Patients Learn Their Health Data Was Compromised More Than a Year Ago

Posted by Steve Alder

Alpine Ear, Nose, and Throat in Colorado, The Phia Group in Massachusetts, and Community Health Northwest Florida have started notifying patients that their personal and health information was impermissibly accessed over a year ago.

Alpine Ear, Nose, and Throat, Colorado

Alpine Ear, Nose, and Throat in Fort Collins, Colorado, has mailed notification letters to 65,648 individuals warning them that some of their protected health information was exposed in a security incident identified by Alpine ENT on November 19, 2024. Alpine ENT engaged its managed service provider to investigate the incident, and it was confirmed that an unauthorized third party accessed and exfiltrated files containing patients’ protected health information.

Alpine ENT’s legal counsel explained in the notification letters that a substitute data breach notice was published on the Alpine ENT website on January 17, 2025, although at the time, the investigation was ongoing. The data mining and review processes were completed on October 9, 2025, and in the subsequent months, Alpine ENT worked to verify the impacted individuals and obtained up-to-date contact information. Notification letters were mailed to the affected individuals on January 30, 2026, 14 months after the breach was first identified.

The BianLian ransomware group claimed responsibility for the attack and added Alpine ENT to its data leak site in early December 2024. Data compromised in the incident included names, demographic information, dates of birth, medical information, health information, financial account information, credit card numbers, CVC, and expiration dates, and Social Security numbers. At the time of issuing notifications, Alpine ENT said it had not identified any instances of identity theft as a result of the incident; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The Phia Group, Massachusetts

The Phia Group, LLC, a Canton, Massachusetts-based provider of healthcare cost containment services to health benefit plans and their third-party administrators, has recently notified individuals about a July 2024 security incident that exposed personal and protected health information. According to The Phia Group, an intrusion was detected on July 9, 2024, and the investigation confirmed that its network had been subject to unauthorized access between July 8, 2024, and July 9, 2024. During that time, files containing sensitive data may have been acquired.

A review was conducted to identify the affected clients, the types of data involved, and the affected individuals. The affected clients were notified, and The Phia Group coordinated with them to issue notifications. Data potentially compromised in the incident included names, addresses, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, health insurance information, and medical information, including provider information, treatment information, prescriptions, and Medicare/Medicaid information. Data security has been enhanced to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Community Health Northwest Florida

On January 26, 2026, Community Health Northwest Florida (CHNF) started notifying individuals about a security incident that was identified on December 24, 2024. CHNF engaged third-party cybersecurity experts to investigate the activity, who confirmed that an unauthorized third party had accessed files on its network that contained patient information.

CHNF said it conducted a comprehensive and time-consuming review and engaged a data mining company to identify the affected individuals. It took until January 19, 2026, to obtain the full list of affected individuals, and notification letters were mailed 10 days later. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, financial account numbers, credit or debit card numbers, patient identification and medical record numbers, medical information, and health insurance information.

CHNF has updated its policies and procedures, implemented additional technical safeguards, and enhanced its security measures to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Patients Learn Their Health Data Was Compromised More Than a Year Ago appeared first on The HIPAA Journal.

Bayada Home Health Care Affected by Doctor Alliance Data Breach

Posted by Steve Alder

Bayada Home Health Care, a New Jersey-based home healthcare provider serving 22 U.S. states, has recently announced a data breach involving a third-party vendor, Doctor Alliance. Doctor Alliance provides services that facilitate physician signatures on clients’ Home Health Certifications and Plans of Care, which involve access to patients’ protected health information.

On December 4, 2025, Doctor Alliance notified Bayada Home Health Care about a cybersecurity incident involving access and potential acquisition of client data by an unauthorized third party. According to Doctor Alliance, an unauthorized third party had access to the Doctor Alliance network between October 31 and November 6, 2025, and November 14 and 17, 2025. During that time, Home Health Certification and Plan of Care forms may have been acquired.

Bayada Home Health Care said it is not aware that any of its forms were copied; however, unauthorized data access could not be ruled out. The exposed forms contained a range of sensitive patient information, including names, dates of birth, diagnoses, medical/physical treatment information, provider information, health insurance plan information, prescription information, hospital admissions/discharges, and disability information, and for a subset of individuals, Social Security numbers.

Bayada Home Health Care said it has discontinued using Doctor Alliance as a vendor in response to the data breach. A review has been conducted of its policies and procedures relating to third-party vendors, and steps have been taken to minimize the risk of similar incidents in the future. The data breach has been reported to state attorneys general and the HHS’ Office for Civil Rights. The incident is not currently listed on the OCR data breach portal, so it is unclear how many individuals have been affected.

Marion County Public Health Department, Indiana

Marion County Public Health Department in Indiana has identified an insider incident involving unauthorized access to the protected health information of 792 clients. An employee was discovered to have accessed more than the necessary patient information to complete their job duties, including names, addresses, dates of birth, and lab test results for clients who received tests that were processed by the Marion County Public Health Department lab.

Marion County Public Health Department said it has found no evidence to suggest that any of the accessed information has been misused and stressed that no financial information was accessed by the employee. In response to the incident, further training has been provided to staff members on the HIPAA minimum necessary standard and its internal policies, and technical safeguards have been enhanced to limit access to protected health information to the minimum necessary for job duties.

The post Bayada Home Health Care Affected by Doctor Alliance Data Breach appeared first on The HIPAA Journal.

December 2025 Healthcare Data Breach Report

Posted by Steve Alder

In the final month of 2025, a further 41 healthcare data breaches affecting 500 or more individuals were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) by HIPAA-regulated entities. December’s total was the joint second-lowest monthly total of the year and the fourth month in a row where data breaches have been reported in unusually low numbers. Over the past four months, an average of 40.75 large data breaches have been reported per month, compared to an average of 66.5 large data breaches per month for the preceding four months. December 2025’s total is the lowest December total since 2019.

Healthcare data breaches in 2025

One possible explanation for the unusually low total is the 43-day government shutdown, due to the failure of Congress to pass appropriations legislation. All but non-essential staff at the HHS were furloughed, during which time no breach reports were added to the OCR breach portal. While data breach reports have now been added to the breach portal for that period, it is possible that OCR has yet to fully clear the backlog, and the totals for September to December may increase over the coming weeks.

December healthcare data breaches 2021-2025

As it stands, there are currently 697 data breaches listed for 2025, a 6% reduction from the 742 large data breaches reported in 2024. The 697 total will almost certainly increase. When we compiled our December 2024 healthcare data breach report on January 20, 2025, 721 large healthcare data breaches were listed. A further 21 were added to the breach portal for 2024 in the following weeks and months.

Individuals affected by healthcare data breaches in 2025

Across the 41 healthcare data breaches currently listed for December 2025, the protected health information of only 345,564 individuals was exposed or impermissibly disclosed. The number of affected individuals in each of the past four months has also been atypically low, with an average of 1,336,061 individuals affected each month. For the preceding four months (May to August), the average monthly total was 8,181,449 individuals. The totals for the past four months will certainly increase, as many data breach investigations are ongoing, and it has yet to be determined how many individuals have been affected.

Individuals affected by December healthcare data breaches 2021-2025

December 2025’s 346,564 affected individuals is the lowest monthly total since December 2017, when 343,260 individuals were affected. Currently, 60,976,942 individuals are known to have been affected by healthcare data breaches in 2025, a 78.9% reduction from 2024, although 2024’s total includes the gargantuan data breach at Change Healthcare, which affected 192,700,000 individuals.

Largest Healthcare Data Breaches Reported in December 2025

Only five data breaches were reported in December that affected 10,000 or more individuals, the largest of which was a hacking incident at the Rochester, NY-based medical supply fulfillment organization, Fieldtex Products. While Fiedtex Products reported a breach affecting 104,071 individuals, in December, a total of four separate breach reports were filed with OCR by Fieldtex Products, affecting a total of 139,009 individuals, plus a further breach report was filed in November, affecting 35,748 individuals. These five incidents are thought to be due to the same hacking incident detected by Fieldtex Products on August 19, 2025.

AllerVie Health, a Texas-based network of allergy and asthma centers, fell victim to a ransomware attack in November 2025, with the hackers found to have had access to its network from October 24, 2025, to November 3, 2025. The Anubis ransomware group claimed responsibility for the attack. Medical Center LLP, doing business as Dublin Medical Center in Georgia, experienced a hacking incident that affected 20,641 individuals, and Variety Care in Oklahoma was affected by a cyberattack on its business associate TriZetto, a provider of administrative services to HIPAA-regulated entities. Variety Care was one of many covered entities affected by the data breach. While the total number of affected individuals has yet to be confirmed, the Trizetto data breach is now known to have affected more than 700,000 individuals.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Fieldtex Products, Inc. NY Business Associate 104,071 Hacking incident
AllerVie Health TX Healthcare Provider 80,521 Ransomware attack (Anubis)
Medical Center, LLP GA Healthcare Provider 32,090 Hacking incident
Fieldtex Products, Inc. NY Business Associate 20,641 Hacking incident
Variety Care OK Healthcare Provider 17,163 Hacking incident at business associate (TriZetto Provider Solutions)

Six data breaches were reported in December 2025, with totals of 500 or 501 affected individuals. These are commonly used ‘placeholder’ estimates when the investigation is still ongoing as the deadline for reporting the data breach to OCR approaches. These totals will almost certainly increase and will be updated when the data breach investigations are concluded.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Associated Radiologists of the Finger Lakes, P.C. NY Business Associate 501 Hacking Incident
Glendale Obstetrics & Gynecology PCA AZ Healthcare Provider 501 Hacking Incident
Reproductive Medicine Associates of Michigan MI Healthcare Provider 501 Hacking incident – Data theft confirmed
Mitchell County Department of Social Services NC Healthcare Provider 501 Ransomware attack – Data theft confirmed
Greater St. Louis Oral & Maxillofacial Surgery PC MO Healthcare Provider 501 Compromised email account in a phishing attack
Madison Healthcare Services MN Healthcare Provider 500 Hacking incident – Worldleaks threat group claimed responsibility

Causes of December 2025 Healthcare Data Breaches

Hacking and other IT incidents accounted for 80.5% of the month’s data breaches, with 33 such incidents reported, affecting 327,095 individuals – 94.4% of the month’s total. The average breach size was 9,912 individuals, and the median breach size was 2,511 individuals. There were 8 unauthorized access/disclosure incidents in December, affecting 19,469 individuals. The average breach size was 2,434 individuals, and the median breach size was 1,469 individuals. No loss, theft, or improper disposal incidents were reported in December.

Causes of December 2025 healthcare data breaches

The most common location of breached protected health information was network servers, followed by six incidents involving compromised email accounts.

Location of breached PHI in December 2025

Where did the Data Breaches Occur?

Healthcare providers were the worst-affected regulated entities in December, reporting 29 of the month’s 41 data breaches (191,900 individuals). Six data breaches were reported by health plans (12,272 individuals) and six by business associates (142,392 individuals). When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure that breach notifications are sent and OCR is notified. The covered entities may choose to delegate the notification responsibilities to the business associate, although oftentimes, the affected HIPAA-covered entities report the breach. For instance, covered entities affected by the data breach at Trizetto Provider Solutions reported the breach, even though it occurred at their business associate (or subcontractor of their business associate). To better reflect business associates, the charts below show data breach figures based on where the data breach occurred, rather than the entity reporting the data breach.

Data breaches at HIPAA-regulated entities in December 2025

 

Data breaches at HIPAA-regulated entities in December 2025 - individuals affected

Geographic Distribution of Healthcare Data Breaches

California was the worst-affected state in December in terms of data breaches, with nine HIPAA-regulated entities known to have been affected. The high total is due to the data breach at Trizetto Provider Solutions, which was either a business associate of a subcontractor of a business associate of six of the nine affected entities. New York ranked second, but four of its five data breaches were reported by the same entity, Fieldtex Products.

State Data Breaches
California 9
New York 5
Texas 4
Maryland, Michigan, Minnesota, Missouri, Oklahoma, Oregon & Tennessee 2
Arizona, Florida, Georgia, Illinois, Louisiana, Maine, Massachusetts, North Carolina & Ohio 1

While California topped the list for data breaches, New York was the worst state in terms of the number of affected individuals, followed by Texas.

State Individuals Affected
New York 140,320
Texas 85,728
Georgia 32,090
California 31,013
Oklahoma 18,275
Missouri 9,343
Oregon 6,473
Louisiana 4,519
Maryland 4,027
Tennessee 3,138
Illinois 2,511
Massachusetts 1,638
Ohio 1,629
Michigan 1,560
Maine 1,259
Florida 1,036
Minnesota 1,003
Arizona 501
North Carolina 501

HIPAA Enforcement Activity in December 2025

In December, OCR announced one HIPAA enforcement action that involved a financial penalty. Texas-based Concentra, Inc., was investigated after OCR received a complaint from an individual who had not been provided with timely access to his medical and billing records. Concentra agreed to settle the alleged HIPAA Right of Access violation and paid a $112,500 penalty. This was the 54th financial penalty under the HIPAA Right of Access enforcement initiative, which commenced in late 2019 and is ongoing. It has been a busy year of HIPAA enforcement, with OCR resolving 21 HIPAA violation cases with regulated entities in 2025 with a financial penalty. OCR collected $8,330,066 in penalties from those enforcement actions.

State attorneys general also enforce the HIPAA Rules, although 2025 was a quiet year, with only one financial penalty imposed to resolve a data breach investigation. Orthopedics NY LLP (OrthoNY) paid $500,000 to settle alleged cybersecurity failures that led to a breach of the protected health information of more than 656,000 individuals. The New York Attorney General cited violations of HIPAA and state cybersecurity laws.

The post December 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.