Arizona & Texas Clinics Notify Patients About Ransomware Incidents
Ransomware attacks have been announced by Glendale Obstetrics & Gynecology in Arizona and Lymphedema Therapy Specialists in Texas, and City Health in California has notified patients about a recent data breach. City Health City Health, a California healthcare provider with locations in San Leandro and Oakland, has notified certain patients about a hacking incident that was identified on March 30, 2026. Assisted by third-party cybersecurity specialists, City Health determined that an unauthorized third party accessed its electronic medical record system network between March 2, 2026, and March 11, 2026, and viewed or acquired sensitive information. The electronic medical record system was accessed using credentials associated with a third-party account. “The individual involved was a former business counterparty whose access to City Health’s systems had been previously terminated,” explained City Health. “Upon discovery, City Health immediately revoked the unauthorized access and initiated an investigation into the scope and impact of the incident.” Data...
Court Rules State Regulator’s Investigation of Blue Cross Blue Shield of Montana May Proceed
A district court judge in Montana has ruled that the State Auditor and Insurance Commissioner’s investigation of Blue Cross Blue Shield of Montana (BCBSMT) over a data breach affecting 462,000 individuals may proceed. The data breach involved BCBSMT’s third-party vendor Conduent Business Services. The Safepay ransomware group claimed responsibility for the attack and stole 8.5 TB of data. While the full scale of the data breach is still unclear, at least 25 million Americans were affected nationwide. BCBSMT reported the data breach separately as affecting 462,000 Montanans. Commissioner Brown launched the investigation into BCBSMT and Conduent over the data breach to help educate the public about data breaches, improve the regulation of insurance companies to prevent further breaches, and determine if there have been any unlawful acts that warrant a financial penalty, namely, whether BCBSMT complied with state law requiring insurers to provide timely notice when a data breach occurred. The data breach was significant, as one-third of state residents had their data compromised, and...
Free Webinar: How to Stop Phishing Attacks Before They Reach Your Team
Phishing has long been a leading cause of healthcare data breaches. Hackers target employees as they are a weak link in the security chain, and many healthcare ransomware attacks start with credentials stolen in phishing attacks. Phishing attacks are often blamed on the employees who respond to phishing attempts. A survey of healthcare IT leaders found 85% of respondents believe employee negligence is a top email security risk, yet despite that, only 16% of respondents said they train their workforce on how to recognize phishing attempts quarterly or more frequently. The majority of healthcare organizations only provide training to their workforce once a year, and hope that the training sticks and employees will remain vigilant throughout the year, which is seldom the case. Unfortunately, the risk from phishing is getting worse as AI-generated phishing campaigns are difficult for employees to identify. AI-generated phishing emails are grammatically correct, free of spelling mistakes, and use advanced impersonation techniques. An analysis of phishing emails by KnowBe4 between late...
$3.75M Settlement Resolves Data Breach Lawsuit Against Chattanooga Heart Institute
Memorial Heart Institute, doing business as Chattanooga Heart Institute in Tennessee, was sued over a data breach in 2023. A $3.75 million settlement has been agreed upon and has received the first nod from a judge. The final fairness hearing has been scheduled for May 28, 2026. The cyberattack was identified on April 17, 2023. The investigation determined that a threat actor had access to the Chattanooga Heart Institute network between March 8 and March 16, 2023, and exfiltrated files, some of which contained patients’ protected health information. The file review confirmed that data compromised in the incident included names, addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information. The Karakurt ransomware group claimed responsibility for the attack. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of...
Illinois Bone and Joint Institute Settles Class Action Data Breach Lawsuit for $4M
Illinois Bone and Joint Institute (IBJI), one of the largest orthopedic group practices in Illinois, has agreed to settle a consolidated class action lawsuit stemming from a 2024 cyberattack and data breach that affected up to 665,321 individuals. IBJI identified unauthorized access to its computer systems on or around July 4, 2024. The forensic investigation determined that hackers had access to its network from May 30, 2024, to July 4, 2024, and copied files containing patient information. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, diagnosis and treatment information, and health insurance/claims information. The breach was initially reported to the HHS’ Office for Civil Rights as affecting approximately 183,000 individuals. The total was later amended to 665,321 individuals, although the lawsuit states that approximately 568,000 individuals are in the settlement class. The first class action lawsuit over the data breach was filed by plaintiff Guy Redman in the Circuit Court of Cook County, Illinois, County Department,...



