25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cyberattack Forces North Carolina Radiology Practice to Close for More Than a Month

Posted By on Mar 19, 2025

Pinehurst Radiology Consultants has been closed for more than a month following a January cyberattack. Security incidents and data breaches have been reported by Baylor Scott & White Texas Spine & Joint Hospital and Atlas Healthcare CT.

Pinehurst Radiology Consultants, North Carolina

Pinehurst Radiology Consultants, a small radiology provider serving residents in the Sandhills region of North Carolina, fell victim to a cyberattack in January that disrupted its computer systems, forcing the practice to temporarily close. The practice remains closed more than a month after the attack. The recorded message on its voicemail system states that the practice will remain closed for the foreseeable future.

Work is ongoing to restore its computer systems and while progress has been made, its scheduling system has yet to be restored and patients are unable to schedule mammography or ultrasound services. Patients requiring PET or MRI scans have been advised to visit the affiliated First Imaging, part of FirstHealth of Carolinas for those imaging services. Pinehurst Radiology said cybersecurity experts have been engaged, law enforcement has been notified, and the investigation into the incident is ongoing. Pinehurst Radiology said it is committed to restoring its network environment but must do so in a safe and secure manner. The incident sounds like a ransomware attack; however, no ransomware group appears to have claimed responsibility for the attack.

Baylor Scott & White Texas Spine & Joint Hospital

Baylor Scott & White Texas Spine & Joint Hospital has identified a breach of its Microsoft Office 365 environment. The breach was detected on January 15, 2025, and immediate action was taken to prevent further unauthorized access. The forensic investigation confirmed that an unauthorized third party accessed the account between January 10, 2025, and January 14, 2025, and potentially viewed or acquired patient data. No other systems were compromised in the incident.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The compromised email account was reviewed and found to contain patients’ full names, addresses, dates of birth, medical and treatment information, dates of service, provider and facility names, procedure codes, billing and claims information, patient account identifiers, and payor information. Social Security numbers, driver’s license numbers, financial information and account passwords were not involved. The hospital is enhancing its security and monitoring capabilities to prevent similar incidents in the future, and individual notification letters are being mailed to the affected individuals. The HHS’ Office for Civil Rights breach portal indicates 1,640 individuals were affected.

Atlas Healthcare CT

Atlas Healthcare CT, the operator of several skilled nursing and rehabilitation centers in Connecticut, was targeted by hackers who gained access to its network and acquired certain stored files on January 20, 2023. Third-party cybersecurity experts were engaged to investigate the incident and after a comprehensive investigation and extensive manual file review, Atlas Healthcare CT confirmed on August 16, 2023, that sensitive information had been stolen, including names, addresses, dates of birth, social security numbers, medical information, health insurance information, and a limited number of driver license and financial information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

What is unclear is why it took until March 3, 2025, for the data breach to be reported to the HHS’ Office for Civil Rights. On March 3, 2025, OCR received two breach reports from Vernon Rehabilitation and Healthcare Center (5,416 affected individuals) and Manchester Rehabilitation and Healthcare Center (5,415 affected individuals). Neither entity has previously reported a data breach to OCR.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist