Florida Internal Medicine Practice Discloses November 2024 Data Breach

Hacking-related data breaches have been announced by Mid Florida Primary Care; Northwest Denture Center in Washington; Forward, The National Databank for Rheumatic Diseases in Kansas; and Equilibria Mental Health Services in Massachusetts. Inc Ransom claims to have attacked the West Virginia Primary Care Association.

Mid Florida Primary Care

On July 29, 2025, Mid Florida Primary Care, a specialized internal medicine practice in Leesburg, Florida, disclosed a cyberattack and data breach that was identified on or around January 23, 2025. An investigation was launched to determine the nature and scope of the activity, which confirmed that an unauthorized third party accessed its network and copied files between November 29, 2024, and December 11, 2024. The data review was completed on June 19, 2025.

The information compromised in the incident includes names, addresses, dates of birth, email addresses, Social Security numbers, driver’s license numbers, health insurance information, Medicare/Medicaid numbers, diagnosis and/or treatment information, medical histories, allergies, prescription information, test results, and treatment locations.

Mid Florida Primary Care has confirmed that the affected individuals will be offered at least 12 months of complimentary credit monitoring and identity theft restoration services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Northwest Denture Center, Washington

Northwest Denture Center in Burlington, Washington, has confirmed that the protected health information of 12,209 individuals has been exposed in a recent hacking incident. Suspicious network activity was identified on or around May 28, 2025, and action was taken to isolate the network to prevent further unauthorized access. The investigation confirmed that an unauthorized third party first gained access to its network on May 27, 2025.

The review of the affected files was completed on June 27, 2025, and notification letters started to be sent to the affected individuals on July 25, 2025. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Additional training is being provided to the workforce, and additional security measures are being implemented. Complimentary credit monitoring services have been provided to the affected individuals for 12 months.

Equilibria Mental Health Services, Massachusetts

Equilibria Mental Health Services in Massachusetts has discovered that the personal and protected health information of up to 2,000 individuals was potentially compromised in a phishing attack. The incident was identified on June 24, 2025, when two employee email accounts were discovered to have been compromised following responses to phishing emails. The email accounts were accessed by an unauthorized third party for a short period on June 24, 2025.

There was unauthorized access to the email addresses of multiple clients, and individuals who had previously contacted Equilibria Mental Health Services to inquire about mental health services. Some of those individuals have reported receiving phishing emails from a compromised Equilibria email account.

The compromised accounts were reviewed and found to contain mailing addresses, physical addresses, telephone numbers, health insurance plan information, and reasons for making contact. The aim of the attack appears to have been to use the compromised accounts for further phishing attempts. Equilibria Mental Health Services said it is evaluating its cybersecurity protocols and taking action to strengthen email security.

Forward, The National Databank for Rheumatic Diseases

Forward, The National Databank for Rheumatic Diseases in Wichita, Kansas, has announced a security incident that was detected on March 21, 2025. Suspicious activity was identified within certain systems, and the forensic investigation confirmed unauthorized access between March 17, 2025, and March 22, 2025. During that time, files containing sensitive information were potentially viewed and copied from its network.

The file review was completed on June 22, 2025, when it was confirmed that personally identifiable information (PII) and protected health information (PHI) had been compromised, including names, contact information, dates of birth, Social Security numbers, medical information/histories, disability information, mental and physical treatment information, diagnoses, prescription information, treating or referring physicians, and medical record numbers. Forward is reviewing its policies, procedures, and processes to reduce the likelihood of a similar future event, and notification letters are being mailed to the affected individuals.

It is currently unclear how many individuals have been affected. The Maine Attorney General was informed that the breach involved the personal information of 38 Maine residents, but the total size of the data breach was not disclosed.

Ransomware Group Claims Attack on West Virginia Primary Care Association

West Virginia Primary Care Association (WVPCA), in Charleston, West Virginia, has recently been added to the dark web data leak site of the Inc Ransom ransomware group. Inc Ransom is a prolific hacking group that engages in double extortion ransomware attacks, stealing data, encrypting files, and demanding payment for the decryptors and to prevent publication of the stolen data. Inc Ransom claims to have exfiltrated 296 GB of data.

The addition of an entity to a dark web data leak site does not necessarily mean data has been stolen. There have been several cases where claims of attacks have been partially or entirely fabricated. West Virginia Primary Care Association has yet to announce any cyberattack or data breach, or issue a statement about the posting. The HIPAA Journal has not accessed any of the leaked data, so it is unable to verify whether the claim is legitimate.

The post Florida Internal Medicine Practice Discloses November 2024 Data Breach appeared first on The HIPAA Journal.

Dermatology Clinics Affected by Practice Management Company Data Breach

Several dermatology practices have recently announced data breaches following an attack on their management company. The number of attacks reported this year by dermatology practices suggests they are being targeted by one or more threat actors.

In May 2025, DermCare Management, a Florida-based company that provides support services for dermatologists and dermatology specialists, notified the HHS’ Office for Civil Rights (OCR) about a network server hacking/IT incident, using a placeholder estimate of 501 affected individuals as the number of affected individuals had yet to be established. Several of the affected practices have now issued substitute breach notifications about the incident.

DermCare Management has more than 60 locations in Florida, Texas, California, and Virginia, and primarily provides services related to platform building and development, revenue growth, operational improvement, and improving the patient experience. At least 10 practices are known to have been affected. The list of affected providers is not exhaustive and mostly consists of practices in Florida. Further practices may announce that they have been affected in the coming days and weeks. None of the practices below are currently listed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Confirmed Affected Practices

  • Miami Plastic Surgery, Florida
  • Keys Dermatology, Florida
  • Hollywood Dermatology, Florida
  • Jacksonville Beach Dermatology, Florida
  • Skin Center of South Miami, Florida
  • Florida West Coast Skin Center, Florida
  • Dania Dermatology, Florida
  • Florida Academic Dermatology Center, Florida
  • Rendon Center, Florida
  • Dermatology Treatment and Research Center, Texas

According to the substitute breach notices on the websites of the above practices, the attack was identified on February 26, 2025. Suspicious network activity was identified, and networks were rapidly secured. The investigation confirmed on March 3, 2025, that patient information may have been copied from the network. Files are still being reviewed to determine the number of affected individuals and the types of data involved; however, the compromised information likely includes names, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their account statements and free credit reports.

String of Cyberattacks Affecting Dermatology Practices

Major data breaches have been reported by other dermatology practices in recent weeks. One hacking incident that stands out is the one at Anne Arundel Dermatology, which recently reported a hacking-related data breach affecting 1,905,000 individuals. Shelby Dermatology (Dermatologists of Birmingham) has reported a hacking incident affecting 86,414 individuals, Mountain Laurel Dermatology has reported a data breach affecting 3,324 individuals, and a hacking incident has been announced by U.S. Dermatology Partners, a network of 100 dermatology practices. That incident occurred in June and is not yet shown on the HHS’ Office for Civil Rights breach portal, although one of the affected practices appears to be Oliver Street Dermatology Management LLC, which reported that 13,717 individuals were affected.


HCA Healthcare Multi-Million Dollar Data Breach Settlement Approved

HCA Healthcare Inc. has agreed to settle class action litigation stemming from a July 2023 data breach that was reported to the HHS’ Office for Civil Rights as affecting 11,270,000 patients. The affected individuals had received healthcare services at HCA hospitals and doctors’ offices in 20 U.S. states.

HCA Healthcare was targeted by hackers who accessed and stole data from an external storage location, which was used to automate the formatting of email messages. A database was stolen that contained 27.7 million records. The hackers listed the database for sale when the ransom was not paid. Data compromised in the incident included names, contact information, dates of birth, and appointment information.

HCA Healthcare announced the data breach on or around July 10, 2024, and the first class action lawsuit was filed within a couple of days of the announcement. In total, 27 putative class action lawsuits were filed against HCA Healthcare in response to the data breach, which alleged negligence for inadequate cybersecurity practices and for failing to properly safeguard patient data. The lawsuits were consolidated – In re HCA Healthcare, Inc. Data Security Litigation – in the U.S. District Court for the Middle District of Tennessee.

HCA Healthcare denies the claims and contentions in the lawsuit; however, it negotiated a settlement to resolve the litigation, with no admission of liability or wrongdoing. While the total settlement amount has not been disclosed, attorneys for the plaintiffs may claim up to $3.1 million in fees. Attorneys usually claim one-third of the total settlement amount, which suggests the total settlement fund is greater than $9 million. The fifteen class representatives will each be paid a service award of up to $5,000.

Claims from class members will be paid once attorneys’ fees, expenses, settlement administration costs, and service awards have been deducted from the settlement fund. Class members may claim a one-year membership to a credit monitoring, fraud consultation, and identity theft restoration service, which includes a $1 million identity theft insurance policy. Class members may also submit a claim for reimbursement of documented, unreimbursed losses fairly traceable to the data breach up to a maximum of $5,000 per class member. HCA Healthcare has also confirmed that it will adopt, implement, and maintain security commitments to prevent similar incidents for at least two years from the settlement date. Those commitments have been filed under seal.

The deadline for exclusion from and objection to the settlement is August 25, 2025. Claims must be submitted by September 25, 2025, and the final fairness hearing is scheduled for October 27, 2025.
