Cumberland County Hospital Data Breach Affects Almost 37,000 Individuals
While compiling data for last month’s data breach report, the HIPAA Journal identified a data breach that had previously been missed. On June 2, 2025, Cumberland County Hospital Association in Kentucky notified the HHS’ Office for Civil Rights about a hacking-related data breach that affected 36,659 individuals. Cumberland County Hospital detected the hacking incident on April 3, 2025. According to its substitute breach notice, an unauthorized third party had access to its network between February 21, 2025, and April 3, 2025. While its electronic medical record system was not accessed, files on the compromised parts of the network were discovered to include patient information, and some of those files were accessed during the attack.
The review of the files confirmed they contained demographic information (name, date of birth, address, phone number(s), email address, race, and ethnicity), along with Social Security numbers, medications, diagnoses, treatment notes, dates of service, medical record numbers, health plan numbers, and claims and billing information. Some employee data was also compromised in the attack, which may have included additional information such as driver’s license, birth certificate, background check information, W-4s and W-2s, and bank account numbers. Notification letters were mailed to the affected individuals on June 2, 2025, and credit monitoring and identity theft protection services have been offered for 12 months.
Ellis Medicine Discovers Unauthorized Access to Employee Email Account
Ellis Medicine, a Schenectady, NY-based health system serving the Capital District in New York State, has notified the Maine Attorney General about a data incident that involved unauthorized access to an employee’s email account. Suspicious activity was identified in the account, which was immediately secured. Third-party digital forensics specialists were engaged to investigate the activity and confirmed that the account was accessed “for a limited period” between January 17, 2025, through January 24, 2025, and again between March 27, 2025, through April 5, 2025.
The account was reviewed to identify the types of information potentially accessed, and that review was completed on May 14, 2025. Emails and attachments were discovered to include the personal and protected health information of 13,383 individuals. The Notification to the Maine Attorney General includes mail merge fields rather than a list of potentially compromised data, and there is currently no substitute breach notice on the Ellis Medicine website, so the types of information compromised are unknown.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Notification letters are being mailed to the affected individuals, which will state the exact types of information involved for each patient. Ellis Medicine has offered single-bureau credit monitoring, credit report, and credit score services to the affected individuals for 12 months.
