The Change Healthcare data breach affecting more than 190 million patients, stands as the largest single breach ever affecting patients. Threat actors known as BlackCat (aka AlphV) had reportedly used a set of stolen credentials to remotely access the company’s systems that weren’t protected by multifactor authentication. Confronted with a massive breach, UnitedHealth decided to…
Category: HIPAA
Highlands Oncology Group notifies 113,575 people after ransomware attack by Medusa
On August 1, Highlands Oncology Group in Arkansas notified the Maine Attorney General’s Office of a ransomware attack it discovered on June 2, when certain files and systems were inaccessible. Investigation into the incident revealed that there had been unauthorized access at times between January 21, 2025, and June 2, 2025. On June 19, the…
Two Data Breaches in Three Years: McKenzie Health
SuspectFile reports: Between 2022 and 2025, McKenzie Health System, which operates the McKenzie Memorial Hospital in rural Michigan, was hit by two major data breaches. Combined, the attacks compromised the personal and medical information of more than 79,000 patients. Although the incidents are technically distinct, they reveal a troubling pattern of systemic vulnerabilities and raise critical questions about the resilience of smaller…
HHS OCR Settles HIPAA Ransomware Investigation with Syracuse ASC for $250k plus corrective action plan
Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Syracuse ASC, LLC doing business as Specialty Surgery Center of Central New York, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules. Syracuse ASC is a…
Two more entities have folded after ransomware attacks
It is still fairly rare for a ransomware victim to totally shutter its doors permanently as a result of an incident, but a relatively small breach in Georgia was reportedly fatal for Ascension Health Services LLC DBA Alpha Wellness and Alpha Medical Centre. A notice on its website dated April 4, 2025 reads: We are…
Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
Premier Health Partners (“PHP”) in Ohio issued a press release this week and uploaded a substitute notice to its website. Why they first concluded an investigation into a breach they discovered on July 12, 2023 requires more explanation than they provide. Premier Health Partners (“Premier Health”) is providing notice of a cyber incident that may…