Healthcare Data Breach and Ransomware Incident Roundup
Several healthcare-related organizations disclosed separate data breach incidents involving ransomware, unauthorized network access, and third-party compromise. CommonSpirit Health said patient data was exposed through a downstream vendor chain after Pinnacle Holdings Ltd suffered a ransomware attack, with attackers present in the network from November 11 to November 25, 2024, and exfiltrating files before the incident was later relayed through NorthGauge Healthcare Advisors. Meadowlark Hills and MedPeds also disclosed breaches tied to the Beast ransomware group, while Tieu Dental reported unauthorized access to its network in July 2025 that exposed patient information including Social Security numbers, medical and insurance data. These incidents led to regulatory notifications and offers of credit monitoring or identity theft protection for affected individuals.
A separate legal development involved Geisinger Health and Nuance Communications, where a judge approved a $5 million settlement over claims tied to a former Nuance employee's theft of medical records affecting about 1.3 million patients. That matter differs from the ransomware and breach notifications because it concerns civil litigation over an earlier insider data theft rather than a newly disclosed intrusion. Overall, the reporting reflects ongoing exposure of protected health information across the healthcare sector through both direct attacks and third-party relationships, with delayed notification timelines and incomplete early visibility into the full scope of compromised data remaining recurring issues.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
17 events from the most recent confirmed update back to the earliest known activity.
Corewell Health discloses Pinnacle breach affected 19,000 patients
Corewell Health disclosed that the 2024 Pinnacle Holdings vendor breach affected about 19,000 of its patients after reviewing the exposure. The compromised data included personal and medical information such as names, contact details, Social Security numbers, medical information, and insurance details.
Beast ransomware group claims MedPeds attack
By 2026-03-17, the Beast ransomware group had claimed the MedPeds Associates of Sarasota breach and said it stole 400 GB of data. The allegedly stolen MedPeds data had not been published at the time of reporting.
Beast ransomware group claims Meadowlark Hills attack
By 2026-03-17, the Beast ransomware group had claimed an attack on Meadowlark Hills, alleging it stole 750 GB of data. Meadowlark Hills had reported unauthorized network access and data exfiltration between 2025-07-12 and 2025-07-21 affecting 14,442 individuals.
SafePay ransomware group claims Children's Council attack
By the time of public reporting, the SafePay ransomware group had claimed responsibility for the Children's Council of San Francisco breach. The claim followed the organization's investigation into the August 2025 intrusion.
Children's Council mails breach notifications and offers protection
On 2026-03-02, Children's Council of San Francisco mailed notification letters to affected individuals and offered complimentary credit monitoring and identity theft protection. The organization had also notified the FBI.
NorthGauge notifies CommonSpirit Health of vendor breach
On 2026-02-02, NorthGauge informed CommonSpirit Health that patient data had been affected through the Pinnacle ransomware incident. CommonSpirit then moved toward notifying impacted patients.
NorthGauge identifies affected individuals in Pinnacle breach
NorthGauge Healthcare Advisors confirmed the identities of individuals affected by the Pinnacle incident on 2026-01-30. The breach was later disclosed as affecting CommonSpirit Health patients, including 19,027 Washington residents.
Tieu Dental confirms what patient data was exposed
On 2026-01-11, Tieu Dental confirmed the categories of patient data affected by the 2025 intrusion. The company said it had not identified misuse of the data at the time of disclosure.
Tieu Dental begins notifying affected patients
Tieu Dental said it began notifying affected patients in 2025 following its July network intrusion. The company later offered credit monitoring and identity theft protection services.
Pinnacle notifies NorthGauge after exposed-data review
In November 2025, Pinnacle notified NorthGauge Healthcare Advisors after a third-party review of exposed data from the 2024 ransomware incident. This set in motion downstream notifications involving CommonSpirit Health.
MedPeds discovers ransomware and unauthorized access
MedPeds Associates of Sarasota discovered unauthorized access and ransomware-based file encryption on 2025-09-02. The breach affected 21,430 individuals and exposed sensitive personal and protected health information.
Children's Council detects network-disrupting incident
On 2025-08-03, Children's Council of San Francisco identified a network-disrupting incident that led to an investigation. The breach ultimately affected 12,655 individuals.
Children's Council of San Francisco network accessed
Children's Council of San Francisco later determined that an unknown hacker accessed its network on 2025-08-01 and acquired files containing names and Social Security numbers.
Tieu Dental network accessed by unauthorized third party
Tieu Dental Corporation said an unauthorized third party accessed its network between 2025-07-28 and 2025-07-29, exposing patient data including Social Security numbers, medical records, treatment plans, prescription information, and insurance data.
Legend Senior Living breach begins with unauthorized access
Legend Senior Living discovered unauthorized access on or around 2025-08-15, and forensic investigators determined attackers had access between 2025-07-27 and 2025-08-15. Files containing personal and protected health information may have been viewed or acquired, and Texas was later told 5,006 residents were affected.
Ransomware disrupts Pinnacle Holdings' network
Pinnacle Holdings Ltd suffered a ransomware attack that caused network disruption on 2024-11-25. The company was a vendor to NorthGauge Healthcare Advisors, a business associate of CommonSpirit Health.
Pinnacle vendor attackers gain access and exfiltrate data
In a downstream incident later affecting CommonSpirit Health patients, attackers had access to Pinnacle Holdings Ltd's network from 2024-11-11 to 2024-11-25 and exfiltrated files during that period.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Two Senior Care Providers Affected by Ransomware Attacks
hipaajournal.com
Open sourceThousands of Corewell Health patients affected by security breach - DataBreaches.Net
databreaches.net
Open sourceCommonSpirit Health Patients Affected by Vendor Data Breach
hipaajournal.com
Open sourceRansomware Group Claims Attacks on Meadowlark Hills Retirement Community & MedPeds
hipaajournal.com
Open sourceCalifornia Dental Care Provider Announces Data Breach
hipaajournal.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Data Breach Notifications and Settlement Involving Patient Information Exposure
Multiple healthcare-related organizations disclosed **separate** incidents involving exposure or theft of patient data. Delta Medical Systems reported unauthorized access to its email environment on July 15, 2025, with potentially exposed data including names, dates of birth, Social Security numbers, driver’s license information, bank details, insurance information, and medical information. A separate HIPAA Journal report described additional incidents at Cedar Valley Services, Community Nurse, and Health Dimensions Group, including a likely **Qilin ransomware** intrusion at Cedar Valley Services and a vendor-linked compromise affecting Community Nurse through *Doctor Alliance*, where files may have been accessed between October 31 and November 17, 2025. In a different but related healthcare privacy matter, a judge approved a **$5 million settlement** in litigation against Geisinger Health and *Nuance Communications* over the theft of medical records affecting roughly **1.3 million patients** by a former Nuance employee. The stolen records reportedly included names, birthdates, addresses, medical record numbers, treatment details, and insurance information. While all three reports concern healthcare data exposure, they describe **distinct incidents** rather than one unified breach event, spanning direct compromises, third-party/vendor exposure, suspected ransomware activity, and post-incident legal resolution.
Mar 21, 2026
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026
Multiple Healthcare Data Breaches and Regulatory Actions in the US
Several healthcare providers in the United States have recently disclosed significant data breaches resulting from cyberattacks, with patient and employee information being compromised. AllerVie Health, based in Texas, confirmed unauthorized access to its network, exposing sensitive data such as names, Social Security numbers, and insurance details, allegedly due to a ransomware attack by the Anubis group. The attackers claim to have stolen records of over 30,000 patients, and affected individuals have been offered credit monitoring and identity theft protection. In a separate incident, OrthopedicsNY, a healthcare provider in New York, suffered a breach in 2023 after attackers gained remote access using compromised credentials, leading to the exposure of data belonging to more than 650,000 patients and employees. The New York Attorney General secured a $500,000 penalty from OrthopedicsNY for failing to implement adequate security measures, and the provider is now required to enhance its data protection practices. Additionally, Singing River Health System in Mississippi reported a cyber incident that led to the temporary shutdown of its patient portal and internet access as a precaution. While the threat was reportedly mitigated, the investigation is ongoing to determine if patient records were accessed. These incidents highlight the ongoing risks faced by healthcare organizations from ransomware groups and other cybercriminals, as well as the increasing regulatory scrutiny and financial penalties for failing to protect sensitive health information. Impacted organizations are responding with offers of credit monitoring and reviews of their security policies, but the breaches underscore the need for robust cybersecurity measures in the healthcare sector.
Mar 21, 2026