Joseph Topping reports: Heywood Hospital and Athol Hospital said a network outage this week was caused by a cybersecurity incident. The hospitals said they took affected systems offline and engaged a third-party cybersecurity firm. The facilities—Heywood Hospital in Gardner, Massachusetts, and Athol Hospital in Athol, Massachusetts—remain open and caring for patients; earlier in the week...

Source

Nicole Aljet reports an update on a data breach that had been disclosed by Regal Medical Group in February 2023. Current and former patients who received a notice in early 2023 stating a data breach involving Heritage Provider Network or its affiliates may have exposed their personal or medical information could qualify to claim a cash payment...

Source

Lauren Giella reports: Oklahoma health system Integris Health reached a $30 million settlement in a data breach class action lawsuit that impacted over two million people over two years ago. This agreement settles a class action lawsuit filed in the U.S. District Court for the Western District of Oklahoma that accuses Integris of negligence after...

Source

Harvey Cashore, Eva Uguen-Csenge,  and Mark Kelley report: Kelowna nurse Ashley Stone sits down at her kitchen table, opens a bulky blue folder containing a paper trail of 10 years of multiple frauds committed in her name by imposters and gets right to the point. “It’s just been a nightmare.” She says she’s had to...

Source

On December 8, 2024, DataBreaches reported that Watsonville Community Hospital in California was continuing to respond to what they referred to as a cyberattack on November 29. No gang had claimed responsibility at that point, patients hadn’t been notified yet, and the hospital wasn’t stating whether the attack involved encryption of any files. Weeks later,...

Source

Theresa Defino reports: Covered entities (CEs) and business associates (BAs) might be forgiven if the most recent HHS Office for Civil Rights (OCR) HIPAA enforcement action evoked little more than a yawn. Yes, the $175,000 payment isn’t a particularly large amount, and the sole alleged violation is a retread. Actually, it’s the 10th in OCR’s...

Source

Over the years, DataBreaches has noted hospitals in APAC countries having data leaked or being hit with ransomware attacks, but I have not seen a lot of reviews. An article by Thai Khang in VietnamNet names mentions some of the bigger hospital breaches in Vietnam since 2024, and then continues: According to Thuy, in the...

Source

Scott Holland reports that a California state appeals court agreed with a hospital that it should not be held liable for employee misbehavior if they had a clear policy in place but the employee knowingly violated it: A state appeals panel has agreed hospitals can’t be sued if one of their employees posts confidential patient...

Source

Here is today’s reminder of the insider threat and why it may be challenging, but it’s still necessary, to monitor and audit employee access to patient records to spot any inappropriate access. Harris Health is notifying more than 5,000 patients that an employee — who was fired and referred to law enforcement when their wrongdoing...

Source

The Times of Israel reports: The Assaf Harofeh Medical Center in the central city of Beer Yaakov was targeted by a cyberattack over Yom Kippur, according to a joint announcement from the hospital, the Health Ministry and the National Cyber Directorate. Authorities were investigating the possibility of a leak as a result of the attack....

Source

From our “No Need to Hack When It’s Leaking” files, a report involving Archer Health, an in-home healthcare provider. Website Planet recently reported a misconfigured bucket that was found by researcher Jeremiah Fowler.  The unencrypted and non-password-protected database reportedly contained approximately 145k files (totaling 23 GB). “In a limited sampling of the exposed files, I...

Source

In May 2024, DataBreaches logged an incident on our worksheets that involved the Columbia University Irving Medical Center in New York. The incident had been reported to HHS as affecting 29,629 patients whose name, medical record number, date of birth, provider name, and laboratory test result had been exposed between Sept. 11, 2023, and March...

Source

On June 12, 2025, Qilin added ApolloMD to their darkweb leak site with a date of June 6. They claimed to have 238 GB of files. ApolloMD, headquartered in Georgia, is a business associate to hospitals and health systems, providing them with services to enhance clinical operations and patient care, and to optimize financial performance....

Source

John Blacksmith reports: Verily, owned by Alphabet, is facing a lawsuit filed by an ex-employee who alleges the misuse of the personally identifiable health information of over 25,000 patients, and the failure of the company to submit HIPAA breach reports, as per the Health Insurance Portability and Accountability Act (HIPAA) requirement. Verily, previously known as...

Source

On January 23, 2025, the Bian Lian ransomware gang added the Medical Associates of Brevard (“MAB”) to its dark web leak site. At the time, they listed the types of data they claimed to have acquired, but did not provide any screenshots or proof of claims. Months later, BianLian went offline. What happened to any...

Source

Alexander Martin reports: Two suspected members of the Scattered Spider cybercrime collective have been arrested and charged in the United Kingdom following an investigation into the hack of Transport for London (TfL) last year. The National Crime Agency (NCA) announced on Thursday that Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall,...

Source

Survival Flight is an Arizona-headquartered firm that provides ground and air emergency medical transportation services. On August 12, they issued a substitute notice saying that on July 17, they had discovered a cybersecurity incident affecting its IT systems. In their substitute notice, which has not been updated as of this publication, they wrote: The investigation...

Source

Giles Bruce reports: Microsoft has seized 338 phishing websites associated with a cybercrime service that targeted at least 20 U.S. healthcare organizations. Using a court order granted by the U.S. District Court for the Southern District of New York, the tech giant’s Digital Crimes Unit disrupted RaccoonO365, which offers subscription-based phishing kits allowing novices to mimic official...

Source

Will Courtney reports: Days after an anonymous hacker group claimed they had leaked an additional 50,000 Anchorage Neighborhood Health Center patient records, an FBI spokesperson confirmed Monday they are aware of the claim. “The FBI Anchorage Field Office is aware of the alleged data breach affecting the Anchorage Neighborhood Health Center and takes allegations of this nature...

Source

Alexander Martin reports: Finnish prosecutors have charged a second individual — U.S. national Daniel Lee Newhard — with attempted extortion of the Vastaamo psychotherapy center. The Finnish Prosecution Service announced on Monday it had charged Newhard with aiding and abetting attempted aggravated extortion. It said the suspect, a 28-year-old, denies the offense. Officials did not...

Source