Healthcare Data Breach Disclosures and Legal Fallout
French healthcare software provider Cegedim Santé confirmed a major breach affecting its MonLogicielMedical (MLM) product after unusual activity was detected in late 2025. The incident exposed administrative data tied to roughly 1,500 doctors (out of ~3,800 users) and patient data at large scale—reported as 15.8 million records, including 165,000 files that may contain doctors’ notes; while structured medical records were reported as intact, some administrative comments may include sensitive clinical notes and highly sensitive details (e.g., HIV/AIDS status or sexual orientation). Cegedim Santé reported notifying French authorities including CNIL and filing a complaint.
In the US, Cornerstone Specialty Hospitals agreed to a $2.35M class-action settlement tied to a December 2023 network intrusion that ultimately affected 484,957 individuals, with potentially exposed data spanning identifiers (including SSNs and government IDs), financial data, credentials, and health/insurance information; the suit also alleged delayed notification (letters mailed around July 2024). Separately, PIH Health began notifying patients about a December 2024 ransomware attack that disrupted multiple hospitals and services; investigators concluded the attacker had network access from Nov 14–Dec 23, 2024, and after a prolonged review PIH Health confirmed in Dec 2025 that patient information was present in files on compromised systems and may have been accessed or acquired, with notification letters prepared by Feb 25, 2026 amid claims of large-scale data theft and some data leakage online.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Cornerstone agrees to $2.35 million breach settlement
Cornerstone Healthcare Group Management Services agreed to a $2.35 million settlement to resolve class action litigation over the December 2023 cyberattack and data breach. The settlement provides funds for legal fees, reimbursement of losses, credit monitoring for some class members, and pro rata cash payments.
PIH Health begins notifying patients about 2024 breach
In early 2026, PIH Health began notifying patients that personal and medical information was exposed in the 2024 ransomware attack. The provider said exposed data varied by individual and included PII and PHI, and it offered credit monitoring and identity theft protection.
Cegedim Santé notifies CNIL and files complaint
Following discovery of the breach, Cegedim Santé notified French authorities including the CNIL and filed a complaint. Reports said some exposed data may have included highly sensitive personal details and doctors' notes.
Cegedim Santé detects unusual activity and confirms data exfiltration
Cegedim Santé detected unusual activity in late 2025 and confirmed a major cyberattack affecting its MonLogicielMedical product. The breach involved exfiltration of administrative and patient data tied to roughly 1,500 doctors and 15.8 million records.
PIH Health unauthorized access period ends
PIH Health said its investigation found the threat actor's access to compromised systems lasted until December 23, 2024. Later review determined patient information was present in affected files and may have been accessed or acquired.
PIH Health detects ransomware attack and service disruption
PIH Health detected a ransomware attack on December 1, 2024, which disrupted multiple hospitals and care services. Attackers later claimed to have exfiltrated about 2 TB of data and 17 million patient records and issued a ransom demand.
PIH Health attackers gain access to network
A forensic investigation later determined that the threat actor had access to PIH Health's network beginning on November 14, 2024. This marked the start of the ransomware-related compromise affecting the California healthcare provider.
Cornerstone mails breach notifications to affected individuals
Cornerstone mailed notices to affected individuals around July 1, 2024 regarding the December 2023 cyberattack and data breach. The later lawsuit alleged the company delayed notification.
Cornerstone network allegedly accessed in cyberattack
Cornerstone Specialty Hospitals' network was allegedly accessed by a threat actor around December 19, 2023, beginning the incident that later led to a data breach lawsuit. The attacker potentially accessed and copied patient and personal information.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
teiss - News - PIH Health begins notifying patients after 2024 ransomware attack exposed sensitive data
teiss.co.uk
Open sourceFrench healthcare software provider Cegedim Santé suffers major data breach | brief | SC Media
scworld.com
Open source$2.35 Million Settlement Agreed to Resolve Cornerstone Specialty Hospitals Data Breach Lawsuit
hipaajournal.com
Open sourcePIH Health Notifies Patients About 2024 Hacking Incident
hipaajournal.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Data Breaches and Patient Record Exposure at Providers and Vendors
Multiple healthcare entities reported **unauthorized access and patient data exposure**, with incidents spanning direct provider compromises and third-party vendor breaches. **Insight Hospital and Medical Center (Chicago)** disclosed suspicious activity in its IT environment, with investigators confirming **unauthorized network access from Aug 22 to Sep 11, 2025**; the organization said the review is ongoing but potentially impacted data includes **names, DOB, SSNs, passport numbers, financial account data, treatment information, and insurance details**. Two extortion groups publicly claimed responsibility: **LockBit** alleged theft of ~`200 GB` and **Termite** claimed `360 GB`, stating it leaked data in late February 2026. In France, attackers stole about **15.8 million administrative files** after breaching health-ministry software supplier **Cegedim Santé**, impacting its *MonLogicielMedical (MLM)* product used by thousands of doctors; the stolen data reportedly included **identity and contact details**, and in a smaller subset (~**165,000** files) **free-text doctors’ notes** that in limited cases contained sensitive medical-history details. Separately, **OCAT, LLC d/b/a Evoke Wellness at Hilliard** updated a breach notification describing **unauthorized network activity** and potential access to patient information; reporting also tied the matter to an **insider misuse** investigation in which a former employee allegedly accessed and sold patient data, though public filings contained **inconsistent timelines** about when the underlying incident occurred and when it was discovered.
Mar 25, 2026
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026
Delayed patient notifications following healthcare data breaches at providers and vendors
Multiple healthcare organizations and vendors reported **delayed patient notifications** after discovering unauthorized access to protected health information (PHI), in some cases more than a year after the underlying compromise. In Colorado, **Alpine Ear, Nose, and Throat (Alpine ENT)** notified **65,648** individuals that an attacker accessed and exfiltrated files containing PHI in an incident identified on **Nov. 19, 2024**; the **BianLian** ransomware group later claimed responsibility and posted the organization to its leak site. Exposed data was described as highly sensitive, including medical information and, for some individuals, **financial account data and payment card details** (including CVC/expiration) and **Social Security numbers**; Alpine ENT reported no confirmed identity theft at the time of notification and offered credit monitoring. Separately, **Bayada Home Health Care** disclosed exposure risk tied to a **third-party vendor (Doctor Alliance)** after Doctor Alliance reported unauthorized network access during **Oct.–Nov. 2025**, potentially affecting Home Health Certification and Plan of Care forms containing patient identifiers and clinical/insurance details (and **SSNs for a subset**). Bayada said it discontinued using Doctor Alliance and reported the matter to regulators. In another vendor-related incident, **TriZetto Provider Solutions (Cognizant)**—an insurance verification provider—suffered a cyberattack impacting PHI across multiple states; Oregon providers began notifying additional patients after the breach was reported as occurring in **Nov. 2024** but not discovered until **Oct. 2, 2025**, with no financial data reportedly compromised and no evidence of misuse so far; the incident has prompted **class-action lawsuits**, engagement of **Mandiant**, and law enforcement notification.
Mar 21, 2026