California Radiology Provider Announces 13,000-Record Data Breach
Data breaches have been reported by Radiology Associates of San Luis Obispo, North Oaks Health System, The Children’s Center of Hamden, Huron Regional Medical Center, and Franklin Dermatology Group.
Pacific Imaging Management (Radiology Associates of San Luis Obispo)
Pacific Imaging Management, doing business as Radiology Associates of San Luis Obispo in California, has identified unauthorized access to certain employee email accounts. Suspicious activity was identified within its email environment on March 13, 2025. An investigation was launched, which revealed that certain email accounts were accessed by an unauthorized third party at various times between February 3, 2025, and March 17, 2025.
The accounts were reviewed and found to contain the protected health information of 13,158 individuals. The types of data involved vary from individual to individual and are detailed in the individual notification letters that started to be mailed on September 10, 2025. Policies and procedures are being reviewed and enhanced, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.
North Oaks Health System, Louisiana
North Oaks Health System, one of the largest community hospital organizations in Louisiana, has experienced a breach of its email system, which exposed the protected health information of 6,243 patients. Suspicious activity was identified in certain employee email accounts on June 4, 2025. The affected accounts were immediately secured, and an investigation was launched to determine the extent of the breach.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The investigation confirmed that certain emails and attachments in the compromised accounts were accessed between May 28, 2025, and June 5, 2025, and some of those emails contained patient information such as names, birth dates, health insurance information, and clinical information related to the services received at North Oaks. A limited number of Social Security numbers were also exposed. North Oaks is enhancing its security protocols, technical safeguards, monitoring, and employee cybersecurity training to prevent similar incidents in the future.
Children’s Center of Hamden, Connecticut
The Children’s Center of Hamden (TCCOH), a nonprofit behavioral health center in Hamden, Connecticut, has recently announced a security incident that was first identified on December 28, 2025. Unusual activity was identified within its computer systems, and third-party digital forensics experts were engaged to investigate. They confirmed unauthorized access to its network, including systems that contained patient information. On June 29, 2025, it was confirmed that files containing patients’ protected health information were accessed or acquired in the attack.
The file review was completed on August 7, 2025, and confirmed that names, dates of birth, Social Security numbers, driver’s license information, passport information, biometric data, and diagnosis and treatment information had been exposed. Notification letters have been mailed to the 5,213 individuals, and steps have been taken to enhance security.
Huron Regional Medical Center, South Dakota
Huron Regional Medical Center in South Dakota identified suspicious activity within its computer network on or around May 31, 2025. An investigation was launched to determine the nature and scope of the suspicious activity, with assistance provided by third-party digital forensics experts. Unauthorized network access was confirmed, and the exposed files were reviewed and found to contain information such as names, addresses, phone numbers, dates of birth, dates of service, cost of services, health insurance information, lab results, medical diagnostic images, prescription information, Medicare/Medicaid numbers, diagnoses, and treatment information.
Huron Regional Medical Center is reviewing its policies, procedures, and data security measures and will make enhancements to better defend against future attacks. Individual notification letters started to be mailed to the affected individuals on September 9, 2025. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Franklin Dermatology Group
Franklin Dermatology Group in Tennessee has recently confirmed that it was affected by the cyberattack and data breach at the collections vendor, Nationwide Recovery Service (NRS). A hacking group had access to the NRS network between July 5, 2024, and July 11, 2024, and copied certain files from its network. Those files contained names, dates of birth, Social Security numbers, health insurance information, financial account information, and/or protected health information.
Franklin Dermatology Group was notified that it had been affected on February 7, 2025, and NRS said it would be issuing notifications to the affected individuals, although Franklin Dermatology Group said NRS reneged on that promise on April 3, 2025. Franklin Dermatology Group issued notifications to the affected individuals in September 2025 and has offered them complimentary single-bureau credit monitoring, credit score, and credit report services for 12 months. The breach was recently reported to the Maine Attorney General as affecting 2,457 individuals. In total, the NRS data breach has affected more than 545,000 individuals.
