Tri Century Eye Care & Pittsburgh Gastroenterology Associates Announce Data Breaches
Data breaches have recently been announced by Tri Century Eye Care in Pennsylvania, Pittsburgh Gastroenterology Associates, NAHGA Claims Services, and the Texas revenue cycle management company, Legacy Health.
Tri Century Eye Care
Tri Century Eye Care, P.C., in Pennsylvania, has recently started notifying patients about a September 2025 data security incident involving the theft of files containing sensitive data. Suspicious network activity was identified on September 3, 2025, and immediate steps were taken to secure its network. Third-party cybersecurity specialists were engaged to investigate and determine the nature and scope of the activity, and on September 19, 2025, Tri Century Eye Care learned that an unknown actor had accessed its network and acquired files. There was no unauthorized access to its electronic medical record system.
The files were reviewed and found to contain personal and protected health information of patients and employees. The types of information involved varied from individual to individual and may have included names in combination with one or more of the following: Social Security number, date of birth, medical or health information, diagnostic and treatment information, health insurance information, billing or payment information, and/or tax/financial information.
Tri Century Eye Care has implemented additional security measures to reduce the risk of similar incidents in the future, including enforcing stronger password requirements, requiring more frequent password changes, reducing access permissions, and ensuring older data is stored offline. The HHS’ Office for Civil Rights has been notified about the incident, as has the FBI. The OCR breach portal is not currently showing the data breach, so it is unclear how many individuals have been affected.
The Pear threat group claimed responsibility for the incident. Pear (Pure Extraction And Ransom) is a private hacking group that does not engage in data encryption. While no specific industry is targeted, the group has claimed several healthcare victims. Pear claims to have exfiltrated 3.3 GB of data, and appears to have leaked the full dataset.
Pittsburgh Gastroenterology Associates
Pittsburgh Gastroenterology Associates has notified patients about an August 2025 cyberattack that involved unauthorized access to patient information. This appears to have been a ransomware attack, based on the description in its breach notification letters. Pittsburgh Gastroenterology Associates experienced network disruption on August 12, 2025, and after taking steps to secure its IT systems, launched an investigation to determine the nature and scope of the activity. Assisted by digital forensics specialists, Pittsburgh Gastroenterology Associates determined on August 28, 2025, that a threat actor had accessed its network and may have exfiltrated files containing patient information.
The exposed files were reviewed and found to contain first and last names, birth dates, treatment and procedure information, and health insurance information. Social Security numbers and financial information were not involved, and there was no unauthorized access to its electronic medical record system. Third-party experts have been engaged to conduct a full review of its security practices, and enhancements have been made to improve network and data security.
The Sinobi ransomware group claimed responsibility for the attack and added Pittsburgh Gastroenterology Associates to its dark web data leak site. The dark web leak site appears to list the full 198 Gb of data stolen in the attack.
NAHGA Claims Services
The National Accident Health General Agency (NAHGA) Claims Services, a Bridgton, Maine-based third-party administrator specializing in accident and health insurance claims, has recently notified state attorneys general about a security incident involving unauthorized access to its computer network. Suspicious network activity was identified on April 13, 2025, and third-party cybersecurity experts were engaged to investigate the activity.
The investigation revealed that its computer network had been accessed by an unauthorized third party between April 8, 2025, and April 10, 2025, during which time certain files on its network may have been acquired. A review was conducted to determine the types of information compromised in the incident, and that process was completed in October. NAHGA has been working with the affected clients to issue notifications to the affected individuals.
At present, it is unclear how many individuals have been affected; however, given that NAHGA provides services nationally, the data breach has the potential to be significant. NAHGA is offering the affected individuals complimentary credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy. NAHGA has also taken steps to improve network and data security to prevent similar data breaches in the future.
Legacy Health
Legacy Health, a Texas revenue cycle management company that works with more than 12,000 healthcare providers, has recently disclosed a security incident that has exposed patient data. Little is currently known about the data breach, other than it potentially involves unauthorized access to individuals’ names, medical information, and health insurance information. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected in total, although the Texas Attorney General was informed that 4,031 Texas residents have been affected.
The post Tri Century Eye Care & Pittsburgh Gastroenterology Associates Announce Data Breaches appeared first on The HIPAA Journal.
Pomona Valley Hospital Medical Center Pays $600K to Settle Meta Pixel Lawsuit – The HIPAA Journal
Pomona Valley Hospital Medical Center in California has agreed to pay $600,000 to resolve all claims in class action litigation over its use of Meta Pixel and similar tracking technologies on its public website. According to the lawsuit, the tracking tools resulted in an impermissible disclosure of personally identifiable information to third parties such as Meta (Facebook).
The lawsuit – Warren v. Pomona Valley Hospital Medical Center – was filed in the Superior Court of the State of California, County of Los Angeles, and alleged the use of these tools violated wiretapping and other statutes. Pomona Valley Hospital Medical Center denies all material allegations in the lawsuit and maintains there was no wrongdoing or liability; however, the decision was made to settle the litigation to avoid the costs and risks associated with a trial and related appeals.
Following extensive arm’s-length negotiations, a settlement in principle was reached, and the full terms of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Pomona Valley Hospital Medical Center has agreed to establish a $600,000 settlement fund to cover attorneys’ fees, administrative expenses, service awards, and benefits to the class members.
After all fees and expenses have been deducted from the settlement fund, the remainder will be paid to class members as a pro rata cash payment. Class members are California residents who visited the Pomona Valley Hospital Medical Center website and logged into the patient portal between January 1, 2019, and December 31, 2022.
The deadline for objection to and exclusion from the settlement is December 9, 2025, and the final fairness hearing has been scheduled for January 5, 2026. Class members will be contacted directly about the settlement and may choose how they receive their cash payment (check, PayPal, Venmo, etc.), or may make that choice via the settlement website: https://pvhmcsettlement.com/
ImageTrend earns SOC 2 Type 2 and HIPAA/HITECH compliance certification – FireRescue1
ImageTrend earns SOC 2 Type 2 and HIPAA/HITECH compliance certification – EMS1
Levitate Announces Launch of New HIPAA-Compliant Solution for Healthcare Practices to Deliver Digital, Personalized Patient Care – citybiz
Neuromusculoskeletal Center of The Cascades Settlement Provides Cash Benefits for Breach Victims
Neuromusculoskeletal Center of The Cascades, PC, and Cascade Surgicenter LLC in Oregon have agreed to settle class action litigation stemming from an October 2023 data incident. An unauthorized third party gained access to employee email accounts between October 2, 2023, and October 3, 2023. While the unauthorized access was detected and remediated promptly, the hackers had access to sensitive data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial information, medical information, health insurance information, and digital signatures.
Notification letters were mailed to the affected individuals on December 1, 2023. The Oregon Attorney General was informed that the breach affected 22,796 individuals, and the HHS’ Office for Civil Rights was notified that the protected health information of 19,373 individuals was potentially compromised in the attack.
A class action lawsuit was filed by plaintiff Krysta Hakkila individually and on behalf of similarly situated individuals, which was followed by a second lawsuit filed by plaintiff Ida Vetter. The two lawsuits were consolidated in the Circuit Court of Deschutes County, Oregon – Hakkila et al. v. Neuromusculoskeletal Center of The Cascades, PC.
The lawsuit claimed that the Neuromusculoskeletal Center of The Cascades failed to implement appropriate security measures and could have prevented the data breach, asserting claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, invasion of privacy, and violations of the Oregon Unlawful Trade Practices Act. Neuromusculoskeletal Center of The Cascades disagrees with the claims and maintains that there was no wrongdoing and that there is no liability.
The defendants and the plaintiffs agreed to settle the lawsuit with no admission of wrongdoing or liability to avoid the cost and risks of a trial. The settlement has recently received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for two years of medical data monitoring (CyEx Medical Shield Total), reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $500 per class member, reimbursement for documented lost time dealing with the effects of the data breach (up to four hours at $25 per hour), and reimbursement of losses due to identity theft and fraud, up to a maximum of $2,500 per class member. Class members who do not wish to claim any of the above benefits may submit a claim for an alternative one-time cash payment of $80.
The deadline for submitting a claim is December 26, 2025. The final approval hearing has been scheduled for January 9, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 25, 2025.
The post Neuromusculoskeletal Center of The Cascades Settlement Provides Cash Benefits for Breach Victims appeared first on The HIPAA Journal.