25% off all training courses Offer ends June 26, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends June 26, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Blue Fish Pediatrics Data Breach Affects More Than 41,000 Texas Patients

Posted By on Jun 22, 2026

Blue Fish Pediatrics in Texas has announced a July 2025 cyberattack that affected more than 41,000 Texas patients. Data breaches have also been announced by Cherry Health in Michigan, Coastal Carolina Centers of Urology and Surgery in South Carolina, and Regence in Oregon.

Blue Fish Pediatrics, Texas

Blue Fish Pediatrics, a Houston, Texas-based network of pediatric medical practices, has notified the Texas Attorney General about a cybersecurity incident last year that exposed the personal and protected health information of its patients.

In a substitute breach notice on its website, Blue Fish Pediatrics explained that unauthorized access to its IT systems was identified on or around July 17, 2025. After securing its systems, an investigation was conducted to determine the nature and scope of the unauthorized activity. The forensic investigation confirmed that a threat actor had access to a limited number of files between July 11, 2025, and July 17, 2025. Some of those files contained personally identifiable information and protected health information and may have been acquired in the incident.

The files have now been reviewed and found to contain full names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, medical record numbers, diagnosis/condition information, lab results, medications, claims information, and clinical/treatment information. Notification letters are now being mailed to the affected individuals, and complementary credit monitoring have been made available to individuals whose Social Security numbers were exposed.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The total number of affected individuals has yet to be disclosed; however, the bulk of the affected individuals reside in Texas. The Texas Attorney General was informed that 41,485 Texas residents were affected.

Cherry Health, Michigan

Cherry Health, Michigan’s largest non-profit Federally Qualified Health Center serving six counties in the state, announced a breach of patients’ protected health information on June 18, 2026. Suspicious network activity was identified on or around April 19, 2026. The forensic investigation confirmed unauthorized access to its network and the copying of files containing patient information.

The file review is ongoing; however, information likely stolen in the incident includes names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID numbers, patient ID numbers, provider names, service dates, and, for a limited number of individuals, Social Security numbers. Cherry Health said it has not identified any misuse of the impacted data. Cherry Health is working on implementing additional safeguards to prevent similar incidents in the future. At present, it is unclear how many individuals have been affected.

Coastal Carolina Centers of Urology and Surgery, South Carolina

Coastal Carolina Centers of Urology and Surgery, LLC, doing business as Rivertown Surgery Center in Conway, South Carolina, has notified the HHS’ Office for Civil Rights about a network server hacking incident involving unauthorized access to the electronic protected health information of 2,886 individuals.

Only limited information has been made public about the breach, such as it involved unauthorized access to names and health records; however, this appears to have been a ransomware attack by the Qilin ransomware group. Qilin added Coastal Carolina Centers of Urology and Surgery to its dark web data leak site on September 4, 2025, along with screenshots of files allegedly stolen in the attack.  According to the notice sent to the Indiana Attorney General, the breach occurred on August 26, 2025, and notifications were mailed on or around May 22, 2026.

Regence, Oregon

Regence Blue Cross Blue Shield of Oregon has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 2,856 individuals. According to a notice on the Regence website, unauthorized actors registered and accessed some Regence digital member accounts between January 1, 2026, and April 15, 2026, and redeemed wellness rewards for gift cards. Information in the accounts may have been accessed.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist