Albany Gastroenterology Consultants: November 2024 Data Breach Affects Almost 58,000 Patients

Posted by Steve Alder

Albany Gastroenterology Consultants and Inlet Care (Communicare) are notifying patients affected by cyberattacks in November 2024 that involved unauthorized access to systems containing patient data.

Albany Gastroenterology Consultants

Albany Gastroenterology Consultants in New York State has notified the Maine Attorney General about a data breach involving the personal and protected health information of up to 57,751 individuals. Unusual network activity was identified on November 19, 2024, which disrupted access to one of its computer systems. Steps were taken to isolate the system, and an investigation was launched to determine the nature of the activity and whether any patient data had been compromised. The investigation confirmed unauthorized access to its network and that certain personal information was accessed and acquired by the threat actor on November 10, 2024.

While notification letters were mailed to some of the affected individuals on September 23, 2025; however, the data breach was first disclosed by Albany Gastroenterology Associates in January 2025. The first batch of notification letters was mailed on January 28, 2025, and stated that the review of the affected files concluded on January 21, 2025. According to the latest batch of notification letters, the file review was completed on September 17, 2025, indicating further individuals were found to have been affected. The letters state that names and Social Security numbers were involved. While data theft was confirmed, at the time of issuing notifications, Albany Gastroenterology Consultants was unaware of any misuse of the affected data. Steps have since been taken to enhance its security posture to reduce the risk of similar incidents in the future. Complimentary credit monitoring and identity theft protection services have been made available.

Inlet Care (Communicare)

Inlet Care, doing business as Communicare, a provider of behavioral health, developmental disabilities, and substance abuse services in Kentucky, has discovered unauthorized access to its computer network. Unusual activity was identified within its network on November 23, 2024. Steps were immediately taken to secure its systems, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had access to its network for a short period on November 23, and while the window of opportunity was short, files containing sensitive information of current and former employees, dependents, and other individuals were exfiltrated from the network.

The review of the affected files has recently been completed, and Communicate has confirmed that they contained names in combination with one or more of the following: Social Security number, date of birth, driver’s license number, state-issued identification number, passport number, military identification number, financial account information, medical information, and health insurance information. Security policies and procedures have been reviewed, and additional cybersecurity measures are being implemented to strengthen security. Notification letters are now being mailed to the affected individuals. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Albany Gastroenterology Consultants: November 2024 Data Breach Affects Almost 58,000 Patients appeared first on The HIPAA Journal.

Business Associate ApolloMD Confirms Breach Affecting Multiple Physician Practices

Posted by Steve Alder

ApolloMD Business Services, LLC (ApolloMD), an Atlanta, GA-based provider of integrated, multispecialty physician, APC, and practice management services, has recently disclosed a security incident affecting several of its physician practice clients.

Unusual activity was identified within the ApolloMD network environment on May 22, 2025. An investigation was launched to determine the nature and scope of the activity, and steps were taken to secure its network. Assisted by a third-party cybersecurity firm, ApolloMD learned that an unauthorized third party had access to its network from May 22, 2025, to May 23, 2025. During that time, files containing the electronic protected health information (ePHI) of ApolloMD’s affiliated physicians and practices may have been accessed or acquired.

The file review determined that the information potentially stolen in the incident included names, addresses, dates of birth, diagnoses, provider names, dates of service, treatment information, and health insurance information. A subset of individuals also had their Social Security numbers exposed. ApolloMD notified the affected physicians and practices between July 21, 2025, and September 11, 2025, and notification letters started to be mailed to the affected individuals on September 17, 2025. ApolloMD has confirmed that complimentary credit monitoring and identity theft protection services are being offered to individuals whose Social Security numbers were exposed.

ApolloMD did not disclose details about the nature of the attack; however, the Qilin ransomware group claimed responsibility and added ApolloMD to its dark web data leak site in June 2025. Qilin claimed to have exfiltrated a large amount of sensitive data and said it would release the data on June 16, 2025, if the ransom was not paid. At the time of writing, the Qilin data leak site is not accessible, and other sites operated by the group are protected by a login. Qilin has been the most active ransomware group in four of the five months up to August 2025, according to cybersecurity firm Cyble, having claimed more than twice the number of victims as the second most active group. It should be stated that ransomware groups have been known to fabricate claims on their data leak sites.

The total number of affected individuals has not been made public by ApolloMD at this stage, and the data breach is not currently shown on the HHS’ Office for Civil Rights website.

ApolloMD is issuing notification letters on behalf of the following covered entity clients.

  • Passaic Hospitalist Services, LLC
  • Passaic River Physicians, LLC
  • Pensacola Hospitalist Physicians, LLC
  • Broad River Physicians Group, LLC
  • Olive Branch Emergency Physicians, LLC
  • Aurora Emergency Physicians, LLC
  • The Bortolazzo Group, LLC
  • Methodist University Emergency Physicians, PLLC
  • Trinity Emergency Physicians, LLC
  • Lorain Emergency Physicians, LLC
  • Pennsylvania Hospitalist Group, LLC

The post Business Associate ApolloMD Confirms Breach Affecting Multiple Physician Practices appeared first on The HIPAA Journal.

Medusind to Pay $5 Million to Settle Data Breach Litigation

Posted by Steve Alder

Medusind has agreed to pay $5,000,000 to settle a consolidated class action lawsuit over a 2023 data breach. Medusind is a revenue cycle management and practice management software vendor based in Florida. On or around December 29, 2023, the firm identified unauthorized access to its computer systems and found evidence to suggest that files had been exfiltrated from its network. The file review confirmed that more than 701,000 individuals had protected health information exposed in the incident, including names, contact information, health insurance information, medical histories, driver’s license numbers, passport numbers, and Social Security numbers. Notification letters were mailed to the affected individuals more than a year after the intrusion was detected.

Victims of the breach took legal action against Medusind, claiming negligence for failing to implement reasonable and appropriate safeguards to protect individuals’ personal and protected health information. Eight separate complaints were filed in response to the data breach. Since they had overlapping claims, they were consolidated into a single action in the United States District Court for the Southern District of Florida – Ashley Owings v. Medusind, Inc. Medusind denies any fault or liability and disagrees with all claims and contentions in the lawsuit. Following mediation on June 10, 2025, all parties agreed to settle the lawsuit, with no admission of wrongdoing by Medusind.

The settlement agreement includes cash benefits for class members, credit monitoring services, statutory awards for the California subclass, and injunctive relief. Medusind will establish a $5 million settlement fund from which the attorneys’ fees and expenses, settlement administration costs, class representative awards for each of the nine named plaintiffs, credit monitoring costs, and cash payments will be paid.

Two cash payments have been offered. Class members may either submit a claim for documented, unreimbursed losses related to the data breach up to a maximum of $5,000. Alternatively, a claim may be submitted for a pro rata cash payment, which is estimated to be around $100 per class member. Cash payments will be paid pro rata after legal costs, expenses, and credit monitoring costs have been deducted from the settlement fund. California residents may claim an additional statutory award, estimated to be $100. All class members are entitled to claim two years of complimentary credit monitoring services.

In addition to the $5,000,000 settlement, Medusind has agreed to implement additional security measures. Prior to receiving final approval, Medusind will provide class counsel with a written attestation regarding the security measures that have been implemented. Class members wishing to exclude themselves from or object to the settlement have until December 14, 2025, to do so. Claims must be submitted by December 29, 2025, and the final approval hearing has been scheduled for January 12, 2026.

The post Medusind to Pay $5 Million to Settle Data Breach Litigation appeared first on The HIPAA Journal.

Michigan Critical Access Hospital Suffers Two Hacking Incidents Affecting Almost 78,000 Individuals

Posted by Steve Alder

Sturgis Hospital, a rural critical access hospital in the Northern Black Hills in Michigan, has recently reported two security incidents to the HHS’ Office for Civil Rights, both of which have potentially affected up to 77,771 individuals. The first incident was identified in December 2024 when unauthorized activity was observed in part of its computer network. Third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. Unauthorized access was confirmed, the incident was remediated, and the exposed files were reviewed to determine the individuals affected and the types of data involved.

The investigation and file review had not concluded when further unauthorized network activity was detected in June 2025. A separate investigation was launched into the second incident, with assistance provided by third-party experts. Based on the two investigations, Sturgis Hospital concluded that there was potentially unauthorized access to patient and employee information and files containing sensitive patient and employee data may have been exfiltrated from its network.

The file review confirmed that the exposed information included names, contact information, government identification numbers such as Social Security numbers, financial account information, health insurance information, and clinical information, such as treatment information, prescriptions, and other medical information. Sturgis Hospital said it worked with third-party cybersecurity experts to secure its systems and implement additional cybersecurity measures to prevent similar incidents in the future. The affected individuals have been offered complimentary subscriptions to credit monitoring and identity theft protection services. Law enforcement was notified about both incidents, and while law enforcement did not request delaying notifications, it has taken some time to investigate the incidents. Notification letters are now being mailed to the affected individuals.

Only a few weeks ago, Aspire Rural Health System, another rural healthcare provider in Michigan, announced a cyberattack and data breach that affected up to 140,000 individuals, and Endless Mountains Health Systems in Montrose, Pennsylvania, experienced a suspected ransomware attack in March 2025. Many rural healthcare providers are struggling to remain viable, and in some cases are providing care well below the cost of providing their healthcare services. With limited funds available for cybersecurity and difficulties attracting skilled cybersecurity staff, they can be vulnerable to cyberattacks. The HHS has recently confirmed that $50 billion is being made available in grants to transform rural healthcare over the next five years, one of the goals of which is to help rural healthcare providers invest in technology and improve cybersecurity.

The post Michigan Critical Access Hospital Suffers Two Hacking Incidents Affecting Almost 78,000 Individuals appeared first on The HIPAA Journal.