Two mental healthcare providers have recently announced cybersecurity incidents that exposed patient data: Eleos Wellness in Florida and Clinica Family Health & Wellness in Colorado.

Eleos Wellness, Florida

Eleos Wellness, a Pinellas Park, FL-based provider of mental health services, has recently announced a data security incident that potentially involved unauthorized access to client information. Unauthorized network activity was detected on June 11, 2025, and third-party cybersecurity experts were engaged to investigate the activity. The investigation is ongoing; however, it has been confirmed that an unauthorized third party had access to names, addresses, dates of birth, Social Security numbers, and health insurance information. No evidence has been found to indicate that its electronic medical record system was involved.

No fraudulent activity related to the incident has been identified; however, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their personal accounts and explanation of benefits statements. Eleos Wellness has confirmed that steps are being taken to improve security to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Clinica Family Health & Wellness, Colorado

Clinica Family Health & Wellness, a Colorado-based network of mental health clinics, has announced a security breach affecting the Mental Health Partners environment. An intrusion was identified and rapidly contained on March 25, 2025, and third-party cybersecurity experts were engaged to investigate the nature and scope of the unauthorized activity.

No evidence was found to indicate that any data was removed from its network; however, it is possible that patient data may have been accessed. Clinica Family Health & Wellness said a comprehensive and thorough investigation is ongoing, and it has yet to be determined exactly how many individuals have been affected or the types of information involved. Notification letters will be mailed to the affected individuals when the review is concluded.

The post Data Breaches Announced by Florida & Colorado Mental Health Clinics appeared first on The HIPAA Journal.

Think Big Health Care Solutions, a Florida-based practice management company, and Minnesota Epilepsy Group have recently confirmed cyberattacks and data breaches. Ransomware groups have claimed responsibility for attacks on Emerson Chiropractic in Indiana and El Paso Quality Dentistry in Texas.

Think Big Health Care Solutions, Florida

Think Big Health Care Solutions, a Wellington, FL-based practice management company that provides billing, contracting, and credentialing services to medical practices, has identified unauthorized access to an employee’s email account. Suspicious activity within the account was identified on June 20, 2025, and third-party cybersecurity specialists were engaged to investigate the incident.

Evidence was found that suggested some emails and files in the account had been accessed by an unauthorized third party. A review was conducted to determine the types of information involved and the individuals affected, and notification letters will be mailed to those individuals when that process has been completed. Think Big Health Care Solutions has confirmed that the account contained information such as first names, initials, and last names, addresses, telephone/fax numbers, email addresses, dates of birth, Social Security numbers, tax identification numbers, passport numbers, admission dates, health insurance policy numbers, bank/financial account numbers and routing numbers, credit/debit card information, diagnoses/conditions, lab results, medications, claims information, medical record numbers, other medical/health information, CPT codes, and referring provider names.

Additional technical and administrative measures have been implemented to prevent similar incidents in the future, and enhanced training is being provided to the workforce on phishing detection, secure data handling, and incident response procedures.

Minnesota Epilepsy Group

Roseville, MN-based Minnesota Epilepsy Group (MEG) has experienced a cybersecurity incident that affected certain systems within its network and caused some disruption to business operations. According to the April 25, 2025, substitute breach notice, MEG identified the incident on February 27, 2025. Immediate action was taken to secure its systems, and third-party cybersecurity experts were engaged to investigate to determine the nature and scope of the unauthorized activity. The investigation is ongoing, but it has been confirmed that client and employee data were exposed in the incident.

The exact types of data involved have yet to be confirmed, but likely include individuals’ names, addresses, dates of birth, medical record numbers, EEG summaries, neuropsychology reports, medication records, and health insurance information. No evidence of misuse of that information has been identified to date; however, the affected individuals have been advised to remain vigilant and should review their financial account statements for signs of fraudulent activity. MEG said it continually evaluates and modifies its practices to enhance privacy and security and is taking steps to augment existing cybersecurity measures to prevent similar incidents in the future.

Ransomware Groups Claim Responsibility for Attacks on Two Healthcare Providers

Ransomware groups have recently claimed responsibility for attacks on two healthcare providers, Emerson Chiropractic in Indiana and El Paso Quality Dentistry in Texas. The Dragonforce ransomware group claims to have stolen 96 GB of data from Emerson Chiropractic, which provides chiropractic services to individuals in the Southside of Indianapolis. Stolen data has been published on the data leak site, indicating the ransom was not paid.

The Beast ransomware group has added El Paso Quality Dentistry to its data leak site and claims to have stolen approximately 700 GB of data. Screenshots have been uploaded to the data leak site, indicating a broad range of data has been stolen, with some folder names suggesting patient data was involved. Currently, the stolen data has not been leaked. Neither healthcare provider has publicly announced a cyberattack or data breach at the time of writing.

The post Florida Practice Management Company Announces June 2025 Data Breach appeared first on The HIPAA Journal.