Legal News about HIPAA Compliance

Main Line Fertility Center Settles Tracking Technology Lawsuit

Main Line Fertility Center in Pennsylvania will make cash payments to individuals whose sensitive data may have been disclosed to third parties via website tracking technologies. Like many healthcare providers, Main Line Fertility Center deployed third-party tracking tools and analytics code on its public website, including Meta Pixel. While these tools can provide valuable data to website owners, their use is problematic in healthcare due to the potential for sensitive data to be transferred to the providers of those tools. Depending on how and where these tools are deployed, they can potentially transfer personally identifiable and health information to those third parties.

In the case of Main Line Fertility Center, it was alleged to have used these tools without patients’ knowledge or consent, resulting in individually identifiable information being transferred to third parties, such as Meta. Anonymous plaintiff Jane Doe filed a lawsuit – Jane Doe v. Main Line Fertility, Ltd. – in the Court of Common Pleas of Philadelphia County, Pennsylvania, alleging the use of these tools without the knowledge or consent of patients amounted to negligence and violated the Pennsylvania Unfair Trade Practices Act. The lawsuit also asserted claims of invasion of privacy, breach of implied contract, and unjust enrichment.

Main Line Fertility Center maintains that there was no wrongdoing and filed its preliminary objections to the complaint on September 19, 2024; however, the court overruled the objections and ordered Main Line Fertility Center to file its answer to the plaintiff’s complaint, which was filed on February 6, 2024. Following substantive discovery efforts and extensive settlement discussions, Main Line Fertility Center agreed to participate in private mediation, and the material terms of a settlement were agreed upon. The full terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court.

Similar to several other pixel-related settlements in recent months, class members will be provided with a cash payment and membership to a Privacy Shield Pro product. Class members wishing to submit a claim can elect to receive a one-time cash payment of $35, and if they submit a valid and timely claim, they will receive a code to enroll in the Privacy Shield Pro product. Main Line Fertility Center has also agreed to pay attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives.

The deadline for opting out of and objecting to the settlement is December 1, 2025, and claims must be submitted by December 29, 2025. The final fairness hearing has been scheduled for January 6, 2026.

The post Main Line Fertility Center Settles Tracking Technology Lawsuit appeared first on The HIPAA Journal.

Rancho Family Medical Group Agrees to Pay $315K to Settle Data Breach Litigation

Rancho Family Medical Group, a primary care medical group serving patients in Southern California, has agreed to pay $315,000 to settle class action litigation stemming from a 2023 data breach that exposed patients’ protected health information.

Rancho FMG was notified on January 11, 2024, about a security incident at its vendor KMJ Health Solutions. KMJ provided the medical group with online signout and charge capture systems and experienced a security incident on November 19, 2023, that exposed patient information such as names, dates of birth, medical record numbers, treatment locations, dates of services, and medical procedure codes.

The vendor was unable to determine exactly which patients had been affected or the exact types of data involved, as the impacted data had been wiped and was unrecoverable. On or around March 12, 2024, Rancho FMG notified all potentially affected patients, including current patients and patients going back ten years. Approximately 11,500 notification letters were mailed, although the HHS’ Office for Civil Rights was informed that 10,480 individuals had been affected.

Shortly after notifications were mailed, a class action lawsuit was filed in the Superior Court of California, County of Riverside, by one of the affected patients, Catrina Brannon, individually and on behalf of similarly situated individuals. The lawsuit asserted claims of violations of the California Confidentiality of Medical Information Act (CMIA) and California’s Unfair Competition Law (UCL).

Rancho FMG denies any wrongdoing and disagrees with all claims and contentions in the lawsuit. Prior to engaging in extensive motion practice, the parties agreed to mediate to avoid unnecessary legal costs, and a settlement was negotiated that was acceptable to all parties. Under the terms of the settlement, Rancho FMG will establish a $315,000 settlement fund to cover notice and administration expenses, fee awards and expenses, service awards, and benefits to the class members. All class members will receive a code to activate three years of three-bureau credit monitoring services.

In addition, class members may submit a claim for reimbursement of up to four hours of lost time remedying issues arising from the data breach at a rate of $17 per hour. Claims may also be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach, and any funds remaining in the settlement will be paid as pro rata cash payments, which will not exceed $1,000 per class member. The cash payments will depend on the number of valid claims received.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for January 28, 2026. The deadline for objection to and exclusion from the settlement is December 29, 2025, and claims must be submitted by December 29, 2025.


Trinity Health; Precision Imaging Centers Settle Class Action Data Breach Lawsuits

Trinity Health in Michigan and Precision Imaging Centers in Florida have agreed to settle class action lawsuits that alleged negligence and violations of state laws in relation to breaches of patients’ electronic protected health information.

Trinity Health Settles Litigation Stemming from Accellion FTA Data Breach

The Livonia, Michigan-based Catholic Health System, Trinity Health Corporation, and co-defendants Valley Surgical Specialists Medical Group, Inc., Daniel Evan Swartz, MD, and Rame Deme Iberdemaj, have agreed to settle class action litigation stemming from a 2021 data breach involving its secure file transfer platform, Accellion FTA.

On or around January 29, 2021, Accellion notified Trinity Health that hackers had gained access to the Accellion FTA by exploiting a zero-day vulnerability. Trinity Health used the Accellion FTA for sending secure email, and determined that the files on the Accellion FTA had likely been downloaded by an unauthorized third party. The files contained names, addresses, email addresses, dates of birth, medical record numbers, lab results, medications, claims information, Social Security numbers, and credit card information. Notification letters were sent to 18,153 California residents, who were offered one year of complimentary credit monitoring, identity theft protection, and fraud resolution services.

A class action lawsuit – Jane Doe v. Trinity Health Corporation – was filed on May 20, 2021, in the Fresno County Superior Court over the data breach, seeking damages, restitution, and injunctive relief. The lawsuit alleged that Trinity Health had failed to adequately secure patient data by failing to encrypt the data on the Accellion FTA. The lawsuit asserted claims of violations of the California Confidentiality of Medical Information Act, California Security Notification Laws, and claimed the defendants had engaged in unlawful and unfair business acts and practices, in violation of Cal. Bus. & Prof. Code §§ 17200 et seq.

Trinity Health and the other defendants deny any wrongdoing; however, they chose to settle the lawsuit rather than incur additional costs continuing with the litigation and face the uncertainty of trial and any related appeals. Class counsel and the class representative believe the settlement is fair and is in the best interests of the class members.

Trinity Health has agreed to establish a $450,000 settlement fund to pay attorneys’ fees (maximum $150,000), attorneys’ expenses (maximum $25,000), service awards (maximum $5,000), and settlement administration costs. The remainder of the fund will be used to pay benefits to the class members. Class members may submit a claim for reimbursement of documented out-of-pocket expenses due to the data breach and can claim a one-off cash payment.

Claims for reimbursement of losses are capped at $1,000 per class member, and the cash payments are anticipated to be $231 if 5% of class members submit a claim, $115 if 10% of class members submit a claim, and $11 if all class members submit a claim. The deadline for filing a claim is January 19, 2026, and the final fairness hearing has been scheduled for April 29, 2026. Individuals wishing to object to or opt out of the settlement have until December 19, 2025, to do so.

Precision Imaging Centers to Pay Up to $200,000 to Settle Data Breach Litigation

Precision Imaging Centers, a Jacksonville, Florida-based provider of MRI, PET, CT, ultrasound, and X-ray imaging services, has agreed to settle class action litigation stemming from a cybersecurity incident that was identified on November 2, 2022. Hackers breached its network and gained access to files containing the personally identifiable information (PII) and protected health information (PHI) of current and former patients, including names, dates of birth, contact information, Social Security numbers, driver’s license numbers, diagnoses, and other medical and health information. Individual notification letters were mailed to the affected individuals on or around June 27, 2023, and the data breach was reported to the Maine Attorney General as affecting 31,010 individuals.

The first class action lawsuit in response to the data breach was filed by plaintiff Lauren Boyle, which was followed by complaints by four other individuals: Philipp Groebe, Natalie Luttrell, Bijoy Shroff, Cheryl Wearing, and Paige Demaio. The lawsuits asserted overlapping claims and were consolidated in a single complaint, In Re Precision Imaging Centers Data Breach Litigation, in the Circuit Court for the Fourth Judicial Circuit in and for Duval County, Florida.

The consolidated lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and violation of the Florida Deceptive and Unfair Trade Practices Act, all of which were denied by the defendant, who maintains there was no wrongdoing or liability. The plaintiffs believe all claims are legitimate and that the data breach could have and should have been prevented had reasonable and appropriate cybersecurity measures been implemented.

Precision Imaging Centers sought to have the complaint dismissed; however, the court denied the motion with prejudice, with the plaintiffs voluntarily dropping the Florida Deceptive and Unfair Trade Practices Act violation claim. On April 17, 2025, all parties attended mediation, and an agreement in principle was reached to settle the litigation with no admission of wrongdoing. The terms of the settlement have now been finalized and given preliminary approval by the court.

Under the terms of the settlement, Precision Imaging Centers has agreed to pay up to $200,000 to settle the litigation. Class members may submit a claim for reimbursement of documented out-of-pocket ordinary expenses and attested lost time (up to 4 hours at $20 per hour) up to a maximum of $500 per class member. Class members may also submit a claim for reimbursement of extraordinary losses, including up to 8 hours of lost time at $20 per hour, capped at $5,000 per class member.

Class members who submit a valid claim are also entitled to receive two years of credit monitoring services. The settlement has been capped at $200,000, and if that total is reached, claims will be paid pro rata. Precision Imaging Centers has also agreed to implement a range of cybersecurity measures to address the causes of the cyberattack, which will be maintained for at least three years. Further, any patient who has not received services from the company for five years or more will have their Social Security numbers purged from its systems or encrypted.

The final fairness hearing has been scheduled for January 8, 2026, and the deadline for submitting a claim is January 31, 2026. Individuals who wish to object to the settlement or exclude themselves have until January 1, 2026, to do so.


Goshen Health & Hancock Health Settle Pixel Data Breach Lawsuits

Goshen Health System and Hancock Health in Indiana have agreed to settle class action lawsuits that alleged patients’ protected health information was disclosed to unauthorized third parties via website tracking technologies.

Goshen Health Hospital Data Breach Settlement

On May 23, 2023, a class action lawsuit – Kaitlin Lamarr v. Goshen Health System, Inc. d/b/a Goshen Health Hospital – was filed in the Elkhart County Superior Court, Indiana, against Goshen Health System, doing business as Goshen Health Hospital, over the use of tracking technologies on its website. The lawsuit alleged that these tools, which included Meta Pixel, disclosed patients’ personally identifiable information to Meta and other unauthorized third parties without patients’ knowledge or permission.

The lawsuit asserted claims of negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Indiana Deceptive Consumer Sales Act and the Indiana Wiretapping Act. Goshen Health Hospital denies any wrongdoing, disagrees with the claims and contentions in the lawsuit, and believes that it would have prevailed at summary judgment and/or trial; however, after considering the uncertainty, risks, and expense of proceeding with the litigation, it was more desirable and beneficial to settle the litigation. The plaintiff and class counsel believe that the settlement negotiated with the defendant is reasonable and fair and is in the best interests of the class.

The class consists of individuals who logged into the Goshen Health patient portal between January 1, 2020, and December 31, 2023. Under the terms of the settlement, class members are entitled to submit a claim for a one-off cash payment of $25, and will automatically receive a code to enroll in a Privacy Shield Pro product, which includes dark web watchlist, VPN in touch, password scan, private search functionality, password defense, digital vault, and data broker opt-out services.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 16, 2025. The deadline for submitting a claim is November 29, 2025.

Hancock Regional Hospital Data Breach Settlement

A similar lawsuit – Jennifer Fleece v. Board of Trustees of Hancock Regional Hospital – was filed against Hancock Regional Hospital in the Marion County Superior Court, Indiana, over the use of tracking technologies on its website, which were alleged to have impermissibly disclosed patients’ protected health information to Meta and other third parties without patients’ knowledge or consent.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Indiana Deceptive Consumer Sales Act. Hancock Regional Hospital maintains that there was no wrongdoing and disputes that it committed, or threatened or attempted to commit, any wrongful act, omission, or violation of law or duty alleged in the lawsuit, and while believing it had a good defense against all of the asserted claims, determined that a settlement was the best course of action. The plaintiff and class counsel believe the settlement is fair.

The settlement class consists of individuals who logged into the patient portal between January 1, 2020, and December 31, 2023. Claims may be submitted for a one-off $25 cash payment, and class members who submit a claim will receive a code to enroll in a Privacy Shield Pro product, which includes dark web watchlist, VPN in touch, password scan, private search functionality, password defense, digital vault, and data broker opt-out services. The final fairness hearing has been scheduled for December 18, 2025, and claims must be submitted by December 1, 2025.


Watson Clinic Agrees to $10 Million Data Breach Settlement

Florida’s Watson Clinic has agreed to pay $10,000,000 to settle class action litigation over a January 2024 data breach that affected 280,278 individuals. The hackers stole sensitive data, including digital images, and posted them on the dark web.

The Lakeland-based medical group serves approximately one million patients annually and employs around 1,600 team members and 350 physicians. Watson Clinic identified unauthorized access to its computer network on February 6, 2024, and the forensic investigation confirmed that hackers first gained access to its network on January 26.

The review of the exposed files confirmed that they contained the protected health information of current and former patients, including names, addresses, dates of birth, Social Security numbers, government identifiers, driver’s license numbers, financial account information, and medical information, including diagnoses, treatments, medical record numbers, and pre- and/or post-operative medically necessary images.

Watson Clinic received the results of the third-party file review in July 2024, announced the data breach in August 2024, and issued notifications to the affected individuals. Shortly thereafter, the first class action lawsuit was filed by plaintiff Charles Viviani in the U.S. District Court for the Middle District of Florida. A second class action lawsuit was filed by plaintiff David Thorpe in the same court, and the two complaints were consolidated in a single action – Viviani v. Watson Clinic, LLP. Additional notifications were mailed in February 2025 following a further investigation into the extent of the data breach.

The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and violation of the Florida Deceptive and Unfair Trade Practices Act. Watson Clinic denies all material claims and contentions in the lawsuit and charges of wrongdoing or liability. While Watson Clinic believes it has a solid defense against all claims, the litigation would likely be protracted and expensive, and any litigation has inherent risks. Therefore, the decision was made to settle the lawsuit. Class counsel believes the settlement is in the best interests of all class members.

Watson Clinic has agreed to establish a $10,000,000 settlement fund, from which attorneys’ fees and expenses, service awards for the named plaintiffs, and settlement administration and notification costs will be deducted. The benefits for class members are considerable compared to many class action settlements, including cash payments of up to $75,000 for certain class members, based on the types of digital images posted on the dark web.

Class members who had one or more digital images published on the dark web will be sent a check without having to submit a claim. The compensation amounts are detailed in the table below. Class members are only eligible to receive one of the payments below, whichever is greater.

| Type of Published Digital Image | Compensation Amount |
|---|---|
| Full face and exposed sensitive areas | $75,000 |
| Partial face and exposed sensitive areas | $40,000 |
| No face and exposed sensitive areas | $10,000 |
| Full face and partial clothing of sensitive areas | $10,000 |
| Partial face and partial clothing of sensitive areas | $7,500 |
| No face and partial clothing of sensitive areas | $5,000 |
| Non sensitive | $100 |

In addition to the one-off cash payments, class members may also submit a claim for the following benefits:

| Additional benefits (Claim required) | Maximum Amount |
|---|---|
| Reimbursement of documented, unreimbursed ordinary losses | $500 |
| Reimbursement of documented, unreimbursed extraordinary losses and attested lost time | $6,500, including up to 5 hours of lost time at $25 per hour |
| Residual cash payment | $50* |

*The residual cash payments will be paid pro rata from the settlement fund once costs and expenses have been deducted, and digital image exposure cash payments and claims for reimbursement of losses have been paid. The funds will be divided equally between the class members electing to receive a residual cash payment. The cash payment will be a maximum of $50, but may be less, depending on the number of valid claims.

The deadline for objection to and exclusion from the settlement is January 6, 2025. The deadline for submitting a claim is February 5, 2025, and the final fairness hearing has been scheduled for March 9, 2025. Further information can be found on the settlement website: https://watsondatasettlement.com/


$6.5 Million Settlement Resolves Omni Family Health Class Action Data Breach Lawsuit

Omni Family Health, a network of 39 community health centers in Kern, Kings, Tulare, and Fresno counties in California, experienced a cyberattack in 2024. A $6.5 million settlement has recently been agreed to resolve the resultant class action litigation.

Omni Family Health experienced a cyberattack in February 2024 that caused a 5-day outage of its IT systems. The cyberattack was investigated at the time; however, no evidence was found to indicate that any patient data had been compromised in the incident. On August 7, 2024, Omni Family Health was made aware that a threat actor (Hunters International) had claimed to have compromised its network and had posted data allegedly stolen in the attack on the dark web.

Omni Family Health investigated and concluded that the data was real and issued notifications to the 468,344 affected individuals, who included current and former patients and employees. Data potentially stolen in the attack included names, addresses, Social Security numbers, dates of birth, health insurance information, and medical information. The affected individuals were notified about the data breach on October 10, 2024.

The first three class action lawsuits were filed in the Eastern District of California on October 20, 2024, and subsequently, 19 separate actions were filed in the Superior Court of the State of California, Kern County. All 21 actions were consolidated into a single action first in the Eastern District of California, and were then remanded to the Superior Court on January 14, 2025, with the case Pace v. Omni Family Health designated as the lead case.

Omni Family Health denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. Despite believing that it had good defenses to all of the claims, Omni Family Health moved to settle the litigation to avoid the time, expense, risk, exposure, inconvenience, and uncertainty of a trial and related appeals. Class counsel evaluated the costs, risks, and uncertainty of continuing with the litigation, and based on an analysis of comparable settlements, determined that the settlement was in the best interests of all class members. The settlement has recently been granted preliminary approval by the court, and the final fairness hearing has been scheduled for February 26, 2026.

Omni Family Health has agreed to establish a $6,500,000 settlement fund, from which attorneys’ fees and expenses (approximately $2.2 million), class representative awards ($1,500 per named plaintiff, totaling $30,000), and settlement notification and administration costs will be deducted. The remainder of the settlement will be used to pay benefits to the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a pro rata cash payment, which has been calculated to be $105.56 per class member based on a 4% claim rate. All class members are also entitled to claim two years of single-bureau credit monitoring and identity theft protection services, and members of the California resident subclass may claim an additional pro rata cash payment of $100. The cash payments may be adjusted based on the number of valid claims received, and will be calculated after credit monitoring costs have been deducted from the settlement fund.

Omni Family Health has also agreed to implement changes to its business practices and make several security enhancements to prevent similar incidents in the future. The cost of those security enhancements will not be paid from the settlement fund. Individuals wishing to object to the settlement or exclude themselves have until December 5, 2025, to do so, and claims must be submitted by January 5, 2026.


CarePro to Pay $1.3 Million to Settle Class Action Data Breach Lawsuit

The Iowa-based healthcare company, CarePro Health Services, has agreed to pay $1.3 million to settle class action litigation stemming from a November 2023 cyberattack and data breach affecting up to 151,499 individuals.

The cyberattack that triggered the lawsuit was first identified by CarePro on November 16, 2023. Unauthorized individuals remotely accessed a system where unencrypted patient data was stored. Files containing patients’ protected health information were exfiltrated from the network before the intrusion was detected and blocked. Data compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial account information, and medical/health information. The affected individuals were offered complimentary credit monitoring and identity theft protection services.

A lawsuit was filed shortly after notifications were mailed to the affected individuals by CarePro patient Brandi Bell, individually and on behalf of similarly situated individuals. The lawsuit was soon followed by another complaint filed by Brandie Keegan, individually and on behalf of her minor child, and similarly situated individuals. The lawsuits were consolidated into a single complaint – Bell et al. v. C.R. Pharmacy Services, Inc. d/b/a CarePro Health Services – in the Iowa District Court for Linn County.

The lawsuit claimed that the plaintiffs suffered concrete injuries as a direct result of the data breach, including invasion of privacy, lost or diminished value of private information, lost time and opportunity costs, and loss of benefit of the bargain. The plaintiffs’ and class members’ personal and protected health information remain in the hands of cybercriminals, placing them at an increased risk of identity theft and fraud for years to come.

The plaintiffs claim that the data breach could have and should have been prevented, as the defendant failed to implement adequate and reasonable cybersecurity measures to protect patient data, recklessly maintaining patient information. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, breach of fiduciary duty, breach of confidence, unjust enrichment, invasion of privacy-intrusion upon seclusion, and violations of the Iowa Consumer Fraud Act and Iowa Personal Information Security Breach Protection Act.

CarePro denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. All parties agreed that further litigation, a trial, and any related appeals would likely be protracted and expensive and involve risks and uncertainties for all parties, so the decision was taken to settle the litigation. It took several months of negotiations; however, a settlement has been agreed upon that is acceptable to all parties.

The settlement includes three benefits for class members, which will be paid for from a $1,300,000 settlement fund after attorneys’ fees and expenses, class representative service awards, and settlement administration costs have been deducted.

A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. In addition to or instead of a claim for reimbursement of losses, class members may claim a pro rata cash payment, which is expected to be $100 per class member. The cash payment will be adjusted upwards or downwards depending on the number of valid claims received.

All class members are also entitled to claim two years of three-bureau credit monitoring, dark web monitoring, and identity theft protection services. The cost of the credit monitoring services will be deducted from the settlement fund before the cash payments are calculated. The deadline for exclusion from and opting out of the settlement is December 3, 2025. Claims must be submitted by December 3, 2025, and the final fairness hearing has been scheduled for January 23, 2025.


Discovery Practice Management Settle Lawsuit Over 2020 Data Breach

Discovery Practice Management, a California-based healthcare provider, has agreed to settle a class action lawsuit stemming from a June 2020 breach of its email environment. An unauthorized third party accessed employee email accounts between June 22, 2020, and June 26, 2020, and obtained sensitive information relating to patients of the Authentic Recovery Center and Cliffside Malibu facilities in California. The data breach was reported to the HHS’ Office for Civil Rights as affecting up to 12,859 individuals.

Data potentially compromised in the incident included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license numbers, and clinical information, such as diagnosis, treatment information, and prescription information. It took almost a year for the emails to be reviewed and notification letters to be issued to the affected individuals.

In February 2021, a class action lawsuit – JeanPaul Magallanes, et al v. Discovery Practice Management, Inc. – was filed by JeanPaul Magallanes in response to the data breach. The lawsuit alleged that Discovery Practice Management failed to implement appropriate measures to safeguard sensitive data stored on its network, then failed to issue adequate and timely notification letters when its email environment was compromised.

The alleged cybersecurity failures included insufficient monitoring of inbound emails, insufficient training of its workforce on email-based threats, and the failure to encrypt a data server that became accessible to unauthorized individuals who compromised two employee email accounts. Despite the significant risk to the affected patients, it took 335 days from the date of discovery to issue notification letters, which the lawsuit claims violated HIPAA and the California Consumer Records Act.

The lawsuit claims the actions of the defendant violated the California Confidentiality of Medical Information Act, California Unfair Competition Law, and the California Consumer Records Act. All parties agreed to engage in settlement discussions to avoid the cost and risk of a trial, and a settlement has been agreed upon with no admission of wrongdoing by Discovery Practice Management. The settlement has recently been granted preliminary approval by Judge Glenda Sanders of the Superior Court of the State of California, for the County of Orange.

Under the terms of the settlement, all class members are entitled to claim a three-year membership to CyEx’s Identity Defense Total Service, and must enroll by December 9, 2025. In addition, claims may be submitted for reimbursement of documented, unreimbursed ordinary and extraordinary losses caused by the data breach. Claims for reimbursement of ordinary losses are capped at $250 per class member, and claims for reimbursement of extraordinary losses are capped at $1,000 per class member.

The deadline for objecting to the settlement, requesting exclusion from the settlement, and submitting a claim is November 24, 2025. The final fairness hearing has been scheduled for February 5, 2026.

The post Discovery Practice Management Settle Lawsuit Over 2020 Data Breach appeared first on The HIPAA Journal.

Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies

Data breaches have recently been identified by Sun Valley Surgery Center in Nevada and American Associated Pharmacies in Alabama.

Sun Valley Surgery Center

Sun Valley Surgery Center in North Las Vegas, Nevada, has identified unauthorized access to its computer network. Anomalous activity was identified within its information systems on September 3, 2025. The forensic investigation confirmed that an unauthorized third party accessed parts of its network where sensitive patient information was stored.

Data potentially compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license/state-issued identification numbers, passport/other government identification numbers, and health information such as health histories, diagnosis/treatment information, explanation of benefits, health insurance information, and/or MRN numbers/patient identification numbers. Sun Valley Surgery Center has implemented additional safeguards and technical security measures to prevent similar incidents in the future. Approximately 27,000 individuals were potentially affected.

American Associated Pharmacies

One of the largest independent pharmacy organizations in the United States has recently fallen victim to a ransomware attack that resulted in the encryption of data on its systems. Scottsboro, AL-based American Associated Pharmacies (AAP) identified suspicious activity, including file encryption, within its computer network on October 23, 2024. Immediate action was taken to contain and mitigate the incident, including shutting down all affected systems and changing passwords to prevent further unauthorized access. The forensic investigation confirmed that initial access occurred on October 13, 2024, ten days prior to the attack.

Assisted by third-party cybersecurity professionals, AAP determined that before file encryption, the attackers exfiltrated files from its network. The review of those files has recently been completed, and individual notifications are now being mailed to the affected individuals. Data compromised in the incident varies from individual to individual and may include names, addresses, birth dates, Social Security numbers, passport numbers, driver’s license number/other government-issued identification numbers, bank/financial account numbers/routing numbers, clinical/treatment information, medical information, provider names, medical record numbers, health insurance information, prescription information and/or usernames and passwords.

Several steps have been taken to augment security to prevent similar incidents in the future, including implementing further monitoring tools and expanding the use of multifactor authentication. The affected individuals have been advised to monitor their free credit reports, account statements, and explanation of benefits statements for suspicious activity. Credit monitoring and identity theft protection services have been offered to certain individuals, according to the notification sent to the Maine Attorney General. That notification indicates 8,032 individuals have been affected, including 25 Maine residents.

The post Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies appeared first on The HIPAA Journal.