Medical Billing Company Data Breach Affects 7 Medical Groups – The HIPAA Journal
The Las Vegas medical billing and coding management company, La Perouse, has announced a data breach that has affected seven of its medical group clients. Data breaches have also been announced by Acadia Healthcare Company, Harbor Regional Center, United Medical Systems, and Ohio ENT & Allergy Physicians.
La Perouse
La Perouse LLC, a Las Vegas, NV-based medical billing and coding management company, has notified the California Attorney General about a breach of one of its third-party billing platforms. Potential unauthorized activity was first identified on July 8, 2025. The platform and its network environment were secured, and an investigation was launched to determine the nature and scope of the unauthorized activity.
The investigation confirmed that the unauthorized access was confined to the third-party billing platform and that sensitive data stored within that platform had been copied by the attacker. The review of the affected data was completed in the Spring of 2026, and notification letters were mailed to the affected individuals on April 17, 2026. The data compromised in the incident varies from individual to individual and may have included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, patient identification and medical record numbers, medical information, and health insurance information.
La Perouse worked with its third-party billing platform provider to implement additional technical safeguards, enhance security measures, and update security policies and procedures. The affected individuals have been offered at least 12 months of complimentary credit monitoring services. The affected individuals had received medical services from one or more of the following healthcare providers:
- Beach Emergency Medical Associates
- Centinela Freeman Emergency Medical Associates
- Chino Emergency Medical Associates
- Hollywood Presbyterian Emergency Medical Associates
- Montclair Emergency Medical Associates
- Tarzana Emergency Medical Associates
- Temecula Valley Hospitalist Medical Group
The incident was reported to the HHS’ Office for Civil Rights in September 2025 using a placeholder estimate of at least 501 individuals. The total has yet to be updated.
Acadia Healthcare Company
Acadia Healthcare Company, the operator of a network of almost 280 behavioral healthcare facilities in 40 U.S. states and Puerto Rico, has recently disclosed a data security incident that was first identified in March 2026. Suspicious activity was observed within an employee’s email account. The email account was secured, and an investigation was launched to determine the nature and scope of the activity. The forensic investigation determined that the account and an associated SharePoint account were accessed by an unauthorized third party between March 21 and March 25, 2026, as a result of social engineering attacks. No other systems were involved.
The data review was completed on May 15, 2026, and confirmed that the information compromised in the incident included names, addresses, dates of birth, treatment information, health insurance information, admission dates, diagnosis codes, patient statuses, Medicare insurance claim numbers, and, for some individuals, Social Security numbers. Notification letters started to be mailed to the affected individuals on May 22, 2026. Acadia Healthcare Company said additional cybersecurity measures have been implemented to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
Harbor Regional Center
Harbor Developmental Disabilities Foundation, doing business as Harbor Regional Center, a Long Beach, CA-based provider of services to individuals with developmental disorders, identified suspicious activity within its computer network on or around March 7, 2026. The forensic investigation confirmed unauthorized access to its computer network between March 6 and March 7, during which time, files may have been viewed or copied from the network.
On May 15, 2026, Harbor Regional Center completed its review of the exposed files. The exact types of information involved are detailed in the individual notification letters that have recently been mailed to the affected individuals. The number of affected individuals has yet to be publicly disclosed. The affected individuals have been offered single-bureau credit monitoring and identity theft protection services, and steps have been taken to improve security to prevent similar breaches in the future.
Ohio ENT & Allergy Physicians
Ohio ENT & Allergy Physicians in Columbus, Ohio, has recently reported a data breach to the Maine Attorney General that involved unauthorized access to the personal and protected health information of 324 individuals, including 1 Maine resident. A cybersecurity incident was detected on March 30, 2026, when suspicious activity was identified on a workstation within its network environment. The forensic investigation confirmed unauthorized access between March 29, 2026, and March 30, 2026. The review of all potentially exposed files was completed on May 18, 2026. Data exposed in the incident included full names and Social Security numbers. Notification letters were mailed to the affected individuals on May 29, 2026.
Ohio ENT & Allergy Physicians has implemented additional technical safeguards and has enhanced its security measures to prevent similar incidents in the future, and complimentary credit monitoring services have been offered to the affected individuals.
United Medical Systems
Westborough, Massachusetts-based mobile specialty healthcare service provider United Medical Systems has disclosed a data breach affecting 485 individuals. According to the notification letters, which were mailed to the affected individuals on May 20, 2026, the forensic investigation confirmed that names, driver’s license numbers, and Social Security numbers were exposed in the incident. As a precaution against identity theft and fraud, the affected individuals have been offered complimentary single-bureau credit monitoring and identity theft protection services for 24 months, and steps have been taken to enhance security to prevent similar incidents in the future.
HIPAA Privacy Rule updates bring fresh attention to patient rights in 2026 – WOKV
The Engineer Who Documented the Future: Siva Krishna Pittu’s Five-Year Research Legacy in Healthcare Technology – vocal.media
Why data mining is functionally required after a HIPAA breach – IAPP
California AG Files Lawsuit Over 23andMe Data Breach – The HIPAA Journal
California Attorney General Rob Bonta has filed a lawsuit against the genetic testing company formerly known as 23andMe over its 2023 data breach that affected almost 7 million Americans. The lawsuit alleges multiple violations of state consumer privacy and data protection laws.
23andMe is a provider of direct-to-consumer DNA testing services. Consumers purchase kits for collecting saliva samples, which are sent to the company for DNA analysis. Consumers are given a report detailing their ancestry, ethnicity, and genetic health predispositions, and can access a platform that allows them to trace their biological relatives.
In 2023, 23andMe discovered that around 14,000 accounts had been subject to unauthorized access over a period of around 5 months, resulting in a breach of the personal and genetic information of 6.9 million individuals, including 855,541 California residents. Access to the accounts was gained using a technique known as credential stuffing, in which credentials obtained in a data breach on one platform are used to try to access accounts on another platform. The technique only works if users reuse their usernames and passwords on multiple platforms. In the case of the 23andMe attack, some of the credentials were stolen from MyHeritage, a separate genealogy site that 23andMe encouraged its users to set up an account with.
The data breach was discovered when the threat actor offered the stolen data for sale on a dark web hacking forum in October 2023. Initially, 23andMe downplayed the incident, maintaining that there had been no breach of its systems, placing the blame on customers for the poor security practice of re-using credentials on multiple platforms. 23andMe also said the breach involved data from its DNA Relatives feature, which was essentially publicly available information. 23andMe paid the threat actor to remove data that had been posted online, stop any sale of stolen data, and to receive information about the vulnerabilities that were exploited by the threat actor to access data.
23andMe, which filed for Chapter 11 bankruptcy protection in March 2025, faced class action litigation over the data breach and agreed to pay $30 million to settle claims related to the data breach, then increased the settlement fund to up to $50 million. The settlement received final approval from a judge in January 2026.
The California Department of Justice, part of a multistate coalition that investigated the data breach, determined that security vulnerabilities were exploited that should not have existed, and that the company’s handling of the breach was “entirely unacceptable.” The investigation determined that there was a well-known risk of unauthorized account access through credential stuffing, yet 23andMe failed to implement reasonable and appropriate security procedures to reduce risk. The data breach was only detected when the threat actor offered stolen data for sale in October 2023. AG Bonta alleged that 23andMe missed several opportunities to detect the credential stuffing attack, such as a suspicious spike in login attempts in July 2023, and a Reddit post discussing a potential 23andMe data breach in August 2023.
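The kind of login-spike check the paragraph above refers to can be sketched as follows. This is an added example, not code from 23andMe or from the article; the event format, the thresholds, and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def hourly_buckets(events):
    """Group (epoch_seconds, source, username, success) events by hour."""
    buckets = defaultdict(list)
    for ts, source, user, ok in events:
        buckets[ts // 3600].append((source, user, ok))
    return buckets

def find_stuffing_hours(events, spike_factor=5, min_accounts=20, max_success=0.1):
    """Return hours whose failed-login volume spikes over the median hour
    AND where attempts spread across many accounts with few successes."""
    buckets = hourly_buckets(events)
    failures = {h: sum(1 for _, _, ok in rows if not ok) for h, rows in buckets.items()}
    baseline = max(median(failures.values()), 1)  # avoid a zero baseline
    flagged = []
    for hour, rows in sorted(buckets.items()):
        accounts = {user for _, user, _ in rows}
        success_rate = sum(1 for _, _, ok in rows if ok) / len(rows)
        if (failures[hour] >= spike_factor * baseline
                and len(accounts) >= min_accounts
                and success_rate <= max_success):
            sources = defaultdict(set)
            for source, user, _ in rows:
                sources[source].add(user)
            # Sources that tried many different accounts are the ones to review.
            wide = sorted(s for s, users in sources.items()
                          if len(users) >= min_accounts // 2)
            flagged.append({"hour": hour, "failures": failures[hour],
                            "accounts": len(accounts), "sources": wide})
    return flagged

def sample_events():
    """Constructed sample: 6 quiet hours, then one hour of wide, failing attempts."""
    events = []
    for hour in range(6):
        base = hour * 3600
        for i in range(10):  # normal traffic: known users, mostly succeeding
            events.append((base + i * 60, f"10.0.0.{i}", f"user{i}", i != 0))
    base = 6 * 3600
    for i in range(200):  # spike: 2 sources, 200 different accounts, 1% success
        events.append((base + i, f"203.0.113.{i % 2}", f"victim{i}", i % 100 == 0))
    return events

if __name__ == "__main__":
    for hit in find_stuffing_hours(sample_events()):
        print(hit)
```

Requiring all three signals together (volume spike, breadth of accounts, low success rate) keeps an ordinary busy hour or a single user mistyping a password from raising the alert.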
A coding error in the DNA Relatives feature meant doctored queries could be sent to the 23andMe database, and when creating and implementing its data security protocols, 23andMe failed to properly account for genetic data and its high level of sensitivity. 23andMe informed its customers that it adhered to the highest industry standards for data security, when its security practices were far below industry standards. Further, when the breach was announced, AG Bonta alleges that 23andMe made misleading statements, repeatedly stating that there had been no breach of 23andMe systems, despite the threat actor informing the company of multiple exploitable vulnerabilities within its systems, some of which were exploited in the attack.
The state Attorney General’s lawsuit was filed in the San Francisco Superior Court, California, and alleges that the company failed to implement and maintain reasonable and appropriate security procedures and practices, made untrue and misleading statements regarding its security measures and practices prior to the data breach, as well as misleading statements about the circumstances of the breach. Those failures are alleged to have violated the California Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act. The lawsuit seeks millions of dollars in civil fines to resolve the alleged violations.
The California Attorney General has also challenged 23andMe’s sale of consumers’ genetic information and materials in bankruptcy. That lawsuit is pending in the U.S. Bankruptcy Court for the Eastern District of Missouri.