Multiple Healthcare and Retail Data Breaches Impacting US Organizations
Several US organizations have reported significant data breaches affecting thousands of individuals. Pearlman Aesthetic Surgery in New York disclosed a hacking incident compromising the protected health information of nearly 12,000 patients, though specific details remain undisclosed. Methodist Homes of Alabama and Northwest Florida notified residents and employees of a second breach within seven months, involving unauthorized access to an employee email account containing sensitive personal and medical information. Gulshan Management Services, which operates over 150 gas stations and convenience stores, confirmed a breach that exposed the personal data of more than 377,000 people, including Social Security numbers and financial information, with delayed notification to affected individuals. Community First Medical Center in Chicago reached a $1 million preliminary settlement following a 2023 breach that exposed the data of approximately 216,000 patients, with allegations of inadequate cybersecurity measures and delayed response.
These incidents have led to regulatory filings, class action lawsuits, and increased scrutiny over the timeliness and adequacy of breach notifications. The breaches highlight ongoing challenges in protecting sensitive data across healthcare and retail sectors, with attackers exploiting both network vulnerabilities and email accounts. Organizations are facing legal and reputational consequences, emphasizing the need for robust cybersecurity practices and prompt communication with affected individuals.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Methodist Homes began notifying people about second breach
Methodist Homes of Alabama and Northwest Florida began notifying residents and employees about the 2025 email-account breach, its second disclosed data breach in seven months. The total number of people affected by the latest incident had not yet been publicly disclosed.
Healthcare entities reported additional patient data incidents
Associated Radiologists of the Finger Lakes reported unauthorized network access over two days and began reviewing the scope of exposed patient data, while Fast Pace Urgent Care disclosed that a business associate employee mistakenly emailed PHI for 2,072 patients to the wrong recipient, who confirmed deletion.
Pearlman Aesthetic Surgery disclosed hacking incident
Pearlman Aesthetic Surgery in Manhattan disclosed a hacking and IT incident affecting 11,764 individuals. Specific details about the intrusion were not provided in the report.
Judge preliminarily approves $1M Community First settlement
A federal judge preliminarily approved a $1 million settlement to resolve consolidated class action claims against Community First Medical Center over its 2023 breach. The proposed deal includes reimbursement for losses, a cash payment option, and one year of credit and medical monitoring for affected individuals.
Gulshan notified affected individuals of data breach
Gulshan Management Services notified affected individuals on January 5, 2026, more than three months after discovering the breach. Multiple class action lawsuits and investigations followed the disclosure.
Gulshan discovered the breach
Gulshan Management Services discovered the unauthorized access incident on September 27, 2025. The company later faced scrutiny over the delay in notifying affected individuals.
Gulshan attackers accessed external system over 10 days
Attackers gained unauthorized access to an external system used by Gulshan Management Services between September 17 and September 27, 2025, exposing personal and financial data of more than 377,000 individuals.
Community First Medical Center breach exposed 216,000 patients
Community First Medical Center suffered a data breach in July 2023 that exposed protected health information of about 216,000 patients, including Social Security and Medicare numbers. The incident later led to consolidated class action litigation.
Methodist Homes employee email account was compromised
An employee email account at Methodist Homes of Alabama and Northwest Florida was accessed without authorization between May 8 and May 21, 2025, exposing residents' and employees' sensitive personal and medical information.
Methodist Homes reports first breach to HHS after October 2024 incident
Methodist Homes of Alabama and Northwest Florida experienced a data breach in October 2024. It was initially reported to HHS as affecting 908 patients, though later notifications indicated 25,579 people were impacted.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
12,000-Record Data Breach Announced by New York Plastic Surgery Practice
hipaajournal.com
Open sourceMethodist Homes of Alabama and Northwest Florida is notifying residents and employees of its second data breach in seven months.
databreaches.net
Open sourceJudge Gives First Nod to $1M Community First Medical Center Data Breach Settlement
hipaajournal.com
Open sourceMajor Data Breach Hits Company Operating 150 Gas Stations in the US
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Recent Healthcare Data Breaches and Regulatory Actions in the United States
Multiple healthcare organizations across the United States have reported significant data breaches affecting the personal and protected health information of hundreds of thousands of patients and employees. Notable incidents include the compromise of NCH Corporation Employee Benefits Plan data via exploitation of a zero-day vulnerability in Oracle E-Business Suite, a ransomware attack on OrthopedicsNY resulting in a $500,000 fine by the New York Attorney General, and a major breach at Murfreesboro Medical Clinic & SurgiCenter attributed to the BianLian ransomware group. Other breaches involved unauthorized access to patient data at Fyzical Therapy & Balance Centers, exposure of client data through a law firm serving Goldman Sachs, and improper storage of thousands of medical records in a Memphis storage unit. Additionally, Health Share of Oregon and CareOregon notified members of unauthorized viewing of their information, though the exact nature of the incident remains unclear. Regulatory responses have included state attorney general enforcement actions, such as the fine imposed on OrthopedicsNY for failing to implement adequate cybersecurity measures. Organizations affected by these breaches have taken steps such as patching vulnerabilities, enhancing security policies, notifying affected individuals, and offering credit monitoring services. The incidents highlight ongoing risks to healthcare data security from ransomware, insider threats, third-party exposures, and improper data handling, as well as the increasing role of state regulators in enforcing HIPAA compliance and data protection standards.
Mar 21, 2026
Multiple Healthcare and Insurance Data Breaches Impacting Millions
Several major organizations in the healthcare and insurance sectors have disclosed significant data breaches affecting millions of individuals. ARC Community Services reported a ransomware attack by the INC Ransom group, resulting in the exfiltration of sensitive patient data, including health and financial information. Aflac confirmed that a June cyberattack led to the theft of files containing insurance claims, health data, and Social Security numbers for over 22 million customers, with no operational disruption but widespread exposure of personal information. The Louisiana Office of Student Financial Assistance (LOSFA) notified students of unauthorized access to its systems, exposing names and Social Security numbers, though certain savings accounts were not affected. Oklahoma Spine Hospital agreed to a $1.1 million settlement following a July breach that compromised the data of nearly 39,000 patients, including medical and financial details. These incidents highlight the ongoing threat posed by cybercriminals targeting sensitive data in the healthcare and insurance industries. Victims in these breaches are being offered credit monitoring and identity protection services, and regulatory notifications have been issued. The attacks have prompted legal action, regulatory scrutiny, and, in some cases, leadership changes within affected organizations. Law enforcement and cybersecurity experts have been engaged to investigate and mitigate the impact of these breaches, which are part of a broader trend of targeted attacks against organizations handling large volumes of personal and health-related information.
Mar 21, 2026
Multiple Healthcare Data Breaches Impacting U.S. Medical Providers
Several U.S. healthcare organizations have disclosed significant data breaches involving unauthorized access to patient and employee information. MedStar Health reported that an unauthorized third party accessed internal systems containing sensitive patient data, including names, dates of birth, Social Security numbers, and medical information. The Rhysida threat group claimed responsibility for this attack, alleging the exfiltration and leak of over 7 million pieces of patient data. Brevard Skin and Cancer Center also confirmed a cyberattack in which the Pear threat group claimed to have stolen 1.8 terabytes of data, affecting both patient and employee records with information such as Social Security numbers, health conditions, and billing details. Both organizations have offered complimentary credit monitoring and identity theft protection to affected individuals and are reviewing their cybersecurity measures. Henry Ford Health in Michigan disclosed an insider data breach affecting nearly 2,000 patients, resulting in the termination of the responsible employee and notification to those impacted. While details on the specific data accessed were not provided, credit monitoring services have been offered. These incidents highlight the ongoing risks faced by healthcare providers from both external threat actors and insider threats, emphasizing the need for robust security policies and continuous evaluation of protective measures to safeguard sensitive health information.
Mar 21, 2026