Six New Healthcare Data Breaches Announced – The HIPAA Journal
Six New Healthcare Data Breaches Announced The HIPAA Journal
Six New Healthcare Data Breaches Announced
Data breaches have been announced by New Horizons Behavioral Health in Georgia, CWA Local 1180 in New York, Coastal Carolina Health Care in North Carolina, West Texas Health, and Nephrology Associates Medical Group and Stockton Cardiology Medical Group in California.
New Horizons Behavioral Health, Georgia
The Columbus, Georgia-based community mental healthcare provider New Horizons Behavioral Health has announced a January 2026 security incident. Suspicious network activity was identified on January 18, 2026, and the forensic investigation confirmed unauthorized access to its network between January 15, 2026, and January 18, 2026. Data review specialists have been engaged to determine which individuals have been affected, and while that process is ongoing, New Horizons Behavioral Health has confirmed that the data exposed in the incident includes names, addresses, birth dates, Social Security numbers, driver’s license numbers, financial account information, diagnosis information, treatment and prescription information, provider names, treatment locations, and health insurance information.
New Horizons Behavioral Health said the affected individuals will be offered complimentary credit monitoring and identity theft protection services, and will receive notifications when the data review is concluded. While not stated in the breach notice, the Devman threat group took credit for the attack. On December 1, 2025, Devman added New Horizons Behavioral Health to its data leak site with a threat to publish 236 GB of data allegedly stolen in the attack.
Stockton Cardiology Medical Group, California
Stockton Cardiology Medical Group, an independent physician practice serving the San Joaquin Valley area of California, has started notifying patients about a recent security incident. According to the breach notice provided to the California Attorney General, suspicious emails were identified that had been sent to its employees. Stockton Cardiology deleted the emails as part of its remediation efforts; however, on January 17, 2026, Stockton Cardiology learned that files containing patient information may have been accessed or acquired.
An investigation was launched to determine the scope of the breach, and the impacted files were found to contain personally identifiable information and protected health information, including patient names, mailing addresses, email addresses, and billing records that may contain limited medical information associated with services provided. The affected individuals have been offered complimentary credit monitoring services, and steps have been taken to improve security. They include shutting down an older remote access service used by staff members, implementing multifactor authentication for internal systems, resetting all passwords, and reviewing data retention policies to minimize the data stored on its systems.
Stockton Cardiology said it learned on February 17, 2026, that some of the stolen data had been published online. That was the date that the Genesis threat group claimed responsibility for the attack. Genesis said 645 GB of data was stolen in the attack, including personal and healthcare data.
Coastal Carolina Health Care, North Carolina
Coastal Carolina Health Care (CCHC), a provider of primary and specialty care services in Craven, Pamlico, and Carteret Counties in North Carolina, has recently notified the New Hampshire Attorney General about a data breach. Unauthorized network activity was first identified on March 25, 2025, and after securing its network and investigating the incident, the healthcare provider determined that there had been unauthorized network access between March 21, 2025, and March 27, 2025. A third-party vendor was engaged to review the affected data, and almost a year later, the types of data involved have been confirmed.
Coastal Carolina Health Care said it was determined on February 26, 2026, that names and Social Security numbers were compromised in the incident, and sufficient information was obtained to effectuate individual notifications. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. Coastal Carolina Health Care said additional security measures have been implemented to prevent similar incidents in the future.
West Texas Health
West Texas Health PLLC has notified 73,720 individuals about a recent data security incident that impacted Privia Medical Groups West Texas, LLC. On or around October 3, 2025, West Texas Health discovered a security incident. Assisted by external cybersecurity professionals, unauthorized access was confirmed between September 12, 2025, and October 3, 2025. West Texas Health said that following an extensive forensic investigation and comprehensive document review, on February 6, 2026, it was confirmed that protected health information was acquired in the incident.
The types of data involved vary from individual to individual and may include names in combination with some or all of the following: first and last names, Social Security numbers, driver’s license/state-issued identification numbers, passports, military identifications, other unique government-issued identification numbers, financial account information, financial account numbers, payment card information, taxpayer identification numbers or IRS identity protection PINs, medical histories, medical diagnosis and treatment information, health insurance policy numbers, claims histories, other health insurance information, and usernames/email addresses with passwords and security questions and answers. West Texas Health said individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.
Nephrology Associates Medical Group, California
Nephrology Associates Medical Group in Riverside, California, has notified the California Attorney General about a May 2025 cybersecurity incident. Suspicious activity was identified within its email system on May 20, 2025. Assisted by third-party cybersecurity professionals, Nephrology Associates confirmed that an employee’s email account had been compromised. The account was reviewed, and on December 12, 2025, the review was completed, confirming that personal information was present in the account, including names, Social Security numbers, dates of birth, medical/health information, treatment/diagnostic information, health insurance information, billing/payment information, and credentialing information.
Nephrology Associates has strengthened password requirements, is now enforcing more frequent password changes, has reduced access permissions, and is storing older data offline. The breach has been reported to the HHS’ Office for Civil Rights; however, there is now a substantial delay in adding breach data to the public-facing section of its breach portal. At present, it is unclear how many individuals have been affected.
Communications Workers of America Local 1180 Security Benefits Fund, New York
Communications Workers of America Local 1180 Security Benefits Fund (CWA Local 1180) has notified regulators about a data breach involving unauthorized access and potential acquisition of the personal and protected health information of 18,550 individuals. In a notification to the Massachusetts Attorney General, CWA Local 1180 said the forensic investigation of the incident determined that its network was breached on December 24, 2025.
The investigation determined that names and Social Security numbers were potentially compromised in the incident, although no evidence has been found to indicate that there has been any misuse of the impacted data. As a precaution against data misuse, the affected individuals have been offered 24 months of complimentary credit monitoring and identity theft protection services. CWA Local 1180 said that it has taken steps to harden security to prevent similar incidents in the future.
The post Six New Healthcare Data Breaches Announced appeared first on The HIPAA Journal.
Data Breaches Reported by New York & Texas Plastic Surgery Practices
Data breaches have recently been reported by Vantage Plastic Surgery in New York City and Austin Plastic and Reconstructive Surgery in Texas.
Vantage Plastic Surgery, New York
Vantage Plastic Surgery, a plastic surgery practice in New York City, has recently disclosed a security incident involving unauthorized access to the protected health information of 4,600 current and former patients. The plastic surgery practice said it first learned about the cyberattack on January 15, 2026, and immediate action was taken to secure its computer environment. Third-party cybersecurity specialists were engaged to assist with the investigation, and on January 22, 2026, the practice confirmed that patient data had been exposed and may have been obtained by an unauthorized third party.
The file review determined that names, addresses, phone numbers, email addresses, dates of birth, and medical record information had been exposed in the incident. The practice announced the data breach on February 14, 2026, and is now notifying the affected patients. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, and steps have been taken to bolster security to prevent similar incidents in the future.
Austin Plastic and Reconstructive Surgery, Texas
Austin Plastic and Reconstructive Surgery in Texas has notified patients about a security incident that involved unauthorized access to its network last summer. The incident was detected on or around July 1, 2025, and the forensic investigation confirmed unauthorized access to its network between June 30, 2025, and July 1, 2025.
Third-party cybersecurity professionals were engaged to investigate the incident, and the affected files were reviewed. On February 28, 2026, it was confirmed that files accessed or acquired in the incident contained names, addresses, dates of birth, financial account information, driver’s license numbers/state identification numbers, passport numbers, Social Security numbers, medical information, and health insurance information.
Notification letters were sent to the affected individuals on March 11, 2026, and at that time, no misuse of the affected data had been identified. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. The breach is not currently listed on the HHS Office for Civil Rights breach portal of the website of the Texas Attorney General, so it is currently unclear how many individuals have been affected.
The post Data Breaches Reported by New York & Texas Plastic Surgery Practices appeared first on The HIPAA Journal.
Urgent Action Required to Fix Critical Citrix NetScaler Vulnerability – The HIPAA Journal
Urgent Action Required to Fix Critical Citrix NetScaler Vulnerability The HIPAA Journal
Urgent Action Required to Fix Critical Citrix NetScaler Vulnerability
Cybersecurity researchers warn that there could potentially be mass exploitation of a critical flaw in Citrix NetScaler products on a scale similar to the CitrixBleed vulnerability in 2023, which was exploited by ransomware groups. Earlier this week, Citrix disclosed a critical vulnerability affecting its NetScaler ADC and NetScaler Gateway application-delivery products. The vulnerability is an input validation flaw that could allow an attacker to leak sensitive information.
The vulnerability occurs in NetScaler ADC and NetScaler Gateway when configured as a SAML IdP, leading to memory overread. The vulnerability is tracked as CVE-2026-3055 and has a CVSS v4 severity score of 9.3. The vulnerability affects the following NetScaler products, but only when the appliance is configured as a SAML identity provider (IdP):
- NetScaler ADC and NetScaler Gateway 1 BEFORE 14.1-66.59
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
- NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262
Citrix has released updated software versions to fix the vulnerability, and all customers are advised to prioritize remediation of this vulnerability due to the high risk of exploitation. NetScaler devices are constantly targeted by threat actors, and the vulnerability is certain to be targeted when a proof-of-concept exploit is released.
This is not the only vulnerability to be disclosed by Citrix this week. Citrix also disclosed a race condition flaw – CVE-2026-4368 – that affects NetScaler ADC and NetScaler Gateway 14.1-66.54, when the appliance is configured as either a gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or a AAA virtual server. The vulnerability is rated high severity, with a CVSS base score of 7.7. Action should be taken to mitigate the vulnerability for customer-managed instances. The vulnerability has been fixed in version 14.1-60.58. Further information on the flaws can be found in the Citrix security bulletin.
The post Urgent Action Required to Fix Critical Citrix NetScaler Vulnerability appeared first on The HIPAA Journal.
Excelsior Orthopaedics; Buffalo Surgery Center Pay $2.4 Million to Settle Data Breach Lawsuit – The HIPAA Journal
Excelsior Orthopaedics; Buffalo Surgery Center Pay $2.4 Million to Settle Data Breach Lawsuit
A settlement has been reached to resolve class action data breach litigation against Excelsior Orthopaedics and Buffalo Surgery Center. The lawsuit was filed in response to a 2024 data breach that affected hundreds of thousands of patients. On or around June 23, 2024, Amherst, New York-based Excelsior Orthopaedics identified suspicious network activity, and its forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The data breach also affected Northtowns Orthopaedics in Buffalo and Buffalo Surgery Center.
Excelsior Orthopaedics reported the data breach to the HHS’ Office for Civil Rights as affecting 394,752 individuals, and Buffalo Surgery Center reported the breach as affecting 64,000 of its patients. The hackers obtained names, demographic information, driver’s license numbers, Social Security numbers, medical information, health insurance information, and financial information. The affected individuals were notified on December 31, 2024.
Multiple class action lawsuits were filed against Excelsior Orthopaedics and Buffalo Surgery Center over the data breach. The lawsuits were consolidated – Szucs et al. v. Excelsior Orthopaedics, LLP et al. – in the Supreme Court of the State of New York, County of Erie. The consolidated lawsuit alleged that the plaintiffs and class members suffered multiple injuries as a result of the data breach, and that those injuries were caused as a result of the “defendants’ failures to properly secure, safeguard, encrypt, and/or timely and adequately destroy Plaintiffs’ and Class Members’ sensitive personal identifiable and health information.”
The lawsuit alleged that the defendants failed to comply with industry standards for cybersecurity, FTC guidelines, and their obligations under HIPAA. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, and violations of the New York Deceptive Acts and Practices Act.
The defendants deny all claims and contentions in the lawsuit and deny any wrongdoing or liability; however, the defendants and the plaintiffs agreed that a settlement was the best outcome to avoid the costs of protracted litigation and the uncertainty of trial. Under the terms of the settlement, the defendants agreed to pay $2,400,000 to settle the lawsuit, from which attorneys’ fees and expenses, notification and settlement costs, and service awards for the 9 named plaintiffs will be deducted. The remainder of the settlement fund will be used to pay for benefits for the class members.
Those benefits include two years of three-bureau credit monitoring services, the code for which will be automatically sent to the class members, without having to submit a claim. In addition, class members may choose to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, if a claim for reimbursement of losses is not submitted, class members may claim a cash payment. The cash payments will be paid pro rata, and the value will depend on the remaining settlement funds. The deadline for objection to the settlement and exclusion is May 17, 2026. Claims must be submitted by June 11, 2026, and the final fairness hearing has been scheduled for July 8, 2026.
The post Excelsior Orthopaedics; Buffalo Surgery Center Pay $2.4 Million to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.