Cumberland County Hospital Data Breach Affects Almost 37,000 Individuals

Posted by Steve Alder

While compiling data for last month’s data breach report, the HIPAA Journal identified a data breach that had previously been missed. On June 2, 2025, Cumberland County Hospital Association in Kentucky notified the HHS’ Office for Civil Rights about a hacking-related data breach that affected 36,659 individuals. Cumberland County Hospital detected the hacking incident on April 3, 2025. According to its substitute breach notice, an unauthorized third party had access to its network between February 21, 2025, and April 3, 2025. While its electronic medical record system was not accessed, files on the compromised parts of the network were discovered to include patient information, and some of those files were accessed during the attack.

The review of the files confirmed they contained demographic information (name, date of birth, address, phone number(s), email address, race, and ethnicity), along with Social Security numbers, medications, diagnoses, treatment notes, dates of service, medical record numbers, health plan numbers, and claims and billing information. Some employee data was also compromised in the attack, which may have included additional information such as driver’s license, birth certificate, background check information, W-4s and W-2s, and bank account numbers. Notification letters were mailed to the affected individuals on June 2, 2025, and credit monitoring and identity theft protection services have been offered for 12 months.

Ellis Medicine Discovers Unauthorized Access to Employee Email Account

Ellis Medicine, a Schenectady, NY-based health system serving the Capital District in New York State, has notified the Maine Attorney General about a data incident that involved unauthorized access to an employee’s email account. Suspicious activity was identified in the account, which was immediately secured. Third-party digital forensics specialists were engaged to investigate the activity and confirmed that the account was accessed “for a limited period” between January 17, 2025, through January 24, 2025, and again between March 27, 2025, through April 5, 2025.

The account was reviewed to identify the types of information potentially accessed, and that review was completed on May 14, 2025. Emails and attachments were discovered to include the personal and protected health information of 13,383 individuals. The Notification to the Maine Attorney General includes mail merge fields rather than a list of potentially compromised data, and there is currently no substitute breach notice on the Ellis Medicine website, so the types of information compromised are unknown.

Notification letters are being mailed to the affected individuals, which will state the exact types of information involved for each patient. Ellis Medicine has offered single-bureau credit monitoring, credit report, and credit score services to the affected individuals for 12 months.

The post Cumberland County Hospital Data Breach Affects Almost 37,000 Individuals appeared first on The HIPAA Journal.

New York Surgery Center Pays $250K to Settle HIPAA Risk Analysis; Breach Notification Violations

Posted by Steve Alder

Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Director, Paula M. Stannard, has announced OCR’s 18th HIPAA penalty of the year.  Syracuse ASC, which does business as Specialty Surgery Center of Central New York, a single-facility ambulatory surgery center in Liverpool, New York, has agreed to settle alleged violations of the HIPAA Security Rule and HIPAA Breach Notification Rule and will pay a $250,000 financial penalty.

OCR launched an investigation of Syracuse ASC after receiving a data breach notification report on October 14, 2021, about a hacking incident involving unauthorized access to the protected health information of 24,891 current and former patients. A threat actor had access to its network from March 14, 2021, through March 31, 2021, and potentially obtained names, dates of birth, Social Security numbers, financial information, and clinical treatment information. OCR investigation confirmed that this was a ransomware attack involving PYSA ransomware.

OCR’s investigation uncovered no evidence to suggest that Syracuse ASC had ever conducted a risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information, as required by the HIPAA Security Rule – 45 C.F.R. §164.308(a)(1)(ii)(A). OCR also determined that Syracuse ASC had failed to issue timely notifications to the HHS Secretary and the affected individuals. The data breach was identified on March 31, 2021, yet notifications were not issued for six and a half months. The HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach – 45 C.F.R. § 164.404(b) and 45 C.F.R. § 164.408(b).

Syracuse ASC was given the opportunity to resolve the alleged HIPAA violations informally, and the case was settled. Syracuse ASC has agreed to pay a $250,000 penalty and adopt a corrective action plan to ensure compliance with the HIPAA Rules. The corrective action plan requires Syracuse ASC to conduct an accurate and thorough risk analysis; develop and implement a risk management plan; develop, implement and maintain policies and procedures to ensure compliance with the HIPAA Rules; distribute those policies and procedures to the workforce; and provide the workforce with training on those policies and procedures at least every 12 months.

“Conducting a thorough HIPAA-compliant risk analysis (and developing and implementing risk management measures to address any identified risks and vulnerabilities) is even more necessary as sophisticated cyberattacks increase,” said OCR Director Paula M. Stannard. “HIPAA covered entities and business associates make themselves soft targets for cyberattacks if they fail to implement the HIPAA Security Rule requirements.”

OCR penalties for HIPAA violations - 2017 - 2025

The post New York Surgery Center Pays $250K to Settle HIPAA Risk Analysis; Breach Notification Violations appeared first on The HIPAA Journal.