Healthcare Data Breaches and Legal Responses in the United States
Multiple healthcare organizations in the United States have experienced significant data breaches involving the exposure of protected health information (PHI) and other sensitive personal data. In Albemarle County, Virginia, a ransomware attack compromised the PHI of members of its self-insured health plan, as well as data belonging to current and former government and public school employees, their dependents, and individuals who interacted with the county. The compromised information included names, Social Security numbers, health insurance details, and other identifiers. The county has concluded its investigation, notified affected individuals, and is offering complimentary credit monitoring and identity theft protection services.
Separately, class action settlements have been reached with three healthcare providers—Hypertension Nephrology Associates, Asheville Arthritis and Osteoporosis Center, and Intermountain Planned Parenthood—following data breaches that exposed patient health and financial information. In one case, Hypertension Nephrology Associates agreed to a $625,000 settlement after a ransomware attack led to the theft of data from nearly 40,000 patients. The lawsuits alleged failures in security practices and delayed breach notifications, with affected individuals being offered credit monitoring services. These incidents highlight ongoing legal and regulatory consequences for healthcare organizations following data breaches involving PHI.
Sources
Related Stories
Recent Healthcare Data Breaches and Regulatory Actions in the United States
Multiple healthcare organizations across the United States have reported significant data breaches affecting the personal and protected health information of hundreds of thousands of patients and employees. Notable incidents include the compromise of NCH Corporation Employee Benefits Plan data via exploitation of a zero-day vulnerability in Oracle E-Business Suite, a ransomware attack on OrthopedicsNY resulting in a $500,000 fine by the New York Attorney General, and a major breach at Murfreesboro Medical Clinic & SurgiCenter attributed to the BianLian ransomware group. Other breaches involved unauthorized access to patient data at Fyzical Therapy & Balance Centers, exposure of client data through a law firm serving Goldman Sachs, and improper storage of thousands of medical records in a Memphis storage unit. Additionally, Health Share of Oregon and CareOregon notified members of unauthorized viewing of their information, though the exact nature of the incident remains unclear. Regulatory responses have included state attorney general enforcement actions, such as the fine imposed on OrthopedicsNY for failing to implement adequate cybersecurity measures. Organizations affected by these breaches have taken steps such as patching vulnerabilities, enhancing security policies, notifying affected individuals, and offering credit monitoring services. The incidents highlight ongoing risks to healthcare data security from ransomware, insider threats, third-party exposures, and improper data handling, as well as the increasing role of state regulators in enforcing HIPAA compliance and data protection standards.
2 months ago
Multiple Healthcare Data Breaches and Regulatory Actions in the US
Several healthcare providers in the United States have recently disclosed significant data breaches resulting from cyberattacks, with patient and employee information being compromised. AllerVie Health, based in Texas, confirmed unauthorized access to its network, exposing sensitive data such as names, Social Security numbers, and insurance details, allegedly due to a ransomware attack by the Anubis group. The attackers claim to have stolen records of over 30,000 patients, and affected individuals have been offered credit monitoring and identity theft protection. In a separate incident, OrthopedicsNY, a healthcare provider in New York, suffered a breach in 2023 after attackers gained remote access using compromised credentials, leading to the exposure of data belonging to more than 650,000 patients and employees. The New York Attorney General secured a $500,000 penalty from OrthopedicsNY for failing to implement adequate security measures, and the provider is now required to enhance its data protection practices. Additionally, Singing River Health System in Mississippi reported a cyber incident that led to the temporary shutdown of its patient portal and internet access as a precaution. While the threat was reportedly mitigated, the investigation is ongoing to determine if patient records were accessed. These incidents highlight the ongoing risks faced by healthcare organizations from ransomware groups and other cybercriminals, as well as the increasing regulatory scrutiny and financial penalties for failing to protect sensitive health information. Impacted organizations are responding with offers of credit monitoring and reviews of their security policies, but the breaches underscore the need for robust cybersecurity measures in the healthcare sector.
2 months ago
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
2 weeks ago