Healthcare Data Breaches and Patient Record Exposure at Providers and Vendors
Multiple healthcare entities reported unauthorized access and patient data exposure, with incidents spanning direct provider compromises and third-party vendor breaches. Insight Hospital and Medical Center (Chicago) disclosed suspicious activity in its IT environment, with investigators confirming unauthorized network access from Aug 22 to Sep 11, 2025; the organization said the review is ongoing but potentially impacted data includes names, DOB, SSNs, passport numbers, financial account data, treatment information, and insurance details. Two extortion groups publicly claimed responsibility: LockBit alleged theft of ~200 GB and Termite claimed 360 GB, stating it leaked data in late February 2026.
In France, attackers stole about 15.8 million administrative files after breaching health-ministry software supplier Cegedim Santé, impacting its MonLogicielMedical (MLM) product used by thousands of doctors; the stolen data reportedly included identity and contact details, and in a smaller subset (~165,000 files) free-text doctors’ notes that in limited cases contained sensitive medical-history details. Separately, OCAT, LLC d/b/a Evoke Wellness at Hilliard updated a breach notification describing unauthorized network activity and potential access to patient information; reporting also tied the matter to an insider misuse investigation in which a former employee allegedly accessed and sold patient data, though public filings contained inconsistent timelines about when the underlying incident occurred and when it was discovered.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Insight attack publicly claimed by LockBit5 and Termite
By the time of Insight Hospital's disclosure, the LockBit5 and Termite extortion groups had each claimed responsibility for the attack and alleged that large volumes of stolen data had been leaked on their sites.
Evoke breach notification filed with Maine AG
External counsel for Evoke Wellness at Hilliard submitted a breach notification to the Maine Attorney General on February 27, 2026, describing unauthorized network activity and possible access to patient data. The filing reportedly listed 261 affected individuals, adding to inconsistencies in the case record.
Deaconess discloses MediCopy vendor data breach
Deaconess Health System disclosed that an unauthorized actor accessed MediCopy's cloud-based file-sharing software on January 13, 2026 and downloaded files tied to release-of-information requests. Deaconess said the incident, reported to it on February 2, affected patients of Deaconess Henderson Hospital and Deaconess Union County Hospital, while its own IT and EHR systems were not accessed.
Cegedim Santé breach confirmed after theft of 15.8M records
A breach affecting Cegedim Santé, a software supplier to France's health ministry, was confirmed in late 2025. Attackers stole about 15.8 million patient administrative files, including roughly 165,000 records containing doctors' free-text notes with limited sensitive medical details.
Insight Hospital identifies data security incident
Insight Hospital and Medical Center disclosed that it identified the security incident in September 2025 after the period of unauthorized access. Its review of affected individuals and data types remained ongoing at the time of reporting.
Insight Hospital network accessed by unauthorized actor
Insight Hospital and Medical Center said unauthorized access to its network occurred between August 22 and September 11, 2025. The organization later began assessing what information and how many individuals were affected.
FTC finalizes separate settlement with Evoke
DataBreaches.net noted that the FTC finalized a settlement with Evoke in July 2025 over advertising-related allegations. The settlement was described as unrelated to the breach matter.
Evoke says it learned of issue from law enforcement
Evoke Wellness at Hilliard's amended patient notice stated the organization was informed by law enforcement of the issue on May 20, 2025, contradicting other accounts that suggested internal discovery later in the year.
Unauthorized activity allegedly begins at Evoke Wellness at Hilliard
Notification materials cited by DataBreaches.net state an incident at OCAT, LLC dba Evoke Wellness at Hilliard occurred on July 7, 2024, though the reporting notes conflicting timelines and uncertainty around the breach chronology.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Deaconess Health System Affected by Vendor Data Breach
hipaajournal.com
Open sourceInsight Hospital and Medical Center Announces Cyberattack & Data Breach
hipaajournal.com
Open source15.8M medical records stolen from French health ministry • The Register
go.theregister.com
Open sourceEvoke Wellness at Hilliard updates its breach notification - DataBreaches.Net
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Data Breaches and Patient Data Exposure Reports
Multiple organizations reported or were alleged to have suffered **data breaches involving sensitive personal and health information**. Telehealth provider **Call-On-Doc** was allegedly breached in early December, with a hacking-forum listing claiming exfiltration of **1,144,223 patient records** including contact details and highly sensitive visit metadata (e.g., *medical category/condition*, including STD-related entries), though the company had not publicly commented at the time of reporting. Separately, **Laurel Health Centers** (a Federally Qualified Health Center network in Northern Pennsylvania) reported **unauthorized access to its email environment** from July 11–25, 2025; emails and attachments may have been viewed or copied, potentially exposing a wide range of PHI/PII (including SSNs, insurance/Medicare data, diagnostic/treatment information, and some financial data). Laurel stated it took time to confirm the threat actor was fully removed, completed mailbox review by Dec. 30, 2025, and then began notifying affected individuals and offering credit monitoring. Outside healthcare delivery, the **Civil Service Employees Association (CSEA)** labor union reported a May intrusion (May 3–31) resulting in theft of data for **47,000+ members**, including names and **Social Security numbers**, and said it took systems offline, reset passwords, and implemented additional security controls; it reported no evidence of misuse but advised vigilance for identity theft. A separate HIPAA Journal item summarized academic research on **insider risk**—finding many students would hypothetically sell patient data for money—which is not tied to a specific breach incident but underscores the broader threat environment for healthcare data.
Mar 21, 2026
Healthcare Data Breach Disclosures and Legal Fallout
French healthcare software provider **Cegedim Santé** confirmed a major breach affecting its *MonLogicielMedical (MLM)* product after unusual activity was detected in late 2025. The incident exposed administrative data tied to roughly **1,500 doctors** (out of ~3,800 users) and patient data at large scale—reported as **15.8 million records**, including **165,000 files** that may contain doctors’ notes; while structured medical records were reported as intact, some administrative comments may include sensitive clinical notes and highly sensitive details (e.g., HIV/AIDS status or sexual orientation). Cegedim Santé reported notifying French authorities including **CNIL** and filing a complaint. In the US, **Cornerstone Specialty Hospitals** agreed to a **$2.35M** class-action settlement tied to a **December 2023** network intrusion that ultimately affected **484,957 individuals**, with potentially exposed data spanning identifiers (including SSNs and government IDs), financial data, credentials, and health/insurance information; the suit also alleged delayed notification (letters mailed around July 2024). Separately, **PIH Health** began notifying patients about a **December 2024 ransomware attack** that disrupted multiple hospitals and services; investigators concluded the attacker had network access from **Nov 14–Dec 23, 2024**, and after a prolonged review PIH Health confirmed in **Dec 2025** that patient information was present in files on compromised systems and may have been accessed or acquired, with notification letters prepared by **Feb 25, 2026** amid claims of large-scale data theft and some data leakage online.
Mar 21, 2026
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026