Healthcare and public-sector data breaches and breach-related litigation
Multiple organizations reported unauthorized access and data exposure events affecting large populations, with several incidents tied to third-party systems or business associates. The Minnesota Department of Human Services notified nearly 304,000 people after a user associated with a licensed healthcare provider accessed demographic records in the MnChoices system (managed by vendor FEI Systems) beyond what was authorized; most impacted records were demographic data, with a smaller subset including some medical information and, for some, the last four digits of SSNs. Monroe University reported a December 2024 intrusion with data exfiltration affecting about 320,973 individuals, with exposed data potentially including SSNs, government IDs, financial account information, and health/insurance data; notification letters began in early January 2026. Separately, Mid Michigan Medical Billing Service disclosed a March 2025 cyberattack that exposed PHI for 28,185 individuals across healthcare clients, and VillageCareMAX reported a breach involving business associate TMG Health (details referenced as part of a broader business-associate breach update).
Other items in the set describe distinct, unrelated security stories rather than the same incident: an underground-market sale of Raaga user data (10.2M records, including passwords stored as unsalted MD5 hashes), a settlement in litigation tied to the Veradigm breach (over 2M patients; $10.5M class-action settlement), and a ransomware incident at Valley Eye Associates where a group identified as Qilin claimed exfiltration (139 GB) and published data. Additional references include commentary on UK government handling of an Afghan data breach (spreadsheet emailed outside the MoD and use of an injunction) and broader analysis of healthcare breach trends and UK ambulance-service breach reporting; these provide context but do not describe the same specific event as the Minnesota DHS or other named incidents.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Minnesota DHS sends breach notices to nearly 304,000 people
Minnesota DHS sent notification letters dated January 16, 2026, to nearly 304,000 individuals affected by unauthorized access to MnChoices records. The agency said no misuse had been identified and it was not offering free credit monitoring because of the limited nature of the data involved.
Monroe University begins notifying affected individuals
After a nine-month review of affected files, Monroe University began mailing notification letters on January 2, 2026. The university said it had not identified misuse of the stolen data at the time notices were sent.
FEI Systems reports MnChoices incident to Minnesota DHS
Third-party vendor FEI Systems reported the unauthorized MnChoices access issue to the Minnesota Department of Human Services in November 2025. This triggered the state's response and investigation into the scope of affected records.
Minnesota DHS removes user's MnChoices access
Minnesota DHS said the involved user's access to the MnChoices system was fully removed on October 30, 2025. The incident ultimately affected nearly 304,000 individuals, mostly through unauthorized access to demographic data.
Unauthorized MnChoices access ceases
In the Minnesota DHS incident, unauthorized access by a user tied to a licensed healthcare provider stopped on September 21, 2025. The user had legitimate limited access but was found to have viewed additional records beyond authorization.
TMG Health identifies unauthorized activity
TMG Health identified unauthorized activity on September 19, 2025, concluding that an unauthorized third party had maintained network access for about 10 months. The incident potentially affected VillageCareMAX members' protected health information.
Mid Michigan Medical Billing Service detects suspicious activity
Mid Michigan Medical Billing Service identified suspicious network activity on March 27, 2025. A forensic investigation later found an unauthorized party had accessed and copied data affecting 28,185 individuals across its healthcare clients.
Monroe University detects December 2024 cyberattack
Monroe University detected the intrusion on December 23, 2024, ending the attack window that investigators later said lasted from December 9 to December 23, 2024. The incident affected about 320,973 individuals.
Monroe University attacker gains network access
Monroe University determined that an attacker had unauthorized access to its network starting on December 9, 2024. The compromise ultimately led to the exfiltration of sensitive personal, student, financial, and health-related information.
TMG Health network intrusion begins affecting VillageCareMAX data
VillageCareMAX said its business associate TMG Health, owned by Cognizant, was accessed by an unauthorized third party beginning around November 20, 2024. The intrusion potentially exposed member PHI including names, member IDs, health information, and Social Security numbers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Minnesota Department of Human Services Data Breach Affects Over 300K Individuals
hipaajournal.com
Open sourceMonroe University: 320,000 Individuals Affected by December 2024 Cyberattack
hipaajournal.com
Open sourceTens of Thousands of Patients Affected by Two Business Associate Data Breaches
hipaajournal.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Data Breach Notifications and Settlement Involving Patient Information Exposure
Multiple healthcare-related organizations disclosed **separate** incidents involving exposure or theft of patient data. Delta Medical Systems reported unauthorized access to its email environment on July 15, 2025, with potentially exposed data including names, dates of birth, Social Security numbers, driver’s license information, bank details, insurance information, and medical information. A separate HIPAA Journal report described additional incidents at Cedar Valley Services, Community Nurse, and Health Dimensions Group, including a likely **Qilin ransomware** intrusion at Cedar Valley Services and a vendor-linked compromise affecting Community Nurse through *Doctor Alliance*, where files may have been accessed between October 31 and November 17, 2025. In a different but related healthcare privacy matter, a judge approved a **$5 million settlement** in litigation against Geisinger Health and *Nuance Communications* over the theft of medical records affecting roughly **1.3 million patients** by a former Nuance employee. The stolen records reportedly included names, birthdates, addresses, medical record numbers, treatment details, and insurance information. While all three reports concern healthcare data exposure, they describe **distinct incidents** rather than one unified breach event, spanning direct compromises, third-party/vendor exposure, suspected ransomware activity, and post-incident legal resolution.
Mar 21, 2026
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026
Healthcare Data Breach and Ransomware Incident Roundup
Several healthcare-related organizations disclosed **separate data breach incidents** involving ransomware, unauthorized network access, and third-party compromise. CommonSpirit Health said patient data was exposed through a downstream vendor chain after **Pinnacle Holdings Ltd** suffered a ransomware attack, with attackers present in the network from November 11 to November 25, 2024, and exfiltrating files before the incident was later relayed through **NorthGauge Healthcare Advisors**. Meadowlark Hills and MedPeds also disclosed breaches tied to the **Beast ransomware** group, while Tieu Dental reported unauthorized access to its network in July 2025 that exposed patient information including Social Security numbers, medical and insurance data. These incidents led to regulatory notifications and offers of credit monitoring or identity theft protection for affected individuals. A separate legal development involved **Geisinger Health** and **Nuance Communications**, where a judge approved a **$5 million settlement** over claims tied to a former Nuance employee's theft of medical records affecting about 1.3 million patients. That matter differs from the ransomware and breach notifications because it concerns civil litigation over an earlier insider data theft rather than a newly disclosed intrusion. Overall, the reporting reflects ongoing exposure of protected health information across the healthcare sector through both direct attacks and third-party relationships, with delayed notification timelines and incomplete early visibility into the full scope of compromised data remaining recurring issues.
Apr 17, 2026