Data Breaches Announced by Watsonville Community Hospital & Palomar Health Medical Group
Data breaches have recently been announced by Watsonville Community Hospital and Palomar Health Medical Group in California, and the Phia Group in Massachusetts.
Watsonville Community Hospital
Watsonville Community Hospital in California is notifying individuals affected by a November 2024 security incident. Suspicious activity was identified within its computer systems on November 29, 2024, and the investigation confirmed that there had been unauthorized access to its network from November 25, 2024, to November 30, 2024, when the hackers were ejected from its network. The investigation confirmed that files containing patient information were either accessed or downloaded during those five days.
The file review confirmed that the data compromised in the incident included names, addresses, and driver’s license numbers or government ID numbers, with the exposed data varying from individual to individual. Notification letters started to be sent to the affected individuals on December 30, 2024; however, the file review was not completed until September 22, 2025. The final batch of notification letters started to be mailed on October 15, 2025.
The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. Watsonville Community Hospital has implemented additional cybersecurity safeguards and has provided further training to its workforce. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
Palomar Health Medical Group
Arch Health Partners, Inc., doing business as Palomar Health Medical Group, in Poway, California, has started notifying patients about a data security incident first identified on May 5, 2024. Palomar Health Medical Group launched an investigation into suspicious network activity and confirmed that an unauthorized threat actor gained access to certain files on its network on April 23, 2024, and maintained access until the data breach was detected on May 5, 2024. During that time, files may have been copied that contained patient information.
The data compromised in the incident included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, military identification numbers, passport numbers, U.S. alien registration numbers, financial account information, payment card information, health savings account information, medical histories, diagnostic information, treatment information, biometric data, medical record numbers, Medicare/ Medicaid identification numbers, patient account numbers, health insurance information, email addresses and passwords, and usernames and passwords.
Palomar Health Medical Group had previously announced the cyberattack and data breach; however, it took until September 4, 2025, to finish the review of the affected files to allow notification letters to be sent. Complimentary credit monitoring and identity theft protection services have been made available for 12 or 24 months, and steps have been taken to improve security to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
The Phia Group
The Phia Group, a Canton, Massachusetts-based provider of outsourced cost containment and payment integrity solutions to healthcare payers, has recently notified the Massachusetts Attorney General about a recent data security incident. The notice is a copy of the data breach notifications sent to the affected individuals, and it provides no information about the nature of the data breach, such as when it occurred, when it was detected, or the cause of the breach. The data potentially compromised in the incident includes names, Social Security numbers, and medical record numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
This post will be updated when further information becomes available.
The post Data Breaches Announced by Watsonville Community Hospital & Palomar Health Medical Group appeared first on The HIPAA Journal.
Cybersecurity Firm Reports 36% YOY Increase in Ransomware Attacks – The HIPAA Journal
Cybersecurity Firm Reports 36% YOY Increase in Ransomware Attacks The HIPAA Journal
Cybersecurity Firm Reports 36% YOY Increase in Ransomware Attacks
Cybersecurity firm Black Fog has released its Q3 2025 State of Ransomware Report, which shows ransomware attacks have increased by 36% compared to the same quarter in 2024. Each month in the quarter saw an increase in attacks compared to the corresponding month last year, with July the worst month with a 50% increase. Over the whole quarter, 270 ransomware attacks were reported, although Black Fog notes that the majority of attacks remain in the shadows and go unreported. In Q3, an estimated 1,510 ransomware attacks were not disclosed, which represents a 21% increase from the previous quarter.
Healthcare remains a key target for ransomware groups, with the sector experiencing 86 attacks, which represents 32% of all disclosed attacks – more than twice as many ransomware attacks as were disclosed by entities in the next most attacked sectors, government and technology, which each had 28 disclosed incidents. Black Fog reports that 85% of ransomware attacks are not reported, and taking those attacks into account, manufacturing was the hardest hit sector, accounting for 22% of the 1,510 undisclosed attacks, followed closely by the services sector. Even with the HIPAA reporting requirements, healthcare ranked 5th for undisclosed incidents, which suggests that healthcare organizations are slow to investigate and report attacks. Law firms are increasingly being targeted, with the sector experiencing at least 79 attacks, the highest level since Black Fog started publishing ransomware reports in 2020.
Data theft almost always occurs with ransomware attacks, with some groups now abandoning encryption altogether. Black Fog reports that a new record was set in Q3 for data exfiltration, with 96% of attacks involving data theft. As reported by the Identity Theft Resource Center this month in its Q3 analysis of compromises, almost three-quarters (71%) of victim notifications do not mention the root cause of the attack, such as whether ransomware was used, which puts victims at a great risk of identity theft and fraud. Black Fog identified 449 victim listings on ransomware groups’ dark web data leak sites in Q3, 2025, with an average of 527.65 GB exfiltrated per victim. Black Fog CEO, Darren Williams, recommends that organizations should be more proactive at detecting the signs of data exfiltration by looking for unusual patterns in outbound traffic, anomalous MFA behaviors, and sudden file movement, as by the time files are encrypted, the damage from an attack is often irreversible.
The Qilin ransomware group retained its position as the most prolific ransomware group with 20 disclosed attacks (7%) and 242 undisclosed attacks (16%). INC Ransom ranked second with 18 (7%) disclosed attacks and 111 (7%) undisclosed attacks. Akira remains a highly active group with 139 (9%) undisclosed attacks. In Q3, a further 18 ransomware groups emerged, bringing the total number of active groups engaging in double extortion up to 80.
One notable newcomer is the Devman ransomware group, which has conducted 19 attacks in just a few months. The group stands out due to the high number of attacks for a new group, together with exorbitant ransom demands, including a $93 million ransom demand in the attack on the Chinese real estate firm, Shimao Group, which ranks as the largest ransom demand of the year.
“As ransomware volumes show a continued upward trend, the best option for organizations is to make it as hard as possible for cybercriminals to take advantage of them. That means protecting data so that they have no leverage for extortion and, critically, no incentive to return,” suggests Williams. That means improving monitoring and encrypting stored data.
The post Cybersecurity Firm Reports 36% YOY Increase in Ransomware Attacks appeared first on The HIPAA Journal.
Eastern Radiologists Agrees to $3.35 Million Data Breach Settlement – The HIPAA Journal
Eastern Radiologists Agrees to $3.35 Million Data Breach Settlement The HIPAA Journal
Eastern Radiologists Agrees to $3.35 Million Data Breach Settlement
Eastern Radiologists in North Carolina has agreed to pay $3.25 million to settle a class action lawsuit over a 2023 data breach that was reported to the HHS’ Office for Civil Rights as involving the protected health information of 886,746 patients. The Eastern Radiologists data breach that prompted the class action lawsuit was detected on November 24, 2023. The investigation confirmed that a threat actor had access to its network from November 20, 2023, to November 24, 2023, and copied files containing patient information. Data compromised in the incident included names, contact information, Social Security numbers, driver’s license numbers, financial account numbers, insurance information, procedure information, diagnoses, and imaging results.
Several class action lawsuits were filed in response to the data breach. Due to the lawsuits having overlapping claims, they were consolidated into a single lawsuit, Powers et al. v. Eastern Radiologists, Inc., in the General Court of Justice, Superior Court Division, in Pitt County, North Carolina. The consolidated class action complaint alleges that Eastern Radiologists failed to implement reasonable and appropriate cybersecurity measures, did not adhere to FTC guidelines on cybersecurity or follow industry standards, and that its conduct violated the Health Insurance Portability and Accountability (HIPAA). In addition to negligence, the lawsuit asserted claims of negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, invasion of privacy, and violations of North Carolina’s Unfair and Deceptive Trade Practices Act.
Eastern Radiologists deny all claims and contentions in the lawsuit and maintain that there was wrongdoing. After considering the risks associated with the litigation and the costs of continuing with the lawsuit, all parties agreed to settle the litigation. Under the terms of the settlement, Eastern Radiologists will establish a $3,250,000 settlement fund out of which attorneys’ fees and expenses, settlement administration costs, and service awards for the named plaintiffs will be deducted. The remainder of the fund will be used to pay benefits to the class members.
All class members may claim one year of medical account monitoring services and one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $5,000 per class member. The cash payments for losses have been capped at $200,000 and will be paid pro rata should that total be reached. Alternatively, class members may claim a cash payment, which may be subject to a pro rata increase or decrease.
The deadline for exclusion and objection is October 28, 2025. Claims must be submitted by December 1, 2025, and the final approval hearing has been scheduled for December 15, 2025. Claims will be paid between 30 and 60 days after the final approval hearing.
The post Eastern Radiologists Agrees to $3.35 Million Data Breach Settlement appeared first on The HIPAA Journal.
ITRC: 23 Million individuals Affected by Data Breaches in Q3, 2025 – The HIPAA Journal
ITRC: 23 Million individuals Affected by Data Breaches in Q3, 2025 The HIPAA Journal
ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025
The latest data from the Identity Theft Resource Center (ITRC) has confirmed that system compromises and data breaches are still being reported in high numbers, although there has been a slight reduction in incidents compared to the previous quarter. In Q2 2025, ITRC tracked 913 compromise incidents, plus a further 835 incidents in Q3. So far this year, ITRC has tracked 2,563 compromises, resulting in almost 202 million victim notices.
Given the high number of data compromises in each quarter this year, 2025 looks likely to be a record-breaking year, with only a further 640 compromises required in the last quarter of the year to set a new record. While compromises are up, the number of victim notices sent so far is down considerably from last year’s record-breaking total due to a reduction in mega data breaches. That said, there have been some sizeable data breaches this year.
In the first half of the year, five of the top ten biggest data breaches involved protected health information, with the data breaches at Yale New Haven Health System, Episource, and Blue Shield of California affecting more than 15.6 million patients. In Q3, while the biggest data breach was at TransUnion, involving 4.46 million victim notices, the next four largest data breaches occurred at healthcare organizations: the ransomware attack on the kidney dialysis provider DaVita (2,689,826 victims), and the cyberattacks on Anne Arundel Dermatology (1,905,000 victims), Radiology Associates of Richmond (1,419,091 victims), and Absolute Dental Group (1,223,635 victims).
Out of the 835 compromises in Q3, there were 749 confirmed data breaches involving 23,053,451 victim notices. Out of those data breaches, 691 were cyberattacks (22,985,802 victims), 46 were due to system and human error (62,297 victims), 33 breaches/exposures were supply chain attacks (3,793,381 victims), and 19 were due to physical attacks (5,352 victims). The highest number of data compromises occurred in the financial services sector (188 compromises), followed by healthcare (149 compromises), professional services (114 compromises), manufacturing (76 compromises), and education (45 compromises).
The trend of withholding details of the attack vector in breach notices is continuing to grow, with 71% of victim notices in Q3 missing that information, up from 69% in the first half of the year. The attack vector can help victims of the breach gauge the level of risk they face. Failing to state the exact cause of the breach can place victims at an increased risk of identity theft and fraud. The advice from ITRC, given the frequency at which cyberattacks and data breaches now occur, is to place a credit freeze with each of the three main credit reporting agencies (Experian, Equifax & TransUnion), regardless of whether personal data has been compromised. In addition, it is important to practice good cyber hygiene, set unique 12+ character passphrases on all accounts, and ensure that multi-factor authentication is activated wherever possible.
The post ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025 appeared first on The HIPAA Journal.
ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025
The latest data from the Identity Theft Resource Center (ITRC) has confirmed that system compromises and data breaches are still being reported in high numbers, although there has been a slight reduction in incidents compared to the previous quarter. In Q2 2025, ITRC tracked 913 compromise incidents, plus a further 835 incidents in Q3. So far this year, ITRC has tracked 2,563 compromises, resulting in almost 202 million victim notices.
Given the high number of data compromises in each quarter this year, 2025 looks likely to be a record-breaking year, with only a further 640 compromises required in the last quarter of the year to set a new record. While compromises are up, the number of victim notices sent so far is down considerably from last year’s record-breaking total due to a reduction in mega data breaches. That said, there have been some sizeable data breaches this year.
In the first half of the year, five of the top ten biggest data breaches involved protected health information, with the data breaches at Yale New Haven Health System, Episource, and Blue Shield of California affecting more than 15.6 million patients. In Q3, while the biggest data breach was at TransUnion, involving 4.46 million victim notices, the next four largest data breaches occurred at healthcare organizations: the ransomware attack on the kidney dialysis provider DaVita (2,689,826 victims), and the cyberattacks on Anne Arundel Dermatology (1,905,000 victims), Radiology Associates of Richmond (1,419,091 victims), and Absolute Dental Group (1,223,635 victims).
Out of the 835 compromises in Q3, there were 749 confirmed data breaches involving 23,053,451 victim notices. Out of those data breaches, 691 were cyberattacks (22,985,802 victims), 46 were due to system and human error (62,297 victims), 33 breaches/exposures were supply chain attacks (3,793,381 victims), and 19 were due to physical attacks (5,352 victims). The highest number of data compromises occurred in the financial services sector (188 compromises), followed by healthcare (149 compromises), professional services (114 compromises), manufacturing (76 compromises), and education (45 compromises).
The trend of withholding details of the attack vector in breach notices is continuing to grow, with 71% of victim notices in Q3 missing that information, up from 69% in the first half of the year. The attack vector can help victims of the breach gauge the level of risk they face. Failing to state the exact cause of the breach can place victims at an increased risk of identity theft and fraud. The advice from ITRC, given the frequency at which cyberattacks and data breaches now occur, is to place a credit freeze with each of the three main credit reporting agencies (Experian, Equifax & TransUnion), regardless of whether personal data has been compromised. In addition, it is important to practice good cyber hygiene, set unique 12+ character passphrases on all accounts, and ensure that multi-factor authentication is activated wherever possible.
The post ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025 appeared first on The HIPAA Journal.