Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported unauthorized network access and patient data exposure, with several incidents involving confirmed data exfiltration and follow-on notification/credit-monitoring actions. QualDerm Partners disclosed unauthorized access between Dec. 23–24, 2025 with files exfiltrated and notifications being sent on a rolling basis, while Carolina Foot & Ankle Associates reported a Dec. 2025 intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included Cedar Point Health (intrusion detected around June 16, 2025, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from Wee Care Pediatrics and Easterseals Northeast Indiana.
Legal and regulatory consequences continued to surface from earlier healthcare incidents. Asheville Eye Associates agreed to settle consolidated class-action litigation tied to a Nov. 2024 attack claimed by DragonForce ransomware, which allegedly exfiltrated ~540 GB before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting 204,984 individuals. Sector-wide reporting also indicated 46 large healthcare breaches logged for Jan. 2026 on the HHS OCR portal (500+ individuals), exposing ~1.44 million individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Related Entities
Threat Actors
Malware
Organizations
Sources
Related Stories
Delayed patient notifications following healthcare data breaches at providers and vendors
Multiple healthcare organizations and vendors reported **delayed patient notifications** after discovering unauthorized access to protected health information (PHI), in some cases more than a year after the underlying compromise. In Colorado, **Alpine Ear, Nose, and Throat (Alpine ENT)** notified **65,648** individuals that an attacker accessed and exfiltrated files containing PHI in an incident identified on **Nov. 19, 2024**; the **BianLian** ransomware group later claimed responsibility and posted the organization to its leak site. Exposed data was described as highly sensitive, including medical information and, for some individuals, **financial account data and payment card details** (including CVC/expiration) and **Social Security numbers**; Alpine ENT reported no confirmed identity theft at the time of notification and offered credit monitoring. Separately, **Bayada Home Health Care** disclosed exposure risk tied to a **third-party vendor (Doctor Alliance)** after Doctor Alliance reported unauthorized network access during **Oct.–Nov. 2025**, potentially affecting Home Health Certification and Plan of Care forms containing patient identifiers and clinical/insurance details (and **SSNs for a subset**). Bayada said it discontinued using Doctor Alliance and reported the matter to regulators. In another vendor-related incident, **TriZetto Provider Solutions (Cognizant)**—an insurance verification provider—suffered a cyberattack impacting PHI across multiple states; Oregon providers began notifying additional patients after the breach was reported as occurring in **Nov. 2024** but not discovered until **Oct. 2, 2025**, with no financial data reportedly compromised and no evidence of misuse so far; the incident has prompted **class-action lawsuits**, engagement of **Mandiant**, and law enforcement notification.
1 months ago
Healthcare Data Breaches and Patient Data Exposure Reports
Multiple organizations reported or were alleged to have suffered **data breaches involving sensitive personal and health information**. Telehealth provider **Call-On-Doc** was allegedly breached in early December, with a hacking-forum listing claiming exfiltration of **1,144,223 patient records** including contact details and highly sensitive visit metadata (e.g., *medical category/condition*, including STD-related entries), though the company had not publicly commented at the time of reporting. Separately, **Laurel Health Centers** (a Federally Qualified Health Center network in Northern Pennsylvania) reported **unauthorized access to its email environment** from July 11–25, 2025; emails and attachments may have been viewed or copied, potentially exposing a wide range of PHI/PII (including SSNs, insurance/Medicare data, diagnostic/treatment information, and some financial data). Laurel stated it took time to confirm the threat actor was fully removed, completed mailbox review by Dec. 30, 2025, and then began notifying affected individuals and offering credit monitoring. Outside healthcare delivery, the **Civil Service Employees Association (CSEA)** labor union reported a May intrusion (May 3–31) resulting in theft of data for **47,000+ members**, including names and **Social Security numbers**, and said it took systems offline, reset passwords, and implemented additional security controls; it reported no evidence of misuse but advised vigilance for identity theft. A separate HIPAA Journal item summarized academic research on **insider risk**—finding many students would hypothetically sell patient data for money—which is not tied to a specific breach incident but underscores the broader threat environment for healthcare data.
1 months ago
Large US Healthcare Data Breaches Impacting Millions of Patients
Multiple healthcare-sector data breaches were disclosed with significant exposure of **protected health information (PHI)**. TriZetto Provider Solutions (TPS), an insurance verification provider, reported a compromise that began in **November 2024** and was not detected until nearly a year later; the threat was reportedly eradicated on **Oct. 2, 2025**. Notifications to affected healthcare provider customers across several states continued into late 2025 and early 2026, with one Oregon advisory estimating exposure affecting **more than 700,000 people**; impacted providers stated there was no current evidence of misuse and that **financial details were not stolen**. Separately, Healthcare Interactive (*HCIactive*), an AI-powered insurance enrollment and benefits administration vendor, confirmed that an intrusion and data exfiltration tied to activity in mid-2025 ultimately affected **3,056,950 individuals**, after earlier placeholder reporting while scope was still being determined; reported unauthorized access windows vary from **July 8–12, 2025** to a broader **June 17–July 22, 2025**. Another incident involved AI care-coordination platform *Lena Health*, where a threat actor claimed exposure of patient data (including references to a **Twilio call recording database**) and alleged that **2,134 patients’ PHI** was stored in an unencrypted export in a public-facing **AWS S3 bucket**, with follow-on reporting indicating exploitation after a publicly disclosed vulnerability and an available patch that was not applied in time.
1 months ago