Recent Healthcare Data Breaches and Regulatory Actions in the United States
Multiple healthcare organizations across the United States have reported significant data breaches affecting the personal and protected health information of hundreds of thousands of patients and employees. Notable incidents include the compromise of NCH Corporation Employee Benefits Plan data via exploitation of a zero-day vulnerability in Oracle E-Business Suite, a ransomware attack on OrthopedicsNY resulting in a $500,000 fine by the New York Attorney General, and a major breach at Murfreesboro Medical Clinic & SurgiCenter attributed to the BianLian ransomware group. Other breaches involved unauthorized access to patient data at Fyzical Therapy & Balance Centers, exposure of client data through a law firm serving Goldman Sachs, and improper storage of thousands of medical records in a Memphis storage unit. Additionally, Health Share of Oregon and CareOregon notified members of unauthorized viewing of their information, though the exact nature of the incident remains unclear.
Regulatory responses have included state attorney general enforcement actions, such as the fine imposed on OrthopedicsNY for failing to implement adequate cybersecurity measures. Organizations affected by these breaches have taken steps such as patching vulnerabilities, enhancing security policies, notifying affected individuals, and offering credit monitoring services. The incidents highlight ongoing risks to healthcare data security from ransomware, insider threats, third-party exposures, and improper data handling, as well as the increasing role of state regulators in enforcing HIPAA compliance and data protection standards.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Final fairness hearing set for Murfreesboro settlement
A final fairness hearing for the Murfreesboro Medical Clinic settlement was scheduled for January 16, 2026. Affected individuals were given until April 14, 2026 to submit claims.
Murfreesboro Medical Clinic reaches breach lawsuit settlement
By December 29, 2025, Murfreesboro Medical Clinic had agreed to settle consolidated class action litigation over its 2023 breach. The settlement provides compensation, credit monitoring, identity theft protection, and requires enhanced security measures for at least three years.
New York Attorney General fines OrthoNY $500,000
On December 29, 2025, the New York Attorney General announced a $500,000 settlement with OrthoNY over its 2023 breach. The agreement requires credit monitoring for victims and major security improvements including MFA, encryption, monitoring, and annual risk assessments.
Fried Frank engages responders and notifies law enforcement
After the law firm breach, Fried Frank retained external cybersecurity experts, reported the incident to law enforcement, and began notifying affected clients. A proposed class action lawsuit was also filed against the firm by an investor in a Goldman Sachs fund.
Goldman Sachs warns fund investors of Fried Frank breach exposure
Goldman Sachs notified some alternative investment fund investors that their data may have been exposed in a cybersecurity incident at law firm Fried Frank Harris Shriver & Jacobson LLP. Goldman said its own systems were not affected.
CareOregon and Health Share breach reported to law enforcement
Following its investigation, Columbia Pacific CCO said it notified law enforcement and remediated the issue by changing access protocols and retraining staff. The organization said the cause had not been clarified and warned of possible fraudulent insurance claim misuse.
Columbia Pacific CCO identifies unauthorized access to member data
Columbia Pacific CCO disclosed unauthorized access to member information affecting CareOregon and Health Share of Oregon members. Exposed data included names, dates of birth, health plan details, Medicaid and Medicare ID numbers, and primary care provider information.
Thousands of medical records left in auctioned Memphis storage unit
After a storage unit owner failed to pay rent for three months, the unit was auctioned and buyer Jason Lederfine discovered thousands of sensitive medical records inside. The records belonged to former Memphis dentist Dr. Ajay Dave and included patient files, X-rays, billing records, and Social Security numbers.
One Community Health reports Trizetto-related PHI exposure
In late 2025, One Community Health disclosed a breach tied to Trizetto Provider Solutions in which unauthorized access to eligibility transaction reports exposed protected health information. The organization said it took remedial steps in response.
Foundation Health Partners discloses mailing error
In late 2025, Foundation Health Partners reported a mailing error that exposed limited patient information. The organization said it took remedial action after the disclosure.
Cl0p exploits Oracle E-Business Suite flaw to breach NCH plan data
In late 2025, the Cl0p ransomware group exploited zero-day CVE-2025-61882 in Oracle E-Business Suite to steal sensitive personal and health information from the NCH Corporation Employee Benefits Plan. The breach affected 3,098 plan members.
Fyzical investigation confirms scope of patient data exposure
On November 25, 2025, Fyzical concluded its investigation into the email breach and confirmed that sensitive patient information had been exposed. Notifications were later sent and credit monitoring was offered to affected individuals.
Fyzical detects unauthorized access to email environment
Around December 9, 2024, Fyzical Acquisition Holdings detected unauthorized access to its email environment. The breach exposed patient personal and protected health information, including Social Security, financial, and medical data.
INC Ransom attacks OrthoNY and steals patient data
In December 2023, Orthopedics NY LLP suffered a ransomware attack by the INC Ransom group using compromised credentials. Attackers exfiltrated unencrypted personal and health data, ultimately affecting 656,086 individuals.
Murfreesboro Medical Clinic hit by BianLian ransomware
In April 2023, Murfreesboro Medical Clinic & SurgiCenter in Tennessee suffered a ransomware attack attributed to the BianLian group. The incident led to the exfiltration of protected health information affecting about 559,000 patients.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
NCH Corporation Employee Benefits Plan Member Data Stolen
hipaajournal.com
Open sourceData Breach Affects Patients of Multiple Fyzical Therapy & Balance Centers
hipaajournal.com
Open sourceNew York Attorney General Fines Capital Region Orthopedic Practice $500K for 2023 Data Breach
hipaajournal.com
Open sourceGoldman Sachs Says Some Clients’ Data May Have Been Exposed in Law Firm Data Breach
databreaches.net
Open sourceMurfreesboro Medical Clinic Settles Lawsuit Over 559K-record Data Breach
hipaajournal.com
Open sourceHealth Share of Oregon and CareOregon notify members of data breach
databreaches.net
Open sourceThousands of medical records found in auctioned storage unit
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Healthcare Data Breaches and Regulatory Actions in the US
Several healthcare providers in the United States have recently disclosed significant data breaches resulting from cyberattacks, with patient and employee information being compromised. AllerVie Health, based in Texas, confirmed unauthorized access to its network, exposing sensitive data such as names, Social Security numbers, and insurance details, allegedly due to a ransomware attack by the Anubis group. The attackers claim to have stolen records of over 30,000 patients, and affected individuals have been offered credit monitoring and identity theft protection. In a separate incident, OrthopedicsNY, a healthcare provider in New York, suffered a breach in 2023 after attackers gained remote access using compromised credentials, leading to the exposure of data belonging to more than 650,000 patients and employees. The New York Attorney General secured a $500,000 penalty from OrthopedicsNY for failing to implement adequate security measures, and the provider is now required to enhance its data protection practices. Additionally, Singing River Health System in Mississippi reported a cyber incident that led to the temporary shutdown of its patient portal and internet access as a precaution. While the threat was reportedly mitigated, the investigation is ongoing to determine if patient records were accessed. These incidents highlight the ongoing risks faced by healthcare organizations from ransomware groups and other cybercriminals, as well as the increasing regulatory scrutiny and financial penalties for failing to protect sensitive health information. Impacted organizations are responding with offers of credit monitoring and reviews of their security policies, but the breaches underscore the need for robust cybersecurity measures in the healthcare sector.
Mar 21, 2026
Healthcare Sector Data Breaches and Regulatory Action on Health Data Privacy
Multiple healthcare organizations have reported significant data breaches involving unauthorized access to patient information. CareOregon and Health Share of Oregon notified patients of a breach where protected health information, including names, dates of birth, health plan details, and Medicaid/Medicare numbers, was accessed without authorization, raising concerns about potential insurance fraud. Canopy Health, a major New Zealand oncology provider, disclosed a cyberattack that resulted in unauthorized access to administrative systems and possible data exfiltration, with the incident being contained and legal action taken to prevent misuse of the compromised data. Additionally, a Manhattan plastic surgery practice suffered a cyberattack in which sensitive patient images and personal information were stolen and published online, with extortion attempts made directly to patients; this attack is linked to a series of similar incidents targeting plastic surgery practices. In parallel to these incidents, California authorities have taken regulatory action against Datamasters, a marketing firm found to be illegally selling health and personal data of millions of individuals without proper registration as a data broker. The company was fined and banned from selling Californians' personal information after it was discovered to have traded in sensitive data, including health conditions and demographic details, for targeted advertising. These events highlight ongoing risks to health data privacy from both cyberattacks and improper commercial data practices, as well as the increasing regulatory scrutiny and enforcement in this sector.
Mar 21, 2026
Healthcare Data Breaches and Legal Responses in the United States
Multiple healthcare organizations in the United States have experienced significant data breaches involving the exposure of protected health information (PHI) and other sensitive personal data. In Albemarle County, Virginia, a ransomware attack compromised the PHI of members of its self-insured health plan, as well as data belonging to current and former government and public school employees, their dependents, and individuals who interacted with the county. The compromised information included names, Social Security numbers, health insurance details, and other identifiers. The county has concluded its investigation, notified affected individuals, and is offering complimentary credit monitoring and identity theft protection services. Separately, class action settlements have been reached with three healthcare providers—Hypertension Nephrology Associates, Asheville Arthritis and Osteoporosis Center, and Intermountain Planned Parenthood—following data breaches that exposed patient health and financial information. In one case, Hypertension Nephrology Associates agreed to a $625,000 settlement after a ransomware attack led to the theft of data from nearly 40,000 patients. The lawsuits alleged failures in security practices and delayed breach notifications, with affected individuals being offered credit monitoring services. These incidents highlight ongoing legal and regulatory consequences for healthcare organizations following data breaches involving PHI.
Mar 21, 2026