Healthcare Data Breach Disclosures and Litigation Affecting Hundreds of Thousands of Patients
Bell Ambulance reported that a February 2025 network intrusion led to the compromise of protected health information for 237,830 individuals, after unauthorized activity was detected on Feb. 13, 2025. The organization said the exposed data can include names, dates of birth, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information; it offered 12–24 months of credit monitoring/identity protection and stated it was not aware of misuse at the time of notification. The incident response included third-party forensic support, and notifications were issued in phases as the data review progressed, with additional letters sent into March 2026.
Separately, Cornerstone Specialty Hospitals agreed to pay $2.35 million to settle a class action lawsuit tied to a data breach that reportedly affected nearly 500,000 individuals. The available reporting focuses on the settlement amount and impacted population size, indicating ongoing legal and financial consequences for large-scale healthcare data exposure even when technical details of the underlying intrusion are not publicly described in the same source.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
Cornerstone Specialty Hospitals agrees $2.35M breach settlement
Cornerstone Specialty Hospitals agreed to pay $2.35 million to settle a class action lawsuit tied to a data breach affecting nearly 500,000 individuals. The provided reference does not include further technical details about the underlying incident.
Bell Ambulance notifies consumers reported to Maine AG
Bell Ambulance reported to the Maine Attorney General that written notice to affected consumers was sent on March 9, 2026. The filing said 237,830 people were affected, including 30 Maine residents.
Bell Ambulance completes internal review
Bell Ambulance completed its internal review of the incident on February 20, 2026. The review concluded that 237,830 individuals were affected and clarified the categories of compromised data.
Second Bell Ambulance notification wave issued
Bell Ambulance sent another wave of notifications on January 15, 2026 after identifying more affected individuals. The company continued offering 12 months of free credit monitoring and identity protection.
Bell Ambulance breach discovered in later review
A Maine Attorney General filing states the Bell Ambulance breach was discovered on December 23, 2025. This appears to reflect a later determination or reporting milestone tied to the broader incident review.
Additional Bell Ambulance victims identified in later review
Bell Ambulance identified additional affected individuals through the fall of 2025, expanding the scope of the breach. This led to later notification waves beyond the initial April 2025 notices.
Alexes Hazen practice suffers unauthorized system access
An unauthorized party accessed systems at Alexes Hazen, MD, PLLC between June and July 2025 and may have exfiltrated limited patient data. The practice later reported the incident to HHS OCR with a placeholder count of 500 affected individuals while its review continued.
Northwest Medical Homes identifies cybersecurity incident
Northwest Medical Homes in Oregon identified a cybersecurity incident on May 13, 2025 that may have exposed protected health information. The organization notified law enforcement, but the total number of affected individuals was not yet public.
First Bell Ambulance victim notifications begin
Bell Ambulance began notifying affected individuals in the first wave on April 18, 2025. The company also offered credit monitoring and identity protection services to impacted people.
Bell Ambulance publicly discloses cyberattack
Bell Ambulance publicly disclosed the breach on April 14, 2025, after the Medusa ransomware group claimed responsibility for the attack. Reports said Medusa alleged it stole about 219 GB of data and demanded $400,000.
Bell Ambulance detects unauthorized network activity
Bell Ambulance detected unauthorized activity on its network on February 13, 2025 and began investigating the incident with forensic specialists. The company later determined data had been compromised.
Bell Ambulance network intrusion begins
Attackers gained unauthorized access to Bell Ambulance systems during a breach window later reported as running from February 7 to February 14, 2025. Sensitive personal, financial, and health information was exposed during the incident.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Bell Ambulance breach impacts over 237K | brief | SC Media
scworld.com
Open sourceBell Ambulance data breach impacted over 238,000 people
securityaffairs.com
Open sourceBell Ambulance data breach impacted over 238,000 people - DataBreaches.Net
databreaches.net
Open source235,000 affected by cyberattack on largest ambulance provider in Wisconsin | The Record from Recorded Future News
therecord.media
Open sourceFebruary 2025 Cyberattack Affected More Than 230K Bell Ambulance Patients
hipaajournal.com
Open sourceteiss - News - Cornerstone Specialty Hospitals pays $2.35m to settle data breach class action lawsuit
teiss.co.uk
Open sourceOffice of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches
maine.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Data Breach Disclosures and Legal Fallout
French healthcare software provider **Cegedim Santé** confirmed a major breach affecting its *MonLogicielMedical (MLM)* product after unusual activity was detected in late 2025. The incident exposed administrative data tied to roughly **1,500 doctors** (out of ~3,800 users) and patient data at large scale—reported as **15.8 million records**, including **165,000 files** that may contain doctors’ notes; while structured medical records were reported as intact, some administrative comments may include sensitive clinical notes and highly sensitive details (e.g., HIV/AIDS status or sexual orientation). Cegedim Santé reported notifying French authorities including **CNIL** and filing a complaint. In the US, **Cornerstone Specialty Hospitals** agreed to a **$2.35M** class-action settlement tied to a **December 2023** network intrusion that ultimately affected **484,957 individuals**, with potentially exposed data spanning identifiers (including SSNs and government IDs), financial data, credentials, and health/insurance information; the suit also alleged delayed notification (letters mailed around July 2024). Separately, **PIH Health** began notifying patients about a **December 2024 ransomware attack** that disrupted multiple hospitals and services; investigators concluded the attacker had network access from **Nov 14–Dec 23, 2024**, and after a prolonged review PIH Health confirmed in **Dec 2025** that patient information was present in files on compromised systems and may have been accessed or acquired, with notification letters prepared by **Feb 25, 2026** amid claims of large-scale data theft and some data leakage online.
Mar 21, 2026
Healthcare Provider Email and Network Intrusions Expose Patient Data
**General Physician, P.C.** agreed to pay **$2.5 million** to settle consolidated class-action litigation tied to a **2024 email-environment compromise** that exposed sensitive patient data. The organization detected suspicious activity on **June 12, 2024**, and a forensic investigation found an unauthorized party had accessed its email system from **April 6 to June 12, 2024**. Potentially exposed data included **SSNs, financial account information, dates of birth, medical and treatment details, diagnoses, medical record numbers, and insurance information**; the affected population was later updated to **167,387 individuals** (after an initial placeholder report of 501 to HHS OCR). The settlement fund is intended to provide class benefits after fees/expenses, and the company did not admit wrongdoing. Two additional California healthcare providers reported separate security incidents involving unauthorized access to systems containing patient information. **Valley Radiology Consultants Medical Group** identified a breach on **September 15, 2025**, engaged third-party incident response support, confirmed unauthorized access to its network and files, and began mailing notifications after completing file review on **February 18, 2026**; it also offered **12 months of credit monitoring** and reported taking remediation steps (e.g., password changes and security enhancements). **Nephrology Associates Medical Group** separately began notifying patients about a cyberattack first identified on **May 20, 2025** (details in the provided excerpt are truncated), indicating another healthcare-sector intrusion with patient data exposure risk.
Mar 21, 2026
Healthcare Data Breach Notifications and Settlement Involving Patient Information Exposure
Multiple healthcare-related organizations disclosed **separate** incidents involving exposure or theft of patient data. Delta Medical Systems reported unauthorized access to its email environment on July 15, 2025, with potentially exposed data including names, dates of birth, Social Security numbers, driver’s license information, bank details, insurance information, and medical information. A separate HIPAA Journal report described additional incidents at Cedar Valley Services, Community Nurse, and Health Dimensions Group, including a likely **Qilin ransomware** intrusion at Cedar Valley Services and a vendor-linked compromise affecting Community Nurse through *Doctor Alliance*, where files may have been accessed between October 31 and November 17, 2025. In a different but related healthcare privacy matter, a judge approved a **$5 million settlement** in litigation against Geisinger Health and *Nuance Communications* over the theft of medical records affecting roughly **1.3 million patients** by a former Nuance employee. The stolen records reportedly included names, birthdates, addresses, medical record numbers, treatment details, and insurance information. While all three reports concern healthcare data exposure, they describe **distinct incidents** rather than one unified breach event, spanning direct compromises, third-party/vendor exposure, suspected ransomware activity, and post-incident legal resolution.
Mar 21, 2026