Data Breaches Announced by Ennoble Care & Circa Health; Dermatology Associates of Concord

Posted by Steve Alder

Data breaches have recently been announced by Ennoble Care & Circa Health in New Jersey and Dermatology Associates of Concord in Massachusetts.

Ennoble Care/Circa Health, New Jersey

Ennoble Care & Circa Health, LLC, a Hackensack, NJ-based provider of primary care, palliative care, and hospice services to individuals in Georgia, Kansas, Maryland, New York, New Jersey, Oklahoma, Pennsylvania, Virginia, and Washington, D.C., has announced an email account breach that was identified on April 17, 2025.

Ennoble Care said the investigation into the incident is ongoing; however, it has been determined that patient information has been exposed and may have been obtained by an unauthorized individual. The types of information involved include names, addresses, dates of birth, hospice status, status dates, and orders status (CTI, SN, MSW, CH, HHA, etc.). No evidence was found to indicate that its cloud-based electronic health record was compromised.

While no evidence has been found to indicate misuse of the exposed data, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring the explanation of benefits statements that they receive from their health insurance providers. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Dermatology Associates of Concord, Massachusetts

Dermatology Associates of Concord (DAC), a provider of dermatology services to individuals in the greater Boston area, has notified the Massachusetts Attorney General about a recent security incident affecting a currently undisclosed number of individuals. Suspicious activity was identified within its computer systems on September 19, 2025. Assisted by third-party cybersecurity experts, DAC determined that an unauthorized third party accessed a specific computer system between September 18, 2025, and September 19, 2025, and copied files from that system.

The files are being reviewed to determine the types of data involved and the individuals affected, and that process has not yet concluded. While data was stolen, DAC is unaware of any misuse of that information. DAC said it has notified law enforcement about the incident and has augmented its security protocols to prevent similar incidents in the future.

Notification letters will be mailed to the affected individuals when the data review is completed, and complimentary single-bureau credit monitoring, credit report, credit score, and fraud assistance services will be made available to the affected individuals for a period of 24 months.

The post Data Breaches Announced by Ennoble Care & Circa Health; Dermatology Associates of Concord appeared first on The HIPAA Journal.

More Than CMIA and HIPAA: Which Medical Privacy Regulations Apply to You in California?

Posted by PJ Murray

The Confidentiality of Medical Information Act (CMIA) is just one of several state laws and regulations that apply to medical privacy in California and influence how staff handle patient information. Alongside HIPAA and CMIA, healthcare organizations may also have to comply with the Patient Access to Health Records Act (PAHRA), Medi-Cal confidentiality rules, California’s Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA), state rules governing artificial intelligence in healthcare (including CCPA’s automated decision-making regulations), and SB81 on patient access and protection. Together, these laws help explain why privacy and security policies in California can look different from those in other states. 

HIPAA was designed to create a national “floor” of privacy and security standards, but in California that floor is only the starting point. When state law gives patients more rights or stronger protections than HIPAA does in a particular area, the California law takes precedence for that issue, while HIPAA still applies in the background. As a result, California providers often have to reconcile multiple overlapping rules when deciding how to use, disclose, and protect health information.

CMIA is the core California medical privacy statute. It applies broadly to providers, plans, contractors, and many consumer-facing digital health apps when they store or process identifiable medical information. CMIA tightly limits when information can be used or disclosed without authorization, adds extra protections for sensitive services, and requires safeguards for electronic information. A key difference from HIPAA is CMIA’s private right of action, which allows patients to sue for negligent, unauthorized disclosures, even when there was no intent to cause harm. That is a major reason California organizations stress strict access control, “need-to-know” use of records, and zero tolerance for snooping or gossip.

PAHRA strengthens and accelerates patient access rights beyond HIPAA. California providers generally must acknowledge or respond to access requests within a few days and provide copies within a much shorter deadline than HIPAA’s. Patients can also submit an addendum to correct or clarify their records, and that addendum must be attached with future relevant disclosures. PAHRA and CMIA together also limit parental access to minors’ sensitive records when the minor has the right to consent to care, so staff must pay close attention to who is entitled to see what.

Other important laws fill gaps that HIPAA and CMIA do not fully cover. Medi-Cal regulations protect beneficiary information, including social and economic data used for eligibility and benefits, and restrict its use mainly to treatment, billing, and program administration. CCPA/CPRA applies to eligible businesses for personal information that is not PHI or CMIA “medical information,” such as website tracking data, marketing lists, and some HR records. CCPA/CPRA also gives consumers rights to know, correct, and in some cases delete data. California also regulates the use of AI in healthcare through a mix of privacy, consumer, and professional rules that emphasize transparency, security, and maintaining human clinical judgment. In practice, these rules often appear as internal policies: which AI tools may be used, what kind of data may be entered, how outputs must be reviewed, and when patients must be informed.

SB81, California’s Patient Access and Protection law, adds targeted protections for immigration-related information. It treats a patient’s place of birth and immigration status as protected medical information and prohibits disclosures for immigration enforcement without a valid authorization or court order. It also requires healthcare organizations, including public college health centers, to establish “safe” non-public areas where patients can receive care without fear of immigration agents entering unless they have proper legal authority. This law shapes how front desks, security, and clinical teams respond to requests from law enforcement and why staff should receive specific training on these scenarios.

Because all these laws overlap, California healthcare organizations usually design their policies around the most protective rule that applies. CMIA is central, but real-world privacy practice is also shaped by PAHRA, Medi-Cal rules, CCPA/CPRA, AI-related requirements, and SB81. For healthcare staff and students, the safest approach is to follow their organization’s written policies, complete required training, and ask their privacy or compliance team whenever they are unsure. This overview is for training and general information, not legal advice, but it highlights why CMIA is just one piece of a much larger California privacy framework.

The post More Than CMIA and HIPAA: Which Medical Privacy Regulations Apply to You in California? appeared first on The HIPAA Journal.

Data Breaches Announced by Heritage Communities & Metrocare Services

Posted by Steve Alder

The senior living company Heritage Communities and the Dallas mental health care company Metrocare Services have announced security incidents that exposed sensitive patient data.

Heritage Communities, Nebraska

Heritage Communities, a senior living company based in Omaha, Nebraska, has recently announced a breach of the personal and protected health information of current and former residents. The data breach affected the company Heritage Holdings LP, a business associate of Heritage Communities, Orchard Pointe, and OnCare Health. On or around September 16, 2025, a network intrusion was identified, and third-party cybersecurity experts were engaged to investigate the incident. The investigation confirmed that an unauthorized actor gained access to its network and a limited amount of protected health information. The forensic investigation could not rule out the possibility that sensitive data was exfiltrated from its network.

The review of the affected data confirmed that a range of data types were exposed, including first and last names, Social Security numbers, driver’s license numbers, bank account information, credit card information, dates of birth, addresses, phone numbers, email addresses, medication information, healthcare diagnosis information, test results, and healthcare provider information. The types of information involved varied from individual to individual.

Additional security measures have been implemented in response to the data breach, and data security policies and procedures are being reviewed. While no misuse of the affected data has been identified, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements. The Worldleaks threat group claimed responsibility for the attack and added Heritage Communities to its dark web data leak site. If the claim is genuine, it suggests that a ransom demand was issued that was not paid.

Metrocare Services, Texas

Metrocare Services, a Dallas, TX-based provider of mental health services to individuals in North Texas, has identified an impermissible disclosure of patient information. On September 9, 2025, an employee sent an encrypted email from their work account to a personal email account, and the email was later shared on an unauthorized network. The investigation confirmed that the encrypted email contained the protected health information of approximately 8,600 patients, including names, medical record numbers, appointment times, doctors’ names, dates of service, and duration and costs of service.

Metrocare Services said it worked with the employee to ensure that the email was deleted from their personal email account, including the trash folder, and said no evidence was found to indicate that the data was further shared  or was accessed by anyone other than the employee who was authorized to access the information.

The post Data Breaches Announced by Heritage Communities & Metrocare Services appeared first on The HIPAA Journal.

North Kansas City Hospital Patients Affected by Cerner Hacking Incident

Posted by Steve Alder

North Kansas City Hospital has notified patients about a January 2025 data breach at its EHR vendor Cerner. Data breaches have also been announced by Shasta County Health and Human Services and OncoHealth in Georgia.

North Kansas City Hospital, Missouri

North Kansas City (NKC) Hospital in Missouri issued a substitute breach notice on November 25, 2025, announcing a data breach at its electronic medical record (EHR) vendor. A hacker gained access to a legacy Cerner (now Oracle Health) server that was awaiting migration to the Oracle Cloud infrastructure. According to Oracle Health, the hacker gained access to the server as early as January 22, 2025, and exfiltrated data, including the personal health information of NKC Hospital patients. NKC Hospital stressed that none of its own systems were compromised in the incident, as the breach was limited to two legacy Cerner servers.

The HIPAA Journal first reported on the Oracle Health data breach in March 2025, and in the months following the announcement, several healthcare providers have issued notifications confirming that they have been affected. The NKC Hospital breach notice does not state when Oracle Health confirmed that NKC Hospital had been affected. NKC Hospital said it requested the information required to issue notifications as soon as it learned that it had been affected, and said notifications were delayed at the request of law enforcement and were issued by NKC Hospital as quickly as possible.

Oracle Health said the data compromised in the incident included names, dates of birth, and Cerner patient identifiers, and potentially also information contained in electronic medical records, such as medical record numbers, doctors’ names, diagnoses, medications, test results, medical images, and care/treatment information. The HHS’ Office for Civil Rights breach portal does not currently list the data breach, so it is unclear how many NKC Hospital patients were affected.

Shasta County Health and Human Services

Officials at the Department of Health and Human Services for Shasta County in California have announced an insider data breach that has affected approximately 164 clients. Unauthorized access to the protected health information of patients was detected on September 30, 2025. The investigation confirmed that a former employee had accessed patient information without authorization.

Data potentially accessed included names, dates of birth, chart numbers, health plan information, County Administrative Office search name, diagnoses/conditions, medications, treatment authorizations, and requests related to Mental Health Behavioral Services. The notice does not state the reason for the unauthorized access or whether any information was copied or has been further disclosed. Shasta County said the investigation is ongoing, and any misuse of patient data will be reported to law enforcement

OncoHealth, Georgia

OncoHealth (formerly Oncology Analytics Inc.), an Atlanta, GA-based oncology-focused virtual medical group that partners with Humana Inc. for medical oncology prior authorizations, has announced a data breach that resulted in an impermissible disclosure of protected health information. As a result of a phishing attempt on the Zendesk customer service system, a fraudulent Zendesk account was created. The email address for the account was mistakenly included in a distribution sent to Humana Inc. that included a file containing the protected health information of 39 individuals.

The file contained personal and health information, including first and last names, birth dates, Humana identification numbers, and authorization numbers. OncoHealth said it has found no evidence of misuse of the disclosed information. Steps have been taken to improve internal security controls, and additional security awareness training has been provided to the workforce.

The post North Kansas City Hospital Patients Affected by Cerner Hacking Incident appeared first on The HIPAA Journal.

Rancho Family Medical Group Agrees to Pay $315K to Settle Data Breach Litigation

Posted by Steve Alder

Rancho Family Medical Group, a primary care medical group serving patients in Southern California, has agreed to pay $315,000 to settle class action litigation stemming from a 2023 data breach that exposed patients’ protected health information.

Rancho FMG was notified on January 11, 2024, about a security incident at its vendor KMJ Health Solutions. KMJ provided the medical group with online signout and charge capture systems and experienced a security incident on November 19, 2023, that exposed patient information such as names, dates of birth, medical record numbers, treatment locations, dates of services, and medical procedure codes.

The vendor was unable to determine exactly which patients had been affected or the exact types of data involved, as the impacted data had been wiped and was unrecoverable. On or around March 12, 2024, Rancho FMG notified all potentially affected patients, including current patients and patients going back ten years. Approximately 11,500 notification letters were mailed, although the HHS’ Office for Civil Rights was informed that 10,480 individuals had been affected.

Shortly after notifications were mailed, a class action lawsuit was filed in the Superior Court of California, County of Riverside, by one of the affected patients, Catrina Brannon, individually and on behalf of similarly situated individuals. The lawsuit asserted claims of violations of the California Confidentiality of Medical Information Act (CMIA) and California’s Unfair Competition Law (UCL).

Rancho FMG denies any wrongdoing and disagrees with all claims and contentions in the lawsuit. Prior to engaging in extensive motion practice, the parties agreed to mediate to avoid unnecessary legal costs, and a settlement was negotiated that was acceptable to all parties. Under the terms of the settlement, Rancho FMG will establish a $315,000 settlement fund to cover notice and administration expenses, fee awards and expenses, service awards, and benefits to the class members. All class members will receive a code to activate three years of three-bureau credit monitoring services.

In addition, class members may submit a claim for reimbursement of up to four hours of lost time remedying issues arising from the data breach at a rate of $17 per hour. Claims may also be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach, and any funds remaining in the settlement will be paid as a pro rata cash payments, which will not exceed $1,000 per class member. The cash payments will depend on the number of valid claims received.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for January 28, 2026. The deadline for objection to and exclusion from the settlement is December 29, 2025, and claims must be submitted by December 29, 2025.

The post Rancho Family Medical Group Agrees to Pay $315K to Settle Data Breach Litigation appeared first on The HIPAA Journal.