All About Women’s Care Data Breach Affects Up to 12,000 Patients – The HIPAA Journal
All About Women’s Care Data Breach Affects Up to 12,000 Patients
All About Women’s Care in Colorado has notified 12,000 patients that their data has been compromised in a data breach, and Mid-South Pulmonary Sleep Specialists in Tennessee is assessing the impact of a November 2025 ransomware attack.
All About Women’s Care, Colorado
All About Women’s Care, an Englewood, CO-based obstetrics and gynecology practice, has identified unauthorized access to its IT environment. Suspicious activity was identified involving an employee VPN account. Third-party cybersecurity experts were engaged to investigate the activity and confirmed that an unauthorized actor obtained the credentials for the VPN account and used them to access its network environment. Files were copied in the attack, the review of which was completed on June 5, 2026.
The file review confirmed that the impacted data included names, dates of birth, Social Security numbers, driver’s license numbers, other ID numbers, clinical/treatment information, lab results, prescription information, provider information, medical documents, ultrasound images, copies of identification documents (such as passports), and health insurance information.
The practice is working with cybersecurity professionals to enhance security and prevent similar incidents in the future, and policies and procedures related to data privacy and security are being reviewed. The data breach was recently reported to the HHS’ Office for Civil Rights as affecting up to 12,000 patients.
Mid-South Pulmonary Sleep Specialists, Tennessee
Mid-South Pulmonary Sleep Specialists, a Memphis, Tennessee-based pulmonary and sleep medicine practice, has started notifying certain patients about a cybersecurity incident that exposed their personal and protected health information.
Suspicious activity was identified within its computer network on November 2, 2025. The network was secured, and assisted by third-party cybersecurity experts, the practice confirmed unauthorized network access and the exposure and potential theft of patient data. The data review was completed on May 18, 2026, and revealed that a wide range of data was exposed in the incident. The types varied from individual to individual, and may have included names in combination with one or more of the following: address, date of birth, date of service, driver’s license or state ID number, financial account information, health insurance information, medical diagnosis information, medical history, medical provider name, medical record number, medical treatment information, Medicare/Medicaid number, mental or physical condition, other patient identifier, patient account number, prescription information, and/or Social Security number.
Regulators have been notified, but the incident is not yet shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected. The website breach notice does not state the nature of the attack, or for how long the threat actors had access to its network.
This appears to have been a ransomware attack, as the Anubis ransomware claimed responsibility and added Mid-South Pulmonary Sleep Specialists to its data leak site in late November 2025, along with samples of data allegedly stolen in the attack. Anubis claims that the data stolen includes patient information.
The post All About Women’s Care Data Breach Affects Up to 12,000 Patients appeared first on The HIPAA Journal.
Atrium Health Pays Up to $1.8M to Resolve Pixel Lawsuit
Charlotte-Mecklenburg Hospital Authority, doing business as Atrium Health, has agreed to pay up to $1,800,000 to settle a class action lawsuit stemming from its use of pixels and other tracking technologies on its MyAtriumHealth (formerly called MyCarolinas) patient portal.
North Carolina-based Atrium Health operates a dozen hospitals in North and South Carolina, along with more than 900 care facilities in the two states. Like many health systems, Atrium Health used tracking technologies on its patient portal. These tools have important uses for website operators; however, their use on healthcare websites risks impermissible disclosures of sensitive data.
When these tools are added to authenticated web pages such as patient portals, patients’ protected health information may be disclosed to the third-party providers of the tools, such as Meta (Facebook) and Google. Following an investigation, Atrium Health determined that between January 1, 2015, and July 31, 2019, the protected health information of up to 585,959 patients may have been impermissibly disclosed to third parties as a result of the use of these tools. When reporting the data breach, Atrium Health assumed that all patients who used the portal had their ePHI impermissibly disclosed.
The data potentially compromised included IP addresses and third-party identifiers/cookies. If forms were filled out, that disclosed information may also have included full names, email addresses, phone numbers, city/state/zip code, gender, and any other information entered into the forms.
Multiple class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Julie Roberts, et al. v. The Charlotte-Mecklenburg Hospital Authority – in the Superior Court of Mecklenburg County, North Carolina, naming Julie Roberts, Judith Sigmon, Darielle Hill, and Chrisanna Brown as representatives of a national class.
The plaintiffs alleged that their privacy had been violated by the defendant’s use of these tools, which they claim were added to the patient portal without their knowledge or consent. The lawsuit asserted claims for breach of express contract, breach of implied duty of good faith and fair dealing, breach of implied contract, negligence, breach of fiduciary duty, and unjust enrichment.
Atrium Health denies all wrongdoing and maintains it has not violated any laws and filed a motion to dismiss, which was partially successful; however, the lawsuit was allowed to proceed. The parties ultimately agreed to a settlement to avoid the costs and risks associated with continuing the litigation.
The settlement covers all individuals residing in the United States who had patient portal accounts – MyAtriumHealth or MyCarolinas – between January 1, 2025, and April 10, 2024, with limited exceptions. Atrium Health has agreed to establish a $1,800,000 settlement fund, from which $1,500,000 will be used to cover attorneys’ fees and expenses, administration costs (for Group 1 claims), and payments to individuals who used their accounts between January 1, 2015, and July 31, 2019.
The settlement also includes up to $300,000 to pay for claims from individuals who had a Patient Portal account between January 1, 2015, and April 10, 2024, but did not access their account between January 1, 2015, and July 31, 2019. (Group 2). The remainder of the funds in the Group 1 settlement will be paid pro rata to individuals who submit a claim, and individuals in Group 2 will receive a payment of up to $10 if they submit a claim. The deadline for opting out and objection is August 31, 2026. Claims must be submitted by September 28, 2026, and the final fairness hearing has been scheduled for September 30, 2026.
The post Atrium Health Pays Up to $1.8M to Resolve Pixel Lawsuit appeared first on The HIPAA Journal.
Free Webinar: Making Sense of HIPAA Compliance for Your Small Practice – The HIPAA Journal
Free Webinar: Making Sense of HIPAA Compliance for Your Small Practice

For most small practices, your team is already wearing a lot of hats, and compliance is one that can feel like an impossible task to even know where to start.
But the risks keep growing. Breaches are rising fast, with hackers targeting small medical practices’ sensitive patient data. With major new HIPAA requirements potentially on the horizon as soon as 2027, it’s never been a better time to ensure your practice has built and maintains a HIPAA compliance program with a strong, compliant foundation.
Join Bradley King, Senior Compliance Consultant, as he provides a clear explanation for small medical practices on what they actually need to do when it comes to becoming HIPAA compliant.
You’ll Discover:
The timeline of HIPAA – how we got here and why it matters now
What actually triggers a HIPAA investigation
Current HIPAA enforcement initiatives to watch
What your practice needs to do to become (and stay) compliant
Real examples of investigation letters
WEBINAR DETAILS
Making Sense of HIPAA Compliance for Your Small Practice
Live Webinar | Wednesday, July 22 | 12:00–12:30 PM ET
Click Here Register for the Free Webinar
Speaker: Bradley King, Senior Compliance Consultant, Abyde

Bradley King is a Senior Compliance Consultant at Abyde with several years of experience in HIPAA and OSHA compliance consulting. He has spoken at national conferences and delivered continuing education webinars on HIPAA and OSHA compliance best practices, and has worked directly with thousands of practices, from solo, owner-operator practices to multi-location, multistate healthcare organizations, on building and maintaining compliance programs. Abyde is a leader in the compliance software industry, streamlining HIPAA & OSHA requirements for thousands of practices across the United States.
The post Free Webinar: Making Sense of HIPAA Compliance for Your Small Practice appeared first on The HIPAA Journal.
Ohio Living; Erlanger; Heart of America Eye Care Announce Data Breaches – The HIPAA Journal
Vision Care Providers Settle Data Breach Class Actions – The HIPAA Journal
Vision Care Providers Settle Data Breach Class Actions
Settlements have been agreed to resolve class action lawsuits against two vision care providers: Total Vision in California and Naper Grove Vision Care in Illinois. Both providers fell victim to hacking incidents that exposed patient data.
Total Vision Settlement
A settlement has been agreed to resolve class action litigation against Total Vision LLC, which owns and operates a network of optometry centers throughout California. Total Vision experienced a hacking incident on or around October 30, 2020, in which hackers accessed a database server. The server contained sensitive patient information such as names, addresses, dates of birth, Social Security numbers, and prescription information. The data breach was reported to the HHS’ Office for Civil Rights as affecting 138,402 current and former patients.
Total Vision faced two class action lawsuits over the data breach, which were consolidated into a single complaint – Ramey, et al. v. Total Vision, LLC, et al. – in the Superior Court of California, County of San Diego, naming Anjanette Ramey and Jane Doe as class representatives. In addition to Total Vision, John C. Pack, O.D., and Beverly Bianes, O.D., Inc., and John C. Pack, O.D., and Beverly Bianes, O.D., were named as defendants.
The lawsuit alleged the data breach occurred as a result of the negligence of the defendants, who failed to properly secure the server and protect patient information, then failed to issue adequate breach notices. The plaintiffs allege that they experienced numerous instances of attempted data misuse and identity theft as a result of the security incident. The lawsuit asserted claims for negligence, breach of implied contract, and violations of California’s unfair competition law, the Confidentiality of Medical Information Act, and California security notification laws, all of which were denied by the defendants, along with the allegations of wrongdoing and liability.
During mediation on November 21, 2023, the terms of a settlement were agreed by all parties, and the settlement has now been finalized and has received preliminary approval from the court. The defendants have agreed to establish a $475,000 settlement fund, from which attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives will be deducted. The remaining funds will be used to pay for class member benefits.
Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $1,000 per class member, and/or a claim may be submitted for a pro rata cash payment, the value of which will depend on the number of valid claims received. The defendants have also agreed to implement improved data security measures, valued at $224,000. The exclusion/objection deadline is September 4, 2026. Claims must be submitted by October 5, 2026, and the final fairness hearing has been scheduled for December 18, 2026.
Naper Grove Vision Care Settlement
Naper Grove Vision Care in Naperville, Illinois, has settled class action litigation stemming from a May 2025 security incident that involved unauthorized access to the protected health information of 20,093 individuals. On May 24, 2025, Naper Grove Vision Care identified unauthorized network access. The Interlock ransomware group claimed responsibility for the attack and obtained patient information such as names, addresses, birth dates, driver’s license numbers, patient numbers, health insurance information, explanation of benefits documents, and medical condition and treatment information. Some Social Security numbers were also among the accessed data.
Multiple class action lawsuits were filed in response to the data breach, which were consolidated – In re Naper Grove Data Breach Litigation – in the Circuit Court of the Eighteenth Judicial Circuit, Dupage County, Illinois. The consolidated lawsuit names Ashley Fett and Paul Mifsud as class representatives. The lawsuit alleged that the data breach occurred due to the failure to implement reasonable and appropriate cybersecurity measures, and asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act. All claims and contentions continue to be denied by Naper Grove Vision Care.
All parties have agreed to settle the litigation, with no admission of fault, liability, or wrongdoing. The defendant will cover the cost of attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. Claims may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member.
If a claim for reimbursement of losses is not submitted, class members may submit a claim for an alternative cash payment. The cash payments will be paid pro rata from a $50,000 settlement fund. Regardless of which option is chosen, class members qualify for a one-year membership to a credit and medical data monitoring service. The deadline for objection/exclusion is September 18, 2026. Claims must be submitted by September 18, 2026, and the final approval hearing has been scheduled for October 20, 2026.
The post Vision Care Providers Settle Data Breach Class Actions appeared first on The HIPAA Journal.