Data Breaches Announced by Heritage Communities & Metrocare Services
The senior living company Heritage Communities and the Dallas mental health care company Metrocare Services have announced security incidents that exposed sensitive patient data.
Heritage Communities, Nebraska
Heritage Communities, a senior living company based in Omaha, Nebraska, has recently announced a breach of the personal and protected health information of current and former residents. The data breach affected the company Heritage Holdings LP, a business associate of Heritage Communities, Orchard Pointe, and OnCare Health. On or around September 16, 2025, a network intrusion was identified, and third-party cybersecurity experts were engaged to investigate the incident. The investigation confirmed that an unauthorized actor gained access to its network and a limited amount of protected health information. The forensic investigation could not rule out the possibility that sensitive data was exfiltrated from its network. The review of the affected data confirmed that a range of data types were exposed, including first and last names, Social Security numbers, driver’s license...
North Kansas City Hospital Patients Affected by Cerner Hacking Incident
North Kansas City Hospital has notified patients about a January 2025 data breach at its EHR vendor Cerner. Data breaches have also been announced by Shasta County Health and Human Services and OncoHealth in Georgia.
North Kansas City Hospital, Missouri
North Kansas City (NKC) Hospital in Missouri issued a substitute breach notice on November 25, 2025, announcing a data breach at its electronic medical record (EHR) vendor. A hacker gained access to a legacy Cerner (now Oracle Health) server that was awaiting migration to the Oracle Cloud infrastructure. According to Oracle Health, the hacker gained access to the server as early as January 22, 2025, and exfiltrated data, including the personal health information of NKC Hospital patients. NKC Hospital stressed that none of its own systems were compromised in the incident, as the breach was limited to two legacy Cerner servers. The HIPAA Journal first reported on the Oracle Health data breach in March 2025, and in the months following the announcement, several healthcare providers have issued notifications confirming that they have...
Rancho Family Medical Group Agrees to Pay $315K to Settle Data Breach Litigation
Rancho Family Medical Group, a primary care medical group serving patients in Southern California, has agreed to pay $315,000 to settle class action litigation stemming from a 2023 data breach that exposed patients’ protected health information. Rancho FMG was notified on January 11, 2024, about a security incident at its vendor KMJ Health Solutions. KMJ provided the medical group with online signout and charge capture systems and experienced a security incident on November 19, 2023, that exposed patient information such as names, dates of birth, medical record numbers, treatment locations, dates of services, and medical procedure codes. The vendor was unable to determine exactly which patients had been affected or the exact types of data involved, as the impacted data had been wiped and was unrecoverable. On or around March 12, 2024, Rancho FMG notified all potentially affected patients, including current patients and patients going back ten years. Approximately 11,500 notification letters were mailed, although the HHS’ Office for Civil Rights was informed that 10,480 individuals...
Rockhill Women’s Care & Harbor Regional Center Announce Data Breaches
Data breaches have recently been announced by the OB/GYN practice Rockhill Women’s Care and Harbor Regional Center, a California provider of services to individuals with developmental disabilities.
Rockhill Women’s Care
Rockhill Women’s Care, an OB/GYN practice with locations in Overland Park in Kansas and Lees Summit in Missouri, has experienced a significant data breach, involving unauthorized access to the electronic protected health information of up to 70,129 patients. While it is unclear from the notification letters exactly when its network was first compromised, the intrusion was detected on February 26, 2025. Third-party cybersecurity experts were engaged to investigate the intrusion, and law enforcement was notified. The investigation confirmed that patient information had been exposed and may have been exfiltrated. The data mining exercise to determine the exact types of data involved and the individuals affected was completed on August 13, 2025. The types of data involved vary from individual to individual and include names in combination with one or more of the...
VITAS Hospice Services Discovers Month-Long Network Intrusion Affecting 319K Patients
VITAS Hospice Services, LLC, the largest for-profit hospice chain in the United States, has notified the California and Texas attorneys general about a data security incident that exposed sensitive patient data. An unauthorized individual compromised an account used by one of its vendors, and through that account was able to access certain Vitas systems. The security breach was identified on October 24, 2025, and the forensic investigation determined that there was unauthorized access to its systems for more than a month between September 21, 2025, and October 27, 2025. During that time, the unauthorized third party was able to view and download the personal information of current and former Vitas patients. Vitas has been working with a third-party cybersecurity firm to investigate the cause of the breach and has taken steps to strengthen vendor oversight and improve its data protection protocols. At the time of issuing notifications to the affected individuals, Vitas was unaware of any misuse of the exposed data; however, as a precaution against identity theft and fraud, the...



