Business Associate Hacking Incident Affects Keys Pathology Patients
A cyberattack on a business associate has resulted in unauthorized access to the protected health information of patients of Keys Pathology Associates in Texas. Assisted Living patients of Pharmacy Service in Wisconsin and the American Association of Critical-Care Nurses in California have also announced data breaches.
Keys Pathology Associates, Texas
In July 2025, Keys Pathology Associates in Marathon, Texas, reported a hacking-related data breach to the HHS’ Office for Civil Rights that affected up to 20,000 individuals. The Maine Attorney General has now been notified, and the breach report indicates fewer individuals were affected than the initial estimate: 13,756 individuals, including 26 Maine residents.
The incident did not occur at Keys Pathology, but rather at a business associate that Keys Pathology used for billing services. The vendor, Genesis Billing Services in North Carolina, was provided with patient data, which was maintained on a third-party server outside the control of Keys Pathology. Keys Pathology was notified by its vendor on May 27, 2025, that an unauthorized third party had accessed the server on or around May 20, 2025, and deployed ransomware after downloading all data from the server. On August 21, 2025, Keys Pathology was provided with an unstructured data file containing the copied data, and work commenced on deciphering patient names and contact information. Notification letters are now being sent, and complimentary single-bureau credit monitoring, credit score, and credit report services have been offered.
Data potentially stolen in the incident varies from individual to individual and may include first and last names, addresses, dates of birth, phone numbers, Social Security numbers, driver’s license numbers, and health information. Keys Pathology said it takes data security seriously, which was a major reason why a third-party vendor was used to host patient data. As a result of the data breach, Keys Pathology has stopped using Genesis for billing services.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Assisted Living Pharmacy Service, Wisconsin
Assisted Living Pharmacy Service LLC (ALPS) in Menomonee Falls, Wisconsin, has announced a cyberattack that was identified on or around June 26, 2025. According to its substitute breach notice, the investigation confirmed unauthorized access to its network between June 25, 2025, and June 27, 2025, during which time certain data on the network was either accessed or acquired.
A review of the affected files determined that they included faxes sent to ALPS in connection with the prescription services it provided between January 2024 and June 2025. The faxes contained names along with addresses, dates of birth, driver’s license/state identification numbers, other identifiers, Social Security numbers, diagnosis/condition information, lab test results, medications, other treatment information, claims information, financial account or payment card information, and/or other financial information.
The affected individuals have been advised to monitor their accounts, explanation of benefits statements, and free credit reports for suspicious activity. While not mentioned in the breach notice, the attack appears to have been conducted by the Qilin ransomware group, which claimed responsibility for the attack and added ALPS to its dark web data leak site on August 12, 2025. The listing includes limited examples of files stolen in the attack, some of which are face sheet profiles of residents. Currently, there has been no data dump. The incident has been reported to the HHS’ Office for Civil Rights as affecting 5,590 individuals.
The American Association of Critical-Care Nurses, California
The American Association of Critical-Care Nurses (AACN) in Aliso Viejo, California, has recently disclosed a data breach that has affected 57,526 individuals. AACN is a nonprofit specialty nursing organization that provides professional and personal support to its members. While not a HIPAA-regulated entity, AACN likely provides support services to some HIPAA Journal readers.
On July 31, 2025, AACN determined that its website payment system had been accessed by an unauthorized third party beginning on March 8, 2025. Payment card information associated with certain website transactions was accessed by an unauthorized third party. Since it was not possible to determine whose payment card information was accessed, notification letters were sent to all potentially affected individuals. Data potentially accessed included names, card numbers, expiry dates, CVVs, and contact information associated with transactions on the site, which may have included billing and shipping addresses, phone numbers, and email addresses. The affected individuals have been offered two years of complimentary credit and identity monitoring services, and security enhancements have been made to prevent similar incidents in the future.
