gained access to a reimbursement account that contained patient information.

The account contained billing statements that included Medicaid recipients’ names, Medicaid ID numbers, coverage information, and payment information for the periods when services were received. Gainwell Technologies said it is unaware of any misuse of the affected data but has offered complimentary credit monitoring services to the affected individuals for a period of one year as a precaution.

The post Connecticut Medical Rehabilitation Center Announces Hacking Incident appeared first on The HIPAA Journal.