Cyberattack on Fort Worth Revenue Cycle Management Firm Affects 77,000 Individuals
Data breaches have been announced by the revenue cycle management company ESHA Inc., the pulmonary rehabilitation provider Citadel of Northbrook, the health IT company Datavant Group, and the Florida dental practice operator Smile Design Management.
ESHA, Inc., Texas
ESHA, Inc., a Fort Worth, TX-based revenue cycle management company, has notified 76,922 individuals that some of their personal and protected health information was potentially viewed and/or copied in a security incident over the summer. Unauthorized access to its server infrastructure was detected on July 19, 2024, and the servers were immediately taken offline to prevent further unauthorized access. Digital forensics specialists were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. The investigation confirmed that an unauthorized actor accessed its servers from July 13 to July 17, 2024. The file review was completed on or around September 16, 2024, and individual notifications were mailed to the affected individuals on November 15, 2024. Complimentary credit monitoring services have been offered.
According to the notification letter, “ESHA has obtained confirmation to the best of its ability that the information is no longer in possession of the third party(ies) associated with this incident.” ESHA said it is working with leading cybersecurity experts to identify areas where security can be improved, and additional measures will be implemented to improve cybersecurity.
Citadel of Northbrook, Illinois
Citadel Healthcare’s Citadel of Northbrook, a Glenview, IL-based pulmonary rehabilitation specialist, has confirmed it was affected by a security incident at its electronic health record provider, PointClickCare. According to PointClickCare, unauthorized access was detected on July 20, 2024, and the incident was promptly investigated. PointClickCare confirmed that a threat actor used compromised end-user credentials for access and viewed or acquired the information of a limited number of Citadel of Northbrook patients, including names, dates of birth, Social Security numbers, Medicare/Medicaid identification numbers, treatment and diagnosis information, admission dates, discharge dates, prescription information, and/or health insurance policy numbers.
PointClickCare deactivated the compromised credentials when the breach was discovered and notified Citadel of Northbrook on September 26, 2024. PointClickCare has increased password complexity requirements and Citadel of Northbrook has implemented enhanced security measures. Citadel of Northbrook has mailed notification letters to the affected individuals and credit monitoring and identity protection services have been offered. Another Omnia Healthcare Group-owned healthcare company, Pavillion Healthcare, was also impacted, exposing the data of residents of the Illinois nursing home Pavilion of Bridgeview.
Ciox Health / Datavant Group, Arizona
On October 7, 2024, Ciox Health, dba Datavant Group, a Phoenix, AZ-based health IT company, notified the HHS’ Office for Civil Rights about an email-related data breach using a placeholder figure of 501 affected individuals. That total has since been updated to 22,897 affected individuals. On December 6, 2024, Datavant Group’s legal counsel notified the Maine Attorney General that the breach involved the personal data of 10,639 individuals. On February 11, 2025, a supplemental notice was issued to the Maine Attorney General, increasing the victim count to 49,454 individuals.
Suspicious activity was identified in its email system on May 9, 2024, and it was confirmed on or around August 9, 2024, that there had been unauthorized access to a single employee email account between May 8 and May 9, 2024. Phishing emails had been sent to a limited number of email users, and one employee responded, allowing their email account to be accessed.
From May to August, emails and attachments were analyzed to determine the individuals affected, and from August to October Datavant worked to associate the impacted individuals with the correct data controllers. That process was completed in early October and the data controllers were notified and given until the end of November to respond and accept Datavant’s offer to issue notifications. Datavant has now sent notification letters for itself as a data controller and the data controllers that opted in. The February 2025 notice to the Maine Attorney General says the additional notification letters were mailed to the affected individuals between January 31, 2025, and February 11, 2025.
The compromised data included names, Social Security numbers, financial account information, driver’s licenses, passports, health information, account credentials, and digital signatures. Datavant has offered the affected individuals 24 months of complimentary credit monitoring and identity protection services and has taken steps to improve email security, including implementing additional technical safeguards, reconfiguring its email security settings, and updating its security software rules.
Smile Design Management, Florida
Smile Design Management, the operator of dozens of dental offices in Florida, notified the HHS’ Office for Civil Rights about a data breach on October 7, 2024, involving the protected health information of 500 individuals – a commonly used placeholder when the number of affected individuals has yet to be determined.
According to the notification letters mailed to the affected individuals, unusual network activity related to third-party software was detected on February 22, 2024. The forensic investigation confirmed there had been unauthorized access to its network between February 22 and February 23, 2024, and during that time, patient data may have been viewed or acquired. The file review was completed on August 15, 2024, and notification letters were mailed in early October. The affected individuals have been offered complimentary one-year memberships to credit monitoring and identity theft protection services through IDX. The website notice does not state what types of data were involved.