
Last Update: 06/03/2026 at 6:50 AM EST
Healthcare Data Breaches And PHI Exposure
Coverage from Security Today, ClassAction.org, and others
Articles: 136
Latest Article: 06/02
Active Days: 512
Executive Summary
Healthcare organizations continue to report breaches that expose patient identity data, Social Security numbers, and medical records, often after unauthorized network access, ransomware, or phishing. Notification, credit monitoring, and class action activity remain common follow-on responses.

Key Points
- Healthcare breach reports repeatedly involve protected health information, especially names, dates of birth, Social Security numbers, insurance details, and treatment records.
- Unauthorized access, ransomware, phishing, and social engineering are the most common intrusion paths across the material.
- Many incidents affect email systems, SharePoint, or other non-EHR repositories even when core electronic health record systems are said to be intact.
- Breach notifications are often followed by credit monitoring, identity theft protection, and guidance such as credit freezes.
- Class action investigations and settlements are a recurring downstream response, suggesting sustained litigation pressure after large PHI exposures.
- Several providers report delayed discovery or long investigation timelines, with incidents often disclosed months after initial access.
- The signal is coherent and fairly dense: the same operational privacy failure keeps recurring across different healthcare entities and states.
Featured Article
Nephrology Associates Medical Group reports data breach around May 20, 2025 in Southern California
Coverage Timeline: 512 Days
Additional Articles
⭐⭐⭐⭐⭐
Bridewell and US HHS data show over 2,200 US medical center breaches since 2023, with fewer affected individuals in 2025 amid HIPAA segmentation and faster detection.
ASC Ortho Management Company disclosed an email-environment data breach in 2025 that may have exposed personal and protected health information, with notifications mailed starting April 17, 2026 across Washington, D.C., Maryland, and Virginia.
Western Orthopaedics disclosed a 2025 ransomware data breach affecting Texas and Massachusetts patients after PEAR claimed data access on the dark web.
In April 2026, Exitium ransomware claims targeted Gastroenterology & Hepatology of CNY in Syracuse, potentially exposing HIPAA medical records for over 167,000 patients.
Federman & Sherwood is investigating an NYC Health + Hospitals data breach reported to U.S. HHS after unauthorized network server access impacted about 5,086 patients.
Two healthcare providers disclosed data breaches in 2025, exposing patient identifiers and health information, prompting breach notifications and identity protection measures.
Florida Physician Specialists disclosed an April 2026 investigation finding that late-2025 unauthorized access may have exposed identity, financial, and medical data for affected patients.
Texas received a breach filing on April 17, 2026, after ransomware group Payouts King claimed 435 GB of Eyemart Express data including PII and protected health information.
Goshen Medical Center and Survival Flight disclosed 2025 data breach incidents exposing patient information in North Carolina and Arkansas.
Federman & Sherwood investigates a Florida Physician Specialists network intrusion reported to the Maine Attorney General, alleging possible exposure of Social Security, financial, and medical data.
Schubert Jonckheer & Kolbe LLP investigated a Community Health Systems patient data breach disclosed around April 29, 2026 after access around February 28, 2026 in California.
Dental Group of Amarillo and Heart South Cardiovascular Group settled 2023–2024 patient data breach lawsuits with monetary funds and credit monitoring for affected patients in Texas and Alabama.
NYC Health + Hospitals disclosed a data breach reported to U.S. HHS on March 24, 2026, affecting about 1.8 million people in New York City.
In 2025, hospitals report email- and vendor-driven data breaches exposing protected health information across California, Louisiana, Connecticut, South Dakota, and Tennessee.
Radiology Associates of Richmond disclosed a 266,000-person breach after unauthorized acquisition of PHI and financial data around July 25, 2025, with notifications beginning May 21, 2026.
Community Bank disclosed a May 7 SEC filing after unauthorized employee use of an external AI tool exposed customer names, birth dates, and Social Security numbers.
Community Bank disclosed an AI-linked breach in a May 2026 SEC filing, exposing Social Security numbers and dates of birth for customers in Pennsylvania.
Rocky Mountain Associated Physicians reported on February 2, 2026 that unauthorized systems access may have exposed patient and financial data for 50,640 people in Salt Lake City.
Medtronic disclosed on April 24, 2026 an IT breach tied to ShinyHunters claims of stolen PII and internal data, with investigation and potential notifications under HIPAA and state breach laws.
Acadia Healthcare reported a social-engineering incident accessing email and SharePoint from March 21-25, 2026, with patient notifications starting May 22, 2026.
In February 2024, ALPHV/BlackCat ransomware disrupted Change Healthcare systems and exposed Social Security numbers and medical records for about 192.7 million people in the United States.
⭐⭐⭐
Radiology Associates of Richmond notified 266,000 patients after unauthorized access on or around July 25, 2025, exposing health and personal information.
Schubert Jonckheer & Kolbe LLP is investigating a Medtronic data breach after ShinyHunters claimed unauthorized access and Medtronic confirmed the incident in April 2026.
West Pharmaceutical Services disclosed a May 4 ransomware incident involving data theft and encrypted systems, with recovery ongoing and investigation led by Palo Alto Networks Unit 42.
Pediatric Products disclosed suspicious network activity in February 2026 and reported unauthorized access exposing customers' medical and personal data across multiple U.S. states.
Florida Physician Specialists reported a late-November 2025 data breach, with April 2026 mail notifications and class-action investigation efforts underway in Jacksonville, Florida.
ClassAction.org attorneys are assessing potential class action after Mid-South Pulmonary & Sleep Specialists detected suspicious activity in November 2025 and found exposure of Social Security and medical diagnosis data.
Tri-Cities Gastroenterology notified 67,115 individuals in April 2026 after a third-party data breach exposed Social Security numbers and medical record numbers.
ClassAction.org attorneys investigated whether a class action can be filed after Integrated Pain Associates disclosed an unauthorized systems access around February 24, 2026 in Texas.
Western Orthopaedics reported a 2025 unauthorized access incident that potentially exposed identity, financial, and health data, with legal teams seeking class action filings.
ClassAction.org attorneys are investigating a reported DentaQuest data breach after ShinyHunters claimed responsibility on May 23, 2026, and threatened release for May 27.
Longevity Health Plan reported a data breach affecting about 15,000 U.S. Medicare plan members after disclosure to HHS on March 4, 2026.
Aligned Orthopedic Partners reported an email system intrusion between Nov. 16 and Dec. 16, 2025, potentially exposing PII and protected health information.
Skin & Beauty Center Inc. and DermCare Management reported an unauthorized patient-data copy from Feb. 26, 2025, and mailed breach notices after a March 2, 2026 review in California.
Sandhills Medical Foundation disclosed on April 28, 2026 a ransomware breach that affected 169,017 patients after unauthorized access to company servers and potential exposure of personal health information.
Greater Boston Urology reported a protected health information breach affecting 4,717 people to the U.S. Department of Health and Human Services on Feb. 28, 2026.
Community Health Systems Inc. disclosed a suspected data breach in late February 2026 affecting potential PII and protected health information across California clinic locations.
Integrated Pain Associates notified patients on April 30, 2026 after investigation found possible unauthorized access to sensitive data around February 24, 2026 in Killeen, Texas.
Hematology Oncology Consultants reported a ransomware data breach targeting its Michigan network in 2025, exposing medical records and Social Security numbers, with notifications in 2026.
Belmont Aesthetic & Reconstructive Plastic Surgery disclosed a U.S. health-data breach impacting 528 individuals after an Insomnia ransomware dark-web claim on March 3, 2026.
Champion Healthcare disclosed a May 8, 2026 consumer notification after a late-January 2026 incident involving unauthorized access to internal systems.
FMRS Health Systems disclosed in 2026 an intrusion from January to February that potentially exposed PII and PHI, after Qilin claimed responsibility.
Lumio Dental disclosed a ransomware-linked breach to HHS on March 29, 2026, involving passport, driver license, and medical record extracts.
Vacation Myrtle Beach disclosed a ransomware-linked breach on June 16-19, 2025, potentially exposing Social Security numbers, financial data, and possible health records for about 10,750 people.
Medi-Rents & Sales Inc. disclosed an email data breach in early 2026 affecting 1,524 U.S. individuals, with potentially exposed insurance and limited health information.
Rochester Philharmonic Orchestra disclosed an Akira ransomware incident in late 2025 that may have exposed personal identifiers and protected health information for about 1,726 people.
Murphy Law Firm said a Florida Physician Specialists data breach exposed Social Security, financial, and health information, with cybercriminal risks and class-action legal outreach.
Brian Magadan filed a proposed nationwide class action in the Middle District of Louisiana against Grace Design Studios over alleged PII and PHI exposure after a Payouts King ransomware attack.
Sandhills Medical Foundation discovered a May 2, 2025 ransomware incident on May 8, 2025, potentially exposing personal and medical data of 169,017 patients.
Shamis & Gentile investigated a ransomware-linked breach at Tampa Bay Dental Implants & Periodontics in St. Petersburg, Florida, affecting 6,400 people via backed electronic medical records.
Tennessee officials investigated reports from consumers in Minnesota, New York, and Idaho of Medicare and private insurance charges for unreceived medical supplies traced to Memphis DME Supply.
Integrated Pain Associates reported a 2026 data breach in Killeen, Texas, exposing patient Social Security numbers and medical records and offering 12 months of credit monitoring.
Verber Dental Group notified patients and state regulators on May 7, 2026, after unauthorized access potentially exposed sensitive personal and protected health information in January.
Federman & Sherwood began investigating a Verber Dental Group PC network-server data breach reported June 2, 2026, affecting about 8,598 people in Pennsylvania.
Central Ozarks Medical Center disclosed a data breach in January 2026 in Missouri affecting personal identifiers and protected health information.
MMMBS disclosed a data breach on January 2, 2026 in Michigan exposing PII and PHI for over 28,000 individuals.
Select Medical began June 6, 2025 notifications after a July 2024 unauthorized third-party access to patient systems potentially exposed personal identifiers and protected health information.
CPAP Medical reported to the California Attorney General a breach discovered June 27, 2025, involving potential access to sensitive data between December 2024.
Radiology Associates of Richmond reported a healthcare data breach beginning around July 25, 2025, with PHI access discovered and investigated through April 6, 2026.
Schubert Jonckheer & Kolbe LLP described investigation of a DermCare Management patient data breach affecting 9,724 Texas residents after file exfiltration in February 2025.
Erie Family Health Centers confirmed unauthorized access between December 10, 2025 and January 27, 2026, potentially exposing health and identity data for about 570,000 people in Chicago.
Lumexa Imaging reported a vendor network incident on April 9, 2026, with unauthorized access between March 31 and April 9 potentially exposing patient records.
Radiology Associates of Richmond faced an alleged 2025 systems intrusion exposing patient PII and protected health information, with notifications mailed starting May 21, 2026, in Richmond, Virginia.
NCH Corporation disclosed an unauthorized access incident reported to the Maine Attorney General, potentially exposing Social Security numbers and health data between January and February 2026.
Federman & Sherwood is investigating the Pathfinder LL&D Insurance Group data breach after Texas Attorney General reporting, affecting about 7,382 residents.
Federman & Sherwood is investigating Nacogdoches Memorial Hospital after HHS OCR received a breach notification describing a hacking incident affecting about 2,507,073 people.
Verber Dental Group reported a Jan 27 data breach in Pennsylvania with potential access to medical and identity information, followed by a May 11 class action investigation.
Lumio Dental reported an HHS Breach Portal submission on March 29 for a ransomware-linked breach affecting 500 people in Jenks, Oklahoma.
McShane & Brady, LLC announced a Tennessee data breach involving unauthorized email access that exposed PII and protected health information for 3,171 individuals in December 2025.
CardioFit Medical Group discovered a patient-data email incident on February 17, 2026, and issued notifications around April 10, 2026.
Alta Orthopaedics reported a March 2026 discovery of unauthorized access to patient data affecting systems during February 3-6, 2026, with remediation and credit monitoring offered.
LifeSpring Home Care in Oklahoma reported a hacking or IT data breach affecting 7,509 people, listed in April 2026 on the HHS OCR portal.
Vital Imaging Diagnostic Centers reported a 2025 network intrusion in Miami involving unauthorized file removal that may have exposed medical and government identification data and issued notifications in 2026.
Edelson Lechtzin LLP is investigating potential class action privacy claims after New York Life confirmed April 8, 2026 that an agent email account compromise exposed clients' personal information.
Florida Physician Specialists disclosed a late-November 2025 network breach exposing sensitive identifiers and medical data, with Edelson Lechtzin LLP considering class-action litigation.
On April 24, 2026, Medtronic confirmed a corporate IT breach after ShinyHunters claimed terabytes of internal data exposure.
OCH Regional Medical Center filed an HHS Office for Civil Rights breach notice on March 11, 2025 and began notifying affected individuals after unauthorized access to sensitive consumer information.
Health data breaches at CPAP Medical Services, Health Services LLC, and East Adams Rural Healthcare affect patients in Florida, Maine, and Washington during 2024 and 2025.
Frederick Health Medical Group confirmed a ransomware breach affecting 934,326 patients in Maryland in 2025, triggering class action lawsuits alleging cybersecurity and breach-notice failures.
Healthcare providers in the United States reported 2024 to 2025 data breaches, with investigations finding unauthorized access to patient identifiers and medical information.
UChicago Medicine disclosed a July 2024 third-party vendor cybersecurity incident through Nationwide Recovery Services that may have exposed personal data of nearly 40,000 patients.
Altos disclosed on June 17 that an unauthorized party accessed an internet-exposed internal system containing personal and health data of patients in Southern California.
Goshen Medical Center detected a data breach on February 15, 2025 in the United States and notified affected individuals.
Maria Gomez filed a Nike class action in Oregon over an alleged January 21, 2026 ransomware breach and February 25, 2026 consumer notification delay.
Fort Wayne Medical Education Program data breach affects 29,485 individuals in Indiana; unauthorized access occurred December 12-17, 2024; notices mailed October 2, 2025.
Beverly Hills Oncology Medical Group reports a data breach in February 2025 affecting patients in California.
Attorneys sought individuals affected by a January 2025 Sierra Vista Hospital & Clinics breach in Truth or Consequences, New Mexico, to assess a possible class action.
BMC Health System identified unauthorized access to Workday-linked user accounts on March 9, 2025, and attorneys sought breach-notified individuals for a potential class action.
Stockton Cardiology disclosed a breach in California between December 2025 and February 2026, exposing patient identifiers and billing records and triggering class-action intake for affected individuals.
ClassAction.org attorneys evaluate a potential class action after Emanuel Medical Center reported a May 2025 breach affecting 28,963 people.
ClassAction.org attorneys investigated a potential class action after Bank3 reported unauthorized access from July 25 to August 7, 2025 that may have exposed identity, financial, and health data.
Secure Health Plans of Georgia confirmed a 2026 data breach in Georgia after alleged unauthorized access to medical and insurance files emerged by Feb 3-12, 2026.
Florida Physician Specialists notified potentially affected individuals starting April 24, 2026 after unauthorized access in late 2025 may have compromised SSNs, payment data, and medical records.
Community Bank disclosed a May 2026 data breach after unauthorized AI-based software use, exposing Social Security numbers and dates of birth.
On April 16, 2026, threat-actor claims linked to New York-based Empower Group led to attorney outreach for potential class action over alleged Social Security number exposure.
Attorneys investigating a Gastro Health phishing-driven data breach on February 25 and March 2, 2026 seek class action plaintiffs in the U.S.
Goshen Medical Center in Fayetteville disclosed a ransomware-driven data breach affecting 456,385 patients on March 4, 2025.
Legend Senior Living LLC disclosed a March 2026 data breach discovered after unauthorized access between July 2025 and August 2025, with April 10, 2026 notices to Texas and other state attorneys general.
Aligned Orthopedic Partners identified unusual activity in its email system on December 8, 2025, reporting potential exposure of personal and health information after unauthorized access in late 2025.
Claim Depot’s class action settlements database lists privacy-related breach, biometric, and health-data cases with instructions for claim submission across the 2020s.
U.S. consumers receive settlement and refund claim options through 2026 for Comcast Xfinity exposure, Google Assistant audio recordings, and Sprouts FACTA receipt printing.
Hackers breached Healthcare Interactive between July 8 and July 12, 2025, exposing customer personal and health data in the United States.
Healthcare breaches involving unsecured PHI trigger HIPAA notification duties to individuals and HHS, with ransomware, phishing, and cloud misconfiguration cited as common causes.
Richmond University Medical Center reported a healthcare data breach in New York involving accessed or removed files around May 6, 2023, with potential exposure of protected health information for 674,000 people.
IPPC reported an unauthorized network access in September 2025 that potentially exposed PHI and PII for over 133,000 customers across six states.
McShane & Brady, LLC is investigating a Doctor Alliance vendor breach that potentially exposed health records of 724 Duncan Regional Hospital patients in Oklahoma between Oct. 31 and Nov. 17, 2025.
DermCare Management notified of a healthcare data breach in 2025, exposing Social Security, financial, and medical records across Florida, Texas, Virginia, and California.
DermCare Management notified affected individuals in March 2026 after a February 2025 unauthorized access event potentially impacted patient information.
Springfield Hospital notified individuals starting February 10, 2026, after a December 17, 2025 employee email account compromise potentially exposed personal and health information.
The Oncology Institute disclosed a May 2026 Kroll notification about unauthorized access to patient-data systems tied to a third-party vendor breach.
DermCare Management found suspicious activity on February 26, 2025 and reported an intrusion between February 14 and February 26 that may have exposed patient PII and PHI.
Federman & Sherwood is investigating a Providence St. Joseph Orange healthcare data breach reported in 2026 after unauthorized network-server access exposed patient information to about 11,329 people.
Qilin claimed a mid-May 2026 ransomware attack on Spirit Medical Transport, potentially exposing protected health information for patients in Western Ohio and Eastern Indiana.
Southern California University of Health Sciences disclosed unauthorized access on or about March 24, 2026, with personal information exposed in accessed files.
Sterling Seacrest Pritchard notified people about possible unauthorized access to email-environment data between August 12 and 13, 2025, with notifications through April 2026.
⭐️⭐️
Hackers accessed CPAP Medical Supplies and Services systems in December 2024, exposing personal and health information for more than 90,000 individuals in the United States.
Columbia Medical Practice in Maryland reported a data breach on November 5, 2025 exposing personal and health information of approximately 3,000 patients.
Emanuel Medical Center in Georgia detected unauthorized third party access to sensitive information from May 21 to May 24, 2025, with breach notice posted February 17, 2026.
Beverly Hills Cancer Center reported unauthorized network access between February 7 and February 11, 2025 in California, potentially exposing personal data and protected health information.
LifeLong Medical Care in California reports a data breach involving sensitive PII and PHI, with notices issued on January 14, 2026.
Two New Jersey medical groups report a May 2025 PHI breach affecting patients in New Jersey and Ohio.
Medical Associates of Brevard in Melbourne, Florida, disclosed a January 2025 data breach affecting about 246,711 individuals.
Vida Y Salud-Health Systems in Texas disclosed a data breach on October 8, 2025, with unauthorized access on October 7-8.
MedRevenu announced in December 2024 a data breach potentially exposing patient data among clients in the healthcare sector.
Medical Associates of Brevard in Melbourne, Florida disclosed a cyberattack around July 7, 2025 exposing patient data.
Harmony Health Medical Clinic and Family Resource Center disclosed a data breach on December 12, 2025 affecting patients in northern California.
Consumers affected by Catalyst RCM data breach consider class action in November 2025.
A February 13, 2025 breach at Vital Imaging affected 260,000 patients in Florida, with investigators probing medical and demographic data exposure.
Attorneys with ClassAction.org seek affected patients for a potential class action over the Gaylord Specialty Healthcare data breach disclosed in 2024 in Wallingford, Connecticut.
Florida-based Doctors Imaging Group suffered a November 2024 data breach affecting patient information in Florida.
Delta Medical Systems detected a data breach on July 15, 2025 in Wisconsin and notified affected individuals by February 11, 2026.
Unauthorized access occurred December 13-21, 2024 on CPAP Medical Supplies and Services, Inc.'s Florida network, affecting 90,133 patients and clients.
ID Care discovered suspicious network activity on November 5, 2025, leading to unauthorized access to Social Security numbers and medical records and HHS notification.
Goshen Medical Center reports data breach on March 4, 2025 after unauthorized access to patient files in its network.
Arizona healthcare data breach affects about 73,281 patients between May 18 and May 22, 2025.