Alternate Solutions Health Network Notifies Patients About May 2024 Email Breach – The HIPAA Journal
Email accounts have been compromised at four HIPAA-regulated organizations: Alternate Solutions Health Network in Ohio; Park Royal Hospital in Florida; 90 Degree Benefits in Minnesota; and the Charleston Fire Department in West Virginia. Almost 107,000 individuals have been affected.
Alternate Solutions Health Network, Ohio
Alternate Solutions Health Network, LLC, a Kettering, Ohio-based provider of home healthcare services, has identified unauthorized access to an employee’s email account that contained patient data. It is unclear how long the threat actor had access to the account or when the breach was detected; however, it has taken almost a year for the affected individuals to be notified.
Alternate Solutions Health Network explained in its substitute breach notice that the forensic investigation confirmed that the account was breached on or around May 30, 2024. When the breach was detected, the account was secured, and third-party cybersecurity professionals were engaged to investigate the incident. “After an extensive investigation and manual document review, we discovered on February 14, 2025, that some personal and/or protected health information of individuals was contained in the compromised email account that was subject to unauthorized access and acquisition,” explained Alternate Solutions Health Network in the notification letters.
The types of information involved vary from individual to individual and may include first and last names, dates of birth, addresses, driver’s license numbers, physician/clinician names, clinical information, diagnostic information, and treatment information. A subset of the affected individuals also had their Social Security numbers stolen. Alternate Solutions Health Network said it will implement additional cybersecurity safeguards, enhance its employee cybersecurity training, and improve its cybersecurity policies, procedures, and protocols. The data breach was reported to the HHS’ Office for Civil Rights on April 14, 2025, as a breach affecting 93,589 individuals. Individual notification letters also started to be mailed on April 14, 2025.
Park Royal Hospital, Florida
The Pavilion at HealthPark, LLC, has announced a data breach affecting patients of Park Royal Hospital in Fort Myers, Florida. The private psychiatric hospital provides inpatient and outpatient behavioral health services, including treatment for mental health and substance use disorders. On January 14, 2025, an employee responded to a phishing email and disclosed their credentials, allowing a threat actor to access the employee’s email account and associated SharePoint account between January 14 and January 15, 2025. The breach was detected on January 17, 2025, and the email account was immediately secured.
The forensic investigation confirmed that the breach was limited to a single email account and the associated SharePoint account. No other systems or accounts were affected. The account review confirmed that the sensitive data of 9,349 patients was present in the account, including personally identifiable and protected health information such as names, admission dates, provider information, and patient status information. Individual notification letters started to be mailed to the affected individuals on March 18, 2025. Since Social Security numbers and financial information were not compromised, credit monitoring services are not being offered. Patients have been advised to monitor the statements they receive from their providers and health plans and to report any listed services that they did not receive.
90 Degree Benefits, Inc., Minnesota
90 Degree Benefits, St. Paul, a third-party administrator that processes claims for companies that operate self-funded health plans, has identified an email account breach. Suspicious activity was identified in an employee’s email account in October 2024. The forensic investigation confirmed that a threat actor gained access to the account on October 18, 2024, and on or around December 17, 2024, it was confirmed that the threat actor had accessed emails and attachments in the account that contained sensitive data.
The emails and attachments were reviewed and found to contain information such as names, Social Security numbers, and/or member identification numbers. The breach was reported to the HHS’ Office for Civil Rights on April 18, 2025, as a data breach affecting 1,268 individuals. Individual notification letters were mailed to the affected individuals on April 18, 2025, and complimentary credit monitoring services have been made available. 90 Degree Benefits, St. Paul said several steps have already been taken to improve the security of its IT environment, including a review of security policies and processes and the provision of additional training to employees.
Charleston Fire Department, West Virginia
The Charleston Fire Department in West Virginia has identified unauthorized access to an employee’s email account. An account breach was suspected when the email account was used to send spam emails. The account was immediately secured, and third-party cybersecurity experts were engaged to conduct a forensic investigation. They confirmed that the breach was limited to a single email account, which the threat actor was able to access between February 18, 2025, and February 21, 2025. The review of emails and attachments revealed that the protected health information of 2,583 individuals had been exposed.
The exposed information was related to ambulance trips and EMS billing and included names, addresses, dates of birth, Social Security numbers, other demographic identifiers, clinical information (diagnoses/conditions, medications, dates of service), and/or insurance information. The majority of affected individuals only had their names, dates of service, insurance carriers, and billing amounts exposed. Steps are being taken to strengthen email security, and complimentary credit monitoring services have been offered to the affected individuals. Individual notification letters were mailed to the affected individuals on April 22, 2025.
The post Alternate Solutions Health Network Notifies Patients About May 2024 Email Breach appeared first on The HIPAA Journal.
Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients – The HIPAA Journal
Frederick Health Medical Group is facing several potential class action lawsuits over a recent data breach that affected more than 900,000 patients. Frederick Health Medical Group, a Maryland-based healthcare group, announced on January 27, 2025, that it had fallen victim to a ransomware attack and had called in cybersecurity experts to investigate the incident. At the time, it was unclear to what extent patient data had been compromised in the incident, but it has now been confirmed that the electronic protected health information of 934,326 patients was stolen.
According to its March 28, 2025, substitute breach notice, the ransomware group stole data such as patient names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, health insurance information, and/or clinical information related to patients’ care. The electronic medical record system was not compromised in the attack. The name of the ransomware group behind the attack was not disclosed, and no ransomware group is known to have claimed responsibility for the attack. It is also unclear whether a ransom was paid. In late March, individual notification letters started to be mailed to the affected individuals, and complimentary credit monitoring and identity theft protection services have been made available. Frederick Health Medical Group said additional cybersecurity safeguards have been implemented to better protect patient data and monitor its systems for unauthorized access.
At least five class action lawsuits have already been filed in response to the data breach. The lawsuits all assert similar claims, including negligence for failing to implement reasonable and appropriate cybersecurity measures to safeguard patient data and a failure to follow industry-standard cybersecurity best practices. The lawsuits also claim that the breach notification letters failed to disclose adequate information about the data breach, including the steps taken to prevent further attacks and even the types of data compromised in the incident. The lawsuits name Frederick Health Medical Group patients Ernest Farkas, Joseph Kingsman, Jaquelyn Chaillet, James Shoemaker, Wesley Kibler, and Jennifer McCreary as plaintiffs.
The lawsuits claim patients have suffered harm from the data breach, including an elevated and ongoing risk of identity theft and fraud, and out-of-pocket costs mitigating the harmful effects of the data breach. The lawsuits seek a jury trial, attorneys’ fees, and compensatory and punitive damages.
New York Neurology Practice Pays $25,000 to Resolve Alleged Risk Analysis Violation – The HIPAA Journal
The HHS’ Office for Civil Rights (OCR) has announced another settlement to resolve an alleged violation of the risk analysis implementation specification of the HIPAA Security Rule. Comprehensive Neurology PC, a small neurology practice in New York City that specializes in diagnosing and treating neurological conditions such as dementia, Parkinson’s disease, epilepsy, and memory loss, has agreed to settle the alleged violation and pay a $25,000 financial penalty.
The alleged HIPAA violation was identified by OCR during an investigation of a 2020 data breach that involved unauthorized access to the electronic protected health information (ePHI) of 6,800 individuals. OCR was informed of the data breach on December 17, 2020. Comprehensive Neurology discovered it had been attacked with ransomware on December 14, 2020, when staff were prevented from accessing patients’ medical records. The forensic investigation confirmed that the ePHI of 6,800 individuals had been exposed and potentially stolen in the attack, including names, clinical information, health insurance information, demographic information, Social Security numbers, driver’s license numbers, and state identification numbers.
OCR’s investigation revealed that Comprehensive Neurology had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. §164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Comprehensive Neurology was given an opportunity to settle the alleged HIPAA violation informally and agreed to pay a financial penalty and adopt a corrective action plan. OCR will monitor Comprehensive Neurology for compliance with the corrective action plan for two years.
The corrective action plan requires Comprehensive Neurology to:
- Conduct a comprehensive, accurate, and organization-wide risk analysis
- Develop and implement a risk management plan to reduce the identified risks and vulnerabilities to a low and acceptable level
- Develop, implement, and maintain policies and procedures to ensure compliance with the HIPAA Rules
- Distribute those policies and procedures to members of the workforce
- Provide training to the workforce on those policies and procedures
- Submit an implementation report to OCR and annual reports confirming compliance with the corrective action plan
- Ensure that any data breaches or compliance violations are reported to OCR promptly
It has been a busy month of HIPAA enforcement for OCR. So far this month, OCR has announced four settlements with HIPAA-regulated entities to resolve alleged violations of the HIPAA Rules, and seven penalties this year under the Trump administration. All seven of the enforcement actions include penalties for risk analysis failures. The settlement with Comprehensive Neurology was OCR’s 12th investigation of a ransomware attack to result in a financial penalty for HIPAA compliance failures, and the 8th enforcement action under OCR’s risk analysis enforcement initiative. OCR explained that by focusing on risk analyses, the most commonly identified HIPAA violation, OCR can increase the number of closed investigations and highlight the importance of compliance with this foundational HIPAA Security Rule requirement.
“Effective cybersecurity requires proactively implementing the HIPAA Security Rule requirements before a breach or cybersecurity incident occurs,” said OCR Acting Director Anthony Archeval. “OCR urges health care entities to prioritize compliance with the HIPAA Security Rule risk analysis requirement.”