Mindcore Technologies Launches Secure Workspace Solution to Stren – The National Law Review
Mindcore Technologies Launches Secure Workspace Solution to Stren The National Law Review
Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands – The HIPAA Journal
Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands The HIPAA Journal
Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands
Ransomware groups are conducting fewer attacks than a year ago, and are increasingly adopting a more targeted approach using stealthy tactics to achieve more impactful results, according to the 2025 Global Threat Landscape Report from the network detection and response (NDR) company ExtraHop.
Indiscriminate attacks are being dropped in favor of targeted, sophisticated attacks that allow ransomware actors to spend longer inside victims’ networks as they move undetected to achieve an extensive compromise before deploying their file-encrypting payloads. Attacks are designed to cause maximum damage and extensive downtime, which both increases the likelihood of a ransom being paid and allows them to obtain higher ransom payments. ExtraHop reports that in the space of a year, the average ransom demand has increased by more than one million dollars, from $2.5 million a year ago to $3.6 million, although ransom demands are higher for healthcare organizations and government entities. 70% of victims end up paying the ransom.
Last year, ExtraHop tracked an average of 8 incidents per organization compared to 5-6 incidents this year. Ransomware actors typically have access to victims’ networks for almost two weeks before they launch their attack, during which time sensitive data is exfiltrated. It typically takes victims more than two weeks to respond to a security alert and contain an attack, with the attacks causing an average downtime of around 37 hours.
Only 17% of attacks are detected during the reconnaissance phase, with 29% detected during initial access, but 30% of attacks are detected later on in the attack phase when file exfiltration has commenced (12%), data is encrypted (13%), or the ransom note is received (5%). While attacks are becoming increasingly sophisticated and harder to detect with traditional security tools, the initial access vectors have largely remained unchanged, with phishing and social engineering the most common means of infiltration. Phishing/social engineering was the infiltration method in 33.7% of attacks, software vulnerabilities were exploited in 19.4% of attacks, supply chain compromises were behind 13.4% of attacks, and software misconfigurations were exploited in 13% of attacks. ExtraHop has observed a marked increase in the use of compromised credentials for initial access, which were used in 12.2% of attacks. Legitimate credentials allow attackers to access networks, move laterally, and remain in networks undetected for extended periods, often escalating privileges to compromise more sensitive systems.
The biggest areas of cybersecurity risk for defenders were the public cloud (53.8%), third-party services and integrations (43.7%), and generative AI applications (41.87%). The main challenges faced by defenders were limited visibility into their entire environment (41%), insufficient staffing or a skills gap (35.5%), alert fatigue due to an overwhelming number of security alerts (34%), poorly integrated tools (34%), insufficient or manual SOC workflows (33%), insufficient budget and executive support (29%), and organizational silos (26%). The problem for many organizations is that they are grappling with a complex range of equally pressing obstacles.
ExtraHop’s advice is to first understand the full attack surface, which means knowing exactly what is in the network and where vulnerabilities exist. While it is important to have robust perimeter defenses, internal traffic must be monitored as attackers are increasingly able to penetrate defenses. Through effective monitoring, organizations can identify and block attacks before escalation, data theft, and encryption. While it is essential to understand what threat actors are doing today, it is important to keep abreast of evolving tactics to be prepared for what will happen tomorrow, including attackers’ use of emerging technologies.
The post Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands appeared first on The HIPAA Journal.
Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement – The HIPAA Journal
Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement The HIPAA Journal
Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement
Fraser Child and Family Center has agreed to pay $750,000 to settle class action litigation over a 2024 data breach. Fraser Child and Family Center is a Minnesota-based provider of autism, mental health, behavioral health, and disability services. Between May 30, 2024, and June 2, 2024, an unauthorized third party was able to access parts of its IT environment that contained the protected health information of approximately 67,000 individuals. Information potentially stolen in the incident included names, addresses, dates of birth, Social Security numbers, and medical information. The affected individuals were notified about the breach in September 2024.
Class action lawsuits were filed in response to the data breach by four plaintiffs, individually and on behalf of their minor children and similarly situated individuals. Since the lawsuits had overlapping claims and were based on the same facts, they were consolidated into a single lawsuit – In re: Fraser Child and Family Center – which was filed in the District Court for Hennepin County, Minnesota.
The lawsuit asserted several claims, including negligence, breach of contract, breach of fiduciary duty, invasion of privacy – intrusion upon seclusion, unjust enrichment, and a failure to provide adequate breach notifications. Fraser Child and Family Center denies wrongdoing and liability and filed a motion to dismiss. Shortly thereafter, all parties began to explore the possibility of early resolution of the litigation, and a settlement was agreed upon that was acceptable to all parties. The settlement agreement has now been finalized and has received preliminary approval from the court.
Following the data breach, Fraser Child and Family Center implemented additional safeguards to further protect information stored on its network. In addition, a $750,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, service awards for the plaintiffs, and benefits for the class members.
All class members are entitled to claim two years of credit monitoring services, which can be either the CyEx Identity Defense Complete package for adults or the CyEx Minor Defense package for minors. In addition, a claim may be submitted for reimbursement of documented, out-of-pocket losses due to the data breach up to a maximum of $2,500 per class member. In lieu of a claim for reimbursement of losses, class members may submit a claim for a cash payment. Cash payments will be paid after all the above costs and expenses have been paid, and the funds will be divided equally between class members who submit a claim for a cash payment.
Class members wishing to object to the settlement or exclude themselves must do so by November 3, 2025. Claims must be submitted by December 1, 2025, and the final fairness hearing has been scheduled for November 20, 2025.
The post Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement appeared first on The HIPAA Journal.
September 2025 Healthcare Data Breach Report – The HIPAA Journal
September 2025 Healthcare Data Breach Report The HIPAA Journal
September 2025 Healthcare Data Breach Report – The HIPAA Journal
September 2025 Healthcare Data Breach Report The HIPAA Journal
September 2025 Healthcare Data Breach Report
While the figures in our September 2025 data breach report look encouraging, there is a major caveat. Due to the government shutdown, the HHS’ Office for Civil Rights (OCR) has largely stopped adding data breaches to its data breach portal. The figures for September are therefore likely to increase considerably when the furlough comes to an end, staff return to work, and the backlog of data breach reports is addressed. While we do not generally update our monthly breach reports after publication, we will revise the figures and re-publish this report when the government shutdown comes to an end.
September 2025 Healthcare Data Breach Report
As of October 22, 2025, OCR has added 26 data breaches affecting 500 or more individuals to its data breach portal – the lowest monthly total since December 2018. While data breaches are down 56% from August’s 64 data breaches, there are likely to be several more breaches added to that total. That said, there has been a downward trend in healthcare data breaches since April, and the year-to-date total from January 1 to September 30 is 469 data breaches, compared to 554 data breaches in the corresponding period in 2024. Even accounting for missing breach reports due to the government shutdown, data breaches are down considerably from last year.
Across the 26 September data breaches on the OCR data breach portal, the protected health information of at least 1,294,769 individuals was exposed or impermissibly disclosed, marking the third consecutive month with a fall in the number of affected individuals, and currently down 65.9% from August. That number could increase considerably, but currently, for the year-to-date, 42,216,193 individuals have had their protected health information exposed or impermissibly disclosed. While this year’s total is higher than in the whole of 2019 and 2020, the number of affected individuals is down 85% compared to last year and 75% compared to 2023.
The Biggest Healthcare Data Breaches Announced in September
Currently, 42% of the month’s breaches (11 incidents) involved the exposure or impermissible disclosure of the protected health information of 10,000 or more individuals. All but one of the 11 data breaches were hacking incidents involving unauthorized access to protected health information stored on network servers, with one incident involving a compromised email account. Goshen Medical Center was the worst-affected covered entity, with more than 456,000 patients affected by its hacking incident. One provider that stands out is Sturgis Hospital, which was investigating a cyberattack that occurred in December 2024, when another intrusion was experienced in June 2025.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| Goshen Medical Center | NC | Healthcare Provider | 456,385 | Network server hacking incident |
| Medical Associates of Brevard, LLC | FL | Healthcare Provider | 246,711 | Network server hacking incident |
| Doctors Imaging Group | FL | Healthcare Provider | 171,862 | Network server hacking incident – Data theft confirmed |
| Retina Group of Florida | FL | Healthcare Provider | 152,691 | Network server hacking incident |
| Sturgis Hospital | MI | Health Plan | 77,771 | Network server hacking incident |
| Sturgis Hospital | MI | Healthcare Provider | 77,771 | Network server hacking incident |
| PGA Development, Inc. | PA | Healthcare Provider | 23,899 | Network server hacking/IT Incident |
| Teamsters Union 25 Health Services & Insurance Plan | MA | Health Plan | 19,231 | Network server hacking incident |
| Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice (“Treasure Health ”) | FL | Healthcare Provider | 13,234 | Email account breach |
| People Encouraging People | MD | Healthcare Provider | 13,083 | Ransomware attack – Data theft confirmed |
The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to OCR and issue notifications within 60 days of the discovery of a data breach; however, if the total number of affected individuals is not known at that point, an estimate should be provided to OCR. Many regulated entities submit a breach report using a placeholder figure of 500 or 501 affected individuals, then provide an updated total when the file review is concluded. Four data breaches were reported in September using 500 or 501 totals indicative of a placeholder. These data breaches could affect considerably more individuals than the initial breach report suggests.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
| Cookeville Regional Medical Center | TN | Healthcare Provider | 500 | Hacking/IT Incident |
| Hampton Regional Medical Center | SC | Healthcare Provider | 501 | Hacking/IT Incident |
| Coos County Family Health Services | NH | Healthcare Provider | 501 | Hacking/IT Incident |
| La Perouse, LLC | NV | Business Associate | 501 | Hacking/IT Incident |
Causes of September 2025 Healthcare Data Breaches
Out of the 23 large healthcare data breaches added to the OCR breach portal in September, 23 (88.5%) were reported as hacking/IT incidents, involving unauthorized access to the protected health information of 1,279,139 individuals, which is 98.8% of the total individuals affected by data breaches in September. The average number of individuals affected by these incidents was 55,615 (median: 6,243 individuals).
The exact nature of the hacking incidents, such as whether ransomware was used to encrypt files, if a ransom demand was received, or even if data was stolen, is often not disclosed. This trend has been growing for several years and is not confined to the healthcare industry. The Identity Theft Resource Center (ITRC) has reported that this trend is evident across many industry sectors.
The remaining three data breaches were unauthorized/disclosure incidents, affecting 15,630 individuals. On average, 5,210 individuals were affected (median: 1,700 individuals). Based on the available data, no loss, theft, or improper disposal incidents were reported to OCR in September. There have been no loss/theft incidents reported since March 2025, and the last reported improper disposal incident was in May 2025.
Where Did the Data Breaches Occur?
Geographical Distribution of Healthcare Data Breaches in September
Florida and North Carolina were the worst-affected states, with four data breaches affecting 500 or more individuals reported by entities based in those states, and both states top the list in terms of the number of affected individuals, with 584,498 and 465,721 individuals affected, respectively.
| State | Breaches |
| Florida & North Carolina | 4 |
| Michigan, Pennsylvania & Tennessee | 2 |
| Louisiana, Massachusetts, Maryland, Minnesota, Missouri, New Hampshire, Nevada, Oregon, South Carolina, Texas, Virginia, and Washington | 1 |
The table below shows the number of individuals affected by healthcare data breaches based on the state where the regulated entity is based, not necessarily where the affected individuals reside.
| State | Individuals Affected |
| Florida | 584,498 |
| North Carolina | 465,721 |
| Michigan | 155,542 |
| Pennsylvania | 26,150 |
| Massachusetts | 19,231 |
| Maryland | 13,083 |
| Missouri | 11,538 |
| Louisiana | 6,243 |
| Minnesota | 3,572 |
| Tennessee | 2,957 |
| Oregon | 1,700 |
| Texas | 1,236 |
| Washington | 1,099 |
| Virginia | 696 |
| New Hampshire | 501 |
| Nevada | 501 |
| South Carolina | 501 |
HIPAA Enforcement Activity in September 2025
It has been a busy year of HIPAA enforcement for OCR, with 20 enforcement actions involving settlements or civil monetary penalties announced this year, including one enforcement action in September. OCR agreed to settle alleged violations of the HIPAA Privacy Rule and Breach Notification Rule with Cadia Healthcare facilities, which agreed to pay $182,000 to resolve the alleged violations.
Cadia Healthcare is a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware. An employee had posted success stories about its patients to its social media channel; however, it had not obtained valid HIPAA authorizations for that purpose, and therefore, the use of PHI in the stories was an impermissible disclosure of PHI. After being notified by OCR, Cadia found that 150 patients had PHI posted online without valid authorizations, deleted the posts, and shut down the success story program; however, notification letters about the HIPAA breach were not issued. The corrective action plan requires policies and procedures to be revised, training to be provided to staff members, and notification letters to be issued.
The post September 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.