HIPAA Breach News

Hacking Incidents Announced by Two Texas Health Clinics

A drug and alcohol addiction center and an OB/GYN Medical Center in Texas have notified patients about unauthorized access to some of their protected health information.

Nova Recovery Center Reports Unauthorized Network Access

Nova Recovery LLC (Nova Recovery Center), a drug and alcohol addiction center in Wimberley, Texas, has identified unauthorized access to certain systems hosted on the Nova Recovery network. The intrusion was identified by its IT and Security teams on May 25, 2025. The threat was neutralized, and the breach was investigated to determine if any patient data had been exposed.

On June 17, 2025, Nova Recovery confirmed that business records on its network had been accessed, some of which contained patients’ personal information. Data compromised in the incident includes first, middle, and last names, addresses, dates of birth, Social Security numbers, and financial payment information. Individual notification letters have been mailed to the 7,713 affected individuals, and complimentary credit monitoring services have been offered. The third-party consulting firm hired to investigate the incident is helping to implement additional security measures to prevent similar incidents in the future.

OB/GYN Medical Center Associates Affected by ConnectOnCall Breach

In July 2025, OB/GYN Medical Center Associates in Houston, TX, published a breach notice on its website about a security incident at one of its business associates. ConnectOnCall.com, LLC, provided a voicemail messaging service through May 2024. ConnectOnCall notified OB/GYN Medical Center Associates that an unknown third party had access to certain data within the ConnectOnCall application between February 16, 2024, and May 12, 2024. ConnectOnCall took the compromised application offline while the incident was investigated by cybersecurity experts, and after enhancing security controls, the solution was brought back online.

Since being notified about the breach, OB/GYN Medical Center Associates has been reviewing the messages left for the practice via the ConnectOnCall system and has confirmed that patient data may have been accessed. The types of data involved depended on the information disclosed by patients in the messages and may have included names, information about physical conditions, medications, procedures, and other personal and medical information. The review was completed on June 25, 2025, and notification letters were mailed to the 2,132 affected individuals on July 23, 2025.

The post Hacking Incidents Announced by Two Texas Health Clinics appeared first on The HIPAA Journal.

Business Associate Data Breaches Affect Florida Healthcare Providers

PhyNet Dermatology, a business associate of Premier Dermatology Partners, has identified unauthorized access to an email account containing patient information. Baptist Health South Florida has recently confirmed that it was affected by a breach at Oracle Health (Cerner).

PhyNet Dermatology – Premier Dermatology Partners

PhyNet Dermatology, a provider of managed administrative services to dermatology practices, has announced a breach that has affected one of its affiliates, Boca Raton, FL-based Total Vein & Skin, LLC, which does business as Premier Dermatology Partners.

Suspicious activity was identified in an employee’s email account on November 7, 2024. Immediate action was taken to secure the account, and an investigation was launched to determine the nature and scope of the activity. The investigation determined that the breach was more extensive, and further employee email accounts had also been compromised.

The review was completed on June 6, 2025, and confirmed that Premier Dermatiology Partners’ data was present in the compromised accounts. The types of information involved vary from individual to individual and may include names in addition to one or more of the following: address, Social Security number, financial account information, date of birth, medical history information, treatment information, diagnosis information, treating physician, medical record number, and health insurance information.

PhyNet Dermatology has reviewed its policies and procedures and enhanced certain administrative and technical controls. Additional security awareness training has also been provided to the workforce to reduce the risk of similar incidents in the future.

Baptist Health South Florida

Baptist Health South Florida has recently confirmed that it has been affected by the Oracle Health hacking incident, which involved unauthorized access to legacy Cerner servers that were awaiting migration to Oracle Cloud. No Baptist Health South Florida systems were compromised.

Data compromised in the incident includes names, Social Security numbers, medical record numbers, physician names, diagnoses, medical images, test results, and treatment information. Many of the healthcare providers affected by the Oracle Health incident issued notifications shortly after being notified about the January 22, 2025, hacking incident.

Baptist Health South Florida said its notifications were delayed at the request of law enforcement while the incident was investigated. The affected individuals are now being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. Baptist Health South Florida has not publicly disclosed the number of individuals affected, and the breach is not currently listed on the HHS’ Office for Civil Rights breach portal.

The post Business Associate Data Breaches Affect Florida Healthcare Providers appeared first on The HIPAA Journal.

Small Nebraska Critical Access Hospital Announces Data Breach

Genoa Medical Facilities, which operates a 19-bed critical access hospital in Nebraska, has discovered unauthorized access to its email environment.  Email breaches have also been confirmed by Vail Summit Orthopaedics & Neurosurgery in Colorado and Southern Immediate Care in Alabama.

Genoa Community Hospital (Genoa Medical Facilities), Nebraska

Genoa Medical Facilities, which includes Genoa Community Hospital, a 19-bed critical access hospital, a 39-bed nursing home, and a medical clinic in Nebraska, has discovered unauthorized access to an employee’s email account. Suspicious email activity associated with a single email account was identified in March 2025. The forensic investigation confirmed that the breach was limited to a single account, and the account was reviewed to determine whether patient data had been exposed.

The review was completed on July 8, 2025, when it was confirmed that names, dates of birth, Social Security numbers, other government ID numbers, financial account information, medical treatment/diagnosis information, and health insurance information had been exposed. Notification letters are being sent to the affected individuals, and steps have been taken to improve email security. At the time of issuing notification letters, no misuse of the exposed information had been identified. The incident is not currently shown on the HHS’ Office for Civil Rights (OCR) breach portal, so it is unclear how many individuals have been affected.

Vail Summit Orthopaedics & Neurosurgery

Vail Summit Orthopaedics & Neurosurgery in Colorado has recently disclosed a breach of its email environment. Suspicious activity was identified on August 6, 2024. Immediate action was taken to prevent further unauthorized access, and cybersecurity professionals were engaged to investigate the activity. The investigation confirmed that an unauthorized third party accessed and acquired files, and a review has been conducted to determine the types of information involved and the individuals affected.

On July 24, 2025, Vail Summit confirmed that some patient information was copied in the incident, although no evidence has been uncovered to indicate any misuse of that data. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, health insurance information, treatment/insurance cost, diagnosis/treatment/procedure information, medical history/allergies, prescription drugs taken, medical images, test results/vital signs, healthcare provider name, and treatment date and location.

Single-bureau credit monitoring, credit report, and credit score services have been offered to the affected individuals. There is currently no listing on the OCR breach portal, so it is unclear how many individuals have been affected.

Southern Immediate Care, Alabama

Southern Immediate Care, an urgent care provider in Alabama, has announced a security incident involving two employee email accounts. Suspicious activity was identified in the accounts on April 15, 2025. An investigation has been launched, and the accounts are being reviewed to determine the extent to which patient information has been exposed. While that review is ongoing, Southern Immediate Care believes that both email accounts contain patient information. Notification letters will be mailed to the affected individuals when the review is completed. At present, no reports of misuse of patient data have been received.

The post Small Nebraska Critical Access Hospital Announces Data Breach appeared first on The HIPAA Journal.

DaVita Confirms 2.7 Million Individuals Affected by Ransomware Attack

DaVita, a Denver, CO-based kidney dialysis service provider, has submitted a breach report to the HHS’ Office for Civil Rights confirming the number of individuals affected by its April 12, 2025, ransomware attack. Hackers gained access to its network, exfiltrated sensitive data, and then encrypted files on parts of its network. While the attack caused some temporary operational disruption, DaVita said the critical care it provides to patients continued uninterrupted.

DaVita previously confirmed that the ransomware group gained access to a laboratory database containing patient information. The database and other affected parts of the network have been reviewed, and DaVita has now confirmed that the protected health information of 2,689,826 individuals was compromised in the incident. That makes it the third-largest healthcare data breach announced so far this year, behind the cyberattack on Episource that affected 5.5 million individuals, and the website tracking data breach at Blue Shield of California that affected 4.7 million individuals.

Notification letters are currently being mailed to the affected individuals, who are being offered complimentary credit monitoring and identity theft protection services. The HIPAA Journal has previously reported on the data breach, including DaVita’s announcement and breach notification letter, details of which can be found below.

August 6, 2025: DaVita Ransomware Attack Affects More Than 1 Million Individuals

In April 2025, the kidney dialysis giant DaVita disclosed a security incident in a Securities and Exchange Commission (SEC) filing, although at the time, it was unclear how much sensitive data was stolen. Over the past 3 months, the investigation and data review have been progressing. State Attorneys General have been notified about the incident, and the scale of the data breach is becoming clearer.

Based on the state AG reports so far, the breach has affected more than 1 million patients; however, while all states have data breach notification laws, only a few publish breach reports, and only a handful publicly disclose the number of state residents affected. The table below shows the confirmed totals, but given that DaVita operates more than 2,675 outpatient dialysis centers in 43 states, the final total could well be several orders of magnitude larger.

State Individuals Affected
Oregon 915,952
Texas 81,740
Washington 13,404
South Carolina 11,570
Massachusetts 7,829
Confirmed Total 1,030,495

At present, there is no listing on the HHS’ Office for Civil Rights breach portal. There is often a delay of a week or two between OCR receiving a breach report and adding it to the breach portal, so a listing is expected in the coming two weeks that will confirm how many individuals have been affected.

The notification letters provide further information about the data breach, although they do not mention ransomware. As reported below, the Interlock ransomware group claimed responsibility for the attack. DaVita described the cyberattack as “a security incident that resulted in unauthorized access to certain DaVita network servers, primarily at its laboratories.” The intrusion was identified on April 12, 2025, and the threat actor was eradicated from its systems the same day. Third-party digital forensics experts were engaged to investigate the incident and assist with containment, eradication, and remediation.

The investigation confirmed that initial access to its network occurred on March 24, 2025, and continued until April 12, 2025. Data compromised in the incident included the dialysis labs database. The Interlock ransomware group claimed that it had stolen 20+ TB of databases, which included more than 200 million rows of patient data.

DaVita said the types of data involved were determined on or around June 18, 2025. The types of information compromised in the incident vary from individual to individual and may include:

  • Demographic information – name, address, date of birth, Social Security number, health insurance-related information, and other identifiers internal to DaVita
  • Clinical information – health condition, other treatment information, and certain dialysis lab test results
  • Tax information – In limited cases, tax Identification numbers and, for a small subset of individuals, images of checks written to DaVita

DaVita said additional security monitoring tools and enhanced system controls have been implemented to prevent similar incidents in the future. DaVita is unaware of any misuse of patient data as a result of the security incident, but as a precaution, is offering the affected individuals a complimentary membership to the Experian IdentityWorks identity theft protection service for 12-24 months.

On August 5, 2025, DaVita told the SEC that the attack caused a temporary disruption to its operations and cost the company $13.5 million in the second quarter, $12.5 million of which was due to administrative costs remediating the attack, hiring third-party cybersecurity specialists, and restoring systems. The remaining $1.0 million was due to an increase in patient care costs. The $13.5 million figure does not include costs incurred due to the business interruption.

Further losses are possible due to any noncompliance with privacy and security laws by DaVita or its business associates, and costs associated with noncompliance or breach involving the misappropriation, loss, or other unauthorized use or disclosure of confidential information. Aside from a reduction in revenue from lower patient admissions and ongoing staffing challenges due to lower admissions, DaVita CEO, Javier Rodriguez, said he believes further impacts of the cyber event are likely to have limited effects on its adjusted results.

April 25, 2025: Ransomware Group Claims Responsibility for DaVita Ransomware Attack; Leaks Data

In mid-April, the kidney dialysis service provider DaVita announced in an SEC filing that it was dealing with a ransomware attack that had encrypted parts of its network. An investigation had been launched to determine its impact and whether any patient data was compromised. DaVita said internal operations faced disruption, but care delivery has continued at its dialysis centers and for patients treated at home, and new patients continued to be accepted.

DaVita has yet to make an announcement about a data breach as the investigation and data review are ongoing; however, the Interlock ransomware group has recently claimed responsibility for the attack and has started to leak some of the exfiltrated data. The Interlock ransomware data leak site claims that 20+ terabytes of sensitive data were stolen, including files containing patient data. The group claims to have attempted ransom negotiations before adding DaVita to its data leak site when the negotiations failed. The listing offers 1.5 terabytes of the stolen data for download, spread across 683,104 files in 75,836 folders. The remainder of the data has not been leaked as the group is holding out for a sale. The group claims to be selling 20+ terabytes of SQL databases that include more than 200 million rows of patient data. The HIPAA Journal has not verified whether any patient data is present in the leaked files.

DaVita has confirmed it is aware of the ransomware group’s claims and is currently engaged in a comprehensive data review and is working as quickly as possible to confirm which individuals have been affected and the types of data involved. Any affected parties and individuals will be notified as soon as possible. DaVita has also promised to share the findings of its investigation with its vendors and partners to raise awareness on how to defend against future attacks.

“Interlock first began adding victims to its data leak site in October 2024. As with most ransomware gangs today, it seeks a ransom payment for the decryption of systems and the deletion of stolen data. Since October 2024, we’ve tracked 13 confirmed attacks via this group and a further 13 unconfirmed attacks that haven’t been acknowledged by the organizations in question,” Rebecca Moody, Head of Data Research at Comparitech told The HIPAA Journal. “As we are seeing with DaVita, ransomware attacks on healthcare companies have the potential for widespread disruption. Not only can patient care be affected when systems are encrypted, but these attacks often have ongoing consequences when data is stolen by hackers. In 2024 alone, nearly 25.7 million individual records were breached across 160 ransomware attacks on US healthcare providers.”

At least two class action lawsuits have been filed against DaVita over the ransomware attack, even though DaVita has yet to confirm a data breach. DaVita disclosed the attack in an SEC filing but is still in the process of investigating the incident, and has not yet disclosed the types of information compromised in the attack or the number of affected individuals. The Interlock ransomware group claimed responsibility for the attack and has added DaVita to its data leak site. The lawsuits, Reid v. Davita Inc., and Jenkins et al v. DaVita were both filed in the U.S. District Court for the District of Colorado, allege the stolen data is already being misused, but there has been no confirmation from DaVita that the plaintiffs’ sensitive data has been stolen, nor have they been offered any assistance with credit monitoring and identity theft protection services. More lawsuits are expected to be filed in the coming days and weeks.

April 15, 2025: Dialysis Provider DaVita Hit with Ransomware Attack

The kidney dialysis giant DaVita has fallen victim to a ransomware attack that resulted in the encryption of parts of its network. The attack occurred on Saturday, April 12, 2025, and is impacting some of its operations, according to a Monday, April 14, 2025, 8K filing with the U.S. Securities and Exchange Commission (SEC).

The Denver, CO-based Fortune 500 firm operates more than 2,650 outpatient treatment centers in the United States, 509 centers in 13 other countries, employs 76,000 people globally, and served around 200,000 patients in the United States last year. In 2024, the company reported revenues of $12.82 billion. DaVita outpatient centers are used by patients with kidney disease which requires frequent dialysis. Any disruption to patient services could therefore have serious health implications for patients.

DaVita explained that its incident response protocols were immediately initiated, and the impacted systems were isolated to contain the attack and limit its impact. Backup systems have been activated, and manual processes have been implemented to ensure that care can continue to be provided to patients. While the DaVita ransomware attack is causing some disruption to operations, all dialysis centers remain open and care continues to be provided to patients.

Interim measures have been implemented to allow the rapid restoration of certain functions, but DaVita is currently unable to provide an estimate of the duration or extent of disruption or a timeline for a full recovery. Third-party cybersecurity professionals have been engaged to assist with the investigation and recovery, and law enforcement has been notified. At present, no ransomware group appears to have claimed responsibility for the attack.

“Given the recency of the incident, our investigation and response are ongoing, and the full scope, nature, and potential ultimate impact on the Company are not yet known,” explained DaVita in its 8K filing. While there is a growing trend of ransomware groups eschewing encryption, the majority steal sensitive data and use it as leverage to obtain a ransom payment. At this early stage of the investigation, DaVita is unable to confirm to what extent, if any, sensitive patient data was exposed or stolen.

This post will be updated when further information becomes available.

The post DaVita Confirms 2.7 Million Individuals Affected by Ransomware Attack appeared first on The HIPAA Journal.

Medical Imaging Provider Confirms Data Breach Affecting More Than 348,000 Patients

A January data breach at Northwest Radiologists and Mount Baker Imaging has affected more than 348,000 patients. Data breaches have also been reported by Self Regional Healthcare in South Carolina and Health Care & Rehabilitation Services of SE Vermont.

Northwest Radiologists & Mount Baker Imaging

Northwest Radiologists and Mount Baker Imaging have provided an update on a data breach first announced in March 2025. The incident was described as a security incident that caused network disruption, and evidence had been found to indicate data exfiltration. At the time of the initial announcement, it was unclear how many individuals had been affected.

In a recent notification sent to the Washington Attorney General, Northwest Radiologists and Mount Baker Imaging confirmed that the following information was compromised in the incident: first and last names, addresses, telephone numbers, dates of birth, email addresses, Social Security numbers, driver’s license or state identification card numbers, treatment or diagnosis information, provider names, medical record numbers or patient identification numbers, health insurance information, and/or treatment cost information.

The same description of the incident is used, with no mention of ransomware. The forensic investigation confirmed that there had been unauthorized network access between January 20, 2025, and January 25, 2025. The delay in issuing notifications was due to the time taken to review the exposed files and obtain up-to-date address information.

Northwest Radiologists and Mount Baker Imaging said that, at the time of issuing notification letters, no misuse of the exposed data had been detected and that they have no reason to suspect any of the exposed information will be misused; however, as a precaution, the affected individuals are being offered complimentary credit monitoring and identity theft protection services. There is no data breach listed on the HHS’ Office for Civil Rights breach portal, but there is often a delay in adding data breaches. The Washington Attorney General was informed that the breach affected 348,118 state residents.

Self Regional Healthcare, South Carolina

Self Regional Healthcare, an independent regional referral hospital in Greenwood, South Carolina, has started notifying 26,696 patients that some of their protected health information was compromised in a cyberattack on a business associate in July 2024. The breach occurred at Nationwide Recovery Service, which provides debt collection services. Hackers had access to its network between July 5, 2024, and July 11, 2024, and exfiltrated data. The majority of affected clients were notified about the breach last year; however, Self Regional Healthcare only received a list of the affected individuals from NRS on May 23, 2025.

According to Self Regional Healthcare, “NRS is the successor entity to a vendor that Self Regional Healthcare (“SRH”) used back in 2012 for debt collection services,” and the data compromised in the attack on NRS relates to a period between 2012 and 2013. The compromised data includes names, dates of birth, Social Security numbers, diagnoses, dates of service, provider names, medical information, and/or health insurance information. Self Regional Healthcare has confirmed that the affected patients have been offered complimentary credit monitoring and identity theft protection services and said it no longer does business with NRS.

Health Care & Rehabilitation Services of SE Vermont

Health Care & Rehabilitation Services of SE Vermont (HCRS) has recently notified the Vermont Attorney General about unauthorized access to two employee email accounts. The unauthorized access was detected on December 20, 2025, and the passwords were reset to prevent further unauthorized access. Third-party cybersecurity professionals were engaged to investigate the unauthorized activity and determine the information that was exposed.

Following an extensive investigation and complex manual data review, HCRS learned on May 13, 2025, that the email accounts were subject to unauthorized access between December 4, 2025, and December 9, 2025, and client and staff information may have been viewed or copied. The exposed information included first and last names, dates of birth, Social Security numbers, financial account numbers, driver’s license numbers, dates of service, patient numbers, medical record numbers, billing information, treatment information, medical histories, and health insurance information.

The affected individuals have been advised to remain vigilant against incidents of identity theft and fraud. At present, there is no data breach listed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Medical Imaging Provider Confirms Data Breach Affecting More Than 348,000 Patients appeared first on The HIPAA Journal.

Ransomware Attack on Arkansas Oncology Group Affects 113,500 Individuals

Highlands Oncology Group, a comprehensive cancer care provider with six locations in Northwest Arkansas, has recently disclosed a cyberattack that was first identified on June 2, 2025. A hacker gained access to its network on January 21, 2025, and remained within the network undetected until June 2, 2025, when ransomware was used to encrypt files. Between those dates, there was intermittent access to the network, and patient data may have been viewed or acquired.

The files were reviewed and found to contain protected health information such as names, dates of birth, Social Security numbers, driver’s license/state identification numbers, passport numbers, credit/debit card numbers, financial account numbers, medical treatment information, medical record numbers, patient account numbers, and/or health insurance policy information. The types of data exposed or stolen varied from individual to individual.

The data breach was recently reported to the Maine Attorney General as involving the personal information of 113,575 individuals. Notification letters started to be mailed on August 1, 2025, and individuals whose Social Security numbers and/or driver’s license numbers were involved have been offered complimentary identity theft protection services. All individuals have been advised to remain vigilant against misuse of their information and should monitor their accounts, explanation of benefits statements, and credit reports closely for signs of data misuse.

While the name of the threat actor was not disclosed in the breach notification letters, the Medusa ransomware group claimed responsibility for the attack. Medusa is known to engage in double extortion, stealing data and demanding a ransom payment to prevent the publication of the stolen data and to provide the keys to decrypt the data. Medusa was the subject of a joint alert by CISA, the FBI, and MS-ISAC earlier this year after attacking more than 300 entities, including several healthcare providers. Medusa was behind the ransomware attack on the kidney dialysis giant DaVita earlier this year. Highlands Oncology Group was added to the Medusa data leak site temporarily, and a $700,000 ransom was demanded. There is currently no listing on the data leak site, which suggests the ransom was paid.

Highlands Oncology Group is one of several cancer care facilities to fall victim to cyberattacks in recent weeks. Last month, a phishing attack affected at least 26 cancer care providers who were part of the Integrated Oncology Network. This is not the first ransomware attack on Highlands Oncology Group, which experienced an attack in November 2023. A recent survey conducted on behalf of the cybersecurity firm Semperis revealed that 77% of healthcare organizations were targeted with ransomware in the past 12 months, 53% of those attacks were successful, and 60% faced multiple attacks.

The post Ransomware Attack on Arkansas Oncology Group Affects 113,500 Individuals appeared first on The HIPAA Journal.

Florida Internal Medicine Practices Discloses November 2024 Data Breach

Hacking-related data breaches have been announced by Mid Florida Primary Care, Northwest Denture Center in Washington, Forward, The National Databank for Rheumatic Diseases in Kansas, and Equilibria Mental Health Services in Massachusetts. Inc Ransom claims to have attacked the West Virginia Primary Care Association.

Mid Florida Primary Care

On July 29, 2025, Mid Florida Primary Care, a specialized internal medicine practice in Leesburg, Florida, disclosed a cyberattack and data breach that was identified on or around January 23, 2025. An investigation was launched to determine the nature and scope of the activity, which confirmed that an unauthorized third party accessed its network and copied files between November 29, 2024, and December 11, 2024. The data review was completed on June 19, 2025.

The information compromised in the incident includes names, addresses, dates of birth, email addresses, Social Security numbers, driver’s license numbers, health insurance information, Medicare/Medicaid numbers, health insurance information, diagnosis and/or treatment information, medical histories, allergies, prescription information, test results, and treatment locations.

Mid Florida Primary Care has confirmed that the affected individuals will be offered at least 12 months of complimentary credit monitoring and identity theft restoration services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Northwest Denture Center, Washington

Northwest Denture Center in Burlington, Washington, has confirmed that the protected health information of 12,209 individuals has been exposed in a recent hacking incident. Suspicious network activity was identified on or around May 28, 2025, and action was taken to isolate the network to prevent further unauthorized access. The investigation confirmed that an unauthorized third party first gained access to its network on May 27, 2025.

The review of the affected files was completed on June 27, 2025, and notification letters started to be sent to the affected individuals on July 25, 2025. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Additional training is being provided to the workforce, and additional security measures are being implemented. Complimentary credit monitoring services have been provided to the affected individuals for 12 months.

Equilibria Mental Health Services, Massachusetts

Equilibria Mental Health Services in Massachusetts has discovered that the personal and protected health information of up to 2,000 individuals was potentially compromised in a phishing attack. The incident was identified on June 24, 2025, when two employee email accounts were discovered to have been compromised following responses to phishing emails. The email accounts were accessed by an unauthorized third party for a short period on June 24, 2025.

There was unauthorized access to the email addresses of multiple clients, and individuals who had previously contacted Equilibria Mental Health Services to inquire about mental health services. Some of those individuals have reported receiving phishing emails from a compromised Equilibria email account.

The compromised accounts were reviewed and found to contain mailing addresses, physical addresses, telephone numbers, health insurance plan information, and reasons for making contact. The aim of the attack appears to have been to use the compromised accounts for further phishing attempts. Equilibria Mental Health Services said it is evaluating its cybersecurity protocols and taking action to strengthen email security.

Forward, The National Databank for Rheumatic Diseases

Forward, The National Databank for Rheumatic Diseases in Wichita, Kansas, has announced a security incident that was detected on March 21, 2025. Suspicious activity was identified within certain systems, and the forensic investigation confirmed unauthorized access between March 17, 2025, and March 22, 2025. During that time, files containing sensitive information were potentially viewed and copied from its network.

The file review was completed on June 22, 2025, when it was confirmed that personally identifiable information (PII) and protected health information (PHI) had been compromised, including names, contact information, dates of birth, Social Security numbers, medical information/histories, disability information, mental and physical treatment information, diagnoses, prescription information, treating or referring physicians, and medical record numbers. Forward is reviewing its policies, procedures, and processes to reduce the likelihood of a similar future event, and notification letters are being mailed to the affected individuals.

It is currently unclear how many individuals have been affected. The Maine Attorney General was informed that the breach involved the personal information of 38 Maine residents, but the total size of the data breach was not disclosed.

Ransomware Group Claims Attack on West Virginia Primary Care Association

West Virginia Primary Care Association (WVPCA), in Charleston, West Virginia, has recently been added to the dark web data leak site of the Inc Ransom ransomware group. In Ransom is a prolific hacking group that engages in double extortion ransomware attacks, stealing data, encrypting files, and demanding payment for the decryptors and to prevent publication of the stolen data. Inc Ransom claims to have exfiltrated 296 GB of data.

The addition of an entity on a dark web data leak site does not necessarily mean data has been stolen. There have been several cases where claims of attacks have been partially or entirely fabricated. West Virginia Primary Care Association has yet to announce any cyberattack or data breach, or issue a statement about the posting. The HIPAA Journal has not accessed any of the leaked data, so is unable to verify whether the claim is legitimate.

The post Florida Internal Medicine Practices Discloses November 2024 Data Breach appeared first on The HIPAA Journal.

Dermatology Clinics Affected by Practice Management Company Data Breach

Several dermatology practices have recently announced data breaches following an attack on their management company. The number of attacks reported this year by dermatology practices suggests they are being targeted by one or more threat actors.

In May 2025, DermCare Management, a Florida-based company that provides support services for dermatologists and dermatology specialists, notified the HHS’ Office for Civil Rights (OCR) about a network server hacking/IT incident, using a placeholder estimate of 501 affected individuals as the number of affected individuals had yet to be established. Several of the affected practices have now issued substitute breach notifications about the incident.

DermCare Management has more than 60 locations in Florida, Texas, California, and Virginia, and primarily provides services related to platform building and development, revenue growth, operational improvement, and improving the patient experience. At least 10 practices are known to have been affected. The list of affected providers is not exhaustive and mostly consists of practices in Florida. Further practices may announce that they have been affected in the coming days and weeks. None of the practices below are currently listed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Confirmed Affected Practices

  • Miami Plastic Surgery, Florida
  • Keys Dermatology, Florida
  • Hollywood Dermatology, Florida
  • Jacksonville Beach Dermatology, Florida
  • Skin Center of South Miami, Florida
  • Florida West Coast Skin Center, Florida
  • Dania Dermatology, Florida
  • Florida Academic Dermatology Center, Florida
  • Rendon Center, Florida
  • Dermatology Treatment and Research Center, Texas

According to the substitute breach notices on the websites of the above practices, the attack was identified on February 26, 2025. Suspicious network activity was identified, and networks were rapidly secured. The investigation confirmed on March 3, 2025, that patient information may have been copied from the network. Files are still being reviewed to determine the number of affected individuals and the types of data involved; however, the compromised information likely includes names, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their account statements and free credit reports.

String of Cyberattacks Affecting Dermatology Practices

Major data breaches have been reported by other dermatology practices in recent weeks. One hacking incident that stands out is Anne Arundel Dermatology, which recently reported a hacking-related data breach affecting 1,905,000 individuals. Shelby Dermatology (Dermatologists of Birmingham) has reported a hacking incident affecting 86,414 individuals, Mountain Laurel Dermatology has reported a data breach affecting 3,324 individuals, and a hacking incident has been announced by U.S. Dermatology Partners, a network of 100 dermatology practices. That incident occurred in June and is not yet shown on the HHS’ Office for Civil Rights breach portal, although one of the affected practices appears to be Oliver Street Dermatology Management LLC, which reported that 13,717 individuals were affected.

The post Dermatology Clinics Affected by Practice Management Company Data Breach appeared first on The HIPAA Journal.

Data Breaches Announced by Florida & Colorado Mental Health Clinics

Two mental healthcare providers have recently announced cybersecurity incidents that exposed patient data: Eleos Wellness in Florida and Clinica Family Health & Wellness in Colorado.

Eleos Wellness, Florida

Eleos Wellness, a Pinellas Park, FL-based provider of mental health services, has recently announced a data security incident that potentially involved unauthorized access to client information. Unauthorized network activity was detected on June 11, 2025, and third-party cybersecurity experts were engaged to investigate the activity. The investigation is ongoing; however, it has been confirmed that an unauthorized third party had access to names, addresses, dates of birth, Social Security numbers, and health insurance information. No evidence has been found to indicate that its electronic medical record system was involved.

No fraudulent activity related to the incident has been identified; however, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their personal accounts and explanation of benefits statements. Eleos Wellness has confirmed that steps are being taken to improve security to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Clinica Family Health & Wellness, Colorado

Clinica Family Health & Wellness, a Colorado-based network of mental health clinics, has announced a security breach affecting the Mental Health Partners environment. An intrusion was identified and rapidly contained on March 25, 2025, and third-party cybersecurity experts were engaged to investigate the nature and scope of the unauthorized activity.

No evidence was found to indicate that any data was removed from its network; however, it is possible that patient data may have been accessed. Clinica Family Health & Wellness said a comprehensive and thorough investigation is ongoing, and it has yet to be determined exactly how many individuals have been affected or the types of information involved. Notification letters will be mailed to the affected individuals when the review is concluded.

The post Data Breaches Announced by Florida & Colorado Mental Health Clinics appeared first on The HIPAA Journal.