25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

DealMed Medical Supplies Announces July 2025 Cyberattack

Posted By on Nov 11, 2025

DealMed Medical Supplies has confirmed that sensitive data was stolen in a July ransomware attack, the Wisconsin Department of Corrections has identified a HIPAA breach, and Healthcare Therapy Services in Indiana has experienced a breach of its email system.

DealMed Medical Supplies

Dealmed Medical Supplies, a Brooklyn, NY-based manufacturer and distributor of medical supplies, has recently announced a data security incident that was identified on July 7, 2025. Immediate action was taken to secure its network, and an investigation was launched to determine the nature of the activity. The investigation confirmed that an unauthorized third party accessed its network and may have viewed or obtained sensitive company data on or around June 7, 2025. DealMed has been reviewing the affected files, and on October 31, 2025, it was confirmed that protected health information had been exposed and potentially stolen. The impacted data included names and Social Security numbers.

Notification letters are being sent to the affected individuals, and complimentary single-bureau credit monitoring, credit score, and credit report services have been offered. DealMed has also confirmed that steps have been taken to enhance security to prevent similar incidents in the future.

In July, the HIPAA Journal reported that the DragonForce ransomware group had added DealMed to its dark web data leak site. The ransomware group claimed to have exfiltrated almost 106 GB of data in the attack. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Wisconsin Department of Corrections

The Wisconsin Department of Corrections (DOC) has recently announced a HIPAA violation involving an impermissible disclosure of the protected health information of 1,723 inmates. The HIPAA breach was identified on September 16, 2025, although the impermissible disclosure occurred on July 17, 2025, when an employee responded to a public records request.

The disclosed information included the names of individuals who had been evaluated by the DOC’s Bureau of Health Statistics under a Chapter 980 Special Purpose Evaluation, along with diagnostic test scores and mental health diagnoses. The data was disclosed to a state agency office in Kenosha, WI. When the error was identified, the state agency office was contacted to ensure that the data was permanently deleted.

The DOC said additional safeguards have been implemented for public record requests to ensure that all records are thoroughly reviewed to ensure that they do not contain HIPAA-protected data. Should any records contain protected health information, the DOC will ensure that appropriate written authorizations are obtained from the patients, or the DOC will ensure that protected health information is redacted.

The affected individuals had Special Purpose Evaluations up to October 2022, and include current inmates and individuals who have been discharged from DOC custody. Notifications are now being sent to those individuals to advise them about the HIPAA breach.

Healthcare Therapy Services

Healthcare Therapy Services (HTS), a physical therapy clinic in Greenwood, Indiana, has started notifying patients about a recent data security incident. On April 29, 2025, HTS identified unusual activity within its email system. Assisted by third-party cybersecurity specialists, HTS confirmed unauthorized access to employee email accounts.

The accounts were reviewed, and on September 9, 2025, HTS determined that patients’ personal and protected health information had been exposed and may have been obtained by unauthorized individuals.  The impacted data included names, Social Security numbers, driver’s license numbers, medical information, and financial account information. Notification letters started to be sent to the affected individuals on November 7, 2025. At the time of issuing notification letters, HTS was unaware of any misuse of the exposed data. HTS engaged cybersecurity professionals to identify the cause of the breach and identify additional safeguards that could be implemented to prevent similar data breaches in the future.

The HHS Office for Civil Rights breach portal shows 15,027 individuals were affected.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist