Connecticut Medicaid Portal Breach Affects 22,500 Hartford HealthCare Patients – The HIPAA Journal
The personal and protected health information of approximately 22,500 Hartford HealthCare patients has been exposed in a security incident. Data breaches have also been announced by the New York City cosmetic surgery practice of Ira L. Savetsky, MD, and the mobility and rehabilitation product provider ERMI, LLC.
Hartford HealthCare
The Connecticut Department of Social Services and Gainwell Technologies, a vendor that provides fiscal agent and account administration services for the Connecticut Medicaid program (HUSKY), have identified unauthorized access to certain payment accounts on the HUSKY provider portal website.
Suspicious activity was identified on March 25, 2026, and the forensic investigation confirmed unauthorized access to a small number of Hartford HealthCare’s payment accounts on the website. The accounts were accessed on March 4, 2026, using the compromised credentials of Hartford HealthCare employees. Immediate action was taken to prevent further unauthorized access, and, with the assistance of third-party cybersecurity experts, the incident was determined to have been contained and further unauthorized access blocked; however, the threat actor had downloaded files containing the data of approximately 22,500 individuals.
The review of those files revealed they contained information such as full names, ID numbers associated with Hartford HealthCare accounts or Medicaid claims, dates of medical services, information about services received and how they were billed, payment information including amounts paid, and information about applicable non-Medicaid health insurance, including policy and group number. Social Security numbers were not stored in the system, and were not obtained in the attack.
This appears to have been a financially motivated attack, and the primary purpose does not appear to have been patient data theft; however, patient information was compromised and, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. DSS and Gainwell Technologies began sending notification letters to the affected Hartford HealthCare patients on May 22, 2026.
Ira L. Savetsky, MD
The New York City cosmetic surgery practice of Ira L. Savetsky, MD, has experienced a breach of its email environment. The security incident was detected in January 2026, and the forensic investigation confirmed that a single employee’s email account had been accessed by an unauthorized third party. The first instance of unauthorized access occurred in November 2024, and access to the account remained possible until January 2026. Over that 14-month period, information in the account may have been viewed or copied. The account was reviewed and found to contain patient information such as scheduling information and correspondence related to patient care, along with first and last names, birth dates, telephone numbers, driver’s license numbers, medical records, health information, health insurance information, and photographs.
Notification letters started to be mailed to the affected individuals on May 21, 2026. Complimentary credit monitoring and identity theft protection services do not appear to have been offered. The incident has been reported to regulators, but it is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
ERMI LLC
ERMI LLC, an Atlanta, GA-based provider of mobility and rehabilitation products, has identified a cybersecurity incident that exposed sensitive data. Unauthorized access to certain employee email accounts was identified on or around August 14, 2025. The accounts were secured, and an investigation was launched to determine the nature and scope of the unauthorized activity.
The forensic investigation confirmed unauthorized access to a limited number of employee email accounts between February 15, 2025, and August 14, 2025. The review of the accounts was completed on or around April 17, 2026. Individual notification letters are being sent to the affected individuals, which detail the exact types of data exposed in the incident. As a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit score, and credit report services. The number of affected individuals has yet to be publicly disclosed.
Extortion Group Conducts Social Engineering Campaign Impersonating Victim’s IT Department – The HIPAA Journal
Silent Ransom Group, a data theft and extortion group that targets law firms, healthcare organizations, and insurance and finance companies, is conducting a social engineering campaign posing as IT support workers. Silent Ransom Group (aka Luna Moth, Chatty Spider, UNC3753) is a financially motivated threat group that, as the name suggests, quietly infiltrates networks, exfiltrates sensitive data, and demands payment to prevent the stolen data from being publicly leaked or sold. The group does not use ransomware to encrypt files.
Silent Ransom Group has demonstrated a penchant for attacking U.S. law firms, although it has conducted attacks on other sectors such as insurance, finance, and healthcare, where the leaking of sensitive data can cause significant reputational harm and regulatory scrutiny. Silent Ransom Group has conducted phishing campaigns in the past, using social engineering techniques to trick employees into installing remote access software.
One such campaign involved phishing emails notifying the recipient about a subscription for a service that was about to incur a charge. The recipient was told that in order to prevent that charge, they must call the telephone number provided in the email. The call would be answered, and the user would be tricked into downloading remote access software, which was used to gain persistent access to the user’s systems. Data would be identified and exfiltrated, and a ransom demand would then be issued.
The latest campaign has been running since at least Spring 2026, according to a recent Federal Bureau of Investigation (FBI) Cyber Alert. A Silent Ransom Group actor poses as an employee of the victim’s IT department, contacting the victim over the telephone. In some cases, email will be used, requesting the victim contact the threat actor by phone.
Over the telephone, the user will be directed to grant access to a remote desktop session under the guise of fixing an IT issue. Should that attempt fail, the threat actor will arrange to visit the victim’s location in person to fix the issue. On an in-person visit, the threat actor will insert a storage device into the victim’s computer. The victim is told that they need to image the device or create a backup file to address potential impacts from the phishing email.
Once access is gained to a device, either physically or via a remote session, privileges are escalated minimally, and data is quickly exfiltrated, either to internal file-sharing platforms such as Google Drive or Microsoft OneDrive, or using WinSCP or Rclone. For the in-person visits, data is copied onto an external hard drive or USB drive.
In addition to raising awareness of the scam with employees, it is important to verify the identity of any individual attempting to gain physical access to company spaces. The FBI has made several recommendations for improving defenses against Silent Ransom Group attacks in the alert, including strengthening authentication controls, informing employees about the scam, and strengthening physical security controls, including conducting checks of identification documentation before granting access to the facility.
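Detection logic for the exfiltration tooling named above, as an added example that is not from the FBI alert or The HIPAA Journal: it checks process-creation events for Rclone and WinSCP, including renamed copies and copies run from user-writable paths or a non-system drive. The field names follow Sysmon process-creation events; the sample events, the `classify` and `alerts` helpers, the path heuristics and the OriginalFileName values are assumptions.

```python
import ntpath

# Tools named in the article; OriginalFileName values are assumptions to verify locally.
TOOLS = {"rclone.exe": "Rclone", "winscp.exe": "WinSCP", "winscp.com": "WinSCP"}
RCLONE_XFER = {"copy", "copyto", "sync", "move", "moveto"}  # subcommands that move data
WINSCP_AUTO = ("/script", "/command")                       # unattended-session switches
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def classify(event):
    """Return (tool, reasons) for a process-creation event, or None if no match."""
    image = event["Image"].lower()
    base = ntpath.basename(image)
    # OriginalFileName is read from the PE version resource, so it survives a rename.
    tool = TOOLS.get(base) or TOOLS.get(event.get("OriginalFileName", "").lower())
    if tool is None:
        return None
    reasons = []
    if base not in TOOLS:
        reasons.append("renamed")
    # Assumption: C: is the system drive; other drive letters may be removable media.
    if not image.startswith("c:\\") or any(p in image for p in USER_WRITABLE):
        reasons.append("unusual-path")
    args = event["CommandLine"].lower().split()
    if tool == "Rclone" and RCLONE_XFER & set(args):
        reasons.append("transfer")
    if tool == "WinSCP" and any(a.startswith(WINSCP_AUTO) for a in args):
        reasons.append("scripted")
    return tool, reasons

# Constructed sample events (not taken from any real incident).
SAMPLE = [
    {"Image": r"C:\Users\jdoe\Downloads\helper.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"helper.exe copy \\fs01\clients remote:bk --config r.conf"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "OriginalFileName": "winscp.exe",
     "CommandLine": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"'},
    {"Image": r"E:\tools\WinSCP.com", "OriginalFileName": "winscp.com",
     "CommandLine": r"WinSCP.com /script=up.txt /log=w.log"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

def alerts(events):
    """Keep only matches that carry at least one suspicious trait."""
    return [h for h in map(classify, events) if h and h[1]]

if __name__ == "__main__":
    for tool, reasons in alerts(SAMPLE):
        print(tool, reasons)
```

An installed, interactively launched WinSCP matches the tool list but carries no suspicious trait, so `alerts` drops it; environments where neither tool is sanctioned can alert on any match from `classify` instead.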
The Oncology Institute Confirms Unauthorized Access to Systems Due to Vendor Breach – The HIPAA Journal
The Oncology Institute, a publicly traded provider of cancer care through more than 100 clinics in California, Oregon, Nevada, Arizona, and Florida, has recently confirmed that patient data was potentially accessed by an unauthorized third party as a result of a security incident at one of its vendors.
In a November 3, 2025, filing with the U.S. Securities and Exchange Commission (SEC), The Oncology Institute said that it determined on November 3, 2025, that a cybersecurity incident at one of its information technology software providers would potentially delay fee-for-service collections. At the time of the notice, The Oncology Institute said its vendor was unable to confirm whether patient data had been accessed in the attack, and that at the time of issuing the filing, it was unaware of any unauthorized access to patient data as a result of the incident, but the investigation into the incident was ongoing.
In an updated SEC filing, The Oncology Institute said further information has come to light indicating that certain Oncology Institute systems were subject to unauthorized access by a third party as a result of the incident, including systems containing patient data. Kroll, the third-party administrator for the vendor, had made that determination and notified The Oncology Institute on May 20, 2026.
The Oncology Institute said it is working with its vendor to provide complimentary credit monitoring and identity theft protection services to the affected individuals. At the time of issuing the SEC filing on May 20, 2026, The Oncology Institute said the cybersecurity incident had not had a material impact on the company’s operations, financial systems, or the quality of care provided to patients. The Oncology Institute has yet to publicly disclose the types of data potentially compromised in the incident.
The Oncology Institute provides cancer care to around 2 million patients. It is currently unclear how many of those patients have been affected by the incident. The Oncology Institute has not disclosed the name of the vendor that experienced the cybersecurity incident, although certain media outlets have suggested that the vendor was TriZetto Provider Solutions, which experienced a major data breach last year affecting many of its healthcare provider clients.