Absolute Dental Confirmed Data Breach Affecting Over 1.2 Million Individuals

Posted by Steve Alder

Absolute Dental, a Nevada dental practice with over 50 locations in Las Vegas, Carson City, Reno, Sparks, and Minden, has completed its investigation of a February 2025 cyberattack and has confirmed that more than 1.2 million individuals had some of their personal and protected health information exposed.

Absolute Dental reported the data breach to the HHS’ Office for Civil Rights in May 2025 using a placeholder figure of 501 affected individuals. At the time, it was unclear how many individuals had been affected. While the breach portal has not yet been updated with the new total, the Oregon Attorney General was informed that 1,223,635 individuals have been affected.

Absolute Dental explained in its substitute breach notice that an issue was identified within its information systems on February 26, 2025. Steps were taken to secure its systems and investigate the nature and scope of the activity. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that an unauthorized third party had access to its network between February 26, 2025, and March 5, 2025.

The file review was completed on July 28, 2025, when it was confirmed that sensitive personal data was exposed and potentially stolen. The affected individuals had their name exposed along with one or more of the following: contact information, date of birth, Social Security number, driver’s license or state-issued ID information, passport or other governmental ID information, and health information. Health information may have included health history, diagnosis/treatment information, explanation of benefits, health insurance information, and/or MRN number or patient identification number. A small subset of the affected individuals also had their financial account and/or payment card information exposed.

Absolute Dental said the third-party forensic investigation revealed that initial access to its network occurred via the execution of a malicious version of a legitimate software tool through an account associated with its managed services provider. Absolute Dental did not state which legitimate software tool was involved. The description suggests that a threat actor breached the network of its managed services provider, then either tricked an Absolute Dental employee into executing a malicious version of the software tool or the threat actor abused the privileged access of the managed services provider to install the tool, thus providing access to Absolute Dental’s information systems.

Absolute Dental has reported the data breach to regulators, notified law enforcement, and has implemented additional safeguards and technical security measures to prevent similar incidents in the future. Notification letters are being mailed to the affected individuals who have been offered two years of complimentary credit monitoring services.

The post Absolute Dental Confirmed Data Breach Affecting Over 1.2 Million Individuals appeared first on The HIPAA Journal.

Couple Plead Guilty to $1M Fraud Scheme Involving Stolen Patient Data

Posted by Steve Alder

A former business clerk at Montefiore Medical Center and his partner have pleaded guilty to stealing thousands of patient records and using the stolen data to defraud government agencies out of almost $1 million.

Wilkins Estrella, 40, of Hackensack, New Jersey, had worked at the Bronx hospital for almost a decade. He was terminated in 2020 after an internal audit of access logs revealed he had been accessing patient records without authorization from at least 2020 to 2022. The review confirmed that more than 4,000 medical records were accessed without any legitimate business purpose for doing so. Montefiore Medical Center reported the data breach to the HHS’ Office for Civil Rights and referred the matter to law enforcement for criminal prosecution.

Along with his romantic partner, Charlene Marte, 31, of the Bronx, New York, Estrella misused patient data to open debit card accounts in patients’ names and had those cards sent to their own addresses and those of family members. The pair then used data from multiple sources to target COVID-19 relief funds from the Internal Revenue Service (IRS) and the New York State Department of Labor, including patients’ names, Social Security numbers, and other personally identifiable information obtained from Montefiore Medical Center.

The pair attempted to obtain $1.6 million in stimulus checks, tax refunds, and unemployment benefits, resulting in almost $1 million in actual losses. The funds were loaded onto the debit cards that the couple had fraudulently obtained.

Marte pled guilty to conspiracy to commit wire fraud and bank fraud on July 28, 2025, and is due to be sentenced on November 5, 2025. She faces up to 30 years in jail.  Estrella pled guilty to conspiracy to commit wire fraud and bank fraud on August 7, 2025, as well as one count of wrongful disclosure of individually identifiable health information. Estrella faces a maximum jail term of 30 years for the bank and wire fraud counts, and up to 10 years in jail for the wrongful disclosure charge, and is due to be sentenced on December 1, 2025. Estrella and Marte are also liable for $951,618.20 in forfeiture and the same amount in restitution.

“Wilkins Estrella stole the personal data of thousands of people, including hospital patients, and used this data along with his partner Charlene Marte to claim money that was intended to assist struggling Americans during the pandemic,” said U.S. Attorney Jay Clayton.  “Defrauding federal programs harms all New Yorkers, and our Office is committed to stopping it.”

The post Couple Plead Guilty to $1M Fraud Scheme Involving Stolen Patient Data appeared first on The HIPAA Journal.

UI Community HomeCare Hacking Incident Affects 211,000 Patients

Posted by Steve Alder

On Friday last week, University of Iowa Health Care and its affiliated UI Community HomeCare, a home infusion and medical equipment service provider, announced a hacking incident that was identified on July 3, 2025.

Immediate action was taken to contain the threat, and its systems were safely restored within one business day. Third-party cybersecurity experts were engaged to conduct a forensic investigation to determine the nature and scope of the unauthorized activity, and it was confirmed that a cybercriminal hacker had access to the UI Community HomeCare network on July 3, 2025.

While the networks of University of Iowa Health Care and affiliated UI Community HomeCare are separate, both entities share some patients, employees, and data files. Some of those data files were exfiltrated by the hacker, although the investigation confirmed that there was no unauthorized access to its electronic medical record system.

The review of the affected data revealed that the files contained the personal and protected health information of approximately 211,000 individuals. Notification letters were mailed to those individuals last week. Information compromised in the incident varies from individual to individual and may include an individual’s name in combination with some or all of the following: address, phone number, date of birth, provider name, medical record number, visit type, date(s) of service, insurance information, and Social Security number.

At the time of issuing the notification letters, no evidence of misuse of any of the affected information had been identified; however, the affected individuals have been encouraged to closely monitor their account statements, credit reports, and explanation of benefits statements, and should report any suspicious activity.

UI Health Care and Health Care and UI Community HomeCare said several steps have been taken to improve security and prevent similar incidents in the future, and monitoring for unauthorized access to its computer systems has been enhanced.

The post UI Community HomeCare Hacking Incident Affects 211,000 Patients appeared first on The HIPAA Journal.

New York Counseling Provider and Florida Cancer Center Announce Data Breaches

Posted by Steve Alder

Family Counseling Services of the Finger Lakes in New York and the Cancer Care Center of North Florida have confirmed that patient data was compromised in recent hacking incidents.

Family Counseling Services of the Finger Lakes

Family Counseling Services of the Finger Lakes in New York has discovered unauthorized access to its email environment. Suspicious activity was identified on or around February 4, 2025, and the forensic investigation confirmed that a limited number of email accounts had been accessed by an unauthorized third party between January 14, 2025, and February 4, 2025.

The email accounts were immediately secured, and a review was conducted to determine the extent of data exposure. The file review was completed on June 30, 2025, and confirmed that the exposed data included full names, in combination with one or more of the following: date of birth, Social Security number, driver’s license number, bank account number, medical information, and health insurance information.

Family Counseling Service is unaware of any misuse of the exposed data; however, the affected individuals have been advised to remain vigilant against identity theft and fraud. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Cancer Care Center of North Florida

Cancer Care Center of North Florida has been affected by two security incidents, one involving unauthorized access to email accounts and a network server hacking incident. Both incidents involved the Integrated Oncology Network (ION).

As previously reported by the HIPAA Journal, the phishing incident affected multiple ION members. Between December 13, 2024, and December 16, 2024, an unauthorized third party gained access to certain emails and SharePoint files. The files contained names, addresses, dates of birth, financial account information, diagnosis, lab results, medication, treatment information, health insurance and claims information, provider names, and/or dates of treatment, and for a limited number of individuals, their Social Security numbers. Cancer Care Center of North Florida notified the HHS’ Office for Civil Rights that 976 patients of its Lake Butler location were affected.

The hacking incident involved unauthorized access to certain ION systems between March 31, 2025, and April 10, 2025.  ION discovered the intrusion on April 11, 2025, and said only limited systems were affected. The review of the affected files is ongoing, but it has been confirmed that the compromised information includes names, address, date of birth, medical record number, diagnoses/conditions, diagnostic imaging, diagnostic test results, lab results, medications, treatment information, health insurance information, provider names, dates of treatment, driver’s license numbers, and/or financial account information.

The breach has affected multiple ION practices, which were notified between July 11, 2025, and August 6, 2025. Cancer Care Center of North Florida has confirmed that 1,789 of its patients were affected.

The post New York Counseling Provider and Florida Cancer Center Announce Data Breaches appeared first on The HIPAA Journal.