25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

ERMI; McLeod Physician Associates; Centers for Dialysis Care Announce Data Breaches

Data breaches have been announced by the Georgia-based medical equipment company ERMI, McLeod Physician Associates in South Carolina, and the Centers for Dialysis Care in Ohio. More than 101,000 individuals have been affected by these three incidents.

ERMI LLC, Georgia

ERMI LLC, A Georgia manufacturer of medical equipment for orthopedic patients, has experienced a significant data breach involving unauthorized access to systems containing the electronic protected health information of 74,074 patients. Unauthorized access to its systems was identified on or around August 14, 2025. Assisted by third-party cybersecurity experts, ERMI determined that certain systems had been accessed by an unauthorized third party between February 15, 2025, and August 14, 2025, during which time files containing patient information may have been viewed or acquired.

An extensive manual review of the affected data was completed on or around April 17, 2026, and confirmed that the exposed data included names in combination with one or more of the following: Social Security number, driver’s license number, veteran identification number, passport number, username and password, email address with password and security question, date of birth, date of death, taxpayer/employer identification number, financial account information, payment card information, medical information, and health insurance information. The affected individuals have been notified and informed about the steps that can be taken to reduce the risk of data misuse, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were impacted.

McLeod Physician Associates Li, South Carolina

McLeod Physician Associates li, a Florence, SC-based healthcare group practice, has recently reported a data breach to the HHS’ Office for Civil Rights involving unauthorized access to the protected health information of up to 19,553 patients. The affected patients started to be notified about the incident on June 4, 2026. According to the substitute breach notice on the McLeod Health website, on March 5, 2026, a suspicious file was found on a Dillon Family Medicine server that was in the process of being decommissioned. An investigation was launched, which determined that an unauthorized party had accessed the server between October 17 and October 18, 2025.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The investigation confirmed that the incident was limited to the single server, and no McLeod Health systems were involved, including the practice’s current electronic medical record system. The server was reviewed and found to contain patient information such as names, dates of birth, Social Security numbers, and information related to patient care, which may have included diagnoses, medications, test results, medical images, treatment information, and health insurance information.

Steps have been taken to prevent similar incidents in the future, and the practice will continue to implement and evaluate enhanced safeguards. McLeod Health has confirmed that the affected server has been decommissioned and is no longer in use.

Centers for Dialysis Care, Ohio

Centers for Dialysis Care in Shaker Heights, Ohio, has identified a data security incident that potentially involved unauthorized access to the protected health information of up to 8,000 individuals.  Suspicious activity was identified within its computer network on or around March 20, 2026. Assisted by third-party cybersecurity experts, Centers for Dialysis Care confirmed on April 11, 2026, that there had been unauthorized access to its network, and files containing personal and protected health information had been accessed.

The personal and protected health information of current and former patients and employees was involved, including names, dates of birth, Social Security numbers, medical and health information, diagnostic and treatment information, health insurance information, and/or tax/financial information. Centers for Dialysis Care said additional security measures have been implemented to reduce the risk of similar incidents in the future.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist