McKenzie Memorial Hospital Announces Data Breach Affecting 54,000 Patients

McKenzie Memorial Hospital in Michigan has reported a hacking incident affecting more than 54,000 patients. Arbor Associates in Massachusetts has reported a 17K-record data breach, and data breaches have been confirmed by Blue Shield of California and Human Development Services of Westchester.

McKenzie Memorial Hospital, Michigan

McKenzie Memorial Hospital in Sandusky, Michigan, has recently disclosed a cybersecurity incident that was detected on or around April 15, 2025, when suspicious activity was identified within its network. McKenzie Memorial did not state whether ransomware was used, only that the forensic investigation confirmed that its network was accessed by an unauthorized third party between April 14, 2025, and April 15, 2025. During that time, files containing patients’ protected health information may have been accessed.

The investigation and file review were completed on June 19, 2025, and confirmed that the potentially compromised information included names, Social Security numbers, and financial account information. The data breach was recently reported to the Maine Attorney General as affecting 54,016 individuals. Credit monitoring and identity theft protection services have been offered for 12 months, and the hospital is strengthening network security and reviewing its data security policies and procedures.

Arbor Associates, Massachusetts

Arbor Associates, a business associate that helps healthcare organizations collect patient survey analytics, has recently announced a data security incident that involved unauthorized access to patient data. Unusual network activity was detected on April 17, 2025, and independent cybersecurity experts were engaged to investigate the activity. They confirmed that there was unauthorized access to its network between April 15, 2025, and April 17, 2025, during which time files containing patient information may have been acquired.

The file review was completed in May 2025, and the affected healthcare partners were notified. Data potentially compromised in the incident includes first and last name, contact information, age, biological sex, date of birth, service date, CPT or diagnosis code, medical record number, name of insurance, and/or doctor’s name. Arbor Associates started mailing notification letters on behalf of the affected clients on July 3, 2025. The data breach was reported to the HHS’ Office for Civil Rights as a network server incident affecting 17,040 individuals.

Blue Shield of California

The health insurer Blue Shield of California (BSC) has recently notified the California Attorney General about a recent HIPAA breach. On May 22, 2025, BSC learned that a broker with Harmon Insurance Services had passed away, and the late broker’s husband had accessed her online client list after her death. He then asked a friend, who was also a broker, to assist her clients. A former employee of the late broker may also have accessed the client list and client applications between March 25, 2025, and May 22, 2025.

The access was unauthorized, and upon discovery, the login credentials were revoked to prevent further unauthorized access. No evidence was found to indicate any acquisition of members’ information. Information potentially accessed included names, member IDs, Social Security numbers, birth dates, addresses, phone numbers, group ID numbers, and Medicare numbers.

The affected individuals have been notified by mail and offered a one-year membership to an identity theft protection service. The OCR data breach portal lists the incident as affecting 1,543 individuals. A later breach report indicates that an email breach also occurred that affected 673 individuals.

Human Development Services of Westchester, New York

Human Development Services of Westchester, a provider of community-based direct-care services for vulnerable populations in New York State, has recently announced unauthorized access to its email tenant. Suspicious activity was identified within a single email account, and the forensic investigation confirmed unauthorized access between May 19, 2025, and May 20, 2025. The review of the account and attachments is ongoing, so it is not yet possible to determine the exact types of information involved or the number of affected individuals. The account likely contained employee and patient information.

Email security is currently being reviewed, and new cybersecurity tools are being assessed. The breach has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals. The total will be updated when the review concludes.

The post McKenzie Memorial Hospital Announces Data Breach Affecting 54,000 Patients appeared first on The HIPAA Journal.

BJC HealthCare Settles Website Tracking Lawsuit for up to $9.25 Million

BJC Health System, doing business as BJC HealthCare, is one of the latest healthcare organizations to settle litigation stemming from the use of website tracking tools. BJC HealthCare has agreed to pay up to $9.25 million to resolve the litigation and provide cash payments to the class members.

BJC HealthCare is a non-profit healthcare organization based in St. Louis, Missouri, which runs the Washington University-affiliated hospitals Barnes–Jewish Hospital and St. Louis Children’s Hospital. According to the lawsuit – John Doe et al v. BJC Health System – BJC HealthCare maintained various web properties, including the websites www.bjc.org and www.barnesjewish.org, through which patients could communicate with BJC HealthCare.

The plaintiffs alleged that tracking tools added to the websites collected web user data, including personally identifiable information, and that sensitive information was transmitted to companies such as Facebook (Meta), Google, SiteScout, Invoca, and TradeDesk, without the knowledge or authorization of web users. BJC HealthCare maintains there was no wrongdoing and that there is no liability; however, it agreed to settle the litigation. All parties believe that a settlement is in their best interests due to the costs, risks, and uncertainty associated with continuing the lawsuit.

The settlement covers all users who used the BJC HealthCare MyChart patient portal between June 2017 and August 2022. Under the terms of the settlement, BJC HealthCare will initially establish a $5.5 million settlement fund to cover attorneys’ fees, legal expenses, administration costs, class representative awards, and cash payments to class members, which are expected to be $35 per class member. Should the fund not be sufficient to cover claims, a further $3.75 million will be added to the settlement fund. If the $9.25 million settlement fund is not sufficient, claims will be subject to a pro rata reduction.

Attorneys’ fees will be up to $3,000,000, settlement administration costs are expected to be up to $200,000, and service awards to the class representatives will be $15,000 in total. The deadline for claiming a cash payment is October 8, 2025, and the final fairness hearing is scheduled for October 16, 2025. Individuals wishing to opt out of or exclude themselves from the settlement must do so by September 8, 2025.

Several class action lawsuits have recently been settled over the use of these tracking tools, including lawsuits against Mount Nittany Health, Henry Ford Health, MarinHealth, and Eisenhower Medical Center. More settlements are expected to be announced in the coming weeks.


Feds Confirm Seizure of BlackSuit Ransomware Infrastructure

Homeland Security Investigations (HSI), the investigative arm of the Department of Homeland Security (DHS) and part of U.S. Immigration and Customs Enforcement (ICE), has released further information about last month’s seizure of dark web domains used by the BlackSuit ransomware group.

On July 24, 2025, the U.S. Department of Justice (DoJ) confirmed that an international law enforcement operation codenamed Operation Checkmate resulted in the seizure of domains used by the BlackSuit ransomware group. Banners were added to those sites confirming they were under the control of law enforcement. The sites were used by the BlackSuit ransomware group to leak stolen data and to communicate with victims to negotiate ransom payments.

The HSI confirmed in an August 7, 2025, announcement that BlackSuit was the successor to Royal ransomware. Both groups have terrorized critical infrastructure entities around the world since Royal emerged in 2022. Royal was the successor to Quantum ransomware, which is thought to be one of the groups operated by former members of the disbanded Conti ransomware operation.

Since 2022, Royal and BlackSuit have conducted more than 450 successful ransomware attacks on companies in the United States, including many critical infrastructure entities in healthcare, education, public safety, energy, and the government. The ransomware groups engaged in double extortion, stealing data and encrypting files, demanding payment to prevent the data from being leaked and to obtain the decryption keys. Victims have paid Royal and BlackSuit more than $370 million in ransom payments, based on current cryptocurrency values.

The operation involved the HSI Cyber Crimes Center, IRS Criminal Investigation’s Cyber Crimes Unit, the U.S. Secret Service, the FBI, Europol, and multiple international law enforcement partners, and resulted in the seizure of the group’s servers, domains, and digital assets used to support the group’s attacks, data theft, extortion, and money laundering.

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

A DoJ announcement on August 11, 2025, explained that laundered cryptocurrency valued at $1,091,453 had been seized as part of the operation, along with four servers and nine domains. The DoJ explained that one of the victims of the Royal ransomware group paid a 49.3120227 Bitcoin ransom to decrypt their data, which was valued at $1,445,454.86 at the time of the transaction. Some of the proceeds, $1,091,453, were repeatedly deposited and withdrawn in a virtual currency exchange to hide the source of the funds. The funds were frozen by the exchange on or around January 9, 2024, and were obtained by U.S. authorities after issuing a warrant for seizure.

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said Assistant Attorney General for National Security John A. Eisenberg. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”

July 25, 2025: BlackSuit Ransomware Dark Web Sites Seized by Law Enforcement

The dark web sites of the BlackSuit ransomware group have been seized as part of an international law enforcement operation. The takedown includes BlackSuit’s negotiation and data leak sites, following a court order that authorized the seizure.

The dark web sites have been replaced with banners advising visitors about the seizure by U.S. Homeland Security Investigations, part of Operation Checkmate. Several law enforcement partners assisted with the operation, including the U.S. Department of Justice, Federal Bureau of Investigation (FBI), the U.S. Office of Foreign Assets Control (OFAC), Europol, the UK National Crime Agency, and law enforcement agencies in Canada, Germany, Ukraine, Lithuania, Ireland, and France. The Romanian cybersecurity firm Bitdefender also assisted during the operation. The authorities have yet to make an announcement about the operation and any other achievements.

BlackSuit ransomware first appeared in June 2023, having rebranded following an attack on the City of Dallas in Texas. The group previously operated under the name Royal from September 2022 to June 2023. Prior to that, Royal operated under the name Quantum and is believed to have been started by members of the Conti ransomware group. Operating as BlackSuit, the group is thought to have claimed more than 180 victims worldwide and more than 350 victims under the name Royal.

While the takedown is good news, researchers have suggested that BlackSuit may have already rebranded or that some former members of BlackSuit have formed a new group, Chaos ransomware. Researchers at Cisco Talos explained in a June 24, 2025, blog post that they have assessed with moderate confidence that the new group was formed by members of the BlackSuit ransomware group due to similarities in the encryption methodology, ransom note, and toolset used in attacks. Chaos has already conducted at least ten attacks, mostly in the United States. The new group does not appear to be targeting any specific industries.

“The disruption of BlackSuit’s infrastructure marks another important milestone in the fight against organized cybercrime,” stated a representative of the Draco Team, Bitdefender’s cybercrime unit, who participated in the takedown. “We commend our law enforcement partners for their coordination and determination. Operations like this reinforce the critical role of public-private partnerships in tracking, exposing, and ultimately dismantling ransomware groups that operate in the shadows. When global expertise is aligned, cybercriminals have fewer places to hide.”

On July 28, 2025, FBI Dallas announced the seizure of 20 Bitcoins (now valued at $2.3 million) from a cryptocurrency address belonging to a member of the Chaos ransomware group. The funds were tracked to a Bitcoin wallet used by an affiliate with the moniker “Hors” who is suspected of conducting attacks and extorting payments from companies in the Northern District of Texas and elsewhere. The U.S. Department of Justice filed a civil complaint in the Northern District of Texas on July 24, 2025, seeking the forfeiture of the funds, which were seized by the FBI in Dallas in mid-April.
