The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cyberattack on Michigan Plastic Surgery Practice Affects Almost 20,000 Patients

Data breaches have been announced by the Hand & Plastic Surgery Centre in Michigan, Dove Healthcare in Wisconsin, and Southeast Series of Lockton Companies in Georgia.

Hand & Plastic Surgery Centre, Michigan

The Hand & Plastic Surgery Centre, PLC, which does business as Elite Plastic Surgery, has reported a data breach to the HHS’ Office for Civil Rights that affects 19,846 individuals. The Michigan-based aesthetic surgery provider detected unauthorized third-party access to its computer network on January 29, 2025. Independent IT security and digital forensics specialists were engaged to investigate and determine the nature and scope of the unauthorized activity.

While no evidence was found to indicate any individual’s information was specifically accessed for misuse, it is possible that personal and protected health information was viewed or stolen. The exposed data included names, birth dates, Social Security numbers, and health insurance information. At the time of issuing notification letters on March 7, 2025, the Hand & Plastic Surgery Centre was unaware of any reports of identity theft or fraud as a result of the incident. As a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Dove Healthcare, Wisconsin

Dove Healthcare, a Wisconsin-based rehabilitation, senior living, and nursing care provider, has recently notified the Maine Attorney General about a data breach that affects 16,255 individuals, including 1 Maine resident. On or around July 6, 2024, an unauthorized third party accessed the network and viewed or acquired individuals’ protected health information. The affected data was reviewed, and that process was completed on March 6, 2025. The breach notice sent to the Maine Attorney General has the types of compromised information redacted; however, individual notification letters state the exact types of information involved. The affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services, and Dove Healthcare has confirmed that it is enhancing its security measures and monitoring tools.

Southeast Series of Lockton Companies, Georgia

The data breach was initially reported to the HHS’ Office for Civil Rights on February 28, 2025, as involving the protected health information of 1,704 individuals; however, the total has been substantially increased. At some point between March 20, 2025, and April 22, 2025, the OCR breach portal was updated to 1,025,956 affected individuals, making it the second-largest healthcare data breach to be reported to OCR as of April 22, 2025. The Lockton breach notice states, “an unauthorized party accessed a single individual account and computer.” The breach was reported to OCR not as involving a desktop computer, but a network server, which helps to explain why the breach was so extensive.

March 19, 2025

Southeast Series of Lockton Companies (Lockton) in Georgia, an insurance brokerage firm that provides employee benefit services, has notified the HHS’ Office for Civil Rights about a data breach that affects 1,706 individuals. Suspicious activity was identified in a single computer on November 20, 2024. Third-party cybersecurity experts were engaged to investigate the activity and confirmed that there had been unauthorized access to a single account and computer within the Lockton network. The attacker was able to copy files from the account and device on November 20, 2024.

The files were reviewed to determine the data obtained in the attack, and notification letters were mailed to the affected individuals on February 28, 2025. The stolen data included names and Social Security numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months, and Lockton has implemented additional safeguards to prevent similar incidents in the future.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
