Florida Insurance Commissioner Suspends Mirra Health for Medicare Data Transfers to Foreign Companies
The sensitive data of more than 23,000 Florida Medicare members has been impermissibly shared with overseas companies, putting Medicare members’ sensitive health data at risk. The data was shared by Mirra Health, a provider of administrative services to health maintenance organizations (HMOs) in Florida.
Mirra Health had contracts with three HMOs in Florida: Secure Inc, Solis Health Plans Inc., and Ultimate Health Plans Inc. Under those contracts, Mirra Health agreed to provide certain administrative services, including member enrollment, claims adjudication and payment, utilization management, and grievance and appeals processing. Mirra Health engaged four unlicensed companies in India and the Philippines to perform claims processing and other functions and provided those companies with the necessary data to perform those functions.
While Mirra Health may choose to delegate certain functions to subcontractors, sensitive data was shared with unlicensed companies without the knowledge or prior approval of the HMOs or their enrollees. Under the terms of its contracts with the HMOs, prior authorization must be received before passing any data to offshore partners.
An investigation conducted by the Florida Office of Insurance Regulation determined that Mirra Health had engaged in business practices that pose an imminent threat to the public health, safety, and welfare of state residents. Mirra Health was found to have disclosed the sensitive data of 23,119 Florida Medicare Advantage enrollees to those unlicensed companies. The majority of the affected individuals participated in Chronic Condition Special Needs Plans (C-SNPs), Dual Eligible Special Needs Plans (D-SNPs), and Institutional Special Needs Plans (I-SNPs). When the Florida Office of Insurance Regulation requested that Mirra Health produce the contracts it had signed, it failed to produce all contracts with overseas companies, in violation of section 626.884 of the Florida Insurance Code.
This week, Florida Insurance Commissioner Michael Yaworsky suspended Mirra Health LLC’s certificate of authority. Yaworsky said the company demonstrated it is not competent or trustworthy, as it disclosed sensitive Medicare data to foreign entities that are beyond the regulatory reach of the Office of Insurance Regulation, depriving both the Office and the HMOs of the ability to protect vulnerable state residents.
The post Florida Insurance Commissioner Suspends Mirra Health for Medicare Data Transfers to Foreign Companies appeared first on The HIPAA Journal.
High Severity Vulnerability Identified in Grassroots DICOM
A high-severity vulnerability has been identified in Grassroots DICOM that could be exploited by a remote threat actor to trigger a denial-of-service condition. The vulnerability, tracked as CVE-2026-3650, is a memory leak issue that has been assigned a CVSS v3.1 severity score of 7.5.
Grassroots DICOM is a C++ library for DICOM medical images that comes with a scanner implementation capable of quickly scanning hundreds of DICOM files for attributes. Grassroots DICOM is used by healthcare and public health sector organizations worldwide, including in the United States.
The vulnerability affects Grassroots DICOM (GDCM) version 3.2.2 and occurs when parsing malformed DICOM files with non-standard VR types in the file meta information. When a specially crafted file is parsed, it triggers very large memory allocations and resource exhaustion, resulting in a denial-of-service condition. A maliciously crafted file could fill the heap in a single read operation without the memory being properly released.
The vulnerability was identified by Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS, who reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which contacted the maintainer of Grassroots DICOM; however, the maintainer failed to respond to requests by CISA to mitigate the vulnerability.
While there is currently no fix to remediate the vulnerability, CISA has suggested recommended practices to reduce the potential for exploitation: ensure that Grassroots DICOM is not exposed to the internet; locate control system networks behind firewalls and isolate them from business networks; and, if remote access is required, use secure methods to connect, such as Virtual Private Networks (VPNs), while ensuring that the VPN is running the latest software version.
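A defensive pre-screen for the failure mode described above, added here as an example (it is not GDCM's code and is not taken from the advisory): it walks the Explicit VR file meta information of a DICOM Part 10 file and rejects unknown VRs, undefined lengths and declared lengths beyond an assumed 1 MiB cap before the file reaches a full parser. The sample files are constructed for illustration.

```python
import struct
# VRs using the 4-byte length form in Explicit VR encoding (DICOM PS3.5); all others use 2 bytes.
LONG_LENGTH_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ", b"SV",
                   b"UC", b"UN", b"UR", b"UT", b"UV"}
SHORT_LENGTH_VRS = {b"AE", b"AS", b"AT", b"CS", b"DA", b"DS", b"DT", b"FL", b"FD", b"IS", b"LO",
                    b"LT", b"PN", b"SH", b"SL", b"SS", b"ST", b"TM", b"UI", b"UL", b"US"}
KNOWN_VRS = LONG_LENGTH_VRS | SHORT_LENGTH_VRS
PREAMBLE_LEN, MAGIC = 128, b"DICM"

def screen_file_meta(data: bytes, max_element_len: int = 1 << 20):
    """Return (ok, reason) after walking the (0002,xxxx) file meta elements, which are
    always Explicit VR Little Endian. The 1 MiB per-element cap is an assumed policy."""
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        return False, "missing DICM magic"
    pos, seen = PREAMBLE_LEN + 4, 0
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # first non-meta element: the main dataset starts here
        vr = data[pos + 4:pos + 6]
        if vr not in KNOWN_VRS:  # the non-standard-VR case the advisory describes
            return False, f"unknown VR {vr!r} at (0002,{element:04X})"
        if vr in LONG_LENGTH_VRS:  # tag, VR, 2 reserved bytes, 4-byte length
            if pos + 12 > len(data):
                return False, "truncated element header"
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:                      # tag, VR, 2-byte length
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        if length == 0xFFFFFFFF:
            return False, f"undefined length at (0002,{element:04X})"
        if length > max_element_len or pos + length > len(data):
            return False, f"declared length {length} at (0002,{element:04X}) exceeds cap or file"
        pos, seen = pos + length, seen + 1
    return (seen > 0), f"{seen} file meta elements checked"

def _meta(element: int, vr: bytes, value: bytes) -> bytes:
    """Build one (0002,element) Explicit VR element for the constructed samples below."""
    head = struct.pack("<HH", 0x0002, element) + vr
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

# Constructed samples: a minimal well-formed header, a bogus VR, an absurd declared length.
HEADER = b"\x00" * PREAMBLE_LEN + MAGIC
GOOD_FILE = (HEADER + _meta(0x0001, b"OB", b"\x00\x01")            # File Meta Version
             + _meta(0x0010, b"UI", b"1.2.840.10008.1.2.1\x00")     # Transfer Syntax UID
             + struct.pack("<HH", 0x0008, 0x0016) + b"UI" + struct.pack("<H", 0))  # dataset begins
BAD_VR_FILE = HEADER + struct.pack("<HH", 0x0002, 0x0001) + b"ZZ\x00\x00" + struct.pack("<I", 0x7FFFFFFF)
BIG_LEN_FILE = HEADER + struct.pack("<HH", 0x0002, 0x0001) + b"OB\x00\x00" + struct.pack("<I", 0x7FFFFFFF)
```

Files that fail the screen can be quarantined and logged rather than passed to the library, which is a cheap compensating control while no patched version exists.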
Telehealth Platform Provider OpenLoop Health Disclosed Data Breach
A major data breach has been reported by the telehealth platform provider OpenLoop Health Inc. While the total number of affected individuals has yet to be publicly disclosed, it could well be one of the largest healthcare data breaches of the year to date. According to the breach notice provided to the California Attorney General, OpenLoop Health learned on January 7, 2026, that an unauthorized third party had gained access to some of its systems and copied files containing sensitive data. Third-party cybersecurity specialists were engaged to investigate and determine the nature and scope of the incident and ensure that its systems were secured and could no longer be accessed.
The forensic investigation confirmed that the unauthorized third party had access to its network from January 7, 2026, to January 8, 2026, and the files exfiltrated from its systems included information such as names, addresses, email addresses, dates of birth, and medical information. OpenLoop Health said Social Security numbers were not accessed or stolen. Steps have since been taken to harden security, and the affected individuals are being notified by mail. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.
A threat actor with the moniker Stuckin2019 claimed responsibility for the incident in a hacking forum listing and claims to have obtained the information of 1.6 million patients. Threat actor claims may be exaggerated, the records may not all be unique, and in some cases, the claims are entirely fabricated. In this case, Stuckin2019 published samples of patient data as proof of data theft. OpenLoop Health has yet to publicly confirm the scale of the data breach or the validity of Stuckin2019’s claims. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, although the website of the Office of the Texas Attorney General lists an OpenLoop Health data breach affecting 68,160 state residents. That incident was published by the Texas Attorney General on March 18, 2026.
Databreaches.net reports that Stuckin2019 is a male individual rather than a group, and one who seemingly has form attacking telehealth companies. He claimed earlier this year to have attacked the New York telehealth company Zealthy, although that company has yet to publicly disclose any data breach. Databreaches.net reports that the OpenLoop Health forum post was only live for two days before being taken down, and that in conversation with the hacker on Tox it was informed that payment had been received and the data had been deleted.
National Association on Drug Abuse Problems Announces Data Breach Affecting 90,000 Individuals
The National Association on Drug Abuse Problems has experienced a data breach affecting up to 90,000 individuals. An insider data breach has been discovered by Weill Cornell Medicine, and Commonwealth Care Alliance has identified a mis-mailing incident.
The National Association on Drug Abuse Problems Hacking Incident Affects 90K Individuals
The National Association on Drug Abuse Problems (NADAP), a New York-based nonprofit, has disclosed a cybersecurity incident that has affected up to 90,000 individuals. Suspicious activity was identified within its network on or around January 10, 2026. Immediate action was taken to secure its network, and an investigation was launched to determine the nature and scope of the activity. On or around January 27, 2026, NADAP determined that the protected health information of certain clients, employees, and related individuals was present in files that were subject to unauthorized access.
The files have been reviewed and found to contain names, Social Security numbers, dates of birth, medical or health information, health care treatment or diagnostic information, health insurance information, and tax or financial information. The types of data involved vary from individual to individual. NADAP has implemented additional measures to enhance network security, including strengthening password requirements and implementing conditional access policies, and the incident has been reported to regulators and law enforcement. No known threat group has claimed responsibility for the incident.
The substitute data breach notice makes no mention of complimentary credit monitoring services. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements for suspicious activity.
Weill Cornell Medicine Identifies Insider Data Breach
Weill Cornell Medicine, the medical school of Cornell University in New York, has identified an insider breach involving the electronic medical records of 516 patients. Following an internal investigation, Weill Cornell Medicine confirmed that a former employee had accessed patient records for reasons unrelated to their job duties.
The potential for misuse of patient data is limited due to the nature of the data accessed, which was limited to name, contact information, and reason for visit. No Social Security numbers, clinical information, or financial information were accessed. Weill Cornell Medicine did not state the reason for the access but confirmed that the employee is no longer with the organization. All affected individuals have been notified by mail, and additional security measures have been implemented to reduce the risk of similar incidents in the future.
Commonwealth Care Alliance Announces Mis-Mailing Incident
Commonwealth Care Alliance, a Massachusetts-based health plan and care delivery system, has notified 634 individuals about a recent mis-mailing incident. The incident was identified on December 29, 2025, and involved letters intended for one member being mailed to an incorrect member. The letters included a member’s name, CCA Member ID number, and their Medicare eligibility status only. An investigation was launched to identify the cause of the error, and additional safeguards have been implemented to reduce the risk of similar incidents in the future, including supplemental quality checks with its mailing process.