Healthcare Provider Email and Network Intrusions Expose Patient Data
General Physician, P.C. agreed to pay $2.5 million to settle consolidated class-action litigation tied to a 2024 email-environment compromise that exposed sensitive patient data. The organization detected suspicious activity on June 12, 2024, and a forensic investigation found an unauthorized party had accessed its email system from April 6 to June 12, 2024. Potentially exposed data included SSNs, financial account information, dates of birth, medical and treatment details, diagnoses, medical record numbers, and insurance information; the affected population was later updated to 167,387 individuals (after an initial placeholder report of 501 to HHS OCR). The settlement fund is intended to provide class benefits after fees/expenses, and the company did not admit wrongdoing.
Two additional California healthcare providers reported separate security incidents involving unauthorized access to systems containing patient information. Valley Radiology Consultants Medical Group identified a breach on September 15, 2025, engaged third-party incident response support, confirmed unauthorized access to its network and files, and began mailing notifications after completing file review on February 18, 2026; it also offered 12 months of credit monitoring and reported taking remediation steps (e.g., password changes and security enhancements). Nephrology Associates Medical Group separately began notifying patients about a cyberattack first identified on May 20, 2025 (details in the provided excerpt are truncated), indicating another healthcare-sector intrusion with patient data exposure risk.
Healthcare Privacy and Data Breach Class-Action Settlements
Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. **Kaiser Permanente** agreed to a **$46 million** settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including **Google, Microsoft Bing, Twitter/X, and Adobe**) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans **2017–2024**. Separately, two healthcare entities reached settlements following **network intrusions** that allegedly exposed protected health information and other sensitive identifiers. **Mystic Valley Elder Services** agreed to pay **$520,000** to settle claims stemming from an **April 2024** incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting **~89,600** people; plaintiffs also alleged delayed detection and notification. **Consulting Radiologists Ltd.** received approval for a **$2.2 million** settlement after a 2024 intrusion affecting up to **583,824** individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Healthcare Data Breach Disclosures and Legal Fallout
French healthcare software provider **Cegedim Santé** confirmed a major breach affecting its *MonLogicielMedical (MLM)* product after unusual activity was detected in late 2025. The incident exposed administrative data tied to roughly **1,500 doctors** (out of ~3,800 users) and patient data at large scale—reported as **15.8 million records**, including **165,000 files** that may contain doctors’ notes; while structured medical records were reported as intact, some administrative comments may include sensitive clinical notes and highly sensitive details (e.g., HIV/AIDS status or sexual orientation). Cegedim Santé reported notifying French authorities including **CNIL** and filing a complaint. In the US, **Cornerstone Specialty Hospitals** agreed to a **$2.35M** class-action settlement tied to a **December 2023** network intrusion that ultimately affected **484,957 individuals**, with potentially exposed data spanning identifiers (including SSNs and government IDs), financial data, credentials, and health/insurance information; the suit also alleged delayed notification (letters mailed around July 2024). Separately, **PIH Health** began notifying patients about a **December 2024 ransomware attack** that disrupted multiple hospitals and services; investigators concluded the attacker had network access from **Nov 14–Dec 23, 2024**, and after a prolonged review PIH Health confirmed in **Dec 2025** that patient information was present in files on compromised systems and may have been accessed or acquired, with notification letters prepared by **Feb 25, 2026** amid claims of large-scale data theft and some data leakage online.