Mitchell County Dept. Social Services; 360 Dental; GiaCare Announce Data Breaches

Protected health information has been exposed in data security incidents at Mitchell County Department of Social Services in North Carolina, 360 Dental in Pennsylvania, and GiaCare in Florida.

Mitchell County Department of Social Services

Individuals who received services from Mitchell County Department of Social Services in North Carolina have had their sensitive information stolen in a ransomware attack. The investigation into the October 2025 ransomware attack on Mitchell County was initiated on October 20, 2025, following the encryption of files. The attack caused email and phone outages that lasted for several days. The forensic investigation confirmed that there had been unauthorized network access between October 16, 2025, and October 20, 2025, during which time files were exfiltrated.

The data review and investigation are ongoing to determine the types of information involved and the individuals affected. After that information has been confirmed and up-to-date contact information has been obtained, notification letters will be mailed to the affected individuals. Complimentary credit monitoring and identity theft protection services will be offered to the affected individuals, if appropriate, for instance, if their Social Security numbers were compromised in the incident.

The data breach has been reported to the HHS’ Office for Civil Rights using an interim total of 501 individuals. The total will be updated when County officials have confirmed the total number of affected individuals. County officials have confirmed that steps have been or will be taken in response to the incident to strengthen security. Those measures include upgrading the County email system, deploying additional software to enhance detection and accelerate the County’s response to cyber incidents, updating password policies, and strengthening restrictions for access to computer systems.

360 Dental

360 Dental in Philadelphia, PA, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 11,273 individuals. According to its substitute breach notice, this was a ransomware attack that resulted in file encryption. The incident was detected on November 16, 2025, and the file review confirmed that sensitive patient data had been exposed in the incident.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: date of birth, address, telephone number, email, patient account or chart number, dental and clinical records (such as treatment history, clinical notes, x-rays, and diagnostic information), insurance provider and member ID, appointment information, and emergency contacts. A limited number of Social Security numbers were also exposed.

360 Dental has taken steps to improve security following the ransomware attack. The affected computers have been replaced, the affected server has been rebuilt, software has been updated, and additional security tools have been implemented, including firewalls, antivirus software, multifactor authentication, and VPN-only remote access.

GiaCare

GiaCare, a Coral Springs, Florida-based company that provides healthcare staffing and IT services to government entities and healthcare organizations, has recently announced a data security incident, first identified on or around December 23, 2025.

GiaCare learned that a vulnerability existed in Gladinet CentreStack, a third-party file sharing platform. GiaCare worked closely with its IT vendor to investigate and confirm the security of its systems and data. The IT vendor confirmed that GiaCare’s systems were secure and had not been accessed; however, the vulnerability had been exploited, and data within the Gladinet CentreStack platform had been accessed and exfiltrated by an unauthorized third party on December 6, 2025. While the threat actor involved was not named, several cybersecurity firms linked the Gladinet CentreStack attacks to the Cl0p ransomware group – a group known to target zero-day vulnerabilities in file-sharing platforms.

The file review confirmed that names, Social Security numbers, and driver’s license numbers were compromised in the incident. The affected individuals are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The number of affected individuals has yet to be publicly disclosed.

The post Mitchell County Dept. Social Services; 360 Dental; GiaCare Announce Data Breaches appeared first on The HIPAA Journal.

Texas & New Jersey Dermatology Practices Settle Class Action Data Breach Lawsuits

Two U.S. dermatology practices have agreed to settle class action lawsuits stemming from cybersecurity incidents that exposed patient data. The settlements provide cash benefits to class members and credit monitoring and identity theft protection services.

Affiliated Dermatologists & Dermatologic Surgeons Class Action Settlement

Affiliated Dermatologists & Dermatologic Surgeons, a dermatology practice based in Morristown, New Jersey, learned about a cybersecurity incident on March 4, 2025. The forensic investigation determined that an unauthorized third party had access to its computer network from December 19, 2023, to March 5, 2024. The review of the exposed files determined that they contained the protected health information of 373,630 individuals, including names, mailing addresses, birth dates, Social Security numbers, medical treatment information, and health insurance claims information. Compromised employee information includes names, mailing addresses, birth dates, Social Security numbers, driver’s license numbers, and passport numbers.

Notification letters were mailed to the affected individuals in late May 2024. Shortly thereafter, class action lawsuits were filed in the Superior Court of New Jersey Law Division for Morris County and the United States District Court for the District of New Jersey. The six class action lawsuits were consolidated – Lepore, et al. v. Affiliated Dermatologists & Dermatologic Surgeons, P.A. – in the Superior Court of New Jersey Law Division for Morris County as they had overlapping claims.

Affiliated Dermatologists & Dermatologic Surgeons denies all claims of wrongdoing and liability and filed a motion to dismiss the consolidated lawsuit. The legal challenge was partially successful, with a judge agreeing to dismiss some of the plaintiffs’ claims; however, the lawsuit was allowed to proceed. Following mediation, all parties reached an agreement on the material terms of a settlement, and after several weeks of negotiations, a settlement was finalized, which has received preliminary approval from the court.

The settlement provides cash payments for class members, which have been capped at an aggregate of $1,000,000. Should the total claims exceed that amount, the cash payments will be reduced pro rata. Class members may submit a claim for reimbursement of up to $5,000 for documented, unreimbursed losses related to the data breach. Alternatively, class members may claim a cash payment, in the preset amount of $40. Regardless of the cash payment chosen, class members are entitled to three years of single-bureau credit monitoring and identity theft insurance services.

The deadline for exclusion from and objection to the settlement is January 31, 2026. The deadline for submitting a claim is February 15, 2026, and the final fairness hearing has been scheduled for March 2, 2026.

U.S. Dermatology Partners Class Action Settlement

U.S. Dermatology Partners, a network of more than 100 dermatology practices in Arizona, Colorado, Kansas, Maryland, Missouri, Oklahoma, Texas, and Virginia, experienced a cyberattack and data breach in June 2024. The incident was detected on June 19, 2024, when network disruption was experienced. The forensic investigation determined that a threat actor exfiltrated files to an external location on June 19, 2024. The file review confirmed that the protected health information of 13,986 individuals was stolen in the incident, including names, dates of birth, medical record numbers, health insurance information, and other information related to the dermatology services received at one of its managed practices. Notification letters were mailed to the affected individuals on May 30, 2025.

On April 27, 2025, a class action lawsuit – Olson v. Oliver Street Dermatology Management LLC d/b/a U.S. Dermatology Partners – was filed in the United States District Court for the Northern District of Texas in response to the data breach. The litigation was determined to be more appropriate for state court and was dismissed and refiled in the appropriate court. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, and unjust enrichment.

While the defendant denies all claims of wrongdoing and liability, all parties ultimately agreed to settle the litigation. Under the terms of the settlement, all class members are entitled to claim two years of credit monitoring and identity theft protection services. In addition, a claim may be submitted for reimbursement of lost time and documented losses due to the data breach. The lost time claims have been capped at $80 per class member (up to 4 hours at $20 per hour). Claims for reimbursement of ordinary losses have been capped at $400 per class member, and claims for reimbursement of extraordinary losses have been capped at $4,000 per class member. There is no alternative cash payment.

The deadline for objection to and exclusion from the settlement is February 2, 2026. The deadline for submitting a claim is February 17, 2026, and the final fairness hearing has been scheduled for April 1, 2026.


Microsoft Issues Emergency Patch for Actively Exploited Office Vulnerability

Microsoft has issued an out-of-band security update to fix an actively exploited zero-day vulnerability in Microsoft Office. The vulnerability is tracked as CVE-2026-21509 and has a CVSS v3.1 base score of 7.8 out of 10. The vulnerability is due to reliance on untrusted inputs in a security decision in Microsoft Office, which could allow an unauthorized actor to bypass a security feature locally.

Exploitation requires user interaction. An attacker would need to send a specially crafted Microsoft Office file, such as via email, and use social engineering techniques to convince the user to open it. The security bypass vulnerability affects multiple Microsoft Office versions, including Office 2021 and later, and Microsoft 365 Apps for Enterprise. Some of the affected Office versions are automatically protected via a server-side change, although Office applications will need to be restarted for the protection to take effect.

Affected Office versions that require an update to be applied are listed below, along with the update version that must be installed.

Affected Microsoft Office Version          Update Version
Microsoft Office 2019 (32-bit edition)     16.0.10417.20095
Microsoft Office 2019 (64-bit edition)     16.0.10417.20095
Microsoft Office 2016 (32-bit edition)     16.0.5539.1001
Microsoft Office 2016 (64-bit edition)     16.0.5539.1001

If the update cannot be installed immediately, Microsoft has recommended mitigations to reduce the risk of exploitation. Those mitigations are:

  • Close all Office applications
  • Create a backup of the Windows Registry – Creating a backup of the Registry is important, as incorrect Windows Registry changes can cause serious problems.
  • Open the Registry Editor (Start Menu > type regedit > press enter)
  • Locate the appropriate registry key, and add a subkey per Microsoft’s Security Advisory
    • A better explanation of the steps that should be taken has been published by Bleeping Computer
  • Exit Registry Editor and start the Office application

Microsoft has not shared information about the extent to which the vulnerability is being exploited in the wild; however, since an out-of-band update has been published to fix the vulnerability, it should be assumed that the risk of exploitation is high, and the patch or mitigations should be applied as soon as possible.


MACT Health Board Patients Affected by November 2025 Ransomware Attack

MACT Health Board has confirmed that patient data was stolen in a November 2025 cyberattack, for which the INC Ransom ransomware group claimed credit. Data breaches have also been announced by TriCity Family Services in Illinois, HAP (Health Alliance Plan) in Michigan, and Zenflow in California.

MACT Health Board, California

MACT Health Board, a provider of healthcare services to the American Indian and Alaskan Native population in Mariposa, Amador, Alpine, Calaveras & Tuolumne counties in California, has notified individuals affected by a November 2025 security incident. MACT Health Board launched an investigation into a potential security breach when it experienced disruption to its IT systems. The investigation confirmed that an unauthorized third party had access to its computer network from November 12, 2025, to November 20, 2025. A review of the exposed files commenced on November 25, 2025, and was completed on January 9, 2026.

Patient information compromised in the incident included names in combination with one or more of the following: diagnoses, test results, medical images, treatment information, doctors’ names, and/or Social Security numbers. Notification letters started to be mailed to the affected individuals on January 23, 2026, and individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. Additional safeguards and technical security measures have been implemented to prevent similar incidents in the future. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

TriCity Family Services, Illinois

TriCity Family Services, a provider of counseling and mental health services to residents in Kane County, Illinois, has started notifying 2,511 patients about a data security incident. In the spring of 2025, suspicious activity was identified within its computer network. An investigation was launched, and it was confirmed that an unauthorized actor had access to its computer network from November 11, 2024, to May 14, 2025. During that time, sensitive data was exfiltrated from its network.

The file review confirmed that the following information was included in the exfiltrated files: names, dates of birth, presenting health issues, requested treatment, treatment location, and provider names. Its electronic medical record system was not accessed in the attack. TriCity Family Services said it is reviewing its policies, procedures, and processes related to the storage and access of sensitive information and will take steps to improve security to prevent similar incidents in the future.

While the nature of the incident was not disclosed, the INC Ransom ransomware group claimed responsibility for the attack and added TriCity Family Services to its dark web data leak site. INC Ransom claimed to have exfiltrated 22 GB of data in the attack.

HAP (Health Alliance Plan), Michigan

HAP (Health Alliance Plan) in Michigan has notified 1,059 individuals about the exposure of some of their protected health information as a result of a phishing attack. On October 24, 2025, an employee responded to a phishing email and inadvertently disclosed their credentials, allowing the threat actor to access their account. The investigation was unable to determine if any member information was accessed or acquired in the incident, so notification letters were sent to all potentially affected individuals. Protected health information in the account was limited to names, addresses, dates of birth, and HAP ID numbers, and for a limited number of individuals, Social Security numbers. The affected individuals have been offered two years of complimentary identity theft protection services as a precaution.

Zenflow, California

Zenflow, a San Francisco-based medical device company, has recently notified individuals about a security incident. Limited information about the incident has been released to date; details such as when the incident occurred, the nature of the security breach, and how long its computer systems were subject to unauthorized access have not been disclosed. The data breach notice submitted to the Massachusetts Attorney General indicates that names and Social Security numbers were involved, and that single-bureau credit monitoring and identity theft protection services have been offered to the affected individuals for 24 months. It is currently unclear how many individuals have been affected.
