Data Breaches Announced by Three Oral Healthcare Practices

Posted by Steve Alder

Data breaches have been announced by the Washington dental practice 32 Pearls, West Texas Oral Facial Surgery, and the Indiana dental and general healthcare services provider Mid America Health.

32 Pearls, Washington

Dr. Michael Bilikas and Associates, doing business as 32 Pearls, a dental practice with locations in Seattle and Tacoma in Washington state, has recently disclosed a security incident that was detected on May 22, 2025. Ransomware was used to encrypt files on its systems, and third-party cybersecurity experts were engaged to determine the scope of the incident.  They concluded that the ransomware actor had access to certain systems between May 19, 2025, and May 22, 2025, and may have viewed or acquired files containing patient data.

The file review has recently been completed, and notifications are being sent to 23,517 current and former patients, who have been offered complimentary credit monitoring and identity theft protection services. Information exposed in the incident included full names, addresses, driver’s license numbers, Social Security numbers, and medical information. At the time of issuing notifications, the practice was unaware of any misuse of patient information as a result of the incident. Internal processes are being reviewed, and security measures have been enhanced to prevent similar incidents in the future.

West Texas Oral Facial Surgery

West Texas Oral Facial Surgery in Lubbock, Texas, has notified 11,151 patients about a security incident in which some of their protected health information may have been compromised. The practice experienced network disruption on May 29, 2025, and engaged third-party cybersecurity experts to investigate and determine the nature and scope of any unauthorized activity.

The investigation confirmed that there had been unauthorized access to its network, and patient data may have been compromised. The substitute breach notice does not state when the unauthorized access occurred. The file review was completed on July 18, 2025, and confirmed that the exposed data included first and last names, imaging files, which in some cases included birth dates, and the reason given for seeking treatment. The electronic medical record system was not accessed, and Social Security numbers and financial information were not involved. Cybersecurity experts are conducting a review of systems, security, and practices, and measures will be taken to improve security. The Inc Ransom ransomware group claimed responsibility for the attack and added West Texas Oral Facial Surgery to its data leak site on June 18, 2025.

Mid America Health, Indiana

Mid America Health, a Greenwood, IN-based provider of dental and general healthcare services to state and federal government agencies, has notified the Massachusetts Attorney General about a data incident that involved unauthorized access to personal information. The notification provides no information about the nature of the data incident, such as when it occurred, or what happened, only stating that the breached information included first and last names, Social Security numbers, and financial account information, and that the affected individuals have been offered complimentary credit monitoring services for 24 months.

Individual notification letters were mailed to the affected individuals on July 31, 2025. There is currently no listing on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Data Breaches Announced by Three Oral Healthcare Practices appeared first on The HIPAA Journal.

The Top HIPAA Threats Are Not What You Think

Posted by Ian

The top HIPAA threats are threats from insiders who, either due to a lack of HIPAA training or a lack of security awareness, violate HIPAA standards or make mistakes that allow cybercriminals to access healthcare networks. While more training could help mitigate these top HIPAA threats, a fairly enforced sanctions policy will likely be more effective.

Many articles listing the top HIPAA threats pretty much follow a similar theme. Protect devices against theft, protect data against cybercriminals, and protect yourself against unauthorized third party disclosures by signing a Business Associate Agreement. Unfortunately these articles are way off the mark.

Inasmuch as the recommendations are sensible, and indeed should be followed, they fail to address the top HIPAA threats – employees. According to the recently-published IBM X-Force Threat Intelligence Report, 71% of recorded data breaches in the healthcare industry are attributable to employee actions. Employees responsible for data breaches are divided into two categories – “malicious Insiders” (25%) and “inadvertent actors” (46%).

A Quarter of Healthcare Data Breaches Attributable to Malicious Insiders?

Although IBM´s Intelligence Report focuses on the number of breaches – rather than the number of records breached – the percentage of data breaches attributed to malicious insiders appears high. However, it is not the case that a quarter of the medical profession is stealing Protected Health Information for personal gain. A closer inspection of the data reveals the “malicious insiders” category includes employees snooping on the medical records of friends, colleagues, and celebrity patients.

Snooping was identified as the largest single cause of data breaches in the healthcare industry in a 2013 study conducted by Veriphyr Identity and Access Intelligence. As snooping constitutes an unauthorized disclosure of Protected Health Information, it is classified as a violation of HIPAA and therefore – by the number of violations alone – is one of the top HIPAA threats covered entities should be aware of. It is certainly a threat OCR would expect a covered entity to address in a HIPAA risk assessment.

Other Data Breaches Attributable to Malicious Insiders Tend to Attract Headlines

Whereas snooping can be the biggest cause of employee HIPAA violations by number, the biggest cause of employee HIPAA violations by records breached is insider data theft. In a recent high-profile case, a secretary employed by the Jackson Health System in Florida was charged with accessing more than 24,000 computerized patient records and selling the data to criminals, who subsequently used it to file fraudulent tax returns with the Internal Revenue Service.

A spate of high-volume data breaches around the same time prompted the HHS´ Office for Civil Rights to issue a reminder to covered entities to take action to prevent insider data theft. Unfortunately many covered entities appear not to have responded to the reminder. A survey conducted in late 2016 revealed half of healthcare IT professionals were more concerned about insider data theft than external data theft, but were not given the resources to deal with the threat.

Are Inadvertent Actors Really More of a HIPAA Threat than Cybercriminals?

According to the basic data it would appear so. However, the category of “inadvertent actors” includes victims of phishing attacks and IT professionals who fail to configure their security mechanisms properly; so it may be more accurate to rename this category “employees who inadvertently invited cybercriminals to steal data”. Nonetheless, the percentage of reported data breaches attributable to inadvertent actors is nearly twice that of external hacks.

This would imply another of the top HIPAA threats is a lack of employee awareness. Phishing is a massive threat to HIPAA compliance, but it is one that can mitigated with phishing simulation training. Similarly, errors made by IT security can be reduced by implementing procedures to review the configuration of security mechanisms on a regular basis – which should be part of an annual risk assessment in any case. Basically, data breaches due to inadvertent actors are mostly avoidable.

The Top HIPAA Threats and How to Defend Against Them

At HIPAA Journal we strongly recommend covered entities encrypt data, implement two-factor authentication and conduct due diligence on business associates. These practices – and others provided by HIPAA threat-style articles- will help defend against some HIPAA threats, but not the top HIPAA threats. In order to defend against the top HIPAA threats of snooping, insider data theft and a lack of employee awareness, covered entities need to:

  • Implement strong policies relating to employee conduct and enforce them with an equally strong sanctions policy.
  • Implement effective access controls that monitor who accesses PHI when and where, and what happens to it afterwards.
  • Implement a comprehensive HIPAA training program to raise employee awareness – particularly in the area of Internet security.

More than anything, covered entities need to allocate more resources to eliminating data breaches attributable to employee actions. If the data provided in the IBM X-Force Threat Intelligence Report is taken at face value, covered entities should allocate three times as many resources to defending against the top HIPAA threats that come from within than they allocate to external threats.

The post The Top HIPAA Threats Are Not What You Think appeared first on The HIPAA Journal.

Cencora & The Lash Group Settle Data Breach Litigation for $40 Million

Posted by Steve Alder

Cencora & The Lash Group have agreed to pay $40 million to settle class action data breach litigation over a February 2024 data breach that affected more than 1.43 million individuals.

Cencora, Inc., formerly AmerisourceBergen, is an American drug wholesale company and a contract research organization, and The Lash Group is a pharmaceutical solutions organization. Cencora disclosed the data breach in a February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC), stating that on February 21, 2024, the company learned that data had been exfiltrated from its information systems.

On July 31, 2024, an updated SEC filing confirmed that more data had been stolen than initially thought. At least 27 pharmaceutical companies were affected, and the stolen personal and protected health information included names, addresses, dates of birth, Social Security Numbers, health and insurance information, financial information, transactional information, consumer profile information, racial/ethnic identity, political opinions, sexual orientation/identity, criminal history, IP addresses, other electronic identifiers, biometric information, genetic information, trade union membership information, and driver’s license and passport information.

Since the breach has been reported separately by several different entities, the total number of affected individuals is not known. TechCrunch tracked breach reports submitted to state Attorneys General and reports that at least 1.43 million individuals have been notified that their data was compromised in the February security incident. Only a few states publish breach report data that includes the number of affected individuals, so the total is likely to be significantly higher than 1.43 million.

Several class action lawsuits were filed against Cencora, the Lash Group, and the affected pharmaceutical firms (see the list below). The lawsuits were consolidated in a single action – Anaya et Al. v. Cencora, Inc., et al. – in the U.S District Court for the Eastern District of Pennsylvania. The defendants were alleged to have been negligent by failing to implement reasonable and appropriate safeguards to protect sensitive data, and as a result of that negligence, sensitive data was stolen.

The defendants chose to settle the lawsuit with no admission of wrongdoing or liability and will establish a $40 million settlement fund to cover attorneys’ fees (up to $13,333,333.33), attorneys’ expenses (up to $300,000), service awards to the 28 class representatives (total $42,000), and settlement administration costs (yet to be determined).

The remainder of the settlement fund will be used to pay benefits to class members. Class members may choose to submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses fairly traceable to the data breach, which were incurred on or after September 1, 2023. Claims have been capped at $5,000 per class member, and the total loss payments are capped at $5,000,000. If that total is exceeded, claims will be paid pro rata. Alternatively, class members may claim a cash fund payment, the value of which will depend on the number of valid claims received.

The dates for exclusion from and objection to the settlement will be 150 days from the date the settlement receives preliminary approval from the court. The deadline for submitting a claim will be 180 days from the date of preliminary approval, and the final approval hearing will be scheduled for 230 days after the preliminary approval date. Claims will be paid between 306 and 311 days after the preliminary approval date. Further information can be found on the settlement website, which is not yet live – cencoraincidentsettlement.com

August 2, 2024: Cencora: Additional Data Exfiltrated in February 2024 Cyberattack

On July 31, 2024, in an updated filing with the Securities and Exchange Commission (SEC), the pharmaceutical firm Cencora explained that more data was exfiltrated from its network in its February 2024 cyberattack than was initially thought, including personally identifiable information (PII) and protected health information (PHI). The majority of the additional data was maintained by one of its subsidiaries that provides patient support services.

The review of the exfiltrated data is still ongoing, and notifications will be issued to the affected individuals in due course. Cencora did not state how many individuals have been affected, the name of the subsidiary company, or the types of data that were compromised in the incident.

Three HIPAA breach reports have previously been filed with the HHS Office for Civil Rights as a result of the Cencora cyberattack, two by AmerisourceBergen Specialty Group which affected 252,214 individuals and 3,102 individuals, and one by The Lash Group, which affected 15,196 individuals. Many of the affected companies have also filed breach reports with state attorneys general, as detailed in previous reporting by the HIPAA Journal (see below).

While data has been stolen, Cencora is unaware of any actual or attempted misuse of the affected data and does not believe any of the stolen data has been published online. Cencora believes the incident has been contained; however, the remediation efforts and file review are ongoing. Cencora has engaged cybersecurity experts to assist with reinforcing cybersecurity measures and strengthening cyber threat monitoring.

May 27, 2024: 2 Dozen Pharmaceutical Companies Affected by Cencora Cyberattack

Cencora, Inc. (formerly AmerisourceBergen), and its Lash Group affiliate have been affected by a cyberattack. Cencora announced the attack in a February 2024 filing with the Securities and Exchange Commission (SEC); however, at that point, the extent of the data breach had yet to be determined, although Cencora did confirm in the SEC filing that data was exfiltrated in the attack.

Cencora is a Conshohocken, PA-based company that partners with pharmaceutical firms, healthcare providers, and pharmacies and offers drug distribution, patient support and services, business analytics and technology, and other services. Around 20% of pharmaceutical products sold and distributed in the United States are handled by Cencora.

Last week, clients of Cencora and The Lash Group started notifying state Attorneys General about the data breach. The total number of affected clients has not yet been confirmed, but the breach is known to have affected at least 27 pharmaceutical and biotechnology companies and involved the theft of the personal data of hundreds of thousands of individuals. Based on the notifications sent to state Attorneys General so far, the following pharmaceutical and biotechnology companies have been affected:

  • Abbot
  • AbbVie Inc.
  • Acadia Pharmaceuticals Inc.
  • Acrotech Biopharma Inc.
  • Amgen Inc.
  • Bausch Health Companies Inc.
  • Bayer Corporation
  • Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
  • CareDx, Inc
  • Dendreon Pharmaceuticals LLC
  • Endo Pharmaceuticals Inc.
  • Genentech, Inc.
  • GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
  • Heron Therapeutics, Inc.
  • Incyte Corporation
  • Johnson & Johnson Services, Inc.& Johnson & Johnson Patient Assistance Foundation, Inc.
  • Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
  • Novartis Pharmaceuticals Corporation
  • Otsuka America Pharmaceutical, Inc.
  • Pfizer Inc.
  • Pharming Healthcare, Inc.
  • Rayner Surgical Inc.
  • Regeneron Pharmaceuticals, Inc
  • Sandoz Inc.
  • Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
  • Takeda Pharmaceuticals U.S.A., Inc.
  • Tolmar

While State Attorneys general often publish notices of data breaches, they do not always state how many individuals have been affected, so the scale of the breach is unknown at this stage. Cencora detected the cyberattack on February 21, 2024, and took immediate action to contain the attack and prevent further unauthorized access. The forensic investigation confirmed that a threat actor had exfiltrated data from its systems, including patient data provided by its clients for its patient support programs. AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said the breach involved data of a prescription supply program run by the now defunct subsidiary, Medical Initiatives Inc. AmerisourceBergen Specialty Group has filed two separate breach reports with the Office for Civil Rights affecting 252,214 and 3,102 patients. The Lash Group has reported the breach to OCR separately as affecting 15,003 individuals

On April 10, 2024, Cencora confirmed that the stolen data included first names, last names, addresses, dates of birth, health diagnoses, and/or medications and prescriptions. Cencora’s investigation found no connection with other major healthcare cyberattacks such as the attacks on Change Healthcare and Ascension; and at the time of issuing notifications, Cencora/LashGroup said they were unaware of any actual or attempted misuse of the stolen data and had not detected any public disclosure of the stolen data. While data misuse has not been identified, the affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost. Steps have also been taken to harden defenses to prevent similar security breaches in the future. At the time of publication, no cybercriminal group appears to have claimed responsibility for the attack.

The post Cencora & The Lash Group Settle Data Breach Litigation for $40 Million appeared first on The HIPAA Journal.