Healthcare Data Breach Notifications Following Ransomware and EHR Vendor Compromise
MACT Health Board confirmed patient data theft tied to a November 2025 ransomware attack claimed by INC Ransom. The organization reported network access by an unauthorized party from Nov 12–20, 2025, followed by a file review completed Jan 9, 2026; exposed data may include patient names plus clinical information (e.g., diagnoses, test results, treatment details, medical images) and, for some individuals, Social Security numbers. MACT began mailing notification letters Jan 23, 2026 and is offering credit monitoring/identity theft protection where SSNs were involved.
Munson Healthcare separately notified more than 100,000 patients impacted by a Cerner (Oracle Health) compromise involving access to two legacy Cerner servers containing data awaiting migration to the Oracle Cloud; unauthorized access began as early as Jan 22, 2025 and was detected Feb 20, 2025. Reported exposed data includes names, SSNs, and typical EHR content (medical record numbers, diagnoses, medications, test results, care details, and providers' names). Cerner/Oracle Health engaged third-party incident response and notified law enforcement. Reporting indicates notification delays were influenced by law-enforcement requests and the ongoing investigation, and litigation alleges the incident may have affected up to 80 hospitals.

How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
Michigan AG issues alert after Munson disclosure
Michigan Attorney General Dana Nessel issued a consumer alert in response to the Munson Healthcare breach disclosure. She also called for stronger state data-protection laws.
Munson Healthcare discloses 101,891 patients affected
Munson Healthcare notified patients that data in its electronic medical record system was exposed through the Cerner/Oracle Health cyberattack. The health system said 101,891 current and former patients were affected and offered two years of credit monitoring and identity theft protection.
MACT Health Board starts notifying affected patients
MACT Health Board began notifying affected individuals on January 23, 2026 about the November 2025 breach. It offered credit monitoring to people whose Social Security numbers were involved.
INC Ransom claims MACT Health Board attack
The INC Ransom ransomware group claimed responsibility for the MACT Health Board incident. The same group was also reported to have listed TriCity Family Services on its leak site and claimed to have stolen 22 GB of data there.
MACT Health Board intrusion ends after days of access
MACT Health Board determined the unauthorized access lasted until November 20, 2025. Exposed information included patient and clinical data, and for some individuals Social Security numbers.
MACT Health Board network intrusion begins
MACT Health Board said unauthorized access to its network started on November 12, 2025. The intrusion disrupted IT systems and was later tied to theft of patient information.
HAP phishing-related credential compromise occurs
Health Alliance Plan said employee credentials were compromised in a phishing incident on October 24, 2025. HAP later notified potentially affected members even though it could not confirm that their data was actually accessed.
TriCity Family Services intrusion ends
TriCity Family Services said the unauthorized access to its network continued until May 14, 2025. The organization later linked the incident to data theft and said the EMR environment was not compromised.
Oracle Health publicly confirms Cerner breach
Oracle Health publicly confirmed the Cerner cyberattack in March 2025. Later reporting indicated as many as 80 hospitals may have been affected.
Cerner detects cyberattack on legacy servers
Cerner detected the intrusion on February 20, 2025 and said a hacker had accessed two legacy servers. The incident ultimately affected multiple healthcare organizations and patient records.
Cerner servers first exposed in Oracle Health incident
In the Cerner/Oracle Health breach affecting healthcare providers including Munson Healthcare, unauthorized access may have begun as early as January 22, 2025 on two legacy Cerner servers awaiting migration to Oracle Cloud.
TriCity Family Services intrusion begins
TriCity Family Services said an unauthorized party gained access to its network beginning on November 11, 2024. The organization later determined files were copied during the intrusion, though its electronic medical record system was not accessed.


