80 Hospitals May Have Been Affected by the Oracle Health Data Breach
The number of individuals affected by the hacking incident at Oracle Health has yet to be confirmed; however, the data breach is known to have affected up to 80 hospitals. Oracle Health has been notifying the affected healthcare provider clients, some of whom have only recently learned that they have been affected. Lake Regional Health System in Missouri, OSF Saint Clare Medical Center in Illinois, Aultman Health System in Ohio, and NKC Health in North Kansas City have all recently confirmed that they were affected by the hacking incident and had patient data stolen. Each of those healthcare providers has started issuing notifications to the affected patients and has offered complimentary credit monitoring services. The data compromised in the hacking incident varies from provider to provider and generally includes information typically stored in medical records, such as names, dates of birth, Social Security numbers, medical record numbers, diagnoses, medications, test results, and medical images. While data was compromised in the incident, there have been no known instances of...
Murfreesboro Medical Clinic Settles Lawsuit Over 559K-record Data Breach
Murfreesboro Medical Clinic & SurgiCenter in Tennessee has agreed to settle class action litigation over a major data breach in April 2023 that involved unauthorized access to the protected health information of 559,000 patients. Murfreesboro Medical Clinic determined that “a well-known cyber extortion operation” gained access to its network on or around April 22, 2023, and exfiltrated patient and employee data. Data compromised in the incident included names, dates of birth, home addresses, phone numbers, copies of driver’s licenses, full or partial social security numbers, dependent information, dates of service, medical and diagnostic information related to those dates of service, test results, procedure notes, prescription information, medical record numbers, and insurance and enrolment information. The affected individuals were notified about the attack in May 2023. The BianLian ransomware group claimed responsibility for the attack. Six class action lawsuits were filed in response to the data breach, which were consolidated on September 7, 2023, into a single action...
NCH Corporation Employee Benefits Plan Member Data Stolen
Personal and protected health information has been compromised in security incidents affecting NCH Corporation Employee Benefits Plan members, and patients of Foundation Health Partners in Alaska and One Community Health in California. NCH Corporation The global industrial solutions provider, NCH Corporation, has announced a breach of the protected health information of 3,098 members of its Employee Benefits Plan. Like many organizations of its size, NCH Corporation uses Oracle’s E-Business Suite (EBS) software to help with the management of its operations. A previously unknown vulnerability in the software – CVE-2025-61882 – was exploited by a threat actor to gain access to the Oracle EBS application, and sensitive data was exfiltrated. NCH Corporation was one of several organizations to be attacked in this manner in mid to late 2025. While not stated by NCH Corporation in its data breach notification letters, this was a mass exploitation by the Cl0p ransomware group, which specializes in exploiting zero-day vulnerabilities. Assisted by third-party cybersecurity...
Data Breach Affects Patients of Multiple Fyzical Therapy & Balance Centers
Fyzical Acquisition Holdings LLC, the parent company of Fyzical Therapy & Balance Centers, has announced a security incident involving unauthorized access to the personal and protected health information of its patients. Fyzical Therapy & Balance Centers is a large physical therapy franchise with more than 500 locations in 46 U.S. states. On or around December 9, 2024, suspicious activity was identified within its email environment. An investigation was launched to determine the cause of the activity, and it was confirmed that there had been unauthorized access to its email environment. The substitute data breach notice does not state for how long its email environment was compromised, only that during that time, emails and attached files may have been viewed or acquired. The review of the affected data has taken almost a year to complete, concluding on November 25, 2025, when it was confirmed that the affected data included names, dates of birth, Social Security numbers, driver’s license numbers, state IDs, financial account information, credit card information, medical...
New York Attorney General Fines Capital Region Orthopedic Practice $500K for 2023 Data Breach
Orthopedics NY LLP (aka OrthoNY; OrthopedicsNY), a New York orthopedic medicine practice, has been fined $500,000 by the New York Attorney General over a December 2023 ransomware attack and data breach, according to several media outlets serving the Capital District in New York State. OrthopedicsNY operates almost 20 orthopedic, physical therapy, MRI Imaging, and surgery clinics in the Capital Region in New York State. On or around December 28, 2023, OrthopedicsNY fell victim to an INC Ransom ransomware attack. The investigation took around 9 months and revealed on September 5, 2024, that the personal and protected health information of current and former patients and employees was compromised in the incident. The data breach was initially reported as affecting around 5,100 individuals, but the total was later updated to 656,086 individuals. Those individuals had to wait 10 months to discover their information had been stolen in the attack. While the ransomware attack occurred in late December 2023, the affected individuals did not start to be notified until October 30, 2024....



