Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported unauthorized network access and patient data exposure, with several incidents involving confirmed data exfiltration and follow-on notification/credit-monitoring actions. QualDerm Partners disclosed unauthorized access between Dec. 23–24, 2025 with files exfiltrated and notifications being sent on a rolling basis, while Carolina Foot & Ankle Associates reported a Dec. 2025 intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included Cedar Point Health (intrusion detected around June 16, 2025, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from Wee Care Pediatrics and Easterseals Northeast Indiana.
Legal and regulatory consequences continued to surface from earlier healthcare incidents. Asheville Eye Associates agreed to settle consolidated class-action litigation tied to a Nov. 2024 attack claimed by DragonForce ransomware, which allegedly exfiltrated ~540 GB before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting 204,984 individuals. Sector-wide reporting also indicated 46 large healthcare breaches logged for Jan. 2026 on the HHS OCR portal (500+ individuals), exposing ~1.44 million individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
How this story unfolded
19 events from the most recent confirmed update back to the earliest known activity.
Asheville Eye Associates agrees to class action settlement
By February 27, 2026, Asheville Eye Associates had agreed to settle litigation stemming from its November 2024 ransomware attack. The proposed settlement provides reimbursement for certain losses, identity theft protection, and other benefits while the company denies wrongdoing.
Carolina Foot & Ankle reports breach to HHS OCR
By late February 2026, Carolina Foot & Ankle Associates had reported the December 2025 incident to HHS OCR using a placeholder estimate of at least 501 affected individuals. The practice also offered credit monitoring and notified law enforcement.
Inc Ransom claims Easterseals Northeast Indiana attack
By February 2026, the Inc Ransom group claimed responsibility for the Easterseals Northeast Indiana incident, alleging it stole 405 GB of data. The public claim aligned with the provider's description of the event as ransomware-related.
Texas AG filing says 174,837 Texans affected in QualDerm breach
QualDerm informed the Texas Attorney General that 174,837 Texas residents were affected by the breach. The filing suggested the total impact may be larger across the 17 states where QualDerm supports practices.
QualDerm begins rolling notifications to affected individuals
By February 2026, QualDerm Partners was sending notification letters on a rolling basis while continuing to review the impacted data. The company also offered complimentary credit monitoring and identity theft protection.
HHS OCR records 46 large healthcare breaches in January 2026
During January 2026, the HHS Office for Civil Rights breach portal logged 46 healthcare breaches affecting 500 or more individuals. Those incidents exposed or impermissibly disclosed PHI for 1,441,182 people.
Cedar Point Health completes data impact analysis
On January 27, 2026, Cedar Point Health completed its review of the compromised data. The analysis found extensive identifiers and health and financial information were exposed.
QualDerm Partners detects suspicious activity
On December 24, 2025, QualDerm Partners detected suspicious activity on its computer network. The company engaged third-party cybersecurity experts to investigate the incident.
QualDerm Partners unauthorized access and exfiltration occur
QualDerm Partners later determined an unauthorized party accessed its network and exfiltrated sensitive files between December 23 and December 24, 2025. Potentially exposed data included personal, medical, insurance, and for some individuals government-issued ID information.
New Age Dermatology identifies ransomware attack
Around December 20, 2025, New Age Dermatology identified a ransomware attack that rendered an internal server inoperable. The organization said patient-record data may have been exposed, though the full scope was still under review.
Wee Care Pediatrics identifies suspicious activity
Around December 15, 2025, Wee Care Pediatrics discovered suspicious activity and later confirmed unauthorized access to its network. Potentially exposed data included PHI, Social Security numbers, and insurance and government program details.
Marin Cancer Care detects intrusion
Marin Cancer Care detected suspicious activity around December 8, 2025. The provider later determined the incident may have exposed patient information.
Carolina Foot & Ankle Associates detects cyberattack
On December 8, 2025, Carolina Foot & Ankle Associates detected a network disruption. An investigation found an unauthorized party accessed its network and exfiltrated files containing patient information.
Marin Cancer Care intrusion window ends
Marin Cancer Care determined the unauthorized access to its systems continued until December 6, 2025. Its investigation and review of affected files remained ongoing afterward.
Marin Cancer Care unauthorized access window begins
Marin Cancer Care later determined an unauthorized party had access to its environment beginning November 22, 2025. Patient files may have been viewed or acquired during the intrusion.
Easterseals Northeast Indiana confirms data theft
On November 10, 2025, Easterseals Northeast Indiana confirmed that data had been exfiltrated. Exposed information included protected health information and Social Security numbers.
Easterseals Northeast Indiana detects suspicious activity
Easterseals Northeast Indiana identified suspicious activity on its network on September 4, 2025. A later investigation found patient data was stolen in an incident described as consistent with ransomware.
Cedar Point Health network intrusion begins
Cedar Point Health detected unauthorized access to its network around June 16, 2025. The incident exposed patient data, including health, financial, and identity information.
Asheville Eye Associates hit by DragonForce ransomware attack
In November 2024, Asheville Eye Associates suffered a ransomware attack and data breach. DragonForce later claimed it exfiltrated 540 GB of data before encrypting systems and leaked the data after no ransom was paid.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Asheville Eye Associates Settles Lawsuit Stemming from DragonForce Ransomware Attack
hipaajournal.com
Open sourceJanuary 2026 Healthcare Data Breach Report
hipaajournal.com
Open sourceCarolina Foot & Ankle Associates Notifies Patients About December 2025 Cyberattack
hipaajournal.com
Open sourceCedar Point Health; Wee Care Pediatrics; Easterseals NI Announce Data Breaches
hipaajournal.com
Open sourceQualDerm Partners Confirms Significant Data Breach
hipaajournal.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Data Breach and Ransomware Incident Roundup
Several healthcare-related organizations disclosed **separate data breach incidents** involving ransomware, unauthorized network access, and third-party compromise. CommonSpirit Health said patient data was exposed through a downstream vendor chain after **Pinnacle Holdings Ltd** suffered a ransomware attack, with attackers present in the network from November 11 to November 25, 2024, and exfiltrating files before the incident was later relayed through **NorthGauge Healthcare Advisors**. Meadowlark Hills and MedPeds also disclosed breaches tied to the **Beast ransomware** group, while Tieu Dental reported unauthorized access to its network in July 2025 that exposed patient information including Social Security numbers, medical and insurance data. These incidents led to regulatory notifications and offers of credit monitoring or identity theft protection for affected individuals. A separate legal development involved **Geisinger Health** and **Nuance Communications**, where a judge approved a **$5 million settlement** over claims tied to a former Nuance employee's theft of medical records affecting about 1.3 million patients. That matter differs from the ransomware and breach notifications because it concerns civil litigation over an earlier insider data theft rather than a newly disclosed intrusion. Overall, the reporting reflects ongoing exposure of protected health information across the healthcare sector through both direct attacks and third-party relationships, with delayed notification timelines and incomplete early visibility into the full scope of compromised data remaining recurring issues.
Apr 17, 2026
Delayed patient notifications following healthcare data breaches at providers and vendors
Multiple healthcare organizations and vendors reported **delayed patient notifications** after discovering unauthorized access to protected health information (PHI), in some cases more than a year after the underlying compromise. In Colorado, **Alpine Ear, Nose, and Throat (Alpine ENT)** notified **65,648** individuals that an attacker accessed and exfiltrated files containing PHI in an incident identified on **Nov. 19, 2024**; the **BianLian** ransomware group later claimed responsibility and posted the organization to its leak site. Exposed data was described as highly sensitive, including medical information and, for some individuals, **financial account data and payment card details** (including CVC/expiration) and **Social Security numbers**; Alpine ENT reported no confirmed identity theft at the time of notification and offered credit monitoring. Separately, **Bayada Home Health Care** disclosed exposure risk tied to a **third-party vendor (Doctor Alliance)** after Doctor Alliance reported unauthorized network access during **Oct.–Nov. 2025**, potentially affecting Home Health Certification and Plan of Care forms containing patient identifiers and clinical/insurance details (and **SSNs for a subset**). Bayada said it discontinued using Doctor Alliance and reported the matter to regulators. In another vendor-related incident, **TriZetto Provider Solutions (Cognizant)**—an insurance verification provider—suffered a cyberattack impacting PHI across multiple states; Oregon providers began notifying additional patients after the breach was reported as occurring in **Nov. 2024** but not discovered until **Oct. 2, 2025**, with no financial data reportedly compromised and no evidence of misuse so far; the incident has prompted **class-action lawsuits**, engagement of **Mandiant**, and law enforcement notification.
Mar 21, 2026
Healthcare Data Breaches and Patient Data Exposure Reports
Multiple organizations reported or were alleged to have suffered **data breaches involving sensitive personal and health information**. Telehealth provider **Call-On-Doc** was allegedly breached in early December, with a hacking-forum listing claiming exfiltration of **1,144,223 patient records** including contact details and highly sensitive visit metadata (e.g., *medical category/condition*, including STD-related entries), though the company had not publicly commented at the time of reporting. Separately, **Laurel Health Centers** (a Federally Qualified Health Center network in Northern Pennsylvania) reported **unauthorized access to its email environment** from July 11–25, 2025; emails and attachments may have been viewed or copied, potentially exposing a wide range of PHI/PII (including SSNs, insurance/Medicare data, diagnostic/treatment information, and some financial data). Laurel stated it took time to confirm the threat actor was fully removed, completed mailbox review by Dec. 30, 2025, and then began notifying affected individuals and offering credit monitoring. Outside healthcare delivery, the **Civil Service Employees Association (CSEA)** labor union reported a May intrusion (May 3–31) resulting in theft of data for **47,000+ members**, including names and **Social Security numbers**, and said it took systems offline, reset passwords, and implemented additional security controls; it reported no evidence of misuse but advised vigilance for identity theft. A separate HIPAA Journal item summarized academic research on **insider risk**—finding many students would hypothetically sell patient data for money—which is not tied to a specific breach incident but underscores the broader threat environment for healthcare data.
Mar 21, 2026