Small Nebraska Critical Access Hospital Announces Data Breach

Genoa Medical Facilities, which operates a 19-bed critical access hospital in Nebraska, has discovered unauthorized access to its email environment. Email breaches have also been confirmed by Vail Summit Orthopaedics & Neurosurgery in Colorado and Southern Immediate Care in Alabama.

Genoa Community Hospital (Genoa Medical Facilities), Nebraska

Genoa Medical Facilities, which includes Genoa Community Hospital, a 19-bed critical access hospital, a 39-bed nursing home, and a medical clinic in Nebraska, has discovered unauthorized access to an employee’s email account. Suspicious email activity associated with a single email account was identified in March 2025. The forensic investigation confirmed that the breach was limited to a single account, and the account was reviewed to determine whether patient data had been exposed.

The review was completed on July 8, 2025, when it was confirmed that names, dates of birth, Social Security numbers, other government ID numbers, financial account information, medical treatment/diagnosis information, and health insurance information had been exposed. Notification letters are being sent to the affected individuals, and steps have been taken to improve email security. At the time of issuing notification letters, no misuse of the exposed information had been identified. The incident is not currently shown on the HHS’ Office for Civil Rights (OCR) breach portal, so it is unclear how many individuals have been affected.

Vail Summit Orthopaedics & Neurosurgery

Vail Summit Orthopaedics & Neurosurgery in Colorado has recently disclosed a breach of its email environment. Suspicious activity was identified on August 6, 2024. Immediate action was taken to prevent further unauthorized access, and cybersecurity professionals were engaged to investigate the activity. The investigation confirmed that an unauthorized third party accessed and acquired files, and a review has been conducted to determine the types of information involved and the individuals affected.

On July 24, 2025, Vail Summit confirmed that some patient information was copied in the incident, although no evidence has been uncovered to indicate any misuse of that data. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, health insurance information, treatment/insurance cost, diagnosis/treatment/procedure information, medical history/allergies, prescription drugs taken, medical images, test results/vital signs, healthcare provider name, and treatment date and location.

Single-bureau credit monitoring, credit report, and credit score services have been offered to the affected individuals. There is currently no listing on the OCR breach portal, so it is unclear how many individuals have been affected.

Southern Immediate Care, Alabama

Southern Immediate Care, an urgent care provider in Alabama, has announced a security incident involving two employee email accounts. Suspicious activity was identified in the accounts on April 15, 2025. An investigation has been launched, and the accounts are being reviewed to determine the extent to which patient information has been exposed. While that review is ongoing, Southern Immediate Care believes that both email accounts contain patient information. Notification letters will be mailed to the affected individuals when the review is completed. At present, no reports of misuse of patient data have been received.

The post Small Nebraska Critical Access Hospital Announces Data Breach appeared first on The HIPAA Journal.

Jury Rules Meta Violated California Privacy Law by Collecting Flo App Users’ Sensitive Data

Users of the Flo Period & Ovulation Tracker app (Flo App) who sued Facebook (Meta) and others over the alleged collection and interception of their sensitive data without consent have won a landmark victory after a jury ruled in their favor and found that Meta had violated the California Invasion of Privacy Act.

The Flo App, developed and owned by Flo Health, is one of the most popular health and wellness apps. According to Flo Health, the app is the #1 mobile product for women’s health. At the time the lawsuit was filed, the app had been downloaded more than 180 million times and had over 38 million active monthly users. When individuals download the Flo App, they are asked to enter personal data and answer a series of personal questions about their sexual health, gynecological health, general health and well-being, and menstruation cycles. As they continue to use the app, they are asked to provide further sensitive information, including when they have their period, if they have had sex, whether they masturbated, any health symptoms, and their mood. Flo Health uses the information provided to predict their likely ovulation date and offers tailored health and wellness advice.

Flo Health provided repeated assurances that the information provided would remain private and confidential and would not be shared with any third parties, unless the user provided explicit consent; however, that was not the case, as sensitive data was shared with third parties via software development kits (SDKs) incorporated into the Flo App.

Several class action lawsuits were filed in response to the data disclosures against Flo Health, Facebook, Google, Appflyer, and Flurry. The lawsuits were consolidated in 2021 as Frasco v. Flo Health in the U.S. District Court for the Northern District of California. The plaintiffs alleged that “Flo Health knowingly collected, transmitted, and disclosed Plaintiffs’ and Class members’ intimate health data to third parties, including the non-Flo defendants,” through SDKs incorporated into the app. Data was shared with third parties such as Facebook, and could be used to assist with targeted advertising.

Flo Health was also alleged to have incorporated non-Flo defendants’ SDKs into the app and transmitted sensitive information to those companies. According to the lawsuit, “the Non-Flo Defendants, including two of the largest digital advertisers in the world, incorporated this information into their existing data analytics and research segments to compile profiles and target users for advertisements,” which the plaintiffs allege occurred without their knowledge or consent.

The lawsuit asserted fourteen claims for relief against Flo Health, the Flo defendants, and non-Flo defendants. Google and Flurry previously chose to settle with the plaintiffs, and Flo Health followed suit last Thursday, settling for an undisclosed sum. Meta chose not to settle, and the trial proceeded to a jury verdict. The jury was asked to answer three questions, unanimously answering yes to the first two questions and no to the last.

  • Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that Meta intentionally eavesdropped on and/or recorded their conversation by using an electronic device?
  • Did plaintiffs prove, by a preponderance of the evidence and in accordance with the instructions given to you, that they had a reasonable expectation that the conversation was not being overheard and/or recorded?
  • Did Meta have the consent of all parties to the conversation to eavesdrop on and/or record it?

The verdict could help to rein in tech firms’ collection of sensitive user data for use in targeted advertising. “Companies like Meta that covertly profit from users’ most intimate information must be held accountable,” explained the plaintiffs’ lawyers in a statement about the verdict. “Today’s outcome reinforces the fundamental right to privacy — especially when it comes to sensitive health data.”

Meta vigorously disagrees with the outcome of the trial and is exploring all legal options and will likely appeal. “The plaintiffs’ claims against Meta are simply false,” according to a statement from Meta. “User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.” Meta maintains that any transmission of sensitive health data is due to a failure to comply with its terms of use.

Hundreds of class action lawsuits have been filed over the use of tracking tools on websites and health apps, and there has been a flurry of settlements in recent weeks. It is rare for these lawsuits to proceed to trial due to the risk of verdicts such as this, with most defendants opting to limit their financial exposure by settling the litigation. Many of those lawsuits have yet to be resolved, including several complaints against Meta.

DaVita Ransomware Attack Affects More Than 1 Million Individuals

In April 2025, the kidney dialysis giant DaVita disclosed a security incident in an SEC filing, although at the time, it was unclear how much sensitive data was stolen. Over the past 3 months, the investigation and data review have been progressing. State Attorneys General have been notified about the incident, and the scale of the data breach is becoming clearer.

Based on the state AG reports so far, the breach has affected more than 1 million patients; however, while all states have data breach notification laws, only a few publish breach reports, and only a handful publicly disclose the number of state residents affected. The table below shows the confirmed totals, but given that DaVita operates more than 2,675 outpatient dialysis centers in 43 states, the final total could well be several orders of magnitude larger.

State              Individuals Affected
Oregon                          915,952
Texas                            81,740
Washington                       13,404
Massachusetts                     7,829
Confirmed Total               1,018,925

At present, there is no listing on the HHS’ Office for Civil Rights breach portal. There is often a delay of a week or two between OCR receiving a breach report and adding it to the breach portal, so a listing is expected in the coming two weeks that will confirm how many individuals have been affected.

The notification letters provide further information about the data breach, although they do not mention ransomware. As reported below, the Interlock ransomware group claimed responsibility for the attack and claimed to have stolen 20 TB of data.

DaVita described the cyberattack as “a security incident that resulted in unauthorized access to certain DaVita network servers, primarily at its laboratories.” The intrusion was identified on April 12, 2025, and the threat actor was eradicated from its systems the same day. Third-party digital forensics experts were engaged to investigate the incident and assist with containment, eradication, and remediation.

The investigation confirmed that initial access to its network occurred on March 24, 2025, and continued until April 12, 2025. Data compromised in the incident included the dialysis labs database. The Interlock ransomware group claimed that it had stolen 20+ TB of databases, which included more than 200 million rows of patient data.

DaVita said the types of data involved were determined on or around June 18, 2025. The types of information compromised in the incident vary from individual to individual and may include:

  • Demographic information – name, address, date of birth, Social Security number, health insurance-related information, and other identifiers internal to DaVita
  • Clinical information – health condition, other treatment information, and certain dialysis lab test results
  • Tax information – in limited cases, tax identification numbers and, for a small subset of individuals, images of checks written to DaVita

DaVita said additional security monitoring tools and enhanced system controls have been implemented to prevent similar incidents in the future. DaVita is unaware of any misuse of patient data as a result of the security incident, but as a precaution, is offering the affected individuals a complimentary membership to the Experian IdentityWorks identity theft protection service for 12-24 months.

April 25, 2025: Ransomware Group Claims Responsibility for DaVita Ransomware Attack; Leaks Data

In mid-April, the kidney dialysis service provider DaVita announced in an SEC filing that it was dealing with a ransomware attack that had encrypted parts of its network. An investigation had been launched to determine its impact and whether any patient data was compromised. DaVita said internal operations faced disruption, but care delivery has continued at its dialysis centers and for patients treated at home, and new patients continued to be accepted.

DaVita has yet to make an announcement about a data breach as the investigation and data review are ongoing; however, the Interlock ransomware group has recently claimed responsibility for the attack and has started to leak some of the exfiltrated data. The Interlock ransomware data leak site claims that 20+ terabytes of sensitive data were stolen, including files containing patient data. The group claims to have attempted ransom negotiations before adding DaVita to its data leak site when the negotiations failed. The listing offers 1.5 terabytes of the stolen data for download, spread across 683,104 files in 75,836 folders. The remainder of the data has not been leaked as the group is holding out for a sale. The group claims to be selling 20+ terabytes of SQL databases that include more than 200 million rows of patient data. The HIPAA Journal has not verified whether any patient data is present in the leaked files.

DaVita has confirmed it is aware of the ransomware group’s claims and is currently engaged in a comprehensive data review and is working as quickly as possible to confirm which individuals have been affected and the types of data involved. Any affected parties and individuals will be notified as soon as possible. DaVita has also promised to share the findings of its investigation with its vendors and partners to raise awareness on how to defend against future attacks.

“Interlock first began adding victims to its data leak site in October 2024. As with most ransomware gangs today, it seeks a ransom payment for the decryption of systems and the deletion of stolen data. Since October 2024, we’ve tracked 13 confirmed attacks via this group and a further 13 unconfirmed attacks that haven’t been acknowledged by the organizations in question,” Rebecca Moody, Head of Data Research at Comparitech told The HIPAA Journal. “As we are seeing with DaVita, ransomware attacks on healthcare companies have the potential for widespread disruption. Not only can patient care be affected when systems are encrypted, but these attacks often have ongoing consequences when data is stolen by hackers. In 2024 alone, nearly 25.7 million individual records were breached across 160 ransomware attacks on US healthcare providers.”

At least two class action lawsuits have been filed against DaVita over the ransomware attack, even though DaVita has yet to confirm a data breach. DaVita disclosed the attack in an SEC filing but is still in the process of investigating the incident, and has not yet disclosed the types of information compromised in the attack or the number of affected individuals. The Interlock ransomware group claimed responsibility for the attack and has added DaVita to its data leak site. The lawsuits, Reid v. DaVita Inc. and Jenkins et al. v. DaVita, both filed in the U.S. District Court for the District of Colorado, allege that the stolen data is already being misused; however, there has been no confirmation from DaVita that the plaintiffs’ sensitive data has been stolen, nor have the plaintiffs been offered any assistance with credit monitoring and identity theft protection services. More lawsuits are expected to be filed in the coming days and weeks.

April 15, 2025: Dialysis Provider DaVita Hit with Ransomware Attack

The kidney dialysis giant DaVita has fallen victim to a ransomware attack that resulted in the encryption of parts of its network. The attack occurred on Saturday, April 12, 2025, and is impacting some of its operations, according to a Monday, April 14, 2025, 8K filing with the U.S. Securities and Exchange Commission (SEC).

The Denver, CO-based Fortune 500 firm operates more than 2,650 outpatient treatment centers in the United States and 509 centers in 13 other countries, employs 76,000 people globally, and served around 200,000 patients in the United States last year. In 2024, the company reported revenues of $12.82 billion. DaVita outpatient centers are used by patients with kidney disease that requires frequent dialysis, so any disruption to patient services could have serious health implications.

DaVita explained that its incident response protocols were immediately initiated, and the impacted systems were isolated to contain the attack and limit its impact. Backup systems have been activated, and manual processes have been implemented to ensure that care can continue to be provided to patients. While the DaVita ransomware attack is causing some disruption to operations, all dialysis centers remain open and care continues to be provided to patients.

Interim measures have been implemented to allow the rapid restoration of certain functions, but DaVita is currently unable to provide an estimate of the duration or extent of disruption or a timeline for a full recovery. Third-party cybersecurity professionals have been engaged to assist with the investigation and recovery, and law enforcement has been notified. At present, no ransomware group appears to have claimed responsibility for the attack.

“Given the recency of the incident, our investigation and response are ongoing, and the full scope, nature, and potential ultimate impact on the Company are not yet known,” explained DaVita in its 8K filing. While there is a growing trend of ransomware groups eschewing encryption, the majority steal sensitive data and use it as leverage to obtain a ransom payment. At this early stage of the investigation, DaVita is unable to confirm to what extent, if any, sensitive patient data was exposed or stolen.

This post will be updated when further information becomes available.


Boston Children’s Health Physicians Pays $5.15M to Settle Data Breach Lawsuit

Valhalla, NY-based Boston Children’s Health Physicians (BCHP) and ATSG Inc. have agreed to pay $5,150,000 to settle a class action lawsuit stemming from a September 2024 cyberattack and data breach that affected approximately 918,000 individuals.

BCHP is a multi-specialty pediatric group serving newborns and children in New York and Connecticut. On September 6, 2024, BCHP learned that a hacking group had gained access to the systems of its managed services provider (ATSG Inc. – now XTIUM Inc.), and on September 10, 2024, the hacking group abused the IT vendor’s access to breach BCHP’s own systems.

The BianLian hacking group claimed responsibility for the attack and gained access to names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record numbers, health insurance information, billing information, and limited treatment information. The breach was reported to the HHS as involving the protected health information of 909,469 patients, and employee data was also compromised, with approximately 918,000 individuals in total affected by the breach.

Five lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Noni Wahab, et al. v. Boston Children’s Health Physicians, LLP and ATSG Inc. – in the Supreme Court of the State of New York, County of Westchester. The consolidated class action complaint alleged negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and a violation of New York General Business Law.

The defendants maintain there was no wrongdoing and no liability; however, they chose to settle the lawsuit to avoid the litigation costs, expenses, distractions, burden, and disruption to business operations associated with continuing with the litigation. Under the terms of the settlement, the defendants will establish a $5,150,000 settlement fund to cover attorneys’ fees (up to $1,716,667), attorneys’ expenses (yet to be determined), service awards to the class representatives ($2,500 for each of the named plaintiffs), credit monitoring costs (yet to be determined), settlement administration costs (yet to be determined), and payments to class members.

Two cash payments are available. Class members may submit a claim for reimbursement of documented, unreimbursed losses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may choose to receive a pro rata cash payment, which will be paid after all costs and claims have been paid. The cash payment is expected to be $100, but may be increased or decreased depending on the number of claims received.

In addition to a cash payment, class members may claim two years of Cyex Medical Shield Medical Data Monitoring, which includes medical identity monitoring, real-time alerts, and a $1 million identity theft insurance policy. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 10, 2025. Class members wishing to object to or exclude themselves from the settlement must do so by November 10, 2025, and claims must be submitted by November 25, 2025. Further information is available on the settlement website: https://bchpsettlement.com/


Medical Imaging Provider Confirms Data Breach Affecting More Than 348,000 Patients

A January data breach at Northwest Radiologists and Mount Baker Imaging has affected more than 348,000 patients. Data breaches have also been reported by Self Regional Healthcare in South Carolina and Health Care & Rehabilitation Services of SE Vermont.

Northwest Radiologists & Mount Baker Imaging

Northwest Radiologists and Mount Baker Imaging have provided an update on a data breach first announced in March 2025. The incident was described as a security incident that caused network disruption, and evidence had been found to indicate data exfiltration. At the time of the initial announcement, it was unclear how many individuals had been affected.

In a recent notification sent to the Washington Attorney General, Northwest Radiologists and Mount Baker Imaging confirmed that the following information was compromised in the incident: first and last names, addresses, telephone numbers, dates of birth, email addresses, Social Security numbers, driver’s license or state identification card numbers, treatment or diagnosis information, provider names, medical record numbers or patient identification numbers, health insurance information, and/or treatment cost information.

The same description of the incident is used, with no mention of ransomware. The forensic investigation confirmed that there had been unauthorized network access between January 20, 2025, and January 25, 2025. The delay in issuing notifications was due to the time taken to review the exposed files and obtain up-to-date address information.

Northwest Radiologists and Mount Baker Imaging said that, at the time of issuing notification letters, no misuse of the exposed data had been detected and that they have no reason to suspect any of the exposed information will be misused; however, as a precaution, the affected individuals are being offered complimentary credit monitoring and identity theft protection services. There is no data breach listed on the HHS’ Office for Civil Rights breach portal, but there is often a delay in adding data breaches. The Washington Attorney General was informed that the breach affected 348,118 state residents.

Self Regional Healthcare, South Carolina

Self Regional Healthcare, an independent regional referral hospital in Greenwood, South Carolina, has started notifying 26,696 patients that some of their protected health information was compromised in a cyberattack on a business associate in July 2024. The breach occurred at Nationwide Recovery Service, which provides debt collection services. Hackers had access to its network between July 5, 2024, and July 11, 2024, and exfiltrated data. The majority of affected clients were notified about the breach last year; however, Self Regional Healthcare only received a list of the affected individuals from NRS on May 23, 2025.

According to Self Regional Healthcare, “NRS is the successor entity to a vendor that Self Regional Healthcare (“SRH”) used back in 2012 for debt collection services,” and the data compromised in the attack on NRS relates to a period between 2012 and 2013. The compromised data includes names, dates of birth, Social Security numbers, diagnoses, dates of service, provider names, medical information, and/or health insurance information. Self Regional Healthcare has confirmed that the affected patients have been offered complimentary credit monitoring and identity theft protection services and said it no longer does business with NRS.

Health Care & Rehabilitation Services of SE Vermont

Health Care & Rehabilitation Services of SE Vermont (HCRS) has recently notified the Vermont Attorney General about unauthorized access to two employee email accounts. The unauthorized access was detected on December 20, 2025, and the passwords were reset to prevent further unauthorized access. Third-party cybersecurity professionals were engaged to investigate the unauthorized activity and determine the information that was exposed.

Following an extensive investigation and complex manual data review, HCRS learned on May 13, 2025, that the email accounts were subject to unauthorized access between December 4, 2025, and December 9, 2025, and client and staff information may have been viewed or copied. The exposed information included first and last names, dates of birth, Social Security numbers, financial account numbers, driver’s license numbers, dates of service, patient numbers, medical record numbers, billing information, treatment information, medical histories, and health insurance information.

The affected individuals have been advised to remain vigilant against incidents of identity theft and fraud. At present, there is no data breach listed on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.
