Mount Sinai Health System Settles Web Tracking Lawsuit for $5.3 Million

Mount Sinai Health System, the largest hospital network in New York City, has agreed to a $5.3 million settlement to resolve allegations it violated federal and state laws by sharing the personal health information of website and patient portal users with Facebook without their knowledge or consent.

Legal action was taken against Mount Sinai Health over its use of the Facebook Pixel and Conversions Application Programming Interface (CAPI) on its website and MyChart patient portal between October 2020 and October 2023. The tool can collect information about website users and transmit that information to Facebook. Mount Sinai Health has denied any wrongdoing and specifically denies that any medical information from either its website or patient portal was shared with Facebook.

The lawsuit – Cooper, et al., v. Mount Sinai Health System, Inc. – was filed in the United States District Court for the Southern District of New York by plaintiffs Ronda Cooper, Coral Fraser, David Gitlin, and Gilbert Manda, who alleged that their personally identifiable health information was being collected and shared with Facebook without their knowledge or consent due to the implementation of CAPI, in violation of the federal Electronic Communications Privacy Act and New York Deceptive Trade Practices. The lawsuit also asserted claims of negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, constructive bailment, and breach of implied covenant of good faith and fair dealing.

The lawsuit survived a motion to dismiss and proceeded to discovery. During discovery, the parties engaged in mediation, and a settlement was agreed in principle to bring the litigation to an end to avoid the cost and risk of a trial and related appeals, while giving appropriate benefits to class members. The terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court.

The settlement class consists of 1,314,147 individuals, and claims will be accepted from individuals who logged into their MyChart account via the mountsinai.org website between October 27, 2020, and October 27, 2023. Under the terms of the settlement, Mount Sinai Health has agreed to establish a $5,256,588 settlement fund to cover legal costs and expenses and claims from class members. The plaintiffs’ attorneys will receive up to 35% of the settlement fund and reimbursement of court-approved attorneys’ expenses. Settlement administration costs of up to $200,000 will also be deducted, along with service awards of $2,500 per named plaintiff. The remainder of the settlement fund will be distributed to class members on a pro rata basis.

The deadline for objecting to the settlement, opting out, and filing a claim for benefits is October 14, 2025. The final approval hearing has been scheduled for October 24, 2025.

The post Mount Sinai Health System Settles Web Tracking Lawsuit for $5.3 Million appeared first on The HIPAA Journal.

Mower County, MN Confirms HIPAA-Data Compromised in June Ransomware Attack

Data breaches have recently been announced by Mower County in Minnesota, Seasons Living in Oregon, Dr. Doug’s Pediatric Dentistry in Utah, and Provail in Washington State.

Mower County, Minnesota

Officials in Mower County, Minnesota, have confirmed that HIPAA-protected data was acquired by hackers in a June 2025 ransomware attack. The ransomware attack was identified on June 18, 2025, and an investigation is underway to determine the types of data involved and the individuals affected. The stolen data related to individuals who have previously received services from the County Health and Human Services Department.

Individual notification letters will be mailed to the affected individuals when the investigation is concluded, and County officials have confirmed that complimentary credit monitoring and identity theft protection services will be provided. In the meantime, anyone who has previously received services from the Health and Human Services Department has been advised to be vigilant against identity theft and fraud by reviewing their account statements, explanation of benefits statements, and free credit reports.

Seasons Living

Seasons Living, an assisted living facility in Lake Oswego, Oregon, has disclosed a security incident involving the theft of sensitive data. The security breach was identified on March 4, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network and acquired files containing information related to its vendors, applicants, tenants, owners, and current and former employees.

In a press release about the incident, Seasons Living CEO Eric Jacobsen said the incident has been fully contained, unauthorized access to its network has been blocked, and additional security measures have been implemented to prevent similar incidents in the future. He also confirmed that complimentary credit monitoring services are being provided to all affected individuals.

The press release does not mention the types of data involved; however, a hacker has taken credit for the attack and claims to have stolen information such as names, addresses, birthdates, Social Security and driver’s license numbers, health insurance information, medical records, and financial information. The data breach is not currently listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Dr. Doug’s Pediatric Dentistry

Dr. Doug’s Pediatric Dentistry in Logan, Utah, has recently announced a data security incident that was detected in September 2024. Unusual activity was identified in an employee’s email account. The password was reset, and an investigation was launched, which confirmed that the breach was confined to a single email account and no other systems were affected.

The account was reviewed to determine whether any patient information was present, and contact information was verified to allow notification letters to be mailed. Those processes were concluded in June 2025. The information potentially compromised in the incident includes names, dates of birth, diagnosis or dental treatment information, and Medicaid numbers/health insurance information. A very limited number of patients also had their Social Security numbers and/or driver’s license numbers exposed. The incident has been reported to regulators, although it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

Provail

Provail, a nonprofit provider of disability services in Washington State, has recently disclosed a cybersecurity incident that was detected on or around June 8, 2025. Suspicious network activity was identified, and the forensic investigation confirmed that an unauthorized actor had access to its network between June 7, 2025, and June 9, 2025, and viewed or acquired files containing sensitive client data.

The investigation and file review are ongoing; however, it has been confirmed that the data compromised in the incident included names in combination with one or more of the following: diagnosis/condition information, lab results, medications, other treatment information, addresses, dates of birth, driver’s license numbers, Social Security numbers, other identifying information, claims information, credit card numbers, bank account numbers, and other financial information.

Individual notification letters will be mailed to the affected individuals when the investigation and file review are concluded. The OCR breach portal includes a placeholder figure of at least 501 affected individuals.


Business Associate Data Breach Affects 87 Skilled Nursing Facilities

Fundamental Administrative Services, LLC, a healthcare management services company in Sparks, Maryland, that manages more than 85 skilled nursing facilities and rehabilitation centers in Indiana, Maryland, Nevada, New Mexico, South Carolina, Texas, and Wisconsin, has confirmed that the protected health information of 56,235 individuals has potentially been compromised in a cyberattack.

Suspicious network activity was identified on or around January 13, 2025, and immediate action was taken to secure its systems and contain the incident. A forensic investigation was launched to determine the nature and scope of the activity, which confirmed unauthorized access to its network for around two and a half months from October 27, 2024, to January 13, 2025. During that time, files were exfiltrated from the network that contained HIPAA-protected data.

The file review confirmed that the information compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, financial account information, medical treatment information, health insurance information, and Medicare/Medicaid plan names. Fundamental Administrative Services said it is reviewing its policies, procedures, and processes related to the storage and access to information.

The data breach was initially reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals, but has been updated now that the file review has concluded. The skilled nursing facilities and rehabilitation centers affected by the incident are listed in the table below:

Affected Facilities

Alamo Heights Health and Rehabilitation Center | Harmon Hospital | Restore Health Rehabilitation Center
Allegany Health Nursing and Rehabilitation | Hearthstone of Northern Nevada | Retama Manor Nursing Center/Victoria South
BellTower Health & Rehabilitation Center | Hillside Heights Rehabilitation Suites | Riverside Health and Rehab
Bennettsville Health & Rehabilitation Center | Horizon Health & Rehab Center | San Gabriel Rehabilitation and Care Center
Berlin Nursing and Rehabilitation Center | Horizon Specialty Hospital of Henderson | Sandy Lake Rehabilitation and Care Center
Bremond Nursing and Rehabilitation Center | Horizon Specialty Hospital of Las Vegas | Sedona Trace Health and Wellness
Bridgecrest Rehabilitation Suites | Julia Manor Nursing and Rehabilitation Center | Sierra Ridge Health and Wellness Suites
Brownfield Rehabilitation and Care Center | Kirkland Court Health and Rehabilitation Center | Solidago Health and Rehabilitation
Calhoun Convalescent Center | Lake Emory Post Acute Care | Southpointe Healthcare and Rehabilitation
Canton Oaks | Lancaster Health and Rehabilitation | Spanish Hills Wellness Suites
Casa Arena Blanca Nursing Center | Las Brisas Rehabilitation and Wellness Suites | Spanish Trails Rehabilitation Suites
Casa Maria Health Care Center and Pecos Valley Rehabilitation Suites | Las Ventanas de Socorro | St. George Healthcare Center
Cedar Pointe Health and Wellness Suites | Los Arcos del Norte Care Center | Sterling Oaks Rehabilitation
Central Desert Behavioral Health Hospital | Magnolia Manor of Greenville | Sunset Villa Care Center
College Park Rehabilitation Center | Magnolia Manor of Greenwood | Terra Bella Health and Wellness Suites
Corinth Rehabilitation Suites on the Parkway | Magnolia Manor of Inman | The Brazos of Waco
Courtyards at Pasadena | Magnolia Manor of Rock Hill | The Casitas at Las Brisas ALF
Creekside Terrace Rehabilitation | Magnolia Manor of Spartanburg | The Hillcrest of North Dallas
Crimson Heights Health & Wellness ALF | Meadowbrook Care Center | The Pavilion at Creekwood
Crimson Heights Health and Wellness | Midlands Behavioral Health Hospital | The Pavilion at Glacier Valley
Crosbyton Nursing and Rehabilitation Center | Midlands Health & Rehabilitation Center | The Terrace at Denison
Devlin Manor Nursing and Rehabilitation Center | Mira Vista Court | The Village at Richardson
Edgewood Rehabilitation and Care Center | Monarch Pavilion Rehabilitation Suites | Valley Falls Terrace
Fairfield Nursing and Rehabilitation Center | Moran Nursing and Rehabilitation Center | Villa Haven Health and Rehabilitation Center
Falcon Ridge Rehabilitation | North Las Vegas Care Center | Villa Rosa Nursing and Rehabilitation
Forest Haven Nursing and Rehabilitation Center | Northampton Manor Nursing and Rehabilitation Center | Willow Springs Health & Rehabilitation Center
Founders Plaza Nursing & Rehab | Oakbrook Health and Rehabilitation Center | Woodlands Place Rehabilitation Suites
Fruitvale Healthcare Center | Oakland Nursing and Rehabilitation Center
Green Valley Health and Wellness Suites | Physical Rehabilitation and Wellness Center of Spartanburg
Hallmark Healthcare Center | Rehab Center of Cheraw


Cyberattack on Medical Equipment Provider Affects 90,000 Patients

Data breaches have been announced by medical equipment provider CPAP Medical Supplies and Services, a Miracle Ear franchisee, and a 20-bed critical access hospital in Washington State.

CPAP Medical Supplies and Services Inc.

CPAP Medical Supplies and Services Inc. (CPAP Medical) has announced a major data breach, potentially involving unauthorized access to the personal and protected health information of up to 90,133 patients. CPAP Medical is a Jacksonville, FL-based medical equipment provider that specializes in sleep therapy products for military families and active duty/retired service members. According to the breach notice provided to the Maine Attorney General, hackers had access to its network between December 13, 2024, and December 21, 2024, and files containing sensitive data may have been viewed or exfiltrated from its network.

After securing its systems, a forensic investigation was conducted, followed by a document review to determine the types of data involved and the individuals affected. The document review was complex and took until June 27, 2025, to complete, when it was confirmed that the compromised data included full names, dates of birth, Social Security numbers, financial and banking information, medical information, and health insurance information. CPAP Medical is unaware of any misuse of patient data as a result of the incident; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Health Services LLC (Miracle Ear)

Health Services LLC has started notifying individuals affected by a security incident that was identified on or around January 28, 2025. Suspicious network activity was detected, and the forensic investigation confirmed that an unauthorized actor had breached its security defenses and had access to its network between January 2, 2025, and January 28, 2025.

Health Services LLC operates a franchise of Miracle Ear, and the data relates to individuals who interacted with the company concerning hearing aid products. On or around May 14, 2025, the data review was completed and confirmed that the exposed data included full names, phone numbers, email addresses, postal addresses, dates of birth, patient ID numbers, Social Security numbers, health insurance information, and diagnosis and treatment information.

The data breach was initially reported to the HHS’ Office for Civil Rights in April as an incident affecting 2,400 individuals; however, the breach portal has since been updated to 75,906 affected individuals.

East Adams Rural Healthcare

East Adams Rural Healthcare, the operator of a 20-bed critical access hospital in Ritzville, Washington, has recently notified the Washington State Attorney General about a data breach that has affected 8,896 state residents. Suspicious network activity was identified on September 12, 2024, and an investigation was launched to determine the cause of the activity.

Forensic evidence was found to indicate its network had been accessed by an unauthorized third party between September 7, 2024, and September 14, 2024, and patient data may have been viewed or acquired. East Adams Rural Healthcare published a substitute notice on its website about the incident on October 4, 2025; however, at the time, the investigation and data review were ongoing, so it was not possible to confirm how many individuals were affected or the specific information involved.

The file review has now been completed, and it has been confirmed that the compromised information included names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information. No evidence has been found to indicate that any patient data has been misused; however, as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.
