Data Breaches Announced by Heritage Communities & Metrocare Services

Posted by Steve Alder

The senior living company Heritage Communities and the Dallas mental health care company Metrocare Services have announced security incidents that exposed sensitive patient data.

Heritage Communities, Nebraska

Heritage Communities, a senior living company based in Omaha, Nebraska, has recently announced a breach of the personal and protected health information of current and former residents. The data breach affected the company Heritage Holdings LP, a business associate of Heritage Communities, Orchard Pointe, and OnCare Health. On or around September 16, 2025, a network intrusion was identified, and third-party cybersecurity experts were engaged to investigate the incident. The investigation confirmed that an unauthorized actor gained access to its network and a limited amount of protected health information. The forensic investigation could not rule out the possibility that sensitive data was exfiltrated from its network.

The review of the affected data confirmed that a range of data types were exposed, including first and last names, Social Security numbers, driver’s license numbers, bank account information, credit card information, dates of birth, addresses, phone numbers, email addresses, medication information, healthcare diagnosis information, test results, and healthcare provider information. The types of information involved varied from individual to individual.

Additional security measures have been implemented in response to the data breach, and data security policies and procedures are being reviewed. While no misuse of the affected data has been identified, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements. The Worldleaks threat group claimed responsibility for the attack and added Heritage Communities to its dark web data leak site. If the claim is genuine, it suggests that a ransom demand was issued that was not paid.

Metrocare Services, Texas

Metrocare Services, a Dallas, TX-based provider of mental health services to individuals in North Texas, has identified an impermissible disclosure of patient information. On September 9, 2025, an employee sent an encrypted email from their work account to a personal email account, and the email was later shared on an unauthorized network. The investigation confirmed that the encrypted email contained the protected health information of approximately 8,600 patients, including names, medical record numbers, appointment times, doctors’ names, dates of service, and duration and costs of service.

Metrocare Services said it worked with the employee to ensure that the email was deleted from their personal email account, including the trash folder, and said no evidence was found to indicate that the data was further shared  or was accessed by anyone other than the employee who was authorized to access the information.

The post Data Breaches Announced by Heritage Communities & Metrocare Services appeared first on The HIPAA Journal.

North Kansas City Hospital Patients Affected by Cerner Hacking Incident

Posted by Steve Alder

North Kansas City Hospital has notified patients about a January 2025 data breach at its EHR vendor Cerner. Data breaches have also been announced by Shasta County Health and Human Services and OncoHealth in Georgia.

North Kansas City Hospital, Missouri

North Kansas City (NKC) Hospital in Missouri issued a substitute breach notice on November 25, 2025, announcing a data breach at its electronic medical record (EHR) vendor. A hacker gained access to a legacy Cerner (now Oracle Health) server that was awaiting migration to the Oracle Cloud infrastructure. According to Oracle Health, the hacker gained access to the server as early as January 22, 2025, and exfiltrated data, including the personal health information of NKC Hospital patients. NKC Hospital stressed that none of its own systems were compromised in the incident, as the breach was limited to two legacy Cerner servers.

The HIPAA Journal first reported on the Oracle Health data breach in March 2025, and in the months following the announcement, several healthcare providers have issued notifications confirming that they have been affected. The NKC Hospital breach notice does not state when Oracle Health confirmed that NKC Hospital had been affected. NKC Hospital said it requested the information required to issue notifications as soon as it learned that it had been affected, and said notifications were delayed at the request of law enforcement and were issued by NKC Hospital as quickly as possible.

Oracle Health said the data compromised in the incident included names, dates of birth, and Cerner patient identifiers, and potentially also information contained in electronic medical records, such as medical record numbers, doctors’ names, diagnoses, medications, test results, medical images, and care/treatment information. The HHS’ Office for Civil Rights breach portal does not currently list the data breach, so it is unclear how many NKC Hospital patients were affected.

Shasta County Health and Human Services

Officials at the Department of Health and Human Services for Shasta County in California have announced an insider data breach that has affected approximately 164 clients. Unauthorized access to the protected health information of patients was detected on September 30, 2025. The investigation confirmed that a former employee had accessed patient information without authorization.

Data potentially accessed included names, dates of birth, chart numbers, health plan information, County Administrative Office search name, diagnoses/conditions, medications, treatment authorizations, and requests related to Mental Health Behavioral Services. The notice does not state the reason for the unauthorized access or whether any information was copied or has been further disclosed. Shasta County said the investigation is ongoing, and any misuse of patient data will be reported to law enforcement

OncoHealth, Georgia

OncoHealth (formerly Oncology Analytics Inc.), an Atlanta, GA-based oncology-focused virtual medical group that partners with Humana Inc. for medical oncology prior authorizations, has announced a data breach that resulted in an impermissible disclosure of protected health information. As a result of a phishing attempt on the Zendesk customer service system, a fraudulent Zendesk account was created. The email address for the account was mistakenly included in a distribution sent to Humana Inc. that included a file containing the protected health information of 39 individuals.

The file contained personal and health information, including first and last names, birth dates, Humana identification numbers, and authorization numbers. OncoHealth said it has found no evidence of misuse of the disclosed information. Steps have been taken to improve internal security controls, and additional security awareness training has been provided to the workforce.

The post North Kansas City Hospital Patients Affected by Cerner Hacking Incident appeared first on The HIPAA Journal.

Rancho Family Medical Group Agrees to Pay $315K to Settle Data Breach Litigation

Posted by Steve Alder

Rancho Family Medical Group, a primary care medical group serving patients in Southern California, has agreed to pay $315,000 to settle class action litigation stemming from a 2023 data breach that exposed patients’ protected health information.

Rancho FMG was notified on January 11, 2024, about a security incident at its vendor KMJ Health Solutions. KMJ provided the medical group with online signout and charge capture systems and experienced a security incident on November 19, 2023, that exposed patient information such as names, dates of birth, medical record numbers, treatment locations, dates of services, and medical procedure codes.

The vendor was unable to determine exactly which patients had been affected or the exact types of data involved, as the impacted data had been wiped and was unrecoverable. On or around March 12, 2024, Rancho FMG notified all potentially affected patients, including current patients and patients going back ten years. Approximately 11,500 notification letters were mailed, although the HHS’ Office for Civil Rights was informed that 10,480 individuals had been affected.

Shortly after notifications were mailed, a class action lawsuit was filed in the Superior Court of California, County of Riverside, by one of the affected patients, Catrina Brannon, individually and on behalf of similarly situated individuals. The lawsuit asserted claims of violations of the California Confidentiality of Medical Information Act (CMIA) and California’s Unfair Competition Law (UCL).

Rancho FMG denies any wrongdoing and disagrees with all claims and contentions in the lawsuit. Prior to engaging in extensive motion practice, the parties agreed to mediate to avoid unnecessary legal costs, and a settlement was negotiated that was acceptable to all parties. Under the terms of the settlement, Rancho FMG will establish a $315,000 settlement fund to cover notice and administration expenses, fee awards and expenses, service awards, and benefits to the class members. All class members will receive a code to activate three years of three-bureau credit monitoring services.

In addition, class members may submit a claim for reimbursement of up to four hours of lost time remedying issues arising from the data breach at a rate of $17 per hour. Claims may also be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach, and any funds remaining in the settlement will be paid as a pro rata cash payments, which will not exceed $1,000 per class member. The cash payments will depend on the number of valid claims received.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for January 28, 2026. The deadline for objection to and exclusion from the settlement is December 29, 2025, and claims must be submitted by December 29, 2025.

The post Rancho Family Medical Group Agrees to Pay $315K to Settle Data Breach Litigation appeared first on The HIPAA Journal.

Rockhill Women’s Care & Harbor Regional Center Announced Data Breaches

Posted by Steve Alder

Data breaches have recently been announced by the OB/GYN practice Rockhill Women’s Care and Harbor Regional Center, a California provider of services to individuals with developmental disabilities.

Rockhill Women’s Care

Rockhill Women’s Care, an OB/GYN practice with locations in Overland Park in Kansas and Lees Summit in Missouri, has experienced a significant data breach, involving unauthorized access to the electronic protected health information of up to 70,129 patients.

While it is unclear from the notification letters exactly when its network was first compromised, the intrusion was detected on February 26, 2025. Third-party cybersecurity experts were engaged to investigate the intrusion, and law enforcement was notified. The investigation confirmed that patient information had been exposed and may have been exfiltrated. The data mining exercise to determine the exact types of data involved and the individuals affected was completed on August 13, 2025.

The types of data involved vary from individual to individual and include names in combination with one or more of the following: address, date of birth, Social Security number, medical treatment information, and/or health insurance information. After verifying the results and contact information, individual notification letters started to be mailed to the affected individuals on or around September 30, 2025. At the time of issuing notification letters, Rockhill Women’s Care was unaware of any misuse of the exposed data. Rockhill Women’s Care said patient privacy is taken very seriously, and steps have been taken to enhance its security measures to prevent similar incidents from occurring in the future.

Harbor Regional Center

Harbor Regional Center, a nonprofit organization that works with the California Department of Developmental Services to provide services to more than 20,000 adults and children with developmental disabilities in the South Bay, Harbor, Long Beach, and the southeast areas of Los Angeles County, has recently announced a security incident involving unauthorized access to an employee’s email account.

The email account breach was identified on September 2, 2025, and an investigation was launched to determine the nature and scope of the activity. On September 29, 2025, it was determined that a limited amount of protected health information was exposed and may have been obtained by an unauthorized third party.

The types of data involved vary from individual to individual and may include names in combination with one or more of the following: address, date of birth, Social Security number, medical record number, patient ID or account number, Medicare/Medicaid number, health insurance information, medical diagnosis and treatment information, medical history, prescription information, medical lab or test result, treatment location, treatment date, and provider name.

Harbor Regional Center has not identified any misuse of the exposed information; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Harbor Regional Center said it has implemented additional security measures and is reviewing its data policies and procedures. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Rockhill Women’s Care & Harbor Regional Center Announced Data Breaches appeared first on The HIPAA Journal.

VITAS Hospice Services Discovers Month-Long Network Intrusion

Posted by Steve Alder

VITAS Hospice Services, LLC, the largest for-profit hospice chain in the United States, has notified the California and Texas attorneys general about a data security incident that exposed sensitive patient data. An unauthorized individual compromised an account used by one of its vendors, and through that account was able to access certain Vitas systems.

The security breach was identified on October 24, 2025, and the forensic investigation determined that there was unauthorized access to its systems for more than a month between September 21, 2025, and October 27, 2025. During that time, the unauthorized third party was able to view and download the personal information of current and former Vitas patients.

Vitas has been working with a third-party cybersecurity firm to investigate the cause of the breach and has taken steps to strengthen vendor oversight and improve its data protection protocols. At the time of issuing notifications to the affected individuals, Vitas was unaware of any misuse of the exposed data; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.

Data compromised in the incident varies from individual to individual and may include names in combination with some or all of the following: address, phone number, date of birth, Social Security number, driver’s license number, next of kin contact information including name, phone number and email address, diagnosis, medications, lab results, conditions, treatment information, health insurance information, and other personal information.

It is currently unclear exactly how many individuals have been affected, as neither the California nor Texas attorneys general publish figures for the total size of the data breach. The Texas Attorney General was told that 5,633 individuals in the state were affected by the breach. The HIPAA Journal has not found any further attorney general notifications at the time of writing, but the breach could be more expansive, as the company has locations in 15 U.S. states.

The post VITAS Hospice Services Discovers Month-Long Network Intrusion appeared first on The HIPAA Journal.