Hillcrest Convalescent Center Settles Class Action Data Breach Litigation
Hillcrest Convalescent Center, a short-term inpatient rehabilitation and skilled nursing facility in Durham, North Carolina, has agreed to settle class action litigation over a June 2024 cyberattack.
Hackers breached its network, resulting in unauthorized access to and the potential theft of patients’ personal and protected health information. The hackers had access to information such as names, addresses, dates of birth, financial account numbers, driver’s license numbers, Social Security numbers, medical treatment information, and health insurance information. The incident affected more than 106,000 individuals, who were notified by mail in March 2025.
The data breach sparked several class action lawsuits, which were consolidated as they had overlapping claims. The consolidated lawsuit – In re Hillcrest Convalescent Center, Inc. Data Breach Litigation – is pending in the Superior Court of Durham County, North Carolina. Hillcrest Convalescent Center denies the allegations of wrongdoing and liability and, in September 2025, filed a motion to dismiss the consolidated complaint. The plaintiffs filed their response in October 2025, and later that month, the defendant filed their reply in further support of the motion to dismiss. Shortly thereafter, the parties began exploring the possibility of a settlement.
During mediation in January 2026, the parties agreed on the material terms of a settlement, which has now been finalized and has received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for reimbursement of documented out-of-pocket losses due to the data incident up to a maximum of $2,500 per class member. Class members who choose not to submit such a claim may instead claim an alternative cash payment, estimated to be $50 per claimant.
Regardless of the option chosen, class members are eligible to enroll in two years of credit monitoring services, which include a $1 million identity theft insurance policy. Claims must be submitted by August 26, 2026, and the final approval hearing has been scheduled for August 24, 2026. Individuals who do not submit a claim will lose the right to sue the defendant over the data breach and will receive nothing from the settlement. Individuals who want to retain the right to sue can exclude themselves and must do so by July 27, 2026. Objections to the settlement must be filed by July 27, 2026.
The post Hillcrest Convalescent Center Settles Class Action Data Breach Litigation appeared first on The HIPAA Journal.
British Scattered Spider Hacker Pleads Guilty to Cyberattacks on TfL; SSM Health Care; Sutter Health
Two British hackers have pleaded guilty to a cyberattack on Transport for London (TfL), one of whom also admitted to hacking two U.S. healthcare companies in September 2024: SSM Health Care Corporation and Sutter Health.
Owen Flowers, 18, from Walsall, West Midlands, and Thalha Jubair, 20, from East London, were both teenagers when they conducted the attacks and were members of the cybercriminal group Scattered Spider. In contrast to many cybercriminal groups, Scattered Spider is an English-speaking collective whose members are primarily based in the United States, the United Kingdom, and Canada.
Scattered Spider is believed to have been formed in May 2022 and primarily targeted telecommunications companies before expanding its attacks to a wider variety of targets. The group has been linked with attacks on more than 120 companies, including Snowflake, Twilio, Mailchimp, DoorDash, American Airlines, WestJet, Hawaiian Airlines, and Aflac. The group was behind the ransomware attacks on Caesars Entertainment and MGM Resorts in September 2023, the TfL attack in late August 2024, and a string of ransomware attacks on UK retailers Marks & Spencer, Harrods, and Co-op Group in April 2025.
The two hackers were arrested at their home addresses on September 16, 2025, in connection with the retail attacks, along with two other individuals. An investigation conducted by the National Crime Agency (NCA) and City of London Police linked the pair to the TfL attack. That attack caused disruption to TfL’s online services, prevented live London Underground train information from appearing in the TfL app and on the TfL website, and forced all 28,000 TfL employees to attend a TfL office for a password reset. The attack cost TfL £29 million ($38 million) in loss and recovery costs.
Investigators searched the residences of the two individuals and recovered laptops, desktop computers, hard drives, and USB sticks, which contained evidence of the pair’s involvement in the TfL attack. Investigators also found evidence on devices owned by Flowers of his involvement in attacks on SSM Health Care and Sutter Health, which resulted in the infiltration of, and damage to, computers, according to the UK’s National Crime Agency.
Jubair ran a Telegram channel called Star Chat that was used by a SIM-swapping group that engaged in voice and SMS-based phishing attacks to steal credentials from employees at UK and US wireless providers. The access was then used to redirect individuals’ phone numbers to devices controlled by the attackers, allowing them to intercept calls and text messages.
Jubair has been charged in the United States for his role in Scattered Spider cyberattacks on at least 120 computer networks, involving 47 U.S. entities. New Jersey prosecutors have charged Jubair with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If convicted on all U.S. charges, Jubair faces up to 95 years in jail.
The hackers were scheduled for a 6-week trial in Woolwich Crown Court in London, starting on June 22, 2026. On day 1 of the trial, Flowers and Jubair pleaded guilty to the attack on TfL. Flowers also admitted to conspiring to commit unauthorized acts against the computer systems of SSM Health Care Corporation and Sutter Health in September 2024.
The hackers are both scheduled for a 2-day sentencing hearing starting on July 15, 2026. Jubair also faces a trial in the United States. Depending on negotiations between UK and US authorities, Jubair could be temporarily transferred after sentencing to stand trial for the charges in the United States before returning to complete his sentence, or he may face a trial in the U.S. after serving the entirety of his UK sentence.
“This has been a lengthy, highly complex, and painstaking investigation. The perseverance and meticulousness of our officers, and the work of our partner organisations, meant that Jubair and Flowers had no option other than to plead guilty and take responsibility for their offending,” said Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit. “The profile of offenders like Flowers and Jubair demonstrates the increasing threat from cyber criminals based in the UK and other English-speaking countries, epitomised by Scattered Spider. This is why we work closely with partners at home and abroad to identify offenders within these networks and bring them to justice.”
Data Breaches Announced by Florida Retina Center; Acadia Healthcare Company
Florida Retina Center has identified unauthorized access to systems containing the protected health information of more than 13,600 patients. Acadia Healthcare Company has experienced a breach affecting 1,800 patients.
Florida Retina Center
Bonita Springs-based Florida Retina Center has announced a cybersecurity incident that was first identified on January 30, 2026. Immediate action was taken to secure its network, and an investigation was launched to determine the nature and scope of the unauthorized activity. On May 19, 2026, Florida Retina Center confirmed unauthorized access to parts of its network containing patient data.
The file review confirmed that the data of 13,652 patients was exposed and potentially acquired in the incident. The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Notification letters have been mailed to the affected individuals, and 12 months of complimentary credit monitoring and identity theft protection services have been made available. At the time of issuing notification letters, no misuse of the affected data had been identified.
Acadia Healthcare Company
Franklin, Tennessee-based Acadia Healthcare Company, Inc., a provider of psychiatric and chemical dependency services, has announced a data breach affecting 1,807 individuals. Unusual activity was identified within an employee’s email account on March 25, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to a single employee’s email account and associated SharePoint files between March 21, 2026, and March 25, 2026. There was no unauthorized access to any other email accounts, other systems, or the electronic medical record system.
The types of data involved varied from individual to individual, and for the majority of affected individuals, involved one or more of the following data elements in addition to their names: address, date of birth, treatment information, dates of treatment, type of treatment, and health insurance information. Certain individuals also had their Medicare Health Insurance Claim Number (HICN) exposed, which may include their Social Security number. Notification letters were mailed to the affected individuals on May 22, 2026, and additional safeguards have been implemented to prevent similar incidents in the future.