Apex Spine & Neurosurgery & North Central Behavioral Health Systems Announce Data Breaches
Data breaches have been announced by Apex Spine & Neurosurgery in Georgia and North Central Behavioral Health Systems in Illinois.
Apex Spine & Neurosurgery
Apex Spine & Neurosurgery in Georgia has notified 2,500 individuals that some of their electronic protected health information has likely been stolen in a ransomware attack. Apex Spine & Neurosurgery said it learned on December 23, 2025, that a cyber threat actor had accessed its network and used ransomware to encrypt files. The forensic investigation confirmed that the cyber actor accessed its network and copied files on December 9, 2025; however, its electronic medical record system was not involved, as it is maintained in a logically separate computer environment.
The stolen files are still being reviewed; however, they contained information such as names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, other government identifiers, location of health services, dates of service, treatment or condition information, diagnosis/diagnosis codes, prescription information, history information, assigned physician names; health services payment information, such as financial account number without a security code, access code, or password to access an account, patient account numbers, and health insurance information subscriber or identification numbers. The information copied in the attack varies from individual to individual. Apex Spine & Neurosurgery said it is evaluating further technical safeguards to better protect sensitive data on its network.
The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements for suspicious activity. While the ransomware group was not mentioned in the breach notice, the Interlock ransomware group claimed responsibility for the attack and said 20 GB of data was exfiltrated. Interlock proceeded to leak the stolen data as the ransom was not paid. Apex Spine & Neurosurgery said it was able to securely recover the encrypted data from backups.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
North Central Behavioral Health Systems
North Central Behavioral Health Systems, a mental health and substance abuse treatment center with locations in La Salle and Ottawa, Illinois, has identified unauthorized access to an employee’s email account. Suspicious activity was identified in a single email account on or around December 2, 2025. The account was secured to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the activity.
The investigation confirmed that the breach was limited to a single email account. The account is currently being reviewed to determine the types of information involved and the individuals affected. Notification letters will be mailed to the affected individuals as soon as the review is concluded. Currently, no misuse of patient data has been identified; however, patients have been advised to remain vigilant against data misuse by monitoring their bank accounts and financial statements for suspicious activity. Email security has been enhanced in response to the incident, and complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.
