Verisource Services Increases Data Breach Victim Count to 4 Million

Verisource Services, an employee benefits administration service provider, has determined that a previously announced data breach was far worse than initially thought and has affected up to 4 million individuals. The Houston, Texas-based company detected a hacking incident on February 28, 2024, that disrupted access to some of its systems. Third-party cybersecurity and incident response experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity.

The forensic investigation confirmed hackers had access to its network and exfiltrated files on February 27, 2024. At the time of the initial announcement, Verisource Services said names, dates of birth, genders, and Social Security numbers had been stolen. The affected individuals included employees and dependents of clients who used its services, which include HR outsourcing, benefits enrollment, billing, and administrative services.

The data breach was initially reported as affecting 1,382 individuals, but as the investigation progressed, it became clear that the breach was worse than initially thought. In August 2024, the data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 112,726 individuals. The most recent notification to the Maine Attorney General indicates up to 4 million individuals have been affected, a sizeable increase from previous estimates. The OCR breach portal still lists the incident as affecting 112,726 patients and plan members of its HIPAA-regulated entity clients, although that total may well be updated in the coming days.

Verisource Services explained in the breach notice that the data review was not completed until April 17, 2025, almost 14 months after the security incident was detected. Verisource Services reported the security incident to the Federal Bureau of Investigation, and several additional security measures have been implemented to improve its security posture. Notification letters had previously been sent to some affected individuals; however, the bulk of the notification letters have only recently been mailed. Verisource Services said complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, who will also be protected with a $1,000,000 identity theft insurance policy.

Since sensitive data was stolen many months ago, data may already have been misused. In addition to signing up for the credit monitoring and identity theft protection services, affected individuals should also check their account statements for signs of data misuse going back to February 2024. Verisource Services was already facing several class action lawsuits over the data breach. Now that the breach total has been substantially increased, further lawsuits are expected to be filed. The lawsuits already filed alleged that Verisource Services was negligent due to the failure to implement reasonable and appropriate cybersecurity measures and follow industry-standard cybersecurity best practices. The lawsuits seek a jury trial, attorneys’ fees, and compensatory and punitive damages.

The post Verisource Services Increases Data Breach Victim Count to 4 Million appeared first on The HIPAA Journal.

Endue Software Confirms Data Breach Affecting Multiple Providers

Cybersecurity incidents have been announced by Endue Software, Whitman County Public Hospital District No. 3, Palo Verde Hospital, and Northern California Children’s Therapy Center.

Endue Software

Endue Software, an infusion management platform provider, has recently confirmed it has been affected by a cyberattack that involved unauthorized access to patient data. In its April 11, 2025, substitute breach notice, Endue Software explained that unauthorized access to some of its systems was identified on February 17, 2025. The forensic investigation confirmed that an unauthorized actor gained access to some of its systems for a brief period on February 16, 2025. While the window of opportunity was short, files were copied from its systems during that time. Since February, Endue Software has been reviewing the compromised data to determine which clients and patients have been affected. It has now been confirmed that the compromised data included patients’ full names, addresses, dates of birth, Social Security numbers, and medical record numbers.

It is unclear how many of Endue Software’s clients have been affected in total. Endue Software has reported the breach to the HHS’ Office for Civil Rights as a data breach affecting 118,028 individuals; however, some of its customers may be reporting the data breach separately, as was the case with Rheumatology Associates of Baltimore (RAB), which recently reported the breach to OCR as affecting 28,968 of its patients.

Whitman County Public Hospital District No. 3

Whitman County Public Hospital District No. 3 in Washington State has recently announced a data breach that has affected 63,453 individuals, including patients and members of its Group Health Plan. Suspicious activity was identified within its IT network on February 28, 2025. Its IT environment was immediately secured, law enforcement was notified, and an investigation was launched to determine the cause of the activity.

The investigation confirmed that an unauthorized third party had access to its IT environment between December 26, 2024, and February 28, 2025, during which time files containing patient and health plan member data may have been viewed or acquired. The file review confirmed that the exposed data included names plus some or all of the following: date of birth, address, Social Security number, financial account information, diagnosis, lab results, medications, other treatment information, health insurance information, provider names, and/or dates of treatment.

Notification letters started to be sent to the affected individuals on April 11, 2025. Complimentary credit monitoring and identity theft protection services have been offered to eligible individuals. Whitman County Public Hospital District No. 3 said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.

Palo Verde Hospital

Palo Verde Hospital, a 51-bed hospital in Blythe, California, has recently notified the California Attorney General about a security incident “that disrupted the operations of some of its IT systems,” which suggests it was the victim of a ransomware attack. The incident was detected on March 6, 2025, and action was immediately taken to contain the threat. Assisted by third-party cybersecurity experts, the hospital determined there had been unauthorized access to its network between March 3, 2025, and March 6, 2025. During that time, files containing patient data were accessed and acquired by the threat actor.

The file review confirmed that patient data was involved, including names, contact information, demographic information, Social Security numbers, dates of birth, medical record numbers, patient account numbers, diagnosis/treatment information, prescription information, provider name(s), date(s) of service, and health insurance information. A subset of individuals also had financial account information and routing numbers exposed.

Steps have been taken to improve security to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Northern California Children’s Therapy Center

Northern California Children’s Therapy Center in Woodland, California, has confirmed that patient data has been compromised in a recent security incident. On March 16, 2025, an unauthorized individual exploited a vulnerability in a cloud-based system used to collect and manage information to facilitate developmental screenings and connect families with appropriate resources.

The screenings were provided through the Help Me Grow Yolo County Program, through which community programs such as early childhood services are provided. When the breach was detected, action was immediately taken to secure the system, and the incident was fully resolved by March 19, 2025. An internal review has been completed, and the compromised data has been confirmed as:

  • Referring provider information: agency name, address, phone number; provider name and email address
  • Child’s information: name, gender, date of birth, language(s), and developmental skills
  • Parent/caregiver information: name, relationship to the child, preferred method of contact, phone number, email address, and broad health-related issues
  • Other information: broad questions or concerns of the family or provider

It was not possible to determine whether any specific child’s data was accessed or acquired. As a precaution, all individuals who had screenings have been notified. Northern California Children’s Therapy Center is working with cybersecurity experts to ensure the ongoing security of systems and records, has reconfigured the impacted storage system, and is looking to implement additional measures to strengthen security.

The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
