Data Breaches Announced by Four Healthcare Providers
Data breaches have recently been announced by Western Orthopaedics in Colorado, Community Health Systems in California, Tri-Cities Gastroenterology in Tennessee, and Integrated Pain Associates in Texas.
Western Orthopaedics
Western Orthopaedics, an Englewood, Colorado-based healthcare provider with locations throughout Colorado, has disclosed a security incident that was first identified on October 2, 2025. Assisted by third-party cybersecurity experts, Western Orthopaedics confirmed unauthorized access to its network between September 17, 2025, and September 25, 2025, during which time files containing personal and protected health information may have been viewed or acquired.
The analysis of those files was completed on March 3, 2026, when it was confirmed that the following data elements were potentially compromised: full name, address, phone number, Social Security number, date of birth, password, and/or financial account information, which may include credit/debit card number with or without security or access code, and protected health information such as health insurance information, health insurance plan or subscriber identification number, medical provider name, medical dates of service, and medical cost or billing information.
Additional measures have been taken to improve security, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. At present, it is unclear how many individuals have been affected. The PEAR cyber extortion group claimed responsibility for the attack and proceeded to leak the stolen data when the ransom was not paid.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Community Health Systems
Community Health Systems Inc., a California healthcare provider serving patients in San Bernardino, Riverside, and San Diego Counties, has recently disclosed a data security incident. According to its April 28, 2026, media notice, suspicious activity was identified within its computer network on or around February 28, 2026. Assisted by third-party security experts, Community Health Systems confirmed unauthorized access to parts of the network where patient data was stored.
The review of the exposed files confirmed that they contained information such as names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, treatment/diagnosis information, prescription information, dates of service, provider names, medical record numbers, patient ID numbers, Medicare/Medicaid ID numbers, health insurance information, and/or medical billing/claims information. Community Health Systems said it is reviewing its policies and procedures related to data protection. At present, it is unclear how many individuals have been affected.
Tri-Cities Gastroenterology
Tri-Cities Gastroenterology, a gastroenterology practice with five locations in Tennessee, has announced a data security incident that occurred on or around December 11, 2025. External cybersecurity professionals assisted with the investigation and confirmed that files were exfiltrated from its network on or around December 11, 2026. The file review confirmed on or around April 22, 2026, that the files contained information such as full names, Social Security numbers, dates of birth, addresses, email addresses, telephone numbers, gender, and medical record numbers.
Notification letters started to be mailed to the affected individuals on April 29, 2026. At that time, no misuse of the stolen data had been identified. Tri-Cities Gastroenterology said it will continue to evaluate and modify its cybersecurity practices and is taking steps to strengthen security. The Insomnia threat group claimed responsibility for the attack and added Tri-Cities Gastroenterology to its dark web data leak site in December. The group proceeded to leak the stolen data, indicating the ransom was not paid.
Integrated Pain Associates
On April 30, 2026, Integrated Pain Associates, a Killeen, Texas-based team of spine and pain specialists, announced a data security incident that was identified in February 2026. The forensic review confirmed unauthorized network access on or around February 24, 2026, and that patient data may have been accessed or acquired.
The review of the affected files is ongoing; however, Integrated Pain Associates has confirmed that the types of data involved include names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnosis/condition information, medication information, health insurance information, provider names, other treatment information, and/or financial account information. Integrated Pain Associates has confirmed that it is offering complimentary credit monitoring and identity theft protection services to the affected individuals. Additional security measures have been implemented to reduce the risk of similar incidents in the future. At present, the breach is not shown on the website of the Office of the Texas Attorney General nor the HHS’ Office for Civil Rights breach portal.
