New Jersey Medical Groups Warn Patients About Data Breach

Posted by Steve Alder

Two New Jersey medical groups have notified patients that their data may have been compromised in a recent security incident. Family & Community Services in Ohio is investigating a cyberattack that exposed patient data.

Passaic Hospitalist Services/ Passaic River Physicians, New Jersey

Legal counsel for two New Jersey medical groups has notified patients of the medical groups Passaic Hospitalist Services and Passaic River Physicians that some of their protected health information has potentially been stolen in a recent data security incident.

Suspicious activity was identified within its computer systems, and an investigation was launched to determine the cause of the activity, which revealed unauthorized access and acquisition of files from certain systems between May 22 and May 23, 2025. A review was conducted of all files on the compromised parts of the network, and it was determined on September 11, 2025, that protected health information was involved, including names, dates of birth, addresses, diagnosis information, provider names, dates of service, treatment information, and/or health insurance information.

Notification letters are now being mailed to the affected individuals. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Family & Community Services, Ohio

Family & Community Services Inc., a social services organization in Ravenna, Ohio, has recently written to its clients to inform them about the potential theft of some of their personal data. On May 22, 2025, Family & Community Services identified activity within its computer systems indicative of unauthorized access. Third-party cybersecurity experts were engaged to investigate the activity and confirmed unauthorized access to its computer systems.

The investigation and data review are ongoing, and Family & Community Services has not yet determined the number of individuals affected or the exact types of data involved. Notification letters will be mailed to the affected individuals when the file review is completed. The letters will detail the types of data involved. In the meantime, clients have been advised to remain vigilant against incidents of identity theft and fraud. Family & Community Services said it restored operations in a safe and secure manner, and steps have been taken to enhance security. Those measures include hardening remote entry points, which indicates the likely initial access vector in the incident.  Steps have also been taken to strengthen access controls.

The post New Jersey Medical Groups Warn Patients About Data Breach appeared first on The HIPAA Journal.

Goshen Medical Center Notifies 456,000 Individuals About Hacking Incident

Posted by Steve Alder

Goshen Medical Center, a federally qualified healthcare organization serving patients in eastern North Carolina, is notifying 456,385 individuals about a recent security incident that exposed some of their personal and protected health information. Suspicious activity was identified within its computer systems on March 4, 2025. Third-party cybersecurity specialists were engaged to investigate the activity and confirmed that an unauthorized third party had access to its network, and files containing sensitive patient data may have been viewed or acquired on February 15, 2025.

A comprehensive review was conducted of the exposed files, and on September 12, 2025, Goshen Medical Center confirmed that the files contained patient names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and medical record numbers. Goshen Medical Center has implemented additional safeguards to prevent similar incidents in the future and has offered the affected individuals up to 24 months of complimentary credit monitoring and identity theft protection services.

Survival Flight

Survival Flight, an Arkansas-based rapid response air & ground emergency medical service provider, experienced a cybersecurity incident on July 17, 2025, that impacted its IT systems. In an August 12, 2025, website notice, Survival Flight explained that it is currently working to determine the full extent to which patient information has been compromised, although it has been confirmed that information such as names, addresses, treatment information, and health insurance information was likely compromised in the incident.

When the review of the affected data is completed, notification letters will be mailed, and resources will be provided to help the affected patients protect their information. At the time of publishing the website notification, no misuse of patient data had been identified. Survival Flight has confirmed that it has taken steps to improve security to prevent similar breaches in the future. While the name of the threat group behind the attack was not disclosed in the notice, the Worldleaks ransomware group (formerly Hunters International) claimed responsibility for the attack and added Survival Leak to its dark web data leak site. Worldleaks claims to have leaked the full 2.8 TB of data stolen in the attack.

The post Goshen Medical Center Notifies 456,000 Individuals About Hacking Incident appeared first on The HIPAA Journal.

Jefferson Healthcare Agrees to Settle Meta Pixel Class Action Litigation

Posted by Steve Alder

Jefferson Healthcare has agreed to settle a class action lawsuit that alleged sensitive data was transmitted to third parties without patient consent due to its use of Meta Pixel and other tracking technologies on its website. Jefferson Healthcare serves residents of eastern Jefferson County on the Olympic Peninsula in Washington State. According to the lawsuit – Jane Doe et al. v. Jefferson County Public Hospital District No. 2 D/B/A Jefferson Healthcare – Jefferson Healthcare installed computer code, including Meta Pixel, on its website between March 19, 2020, and March 19, 2024.

The plaintiffs allege that the implementation of the code allowed their protected health information to be transmitted to third parties such as Facebook and Google without their knowledge or consent. The complaint was filed on March 19, 2024, and Jefferson Healthcare filed a motion to dismiss, which was granted in its entirety by Jefferson County Superior Court Judge Brandon Mack on July 24, 2024. On August 23, 2024, the plaintiff filed a Notice of Appeal with the Washington Court of Appeals.

The plaintiffs and the defendant agreed that a settlement was in the best interests of all parties to avoid the burden, expense, risk, and uncertainty of continuing the litigation. The terms of the settlement have now been agreed upon, and the settlement has received preliminary court approval. Under the terms of the settlement, class members are entitled to claim a voucher for a 12-month subscription to CyEx Privacy Shield, valued at $330.

Jefferson Healthcare has also agreed not to use Meta Pixel on its website for at least two years, unless it is determined that its use is consistent with applicable laws, and an affirmative disclosure is made in the privacy statement on its website that Meta Pixel is being used.  Jefferson Healthcare has agreed to pay attorneys’ fees of $125,000, awards of $2,500 for the class representatives, and will cover the settlement administration costs.

Class members wishing to exclude themselves or object to the settlement have until October 17, 2025, to do so. Claims for a voucher must be submitted by November 17, 2025, and the final approval hearing has been scheduled for December 5, 2025.

The post Jefferson Healthcare Agrees to Settle Meta Pixel Class Action Litigation appeared first on The HIPAA Journal.