Wood River Health Notifies 54K Patients About August 2024 Data Breach

Data incidents have recently been announced by Wood River Health in Rhode Island, Jack L Marcus in Wisconsin, and Avala and Primary Health Services Center in Louisiana.

Wood River Health, Rhode Island

Wood River Health, a provider of medical, dental, and social services to communities in southwestern Rhode Island and southeastern Connecticut, has recently announced a data breach that has affected 54,926 individuals. Suspicious activity was identified in an employee’s email account on or around September 6, 2024. Assisted by third-party cybersecurity experts, Wood River Health investigated the activity and confirmed that an unauthorized third party had access to the email account between August 8, 2024, and September 6, 2024, and may have viewed or acquired names and Social Security numbers.

The review of the affected account was completed on or around May 29, 2025, and notification letters were mailed to the affected individuals on or around July 28, 2025. The affected individuals have been offered 12 months of complimentary credit monitoring services, additional safeguards have been implemented to improve security, and employees have been provided with further security awareness training.

Avala, Louisiana

Avala, a Covington, LA-based physician-led health network that operates a 21-bed hospital in St. Tammany Parish, a surgery center in Metairie, and a medical imaging center in Covington, has recently announced a cybersecurity incident, discovered on May 30, 2025, that impacted its IT systems. Third-party cybersecurity experts were engaged to assist with containment and remediation and determine if patient data was exposed. No instances of identity theft or fraud have been identified; however, the investigation confirmed on July 23, 2025, that patient data had been exposed and was potentially exfiltrated from its network.

The exposed data varied from individual to individual and may have included names, addresses, birth dates, treatment information, health insurance information, and Social Security numbers. Notification letters are now being sent to the affected individuals. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Primary Health Services Center, Louisiana

Primary Health Services Center (PHSC), a Monroe, LA-based non-profit healthcare provider that operates several clinics serving the Ouachita, Morehouse, and Lincoln Parishes, has started notifying individuals affected by a recent cybersecurity incident. The nature of the incident was not detailed in the website data breach announcement, nor was the date the incident was detected.

Third-party cybersecurity professionals were engaged to investigate the incident, and the investigation and file review are ongoing. The number of affected individuals and the types of exposed data have yet to be publicly disclosed. PHSC is currently unaware of any misuse of patient information as a result of the incident and said data security policies and procedures have been enhanced to reduce the risk of similar incidents in the future.

The security breach appears to be a ransomware attack by the Inc Ransom ransomware group, which added PHSC to its dark web data leak site on December 24, 2024. On January 15, 2025, Inc Ransom uploaded the stolen data, which includes user data, employee data, and financial information.

Jack L Marcus Inc.

Jack L Marcus Inc., a Milwaukee, WI-based retailer that allows orders to be placed for incarcerated individuals under an agreement with the Wisconsin Department of Corrections, has announced a data breach affecting 712 individuals. According to the substitute breach notice, a website misconfiguration allowed limited information to be displayed that should have been hidden.

Between August 15, 2024, and May 16, 2025, the name of the treatment facility where an individual was located was displayed to individuals placing orders for that individual. The facility address was masked, but the name of the treatment facility was displayed. No other information was impermissibly disclosed. The error was identified on March 15, 2025, and was corrected the following day. Jack L Marcus has reviewed and updated its processes and technology to prevent similar incidents in the future.

The post Wood River Health Notifies 54K Patients About August 2024 Data Breach appeared first on The HIPAA Journal.

Average Cost of a Healthcare Data Breach Falls to $7.42 Million

IBM has published the 2025 Cost of a Data Breach Report, which shows a fall in the global average cost of a data breach, but an increase in the cost of U.S. data breaches, which have set a new record at $10.22 million, increasing by 9.2% from an average of $9.36 million in 2024. The higher data breach costs in the United States were largely due to higher regulatory fines and detection and escalation costs. Globally, data breach costs have fallen for the first time in five years to an average of $4.44 million.

Global average cost of a data breach in 2025 (in millions). Source: IBM

IBM has been releasing data breach cost reports for the past 20 years. This year, the study was conducted on 600 organizations of various sizes from 16 countries and geographic regions. Out of the 600 organizations participating in the study, 16% were located in the United States and Canada. The report is based on an analysis of data from organizations in 17 industries, 2% of which are in the healthcare industry.

There has been a fall in the cost of healthcare data breaches in the United States, which dropped by $2.35 million year-over-year to an average of $7.42 million. While the cost of a healthcare data breach has fallen significantly, healthcare data breaches are still the costliest out of all industries studied by IBM, and have been for the past 14 years.

Globally, the time to identify and contain a data breach fell to a 9-year low of 241 days, a reduction of 17 days compared to 2024. IBM explains that the reduction in average containment time was largely due to a higher number of organizations detecting the data breach internally rather than being notified by an attacker. Healthcare data breaches took the longest to identify and contain, at an average of 279 days, five weeks longer than the global average breach lifecycle.

Phishing was the leading initial access vector in 2025, accounting for almost 16% of data breaches, replacing stolen credentials (10%), last year’s leading initial access vector, which fell to third spot behind supply chain compromise (15%). Ransomware continues to be a problem for healthcare organizations; however, more organizations are choosing not to pay ransoms. Last year, 59% of organizations that experienced a ransomware attack refused to pay the ransom, increasing to 63% this year. With fewer organizations making payments, ransom demands have remained high, with an average of $5.08 million demanded for attacker-disclosed attacks. Fewer victims of ransomware attacks involve law enforcement, even though law enforcement involvement shaved an average of $1 million off data breach costs last year. In 2024, 52% of ransomware victims contacted and involved law enforcement, compared to 40% in 2025.

Data breaches invariably result in operational disruption, with almost all breached organizations reporting at least some disruption to operations as a result of a breach. The majority of breached organizations took more than 100 days to recover from a data breach. While breached organizations often absorb the cost of a data breach, this year, almost half of the organizations that suffered a data breach said they would be raising the price of goods and services as a result, with almost one-third planning to increase costs by 15% or more due to a data breach.

Each year, the cost of a data breach report identifies the main factors that increase or decrease breach costs. The biggest components in breach costs were detection and escalation ($1.47 million), lost business ($1.38 million), and post-breach response ($1.2 million), although IBM notes that detection and escalation costs fell by almost 10% compared to last year, and lost business and post-breach response costs also fell.

Based on a global average cost of $4.88 million, the most important factors for reducing data breach costs were adopting a DevSecOps approach (-$227K), AI-driven and ML-driven insights (-$223K), security analytics or SIEM (-$212K), threat intelligence (-$211K), and data encryption (-$208K). The main factors that increased breach costs were supply chain breaches (+$227K), security systems complexity (+$207K), shadow IT (+$200K), and AI tool adoption (+$193.5K).

Shadow IT – unauthorized use of software and devices – was a new addition to this year’s top three factors increasing data breach costs. Shadow IT increases the attack surface and creates a security blind spot, and IBM warns that many organizations are failing to look for shadow IT, so it remains undetected and can provide an easily exploitable backdoor into networks. On average, organizations with a high level of shadow IT experienced data breach costs $670K higher than organizations with a low level of shadow IT.

For this year’s report, IBM looked at the adoption of AI and found that AI adoption is outpacing governance. The majority of organizations that have adopted AI solutions said they did not have AI governance policies to mitigate or manage the risk of AI. Organizations lacking AI governance paid higher costs when breached. IBM has determined that AI models and applications are an emerging attack surface, especially in the case of shadow AI. This year, 13% of organizations reported a security incident involving an AI model or application that resulted in a data breach, and an overwhelming majority of those breached organizations – 97% – said they lacked proper AI access controls.

There has been growing concern about the use of generative AI by threat actors, such as for accelerating malware development and creating text and images for phishing and social engineering campaigns. IBM looked at the prevalence of AI-driven attacks and found that 16% of breaches involved the use of AI by attackers, with the majority of those attacks involving phishing (37%) or deepfakes (35%).

Last year, almost two-thirds of organizations said they would be increasing investment in cybersecurity over the next 12 months, but this year only 49% of organizations are planning to increase investment in the next 12 months. Fewer than half of the organizations planning to increase security investment said they were focusing on AI-driven solutions or services.

The post Average Cost of a Healthcare Data Breach Falls to $7.42 Million appeared first on The HIPAA Journal.

Texas Gastroenterology Clinic Falls Victim to Interlock Ransomware Attack

Ransomware groups have attacked three healthcare providers: Gastroenterology Consultants of South Texas, Infinite Services in New York, and High Point Treatment Center in Massachusetts.

Gastroenterology Consultants of South Texas (Texas Digestive Specialists)

Gastroenterology Consultants of South Texas, which does business as Texas Digestive Specialists, has recently disclosed a May 2025 cybersecurity incident and data breach. According to the substitute data breach notice, an unauthorized third party gained access to its network in late May 2025 and may have obtained files containing personally identifiable information (PII) and protected health information (PHI). The Texas Attorney General was informed that the exposed information may have included names, addresses, dates of birth, medical records, and health insurance information.

The breach notification does not state when the attack was detected or for how long the hackers had access to the network. Third-party cybersecurity experts assisted with the investigation, and the lessons learned will be used to enhance the security of its IT systems. It is currently unclear how many individuals have been affected in total. The Texas Attorney General was informed that the PII and PHI of 41,521 Texans was exposed in the incident. The affected individuals have been offered complimentary credit monitoring services.

The breach notification letters do not mention ransomware; however, the Interlock ransomware group claimed responsibility for the attack and added the practice to its dark web data leak site. The group claims to have stolen 263 GB of data, which has been leaked online. Interlock was recently the subject of a joint alert from the FBI, CISA, HHS, and MS-ISAC following an increase in attacks on critical infrastructure entities.

Infinite Services, New York

Infinite Services, a New York-based provider of physical therapy, occupational therapy, speech therapy, and home health services, has fallen victim to a ransomware attack that exposed patient and employee data. The attack was detected on May 5, 2025, when employees were prevented from accessing the network. Third-party cybersecurity experts were engaged to investigate the incident and confirmed there was unauthorized access to one of its servers.

Ransomware was used to encrypt files, although the server was powered off, interrupting the encryption process. On June 23, 2025, Infinite Services determined that the affected server contained patient and employee information, and the decision was made to send notification letters to all potentially affected individuals, rather than wait for data mining to determine exactly which individuals had been affected. That decision ensured that notification letters were mailed promptly.

The ransomware group was not named; however, Infinite Services said no ransom was paid, and at the time notification letters were issued, none of the stolen data had been published online. Since data may be leaked, the affected individuals should take advantage of the complimentary credit monitoring and identity theft protection services that have been offered. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals were affected or notified.

High Point Treatment Center, Massachusetts

High Point Treatment Center in New Bedford, Massachusetts, a provider of mental health and substance abuse treatment, has been added to the dark web data leak site of the Abyss ransomware group. The group claims to have exfiltrated 1.8 TB of data, although it has not listed any of the stolen data on its data leak site so far. High Point Treatment Center has yet to announce the attack or data breach.

The post Texas Gastroenterology Clinic Falls Victim to Interlock Ransomware Attack appeared first on The HIPAA Journal.

Bone & Joint Clinic Settles Ransomware Class Action Lawsuit for $575,000

Bone & Joint Clinic S.C. has agreed to pay $575,000 to settle a class action lawsuit stemming from a January 2023 security incident that affected 105,094 current and former patients and employees.

Bone & Joint is an orthopedic and pain management clinical practice in Northcentral Wisconsin. On January 16, 2025, a security incident was identified that caused network disruption. An unauthorized third party accessed its network, used ransomware to encrypt files, and may have obtained protected health information such as names, contact information, dates of birth, Social Security numbers, health insurance information, diagnoses, treatment information, and other sensitive data.

Lawsuits were filed by four Bone & Joint Clinic patients, which were consolidated into a single complaint – Keith Tesky, et al. vs. Bone & Joint Clinic, S.C., – in the U.S. District Court for the Western District of Wisconsin. The lawsuits claimed that the practice failed to implement reasonable and appropriate safeguards to protect sensitive employee and patient data. The consolidated lawsuit asserted claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, invasion of privacy, unjust enrichment, unfair and deceptive business practices, and a violation of Wisconsin law, which prohibits the unauthorized release of healthcare information.

Bone & Joint Clinic denies any wrongdoing and maintains there is no liability; however, a settlement was agreed to avoid the burden and expense of litigation. Under the terms of the settlement, class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses fairly traceable to the data breach up to a maximum of $5,000 per class member.

Class members may also submit a claim for a pro rata cash payment, which is expected to be $75, but may be higher or lower depending on the number of valid claims received. The cash payments will be paid from the remainder of the settlement after attorneys’ fees (up to $191,475), attorneys’ expenses (up to $20,000), service awards (up to $2,000 for each of the four named plaintiffs), and settlement administration costs have been deducted.

The deadline for exclusion from and objection to the settlement is September 15, 2025. Claims must be submitted by October 15, 2025, and the final fairness hearing has been scheduled for January 7, 2025.

The post Bone & Joint Clinic Settles Ransomware Class Action Lawsuit for $575,000 appeared first on The HIPAA Journal.