25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Breaches Announced by Morton Drug Company & Physicians to Children & Adolescents

Posted By on Dec 10, 2025

Data breaches have been announced by Morton Drug Company in Wisconsin, Physicians to Children & Adolescents in Kentucky, and the Center for Urologic Care of Berks County in Pennsylvania. Across the three incidents, the protected health information of more than 50,000 patients was exposed.

Morton Drug Company, Wisconsin

Morton Drug Company (Morton LTC), a Wisconsin-based pharmacy specializing in long-term care, has recently disclosed a security incident that has affected 40,051 individuals. The incident impacted its IT systems and was detected on or around August 20, 2025. Third-party cybersecurity experts were engaged to investigate, contain, and remediate the incident, and law enforcement was notified.

Unauthorized network access was confirmed, and a review was conducted to determine the extent to which sensitive data had been exposed. On or around October 21, 2025, Morton LTC determined that patient data had been exposed and may have been stolen. The types of data involved vary from individual to individual and may include name in combination with address, prescription information, and, for certain individuals, Social Security numbers.

No evidence has been found to indicate misuse of the affected data; however, the affected individuals have been advised to remain vigilant against identity theft and fraud. Morton LTC has confirmed that steps have been taken to improve security to prevent similar incidents in the future.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Physicians to Children & Adolescents, Kentucky

Physicians to Children & Adolescents (PTCA) in Bardstown, Kentucky, has announced a cybersecurity and data security incident that occurred around a year ago. On or around November 20, 2025, suspicious network activity was discovered. The investigation confirmed that an unauthorized individual had access to its network between November 14, 2024, and November 20, 2024.

While immediate action was taken to contain the incident and prevent further unauthorized access, it has taken a considerable amount of time to conduct the forensic investigation and an extensive document review. PTCA said it discovered on or around August 27, 2025, that files containing patients’ personal and protected health information had been accessed or acquired in the incident, including names in combination with some or all of the following: address, date of birth, Social Security number, diagnosis information, treatment information, medical history information, lab results, diagnostic imaging results, prescription information, health insurance information, and/or medical record number.

Notification letters started to be mailed to the 9,536 affected individuals on October 24, 2025. Individuals who had their Social Security numbers exposed have been offered complimentary credit monitoring and identity theft protection services.

The Center for Urologic Care of Berks County, Pennsylvania

On November 26, 2025, the Center for Urologic Care of Berks County in Wyomissing, Pennsylvania, started notifying certain patients about a cybersecurity incident detected on or around October 13, 2025. An unauthorized third party had access to its network between September 24 and October 13, 2025. The intrusion was detected when some of its IT systems were disrupted. Third-party digital forensics experts were engaged to investigate the incident and confirmed that the unauthorized third party accessed certain files on its network, and potentially copied some of those files.

Urologic Care of Berks County reviewed the affected files and, on or around November 6, 2025, it was determined that 543 individuals had been affected. The compromised files contained names, Social Security numbers, diagnoses, medications, doctors’ names, test results, medical images, and care and treatment information. Steps have been taken to improve security to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist