Goshen Medical Center Notifies 456,000 Individuals About Hacking Incident

Posted by Steve Alder

Goshen Medical Center, a federally qualified healthcare organization serving patients in eastern North Carolina, is notifying 456,385 individuals about a recent security incident that exposed some of their personal and protected health information. Suspicious activity was identified within its computer systems on March 4, 2025. Third-party cybersecurity specialists were engaged to investigate the activity and confirmed that an unauthorized third party had access to its network, and files containing sensitive patient data may have been viewed or acquired on February 15, 2025.

A comprehensive review was conducted of the exposed files, and on September 12, 2025, Goshen Medical Center confirmed that the files contained patient names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and medical record numbers. Goshen Medical Center has implemented additional safeguards to prevent similar incidents in the future and has offered the affected individuals up to 24 months of complimentary credit monitoring and identity theft protection services.

Survival Flight

Survival Flight, an Arkansas-based rapid response air & ground emergency medical service provider, experienced a cybersecurity incident on July 17, 2025, that impacted its IT systems. In an August 12, 2025, website notice, Survival Flight explained that it is currently working to determine the full extent to which patient information has been compromised, although it has been confirmed that information such as names, addresses, treatment information, and health insurance information was likely compromised in the incident.

When the review of the affected data is completed, notification letters will be mailed, and resources will be provided to help the affected patients protect their information. At the time of publishing the website notification, no misuse of patient data had been identified. Survival Flight has confirmed that it has taken steps to improve security to prevent similar breaches in the future. While the name of the threat group behind the attack was not disclosed in the notice, the Worldleaks ransomware group (formerly Hunters International) claimed responsibility for the attack and added Survival Leak to its dark web data leak site. Worldleaks claims to have leaked the full 2.8 TB of data stolen in the attack.

The post Goshen Medical Center Notifies 456,000 Individuals About Hacking Incident appeared first on The HIPAA Journal.

Jefferson Healthcare Agrees to Settle Meta Pixel Class Action Litigation

Posted by Steve Alder

Jefferson Healthcare has agreed to settle a class action lawsuit that alleged sensitive data was transmitted to third parties without patient consent due to its use of Meta Pixel and other tracking technologies on its website. Jefferson Healthcare serves residents of eastern Jefferson County on the Olympic Peninsula in Washington State. According to the lawsuit – Jane Doe et al. v. Jefferson County Public Hospital District No. 2 D/B/A Jefferson Healthcare – Jefferson Healthcare installed computer code, including Meta Pixel, on its website between March 19, 2020, and March 19, 2024.

The plaintiffs allege that the implementation of the code allowed their protected health information to be transmitted to third parties such as Facebook and Google without their knowledge or consent. The complaint was filed on March 19, 2024, and Jefferson Healthcare filed a motion to dismiss, which was granted in its entirety by Jefferson County Superior Court Judge Brandon Mack on July 24, 2024. On August 23, 2024, the plaintiff filed a Notice of Appeal with the Washington Court of Appeals.

The plaintiffs and the defendant agreed that a settlement was in the best interests of all parties to avoid the burden, expense, risk, and uncertainty of continuing the litigation. The terms of the settlement have now been agreed upon, and the settlement has received preliminary court approval. Under the terms of the settlement, class members are entitled to claim a voucher for a 12-month subscription to CyEx Privacy Shield, valued at $330.

Jefferson Healthcare has also agreed not to use Meta Pixel on its website for at least two years, unless it is determined that its use is consistent with applicable laws, and an affirmative disclosure is made in the privacy statement on its website that Meta Pixel is being used.  Jefferson Healthcare has agreed to pay attorneys’ fees of $125,000, awards of $2,500 for the class representatives, and will cover the settlement administration costs.

Class members wishing to exclude themselves or object to the settlement have until October 17, 2025, to do so. Claims for a voucher must be submitted by November 17, 2025, and the final approval hearing has been scheduled for December 5, 2025.

The post Jefferson Healthcare Agrees to Settle Meta Pixel Class Action Litigation appeared first on The HIPAA Journal.