Business Associate Data Breach Affects 87 Skilled Nursing Facilities

Fundamental Administrative Services, LLC, a healthcare management services company in Sparks, Maryland, that manages more than 85 skilled nursing facilities and rehabilitation centers in Indiana, Maryland, Nevada, New Mexico, South Carolina, Texas, and Wisconsin, has confirmed that the protected health information of 56,235 individuals has potentially been compromised in a cyberattack.

Suspicious network activity was identified on or around January 13, 2025, and immediate action was taken to secure its systems and contain the incident. A forensic investigation was launched to determine the nature and scope of the activity, which confirmed unauthorized access to its network for around two and a half months from October 27, 2024, to January 13, 2025. During that time, files were exfiltrated from the network that contained HIPAA-protected data.

The file review confirmed that the information compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, financial account information, medical treatment information, health insurance information, and Medicare/Medicaid plan names. Fundamental Administrative Services said it is reviewing its policies, procedures, and processes related to the storage of and access to information.

The data breach was initially reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals, but has been updated now that the file review has concluded. The skilled nursing facilities and rehabilitation centers affected by the incident are listed in the table below:

Affected Facilities

Alamo Heights Health and Rehabilitation Center | Harmon Hospital | Restore Health Rehabilitation Center
Allegany Health Nursing and Rehabilitation | Hearthstone of Northern Nevada | Retama Manor Nursing Center/Victoria South
BellTower Health & Rehabilitation Center | Hillside Heights Rehabilitation Suites | Riverside Health and Rehab
Bennettsville Health & Rehabilitation Center | Horizon Health & Rehab Center | San Gabriel Rehabilitation and Care Center
Berlin Nursing and Rehabilitation Center | Horizon Specialty Hospital of Henderson | Sandy Lake Rehabilitation and Care Center
Bremond Nursing and Rehabilitation Center | Horizon Specialty Hospital of Las Vegas | Sedona Trace Health and Wellness
Bridgecrest Rehabilitation Suites | Julia Manor Nursing and Rehabilitation Center | Sierra Ridge Health and Wellness Suites
Brownfield Rehabilitation and Care Center | Kirkland Court Health and Rehabilitation Center | Solidago Health and Rehabilitation
Calhoun Convalescent Center | Lake Emory Post Acute Care | Southpointe Healthcare and Rehabilitation
Canton Oaks | Lancaster Health and Rehabilitation | Spanish Hills Wellness Suites
Casa Arena Blanca Nursing Center | Las Brisas Rehabilitation and Wellness Suites | Spanish Trails Rehabilitation Suites
Casa Maria Health Care Center and Pecos Valley Rehabilitation Suites | Las Ventanas de Socorro | St. George Healthcare Center
Cedar Pointe Health and Wellness Suites | Los Arcos del Norte Care Center | Sterling Oaks Rehabilitation
Central Desert Behavioral Health Hospital | Magnolia Manor of Greenville | Sunset Villa Care Center
College Park Rehabilitation Center | Magnolia Manor of Greenwood | Terra Bella Health and Wellness Suites
Corinth Rehabilitation Suites on the Parkway | Magnolia Manor of Inman | The Brazos of Waco
Courtyards at Pasadena | Magnolia Manor of Rock Hill | The Casitas at Las Brisas ALF
Creekside Terrace Rehabilitation | Magnolia Manor of Spartanburg | The Hillcrest of North Dallas
Crimson Heights Health & Wellness ALF | Meadowbrook Care Center | The Pavilion at Creekwood
Crimson Heights Health and Wellness | Midlands Behavioral Health Hospital | The Pavilion at Glacier Valley
Crosbyton Nursing and Rehabilitation Center | Midlands Health & Rehabilitation Center | The Terrace at Denison
Devlin Manor Nursing and Rehabilitation Center | Mira Vista Court | The Village at Richardson
Edgewood Rehabilitation and Care Center | Monarch Pavilion Rehabilitation Suites | Valley Falls Terrace
Fairfield Nursing and Rehabilitation Center | Moran Nursing and Rehabilitation Center | Villa Haven Health and Rehabilitation Center
Falcon Ridge Rehabilitation | North Las Vegas Care Center | Villa Rosa Nursing and Rehabilitation
Forest Haven Nursing and Rehabilitation Center | Northampton Manor Nursing and Rehabilitation Center | Willow Springs Health & Rehabilitation Center
Founders Plaza Nursing & Rehab | Oakbrook Health and Rehabilitation Center | Woodlands Place Rehabilitation Suites
Fruitvale Healthcare Center | Oakland Nursing and Rehabilitation Center |
Green Valley Health and Wellness Suites | Physical Rehabilitation and Wellness Center of Spartanburg |
Hallmark Healthcare Center | Rehab Center of Cheraw |

The post Business Associate Data Breach Affects 87 Skilled Nursing Facilities appeared first on The HIPAA Journal.

Cyberattack on Medical Equipment Provider Affects 90,000 Patients

Data breaches have been announced by medical equipment provider CPAP Medical Supplies and Services, a Miracle Ear franchisee, and a 20-bed critical access hospital in Washington State.

CPAP Medical Supplies and Services Inc.

CPAP Medical Supplies and Services Inc. (CPAP Medical) has announced a major data breach, potentially involving unauthorized access to the personal and protected health information of up to 90,133 patients. CPAP Medical is a Jacksonville, FL-based medical equipment provider that specializes in sleep therapy products for military families and active duty/retired service members. According to the breach notice provided to the Maine Attorney General, hackers had access to its network between December 13, 2024, and December 21, 2024, and files containing sensitive data may have been viewed or exfiltrated from its network.

After securing its systems, a forensic investigation was conducted, followed by a document review to determine the types of data involved and the individuals affected. The document review was complex and took until June 27, 2025, to complete, when it was confirmed that the compromised data included full names, dates of birth, Social Security numbers, financial and banking information, medical information, and health insurance information. CPAP Medical is unaware of any misuse of patient data as a result of the incident; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Health Services LLC (Miracle Ear)

Health Services LLC has started notifying individuals affected by a security incident that was identified on or around January 28, 2025. Suspicious network activity was detected, and the forensic investigation confirmed that an unauthorized actor had breached its security defenses and had access to its network between January 2, 2025, and January 28, 2025.

Health Services LLC operates a franchise of Miracle Ear, and the data relates to individuals who interacted with the company concerning hearing aid products. On or around May 14, 2025, the data review was completed, and confirmed that the exposed data included full names, phone numbers, email addresses, postal addresses, dates of birth, patient ID numbers, Social Security numbers, health insurance information, and diagnosis and treatment information.

The data breach was initially reported to the HHS’ Office for Civil Rights in April as an incident affecting 2,400 individuals; however, the breach portal has since been updated to 75,906 affected individuals.

East Adams Rural Healthcare

East Adams Rural Healthcare, the operator of a 20-bed critical access hospital in Ritzville, Washington, has recently notified the Washington State Attorney General about a data breach that has affected 8,896 state residents. Suspicious network activity was identified on September 12, 2024, and an investigation was launched to determine the cause of the activity.

Forensic evidence was found to indicate its network had been accessed by an unauthorized third party between September 7, 2024, and September 14, 2024, and patient data may have been viewed or acquired. East Adams Rural Healthcare published a substitute notice on its website about the incident on October 4, 2025; however, at the time, the investigation and data review were ongoing, so it was not possible to confirm how many individuals were affected or the specific information involved.

The file review has now been completed, and it has been confirmed that the compromised information included names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information. No evidence has been found to indicate that any patient data has been misused; however, as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.


Patient Data Lost in Ransomware Attack on EHR Vendor

The electronic medical record vendor MDLand International Corporation has fallen victim to a ransomware attack that resulted in the encryption of some of its computer systems. The ransomware attack was detected on May 2, 2025, when certain systems became inaccessible. Immediate action was taken to isolate its network, and a forensic investigation was launched with the assistance of third-party cybersecurity specialists.

The forensic investigation confirmed that an unknown actor encrypted a limited number of MDLand’s systems on May 1, 2025, and may have gained access to patient information stored in one specific database on its network. There was no unauthorized access to the networks or systems of its clients, and no evidence was found to indicate any information in the impacted database was viewed or exfiltrated in the attack, although unauthorized data access and data theft could not be ruled out.

Certain data was encrypted and rendered inaccessible. It was possible to restore some of the impacted data; however, despite MDLand’s best efforts, some records could not be recovered or recreated. Those records related to the period from April 1, 2025, to May 1, 2025. Data input into patients’ medical records during that time has been lost, including patient names, treatment plan information, and providers’ notes about patients.

The impacted database includes the following data elements: name, date of birth, gender, marital status, address, phone number, and prescription information. Financial account information, Social Security numbers, and health benefits information were not involved.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 22,586 individuals. Additional security measures have been implemented, and security policies and procedures are being reviewed to identify any areas for improvement. At the time of issuing notifications, no evidence of misuse of patient data had been identified; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.


Insider Breaches Identified by Three Healthcare Providers

Three insider incidents have recently been identified by healthcare providers in Florida, Massachusetts, and Indiana, including one privacy breach that has been ongoing for more than two and a half years.

University of Miami Health System

University of Miami Health System (UMHS) is notifying almost 3,000 patients about an insider data breach that has been ongoing for more than two and a half years. In June 2025, UMHS discovered that an employee had been accessing the medical records of patients when there was no legitimate business or clinical reason for doing so.

The review of access logs showed the unauthorized access started in September 2022 and continued until May 2025. Under HIPAA, medical records may only be accessed by employees for reasons related to treatment, payment for healthcare, and healthcare operations. If unauthorized medical record access is identified, individuals face sanctions; in this case, the sanction was termination of employment. UMHS is also collaborating with law enforcement over the incident.

The former employee did not have the necessary access rights to view financial information or Social Security numbers, but was able to view patient information such as names, dates of birth, medical record numbers, provider names, diagnosis/condition information, insurance information, and vaccination status. In total, the medical records of 2,928 patients were accessed over the space of more than two and a half years.

The affected individuals are being notified by Kroll and are being offered complimentary credit monitoring and identity theft protection services. UMHS is also enhancing its security measures and practices to better safeguard patient data.

Berkshire Health Systems

Berkshire Health Systems (BHS) in Massachusetts has discovered that an employee has been accessing patients’ medical records without authorization. An investigation was launched after BHS received a report about an employee potentially accessing patients’ medical records without a legitimate work reason for doing so. The privacy team immediately launched an investigation, which involved a review of access logs.

The access logs confirmed there had been unauthorized access to patient records, but no evidence was found to indicate any of the information in those records was downloaded, printed, or copied. BHS believes the employee was acting independently, with no other individuals involved. The employee was interviewed and denied disclosing any patient information to other individuals and was terminated for the HIPAA violation.

BHS said it has optimized its privacy monitoring software to help prevent further incidents of this nature in the future, and wrote to the affected patients on August 12, 2025, informing them about the privacy breach. The former employee only had limited access to patient data and could not view highly sensitive information such as financial information, health insurance information, or Social Security numbers. Information potentially viewed includes patient names, dates of birth, medical record numbers, diagnoses, and visit notes. BHS has not publicly disclosed how many individuals were affected, and the incident is not currently shown on the HHS’ Office for Civil Rights breach portal.

Life in Motion Family Wellness Center

Life in Motion Family Wellness Center in Evansville, Indiana, has discovered that patient data has been provided to a local physician and used to try to solicit business. The data breach occurred on July 22, 2025, and involved an individual who had previously rented office space in the center. That individual obtained a list of patient names, addresses, telephone numbers, and dates of birth, which she provided to the physician for marketing purposes.

The HHS’ Office for Civil Rights has been notified, law enforcement has been informed, and individual notification letters have been sent to the affected patients. Steps have also been taken to prevent similar incidents in the future, including reviewing system access and adding new layers of protection.
