Florida Medical Imaging Provider Notifies 260,000 Patients About February Data Breach
Vital Imaging Medical Diagnostic Centers in Florida has disclosed a February 2025 hacking incident involving unauthorized access and potential acquisition of patient data. The HHS’ Office for Civil Rights has been informed that the protected health information of up to 260,000 patients was compromised in the incident.
In its August 22, 2025, substitute data breach notice, Vital Imaging explained that the intrusion was discovered on February 13, 2025. Cybersecurity experts were engaged to investigate the activity, and the investigation is ongoing. Vital Imaging said there is a reasonable belief that personally identifiable information and protected health information were accessed and acquired by the attackers.
An independent data mining team was retained to assist with the investigation and review the files on the compromised parts of its network to determine the individuals affected and the types of data involved, and has confirmed that medical information, insurance information, and demographic information were compromised, including names, dates of birth, and contact information was involved.
Notification letters will be mailed to the affected individuals when the file review is concluded. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their credit reports, financial account statements, and explanation of benefits statements.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
ESHYFT
Security researcher Jeremiah Fowler has identified an exposed database linked to ESHYFT, a provider of a platform that allows nurses to find available per diem shifts at long-term care facilities across the country. The 100 GB database could be accessed without authorization and contained 86,341 records, including sensitive data such as names, IDs, medical reports, profile information, facial images, work schedule logs, professional certificates, work assignment information, CVs/resumes, and other information.
Fowler was unable to determine if the database was maintained by ESHYFT or a third-party service provider, nor how long the database was exposed online, or if it was accessed by any unauthorized individuals. The exposed database was reported to ESHYFT and was secured around a month later. Since ESHYFT works with nurses rather than patients, it is unlikely to be a HIPAA-covered entity, and its website does not include a Notice of Privacy Practices, further indicating the data was not HIPAA-protected.
