Genoa Medical Facilities, which operates a 19-bed critical access hospital in Nebraska, has discovered unauthorized access to its email environment.  Email breaches have also been confirmed by Vail Summit Orthopaedics & Neurosurgery in Colorado and Southern Immediate Care in Alabama.

Genoa Community Hospital (Genoa Medical Facilities), Nebraska

Genoa Medical Facilities, which includes Genoa Community Hospital, a 19-bed critical access hospital, a 39-bed nursing home, and a medical clinic in Nebraska, has discovered unauthorized access to an employee’s email account. Suspicious email activity associated with a single email account was identified in March 2025. The forensic investigation confirmed that the breach was limited to a single account, and the account was reviewed to determine whether patient data had been exposed.

The review was completed on July 8, 2025, when it was confirmed that names, dates of birth, Social Security numbers, other government ID numbers, financial account information, medical treatment/diagnosis information, and health insurance information had been exposed. Notification letters are being sent to the affected individuals, and steps have been taken to improve email security. At the time of issuing notification letters, no misuse of the exposed information had been identified. The incident is not currently shown on the HHS’ Office for Civil Rights (OCR) breach portal, so it is unclear how many individuals have been affected.

Vail Summit Orthopaedics & Neurosurgery

Vail Summit Orthopaedics & Neurosurgery in Colorado has recently disclosed a breach of its email environment. Suspicious activity was identified on August 6, 2024. Immediate action was taken to prevent further unauthorized access, and cybersecurity professionals were engaged to investigate the activity. The investigation confirmed that an unauthorized third party accessed and acquired files, and a review has been conducted to determine the types of information involved and the individuals affected.

On July 24, 2025, Vail Summit confirmed that some patient information was copied in the incident, although no evidence has been uncovered to indicate any misuse of that data. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, health insurance information, treatment/insurance cost, diagnosis/treatment/procedure information, medical history/allergies, prescription drugs taken, medical images, test results/vital signs, healthcare provider name, and treatment date and location.

Single-bureau credit monitoring, credit report, and credit score services have been offered to the affected individuals. There is currently no listing on the OCR breach portal, so it is unclear how many individuals have been affected.

Southern Immediate Care, Alabama

Southern Immediate Care, an urgent care provider in Alabama, has announced a security incident involving two employee email accounts. Suspicious activity was identified in the accounts on April 15, 2025. An investigation has been launched, and the accounts are being reviewed to determine the extent to which patient information has been exposed. While that review is ongoing, Southern Immediate Care believes that both email accounts contain patient information. Notification letters will be mailed to the affected individuals when the review is completed. At present, no reports of misuse of patient data have been received.

The post Small Nebraska Critical Access Hospital Announces Data Breach appeared first on The HIPAA Journal.

In April 2025, the kidney dialysis giant DaVita disclosed a security incident in an SEC filing, although at the time, it was unclear how much sensitive data was stolen. Over the past 3 months, the investigation and data review have been progressing. State Attorneys General have been notified about the incident, and the scale of the data breach is becoming clearer.

Based on the state AG reports so far, the breach has affected more than 1 million patients; however, while all states have data breach notification laws, only a few publish breach reports, and only a handful publicly disclose the number of state residents affected. The table below shows the confirmed totals, but given that DaVita operates more than 2,675 outpatient dialysis centers in 43 states, the final total could well be several orders of magnitude larger.

At present, there is no listing on the HHS’ Office for Civil Rights breach portal. There is often a delay of a week or two between OCR receiving a breach report and adding it to the breach portal, so a listing is expected in the coming two weeks that will confirm how many individuals have been affected.

The notification letters provide further information about the data breach, although they do not mention ransomware. As reported below, the Interlock ransomware group claimed responsibility for the attack and claimed to have stolen 20 TB of data.

DaVita described the cyberattack as “a security incident that resulted in unauthorized access to certain DaVita network servers, primarily at its laboratories.” The intrusion was identified on April 12, 2025, and the threat actor was eradicated from its systems the same day. Third-party digital forensics experts were engaged to investigate the incident and assist with containment, eradication, and remediation.

The investigation confirmed that initial access to its network occurred on March 24, 2025, and continued until April 12, 2025. Data compromised in the incident included the dialysis labs database. The Interlock ransomware group claimed that it had stolen 20+ TB of databases, which included more than 200 million rows of patient data.

DaVita said the types of data involved were determined on or around June 18, 2025. The types of information compromised in the incident vary from individual to individual and may include:

• Demographic information – name, address, date of birth, Social Security number, health insurance-related information, and other identifiers internal to DaVita
• Clinical information – health condition, other treatment information, and certain dialysis lab test results
• Tax information – In limited cases, tax Identification numbers and, for a small subset of individuals, images of checks written to DaVita

DaVita said additional security monitoring tools and enhanced system controls have been implemented to prevent similar incidents in the future. DaVita is unaware of any misuse of patient data as a result of the security incident, but as a precaution, is offering the affected individuals a complimentary membership to the Experian IdentityWorks identity theft protection service for 12-24 months.

April 25, 2025: Ransomware Group Claims Responsibility for DaVita Ransomware Attack; Leaks Data

In mid-April, the kidney dialysis service provider DaVita announced in an SEC filing that it was dealing with a ransomware attack that had encrypted parts of its network. An investigation had been launched to determine its impact and whether any patient data was compromised. DaVita said internal operations faced disruption, but care delivery has continued at its dialysis centers and for patients treated at home, and new patients continued to be accepted.

DaVita has yet to make an announcement about a data breach as the investigation and data review are ongoing; however, the Interlock ransomware group has recently claimed responsibility for the attack and has started to leak some of the exfiltrated data. The Interlock ransomware data leak site claims that 20+ terabytes of sensitive data were stolen, including files containing patient data. The group claims to have attempted ransom negotiations before adding DaVita to its data leak site when the negotiations failed. The listing offers 1.5 terabytes of the stolen data for download, spread across 683,104 files in 75,836 folders. The remainder of the data has not been leaked as the group is holding out for a sale. The group claims to be selling 20+ terabytes of SQL databases that include more than 200 million rows of patient data. The HIPAA Journal has not verified whether any patient data is present in the leaked files.

DaVita has confirmed it is aware of the ransomware group’s claims and is currently engaged in a comprehensive data review and is working as quickly as possible to confirm which individuals have been affected and the types of data involved. Any affected parties and individuals will be notified as soon as possible. DaVita has also promised to share the findings of its investigation with its vendors and partners to raise awareness on how to defend against future attacks.

“Interlock first began adding victims to its data leak site in October 2024. As with most ransomware gangs today, it seeks a ransom payment for the decryption of systems and the deletion of stolen data. Since October 2024, we’ve tracked 13 confirmed attacks via this group and a further 13 unconfirmed attacks that haven’t been acknowledged by the organizations in question,” Rebecca Moody, Head of Data Research at Comparitech told The HIPAA Journal. “As we are seeing with DaVita, ransomware attacks on healthcare companies have the potential for widespread disruption. Not only can patient care be affected when systems are encrypted, but these attacks often have ongoing consequences when data is stolen by hackers. In 2024 alone, nearly 25.7 million individual records were breached across 160 ransomware attacks on US healthcare providers.”

At least two class action lawsuits have been filed against DaVita over the ransomware attack, even though DaVita has yet to confirm a data breach. DaVita disclosed the attack in an SEC filing but is still in the process of investigating the incident, and has not yet disclosed the types of information compromised in the attack or the number of affected individuals. The Interlock ransomware group claimed responsibility for the attack and has added DaVita to its data leak site. The lawsuits, Reid v. Davita Inc., and Jenkins et al v. DaVita were both filed in the U.S. District Court for the District of Colorado, allege the stolen data is already being misused, but there has been no confirmation from DaVita that the plaintiffs’ sensitive data has been stolen, nor have they been offered any assistance with credit monitoring and identity theft protection services. More lawsuits are expected to be filed in the coming days and weeks.

April 15, 2025: Dialysis Provider DaVita Hit with Ransomware Attack

The kidney dialysis giant DaVita has fallen victim to a ransomware attack that resulted in the encryption of parts of its network. The attack occurred on Saturday, April 12, 2025, and is impacting some of its operations, according to a Monday, April 14, 2025, 8K filing with the U.S. Securities and Exchange Commission (SEC).

The Denver, CO-based Fortune 500 firm operates more than 2,650 outpatient treatment centers in the United States, 509 centers in 13 other countries, employs 76,000 people globally, and served around 200,000 patients in the United States last year. In 2024, the company reported revenues of $12.82 billion. DaVita outpatient centers are used by patients with kidney disease which requires frequent dialysis. Any disruption to patient services could therefore have serious health implications for patients.

DaVita explained that its incident response protocols were immediately initiated, and the impacted systems were isolated to contain the attack and limit its impact. Backup systems have been activated, and manual processes have been implemented to ensure that care can continue to be provided to patients. While the DaVita ransomware attack is causing some disruption to operations, all dialysis centers remain open and care continues to be provided to patients.

Interim measures have been implemented to allow the rapid restoration of certain functions, but DaVita is currently unable to provide an estimate of the duration or extent of disruption or a timeline for a full recovery. Third-party cybersecurity professionals have been engaged to assist with the investigation and recovery, and law enforcement has been notified. At present, no ransomware group appears to have claimed responsibility for the attack.

“Given the recency of the incident, our investigation and response are ongoing, and the full scope, nature, and potential ultimate impact on the Company are not yet known,” explained DaVita in its 8K filing. While there is a growing trend of ransomware groups eschewing encryption, the majority steal sensitive data and use it as leverage to obtain a ransom payment. At this early stage of the investigation, DaVita is unable to confirm to what extent, if any, sensitive patient data was exposed or stolen.

This post will be updated when further information becomes available.

The post DaVita Ransomware Attack Affects More Than 1 Million Individuals appeared first on The HIPAA Journal.

A January data breach at Northwest Radiologists and Mount Baker Imaging has affected more than 348,000 patients. Data breaches have also been reported by Self Regional Healthcare in South Carolina and Health Care & Rehabilitation Services of SE Vermont.

Northwest Radiologists & Mount Baker Imaging

Northwest Radiologists and Mount Baker Imaging have provided an update on a data breach first announced in March 2025. The incident was described as a security incident that caused network disruption, and evidence had been found to indicate data exfiltration. At the time of the initial announcement, it was unclear how many individuals had been affected.

In a recent notification sent to the Washington Attorney General, Northwest Radiologists and Mount Baker Imaging confirmed that the following information was compromised in the incident: first and last names, addresses, telephone numbers, dates of birth, email addresses, Social Security numbers, driver’s license or state identification card numbers, treatment or diagnosis information, provider names, medical record numbers or patient identification numbers, health insurance information, and/or treatment cost information.

The same description of the incident is used, with no mention of ransomware. The forensic investigation confirmed that there had been unauthorized network access between January 20, 2025, and January 25, 2025. The delay in issuing notifications was due to the time taken to review the exposed files and obtain up-to-date address information.

Northwest Radiologists and Mount Baker Imaging said that, at the time of issuing notification letters, no misuse of the exposed data had been detected and that they have no reason to suspect any of the exposed information will be misused; however, as a precaution, the affected individuals are being offered complimentary credit monitoring and identity theft protection services. There is no data breach listed on the HHS’ Office for Civil Rights breach portal, but there is often a delay in adding data breaches. The Washington Attorney General was informed that the breach affected 348,118 state residents.

Self Regional Healthcare, South Carolina

Self Regional Healthcare, an independent regional referral hospital in Greenwood, South Carolina, has started notifying 26,696 patients that some of their protected health information was compromised in a cyberattack on a business associate in July 2024. The breach occurred at Nationwide Recovery Service, which provides debt collection services. Hackers had access to its network between July 5, 2024, and July 11, 2024, and exfiltrated data. The majority of affected clients were notified about the breach last year; however, Self Regional Healthcare only received a list of the affected individuals from NRS on May 23, 2025.

According to Self Regional Healthcare, “NRS is the successor entity to a vendor that Self Regional Healthcare (“SRH”) used back in 2012 for debt collection services,” and the data compromised in the attack on NRS relates to a period between 2012 and 2013. The compromised data includes names, dates of birth, Social Security numbers, diagnoses, dates of service, provider names, medical information, and/or health insurance information. Self Regional Healthcare has confirmed that the affected patients have been offered complimentary credit monitoring and identity theft protection services and said it no longer does business with NRS.

Health Care & Rehabilitation Services of SE Vermont

Health Care & Rehabilitation Services of SE Vermont (HCRS) has recently notified the Vermont Attorney General about unauthorized access to two employee email accounts. The unauthorized access was detected on December 20, 2025, and the passwords were reset to prevent further unauthorized access. Third-party cybersecurity professionals were engaged to investigate the unauthorized activity and determine the information that was exposed.

Following an extensive investigation and complex manual data review, HCRS learned on May 13, 2025, that the email accounts were subject to unauthorized access between December 4, 2025, and December 9, 2025, and client and staff information may have been viewed or copied. The exposed information included first and last names, dates of birth, Social Security numbers, financial account numbers, driver’s license numbers, dates of service, patient numbers, medical record numbers, billing information, treatment information, medical histories, and health insurance information.

The affected individuals have been advised to remain vigilant against incidents of identity theft and fraud. At present, there is no data breach listed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Medical Imaging Provider Confirms Data Breach Affecting More Than 348,000 Patients appeared first on The HIPAA Journal.