PHI Compromised in Cyber Incidents at Medenet; United Medical Doctors; Stewart Home & School
Cybersecurity incidents involving unauthorized access to protected health information have been announced by the revenue cycle management company Medenet, the California medical group United Medical Doctors, and the Kentucky residential school, Stewart Home & School.
Medenet Inc.
Medenet Inc., a Florida-based medical billing, EMR software, and revenue cycle management service provider to physician practices, has started issuing notifications about a cyberattack identified on December 26, 2025. Assisted by third party cybersecurity experts, Medenet determined that personal and protected health information was likely compromised in the incident, including medical records and Social Security numbers.
Medenet said it is unaware of any misuse of the impacted data; however, as a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services. The data breach has yet to be added to the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
United Medical Doctors
United Medical Doctors, a Murrieta, California-based multi-specialty medical and surgical group, has discovered unauthorized access to its computer systems. Suspicious activity was identified within its computer systems on March 26, 2026, and the forensic investigation determined that a threat actor had access to its systems for around three and a half months, between December 12, 2025, and March 31, 2026. During that time, files containing patient information may have been viewed or acquired.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The May 20, 2026, substitute breach notice states that the types of information compromised in the incident have yet to be determined, and the number of affected individuals has yet to be publicly disclosed.
Stewart Home & School
Stewart Home & School (formerly Stewart Home School), a residential school in Franklin County, Kentucky, has recently announced that it was the victim of a criminal cyberattack on its computer network. The attack occurred in the early hours of August 4, 2025, with the threat actor gaining access to its network using stolen credentials.
Those credentials allowed the threat actor to access two of its internal electronic drives. Data on those drives was accessed and exfiltrated, then ransomware was used to encrypt the data. Stewart Home & School said the nature of the attack and the design of its electronic network meant it has taken a significant amount of time to determine the types of data involved and the individuals affected.
The data analysis has recently concluded, and confirmed that 3,677 individuals potentially had data stolen in the incident, including personal information and protected health information. That information included names, demographic information such as phone numbers, email addresses, addresses, and Social Security numbers, financial information, and protected health information such as health insurance information, diagnoses, medical conditions, test results, and medications, and education-related information, including evaluation and testing information.
The affected individuals were notified about the incident in April 2026 and have been offered 24 months of complimentary credit monitoring and identity theft protection services. The Sinobi ransomware group claimed responsibility for the attack.
