St. Anthony Hospital in Chicago Notifies Patients About February Data Breach

Posted by Steve Alder

Data breaches have recently been announced by St. Anthony Hospital in Chicago, Intercommunity Action in Pennsylvania, and Munson Healthcare in Michigan.

St. Anthony Hospital

St. Anthony Hospital in Chicago, IL, has recently discovered unauthorized access to certain employees’ email accounts. The unauthorized access was identified on February 6, 2025, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity and the extent of any data exposure or theft.

The investigation confirmed that the compromised email accounts contained the personal and protected health information of patients and staff members. The HHS’ Office for Civil Rights breach portal shows that the protected health information of 6,679 was exposed. Information potentially compromised in the incident included names, addresses, telephone numbers, birth dates, Social Security numbers, dates of service, medical record numbers, patient account numbers, medical histories, diagnoses/conditions, treatment information, and prescription information. While sensitive information has been exposed, St. Anthony Hospital has not detected any misuse of the exposed data.

Intercommunity Action Inc.

Intercommunity Action, a Philadelphia, PA-based provider of resources for aging, behavioral health, and individuals with intellectual and developmental disabilities, has notified 2,680 individuals about a recent data security incident involving unauthorized access to its computer network. The security breach was identified on May 29, 2025, and the forensic investigation confirmed that unauthorized connections had been made to its network from May 28, 2025, to May 29, 2025. During that time, files were exfiltrated from its network, and Intercommunity Action warned that the stolen data had potentially been made available online. Intercommunity Action is unaware of any instances of data misuse as a result of the incident.

A review of the affected files revealed that they contained patient information such as first and last names, dates of birth, addresses, Social Security Numbers, driver’s license numbers, state identification numbers, bank account information, credit card numbers, other financial information, claims information, diagnosis/conditions, medications, or other treatment information. The types of information involved varied from individual to individual.

As a precaution against misuse of the affected data, individuals whose Social Security numbers, driver’s license numbers, state ID numbers, and/or bank account information were involved have been offered complimentary identity theft protection services. Steps have also been implemented to prevent similar incidents in the future, including changing passwords, blocking the unauthorized users’ IP addresses, and implementing additional safeguards to strengthen security.

Munson Healthcare

Munson Healthcare, the largest health system in Northern Michigan, has notified 1,186 patients about a mis-mailing incident caused by an error when migrating patient information to a new computer system. The error occurred on January 25, 2025, and resulted in the individual responsible for paying bills being accidentally changed to someone who was previously responsible. The issue was not detected until June 2, 2025.

As a result of the error, some patients’ bills were sent to the wrong individuals. An investigation was launched to determine the root cause of the error and the patients affected. The errors in the data were changed and updated to the correct bill payer, and a technical fix was implemented on June 24, 2025, to prevent further bills from being sent to incorrect individuals. Data impermissibly disclosed was limited to a patient’s name, location of services, balance owed, insurance type, and the type of service. The affected individuals have been advised to review the bills issued after January 25, 2025, to ensure that the billing information is correct.

The post St. Anthony Hospital in Chicago Notifies Patients About February Data Breach appeared first on The HIPAA Journal.

Discovery Practice Management Settle Lawsuit Over 2020 Data Breach

Posted by Steve Alder

Discovery Practice Management, a California-based healthcare provider, has agreed to settle a class action lawsuit stemming from a June 2020 breach of its email environment. An unauthorized third party accessed employee email accounts between June 22, 2020, and June 26, 2020, and obtained sensitive information relating to patients of the Authentic Recovery Center and Cliffside Malibu facilities in California. The data breach was reported to the HHS’ Office for Civil Rights as affecting up to 12,859 individuals.

Data potentially compromised in the incident included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license numbers, and clinical information, such as diagnosis, treatment information, and prescription information. It took almost a year for the emails to be reviewed and notification letters to be issued to the affected individuals.

In February 2021, a class action lawsuit – JeanPaul Magallanes, et al v. Discovery Practice Management, Inc. – was filed in response to the data breach by JeanPaul Magallanes that alleged that Discovery Practice Management failed to implement appropriate measures to safeguard sensitive data stored on its network, then failed to issue adequate and timely notification letters when its email environment was compromised.

The alleged cybersecurity failures included insufficient monitoring of inbound emails, insufficient training of its workforce on email-based threats, and the failure to encrypt a data server that became accessible to unauthorized individuals who compromised two employee email accounts. Despite the significant risk to the affected patients, it took 335 days from the date of discovery to issue notification letters, which the lawsuit claims violated HIPAA and the California Consumer Records Act.

The lawsuit claims the actions of the defendant violated the California Confidentiality of Medical Information Act, California Unfair Competition Law, and the California Consumer Records Act. All parties agreed to engage in settlement discussions to avoid the cost and risk of a trial, and a settlement has been agreed upon with no admission of wrongdoing by Discovery Practice Management. The settlement has recently been granted preliminary approval by Judge Glenda Sanders of the Superior Court of the State of California, for the County of Orange.

Under the terms of the settlement, all class members are entitled to claim a three-year membership to CyEx’s Identity Defense Total Service, and must enroll by December 9, 2025. In addition, claims may be submitted for reimbursement of documented, unreimbursed ordinary and extraordinary losses caused by the data breach. Claims for reimbursement of ordinary losses are capped at $250 per class member, and claims for reimbursement of extraordinary losses are capped at $1,000 per class member.

The deadline for objection to the settlement, exclusion from the settlement, and submitting a claim is November 24, 2025. The final fairness hearing has been scheduled for February 5, 2026.

The post Discovery Practice Management Settle Lawsuit Over 2020 Data Breach appeared first on The HIPAA Journal.

Cyberattack Volume Increases Fueled by 48% YOY Increase in Ransomware Attacks

Posted by Steve Alder

Cyber threat actors had a busy October, with attack volume up 2% month-over-month and 5% year-over-year. In October, organizations experienced an average of 1,938 cyberattacks per week, according to the latest data from cybersecurity firm Check Point.

While attacks are up across all sectors, there was a 15% year-over-year fall in attacks on the health and medical sector, with 2,094 reported attacks in October. The biggest increases were seen in the agriculture (+71%) and information technology sectors (+48%). Education was the most targeted sector with 4,470 attacks, up 5% from October 2024. Latin America experienced the highest number of attacks, with attacks up 16% from October 2024, but the biggest increase was seen in North America, with an average of 1,464 attacks per week, up 18% from October 2024.

Check Point reports that the rise in attacks was fueled by the growing sophistication of ransomware, with attacks dramatically increasing in October. Check Point tracked 801 reported attacks in October, which is a 48% increase compared to September. While Latin America experiences more attacks than any other region, North America was the main target of ransomware groups, accounting for 62% of incidents, ahead of Europe with 19% of attack volume. In October, 57% of reported victims were in the United States, and there was a 56.8% increase in attacks compared to September.

Qilin was the most active ransomware group, accounting for 22.7% of attacks in October. The group has evolved into a sophisticated ransomware-as-a-service organization, attracting new affiliates due to its extensive affiliate support. Akira took second spot with 8.7% of attacks, and the recently emerged Sinobi ransomware group took third spot with 7.8% of attacks.

While all three groups attack healthcare organizations, the healthcare sector appears to be a key focus of the Sinobi group. Sinobi is a ransomware-as-a-service group with a professional structure, highly skilled internal operators, and a team of carefully vetted affiliates. Sinobi primarily targets mid- to large-sized organizations, primarily in the United States and allied countries.

Sinobi claims on its dark web data leak site to have attacked East Jefferson General Hospital, Greater Mental Health of New York, Johnson Regional Medical Center, Judson Center, Middlesex Endodontics, Newmark Healthcare Services, Phoenix Village Dental, Queens Counseling for Change, South Atlanta Medical Clinic, and Watsonville Community Hospital since the group emerged in mid-2025.

Check Point also cautioned about the expanding risks associated with generative AI (GenAI) as enterprise use of GenAI tools continues to grow. One of the biggest threats is the exposure of sensitive data. Check Point reports that in October, 1 out of every 44 GenAI prompts submitted through business networks posed a high risk of sensitive data leakage, something that is especially concerning in healthcare due to the risk of exposure of protected health information.

Check Point reports that 87% of organizations that use GenAI tools regularly experience this type of sensitive data exposure, and many organizations are unaware of the risk. While workers use authorized and managed GenAI tools, on average, 11 different GenAI tools are used by organizations each month, most of which are likely to be unsupervised.

“As ransomware groups evolve and GenAI risks proliferate, organizations must strengthen their threat prevention, data security, and AI governance strategies to stay ahead of adversaries,” suggests Check Point.

The post Cyberattack Volume Increases Fueled by 48% YOY Increase in Ransomware Attacks appeared first on The HIPAA Journal.