Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients

Blue Fish Pediatrics in Texas has announced a July 2025 cyberattack that affected more than 41,000 Texas patients. Data breaches have also been announced by Cherry Health in Michigan, Coastal Carolina Centers of Urology and Surgery in South Carolina, and Regence in Oregon.

Blue Fish Pediatrics, Texas

Blue Fish Pediatrics, a Houston, Texas-based network of pediatric medical practices, has notified the Texas Attorney General about a cybersecurity incident last year that exposed the personal and protected health information of its patients.

In a substitute breach notice on its website, Blue Fish Pediatrics explained that unauthorized access to its IT systems was identified on or around July 17, 2025. After securing its systems, an investigation was conducted to determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that a threat actor had access to a limited number of files between July 11, 2025, and July 17, 2025. Some of those files contained personally identifiable information and protected health information and may have been acquired in the incident.

The files have now been reviewed and found to contain full names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, medical record numbers, diagnosis/condition information, lab results, medications, claims information, and clinical/treatment information. Notification letters are now being mailed to the affected individuals, and complimentary credit monitoring has been made available to individuals whose Social Security numbers were exposed.

The total number of affected individuals has yet to be disclosed; however, the bulk of the affected individuals reside in Texas. The Texas Attorney General was informed that 41,485 Texas residents were affected.

Cherry Health, Michigan

Cherry Health, Michigan’s largest non-profit Federally Qualified Health Center serving six counties in the state, announced a breach of patients’ protected health information on June 18, 2026. Suspicious network activity was identified on or around April 19, 2026. The forensic investigation confirmed unauthorized access to its network and the copying of files containing patient information.

The file review is ongoing; however, information likely stolen in the incident includes names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID numbers, patient ID numbers, provider names, service dates, and, for a limited number of individuals, Social Security numbers. Cherry Health said it has not identified any misuse of the impacted data. Cherry Health is working on implementing additional safeguards to prevent similar incidents in the future. At present, it is unclear how many individuals have been affected.

Coastal Carolina Centers of Urology and Surgery, South Carolina

Coastal Carolina Centers of Urology and Surgery, LLC, doing business as Rivertown Surgery Center in Conway, South Carolina, has notified the HHS’ Office for Civil Rights about a network server hacking incident involving unauthorized access to the electronic protected health information of 2,886 individuals.

Only limited information has been made public about the breach, such as that it involved unauthorized access to names and health records; however, this appears to have been a ransomware attack by the Qilin ransomware group. Qilin added Coastal Carolina Centers of Urology and Surgery to its dark web data leak site on September 4, 2025, along with screenshots of files allegedly stolen in the attack. According to the notice sent to the Indiana Attorney General, the breach occurred on August 26, 2025, and notifications were mailed on or around May 22, 2026.

Regence, Oregon

Regence Blue Cross Blue Shield of Oregon has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 2,856 individuals. According to a notice on the Regence website, unauthorized actors registered and accessed some Regence digital member accounts between January 1, 2026, and April 15, 2026, and redeemed wellness rewards for gift cards. Information in the accounts may have been accessed.

The post Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients appeared first on The HIPAA Journal.

VA OIG Identifies Lack of Oversight of VA GenAI Chat Tools

A review of the use of generative artificial intelligence (GenAI) tools by Department of Veterans Affairs (VA) staff has identified potential patient safety risks from a lack of safeguards and oversight. The review was conducted by the VA Office of Inspector General (OIG) between October 2025 and January 2026 and found that more than 15,000 VA staff members were using general-purpose GenAI chat tools authorized for use by the Veterans Health Administration (VHA) – VA GPT and Microsoft 365 Copilot Chat.

The reviewers identified broad staff engagement with the AI chat tools. An analysis of an internal prompt-sharing application identified 135 prompts for the GenAI chat tools, 79 of which were clinical. The drafting of clinical notes and summarization of patient care were among the most common uses of the tools. The VA OIG notes that the tools were not specifically developed for clinical use, and while the VA provides clinical users with general training and resources, the VA does not centrally curate or evaluate prompts or the generated output, which may be applied to clinical decision making. The VA OIG also notes that studies of GenAI usage in medical settings found that prompt techniques can play a critical role in output errors that could impact diagnoses and care management if not corrected.

The Office of Management and Budget’s 2025 memorandum (Accelerating Federal Use of AI through Innovation, Governance, and Public Trust) requires all agencies to identify high-impact AI use and implement safeguards to manage risk. The VA did not identify the use of VA GPT and Copilot Chat as high-impact, and therefore, the required risk management actions did not apply.

The VHA had determined that Ambient AI Scribe was high-impact, which triggered safety requirements such as pre-deployment testing of the AI tool and providing human oversight before use. Ambient AI Scribe is a targeted clinical documentation tool that listens to clinical visits and drafts medical record notes. The VA OIG said the tool had functionality similar to the clinical documentation prompts VA staff were using with VA GPT and Copilot Chat, which were not considered high-impact.

The VA OIG made three recommendations to the VHA regarding the use and assessment of GenAI chat tools: evaluating these tools as high-impact, implementing the required safeguards, and integrating monitoring of AI-related risks into existing patient safety programs. The VHA concurred in principle with the recommendation to evaluate the tools as high-impact and concurred with the other two recommendations. The VHA has provided the VA OIG with an action plan, will develop guidance on the use of the GenAI chat tools, and is working on addressing the recommendations by April 2027.

As the use of GenAI tools in healthcare accelerates, concern is growing that sensitive patient data may be shared with publicly accessible chatbots, and that AI tools could generate output that puts patients at risk of harm or even death. Earlier this year, Health-ISAC and the Health Sector Coordinating Council Cybersecurity Working Group issued guidance on developing effective AI governance frameworks – Health-ISAC’s White Paper: Policies and Safeguards for a Safe Use of AI and the HSCC Health Industry AI Cyber Governance Framework Implementation Guide to help healthcare organizations create an effective AI governance and safeguards framework and responsibly use GenAI and LLMs while minimizing risk.


ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data

One Medical, the Amazon-owned primary care provider, has recently announced a cybersecurity incident in which an unauthorized third party gained access to a third-party file storage system containing archived information for One Medical Seniors patients. Last week, the ShinyHunters threat group added One Medical to its dark web data leak site and claimed to have exfiltrated 8.8 terabytes of data.

According to the One Medical website data breach notice, the unauthorized access was identified on June 13, 2026, and was limited to the file storage system, which contained legacy data of One Medical Seniors patients. One Medical Seniors is the new name for Iora Health, which One Medical acquired in 2021. When the breach was discovered, the affected system was immediately secured, and all access was revoked. An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that the file storage system was accessed by an unauthorized third party between June 8 and June 11, 2026. While it has only been a few days since the breach was discovered, One Medical has confirmed that the breach was limited to the file storage platform, which only contained legacy data of certain Iora Health/One Medical Seniors patients. No other One Medical clinics, services, or the One Medical electronic medical record system were accessed.

The data review has begun, and One Medical has confirmed that the system contained demographic information and the clinical records of Iora Health/One Medical Seniors patients in Atlanta, Cape Cod, Charlotte, Piedmont Triad, Denver, Houston, Phoenix, Tucson, and Seattle. The exact data types involved have yet to be made public. In response to the breach, One Medical said it has revoked all user access and is rotating credentials for all employees with access to the system, and has implemented additional safeguards to prevent similar incidents in the future. The number of affected individuals has yet to be publicly disclosed. One Medical has not confirmed the name of the group behind the attack.

ShinyHunters is a prolific data extortion group that targets large companies, breaches their networks, exfiltrates sensitive data, and demands a ransom to prevent a data leak. The group’s previous healthcare victims include dental benefits administrator DentaQuest, and the medical device manufacturer Medtronic. Last week, ShinyHunters claimed it had stolen 8.8 TB of data from One Medical and threatened to publish the stolen data unless One Medical entered ransom negotiations. One Medical was given until June 22, 2026, to do so, or the data would be leaked. The claim has not been verified by One Medical, and currently, no samples of the stolen data have been provided as proof of data theft. “This is a final warning to reach out by 22 June 2026 before we leak along with several annoying (digital) problems that’ll come your way,” states ShinyHunters on its dark web data leak site.


New HHS-OIG Exclusions

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has announced new additions to its List of Excluded Individuals and Entities (LEIE). The LEIE, often referred to as the HHS-OIG exclusion list, is a centralized registry for individuals and entities that have been prohibited from participating in federally funded healthcare programs, including Medicare and state healthcare programs.

There are mandatory exclusions for individuals and entities convicted of criminal offenses such as Medicare or Medicaid fraud, patient abuse or neglect, and for felony convictions for other health care-related fraud, theft, or other financial misconduct, and felony convictions related to the unlawful manufacture, distribution, prescription, and dispensing of controlled substances. HHS-OIG also has the authority to exclude individuals and entities on other grounds, termed permissive exclusions. Reasons for permissive exclusions include misdemeanor convictions, engaging in unlawful kickbacks, suspension or revocation of a healthcare license, and defaulting on health education loans or scholarship obligations.

If an excluded individual or entity continues to work in the healthcare industry and participates in a federally funded healthcare program, they can face criminal prosecution, fines, permanent loss of licensure, or disbarment. An employer can face substantial civil monetary penalties, triple damages for all items and services claimed in connection with that individual or entity, and potentially loss of all federal funding or costly and highly intrusive ongoing monitoring by HHS-OIG.

Each healthcare entity is responsible for ensuring that no new hires or existing employees are excluded. The LEIE must be checked prior to any hire, and routine checks should be conducted to ensure that no current employee has been added to the LEIE.

The following entities and individuals have recently been added to the LEIE:

Myers Southern – Myers Southern, LLC, of Bartow, Florida, was excluded for a period of 7 years from participation in federally funded health care programs for failing to respond to an HHS-OIG subpoena that was necessary to determine whether Medicare payments were due, and the amounts associated with those payments.

Dr. Nathan Hanflink and Pain Management Institute – Dr. Nathan Hanflink and Pain Management Institute in Florida have been excluded from participation in federally funded healthcare programs for 5 years following an HHS-OIG investigation that determined they submitted claims to Medicare Part B for chronic care management services that were never rendered.

Sunshine Care Partners and Rusty McMurray – Sunshine Care Partners and its owner, Rusty McMurray, have been excluded from participation in healthcare programs for 10 years after knowingly submitting claims for complex chronic care management services for individuals who were never provided with those services. According to HHS-OIG, those complex care management services only involved having employees take the temperature of all individuals entering the facility, sanitize and clean front desk areas, and organize paperwork.
