Data Breaches Announced by Lumexa Imaging; FMRS Health Systems
The diagnostic imaging service provider Lumexa Imaging has been affected by a security incident at one of its vendors. FMRS Health Systems, a West Virginia-based provider of mental health services, is investigating a January 2026 data breach.
Lumexa Imaging
Lumexa Imaging, a diagnostic imaging provider that, together with its affiliates, has the second-largest diagnostic imaging footprint in the United States, has notified regulators about a data security incident involving one of its vendors. The unnamed vendor provided non-clinical support services in connection with the administrative services Lumexa Imaging provided to its affiliated radiology practices. On April 9, 2026, the vendor notified Lumexa Imaging that it was investigating suspicious activity within part of its computer network. Lumexa Imaging immediately terminated the vendor’s access to its systems while the incident was investigated and remediated.
The investigation confirmed a breach of the vendor’s systems between March 31, 2026, and April 9, 2026. On April 15, 2026, Lumexa Imaging learned that an unauthorized actor may have used the connection between itself and the vendor to view or obtain documents associated with its affiliated radiology practices. The documents were reviewed and found to contain patient information such as names, birth dates, addresses, phone numbers, patient account numbers, insurance information, and clinical information such as diagnoses, visit dates, and other information related to the radiology services received. A small subset of patients had their Social Security numbers exposed.
The vendor has provided assurances that steps have been taken to secure its systems to prevent similar incidents in the future, including scrubbing and validating the affected systems and implementing additional cybersecurity monitoring and detection tools. Lumexa Imaging is unaware of any misuse of the exposed data and is offering complimentary credit monitoring services to individuals whose Social Security numbers were exposed. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.
FMRS Health Systems
FMRS Health Systems, Inc., a West Virginia-based nonprofit mental health center, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 500 individuals. That figure will likely increase, as at the time of issuing its substitute breach notice, the investigation was still ongoing. According to the substitute breach notice on the FMRS Health Systems website, suspicious activity was identified within its computer systems on February 27, 2026. Steps were immediately taken to secure its systems, and a forensic investigation was launched to determine the nature and scope of the unauthorized activity.
The investigation confirmed unauthorized access between January 20, 2026, and February 27, 2026, during which time files containing patient information were copied by the threat actor. Electronic medical records were not subject to unauthorized access. The file review confirmed that names were stolen in combination with one or more of the following: address, birth date, Social Security number, driver’s license number, financial account information, medical history information, diagnostic and treatment information, prescription information, physician’s name, medical record number, and health insurance information. FMRS Health Systems did not state whether ransomware was used; however, a ransomware group – Qilin – claimed responsibility for the attack.
The post Data Breaches Announced by Lumexa Imaging; FMRS Health Systems appeared first on The HIPAA Journal.
Endue Software Agrees to $870,000 Data Breach Settlement
Endue Software has agreed to pay $870,000 to settle a class action lawsuit that was filed in response to a cyberattack and data breach that affected more than 118,000 individuals. Endue Software is a software-as-a-service company that provides an infusion management platform to healthcare providers for managing infusion operations. On February 17, 2025, suspicious activity was identified within its systems. The forensic investigation confirmed unauthorized access for a short period on February 17, 2025, during which time files containing patient information were copied. Data compromised in the incident included full names, addresses, dates of birth, Social Security numbers, and medical record numbers. The affected individuals were notified on April 11, 2025.
Multiple class action lawsuits were filed in response to the data breach and were consolidated as Pauley, et al. v. Endue Inc. d/b/a Endue Software in the United States District Court for the District of Maine. The consolidated lawsuit alleged that the data breach resulted from a failure to implement reasonable and appropriate cybersecurity measures and should have been prevented.
The lawsuit asserted claims for negligence/negligence per se, breach of third-party beneficiary contract, unjust enrichment, and declaratory judgment/injunctive relief. Endue Software denies all claims and contentions in the lawsuit, and maintains there is no liability and that there was no wrongdoing. Shortly after the lawsuit was filed, the parties explored the possibility of an early resolution and agreed that the 17th Judicial Circuit in and for Broward County, Florida, was the appropriate venue for settlement discussions. The consolidated lawsuit was dismissed and refiled in Florida, asserting claims for negligence/negligence per se and breach of third-party beneficiary contract.
The terms of a settlement were agreed upon, and the settlement has received preliminary approval from the court. The settlement provides two years of medical data and credit monitoring services, and class members may claim one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member, or a claim may be submitted for an alternative one-time cash payment of $65.
A $260,000 fund has been established to cover the alternative cash payments, which will be subject to a pro rata increase or decrease depending on the number of claims received. The total settlement fund is capped at $870,000. The deadline for objection to and exclusion from the settlement is June 30, 2026. The deadline for filing a claim is June 30, 2026, and the final fairness hearing has been scheduled for July 15, 2026.
The post Endue Software Agrees to $870,000 Data Breach Settlement appeared first on The HIPAA Journal.