Healthcare Services Group Confirms 624,500 Individuals Affected by Data Breach

Healthcare Services Group, Inc. (HSG), a Bensalem, PA-based provider of environmental, dining, and nutritional support services to healthcare facilities, has recently notified the Maine Attorney General about a major data breach involving unauthorized access to systems containing the personal and protected health information of 624,496 individuals, including 3,871 Maine residents.

HSG provides its services to more than 3,000 healthcare facilities in 48 U.S. states and employs more than 45,000 individuals. HSG first disclosed the security incident on October 16, 2024, in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), explaining that the cybersecurity incident was identified on October 9, 2024, when unauthorized activity was detected within some of its systems.

HSG initiated its cybersecurity incident response process, and an investigation was launched to determine the cause of the activity, with assistance provided by third-party cybersecurity specialists. At the time, the full nature of the incident was unknown, although it was not expected to have a material impact on its financial condition or the results of operations. The breach report indicates initial access to its network occurred on September 27, 2024, twelve days before the intrusion was detected. HSG has been reviewing the exposed files and determined on June 3, 2025, that personal and protected health information was potentially stolen.

Notification letters started to be mailed to the affected individuals on August 25, 2025, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, at least to those in Maine. While the Maine Attorney General has published a copy of the breach notification letter, a website error means it is not currently viewable, and there is currently no substitute breach notice on the HSG website, so the types of information exposed in the incident and the nature of the cyberattack are currently unknown.

This post will be updated when further information becomes available.

The post Healthcare Services Group Confirms 624,500 Individuals Affected by Data Breach appeared first on The HIPAA Journal.

Vulnerability Identified in FujiFilm Synapse Mobility Medical Image Viewer

A medium-severity privilege escalation vulnerability has been identified in FujiFilm Healthcare Americas Synapse Mobility medical image viewing software that could be exploited to bypass authentication and access sensitive data.

The vulnerability is tracked as CVE-2025-54551 and affects all versions of Fujifilm Healthcare Americas Synapse Mobility prior to version 8.2 (versions 8.0, 8.0.1, 8.0.2, 8.1, and 8.1.1). The vulnerability is remotely exploitable in a low-complexity attack and can allow an attacker to escalate privileges and access data that they do not have permission to view. Exploitation requires an authenticated user.

The vulnerability is due to external control of a Web parameter and can be exploited by altering the parameters of the search function, thereby providing results beyond the intended design of role-based access controls. The vulnerability has been assigned a CVSS v4 base score of 5.3 and a CVSS v3.1 base score of 4.3.
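The weakness class described above (a search endpoint whose result scope is controlled by a client-supplied parameter rather than by the server-side session) is easiest to see side by side with its fix. The following is an added, self-contained illustration written for this page; it is not Fujifilm's code, and the study index, site names, `Session` class and handler names are all constructed for the example. The point is that the hardened handler derives the permitted scope from the authenticated session and lets request parameters only narrow, never widen, that scope, and that a short audit routine can confirm this holds for every parameter variant tried.

```python
"""
Illustrative search-scope example (constructed; not vendor code).

Shows the parameter-tampering weakness class and its server-side fix:
the caller's authorization scope must come from the session, not from
the request.
"""
from dataclasses import dataclass

# Constructed sample index: each study belongs to one site (facility).
STUDIES = [
    {"id": "ST-1001", "site": "site-a", "patient": "P-1"},
    {"id": "ST-1002", "site": "site-a", "patient": "P-2"},
    {"id": "ST-2001", "site": "site-b", "patient": "P-3"},
    {"id": "ST-2002", "site": "site-b", "patient": "P-4"},
]
OWNER_SITE = {s["id"]: s["site"] for s in STUDIES}


@dataclass(frozen=True)
class Session:
    """Hypothetical server-side session: who the user is and which sites
    role-based access control allows them to see."""
    user: str
    allowed_sites: frozenset


def search_vulnerable(session: Session, params: dict) -> list:
    """Defective pattern: the 'site' filter is taken from the request.
    Omitting it, or naming another site, widens the result set beyond the
    caller's role. The session is never consulted."""
    site = params.get("site")
    return [s["id"] for s in STUDIES if site is None or s["site"] == site]


def search_hardened(session: Session, params: dict) -> list:
    """Fixed pattern: scope is derived from the session. A requested site
    is honoured only if it lies inside the allowed set; anything else is
    refused rather than silently broadened."""
    requested = params.get("site")
    if requested is not None and requested not in session.allowed_sites:
        return []  # a real service would return 403 and log the attempt
    scope = {requested} if requested is not None else set(session.allowed_sites)
    return [s["id"] for s in STUDIES if s["site"] in scope]


def leaked_ids(search_fn, session: Session, params: dict) -> list:
    """Return the study ids a search handed back that the session's role
    does not permit. Empty list means no over-disclosure for this call."""
    return sorted(
        sid for sid in search_fn(session, params)
        if OWNER_SITE[sid] not in session.allowed_sites
    )


def scope_audit(search_fn, session: Session) -> bool:
    """Defender check: exercise the handler with a set of parameter
    variants (missing, in-scope, out-of-scope, nonsense) and report whether
    it ever returns data outside the session's scope."""
    variants = [
        {},                        # filter omitted entirely
        {"site": "site-a"},        # in scope for the sample viewer
        {"site": "site-b"},        # out of scope: must not be honoured
        {"site": "*"},             # junk value
        {"site": ""},              # empty value
    ]
    return all(not leaked_ids(search_fn, session, p) for p in variants)


if __name__ == "__main__":
    viewer = Session(user="viewer", allowed_sites=frozenset({"site-a"}))
    print("vulnerable handler passes scope audit:", scope_audit(search_vulnerable, viewer))
    print("hardened handler passes scope audit:  ", scope_audit(search_hardened, viewer))
```

Running the script as-is reports that the vulnerable handler fails the audit (it returns site-b studies when the parameter is omitted or altered) and the hardened one passes. The same audit shape, a fixed session plus a list of parameter variants, is a cheap regression test to keep next to any role-scoped search endpoint.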

Fujifilm Healthcare Americas has fixed the vulnerability in version 8.2 and later versions and has released patches for versions 8.0 to 8.1.1. Users are encouraged to upgrade to the latest version of the software and ensure that patches are applied before the end-of-support date. If the version in use is past the end-of-support date, users should ensure they update to a supported version.

If an immediate upgrade is not possible, administrators should consider disabling the search function in the configurator settings until the software can be updated. This can be achieved by unchecking the “Allow plain text accession number” checkbox in the security section of the admin interface. This will limit the site to use of the product only via the SecureURL feature.

The post Vulnerability Identified in FujiFilm Synapse Mobility Medical Image Viewer appeared first on The HIPAA Journal.

Michigan Rural Health System Notifies 140,000 About Hacking Incident

Aspire Rural Health in Michigan is notifying almost 140,000 patients about unauthorized access to its network and the theft of their personal and healthcare data. Aspire Rural Health consists of more than 70 providers and serves patients in rural areas in Huron County, Sanilac County, Tuscola County, and Lapeer County. Aspire detected the intrusion on or around January 6, 2025, and third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that an unauthorized third party had access to its network for more than two months, from November 4, 2024, to January 6, 2025.

According to the substitute data breach notice on the Aspire website, files containing patients’ protected health information were accessed and/or acquired in the incident. Following a manual review of the affected files, Aspire confirmed that a wide range of data types were compromised in the incident.

Current and former patients had their first and last names stolen, in combination with one or more of the following: date of birth, Social Security number, financial account number and routing number, diagnosis information, medical treatment information, prescription information, health insurance information, payment card number/PIN/expiry date, lab results, provider information, driver’s license number, username/password, biometric identifiers, patient identification number, medical record number, and passport number.

Aspire is unaware of any misuse of the affected data; however, as a precaution, complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. The data breach is not yet listed on the HHS’ Office for Civil Rights breach portal; however, the Maine Attorney General has been informed that 138,386 individuals have been affected, including 4 Maine residents. While not described as a ransomware attack, the BianLian threat group claimed responsibility for the attack and added Aspire to its dark web data leak site.

The post Michigan Rural Health System Notifies 140,000 About Hacking Incident appeared first on The HIPAA Journal.

July 2025 Healthcare Data Breach Report

U.S. healthcare data breaches are down 34.1% month-over-month, and 44.5% fewer individuals had their healthcare data exposed. HIPAA-regulated entities reported 48 data breaches affecting 500 or more individuals in July, 12 fewer than the monthly average over the past 12 months.

Healthcare data breaches in the past 12 months - July 2025

July saw the lowest number of reported healthcare data breaches since September 2024, although the monthly total is likely to increase as there is often a delay between an entity reporting a data breach to the HHS’ Office for Civil Rights (OCR) and it being added to the OCR breach portal. For instance, in August 2024, when we compiled the July 2024 healthcare data breach report, there were 43 data breaches, with the total increasing to 49 over the next few months.

July healthcare data breaches 2020-2025

July’s total is therefore likely to be slightly higher than July 2024, and data breaches are up slightly year-over-year. When we compiled our July 2024 data breach report on July 20, 2024, 435 data breaches affecting 500 or more individuals had been reported to OCR. This year’s total for January 1, 2025, to July 31, 2025, stands at 444 data breaches – a 2% year-over-year increase.

Individuals affected by healthcare data breaches in the past 12 months

There has also been a fall in the number of individuals affected by healthcare data breaches. Across the 48 reported data breaches, 4,397,900 individuals had their healthcare data exposed or impermissibly disclosed – a 44.5% month-over-month reduction, and 1.37 million fewer individuals than the 12-month average of 5,769,912 individuals a month.

Individuals affected by July data breaches 2020 - 2025

While there has been a month-over-month fall in affected individuals based on current data, July’s total will increase further as breached organizations complete their data breach investigations and file reviews. As it stands, the number of affected individuals is down 97.8% from the 200 million+ individuals affected by data breaches last year. It should be noted that the July 2024 total includes the data breach at Change Healthcare, which affected 192.7 million individuals. When we compiled the data for last July’s data breach report, the OCR breach portal only showed 1.2 million affected individuals.

Biggest Healthcare Data Breaches in July 2025

In July, 16 HIPAA-regulated entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates reported data breaches affecting 10,000 or more individuals, all of which were hacking incidents. Two data breaches stand out in terms of the number of affected individuals: the hacking incidents at Anne Arundel Dermatology and Radiology Associates of Richmond (RAR), which combined affected more than 3.3 million individuals, 75.6% of the month’s total affected individuals.

It is unclear from the breach reports whether ransomware was used in either of these incidents. Hackers had access to the RAR network for four days in April 2024, but were camped in the Anne Arundel network for three months before the intrusion was detected. Several dermatology practices and medical imaging providers have reported data breaches in recent months, which suggests these types of entities may have been targeted specifically by threat actors.

Three of the top 16 data breaches were reported as ransomware attacks, although ransomware may have been used in more attacks. It is now common for data breach notification letters to omit the cause of the breach, and relatively few mention ransomware, even when ransomware groups have claimed responsibility for an attack.

| Name of Regulated Entity | State | Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 | Hacking incident |
| Radiology Associates of Richmond, Inc. | VA | Healthcare Provider | 1,419,091 | Hacking incident |
| Zumpano Patricios, P.A. | FL | Business Associate | 279,275 | Hacking incident |
| Cierant Corporation | CT | Business Associate | 232,506 | Hacking incident (Cleo VL Trader MFT) |
| Alera Group, Inc. | IL | Business Associate | 155,567 | Hacking incident |
| McKenzie Memorial Hospital | MI | Healthcare Provider | 58,839 | Hacking incident |
| Wood River Health | RI | Healthcare Provider | 54,926 | Hacking incident (Email accounts) |
| Gastroenterology Consultants of South Texas | TX | Healthcare Provider | 44,579 | Ransomware attack (Interlock) |
| Infinite Services, Inc. | NY | Healthcare Provider | 31,742 | Ransomware attack |
| Self Regional Healthcare | SC | Healthcare Provider | 26,696 | Hacking incident at business associate (Nationwide Recovery Service) |
| Dr. Michael Bilikas and Associates d.b.a. 32 Pearls | WA | Healthcare Provider | 23,517 | Ransomware attack |
| AVALA Holdings | LA | Healthcare Provider | 22,732 | Hacking incident |
| Keys Pathology Associates, PA | FL | Healthcare Provider | 20,000 | Hacking incident |
| Northwest Denture Center, Inc. | WA | Healthcare Provider | 19,419 | Hacking incident |
| Arbor Associates, Inc. | MI | Business Associate | 17,040 | Hacking incident |
| Florida Lung, Asthma & Sleep Specialists (FLASS) | FL | Healthcare Provider | 10,000 | Hacking incident |

The above list could grow as data breach investigations conclude. The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report a data breach within 60 days of discovery, and when that deadline is reached, data breach investigations may not have concluded. In such cases, many regulated entities submit a breach report with a placeholder figure of 500 or 501 affected individuals as an interim total. In July, five regulated entities reported data breaches using a 500 or 501 figure.

| Name of Regulated Entity | State | Entity Type | Breach Size | Cause of Breach |
|---|---|---|---|---|
| Kettering Adventist Healthcare | OH | Healthcare Provider | 501 | Hacking/IT Incident (Network server) |
| Human Development Services of Westchester | NY | Healthcare Provider | 501 | Hacking/IT Incident (Email) |
| Naper Grove Vision Care | IL | Healthcare Provider | 501 | Hacking/IT Incident (Network server) |
| Doctors’ Memorial Hospital | FL | Healthcare Provider | 500 | Hacking/IT Incident (Network server) |
| Northwest Medical Homes, LLC | OR | Healthcare Provider | 500 | Hacking/IT Incident (Network server) |

Causes of July 2025 Healthcare Data Breaches

Hacking is now the leading cause of data breaches, with 83.3% of July’s incidents involving hacking or other IT-related issues. On average, 109,620 individuals were affected by these types of data breaches (median: 5,137 individuals). Hacking/IT incidents accounted for 99.7% of breached healthcare records in July (4,384,794 individuals).

causes of July 2025 healthcare data breaches

There were 8 unauthorized access/disclosure incidents in July, affecting just 13,638 individuals. The average breach size was 1,638 individuals, and the median breach size was 892 individuals. There were no theft incidents, loss incidents, or improper disposal incidents in July, as was the case in June 2025. The most common location of breached protected health information was network servers, followed by email accounts, with just 6 breaches involving protected health information stored in other locations.

Location of breached healthcare data - July 2025

Affected HIPAA Regulated Entities

In July, large data breaches were reported by 37 healthcare providers (3,700,390 affected individuals), 10 business associates (696,727 affected individuals), and one health plan (783 affected individuals). Under HIPAA, it is ultimately the responsibility of each covered entity to ensure the requirements of the HIPAA Breach Notification Rule are met, and some covered entities report breaches that occur at business associates. Many healthcare data breach reports are based on the reporting entity, rather than the entity that suffered the data breach. The charts below show where the breach occurred rather than the entity reporting the data breach.

Data breaches at HIPAA-regulated entities in July 2025

Individuals affected by healthcare data breaches at HIPAA-regulated entities - July 2025

Geographical Distribution of July 2025 Healthcare Data Breaches

HIPAA-regulated entities in 22 U.S. states reported data breaches in July. Florida was the worst-affected state with 9 entities reporting data breaches, although three of those reports were about the same incident, which affected multiple skilled nursing facilities. Texas was the second-worst affected state with 4 data breaches, followed by California, Massachusetts & Michigan, which each had three breaches.

| State | Data Breaches Reported |
|---|---|
| Florida | 9 |
| Texas | 4 |
| California, Massachusetts & Michigan | 3 |
| Georgia, Illinois, New York, Ohio, South Carolina, Virginia & Washington | 2 |
| Colorado, Connecticut, Louisiana, Maryland, North Carolina, Pennsylvania, Rhode Island, Tennessee, Wisconsin & West Virginia | 1 |

In terms of affected individuals, Maryland topped the list with 1,905,000 individuals affected by a single data breach, followed by Virginia with 1,421,658 individuals affected by two data breaches. Florida was the third-worst-affected state, with 328,471 individuals affected by its 9 data breaches.

HIPAA Enforcement Activity in July 2025

It has been a busy year of HIPAA enforcement, with 18 settlements and civil monetary penalties announced by OCR up to July 31, 2025. Based on the announcements so far, 2025 looks set to be a record-breaking year for HIPAA penalties.

In October 2024, OCR announced a new enforcement initiative looking at compliance with the risk analysis provision of the HIPAA Security Rule. OCR has targeted this HIPAA provision as it is the most commonly identified HIPAA Security Rule violation, and is a foundational requirement that arguably has the biggest impact on security posture. Two enforcement actions were announced in July, both of which resolved risk analysis failures.

Deer Oaks – The Behavioral Health Solution was investigated over an August 2023 ransomware attack that involved the exfiltration of files containing the protected health information of 171,871 individuals. OCR determined that there had been an impermissible disclosure of patients’ electronic protected health information, and Deer Oaks was unable to provide evidence to show that a thorough and accurate risk analysis had been conducted. The case was settled with a $225,000 penalty and a corrective action plan.

Syracuse ASC (Specialty Surgery Center of Central New York) was investigated over a 2021 ransomware attack that exposed the data of 24,891 current and former patients. Syracuse ASC was unable to provide evidence to show that it had ever conducted a risk analysis to identify risks and vulnerabilities to protected health information. Further, the data breach was identified on March 31, 2021, but OCR and the affected individuals were not notified for six and a half months, four and a half months later than the maximum reporting time under the HIPAA Breach Notification Rule. The case was settled with a $250,000 financial penalty and a corrective action plan. Across the 18 HIPAA penalties in 2025, OCR has collected $7,860,566 to resolve alleged violations of the HIPAA Rules.

The post July 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.