Patient Data Compromised in Cyberattacks on Sleep Specialists

Two sleep specialists, Persante Health Care in New Jersey and SomnoSleep Consultants in Virginia, have recently disclosed security incidents that exposed patient information.

Persante Health Care Patients Informed About January 2025 Cyberattack

Persante Health Care, a Mount Laurel Township, NJ-based national provider of sleep and balance center management services to hospitals and physician practices, has announced a security incident that was detected on or around January 28, 2025.

Unusual activity was identified within its computer network and, assisted by third-party cybersecurity experts, it was determined that an unauthorized third party accessed its network between January 23 and January 28, 2025. During that time, files containing patient information may have been accessed or acquired. It took more than 8 months to review the affected files to determine whether patient data had been exposed. On October 3, 2025, the data review confirmed that personal and protected health information was involved.

The exposed data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, Social Security number, driver’s license number, state identification number, passport number, government identification number, taxpayer identification number, date(s) of service, physician or facility name, patient account number, medical record number, financial account information, payment card number, medical device identifier(s), and/or biometric identifier(s).

The Federal Bureau of Investigation was informed about the cyberattack, and Persante Health Care is assisting with the investigation. Additional measures have been implemented to reduce the risk of similar incidents in the future, and the affected individuals were notified by mail on November 26, 2025. The number of affected individuals has yet to be publicly disclosed.

SomnoSleep Consultants’ Patients Affected by Business Associate Data Breach

Patients of Annandale, VA-based SomnoSleep Consultants have been notified about a security incident at a third-party billing vendor, Avosina Healthcare Solutions. The vendor detected unauthorized access to its network on July 29, 2025, in what appears to have been a ransomware attack. Avosina said it was able to restore its services from backups; therefore, no ransom was paid. The FBI was notified, and third-party cybersecurity experts were engaged to determine the nature and scope of the incident and implement additional security measures to protect against further attacks.

The investigation confirmed that some documents were exfiltrated from its network. The analysis of those files confirmed that they contained patients’ names, addresses, medical information, and health insurance information. SomnoSleep said there was no unauthorized access to any files that are part of its electronic medical record system.

Avosina notified SomnoSleep about the attack on September 29, 2025, and on November 17, 2025, SomnoSleep provided additional information on the affected patients and delegated the responsibility for sending notification letters to its business associate. SomnoSleep said that no evidence has been found to indicate that any of the impacted patient data has been misused.

Avosina confirmed to SomnoSleep that steps have been taken to correct the vulnerability that was exploited by the threat actor, and other security measures have been implemented to protect against any further unauthorized network access. Internal data management protocols have also been reviewed.

The post Patient Data Compromised in Cyberattacks on Sleep Specialists appeared first on The HIPAA Journal.

Liberty Resources Announces July 2024 Data Breach

Liberty Resources, a Syracuse, NY-based human services agency, has announced a security incident that was first identified 16 months ago, on July 22, 2024. Liberty Resources said an immediate and thorough investigation was conducted, and that the investigation into the incident is still ongoing. It is unclear why the investigation has taken so long.

According to its website data breach notice, the specific information compromised in the incident has yet to be confirmed. Employees and patients have been warned that the impacted data likely includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information. Since the investigation has not yet concluded, it is unclear how many individuals have been affected.

While no evidence has been found to indicate any misuse of the affected information, employees and clients have been advised to remain vigilant against identity theft and fraud. While not stated by Liberty Resources, this appears to have been a cyberattack by the Rhysida threat group, which added Liberty Resources to its data leak site and threatened to sell the 665 GB of data allegedly stolen in the attack. Rhysida claims on its data leak site that the data that has not been sold has been published. The group claims the leaked data includes 885,433 files, and if the claim is true, that may go some way to explaining why the investigation and data review have taken so long.

Gold Coast Health Plan Members Affected by Conduent Data Breach

Gold Coast Health Plan in Camarillo, CA, confirmed on December 2, 2025, that members’ protected health information was potentially compromised in a cyberattack on its business associate, Conduent Business Solutions. Conduent, a long-term provider of administrative services to Gold Coast Health Plan, determined on January 13, 2025, that the email account of one of its employees was accessed by an unauthorized individual between October 21, 2024, and January 13, 2025. The forensic investigation has taken several months to complete, and recently, Gold Coast Health Plan learned that the protected health information of 540 members was compromised in the incident, including their names, health plan identification numbers, dates of service, costs of service, and claim numbers. Social Security numbers and financial information were not involved.

“We deeply regret that the private information of some [of] our members was possibly exposed during this cyberattack,” said Robert Franco, GCHP’s chief compliance officer. “We are working closely with Conduent to ensure the necessary safeguards are in place to prevent a future breach.”


High Severity Vulnerabilities Patched in Mirion Medical EC2 Software NMIS BioDose

Mirion Medical has issued patches to fix five high-severity vulnerabilities in its EC2 Software NMIS BioDose product. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to the application, modify program executables, access sensitive information, and potentially remotely execute code.

Mirion Medical EC2 Software NMIS BioDose is tracking software used by healthcare providers to keep track of inventory, doses, patient information, and billing. The vulnerabilities affect software versions prior to v23.0. Users have been urged to update to v23.0 or later versions to prevent the vulnerabilities from being exploited. Users with an active support contract can update to the latest version via the software. At the time of issuing the updated version, there had been no known exploitation of the vulnerabilities in the wild.

CVE-2025-64298 – CVSS v3.1: 8.4 | CVSS v4: 8.6

In NMIS/BioDose V22.02 and previous versions, installations that use the embedded Microsoft SQL Server Express are exposed in the Windows share accessed by clients in networked installs. By default, the shared directory has insecure directory paths, allowing access to the SQL Server database and configurations, which may contain sensitive data.

CVE-2025-61940 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database, and while users must supply a password in the client software, the underlying database connection always has access. An option has been added to use Windows user authentication with the database to restrict the database connection.

CVE-2025-62575 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account – nmdbuser – and other created accounts have the sysadmin role, which could lead to remote code execution through the use of certain built-in stored procedures.

CVE-2025-64642 – CVSS v3.1: 8.0 | CVSS v4: 7.1

In NMIS/BioDose V22.02 and previous versions, installation directory paths have insecure file permissions by default. In certain deployments, this can allow users to modify program executables and libraries.

CVE-2025-64778 – CVSS v3.1: 7.3 | CVSS v4: 8.4

NMIS/BioDose software V22.02 and previous versions have executable binaries with plaintext hard-coded passwords, which could be exploited to gain unauthorized access to the application and database.
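
An audit query for the two database-account findings above (CVE-2025-61940 and CVE-2025-62575), added here as an example and not taken from Mirion Medical or its advisory: it lists the members of the sysadmin server role by authentication type and reports whether the instance still accepts SQL-authenticated logins. It uses only standard SQL Server catalog views and functions; nmdbuser is the account name given above, and the finding labels are this example's own wording.

```sql
-- Added audit example, not vendor code. Run on the SQL Server instance that
-- backs NMIS/BioDose, using a login allowed to view server-level principals
-- (a low-privileged login sees only a subset of sys.server_principals).

-- 1. Who holds sysadmin, and how do they authenticate?
SELECT
    p.name        AS login_name,
    p.type_desc   AS login_type,        -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
    p.is_disabled,
    p.create_date,
    CASE
        WHEN p.name = N'nmdbuser'
            THEN 'account named in CVE-2025-62575 holds sysadmin'
        WHEN p.type = 'S'
            THEN 'SQL-authenticated sysadmin: confirm it is needed'
        ELSE 'Windows-authenticated sysadmin'
    END           AS finding
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;

-- 2. Does the instance still accept SQL logins at all?
--    1 = Windows authentication only, 0 = mixed mode (SQL logins accepted).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3. Direct check of the shared application login.
--    1 = member of sysadmin, 0 = not a member, NULL = login not found.
SELECT IS_SRVROLEMEMBER('sysadmin', 'nmdbuser') AS nmdbuser_is_sysadmin;
```

After updating to v23.0 or later and switching to the Windows user authentication option, the first query should no longer return the shared SQL login as a sysadmin member.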


Europol Takes Down Illegal Crypto Mixing Laundering Service Used by Ransomware Actors

A cryptocurrency mixing service used by criminals to launder the proceeds from their illegal activities has been shut down by Europol, Eurojust, and law enforcement agencies in Switzerland and Germany.

Cybercriminals, such as ransomware actors, typically receive payment for their attacks in cryptocurrency. Cryptocurrency transactions are not anonymous, as all transactions are recorded on the public blockchain and can be traced to the wallets receiving the funds. That means the proceeds from cybercrime can be traced to individuals if the wallet address is linked to a real-world identity. Cybercriminals use cryptocurrency mixing services to launder the proceeds from their attacks, then redirect their anonymized funds to cryptocurrency exchanges to cash out.

The law enforcement operation was a week-long effort – Operation Olympia – between November 24 and November 26, targeting Cryptomixer, an illegal cryptocurrency mixing service that law enforcement agencies have been trying to shut down since its creation in 2016. According to Europol, Cryptomixer was the mixing service of choice for cybercriminals, and was used by ransomware gangs, payment card fraudsters, drug and weapons traffickers, and nation state hackers such as North Korea’s Lazarus Group to launder funds from their illegal activities. Since 2016, more than €1.3 billion in Bitcoin ($1.5 billion) has passed through Cryptomixer infrastructure.

Funds were deposited in the mixing service, pooled for a long and randomized period, then redistributed to destination addresses at random times. Mixing services such as Cryptomixer make pseudonymous cryptocurrency transactions anonymous, concealing the origin of cryptocurrency by making it difficult to trace specific coins, allowing cybercriminals to launder funds from their activities without the risk of being identified. More than €25 million ($28 million) in Bitcoin was confiscated, three servers in Switzerland and the cryptomixer.io clear web domain were seized, along with more than 12 terabytes of data.

The operation was part of a broader international effort by law enforcement agencies to tackle cybercrime by targeting the services that cybercriminals use to hide their financial transactions. Operation Olympia mirrors a similar effort in 2023 by Europol and law enforcement agencies in the United States and Germany that resulted in the seizure of the infrastructure behind the ChipMixer mixing service, which at the time was the go-to mixing service for cybercriminals, through which more than $3 billion in cryptocurrency had passed. In that operation, as well as seizing the infrastructure, more than $50 billion in Bitcoin was confiscated.
