Endue Software Confirms Data Breach Affecting Multiple Providers
Cybersecurity incidents have been announced by Endue Software, Whitman County Public Hospital District No. 3, Palo Verde Hospital, and Northern California Children’s Therapy Center.
Endue Software
Endue Software, an infusion management platform provider, has recently confirmed it has been affected by a cyberattack that involved unauthorized access to patient data. In its April 11, 2025, substitute breach notice, Endue Software explained that unauthorized access to some of its systems was identified on February 17, 2025. The forensic investigation confirmed that an unauthorized actor gained access to some of its systems for a brief period on February 16, 2025. While the window of opportunity was short, files were copied from its systems during that time. Since February, Endue Software has been reviewing the compromised data to determine which clients and patients have been affected. It has now been confirmed that the compromised data included patients’ full names, addresses, dates of birth, Social Security numbers, and medical record numbers.
It is unclear how many of Endue Software’s clients have been affected in total. Endue Software has reported the breach to the HHS’ Office for Civil Rights as a data breach affecting 118,028 individuals; however, some of its customers may be reporting the data breach separately, as was the case with Rheumatology Associates of Baltimore (RAB), which recently reported the breach to OCR as affecting 28,968 of its patients.
Whitman County Public Hospital District No. 3
Whitman County Public Hospital District No. 3 in Washington State has recently announced a data breach that has affected 63,453 individuals, including patients and members of its Group Health Plan. Suspicious activity was identified within its IT network on February 28, 2025. Its IT environment was immediately secured, law enforcement was notified, and an investigation was launched to determine the cause of the activity.
The investigation confirmed that an unauthorized third party had access to its IT environment between December 26, 2024, and February 28, 2025, during which time files containing patient and health plan member data may have been viewed or acquired. The file review confirmed that the exposed data included names plus some or all of the following: date of birth, address, Social Security number, financial account information, diagnosis, lab results, medications, other treatment information, health insurance information, provider names, and/or dates of treatment.
Notification letters started to be sent to the affected individuals on April 11, 2025. Complimentary credit monitoring and identity theft protection services have been offered to eligible individuals. Whitman County Public Hospital District No. 3 said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.
Palo Verde Hospital
Palo Verde Hospital, a 51-bed hospital in Blythe, California, has recently notified the California Attorney General about a security incident “that disrupted the operations of some of its IT systems,” which suggests it was the victim of a ransomware attack. The incident was detected on March 6, 2025, and action was immediately taken to contain the threat. Assisted by third-party cybersecurity experts, the hospital determined there had been unauthorized access to its network between March 3, 2025, and March 6, 2025. During that time, files containing patient data were accessed and acquired by the threat actor.
The file review confirmed that the patient data involved included names, contact information, demographic information, Social Security numbers, dates of birth, medical record numbers, patient account numbers, diagnosis/treatment information, prescription information, provider name(s), date(s) of service, and health insurance information. A subset of individuals also had financial account information and routing numbers exposed.
Steps have been taken to improve security to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Northern California Children’s Therapy Center
Northern California Children’s Therapy Center in Woodland, California, has confirmed that patient data has been compromised in a recent security incident. On March 16, 2025, an unauthorized individual exploited a vulnerability in a cloud-based system used to collect and manage information to facilitate developmental screenings and connect families with appropriate resources.
The screenings were provided through the Help Me Grow Yolo County Program, through which community programs such as early childhood services are provided. When the breach was detected, action was immediately taken to secure the system, and the incident was fully resolved by March 19, 2025. An internal review has been completed, and the compromised data has been confirmed as:
- Referring provider information: agency name, address, phone number; provider name and email address
- Child’s information: name, gender, date of birth, language(s), and developmental skills
- Parent/caregiver information: name, relationship to the child, preferred method of contact, phone number, email address, and broad health-related issues
- Other information: Broad questions or concerns of the family or provider
It was not possible to determine whether any specific child’s data was accessed or acquired. As a precaution, all individuals who had screenings have been notified. Northern California Children’s Therapy Center is working with cybersecurity experts to ensure the ongoing security of systems and records, has reconfigured the impacted storage system, and is looking to implement additional measures to strengthen security.
The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
The post Endue Software Confirms Data Breach Affecting Multiple Providers appeared first on The HIPAA Journal.
Alternate Solutions Health Network Notifies Patients About May 2024 Email Breach
Email accounts have been compromised at four HIPAA-regulated organizations: Alternate Solutions Health Network in Ohio; Park Royal Hospital in Florida; 90 Degree Benefits in Minnesota; and the Charleston Fire Department in West Virginia. Almost 107,000 individuals have been affected.
Alternate Solutions Health Network, Ohio
Alternate Solutions Health Network, LLC, a Kettering, Ohio-based provider of home healthcare services, has identified unauthorized access to an employee’s email account that contained patient data. It is unclear for how long the threat actor had access to the account or when the breach was detected; however, it has taken almost a year for the affected individuals to be notified.
Alternate Solutions Health Network explained in its substitute breach notice that the forensic investigation confirmed that the account was breached on or around May 30, 2024. When the breach was detected, the account was secured, and third-party cybersecurity professionals were engaged to investigate the incident. “After an extensive investigation and manual document review, we discovered on February 14, 2025, that some personal and/or protected health information of individuals was contained in the compromised email account that was subject to unauthorized access and acquisition,” explained Alternate Solutions Health Network in the notification letters.
The types of information involved vary from individual to individual and may include first and last names, dates of birth, addresses, driver’s license numbers, physician/clinician names, clinical information, diagnostic information, and treatment information. A subset of the affected individuals also had their Social Security numbers stolen. Alternate Solutions Health Network said it will implement additional cybersecurity safeguards, enhance its employee cybersecurity training, and improve its cybersecurity policies, procedures, and protocols. The data breach was reported to the HHS’ Office for Civil Rights on April 14, 2025, as a breach affecting 93,589 individuals. Individual notification letters also started to be mailed on April 14, 2025.
Park Royal Hospital, Florida
The Pavilion at HealthPark, LLC, has announced a data breach affecting patients of Park Royal Hospital in Fort Myers, Florida. The private psychiatric hospital provides inpatient and outpatient behavioral health services, including treatment for mental health and substance use disorders. On January 14, 2025, an employee responded to a phishing email and disclosed their credentials, allowing a threat actor to access the employee’s email account and associated SharePoint account between January 14 and January 15, 2025. The breach was detected on January 17, 2025, and the email account was immediately secured.
The forensic investigation confirmed that the breach was limited to a single email account and the associated SharePoint account. No other systems or accounts were affected. The account review confirmed that the sensitive data of 9,349 patients was present in the account, including personally identifiable and protected health information such as names, admission dates, provider information, and patient status information. Individual notification letters started to be mailed to the affected individuals on March 18, 2025. Since Social Security numbers and financial information were not compromised, credit monitoring services are not being offered. Patients have been advised to monitor the statements they receive from their providers and health plans and should report any services listed that have not been received.
90 Degree Benefits, Inc., Minnesota
90 Degree Benefits, St. Paul, a third-party administrator that processes claims for companies that operate self-funded health plans, has identified an email account breach. Suspicious activity was identified in an employee’s email account in October 2024. The forensic investigation confirmed that a threat actor gained access to the account on October 18, 2024, and on or around December 17, 2024, it was confirmed that the threat actor had accessed emails and attachments in the account that contained sensitive data.
The emails and attachments were reviewed and found to contain information such as names, Social Security numbers, and/or member identification numbers. The breach was reported to the HHS’ Office for Civil Rights on April 18, 2025, as a data breach affecting 1,268 individuals. Individual notification letters were mailed to the affected individuals on April 18, 2025, and complimentary credit monitoring services have been made available. 90 Degree Benefits, St. Paul said several steps have already been taken to improve the security of its IT environment, including a review of security policies and processes and the provision of additional training to employees.
Charleston Fire Department, West Virginia
The Charleston Fire Department in West Virginia has identified unauthorized access to an employee’s email account. An account breach was suspected when the email account was used to send spam emails. The account was immediately secured, and third-party cybersecurity experts were engaged to conduct a forensic investigation. They confirmed that the breach was limited to a single email account, which was accessible between February 18, 2025, and February 21, 2025. The review of emails and attachments revealed the protected health information of 2,583 individuals had been exposed.
The exposed information was related to ambulance trips and EMS billing and included names, addresses, dates of birth, Social Security numbers, other demographic identifiers, clinical information (diagnoses/conditions, medications, dates of service), and/or insurance information. The majority of affected individuals only had their names, dates of service, insurance carriers, and billing amounts exposed. Steps are being taken to strengthen email security, and complimentary credit monitoring services have been offered to the affected individuals. Individual notification letters were mailed to the affected individuals on April 22, 2025.
The post Alternate Solutions Health Network Notifies Patients About May 2024 Email Breach appeared first on The HIPAA Journal.