Healthcare Data Breaches and Patient Data Exposure Reports
Multiple organizations reported or were alleged to have suffered data breaches involving sensitive personal and health information. Telehealth provider Call-On-Doc was allegedly breached in early December, with a hacking-forum listing claiming exfiltration of 1,144,223 patient records including contact details and highly sensitive visit metadata (e.g., medical category/condition, including STD-related entries), though the company had not publicly commented at the time of reporting. Separately, Laurel Health Centers (a Federally Qualified Health Center network in Northern Pennsylvania) reported unauthorized access to its email environment from July 11–25, 2025; emails and attachments may have been viewed or copied, potentially exposing a wide range of PHI/PII (including SSNs, insurance/Medicare data, diagnostic/treatment information, and some financial data). Laurel stated it took time to confirm the threat actor was fully removed, completed mailbox review by Dec. 30, 2025, and then began notifying affected individuals and offering credit monitoring.
Outside healthcare delivery, the Civil Service Employees Association (CSEA) labor union reported a May intrusion (May 3–31) resulting in theft of data for 47,000+ members, including names and Social Security numbers, and said it took systems offline, reset passwords, and implemented additional security controls; it reported no evidence of misuse but advised vigilance for identity theft. A separate HIPAA Journal item summarized academic research on insider risk—finding many students would hypothetically sell patient data for money—which is not tied to a specific breach incident but underscores the broader threat environment for healthcare data.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
DataBreaches reports unconfirmed Call-On-Doc breach claim
DataBreaches published details of the alleged Call-On-Doc incident after reviewing a small sample of the purported data and attempting unsuccessfully to obtain comment from the company. As of publication, no public notice or regulator filing had been identified.
Laurel Health Centers mails breach notification letters
Following completion of its review, Laurel Health Centers sent notification letters to affected individuals and offered complimentary credit monitoring. The total number of affected people was still unclear at the time of reporting.
Modern Health notifies affected individuals by email
Modern Health emailed impacted individuals about the profile-access incident and said it had disabled the affected profiles. The company also reported to the Massachusetts Attorney General that two Massachusetts residents were affected.
Laurel Health Centers completes review of impacted accounts
After investigating the July incident, Laurel Health Centers finished reviewing the affected email accounts to determine what information may have been involved. The review was completed on December 30, 2025.
Alleged Call-On-Doc breach and data theft occurs
A hacking-forum seller claimed telehealth provider Call-On-Doc was breached in early December 2025 and that 1,144,223 patient records were exfiltrated. The allegedly stolen data included personal information and health-related details, with screenshots and a sample offered as proof.
Modern Health discovers unauthorized access to member profiles
Modern Health identified unauthorized access affecting a limited number of member profiles on its behavioral health platform. The company said Social Security numbers and financial information were not exposed.
Unauthorized access window at Laurel Health Centers ends
Laurel Health Centers determined the unauthorized access to affected email accounts continued until July 25, 2025. During this period, protected health information may have been exposed.
Laurel Health Centers detects unusual email activity
Laurel Health Centers began investigating unusual activity in its email environment, which led to discovery of the security incident. The organization identified suspicious activity on July 14, 2025.
Unauthorized access begins in Laurel Health Centers email accounts
Laurel Health Centers later determined that an unauthorized third party accessed certain employee email accounts, with possible viewing or copying of emails and files containing patient information. The exposure window was identified as beginning on July 11, 2025.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Call-On-Doc allegedly had a breach affecting more than 1 million patients. They’ve yet to comment. - DataBreaches.Net
databreaches.net
Open sourcePatients of Philadelphia’s Laurel Health Centers Affected by Data Breach
hipaajournal.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Data Breaches and Patient Record Exposure at Providers and Vendors
Multiple healthcare entities reported **unauthorized access and patient data exposure**, with incidents spanning direct provider compromises and third-party vendor breaches. **Insight Hospital and Medical Center (Chicago)** disclosed suspicious activity in its IT environment, with investigators confirming **unauthorized network access from Aug 22 to Sep 11, 2025**; the organization said the review is ongoing but potentially impacted data includes **names, DOB, SSNs, passport numbers, financial account data, treatment information, and insurance details**. Two extortion groups publicly claimed responsibility: **LockBit** alleged theft of ~`200 GB` and **Termite** claimed `360 GB`, stating it leaked data in late February 2026. In France, attackers stole about **15.8 million administrative files** after breaching health-ministry software supplier **Cegedim Santé**, impacting its *MonLogicielMedical (MLM)* product used by thousands of doctors; the stolen data reportedly included **identity and contact details**, and in a smaller subset (~**165,000** files) **free-text doctors’ notes** that in limited cases contained sensitive medical-history details. Separately, **OCAT, LLC d/b/a Evoke Wellness at Hilliard** updated a breach notification describing **unauthorized network activity** and potential access to patient information; reporting also tied the matter to an **insider misuse** investigation in which a former employee allegedly accessed and sold patient data, though public filings contained **inconsistent timelines** about when the underlying incident occurred and when it was discovered.
Mar 25, 2026
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026
Large US Healthcare Data Breaches Impacting Millions of Patients
Multiple healthcare-sector data breaches were disclosed with significant exposure of **protected health information (PHI)**. TriZetto Provider Solutions (TPS), an insurance verification provider, reported a compromise that began in **November 2024** and was not detected until nearly a year later; the threat was reportedly eradicated on **Oct. 2, 2025**. Notifications to affected healthcare provider customers across several states continued into late 2025 and early 2026, with one Oregon advisory estimating exposure affecting **more than 700,000 people**; impacted providers stated there was no current evidence of misuse and that **financial details were not stolen**. Separately, Healthcare Interactive (*HCIactive*), an AI-powered insurance enrollment and benefits administration vendor, confirmed that an intrusion and data exfiltration tied to activity in mid-2025 ultimately affected **3,056,950 individuals**, after earlier placeholder reporting while scope was still being determined; reported unauthorized access windows vary from **July 8–12, 2025** to a broader **June 17–July 22, 2025**. Another incident involved AI care-coordination platform *Lena Health*, where a threat actor claimed exposure of patient data (including references to a **Twilio call recording database**) and alleged that **2,134 patients’ PHI** was stored in an unencrypted export in a public-facing **AWS S3 bucket**, with follow-on reporting indicating exploitation after a publicly disclosed vulnerability and an available patch that was not applied in time.
Mar 21, 2026