Data breaches have recently been announced by Central Ozarks Medical Center in Missouri, AdventHealth Daytona Beach in Florida, and the Middlesex Sheriff’s Office in Massachusetts.

Central Ozarks Medical Center, Missouri

Central Ozarks Medical Center (COMC), a Federally Qualified Health Center (FQHC) in mid-Missouri, has notified 11,818 individuals that some of their personal and protected health information was compromised in a criminal cyberattack. The substitute breach notice on the COMC website does not state when the cyberattack was detected or for how long its network was compromised, only that it was determined on or around November 10, 2025, that personally identifiable information and protected health information may have been subject to unauthorized access or acquisition.

The types of information compromised in the incident included names, dates of birth, Social Security numbers, financial account information, medical treatment information, and health insurance information. COMC has provided the affected individuals with information on steps they can take to reduce the risk of identity theft and fraud, and at least 12 months of complementary credit monitoring and identity theft protection services have been offered. COMC has confirmed that it has implemented a series of cybersecurity enhancements and will continue to augment those measures to better protect patient information.

Middlesex Sheriff’s Office, Massachusetts

The Middlesex Sheriff’s Office in Massachusetts has announced a January 2025 security breach that involved unauthorized access to individuals’ protected health information.  The Sheriff’s Office launched an investigation to determine the extent and nature of the incident, and was assisted by the Federal Bureau of Investigation, the Massachusetts State Police, the Commonwealth Fusion Center, the Executive Office of Technology Services and Security, and two cybersecurity firms.

It took until November 19, 2025, to complete the review of the exposed files, when it was confirmed that they contained names, addresses, dates of birth, diagnoses, and/or other general health information. The Sheriff’s Office said it has not identified any misuse of the exposed information. The Middlesex Sheriff’s Office has implemented additional safeguards to prevent similar breaches in the future and has advised the affected individuals to review their bank statements and insurance records for signs of misuse. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals – a commonly used placeholder figure when the total number of affected individuals has not yet been confirmed.

AdventHealth Daytona Beach, Florida

AdventHealth Daytona Beach in Florida has notified 821 individuals about the loss of paperwork containing their protected health information. The loss of documentation was identified by its outpatient laboratory on November 25, 2025. Outpatient lab orders were determined to be missing for individuals who received outpatient services between September 1 and September 14, 2025.

AdventHealth Daytona Beach said the loss occurred during a departmental relocation from the first to the second floor. Construction activities were taking place to install a new tubing system, and the planned project location was changed by the construction workers, who accessed an area containing the lab orders without first notifying the laboratory team. The paperwork was discarded by the construction workers. AdventHealth Daytona Beach said no evidence was found to indicate the lab orders were or will be misused. The lab orders contained information such as names, addresses, dates of birth, telephone numbers, email addresses, diagnosis codes, health condition(s), and health insurance policy numbers.

The post Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients appeared first on The HIPAA Journal.

Alpine Ear, Nose, and Throat in Colorado, The Phia Group in Massachusetts, and Community Health Northwest Florida have started notifying patients that their personal and health information was impermissibly accessed over a year ago.

Alpine Ear, Nose, and Throat, Colorado

Alpine Ear, Nose, and Throat in Fort Collins, Colorado, has mailed notification letters to 65,648 individuals warning them that some of their protected health information was exposed in a security incident identified by Alpine ENT on November 19, 2024. Alpine ENT engaged its managed service provider to investigate the incident, and it was confirmed that an unauthorized third party accessed and exfiltrated files containing patients’ protected health information.

Alpine ENT’s legal counsel explained in the notification letters that a substitute data breach notice was published on the Alpine ENT website on January 17, 2025, although at the time, the investigation was ongoing. The data mining and review processes were completed on October 9, 2025, and in the subsequent months, Alpine ENT worked to verify the impacted individuals and obtained up-to-date contact information. Notification letters were mailed to the affected individuals on January 30, 2026, 14 months after the breach was first identified.

The BianLian ransomware group claimed responsibility for the attack and added Alpine ENT to its data leak site in early December 2024. Data compromised in the incident included names, demographic information, dates of birth, medical information, health information, financial account information, credit card numbers, CVC, and expiration dates, and Social Security numbers. At the time of issuing notifications, Alpine ENT said it had not identified any instances of identity theft as a result of the incident; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The Phia Group, Massachusetts

The Phia Group, LLC, a Canton, Massachusetts-based provider of healthcare cost containment services to health benefit plans and their third-party administrators, has recently notified individuals about a July 2024 security incident that exposed personal and protected health information. According to The Phia Group, an intrusion was detected on July 9, 2024, and the investigation confirmed that its network had been subject to unauthorized access between July 8, 2024, and July 9, 2024. During that time, files containing sensitive data may have been acquired.

A review was conducted to identify the affected clients, the types of data involved, and the affected individuals. The affected clients were notified, and The Phia Group coordinated with them to issue notifications. Data potentially compromised in the incident included names, addresses, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, health insurance information, and medical information, including provider information, treatment information, prescriptions, and Medicare/Medicaid information. Data security has been enhanced to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Community Health Northwest Florida

On January 26, 2026, Community Health Northwest Florida (CHNF) started notifying individuals about a security incident that was identified on December 24, 2024. CHNF engaged third-party cybersecurity experts to investigate the activity, who confirmed that an unauthorized third party had accessed files on its network that contained patient information.

CHNF said it conducted a comprehensive and time-consuming review and engaged a data mining company to identify the affected individuals. It took until January 19, 2026, to obtain the full list of affected individuals, and notification letters were mailed 10 days later. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, financial account numbers, credit or debit card numbers, patient identification and medical record numbers, medical information, and health insurance information.

CHNF has updated its policies and procedures, implemented additional technical safeguards, and enhanced its security measures to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Patients Learn Their Health Data Was Compromised More Than a Year Ago appeared first on The HIPAA Journal.

Bayada Home Health Care, a New Jersey-based home healthcare provider serving 22 U.S. states, has recently announced a data breach involving a third-party vendor, Doctor Alliance. Doctor Alliance provides services that facilitate physician signatures on clients’ Home Health Certifications and Plans of Care, which involve access to patients’ protected health information.

On December 4, 2025, Doctor Alliance notified Bayada Home Health Care about a cybersecurity incident involving access and potential acquisition of client data by an unauthorized third party. According to Doctor Alliance, an unauthorized third party had access to the Doctor Alliance network between October 31 and November 6, 2025, and November 14 and 17, 2025. During that time, Home Health Certification and Plan of Care forms may have been acquired.

Bayada Home Health Care said it is not aware that any of its forms were copied; however, unauthorized data access could not be ruled out. The exposed forms contained a range of sensitive patient information, including names, dates of birth, diagnoses, medical/physical treatment information, provider information, health insurance plan information, prescription information, hospital admissions/discharges, and disability information, and for a subset of individuals, Social Security numbers.

Bayada Home Health Care said it has discontinued using Doctor Alliance as a vendor in response to the data breach. A review has been conducted of its policies and procedures relating to third-party vendors, and steps have been taken to minimize the risk of similar incidents in the future. The data breach has been reported to state attorneys general and the HHS’ Office for Civil Rights. The incident is not currently listed on the OCR data breach portal, so it is unclear how many individuals have been affected.

Marion County Public Health Department, Indiana

Marion County Public Health Department in Indiana has identified an insider incident involving unauthorized access to the protected health information of 792 clients. An employee was discovered to have accessed more than the necessary patient information to complete their job duties, including names, addresses, dates of birth, and lab test results for clients who received tests that were processed by the Marion County Public Health Department lab.

Marion County Public Health Department said it has found no evidence to suggest that any of the accessed information has been misused and stressed that no financial information was accessed by the employee. In response to the incident, further training has been provided to staff members on the HIPAA minimum necessary standard and its internal policies, and technical safeguards have been enhanced to limit access to protected health information to the minimum necessary for job duties.

The post Bayada Home Health Care Affected by Doctor Alliance Data Breach appeared first on The HIPAA Journal.

Health Care Service Corporation, doing business as Blue Cross Blue Shield of Montana (BCBSMT), is facing a probe into whether the company complied with Montana’s breach notification law following a significant data breach that impacted approximately 462,000 Montanans.

Like many health insurance providers, BCBSMT contracted with Conduent Business Services, a business associate that provides back-office administrative services to HIPAA-covered entities and government agencies. On January 13, 2025, Conduent identified unauthorized access to its network, and its forensic investigation confirmed that a threat actor had access to its network for three months between October 13, 2024, and January 13, 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, health plan and medical record identifiers, diagnosis and treatment codes, provider details, and claims information. The Safepay ransomware group claimed responsibility for the attack.

Conduent disclosed the attack in a filing with the U.S. Securities and Exchange Commission (SEC) on April 9, 2025, although at the time the investigation was ongoing to determine the extent of the data breach. It has been more than a year since the attack was detected, and it is still unclear how many individuals have been affected. The Oregon Attorney General was notified that around 10.5 million individuals had been affected nationwide, and subsequently, the Texas Attorney General was informed that 14.7 million Texas residents had been affected.

In January 2025, BCBSMT was notified by Conduent that it was one of the affected clients; however, BCBSMT did not notify the affected individuals until October 2025 – a year after Conduent’s systems were first breached and 9 months after it first learned that it had been affected. State regulators launched a probe to determine if BCBSMT was compliant with state data breach notification law, which requires notifications to be issued without unreasonable delay. State regulators also seek to establish the circumstances surrounding the data breach.

The Montana Office of the Commissioner of Securities and Insurance (CSI) scheduled a public administrative hearing on January 22, 2026, to gather evidence about the breach, establish a timeline of events, and determine how BCBSMT responded to the incident. BCBSMT sought a temporary restraining order from the Lewis and Clark County District Court to prevent the hearing from taking place; however, the court denied the request.

“It is troubling that it appears [BCBS] attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts,” said Montana CSI communications director Tyler Newcombe. “Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. Our office will consider all the evidence and then issue a final order in due course.”

A Hearing Examiner will review the record from the hearing and will propose a decision for the Commissioner to consider. The Commissioner will publish further information about the timeline of events to ensure transparency over the lengthy delay in issuing breach notifications.

The post Blue Cross Blue Shield of Montana Faces Data Breach Probe appeared first on The HIPAA Journal.

Protected health information has been exposed in data security incidents at Mitchell County Department of Social Services in North Carolina, 360 Dental in Pennsylvania, and GiaCare in Florida.

Mitchell County Department of Social Services

Individuals who received services from Mitchell County Department of Social Services in North Carolina have had their sensitive information stolen in a ransomware attack. The investigation into the October 2025 ransomware attack on Mitchell County was initiated on October 20, 2025, following the encryption of files. The attack caused email and phone outages that lasted for several days. The forensic investigation confirmed that there had been unauthorized network access between October 16, 2025, and October 20, 2025, during which time files were exfiltrated.

The data review and investigation are ongoing to determine the types of information involved and the individuals affected. After that information has been confirmed and up-to-date contact information has been obtained, notification letters will be mailed to the affected individuals. Complimentary credit monitoring and identity theft protection services will be offered to the affected individuals, if appropriate, for instance, if their Social Security numbers were compromised in the incident.

The data breach has been reported to the HHS’ Office for Civil Rights using an interim total of 501 individuals. The total will be updated when County officials have confirmed the total number of affected individuals. County officials have confirmed that steps have been or will be taken in response to the incident to strengthen security. Those measures include upgrading the County email system, deploying additional software to enhance detection and accelerate the County’s response to cyber incidents, updating password policies, and strengthening restrictions for access to computer systems.

360 Dental

360 Dental in Philadelphia, PA, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 11,273 individuals. According to its substitute breach notice, this was a ransomware attack that resulted in file encryption. The incident was detected on November 16, 2025, and the file review confirmed that sensitive patient data had been exposed in the incident.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: date of birth, address, telephone number, email, patient account or chart number, dental and clinical records (such as treatment history, clinical notes, x -rays, and diagnostic information), insurance provider and member ID, appointment information, and emergency contacts. A limited number of Social Security numbers were also exposed.

360 Dental has taken steps to improve security following the ransomware attack. The affected computers have been replaced, the affected server has been rebuilt, software has been updated, and additional security tools have been implemented, including firewalls, antivirus software, multifactor authentication, and VPN-only remote access.

GiaCare

GiaCare, a Coral Springs, Florida-based company that provides healthcare staffing and IT services to government entities and healthcare organizations, has recently announced a data security incident, first identified on or around December 23, 2025.

GiaCare learned that a vulnerability existed Gladinet CentreStack, a third-party file sharing platform. GiaCare worked closely with its IT vendor to investigate and confirm the security of its systems and data. The IT vendor confirmed that GiaCare’s systems were secure and had not been accessed; however, the vulnerability had been exploited, and data within the Gladinet CentreStack platform had been accessed and exfiltrated by an unauthorized third-party on December 6, 2025. While the threat actor involved was not named, several cybersecurity firms linked the Gladinet CentreStack attacks to the Cl0p ransomware group – a group known to target zero-day vulnerabilities in file-sharing platforms.

The file review confirmed that names, Social Security numbers, and driver’s license numbers were compromised in the incident. The affected individuals are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The number of affected individuals has yet to be publicly disclosed.

The post Mitchell County Dept. Social Services; 360 Dental; GiaCare Announce Data Breaches appeared first on The HIPAA Journal.

MACT Health Board has confirmed that patient data was stolen in a November 2025 cyberattack, for which the INC Ransom ransomware group claimed credit. Data breaches have also been announced by TriCity Family Services in Illinois, HAP (Health Alliance Plan) in Michigan, and Zenflow in California.

MACT Health Board, California

MACT Health Board, a provider of healthcare services to the American Indian and Alaskan Native population in Mariposa, Amador, Alpine, Calaveras & Tuolumne counties in California, has notified individuals affected by a November 2025 security incident. MACT Health board launched an investigation into a potential security breach when it experienced disruption to its IT systems. The investigation confirmed that an unauthorized third party had access to its computer network from November 12, 2025, to November 20, 2025. A review of the exposed files commenced on November 25, 2025, and was completed on January 9, 2026.

Patient information compromised in the incident included names in combination with one or more of the following: diagnoses, test results, medical images, treatment information, doctors’ names, and or Social Security numbers. Notification letters started to be mailed to the affected individuals on January 23, 2026, and individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. Additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.  The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

TriCity Family Services, Illinois

TriCity Family Services, a provider of counseling and mental health services to residents in Kane County, Illinois, has started notifying 2,511 patients about a data security incident.  In the spring of 2025, suspicious activity was identified within its computer network. An investigation was launched, and it was confirmed that an unauthorized actor had access to its computer network from November 11, 2024, to May 14, 2025. During that time, sensitive data was exfiltrated from its network.

The file review confirmed that the following information was included in the exfiltrated files: names, dates of birth, presenting health issues, requested treatment, treatment location, and provider names. Its electronic medical record system was not accessed in the attack. TriCity Family Services said it is reviewing its policies, procedures, and processes related to the storage and access of sensitive information and will take steps to improve security to prevent similar incidents in the future.

While the nature of the incident was not disclosed, the INC Ransom ransomware group claimed responsibility for the attack and added TriCity Family Services to its dark web data leak site. INC Ransom claimed to have exfiltrated 22 GB of data in the attack.

HAP (Health Alliance Plan), Michigan

HAP (Health Alliance Plan) in Michigan has notified 1,059 individuals about the exposure of some of their protected health information as a result of a phishing attack. On October 24, 2025, an employee responded to a phishing email and inadvertently disclosed their credentials, allowing the threat actor to access their account. The investigation was unable to determine if any member information was accessed or acquired in the incident, so notification letters were sent to all potentially affected individuals. Protected health information in the account was limited to names, addresses, dates of birth, and HAP ID numbers, and for a limited number of individuals, Social Security numbers. The affected individuals have been offered two years of complimentary identity theft protection services as a precaution.

Zenflow, California

Zenflow, a San Francisco-based medical device company, has recently notified individuals about a security incident. Limited information about the incident has been released to date, such as when the incident occurred, the nature of the security breach, or for how long its computer systems were subject to unauthorized access. The data breach notice submitted to the Massachusetts Attorney General indicates that names and Social Security numbers were involved, and that single-bureau credit monitoring and identity theft protection services have been offered to the affected individuals for 24 months. It is currently unclear how many individuals have been affected.

The post MACT Health Board Patients Affected by November 2025 Ransomware Attack appeared first on The HIPAA Journal.

Munson Healthcare, the largest health system in Northern Michigan, has recently notified patients about unauthorized access to its electronic medical record system. The unauthorized access started as early as January 22, 2025, and was detected by its EHR vendor Cerner on February 20, 2025. Cerner, now Oracle Health, confirmed that a hacker gained access to two legacy Cerner servers and potentially stole a range of personal and health information. Munson Healthcare has confirmed that the stolen data included names, Social Security numbers, and information typically found in electronic medical records, such as medical record numbers, diagnoses, medications, test results, care and treatment information, and doctors’ names. The data on the servers was awaiting migration to the Oracle Cloud at the time of the data breach.

Munson Healthcare said Cerner took action to prevent further unauthorized access, engaged third-party cybersecurity experts to investigate the data breach, and notified law enforcement about the cyberattack. While Oracle Health publicly confirmed the cyberattack in March 2025, it has taken months for the affected healthcare providers to be notified, and many patients have only recently learned that their personal and health information was stolen in the incident. Munson Healthcare attributed the delay in issuing notifications to Cerner, which has previously stated that the delay was at the request of law enforcement so as not to interfere with the investigation.

Oracle Health has not confirmed exactly how many of its healthcare provider clients have been affected, nor the number of affected individuals. Multiple class action lawsuits have been filed in response to the data breach, and as part of the litigation, the company’s attorneys said up to 80 hospitals may have been affected. Munson Healthcare was one of the worst-affected clients, as 1,01,891 current and former patients have been affected. Munson Healthcare has confirmed that the affected individuals have been offered complimentary credit monitoring and identity theft protection services for two years.

Munson Healthcare’s Chief Legal Officer, Rachel Roe, and Michigan Attorney General Dana Nessel issued a consumer alert about the data breach last week. Attorney General Nessel is pushing for stronger consumer data protection laws to be enacted. New legislation was passed by the Senate last summer, but has yet to be passed by the House of Representatives. “These [notification] delays put consumers at higher risk of identity theft, and our state needs stronger laws to better protect Michiganders from bad actors,” said AG Nessel. “I urge anyone who receives a notice that their personal information may have been compromised to consider taking advantage of the free credit monitoring resources being offered.”

The post More than 100K Munson Healthcare Patient Affected by Cerner Cyberattack appeared first on The HIPAA Journal.