HIPAA Breach News

Ransomware Group Claims Attacks on Meadowlark Hills Retirement Community & MedPeds

Meadowlark Hills retirement community in Kansas and MedPeds Associates of Sarasota in Florida have announced data breaches. The Beast ransomware group has claimed responsibility for both attacks.

Manhattan Retirement Foundation (Meadowlark Hills), Kansas

Manhattan Retirement Foundation, doing business as Meadowlark Hills, has reported a breach of the protected health information of 14,442 individuals to the HHS’ Office for Civil Rights. The Manhattan, KS-based non-profit retirement community and skilled nursing facility explained that unauthorized access to its network was identified on or around July 21, 2025. The forensic investigation determined that there had been unauthorized network access between July 12, 2025, and July 21, 2025. During that time, files containing personal and protected health information were exfiltrated from its network.

The review of the files on the compromised parts of its network was completed on January 28, 2026, when it was confirmed that the following data elements were involved: name, date of birth, Social Security number, driver’s license number/state identification number, other government identifiers, financial account information, credit/debit card information, health insurance information, and medical information.

Written notification letters were mailed to affected individuals in late February, and complimentary single-bureau credit monitoring and identity theft protection services have been made available to individuals whose Social Security numbers were involved. The Beast threat group claimed responsibility for the attack and claims to have exfiltrated 750 GB of data.

MedPeds Associates of Sarasota

MedPeds Associates of Sarasota, an internal and pediatric medicine practice in Florida, is notifying 21,430 individuals about a data breach involving their personal and protected health information. According to the notification letters, MedPeds identified unauthorized access to its computer network on September 2, 2025, when ransomware was used to encrypt files.

MedPeds said some patient data was subject to unauthorized access during the attack. The affected files have been reviewed and found to contain names, birth dates, addresses, phone numbers, and patient medical records. The FBI was notified about the intrusion, and the practice has been working with the FBI’s cybersecurity department and has implemented additional safeguards and security measures to prevent similar incidents in the future.

No evidence has been found to indicate any misuse of the impacted data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. While the name of the group was not disclosed by MedPeds, the Beast ransomware group claimed responsibility for the attack. The group claimed to have exfiltrated 400 GB of data and added MedPeds to its data leak site; however, the data allegedly stolen in the attack does not appear to have been published at the time of writing.

The post Ransomware Group Claims Attacks on Meadowlark Hills Retirement Community & MedPeds appeared first on The HIPAA Journal.

California Dental Care Provider Announces Data Breach

A data breach has been announced by Tieu Dental Corporation in California. The Children’s Council of San Francisco has determined that more than 12,650 individuals have been affected by a ransomware attack.

Tieu Dental Corporation

Tieu Dental Corporation, a California-based provider of oral and maxillofacial surgery services, has started notifying patients about unauthorized access to its computer network last summer. The intrusion was identified on or around July 29, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network between July 28 and July 29, 2025.

The compromised parts of its network were reviewed, and on January 11, 2026, Tieu Dental confirmed that the compromised files included patient data such as names, dates of birth, Social Security numbers, medical records, treatment plans, prescription information, and health insurance information. Tieu Dental has not identified any misuse of patient data as a result of the incident; however, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. No known threat group has publicly claimed responsibility for the incident.

While regulators have been notified, the incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Children’s Council of San Francisco

Children’s Council of San Francisco (CCSF), a nonprofit childcare resource and referral agency, has notified regulators about a data breach impacting 12,655 individuals. CCSF identified a security breach on August 3, 2025, that caused network disruption. Assisted by third-party cybersecurity experts, CCSF secured its network, investigated the incident, and determined that an unknown hacker gained access to its network on August 1, 2025, and acquired certain data. The SafePay ransomware group claimed responsibility for the attack.

The file review was completed on or around February 23, 2026, when it was confirmed that names and Social Security numbers were present in the acquired files. Notification letters were mailed to the affected individuals on March 2, 2026, and complimentary single-bureau credit monitoring and identity theft protection services have been offered. CCSF notified the Federal Bureau of Investigation about the incident and has implemented measures to harden security and reduce the risk of similar incidents in the future.

Orthopaedic Institute of Western Kentucky Patients Affected by Vendor Data Breach

Orthopaedic Institute of Western Kentucky has notified patients that their PHI was compromised in two security incidents at its managed IT services provider. Supportive Home Health Care and Patriot Outpatient has identified unauthorized access to an employee’s email account.

Orthopaedic Institute of Western Kentucky

Orthopaedic Institute of Western Kentucky (now Mercy Health — Western Kentucky Orthopedics) in Paducah, Kentucky, has been affected by two security incidents at one of its business associates, the managed IT services provider Keystone Technologies.

Keystone Technologies notified the orthopedic institute about unauthorized access to Keystone systems on two occasions: the first between April 21, 2025, and April 26, 2025, and the second between July 19, 2025, and August 1, 2025. During both periods, unauthorized individuals exfiltrated files containing patient information. The affected files were reviewed, and the affected individuals were identified in December 2025 and January 2026. Data compromised in the incident included names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment information, and health insurance information. Electronic medical records were not subject to unauthorized access, nor were any of Mercy Health’s systems.

The affected individuals have now been notified and offered a complimentary 12-month membership to a credit monitoring and identity theft protection service. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Supportive Home Health Care and Patriot Outpatient

Superior Care Plus, LLC, doing business as Supportive Home Health Care and Patriot Outpatient, LLC (Patriot), a provider of home healthcare services in Northeast Ohio, has announced a data breach affecting 1,415 of its patients.

On November 17, 2025, suspicious activity was identified within an employee’s email account. An investigation was launched to determine the nature and scope of the activity, and Patriot confirmed that the email account was compromised as a result of the employee responding to a phishing email. No other email accounts or systems were compromised in the incident.

On January 9, 2026, the forensic investigation was completed, and Patriot confirmed that the compromised account contained first and last names, city/ZIP codes, email addresses, health insurance policy numbers, medical treatment information, admission/discharge dates, patient logs, referring facility, start care date, policy name, and referring primary care physician name. A limited number of individuals also had their Social Security numbers and/or Medicare numbers exposed.

Patriot has taken several steps to prevent further unauthorized access to email data. The affected email account was deleted, and a new account was created for the individual, rather than reactivating the account after a password change. Further training has been provided to the workforce on email security and phishing email identification, and third-party cybersecurity experts have helped Patriot enhance its technical security measures and procedures.

Stryker Cyberattack Has Impacted First Quarter Earnings

The medical technology giant Stryker has provided an update on the impact of its March 11, 2026, cyberattack, confirming that the incident has had a material impact on its first quarter earnings. In an amended filing with the U.S. Securities and Exchange Commission (SEC), Stryker confirmed that the company is fully operational across its global manufacturing network, and ordering and shipping capabilities have also been fully restored. The company has been working with Palo Alto Networks to investigate the incident, which temporarily disrupted its manufacturing, ordering, and shipping capabilities. The investigation confirmed that the attackers inserted a malicious (non-malware) file to abuse its Microsoft Intune environment.

Stryker has assessed the scope and duration of the operational disruption, including the disruption to its internal systems, the impact on its customers, and regulatory issues. The extent of the financial impact on its first quarter earnings has yet to be disclosed and will be explained in its first quarter earnings report, which is due to be released on April 30, 2026. Stryker does not anticipate the attack will have a material impact on its full-year earnings.

April 3, 2026: Stryker Fully Operational After March Cyberattack

Stryker has announced that it has recovered systems impacted by its March 11 cyberattack and is once again fully operational across its manufacturing network. The company is moving rapidly toward peak production capacity, now that commercial, ordering, and distribution systems have been restored. Stryker said it is continuing to work with third-party cybersecurity experts, government agencies, and industry partners to investigate the cyberattack. Meanwhile, its overall product supply remains healthy with strong availability across most of its product lines, and it is continuing to meet customer demand and support patient care.

An Iran-linked hacking group, Handala, claimed responsibility for the attack, which involved wiping almost 80,000 Windows devices. The group stole 50 terabytes of data and proceeded to leak the stolen data, although two domains used to leak the data were seized by the Federal Bureau of Investigation. The hackers compromised a Windows domain admin account and used it to set up a new Global Administrator account, with the devices remotely wiped using Intune. Following the attack, Microsoft released guidance for customers on hardening security for Windows domains and securing Intune.

The attack caused temporary, global disruption to business operations; however, the cyberattack did not affect the security or safety of its products or devices. The attack caused some disruption to parts of its supply lines, and there was a knock-on effect for some health systems, which had to delay some surgical procedures due to the disruption to Stryker’s ability to deliver patient-specific products.

Stryker engaged Palo Alto Networks to assist with threat hunting, forensic analysis, containment, eradication, and infrastructure review. Palo Alto Networks has confirmed that no evidence has been found of any unauthorized activity since March 11, 2026, and said the immediate risk to Stryker’s operational environment has been mitigated. No evidence was found to indicate that malware or ransomware was used in the attack. The hacking group used a malicious file to run commands, which allowed them to hide their activity from its threat detection solutions. Stryker confirmed that the malicious file did not have the ability to spread inside or outside of its environment.

Stryker is now facing legal action over the theft of sensitive employee data. At least 6 lawsuits have already been filed by employees who claim the company failed to protect their personal data.

March 12, 2026: Iran-Linked Hacking Group Wipes Data of U.S. Medical Device Manufacturer

Stryker, a U.S. medical device and medical equipment manufacturer based in Portage, Michigan, is dealing with a cyberattack linked to the current U.S. military action in Iran. The cyberattack started shortly after midnight and has caused an outage of systems across the organization. An Iran-linked hacking group has claimed responsibility for the attack.

Stryker has operations in 61 countries and has a global workforce of more than 56,000 employees. Stryker said in a filing with the U.S. Securities and Exchange Commission (SEC) that the attack has caused, and is expected to continue to cause, “disruptions and limitations of access to certain of the Company’s information systems and business applications.” Stryker is currently unable to provide a timeline for when systems and data will be recovered and when normal operations will resume.

This does not appear to have been a ransomware attack, but rather a data theft and wiping attack. The attack affected Stryker’s Microsoft programs, including the wiping of Windows-based devices such as mobile phones and laptops. Stryker said it has found no indications that ransomware or malware was used, and said it believes it has contained the attack. An investigation has been launched to determine the impact of the attack on its computer systems.

According to the Wall Street Journal, Stryker’s login pages were defaced with the hacking group’s logo. Stryker said it has business continuity measures in place and will continue to support its customers and partners while it recovers from the attack. Stryker has also committed to transparency and said it will keep stakeholders informed as the investigation and recovery processes progress.

An Iran-linked hacking group called Handala immediately claimed responsibility for the attack in an announcement on X. The group claimed its attack caused disruption at 79 Stryker offices around the world, wiped more than 200,000 systems, servers, and mobile devices, and exfiltrated 50 terabytes of data. “We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,” the group said in a post on X.

While the initial access vector is not known, security researcher Kevin Beaumont suggests that Handala actors gained access to Stryker’s Active Directory services and used the Microsoft endpoint management tool Intune to remotely wipe Microsoft devices, including devices used by employees managed under its bring-your-own-device policy.

While Handala appears at face value to be a hacktivist group, the group has been linked to Iran’s Ministry of Intelligence and Security. Palo Alto Networks suggests that Handala is part of the Ministry of Intelligence and Security and masquerades as a hacktivist group, allowing Iran to deny responsibility for its cyber operations.

While Iran has executed a military response to the US-Israel military action, retaliation to the attacks was always likely to involve more than just missiles. Iran has sophisticated cyber capabilities, and any response was likely to take place in cyberspace. Iranian officials stated this week that Tehran would expand its targeting to include economic centers and banks tied to the United States or Israel, and that U.S. companies with ties to the U.S. military or Israel would also be attacked. Stryker has a presence in Israel, including OrthoSpace, an orthopedic device maker that the company acquired in 2019. Handala claimed that Stryker was “a Zionist-rooted corporation.”

“Attacks like this unfortunately aren’t surprising. Even before the latest geopolitical tensions, hacktivist activity targeting healthcare and other critical infrastructure had been steadily increasing, and that trend makes organizations like medical device manufacturers and hospitals more likely to be caught in the crossfire. In many cases, attackers simply find the path of least resistance—an exposed system, an unsecured management console, or credentials that allow them to move deeper into the environment—and once they gain administrative access, they effectively hold the keys to the kingdom and can disrupt everything from mobile devices to operational systems,” Skip Sorrels, Field CTO and CISO, Claroty, said in a statement provided to The HIPAA Journal. “As a former ICU nurse, I’ve seen firsthand how even small technology outages ripple through care delivery, which is why cybersecurity in healthcare must be treated as part of patient safety, with organizations prioritizing visibility into their cyber-physical systems and closing those “open doors” before attackers find them.”

Steve Povolny, Vice President of AI Strategy & Security Research at Exabeam, told The HIPAA Journal the attack illustrates how cyber operations are increasingly becoming the asymmetric response of choice during periods of regional conflict or political tension, and that cyber activity from proxy groups provides Tehran with a deniable way to impose costs on Western economies and technology ecosystems.

“Groups like Handala blur the line between hacktivism and state operations, giving governments plausible deniability while still achieving strategic signaling. The cautionary lesson for defenders is that these campaigns are rarely isolated events,” said Povolny. “They are often part of a broader pressure strategy designed to create disruption across multiple industries that support national stability, from healthcare and logistics to energy and manufacturing. Organizations that do not traditionally view themselves as geopolitical targets may increasingly find themselves on the front lines of state-linked cyber conflict.”

In an update on March 15, 2026, Stryker said it believes that the attack has been contained. Stryker confirmed that the attack affected order processing, manufacturing, and shipments, but no patient-related services or connected medical products were affected. The company is prioritizing the restoration of systems that directly support customers, ordering, and shipping. The investigation into the cyberattack is ongoing. Stryker is working with third-party cybersecurity experts and is coordinating with appropriate authorities, including the White House National Cyber Director, FBI, CISA, DHA, HHS, and H-ISAC. Stryker confirmed that ransomware was not used in the attack and no malware was deployed on its systems.

ID Care & CommuniCare Announce Data Breaches

ID Care in New Jersey and Barrio Comprehensive Family Health Care Center (CommuniCare) in Texas have confirmed that patients’ personal and protected health information has been compromised in recent data security incidents.

ID Care

ID Care, a New Jersey-based network of board-certified infectious disease specialists, has recently disclosed a data security incident that involved unauthorized access to the personal and protected health information of current and former patients.

Suspicious activity was identified within certain systems on November 5, 2025. Industry-leading cybersecurity specialists were engaged to investigate the activity and confirmed that an unknown actor gained access to its network and accessed or downloaded files without authorization.

ID Care is currently reviewing the affected files, and while that process has not yet been completed, ID Care has confirmed that the affected files contained full names, dates of birth, Social Security numbers, health insurance information, and medical information, including diagnoses, treatment information, and prescription information.

Policies and procedures are being reviewed to reduce the likelihood of similar incidents in the future, and the HHS’ Office for Civil Rights has been notified about the data breach. The data breach is not yet shown on the OCR breach portal, so the scale of the breach is currently unclear.

Barrio Comprehensive Family Health Care Center (CommuniCare)

Barrio Comprehensive Family Health Care Center (CommuniCare), a non-profit clinic in San Antonio, Texas, has identified unauthorized access to an employee’s email account. The email account breach was identified on September 16, 2025, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. CommuniCare determined that emails in the account had been accessed without authorization, some of which contained patient information.

Following a lengthy review of the affected emails and files, CommuniCare determined on February 19, 2026, that they contained first and last names, in combination with one or more of the following: dates of birth, health insurance account/member/group numbers, clinical information, diagnoses, medical treatment/procedure information, prescription information, provider locations, and patient account numbers.

CommuniCare said it is unaware of any misuse of patient data as a result of the incident, nor does it have any reason to believe that any information in the compromised account will be misused; however, the affected individuals have been advised to remain vigilant against data misuse by monitoring their accounts, explanation of benefits statements, and free credit reports for suspicious activity. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine

Centerwell, a provider of senior healthcare services in 30 U.S. states, has experienced a cyberattack and data breach. Lakeside Pediatric & Adolescent Medicine has recently notified individuals affected by an October 2024 data breach.

Centerwell

Centerwell, a Louisville, Kentucky-based provider of healthcare services to seniors, has recently reported a data breach to the Texas Attorney General that involved unauthorized access to patient information.

The scale of the breach is currently unclear, other than that the personal and protected health information of 4,618 Texas residents was compromised in the incident. The breach could be substantially larger, as Centerwell provides senior healthcare services in 30 U.S. states. The Texas Attorney General was informed on March 6, 2026, that data compromised in the incident includes names, addresses, dates of birth, and medical information. At the time of writing, the affected individuals have not been informed by mail, and no known threat group has publicly claimed responsibility for the incident.

This post will be updated when further information about the incident is released.

Lakeside Pediatric & Adolescent Medicine

Lakeside Pediatric & Adolescent Medicine (Lakeside), a Coeur d’Alene, Idaho-based healthcare provider, has started notifying patients about an October 2024 data security incident. Lakeside identified unauthorized access to its computer systems in late 2024. The forensic investigation confirmed that an unauthorized third party accessed its computer systems on November 1, 2024, and on December 15, 2024, Lakeside confirmed that there had been unauthorized access and potential acquisition of files containing patient information.

On January 1, 2025, Lakeside confirmed in a website breach notice that personal and protected health information had been compromised in the incident, although the data review was ongoing at that time. On or around December 26, 2025, Lakeside confirmed the data types involved, although the website notice has not been updated to state what those data types are.

In a breach notice submitted to the Washington Attorney General, Lakeside confirmed that single-bureau credit monitoring and identity theft protection services are being offered to the affected individuals, and that 1,314 Washington residents were affected. The incident has not yet been listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals in total have been affected.

February 2025 Cyberattack Affected More Than 230K Bell Ambulance Patients

Bell Ambulance has confirmed that the protected health information of more than 230,000 patients was compromised in a February 2025 cyberattack. Data breaches have also been reported by Northwest Medical Homes in Oregon and the New York plastic surgeon Alexes Hazen, MD.

Bell Ambulance, Wisconsin

Bell Ambulance, a Milwaukee, Wisconsin-based ambulance service, has notified the Maine Attorney General that a hacking incident identified in February 2025 has affected 237,830 individuals. Bell Ambulance detected unauthorized activity within its network on February 13, 2025. Third-party cybersecurity experts were engaged to investigate the data breach and confirmed that the protected health information of 114,000 individuals had been compromised in the incident. Notification letters were sent to those individuals on April 18, 2025; however, the data review had not yet concluded.

It has taken a year to review all data potentially compromised in the incident. On January 15, 2026, additional individuals were notified that they had been affected, and the data review concluded on February 20, 2026. Additional notification letters were mailed on March 9, 2026. Data compromised in the incident included first and last names, birth dates, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information. Bell Ambulance has offered the affected individuals complimentary credit monitoring and identity theft protection services for 12 or 24 months as a precaution. Bell Ambulance said it is unaware of any misuse of the impacted data at the time of issuing notification letters.

Northwest Medical Homes, Oregon

Springfield, Oregon-based Northwest Medical Homes, LLC, has notified certain patients about a cybersecurity incident first identified on May 13, 2025. Third-party cybersecurity experts were engaged to help secure its systems, investigate the incident, and harden and enhance system security. The investigation confirmed that patients’ protected health information may have been compromised in the incident.

The breach notice submitted to the California Attorney General does not state what types of data were compromised in the incident, other than names and addresses. The individual notification letters state the exact types of data compromised for each patient.

Law enforcement has been notified, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 or 24 months as a precaution. Northwest Medical Homes said it was unaware of any data misuse at the time of issuing notifications. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Alexes Hazen, MD, PLLC, New York

Alexes Hazen, MD, PLLC, a New York-based board-certified plastic surgeon, has recently announced a cybersecurity incident and data breach. The practice learned about the incident on or around January 20, 2026, and started working with law enforcement and third-party cybersecurity experts to determine the nature and scope of the incident.

The investigation confirmed that an unauthorized third party accessed certain computer systems between June 23, 2025, and July 15, 2025, and may have exfiltrated a limited amount of patient data. The review of the affected data is ongoing, but it has been confirmed that the types of information compromised in the incident include names, dates of birth, demographic information, Social Security numbers, government-issued ID numbers, medical histories, conditions, procedure/diagnosis information, medical information, insurance information, payment information, and photographs.

Notification letters are being mailed to the affected individuals, and steps have been taken to harden security to prevent similar incidents in the future. The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals. The total will be updated when the file review is concluded.

Alabama Hospital Recently Informed About 2024 Data Breach

Jackson Hospital and Clinic in Montgomery, Alabama, has notified 14,485 individuals about a July 2024 data breach at one of its former vendors, the debt collection agency Nationwide Recovery Services.

Nationwide Recovery Services first identified suspicious activity within its computer network in July 2024. The forensic investigation confirmed that an unauthorized third party accessed its network between July 5, 2024, and July 15, 2024. Nationwide Recovery Services notified the affected HIPAA-regulated entity clients between February 2025 and March 2025; however, Jackson Hospital and Clinic said it was not informed that it was one of the affected clients until January 27, 2026. Notification letters started to be mailed to the affected individuals on February 27, 2026, more than 19 months after the data breach occurred.

Jackson Hospital and Clinic said the incident involved data provided to Nationwide Recovery Services to allow the company to perform its contracted duties. None of Jackson Hospital and Clinic’s information technology systems were affected. Data potentially compromised in the incident includes names, phone numbers, addresses, dates of birth, Social Security numbers, account information, health insurance information, and/or dates of service. Jackson Hospital and Clinic said it no longer uses Nationwide Recovery Services for debt recovery.

As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Due to the lengthy delay between the data breach and notification, the affected individuals should check their accounts and explanation of benefits statements for potential data misuse going back to July 2024, in addition to signing up for the complimentary credit monitoring services.

The total number of individuals affected by the Nationwide Recovery Services data breach is unknown. Nationwide Recovery Services reported the breach to the HHS’ Office for Civil Rights (OCR) on September 9, 2024, using a placeholder figure of at least 501 affected individuals. That total has not been updated since the initial breach report. Many clients chose to issue their own notifications about the data breach. Based on breach notifications to state attorneys general and OCR, the data breach affected more than 560,000 individuals.

The post Alabama Hospital Recently Informed About 2024 Data Breach appeared first on The HIPAA Journal.

PIH Health Notifies Patients About 2024 Hacking Incident

PIH Health, a healthcare provider serving patients in Orange County and the San Gabriel Valley in California, has started notifying patients affected by a December 2024 ransomware attack. The attack disrupted systems used by Downey Hospital, Good Samaritan Hospital, and Whittier Hospital, as well as urgent care clinics, home health, hospice services, and physicians’ offices.

The ransomware attack was detected on December 1, 2024, and the forensic investigation confirmed that the threat actor had access to its network between November 14, 2024, and December 23, 2024. As detailed in our December 16, 2024, coverage below, the threat actor claimed to have exfiltrated around 2 terabytes of data in the attack, and claimed the data included around 17 million patient records. A ransom demand was issued, and some of the stolen data was leaked online. PIH Health learned of the hacker’s claims but said at the time that it was unable to verify the authenticity of the ransom note or the data theft claims.

PIH Health has been reviewing the exposed data with the help of third-party specialists, and on or around December 16, 2025, more than a year after the attack was detected, PIH Health confirmed that patient information was present in files on the compromised parts of its network, and the files may have been accessed or acquired by the threat actor.

PIH Health said its detailed review of the affected data was time-intensive, hence the time taken to complete the review. After obtaining the full list of affected individuals in December 2025, PIH Health worked to gather contact information to allow notification letters to be mailed. That process was completed on February 25, 2026, and individuals affected by the breach are now learning that their data was compromised in the attack.

PIH Health said the types of data involved vary from individual to individual and, at the time of issuing notification letters, no evidence has been found of any misuse or attempted misuse of the affected information. The breach included personally identifiable information and protected health information such as names, addresses, medical information, health insurance information, Social Security numbers, taxpayer identification numbers, driver’s license numbers, financial account information, and credit/debit card numbers. PIH Health has offered the affected individuals complimentary credit monitoring and identity theft protection services, and has taken steps to minimize the risk of similar incidents occurring in the future.

What has yet to be confirmed is the scale of the data breach. While there has been a claim that 17 million records were stolen, that claim may have been exaggerated, and if the claim is correct, those records may not relate to unique patients. The data breach is not yet showing on the HHS’ Office for Civil Rights website, and the California Attorney General does not publish details about the scale of a data breach. Most of the affected individuals are likely to reside in California, but we have confirmed that the Texas Attorney General has been notified that 8,434 Texas residents were affected.

Last year, the HHS’ Office for Civil Rights announced that it had agreed to a $600,000 settlement with PIH Health to resolve potential HIPAA violations related to a 2020 phishing attack that affected 189,763 individuals. OCR determined that the HIPAA Security Rule had been violated as PIH Health failed to conduct a comprehensive and accurate risk analysis, as well as the HIPAA Breach Notification Rule, as PIH Health failed to issue timely notifications to OCR, the affected individuals, and the media.

December 16, 2024: Hackers Claim to Have Stolen 17 Million Patient Records from PIH Health

The hacking group behind the cyberattack on the Californian healthcare provider PIH Health on December 1, 2024, claims to have exfiltrated a huge amount of sensitive data before encrypting files. If the hackers are to be believed, they exfiltrated 17 million patient records.

Southern California News Group obtained a copy of a ransom note that had allegedly been faxed to PIH Health. The hackers claimed to have exfiltrated around 2 terabytes of sensitive data in the attack. The note states that the stolen data includes 17 million patient records, data for more than 8.1 million “medical episodes” that include patients’ home addresses, cancer patients’ treatment records, private emails including test results and treatments, confidentiality agreements with employees, and around 100 active nondisclosure agreements between PIH Health and other medical organizations. The hackers also provided a link where screenshots of the stolen data had been uploaded.

Southern California News Group said no hacking group had claimed responsibility for the attack. PIH Health was unable to verify the authenticity of the ransom note or the data theft claims. The PIH website notice states, “PIH Health is working with cyber forensic specialists to assess the issue. Impacted individuals will be notified if protected health information is found to be compromised.”

Multiple systems were taken offline as a result of the incident, and phone lines were also disrupted. The phone system used by PIH Health’s Good Samaritan Hospital in Los Angeles was unaffected, and lines from its Whittier and Downey hospitals have been rerouted there. While the attack has caused major disruption to its computer systems, staff are working on downtime procedures, and care continues to be provided to patients, with patient data recorded manually; however, staff members are struggling with the additional workload that this creates, and delays are being experienced by patients.

PIH Health updated its website FAQ about the incident on December 13, 2024, but was still not able to provide a timeline on when its systems are likely to be restored. PIH Health said local police departments have been notified, and the Federal Bureau of Investigation (FBI) has been engaged and is involved in the criminal investigation. PIH Health said it is doing everything possible to rectify the situation.

Hackers have been known to exaggerate the extent of data theft, and even if 17 million records were stolen, there may be duplicate records in the dataset. If it turns out that 17 million current and former patients have been affected, this would be the second-largest data breach of the year, behind the 100-million-record data breach at Change Healthcare in February.

The post PIH Health Notifies Patients About 2024 Hacking Incident appeared first on The HIPAA Journal.