Arizona Orthopedics Practice Announces Data Breach

Posted by Steve Alder

Data breaches have recently been reported by Integrated Orthopedics of Arizona, Glen Falls Hospital in New York, and South Coast Pediatrics in California.

Integrated Orthopedics of Arizona

Integrated Orthopedics of Arizona (IOA) in Phoenix, Arizona, has recently notified patients about a breach of its email tenant. Unauthorized activity was identified on or around April 7, 2025. Assisted by third-party cybersecurity experts, IOA confirmed unauthorized access to the email system, and some emails had been copied.

The email system was reviewed to determine the individuals affected and the types of data involved, and that process was completed on June 19, 2025. The affected individuals had either visited IOA for healthcare services or their information was provided by other healthcare providers. The breached information included some or all of the following: name, address, date of birth, medical record number, patient ID/ account number, Medicare number, Medicaid number, health insurance information, diagnosis information, treatment information including date(s) and location, doctor’s name, lab or test results, and for a small subset of individuals, driver’s license number and/or Social Security number. IOA has offered the affected individuals 24 months of complimentary credit monitoring and identity theft protection services, and has taken steps to improve email security.

Glens Falls Hospital, New York

Glens Falls Hospital in New York has recently confirmed that patient data was compromised in an Oracle Health/Cerner cybersecurity incident in January this year. The data was stored on legacy servers that were awaiting migration to Oracle Cloud, when hackers gained access. The hackers may have breached the servers as early as January 22, 2025, and accessed medical records stored on those servers. The compromised information included patients’ names, Social Security numbers, medical record numbers, physicians’ names, diagnoses, medications, test results, medical images, and treatment information.

Glen Falls Hospital said it was not using Oracle Health or Cerner as its electronic health vendor at the time, having terminated that relationship on November 2, 2024, yet it was still affected by the incident. Glen Falls Hospitals was provided with a list of the affected individuals on June 6, 2025, and has been working with Oracle Health to notify those individuals and provide them with 24 months of complimentary credit monitoring and identity theft protection services. There is currently no entry relating to the breach on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

South Coast Pediatrics, California

South Coast Pediatrics, a pediatric medical group with locations in Bristol, Spurgeon, and Anaheim in California, has notified 7,000 individuals about a June 2025 cyberattack that involved unauthorized access to computers containing patient information. The attack was identified on June 12, 2025, and steps were immediately taken to contain the threat, assess the impact, and restore its systems.

The forensic investigation confirmed that patient data was present on the affected computers, including name, address, date of birth, medical record number, diagnosis, and treatment codes/descriptions. Steps have been taken to enhance network security and prevent similar incidents in the future. The affected patients have been advised to remain vigilant against instances of identity theft and fraud.

The post Arizona Orthopedics Practice Announces Data Breach appeared first on The HIPAA Journal.

Data Breaches Announced by Langdon & Company; Michigan Medicine

Posted by Steve Alder

A cyberattack has been announced by the North Carolina accountancy firm Langdon & Company, and Michigan Medicine has experienced a mailing incident that exposed patient information.

Langdon & Company, North Carolina

Langdon & Company, LLP, a certified public accountancy firm based in Garner, North Carolina, has recently notified 46,061 individuals about a breach of some of their protected health information. Langdon & Company is a business associate of Easterseals North Carolina & Virginia, which provides services to individuals with disabilities.

Unusual network activity was identified by the accountancy firm on April 28, 2024. Cybersecurity experts were engaged to investigate the activity and determine the nature and scope of the activity. The forensic investigation revealed unauthorized network access between April 21, 2024, through April 28, 2024, during which time files were exfiltrated from its network.

It has taken more than a year to review the affected files and issue notification letters. Langdon & Company said the delay was due to the extensive analysis required to review all the affected data. The data review was not finalized until June 3, 2025, and notification letters were mailed on or around August 1, 2025. The data involved varied from individual to individual and may have included names in combination with one or more of the following: address, birth date, Taxpayer identification number, Social Security number, financial account information, medical information, health insurance information, and/or digital signature.

The affected individuals have been offered complimentary credit monitoring and identity theft protection services, steps have been taken to improve data security, and any information that does not need to be retained for business purposes or legal reasons is being destroyed.

Michigan Medicine

Michigan Medicine has notified 1,015 patients about the exposure of a limited amount of their protected health information as a result of a mailing error. On June 27, 2025, potential participants in a research study were contacted by mail regarding the study. The requests were sent on postcards, which were not in envelopes, resulting in the exposure of protected health information to anyone who may have come into contact with the postcards. When the error was identified, the research study staff took immediate action to prevent any further postcards from being mailed.

The incident was investigated, and revealed that the University of Michigan’s Institutional Review Board (IRB), which is responsible for oversight of research studies, had mistakenly approved the use of postcards for contacting study participants. IRB is taking steps to ensure that similar incidents are prevented in the future, including improving education about protecting PHI in communication materials.

Michigan Medicine has experienced eight reportable data breaches since 2018 that have affected more than 500 individuals, including two phishing incidents last year that each affected more than 50,000 individuals. “We take patient privacy very seriously, and we regret this incident. Whenever situations like this occur, we immediately take steps to investigate,” said Jeanne Strickland, Michigan Medicine Chief Compliance Officer. “We will analyze this incident and review our safeguards and make changes if needed to protect those we care for.”

The post Data Breaches Announced by Langdon & Company; Michigan Medicine appeared first on The HIPAA Journal.

Nuance Communications Settles MOVEit Lawsuit for $8.5 Million

Posted by Steve Alder

A District Court judge has recently given preliminary approval of an $8.5 million settlement to resolve a consolidated class action complaint against the HIPAA business associate Nuance Communications over a May 2023 data breach.

Nuance Communications is a Microsoft-owned computer software company based in Burlington, Massachusetts. The company provides speech recognition solutions and is a vendor to the healthcare industry.  Its AI-powered healthcare software solutions are used by physicians and radiologists to deliver personalized and connected experiences to improve care management.

Nuance used Progress Software’s MOVEit Transfer software solution for file transfers. In May 2023, a hacking group known to target file transfer solutions found and exploited a zero-day vulnerability that allowed access to data stored within the MOVEit environment.  Nuance has previously confirmed that 13 of its healthcare provider clients were affected. The breached data included names, addresses, email addresses, birth dates, and information related to health records and health insurance. Nuance said 1,225,054 individuals were affected. In total, the breach involved unauthorized access to the personal data of approximately 93 million individuals.

Many class action lawsuits were filed in relation to the MOVEIt data breach, six of which were filed against Nuance Communications and were consolidated into a single complaint – In Re: MOVEit Customer Data Security Breach Litigation – as the lawsuits had overlapping claims. The lawsuits alleged that Nuance Communications was negligent by failing to implement appropriate safeguards to ensure all data within the MOVEit system was protected against unauthorized access.

Nuance denies liability for all claims and maintains that there was no wrongdoing, has not violated anyone’s privacy, nor breached any contract; however, it chose to settle the litigation. Under the terms of the settlement, Nuance has agreed to create an $8.5 million settlement fund to cover attorneys’ fees (up to $2,833,333.33), attorneys’ expenses, settlement administration and notice costs ($550,000), and class representative awards ($2,500 per named plaintiff). After those costs have been deducted from the settlement, the remainder will be used to pay for benefits to class members.

Under the terms of the settlement, class members may submit a claim for reimbursement of out-of-pocket expenses and losses linked to the data breach. Claims may be submitted for ordinary losses up to a maximum of $2,500 per class member, and up to $10,000 for reimbursement of extraordinary losses. Claims for losses can include up to 4 hours of lost time at $25 per hour.

Alternatively, class members may submit a claim for a cash payment, which is expected to be appropriately $100 per class member, although it is subject to a pro rata adjustment depending on the number of claims received. All class members are entitled to claim 2 years of credit monitoring and identity theft protection, and insurance services.

The Honorable Allision D. Burroughs of the U.S. District Court for the District of Massachusetts has recently given preliminary approval of the settlement, and the final approval hearing is scheduled for March 18, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 24, 2025, and the deadline for submitting claims is 30 days later.  More than 100 other lawsuits filed over the MOVEit data breach are pending. Some of the other affected companies have already announced settlements.

The post Nuance Communications Settles MOVEit Lawsuit for $8.5 Million appeared first on The HIPAA Journal.