Neuromusculoskeletal Center of The Cascades Settlement Provides Cash Benefits for Breach Victims
Neuromusculoskeletal Center of The Cascades, PC, and Cascade Surgicenter LLC in Oregon have agreed to settle class action litigation stemming from an October 2023 data incident. An unauthorized third party gained access to employee email accounts between October 2, 2023, and October 3, 2023. While the unauthorized access was detected and remediated promptly, the hackers had access to sensitive data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial information, medical information, health insurance information, and digital signatures.
Notification letters were mailed to the affected individuals on December 1, 2023. The Oregon Attorney General was informed that the breach affected 22,796 individuals, and the HHS’ Office for Civil Rights was notified that the protected health information of 19,373 individuals was potentially compromised in the attack.
A class action lawsuit was filed by plaintiff Krysta Hakkila individually and on behalf of similarly situated individuals, which was followed by a second lawsuit filed by plaintiff Ida Vetter. The two lawsuits were consolidated in the Circuit Court of Deschutes County, Oregon – Hakkila et al. v. Neuromusculoskeletal Center of The Cascades, PC.
The lawsuit claimed that the Neuromusculoskeletal Center of The Cascades failed to implement appropriate security measures and could have prevented the data breach, asserting claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, invasion of privacy, and violations of the Oregon Unlawful Trade Practices Act. Neuromusculoskeletal Center of The Cascades disagrees with the claims and maintains that there was no wrongdoing and that there is no liability.
The defendants and the plaintiffs agreed to settle the lawsuit with no admission of wrongdoing or liability to avoid the cost and risks of a trial. The settlement has recently received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for two years of medical data monitoring (CyEx Medical Shield Total), reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $500 per class member, reimbursement for documented lost time dealing with the effects of the data breach (up to four hours at $25 per hour), and reimbursement of losses to identity theft and fraud, up to a maximum of $2,500 per class member. Class members who do not wish to claim any of the above benefits may submit a claim for an alternative one-time cash payment of $80.
The deadline for submitting a claim is December 26, 2025. The final approval hearing has been scheduled for January 9, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 25, 2025.
The post Neuromusculoskeletal Center of The Cascades Settlement Provides Cash Benefits for Breach Victims appeared first on The HIPAA Journal.
New Jersey Medical Center Suffers Ransomware Attack – The HIPAA Journal
Central Jersey Medical Center in New Jersey has experienced a ransomware attack. David A. Nover, M.D., is notifying patients about a hacking incident, and Goglia Nutrition (FuturHealth) has announced an October 2024 data breach.
Central Jersey Medical Center, New Jersey
Central Jersey Medical Center, Inc., a Federally Qualified Health Center with locations in Perth Amboy, Newark, and Carteret, New Jersey, has started notifying dental patients about a recent security incident. On August 25, 2025, a cybercriminal actor gained access to its dental server’s network and used ransomware to encrypt files.
An investigation was launched to determine the nature and scope of the activity, and a review was conducted to identify the patients affected and the types of information that were exposed. The electronic medical record system was unaffected; however, files containing patient information were potentially accessed or obtained. At the time of issuing notification letters, Central Jersey Medical Center had not found any evidence to indicate any misuse of the exposed data. The Sinobi ransomware group claimed responsibility for the attack and added the healthcare provider to its data leak site. Sinobi claims to have exfiltrated 930 GB of data.
The types of information involved varied from patient to patient and may have included names in combination with one or more of the following: address, telephone number, email address, date of birth, race/ethnicity, Social Security number, dental record number, health insurance information, dental diagnosis, treatment history, and/or billing information.
Third-party cybersecurity experts were engaged to investigate the incident and review and enhance security, and internal procedures have been strengthened to prevent similar incidents in the future. The data breach has been reported to regulators; however, it is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.
David A. Nover, M.D., P.C., Pennsylvania
David A. Nover, M.D., P.C., a psychiatry and psychotherapy practice in Warrington, Pennsylvania, is notifying patients about a recent security incident that exposed patient information. On or around June 3, 2025, unusual activity was identified within the practice’s computer network. An investigation was launched, with assistance provided by legal counsel and third-party digital forensics specialists. The investigation confirmed unauthorized access to the network on June 3, 2025, and some files containing patient information were copied from the network. The exposed files have been reviewed, and that process was completed on October 29, 2025.
Information potentially compromised in the incident included names, dates of birth, Social Security numbers, payment card information (number, expiration date, access information), medical record numbers, patient IDs or account numbers, Medicare numbers, health insurance ID numbers, health insurance group numbers, medical diagnosis information, medical treatment information, medical treatment location, doctors’ names, treatment dates, and medical lab or test results. Credit monitoring and identity protection services have been offered to the affected individuals. The data breach is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.
FuturHealth, California
Goglia Nutrition, doing business as FuturHealth, Inc., a California-based health and wellness company specializing in nutrition plans and weight management, has experienced a data security incident. According to the notification letters mailed on October 17, 2025, the data breach occurred in October 2024.
According to the notification letters, on October 16, 2024, an unknown actor gained access to a data storage environment containing G-Plan data. The review of the affected storage environment has recently concluded and confirmed that the data compromised in the incident included names and information provided by customers as part of their subscription. Highly sensitive information such as Social Security numbers, driver’s license numbers, and financial information was not involved. The number of affected individuals has yet to be publicly disclosed.
U.S. Nationals Indicted for BlackCat Ransomware Attacks on Healthcare Organizations – The HIPAA Journal
Two U.S. nationals have recently been indicted for using BlackCat ransomware to attack targets in the United States. A third individual is suspected of involvement but was not included in the indictment. All three individuals worked at cybersecurity companies and conducted the attacks while they were employed there.
Ryan Clifford Goldberg was employed by the cybersecurity firm Sygnia as an incident response professional, and Kevin Tyler Martin and an unnamed co-conspirator were both employed by the Chicago-based cyber threat intelligence and incident response firm DigitalMint as ransomware threat negotiators.
The two indicted individuals are alleged to have engaged in a conspiracy to enrich themselves by breaching company networks, stealing their data, using ransomware to encrypt files, and extorting the companies to obtain cryptocurrency payments. A medical device company was attacked on or around May 13, 2023, resulting in a $10 million ransom demand. The medical device company negotiated and paid a $1,274,000 ransom payment.
A pharmaceutical company was also attacked in May 2023, but the ransom demand was not disclosed. Then came a July 2023 attack on a doctor’s office in California, which included a $5,000,000 ransom demand. In October 2023, an engineering company was attacked and told to pay $1 million, then in November 2023, a drone manufacturer in Virginia was attacked, and the defendants allegedly demanded a $300,000 ransom payment. Only the medical device company paid the ransom.
Kevin Tyler Martin, who resides in Texas, was employed as a ransomware negotiator by DigitalMint between May 2023 and April 2025, where the unnamed Florida-based co-conspirator also worked. Both individuals are thought to have been rogue employees and have been fired by DigitalMint, which has been cooperating with the law enforcement operation. Ryan Clifford Goldberg was employed as an incident response manager at Sygnia Cybersecurity Services at the time of the attacks, but no longer works for the company.
There are no indications that either company was aware of the attacks, which were conducted outside of their infrastructure and systems. DigitalMint said client data was not compromised in the incident, and no one alleged to have been involved in the scheme has worked for the company in over four months.
The FBI raided the home of the unnamed co-conspirator in April 2025, and Goldberg was interviewed by the FBI the following month, initially denying involvement in the scheme. Goldberg later claimed to have been recruited by the unnamed co-conspirator and said he conducted the attacks to get out of debt. He claims that, along with the other two members of the scheme, he received payment of $200,000 for the attack. Martin denies any involvement in the scheme.
Martin and Goldberg were indicted on October 2, 2025, on charges of conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce, and intentional damage to a protected computer. Martin has been released on a $400,000 bond and is prohibited from working in cybersecurity before the trial.
Goldberg is being held pending trial as he is considered a flight risk. Goldberg booked a one-way flight from Atlanta to Paris in June and traveled with his wife. He remained in France until September 21. Goldberg flew from Amsterdam to Mexico City and was arrested when he landed and deported to the United States. If found guilty, Martin and Goldberg face up to 50 years in jail.
Oglethorpe Hacking Incident Affects More Than 92,000 Patients – The HIPAA Journal
A Tampa, FL-based network of mental health and addiction recovery treatment facilities has recently disclosed a security incident that involved unauthorized access to patient data. Oglethorpe offers management solutions for health centers, wellness clinics, and hospitals that specialize in psychiatric services, substance abuse treatment programs, and behavioral health counseling, and has facilities in Florida, Louisiana, and Ohio.
In June 2025, Oglethorpe experienced a hacking incident that rendered its systems inoperable for a limited time. Third-party cybersecurity experts were engaged to help contain, investigate, and remediate the incident. The investigation revealed that the hackers first gained access to its network on May 15, 2025, and maintained access until June 6, 2025. The investigation concluded on September 16, 2025, when it was confirmed that files containing patient information had been exfiltrated from its network. Those files were reviewed, and that process was completed on October 23, 2025, when Oglethorpe learned that first and last names, birth dates, Social Security numbers, driver’s license numbers, and medical information were involved.
Oglethorpe said no evidence has been found to indicate any misuse of the impacted information; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months.
In response to the breach, all systems were wiped and rebuilt, and data was restored from backups. Steps have also been taken to improve network security to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights website; however, the Maine Attorney General was informed that the breach affected 92,332 individuals, including 85 Maine residents.
Northern Montana Health Care Affected by Business Associate Hacking Incident
Havre, MT-based Northern Montana Health Care (NMHC) has been affected by a data breach at one of its business associates. NMHC contracted with Wakefield & Associates, LLC, which provides debt collection services. On October 29, 2025, NMHC published a notice warning patients about a security incident at Wakefield & Associates, which involved unauthorized access to certain files. The incident was confined to the Wakefield & Associates network. No NMHC systems were affected.
Wakefield & Associates is notifying the affected individuals directly, and the individual letters state the types of information involved. NMHC has confirmed that Wakefield & Associates is offering the affected individuals complimentary credit monitoring and identity theft protection services. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.