Wayne Memorial Hospital patients have recently been notified that some of their protected health information was stolen by a ransomware group fifteen months ago. Wayne Memorial Hospital, a rural 84-bed hospital in Jessup, Georgia, has recently mailed individual notifications to the 163,400 patients affected by the incident. The ransomware attack was first identified on June 3, 2024, and the forensic investigation revealed that the ransomware group had access to its network from May 30, 2024, to June 3, 2024.

The ransomware group exfiltrated files containing patient data, encrypted files on its network, and demanded a ransom payment to prevent the publication of the data and to obtain the keys to decrypt data. When the attack was identified, the network was disconnected, and systems were taken offline to contain the attack. The ransom was not paid, and files were successfully recovered from backups. The Monti ransomware group claimed responsibility for the attack and added Wayne Memorial Hospital to its data leak site. While the leak site is not currently accessible, the posting received almost 300,000 views while it was live.

The breach notification letters explain that the information involved varies from individual to individual and includes names in combination with some or all of the following: name, date of birth, Social Security number, driver’s license number, state identification number, user identification and password, financial account number, credit or debit card number, credit card expiration date or CVV code, Medicare or Medicaid number, health insurance member number, healthcare provider number, diagnoses, medical history, treatment information, prescription information, and lab test results or images.

Wayne Memorial Hospital said its systems were quickly secured, and additional cybersecurity measures have been implemented to prevent similar incidents in the future. The data breach was first announced more than a year ago on August 2, 2024, and a press release was issued to local media to put patients on alert that their sensitive data had been exposed; however, it has taken a considerable amount of time to review the affected files and issue notifications.

Individual notification letters started to be mailed on August 27, 2025, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The data breach was initially reported to the HHS’ Office for Civil Rights as affecting up to 2,500 individuals; however, the breach turned out to be more severe than that initial estimate, based on the notification to the Maine Attorney General. The HHS’ Office for Civil Rights breach portal has yet to be updated with the latest figure.

The post Wayne Memorial Hospital Notifies 163,000 Patients About May 2024 Ransomware Attack appeared first on The HIPAA Journal.

Officials in Somerset County, Pennsylvania, have confirmed an email hacking incident affecting Children and Youth Services patients. Beech Acres Parenting Center in Cincinnati has notified more than 19,000 clients that their personal information was compromised in a November 2024 hacking incident.

Somerset County Children and Youth Services

Officials in Somerset County, Pennsylvania, have identified unauthorized access to the email accounts of certain employees of the Department of Children and Youth Services. Suspicious activity was identified in an employee’s email account on June 26, 2025. Third-party cybersecurity experts were engaged to investigate the activity and confirmed that multiple email accounts had been accessed by an unauthorized third party between June 26 and June 30, 2025.

Some of the emails and attachments in the compromised accounts contained patients’ protected health information. The data review confirmed that the affected individuals had some or all of the following exposed: name, date of birth, Social Security number, date(s) of service, information related to the services received, physician/facility information, medical condition/diagnosis, treatment information, health insurance information, and/or Medicare/Medicaid number. A small subset of individuals may also have had financial information exposed or information related to paternity tests.

The review is ongoing, so it is not yet possible to say how many individuals have been affected. Notification letters will be mailed to the affected individuals when the review is completed, and complimentary credit monitoring services will be offered, where appropriate. County officials have confirmed that several steps have been taken in response to the incident, including changing email passwords, strengthening authentication requirements, providing further cybersecurity training for the workforce, communicating with staff about the risks from phishing emails, and enhancing email security procedures. Additional tools, training, and third-party monitoring partnerships are also being evaluated.

Beech Acres Parenting Center

Beech Acres Parenting Center, a provider of support services to parents and caregivers in the Greater Cincinnati area in Ohio, has started notifying 19,315 individuals about a November 2024 security incident. Unusual activity was identified within its network on November 24, 2024. Immediate action was taken to contain the incident and prevent further unauthorized access, and third-party cybersecurity experts were engaged to investigate the activity.

The forensic investigation confirmed unauthorized access to its network, and the threat actor may have viewed or acquired files containing sensitive information. The review of the affected files confirmed that the exposed data included the names of current and former clients in combination with one or more of the following: date of birth, Social Security number, driver’s license number, bank account and routing number, health insurance information, and medical or treatment information. The affected individuals were notified by mail on August 22, 2025.

The post Somerset County Children and Youth Services Department Data Breach appeared first on The HIPAA Journal.