Albany College of Pharmacy and Health Sciences Cyberattack Affects 28,600 Individuals
Data breaches have recently been announced by Albany College of Pharmacy and Health Sciences, Central Kentucky Radiology, TRG Medical Imaging, and Elmore County in Idaho.
Albany College of Pharmacy and Health Sciences
Albany College of Pharmacy and Health Sciences (ACPHS) in New York has notified 28,600 individuals about a September 2024 data security incident. Unusual network activity was identified on September 14, 2024, and an investigation was launched to determine the cause of the activity. Assisted by third-party cybersecurity experts, ACPHS determined that an unauthorized third party had access to its network between August 31, 2024, and September 14, 2024, during which time, files may have been copied.
The types of information potentially compromised in the incident vary from individual to individual and include names in combination with one or more of the following: date of birth, birth certificate, account number, routing number, security code, marriage certificate, mother’s maiden name, digital signature, passport number, government identification number, Social Security number, taxpayer ID number, driver’s license number, payment card number, payment card expiration date, alien registration number, username and password, health insurance information, medical record number, mental or physical condition, diagnosis/treatment information, procedure type, provider name, prescription information, biometric data, and student information.
Individual notification letters started to be sent to the affected individuals on or around June 16, 2025, and complementary credit monitoring services are being made available.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Central Kentucky Radiology
Central Kentucky Radiology in Lexington, KY, is notifying certain patients about a recent hacking incident. The intrusion was detected on October 18, 2024, when the practice experienced network disruption. The forensic investigation confirmed that an unauthorized actor had access to its network between October 16 and October 18, 2024, and copied files from the network.
Central Kentucky Radiology conducted a comprehensive file review and confirmed on May 7, 2025, that the exposed files contained patient names, addresses, Social Security numbers, dates of birth, dates of service, charges for medical services, and in some cases, payment card information. Individuals whose payment card information and/or Social Security numbers were compromised in the incident have been offered complimentary credit monitoring services.
Central Kentucky Radiology has reviewed its data security policies and practices and has implemented additional technical security measures to prevent similar incidents in the future. Since this article was published, it has been confirmed that the protected health information of 166,953 individuals was compromised in the attack.
TRG Medical Imaging
TRG Medical Imaging in Portland, Oregon, also known as the Radiology Group, has recently announced that it was affected by the cyberattack and data breach at the debt collection agency, Nationwide Recovery Service (NRS). Hackers had access to the NRS network between July 5, 2024, and July 11, 2024, and copied files from the network that included names, addresses, Social Security numbers, dates of birth, medical information, and account balances. NRS informed TRG about the data breach on March 31, 2025.
TRG has arranged for the affected individuals to be provided with complimentary credit monitoring and identity theft protection services for two years. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Elmore County, Idaho
Elmore County in Idaho has notified 931 individuals about a recent email security incident. On April 15, 2025, the County learned that an employee’s email account was being used to send spam emails. A digital forensics firm was engaged to investigate the incident and determine the nature and scope of the unauthorized activity. The investigation revealed several employee email accounts had been compromised between April 14, 2025, and April 19, 2025. During that time, certain emails were downloaded from the accounts.
The email account reviews were completed on May 12, 2025, when it was confirmed that the compromised information included names, dates of birth, dates of service, individual identifying numbers, the names of healthcare providers, diagnosis information, treatment information, lab test results, and medications received from the County Emergency Medical Services. The County has enhanced its cybersecurity policies and procedures, provided additional security awareness training to employees, and is evaluating additional security tools to strengthen email security.
