Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement – The HIPAA Journal
Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement The HIPAA Journal
Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement
Fraser Child and Family Center has agreed to pay $750,000 to settle class action litigation over a 2024 data breach. Fraser Child and Family Center is a Minnesota-based provider of autism, mental health, behavioral health, and disability services. Between May 30, 2024, and June 2, 2024, an unauthorized third party was able to access parts of its IT environment that contained the protected health information of approximately 67,000 individuals. Information potentially stolen in the incident included names, addresses, dates of birth, Social Security numbers, and medical information. The affected individuals were notified about the breach in September 2024.
Class action lawsuits were filed in response to the data breach by four plaintiffs, individually and on behalf of their minor children and similarly situated individuals. Since the lawsuits had overlapping claims and were based on the same facts, they were consolidated into a single lawsuit – In re: Fraser Child and Family Center – which was filed in the District Court for Hennepin County, Minnesota.
The lawsuit asserted several claims, including negligence, breach of contract, breach of fiduciary duty, invasion of privacy – intrusion upon seclusion, unjust enrichment, and a failure to provide adequate breach notifications. Fraser Child and Family Center denies wrongdoing and liability and filed a motion to dismiss. Shortly thereafter, all parties began to explore the possibility of early resolution of the litigation, and a settlement was agreed upon that was acceptable to all parties. The settlement agreement has now been finalized and has received preliminary approval from the court.
Following the data breach, Fraser Child and Family Center implemented additional safeguards to further protect information stored on its network. In addition, a $750,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, service awards for the plaintiffs, and benefits for the class members.
All class members are entitled to claim two years of credit monitoring services, which can be either the CyEx Identity Defense Complete package for adults or the CyEx Minor Defense package for minors. In addition, a claim may be submitted for reimbursement of documented, out-of-pocket losses due to the data breach up to a maximum of $2,500 per class member. In lieu of a claim for reimbursement of losses, class members may submit a claim for a cash payment. Cash payments will be paid after all the above costs and expenses have been paid, and the funds will be divided equally between class members who submit a claim for a cash payment.
Class members wishing to object to the settlement or exclude themselves must do so by November 3, 2025. Claims must be submitted by December 1, 2025, and the final fairness hearing has been scheduled for November 20, 2025.
The post Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement appeared first on The HIPAA Journal.
September 2025 Healthcare Data Breach Report – The HIPAA Journal
September 2025 Healthcare Data Breach Report The HIPAA Journal
September 2025 Healthcare Data Breach Report – The HIPAA Journal
September 2025 Healthcare Data Breach Report The HIPAA Journal
September 2025 Healthcare Data Breach Report
While the figures in our September 2025 data breach report look encouraging, there is a major caveat. Due to the government shutdown, the HHS’ Office for Civil Rights (OCR) has largely stopped adding data breaches to its data breach portal. The figures for September are therefore likely to increase considerably when the furlough comes to an end, staff return to work, and the backlog of data breach reports is addressed. While we do not generally update our monthly breach reports after publication, we will revise the figures and re-publish this report when the government shutdown comes to an end.
September 2025 Healthcare Data Breach Report
As of October 22, 2025, OCR has added 26 data breaches affecting 500 or more individuals to its data breach portal – the lowest monthly total since December 2018. While data breaches are down 56% from August’s 64 data breaches, there are likely to be several more breaches added to that total. That said, there has been a downward trend in healthcare data breaches since April, and the year-to-date total from January 1 to September 30 is 469 data breaches, compared to 554 data breaches in the corresponding period in 2024. Even accounting for missing breach reports due to the government shutdown, data breaches are down considerably from last year.
Across the 26 September data breaches on the OCR data breach portal, the protected health information of at least 1,294,769 individuals was exposed or impermissibly disclosed, marking the third consecutive month with a fall in the number of affected individuals, and currently down 65.9% from August. That number could increase considerably, but currently, for the year-to-date, 42,216,193 individuals have had their protected health information exposed or impermissibly disclosed. While this year’s total is higher than in the whole of 2019 and 2020, the number of affected individuals is down 85% compared to last year and 75% compared to 2023.
The Biggest Healthcare Data Breaches Announced in September
Currently, 42% of the month’s breaches (11 incidents) involved the exposure or impermissible disclosure of the protected health information of 10,000 or more individuals. All but one of the 11 data breaches were hacking incidents involving unauthorized access to protected health information stored on network servers, with one incident involving a compromised email account. Goshen Medical Center was the worst-affected covered entity, with more than 456,000 patients affected by its hacking incident. One provider that stands out is Sturgis Hospital, which was investigating a cyberattack that occurred in December 2024, when another intrusion was experienced in June 2025.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| Goshen Medical Center | NC | Healthcare Provider | 456,385 | Network server hacking incident |
| Medical Associates of Brevard, LLC | FL | Healthcare Provider | 246,711 | Network server hacking incident |
| Doctors Imaging Group | FL | Healthcare Provider | 171,862 | Network server hacking incident – Data theft confirmed |
| Retina Group of Florida | FL | Healthcare Provider | 152,691 | Network server hacking incident |
| Sturgis Hospital | MI | Health Plan | 77,771 | Network server hacking incident |
| Sturgis Hospital | MI | Healthcare Provider | 77,771 | Network server hacking incident |
| PGA Development, Inc. | PA | Healthcare Provider | 23,899 | Network server hacking/IT Incident |
| Teamsters Union 25 Health Services & Insurance Plan | MA | Health Plan | 19,231 | Network server hacking incident |
| Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice (“Treasure Health ”) | FL | Healthcare Provider | 13,234 | Email account breach |
| People Encouraging People | MD | Healthcare Provider | 13,083 | Ransomware attack – Data theft confirmed |
The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to OCR and issue notifications within 60 days of the discovery of a data breach; however, if the total number of affected individuals is not known at that point, an estimate should be provided to OCR. Many regulated entities submit a breach report using a placeholder figure of 500 or 501 affected individuals, then provide an updated total when the file review is concluded. Four data breaches were reported in September using 500 or 501 totals indicative of a placeholder. These data breaches could affect considerably more individuals than the initial breach report suggests.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
| Cookeville Regional Medical Center | TN | Healthcare Provider | 500 | Hacking/IT Incident |
| Hampton Regional Medical Center | SC | Healthcare Provider | 501 | Hacking/IT Incident |
| Coos County Family Health Services | NH | Healthcare Provider | 501 | Hacking/IT Incident |
| La Perouse, LLC | NV | Business Associate | 501 | Hacking/IT Incident |
Causes of September 2025 Healthcare Data Breaches
Out of the 23 large healthcare data breaches added to the OCR breach portal in September, 23 (88.5%) were reported as hacking/IT incidents, involving unauthorized access to the protected health information of 1,279,139 individuals, which is 98.8% of the total individuals affected by data breaches in September. The average number of individuals affected by these incidents was 55,615 (median: 6,243 individuals).
The exact nature of the hacking incidents, such as whether ransomware was used to encrypt files, if a ransom demand was received, or even if data was stolen, is often not disclosed. This trend has been growing for several years and is not confined to the healthcare industry. The Identity Theft Resource Center (ITRC) has reported that this trend is evident across many industry sectors.
The remaining three data breaches were unauthorized/disclosure incidents, affecting 15,630 individuals. On average, 5,210 individuals were affected (median: 1,700 individuals). Based on the available data, no loss, theft, or improper disposal incidents were reported to OCR in September. There have been no loss/theft incidents reported since March 2025, and the last reported improper disposal incident was in May 2025.
Where Did the Data Breaches Occur?
Geographical Distribution of Healthcare Data Breaches in September
Florida and North Carolina were the worst-affected states, with four data breaches affecting 500 or more individuals reported by entities based in those states, and both states top the list in terms of the number of affected individuals, with 584,498 and 465,721 individuals affected, respectively.
| State | Breaches |
| Florida & North Carolina | 4 |
| Michigan, Pennsylvania & Tennessee | 2 |
| Louisiana, Massachusetts, Maryland, Minnesota, Missouri, New Hampshire, Nevada, Oregon, South Carolina, Texas, Virginia, and Washington | 1 |
The table below shows the number of individuals affected by healthcare data breaches based on the state where the regulated entity is based, not necessarily where the affected individuals reside.
| State | Individuals Affected |
| Florida | 584,498 |
| North Carolina | 465,721 |
| Michigan | 155,542 |
| Pennsylvania | 26,150 |
| Massachusetts | 19,231 |
| Maryland | 13,083 |
| Missouri | 11,538 |
| Louisiana | 6,243 |
| Minnesota | 3,572 |
| Tennessee | 2,957 |
| Oregon | 1,700 |
| Texas | 1,236 |
| Washington | 1,099 |
| Virginia | 696 |
| New Hampshire | 501 |
| Nevada | 501 |
| South Carolina | 501 |
HIPAA Enforcement Activity in September 2025
It has been a busy year of HIPAA enforcement for OCR, with 20 enforcement actions involving settlements or civil monetary penalties announced this year, including one enforcement action in September. OCR agreed to settle alleged violations of the HIPAA Privacy Rule and Breach Notification Rule with Cadia Healthcare facilities, which agreed to pay $182,000 to resolve the alleged violations.
Cadia Healthcare is a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware. An employee had posted success stories about its patients to its social media channel; however, it had not obtained valid HIPAA authorizations for that purpose, and therefore, the use of PHI in the stories was an impermissible disclosure of PHI. After being notified by OCR, Cadia found that 150 patients had PHI posted online without valid authorizations, deleted the posts, and shut down the success story program; however, notification letters about the HIPAA breach were not issued. The corrective action plan requires policies and procedures to be revised, training to be provided to staff members, and notification letters to be issued.
The post September 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.
Oregon Eye Care Provider and New York Children’s Center Announce Hacking Incidents – The HIPAA Journal
Oregon Eye Care Provider and New York Children’s Center Announce Hacking Incidents
Cyberattacks have recently been announced by River City Eye in Oregon and Elmcrest Children’s Center in New York.
River City Eye Care
River City Eye Care, an eye care provider with locations in Portland and Happy Valley, Oregon, has started notifying patients about a recent security incident involving the theft of files containing patient information. Unusual network activity was detected on or around September 8, 2025, and an investigation was launched to determine the nature and scope of the activity.
The investigation confirmed unauthorized access to its network and the exfiltration of files. The affected files were reviewed, and River City Eye Care completed the review on October 1, 2025. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: address, email address, phone number, and date of birth. Driver’s license numbers and Social Security numbers were involved for a limited number of individuals. Notification letters started to be mailed on October 16, 2025, and steps are being taken to reduce the risk of similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.
The Genesis threat group claimed responsibility for the attack and has added River City Eye to its data leak site. The group claims it operates a data extraction operation (no file encryption) and says it exfiltrated 200 GB of data from company management hosts and file servers, which has been made available for download. The HIPAA Journal has not downloaded any data, so cannot verify the legitimacy of the group’s claim.
Elmcrest Children’s Center
Elmcrest Children’s Center, a Syracuse, NY-based provider of support services to children with emotional, behavioral, and developmental limitations and their families, has recently disclosed a security incident involving unauthorized access to its network. The investigation into the incident is ongoing, but it has been confirmed that its network was subject to unauthorized access between March 10, 2025, and July 24, 2025, during which time files were accessed and acquired by the threat actor.
The files are still being reviewed, but based on the initial findings, the types of information involved include names, dates of birth, and medical information. Technical and administrative policies and procedures are being reviewed and will be updated to reduce the risk of similar incidents in the future. Elmcrest Children’s Center has yet to disclose how many individuals have been affected; however, the data breach does appear to be significant. The Interlock ransomware group has claimed responsibility for the attack and says almost 450 GB of data was copied.
The post Oregon Eye Care Provider and New York Children’s Center Announce Hacking Incidents appeared first on The HIPAA Journal.
Massachusetts Hospitals Experiencing Disruption Due to Cyberattack – The HIPAA Journal
Massachusetts Hospitals Experiencing Disruption Due to Cyberattack The HIPAA Journal
Massachusetts Hospitals Experiencing Disruption Due to Cyberattack
A cyberattack has caused a network outage that has disrupted operations at two hospitals in North Central Massachusetts – the 134-bed non-profit Heywood Hospital in Gardner, and Athol Hospital, a 25-bed critical access hospital in Athol, both owned and operated by Heywood Healthcare.
The attack was detected last week, and systems were immediately taken offline to protect the network and patients. Incident response protocols were activated, a Code Black was declared, and the emergency department was closed to all patients arriving by ambulance. Ambulances were diverted to other facilities due to the inability to access certain systems. Radiology and laboratory services have also been disrupted.
The attack affected its Internet connection, email system, and phone lines, and while communications are back up and running, some issues are still being experienced. On Thursday, October 16, 2025, the hospital confirmed that the network outage was caused by a cybersecurity incident and that a third-party cybersecurity firm has been engaged to assist with the investigation and recovery. The Athena portal is online, and patients are encouraged to use the portal to communicate with the hospital and providers, and its answering service is operational if the portal cannot be accessed.
Heywood Hospital said its main priority is ensuring that care continues to be provided to patients, and has confirmed that both hospitals and Heywood Medical Group have remained open throughout and are continuing to provide care to patients. Heywood Healthcare is working with the cybersecurity experts to restore systems as quickly as possible, but no timeline has been provided for when full functionality will be restored. The exact nature of the attack, such as whether ransomware was involved, has not been disclosed. No ransomware group appears to have claimed responsibility for the attack. At such an early stage of the investigation, it is unclear to what extent, if any, patient data has been exposed or if sensitive data was stolen in the attack. Heyward Healthcare said it will provide further updates as more is learned about the incident.
Patient care is often disrupted by cyberattacks, the extent of which was recently explored in a survey conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint. The survey found that 93% of healthcare organizations in the study had experienced a cybersecurity incident in the past 12 months, and 72% had experienced a cybersecurity incident that disrupted patient care. Healthcare providers reported negative impacts such as cancelled appointments, delayed intake, longer patient stays, poorer outcomes, increased complications from medical procedures, and an increase in mortality rate following a cyberattack.
The post Massachusetts Hospitals Experiencing Disruption Due to Cyberattack appeared first on The HIPAA Journal.