HIPAA Breach News

Two California Medical Groups Announce Data Breaches

Posted by Steve Alder

Data breaches have recently been announced by two California medical groups – Valley Radiology Consultants Medical Group, which serves San Diego County, and Nephrology Associates Medical Group, which serves the Riverside and San Bernardino counties.

Valley Radiology Consultants Medical Group

Valley Radiology Consultants Medical Group in California has announced a security incident and data breach that was first identified on September 15, 2025. Immediate action was taken to secure its network, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized access to its network and files containing patient information. On February 18, 2026, the file review was concluded, and Valley Radiology Consultants Medical Group obtained the final list of individuals to notify.

There is currently no substitute data breach notice on its website, and the notice submitted to the California Attorney General has the types of data involved redacted. Individual notices include the types of information compromised in the incident. Valley Radiology Consultants Medical Group said it has changed passwords, enhanced systems security, and taken steps to reduce the risk of future harm. Notification letters are now being mailed, and the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months. The incident is not yet shown on the HHS’ Office for Civil Rights data breach portal, so it is currently unclear how many individuals have been affected.

Nephrology Associates Medical Group

Nephrology Associates Medical Group in California has started notifying patients about a cyberattack and data breach that was first identified on May 20, 2025. Nephrology Associates Medical Group identified suspicious activity within its network and took immediate action to secure its systems and prevent further unauthorized access. Assisted by third-party cybersecurity experts, Nephrology Associates Medical Group confirmed that an unauthorized third party had accessed its network and exfiltrated files, including files containing patient information.

The file review has recently been completed, and Nephrology Associates Medical Group has confirmed that names, dates of birth, Social Security numbers, medical/health information, diagnoses, treatment information, health insurance information, billing/payment information, and credentialing information were involved. The impacted data varies from individual to individual. The substitute data breach notice makes no mention of credit monitoring and identity theft protection services.

Nephrology Associates Medical Group has taken several steps in response to the data breach to strengthen security, including enforcing stronger password requirements, mandating more frequent required password changes, reducing access permissions, and switching to offline storage of older data. The incident is not yet shown on the HHS’ Office for Civil Rights data breach portal, so it is currently unclear how many individuals have been affected.

The post Two California Medical Groups Announce Data Breaches appeared first on The HIPAA Journal.

Insight Hospital and Medical Center Announces Cyberattack & Data Breach

Posted by Steve Alder

Data breaches have been announced by Insight Hospital and Medical Center in Chicago and Community Health Action of Staten Island. BlueCross BlueShield of Tennessee has confirmed it was one of the healthcare organizations affected by the Conduent Business Services data breach.

Insight Hospital and Medical Center

Insight Hospital and Medical Center in Chicago has announced a data security incident that was first identified in September 2025.  Unusual activity was identified within its IT environment, and the forensic investigation confirmed unauthorized access to its network between August 22, 2025, and September 11, 2025.

The data review is ongoing to determine the individuals affected and the data involved; however, the likely information compromised in the incident may include names, dates of birth, Social Security numbers, passport numbers, financial account information, treatment-related information, and health insurance information. Notification letters will be mailed to the affected individuals when the data review is completed.

Two threat groups have claimed attacks on Insight Hospital and Medical Center. The LockBit5 group added the Chicago hospital and medical center to its data leak site on December 4, 2025, along with data allegedly stolen in the attack. LockBit claimed to have stolen “almost 200 gigabytes of medical secrets.” More recently, a group called Termite added Insight Hospital and Medical Center to its data leak site. Termite claims to have exfiltrated 360 GB of data in the attack and leaked the stolen data in late February 2026.

Community Health Action of Staten Island

Community Health Action of Staten Island, the operator of programs and social services for vulnerable individuals in Staten Island, New York, has notified certain individuals about a recent data security incident that may have involved unauthorized access and/or the theft of sensitive data.

The breach notice provided to the Massachusetts Attorney General on February 25, 2026, provides limited information about the incident, only confirming that names, Social Security numbers, driver’s license numbers/non-driver identification card numbers, bank account and routing numbers, medical information, and/or health insurance information were potentially impacted. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for two years.

The nature of the incident was not disclosed in the letters, but this appears to have been a ransomware attack by the Genesis ransomware group, which added Community Health Action of Staten Island to its dark web data leak site. Genesis claims to have exfiltrated around 200,000 records containing sensitive personal and medical data, including approximately 60,000 records from HIV-tested patient databases, HIPAA-covered data, and employee information.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, and Community Health Action of Staten Island has not confirmed how many individuals have been affected. The notice to the Massachusetts Attorney General only states that 2 state residents have been affected.

BlueCross BlueShield of Tennessee

BlueCross BlueShield of Tennessee has confirmed that some of its members have been affected by the data breach at business associate Conduent Business Services. The Conduent data breach is one of the largest healthcare data breaches ever discovered, with current figures indicating that more than 25 million individuals across the United States have been affected. A ransomware group gained access to its network on October 21, 2024, maintained access until January 13, 2025, exfiltrated data, and encrypted files.

Data compromised in the incident included name, Social Security number, medical information, and health insurance information. You can read more about the data breach in this post. BlueCross BlueShield of Tennessee reported the breach to the HHS’ Office for Civil Rights as affecting 1,670 members.

The post Insight Hospital and Medical Center Announces Cyberattack & Data Breach appeared first on The HIPAA Journal.

January 2026 Healthcare Data Breach Report

Posted by Steve Alder

The HHS’ Office for Civil Rights (OCR) healthcare data breach portal shows a slight month-over-month decline in large healthcare data breaches, which fell by 13.2% from December 2025 to 46 data breaches in January 2026.

Healthcare data breaches in the past 12 months - January 2026

The OCR breach portal lists healthcare data breaches affecting 500 or more individuals, which have been reported far less frequently during the past 5 months than in the first half of 2025. From September 2025 to January 2026, an average of 46.2 large data breaches were reported to OCR each month, compared to an average of 68.6 breaches per month in the preceding 5 months (April to August). Should this trend continue, 2026 could well see the lowest number of data breaches reported for several years.

We previously suggested that there may be a delay in adding data breaches to the OCR breach portal due to the government shutdown in late 2025, which lasted for 43 days between October 1 and November 12, 2025, during which time no healthcare data breaches were added to the OCR data breach portal. Since we last compiled breach data in January, a further two breaches have been added for October, and 7 data breaches for November. Since relatively few data breaches have been added for those months, it suggests that OCR has largely cleared the backlog of breach reports. The reason for the decline in large data breaches since September 2025 is unclear. Data breaches are also down compared to previous years, with this year’s total being the lowest January total since 2023.

January healthcare data breaches - 2022-2026

Across the 46 large healthcare data breaches reported in January, the protected health information of 1,441,182 individuals was exposed or impermissibly disclosed. While that represents a 178% increase in affected individuals compared to December 2025, January’s total is well below the 12-month average of 5,107,388 affected individuals per month, and it is the lowest January total since 2020.

Individuals affected by healthcare data breaches in the past 12 months - January 2026

In addition to reduced breach numbers, there has also been a reduction in data breach size over the past 5 months. In the 5 months from April 2025 to August 2025, 48.1 million individuals had their health information exposed or impermissibly disclosed in healthcare data breaches. During the following 5 months from September 2025 to January 2026, only 7.2 million individuals had data exposed or impermissibly disclosed, an 85% reduction from the preceding 5 months.

Individuals affected by January healthcare data breaches - 2022-2026

While the reduction in affected individuals is good news, two massive healthcare data breaches occurred last year at business associates of HIPAA-covered entities that are not yet reflected in the OCR breach data. A data breach at Trizetto Provider Solutions last year is now known to have affected at least 3.6 million individuals, and a far worse data breach was experienced by Conduent Business Solutions. According to breach reports to state Attorneys General, at least 25 million individuals were affected by that breach in Oregon and Texas alone. Given the fact that Condusent overrated in many U.S. states, the data breach is likely to have affected many more individuals, and it could rank as one of the top 3 healthcare data breaches of all time.

Biggest Healthcare Data Breaches Reported in January 2026

In January, 11 healthcare data breaches were reported to OCR that affected 10,000 or more individuals. Those 11 data breaches accounted for 92.5% of the affected individuals in January. While data breaches of 10,000 or more records are usually mostly due to hacking and other IT incidents, three of the four largest data breaches of the month were unauthorized access/disclosure incidents, and the top two breaches occurred at state Departments of Human Services.

The largest data breach was reported by the Illinois Department of Human Services, which exposed the protected health information of more than 700K state residents. A website created for internal use to help with resource allocation and decision-making was inadvertently made accessible over the public Internet. The second-largest data breach was reported by the Minnesota Department of Human Services, which affected more than 303K individuals. The breach involved unauthorized access to its MnChoices system, which is used by counties, Tribal Nations, and managed care organizations to support their assessment and planning work for state residents requiring long-term services and support. The system was accessed by a user associated with a licensed healthcare provider, who had no legitimate reason to access the data.

As the table below shows, ransomware groups continue to target the healthcare industry and were behind 6 of the top 11 data breaches in January.

HIPAA-Regulated Entity State Covered Entity Type Individuals Affected Data Breach Cause
Illinois Department of Human Services IL Health Plan 705,017 An internal website was inadvertently accessible over the public internet
Minnesota Department of Human Services MN Health Plan 303,965 Unauthorized access to an internal resource by a user associated with a licensed healthcare provider.
Clinic Service Corporation CO Business Associate 82,331 Hacking incident
LifeLong Medical Care CA Healthcare Provider 70,000 Hacking incident at business associate (Trizetto Provider Solutions)
Avosina Healthcare Solutions VA Business Associate 44,425 Ransomware attack (Qilin)
Wakefield & Associates, LLC TN Business Associate 31,751 Ransomware attack (Akira)
Jefferson-Blount-St. Clair Mental Health Authority AL Healthcare Provider 30,434 Ransomware attack (Medusa)
Mid Michigan Medical Billing Service, Inc. MI Business Associate 28,185 Ransomware attack (Qilin)
Pecan Tree Dental, PLLC TX Healthcare Provider 13,300 Ransomware attack (Sinobi)
Central Ozarks Medical Center MO Healthcare Provider 11,818 Hacking incident
360 Dental PC PA Healthcare Provider 11,273 Ransomware attack

The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to the OCR within 60 days of discovery. If the number of affected individuals is not known by the reporting deadline, an estimate of the number of affected individuals should be provided to OCR. It is common for estimates of 500 or 501 affected individuals to be used as placeholders in such cases. In January, three such breaches were reported. The number of affected individuals could be substantially higher for these data breaches.

Regulated Entity State Covered Entity Type Individuals Affected Type of Breach
Precipio, Inc. CT Healthcare Provider 501 Hacking/IT Incident
Middlesex Sheriff’s Office MA Healthcare Provider 501 Hacking/IT Incident
Central Texas MHMR Center dba Center for Life Resource TX Healthcare Provider 501 Hacking/IT Incident

Causes of January 2025 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports and were listed as the cause of 36 of the month’s 46 data breaches (78.3%). The protected health information of 343,359 individuals was exposed or stolen in those incidents. Atypically, the number of individuals affected by those incidents was relatively low, as they accounted for just 23.8% of the month’s breach victims. The average breach size was 9,810 individuals, and the median breach size was 3,722 individuals.

Causes of January 2026 healthcare data breaches

While there were only 10 unauthorized access/disclosure incidents in January (21.7%), those incidents accounted for 76.1% of the month’s breach victims. The average breach size was 109,700 individuals, and the median breach size was 3,188 individuals. One loss incident was reported involving the paper records of 821 individuals, but there were no theft or improper disposal incidents. The most common location of breached protected health information in January was network servers (30 incidents), followed by email accounts (8 incidents).

Location of breached PHI in January 2026 healthcare data breaches

HIPAA-Regulated Entities Affected by Data Breaches

The OCR breach portal data includes 36 data breaches reported by healthcare providers (236,462 affected individuals), 6 data breaches were reported by business associates (190,015 affected individuals), and four data breaches were reported by health plans (1,014,705 affected individuals).

When a data breach occurs at a business associate, it is ultimately the responsibility of each affected HIPAA-covered entity to ensure that the breach is reported in compliance with the HIPAA Breach Notification Rule. Covered entities may delegate the responsibility of reporting the data breach to the business associate, or they may choose to report the breach themselves.

That means that data breaches at business associates are often underrepresented in healthcare data breach reports. The charts below show where the data breaches occurred rather than the reporting entity. As you can see, there is a stark difference this month, as 21 of the month’s data breaches occurred at business associates of HIPAA-covered entities.

Healthcare data breaches at HIPAA-regulated entities in January 2026

Individuals affected by data breaches at HIPAA-regulated entities - January 2026

Geographical Distribution of Healthcare Data Breaches

In January, HIPAA-regulated entities in 24 U.S. states reported data breaches affecting 500 or more individuals. California topped the list with 8 data breaches, although 7 of those breach reports related to the same incident – The data breach at Trizetto Provider Solutions, which was a business associate or subcontractor of the business associate OCHIN.

State Breaches
California 8
Maryland & Texas 4
Alabama & Indiana 3
Idaho, Illinois, Michigan, Oregon & Tennessee 2
Alaska, Colorado, Connecticut, Florida, Kentucky, Louisiana, Massachusetts, Minnesota, Missouri, New Jersey, New York, Pennsylvania, South Carolina & Virginia 1

While California topped the list for data breaches, Illinois and Minnesota were the worst-affected states in terms of affected individuals.

State Individuals Affected
Illinois 705,638
Minnesota 303,965
California 98,241
Colorado 82,331
Virginia 44,425
Alabama 39,287
Tennessee 33,092
Michigan 31,907
Texas 17,951
Missouri 11,818
Pennsylvania 11,273
Idaho 9,721
New Jersey 9,526
Maryland 8,134
Kentucky 7,990
South Carolina 7,020
Lopuisiana 6,530
New York 4,725
Oregon 2,781
Indiana 2,481
Florida 821
Alaska 523
Connecticut 501
Massachusetts 501

HIPAA Enforcement Activity in January 2025

Two enforcement actions were announced in January to resolve alleged violations of the HIPAA Rules. The HHS’ Office for Civil Rights announced a settlement with Top of the World Ranch Treatment Center to resolve an alleged HIPAA Security Rule violation. The behavioral healthcare provider was investigated over a phishing attack that exposed the protected health information of 1,980 individuals.

OCR determined that Top of the World Ranch Treatment Center had not complied with the risk analysis provision of the HIPAA Security Rule, which requires a comprehensive and accurate risk analysis to be conducted to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was resolved with a $103,000 financial penalty, and Top of the World Ranch Treatment Center agreed to adopt a corrective action plan. This was the 11th HIPAA case to be resolved with a financial penalty under OCR’s risk analysis enforcement initiative.

OCR Director Paula M. Stannard has confirmed that the risk analysis enforcement initiative will continue in 2026 and will be expanded to also cover risk management. The enforcement initiative targeting noncompliance with the HIPAA Right of Access will also continue this year.

The other penalty was imposed following an investigation by the Massachusetts Attorney General, in partnership with the Connecticut Attorney General. Comstar LLC, a Massachusetts-based ambulance billing and collections company, was investigated over a March 2022 cyberattack and data breach that affected 585,621 individuals.

The investigation determined that Comstar had violated the HIPAA Security Rule and the Massachusetts Data Security Regulations by failing to maintain an adequate Written Information Security Program (WISP). The case was resolved with a $515,000 financial penalty, which will be shared between the two states. The settlement also includes several cybersecurity requirements. Comstar had previously settled an OCR HIPAA investigation launched in response to the same data breach and paid a $75,000 financial penalty.

The post January 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Apex Spine & Neurosurgery & North Central Behavioral Health Systems Announce Data Breaches

Posted by Steve Alder

Data breaches have been announced by Apex Spine & Neurosurgery in Georgia and North Central Behavioral Health Systems in Illinois.

Apex Spine & Neurosurgery

Apex Spine & Neurosurgery in Georgia has notified 2,500 individuals that some of their electronic protected health information has likely been stolen in a ransomware attack. Apex Spine & Neurosurgery said it learned on December 23, 2025, that a cyber threat actor had accessed its network and used ransomware to encrypt files. The forensic investigation confirmed that the cyber actor accessed its network and copied files on December 9, 2025; however, its electronic medical record system was not involved, as it is maintained in a logically separate computer environment.

The stolen files are still being reviewed; however, they contained information such as names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, other government identifiers, location of health services, dates of service, treatment or condition information, diagnosis/diagnosis codes, prescription information, history information, assigned physician names; health services payment information, such as financial account number without a security code, access code, or password to access an account, patient account numbers, and health insurance information subscriber or identification numbers. The information copied in the attack varies from individual to individual. Apex Spine & Neurosurgery said it is evaluating further technical safeguards to better protect sensitive data on its network.

The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements for suspicious activity. While the ransomware group was not mentioned in the breach notice, the Interlock ransomware group claimed responsibility for the attack and said 20 GB of data was exfiltrated. Interlock proceeded to leak the stolen data as the ransom was not paid. Apex Spine & Neurosurgery said it was able to securely recover the encrypted data from backups.

North Central Behavioral Health Systems

North Central Behavioral Health Systems, a mental health and substance abuse treatment center with locations in La Salle and Ottawa, Illinois, has identified unauthorized access to an employee’s email account. Suspicious activity was identified in a single email account on or around December 2, 2025. The account was secured to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed that the breach was limited to a single email account. The account is currently being reviewed to determine the types of information involved and the individuals affected. Notification letters will be mailed to the affected individuals as soon as the review is concluded. Currently, no misuse of patient data has been identified; however, patients have been advised to remain vigilant against data misuse by monitoring their bank accounts and financial statements for suspicious activity. Email security has been enhanced in response to the incident, and complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

The post Apex Spine & Neurosurgery & North Central Behavioral Health Systems Announce Data Breaches appeared first on The HIPAA Journal.

Carolina Foot & Ankle Associates Notifies Patients About December 2025 Cyberattack

Posted by Steve Alder

Cyberattacks and data breaches have been announced by the healthcare providers Carolina Foot & Ankle Associates, New Age Dermatology, and Marin Cancer Care.

Carolina Foot & Ankle Associates

The North Carolina podiatry practice, Carolina Foot & Ankle Associates, is notifying patients that some of their personal and protected health information was exposed in a December 2025 cybersecurity incident. The incident was detected on December 8, 2025, when it experienced a network disruption. Third-party cybersecurity experts were engaged to investigate the incident and confirmed that an unauthorized third party had accessed its network and exfiltrated files containing patient data.

The file review has recently been completed, and confirmed that patient data had been compromised, including first and last names, phone numbers, dates of birth, medical record numbers, health insurance information, diagnostic/CPT codes, and dates of service. The types of data involved varied from individual to individual. Carolina Foot & Ankle Associates said Social Security numbers and financial information were not compromised in the incident, and there was no unauthorized access to its electronic medical record system.

When the breach was detected, immediate enhancements were made to security to prevent further data security incidents, and law enforcement was notified. As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The breach has been reported to the HHS’ Office for Civil Rights using a placeholder estimate of at least 501 affected individuals.

New Age Dermatology

New Age Dermatology LLC has notified the Massachusetts Attorney General about a ransomware attack that was identified on or around December 20, 2025. According to the notice, the ransomware attack affected an internal server, which has been rendered inoperable and inaccessible.  Law enforcement has been notified, and an investigation has been launched, with assistance provided by third-party cybersecurity professionals.

At this stage of the investigation, New Age Dermatology has yet to determine the specific types of information involved or the number of individuals affected, but explained that information likely compromised in the incident includes personal and protected health information typically found in patient records, including names, dates of birth, medial and treatment information, diagnostic images, photographs, and Social Security numbers may have been compromised. New Age Dermatology has found no evidence to suggest that its electronic medical record system was compromised in the incident. At the time of writing, no ransomware group appears to have claimed responsibility for the attack.

New Age Dermatology is unaware of any data misuse, but as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Marin Cancer Care

Marin Cancer Care, a provider of cancer treatment in Larkspur, California, has alerted patients to an incident involving unauthorized access to its computer network. An intrusion was detected on or around December 8, 2025, and assisted by third-party investigators, Marin Cancer Center learned that an unauthorized third party had access to its computer network between November 22, 2025, and December 6, 2025, during which time files containing patient information may have been viewed or acquired.

The investigation and file review are ongoing to determine the affected individuals and the types of information involved. Marin Cancer Care has confirmed that names, medical information, and health insurance information were likely involved. Patients have been advised to remain vigilant against incidents of identity theft and fraud by reviewing their account statements and monitoring their free credit reports for suspicious activity.

The post Carolina Foot & Ankle Associates Notifies Patients About December 2025 Cyberattack appeared first on The HIPAA Journal.

Center for Advanced Eye Care; Southwest C.A.R.E Center; Evergreen Healthcare Group Announce Data Breaches

Posted by Steve Alder

The Center for Advanced Eye Care in Pennsylvania/Delaware, Southwest C.A.R.E Center in New Mexico, and Evergreen Healthcare Group in Washington have notified patients about cybersecurity incidents involving unauthorized access to patient information.

Center for Advanced Eye Care

The Center for Advanced Eye Care, a provider of ophthalmology services in Pennsylvania and Delaware, has recently announced a security incident that involved unauthorized access to patient data. Suspicious activity was identified within its legacy environment on December 16, 2025. The affected systems were secured, and an investigation was launched to determine the nature and scope of the activity.

Assisted by third-party cybersecurity experts, The Center for Advanced Eye Care confirmed that protected health information within the legacy environment was accessed by an unauthorized third party and was stolen in the attack. The exact types of data involved have not been publicly disclosed at present, and the types of information involved have been redacted from the notices provided to state attorneys general.

As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The affected individuals should avail themselves of those services, as a hacker claimed in December to be selling the stolen data. The data breach is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Southwest C.A.R.E Center

Southwest C.A.R.E Center, a nonprofit healthcare provider in New Mexico, has started notifying patients about a cybersecurity incident last summer that impacted some of their protected health information. The cybersecurity incident was detected on or around June 3, 2025. Third-party cybersecurity experts were engaged to conduct a forensic investigation, which confirmed that patient data had been exposed and may have been stolen.

The specific types of data involved were not stated in its substitute data breach notice, only that the data breach may have included first and last names, personal information, and protected health information. Southwest C.A.R.E Center said it has not identified any misuse of patient data as a result of the incident. Southwest C.A.R.E Center has reviewed and enhanced its technical safeguards and has offered complimentary credit monitoring services and identity theft protection services to all affected individuals for 12 months.

While not described as a ransomware attack, the Medusa ransomware group claimed responsibility for the attack. Medusa is a ransomware-as-a-service group that engages in data theft and encryption, and either sells or leaks the stolen data if the ransom is not paid. Medusa claimed to have exfiltrated more than 143 GB of data in the attack. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Evergreen Healthcare Group

Couve Healthcare Consulting, LLC, doing business as Evergreen Healthcare Group, has alerted patients about a breach of its cloud-based healthcare platform. Evergreen Healthcare Group, a Vancouver, WA-based provider of management consulting, administrative, and operational services to skilled nursing homes and assisted living communities, identified unauthorized activity within the cloud-based system on December 3, 2025. The forensic investigation found evidence of data exfiltration. The file review was completed on February 24, 2026, and confirmed that names, dates of birth, Social Security numbers, and medical information were subject to unauthorized access or were acquired in the incident.

The cloud-based platform has been secured, and Evergreen Healthcare Group has verified the security of its internal systems. Additional technical safeguards and enhanced security measures have been implemented to prevent similar incidents in the future, and complementary credit monitoring and identity theft restoration services have been offered to the affected individuals.  The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Center for Advanced Eye Care; Southwest C.A.R.E Center; Evergreen Healthcare Group Announce Data Breaches appeared first on The HIPAA Journal.

Medical Device Manufacturer UFP Technologies Confirms Data Stolen in Cyberattack

Posted by Steve Alder

The U.S. medical device manufacturer UFP Technologies has submitted a FORM 8-K filing to the U.S Securities and Exchange Commission (SEC) to notify the SEC and investors about a cyberattack and data breach that could potentially impact its financial condition or operations.

UFP Technologies is a publicly traded contract manufacturer based in Newburyport, Massachusetts, that makes single-use medical devices and highly engineered components for the aerospace, automotive, healthcare, and defense industries. The company produces a wide range of medical devices and medical components for products used in wound care, implants, and orthopedic and surgical products. UFP Technologies has an annual revenue of $600 million and employs 4,300 people.

According to the filing, UFP Technologies detected an IT systems intrusion on February 14, 2026. Immediate action was taken to assess, contain, and remediate the threat, and third-party cybersecurity experts were engaged to assist with the investigation. UFP Technologies said it believes the cyber threat actor responsible for the attack has been eradicated from its IT environment and confirmed that it has restored access to systems and information impacted by the incident in all material respects. While the attack did not impact all of its IT systems, many were affected, including the systems used for billing and label-making. UFP Technologies implemented its incident response and contingency plans, and since the incident was detected, it was able to continue operations in all material respects.

Some company and company-related data was either stolen or destroyed in the attack, which suggests this was a ransomware attack or that wiper malware was used. No threat group appears to have claimed responsibility for the attack. UFP Technologies explained in the filing that data has been recovered from backups. The company has confirmed that some data was exfiltrated from its system, although it is too early to determine the extent of the data theft, such as whether any personal or protected health information was stolen. The investigation to determine the nature and scope of the incident is ongoing, and the company is exploring the legal and regulatory notifications and filings that may be required.

As of the date of the filing (February 19, 2026), UFP Technologies said the incident has not had any material impact on its financial systems, operations, or financial condition. While costs have naturally been incurred, the company expects a significant proportion of the costs of containment, investigation, and mitigation will be covered by its cyber insurance policy.

The post Medical Device Manufacturer UFP Technologies Confirms Data Stolen in Cyberattack appeared first on The HIPAA Journal.

Cedar Point Health; Wee Care Pediatrics; Easterseals NI Announce Data Breaches

Posted by Steve Alder

Data breaches have recently been announced by Cedar Point Health in Colorado, Wee Care Pediatrics in Utah, and Easterseals Northeast Indiana.

Cedar Point Health

Cedar Point Health, a network of health clinics in Colorado, has recently disclosed a cybersecurity incident involving unauthorized access to parts of its network containing patient and employee information.  The intrusion was detected on or around June 16, 2025, and third-party cybersecurity experts were engaged to investigate the incident.

Cedar Point Health said it has taken several months of extensive efforts to identify, review, and analyze the impacted data, and on January 27, 2026, that process was completed. Data compromised in the incident includes full names, addresses, dates of birth, medical treatment information, diagnosis or procedure information, clinical information, health insurance information, financial account information, driver’s license or state-issued identification numbers, passport numbers, and/or Social Security numbers/ITINs.

No evidence has been found to indicate any fraud as a result of the incident; however, the affected individuals have been advised to remain vigilant against identity theft and fraud by reviewing their accounts and explanation of benefits statements for suspicious activity. Individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services. The data breach is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Wee Care Pediatrics

Wee Care Pediatrics, a pediatric healthcare provider with several locations in northern Utah, has recently announced a cybersecurity incident involving unauthorized access to or the acquisition of patient information. Suspicious activity was identified within its computer network on or around December 15, 2025. Third-party cybersecurity specialists were engaged to investigate the activity and determined that there had been unauthorized access to its network.

The review of the exposed data is ongoing; however, it has been determined that the following types of personal and protected health information were involved: first and last name, contact information, date of birth, Social Security number, treatment/diagnosis information, prescription/medication information, date(s) of service, provider name, medical record number, patient account number, Medicare/Medicaid ID number, and health insurance information.

Immediate action was taken to contain the incident, and steps have been taken to enhance security to prevent similar incidents in the future. Out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Easterseals Northeast Indiana

Easterseals Northeast Indiana, a nonprofit provider of services to individuals with disabilities and their families, has confirmed that protected health information was accessed and acquired in a security breach. Suspicious activity was identified within its computer network on September 4, 2025. Immediate action was taken to secure the network and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity.

On November 10, 2025, data theft was confirmed, including individuals’ first and last names, contact information, birth date, Social Security numbers, diagnostic and treatment information, and health insurance information. While not stated by Easterseals, this appears to have been a ransomware attack. The Inc Ransom ransomware group claimed to have stolen 405 GB of data in the attack. As a precaution against identity theft and fraud, Easterseals has offered complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were involved. At present, it is unclear how many individuals have been affected.

The post Cedar Point Health; Wee Care Pediatrics; Easterseals NI Announce Data Breaches appeared first on The HIPAA Journal.

QualDerm Partners Data Breach Affects More Than 3 Million Individuals

Posted by Steve Alder

In late February, The HIPAA Journal reported on a QualDerm Partners data breach, the scale of which was currently unknown, except that it affected 174,837 Texas residents. The data breach was likely to have affected considerably more individuals, given that QualDerm Partners does business in 17 U.S. states and serves more than 15 million patients annually.

The scale of the data breach is now clearer, as the Oregon Attorney General has been notified that 3,117,874 individuals have been affected. Notification letters started to be mailed to those individuals on February 22, 2026. The incident has yet to be added to the HHS’ Office for Civil Rights data breach portal, so it is still unclear how many individuals had protected health information compromised in the incident.

February 25, 2026: QualDerm Partners Confirms Significant Data Breach

QualDerm Partners, LLC, a provider of healthcare management services to 158 dermatology and skin care practices in 17 U.S. states, has announced a security incident involving unauthorized access to its computer network. Unauthorized network activity was identified on December 24, 2025, and immediate action was taken to contain the incident and secure its network and computer systems. Third-party cybersecurity experts were engaged to conduct a forensic investigation to determine the nature and scope of the unauthorized activity. The investigation confirmed unauthorized access to its network between December 23 and December 24, 2025. During that time, files containing sensitive data were exfiltrated from its network.

The data review is ongoing to determine the individuals and types of information involved. So as not to unduly delay notifications, QualDerm Partners is mailing notification letters to the affected individuals on a rolling basis. Data compromised in the incident varies from individual to individual, and may include names, email addresses, dates of birth/death, doctor names, medical record numbers, diagnoses, treatment information, and health insurance information. A very small subset of individuals may also have had their government-issued identification information, such as driver’s license numbers, compromised in the incident.

QualDerm Partners said it is reviewing its policies, procedures, and protocols related to data security, and while no misuse of patient data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. QualDerm Partners has yet to publicly confirm exactly how many individuals have been affected, and the incident is not yet shown on the HHS’ Office for Civil Rights breach portal. This does appear to be a significant data breach, as the Texas Attorney General has been informed that 174,837 Texas residents have been affected. Since QualDerm Partners works with dermatology practices in 17 U.S. states, the total number of affected individuals is likely to be considerably higher.

This post will be updated when further information becomes available.

The post QualDerm Partners Data Breach Affects More Than 3 Million Individuals appeared first on The HIPAA Journal.