Data breaches have been announced by Doctors Imaging Group in Florida, Rectangle Health in New York, and Care N’ Care in Texas.

Doctors Imaging Group, Florida

Doctors Imaging Group, a Gainesville, Florida-based physician-owned radiology practice, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 171,862 current and former patients. Suspicious activity was identified within its computer network on or around November 11, 2024, and the forensic investigation confirmed that unknown actors accessed its network between November 5, 2024, and November 11, 2024. During that time, files were copied from its systems, some of which contained the protected health information of patients. The substitute breach notice does not say if this was an extortion attempt, such as a ransomware attack, and the HIPAA Journal has not identified any posts by ransomware groups claiming responsibility for the attack.

Doctors Imaging Group conducted a file review to identify the types of information exposed in the incident, which was completed on August 29, 2025. Data potentially compromised in the attack includes names, addresses, birth dates, admission dates, medical treatment information, claims information, Social Security numbers, patient account numbers, medical record numbers, financial account numbers, and account types. The affected individuals have been advised to monitor their account statements, explanation of benefits statements, and free credit reports for suspicious activity. Doctors Imaging Group has reviewed its data security policies and procedures and is evaluating additional cybersecurity tools to reduce the risk of similar incidents in the future.

Rectangle Health, New York

Rectangle Health, a Valhalla, NY-based software company that provides practice management software to healthcare providers, has recently notified the Maine Attorney General about a breach affecting 2,095 individuals, including 11 Maine residents. The incident involved unauthorized access to its Salesforce platform on August 14, 2025. The platform was used to store customer information. Rectangle Health did not state which cybercriminal group was involved. The file review was completed on September 4, 2025, and confirmed that the stolen data includes names, dates of birth, and Social Security numbers. Notification letters were mailed to the affected individuals on October 8, 2025. Complimentary credit monitoring services are being offered to the affected individuals.

There has been a spate of attacks on Salesforce environments over the past few months, prompting the Federal Bureau of Investigation (FBI) to issue a Flash Alert in September. The alert warned that two cybercriminal groups – UNC6040 (ShinyHunters) and UNC6395 – were targeting Salesforce environments. In September, a hacking group called Scattered Lapsus$ Hunters started leaking stolen Salesforce data. Some members are believed to also be part of the ShinyHunters group. The group has attempted to extort Salesforce and has threatened to extort companies directly if Salesforce refuses to pay the ransom.

Care N’ Care, Texas

Care N’ Care, a Medicare Advantage health plan provider serving Medicare beneficiaries in North Texas, has recently notified the Texas Attorney General about a data breach affecting 32,452 Texas residents. While little is currently known about the data breach, this was a hacking incident that involved unauthorized access to protected health information, which may also have been stolen in the attack. The date of the cyberattack has not been publicly disclosed. The file review has confirmed that the exposed data includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information.

The post Florida Radiology Practice Announces 171K-record Data Breach appeared first on The HIPAA Journal.

Harris Health in Texas has recently started notifying more than 5,000 patients that their electronic health records may have been impermissibly accessed by a former employee. Concerningly, the unauthorized access had been ongoing for a decade before it was identified.

Harris Health operates Ben Taub Hospital and Lyndon B. Johnson Hospital, and a network of 37 clinics, health centers, and specialty locations in and around Houston, Texas.  While notification letters are now being mailed to the affected individuals, the unauthorized access was detected on February 10, 2021. An investigation was launched to determine the extent of the employee’s HIPAA violation, with assistance provided by a nationally recognized digital forensics firm. The investigation confirmed unauthorized access to patient records from January 4, 2011, to March 8, 2021.

After confirming that patients’ medical records had been accessed without any legitimate work purpose, the employee was terminated, and the Federal Bureau of Investigation (FBI) was notified. Harris Health has been assisting with the investigation, which confirmed that the employee had disclosed some patient information to unauthorized individuals. The substitute breach notice on the Harris Health website doesn’t provide any indication as to why patients’ records were being accessed or the purpose of the disclosure of patient data.

Harris Health was unable to determine the specific patients whose protected health information was disclosed to other individuals, so notification letters are being sent to all individuals whose data may have been impermissibly disclosed. Notification letters were delayed at the request of law enforcement so as not to interfere with the investigation. While law enforcement requests to delay notifications are not unusual, a 4-year delay is unusually long. Typically, notifications are only delayed by a few weeks or months.

Data potentially accessed and disclosed includes demographic information such as names, dates of birth, addresses, email addresses, telephone numbers, and medical record numbers; clinical information such as diagnoses, medical history, medications, immunizations, dates of service, and provider names; health insurance information, and, for a limited number of individuals, Social Security numbers. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services.

All individuals potentially affected have been advised to monitor their explanation of benefits statements and should report any suspicious activity to their health insurer. Harris Health said it is providing further training to the workforce on the importance of protecting patient privacy, and additional tools have been implemented that allow proactive monitoring of employee access to patient records and provide enhanced auditing capabilities to help Harris Health identify unauthorized access more quickly in the future.

Under HIPAA, all employees should be provided with unique logins to allow their interactions with patient information to be tracked. Logs should be maintained to support investigations of unauthorized access to patient records, and those logs should be regularly reviewed. Regular reviews of access logs will help to limit the harm caused if employees impermissibly access patient records. HIPAA-covered entities should also ensure that they provide HIPAA training to their employees during onboarding, as well as annual refresher training sessions to remind employees of their responsibilities under HIPAA and the importance of protecting patient privacy.

The post Harris Health Notifies Patients About 10-Year Insider Data Breach appeared first on The HIPAA Journal.