Florida Pediatric ENT Specialists Confirm Data Breach Affecting 44,000 Individuals
Pediatric Otolaryngology Head & Neck Surgery Associates has reported a data breach affecting almost 44,000 patients. Anchorage Neighborhood Health Clinic in Alaska is investigating a potential security breach that may have affected up to 10,000 patients, and Valley Mountain Regional Center has exposed data over the Internet.
Pediatric Otolaryngology Head & Neck Surgery Associates, Florida
Pediatric Otolaryngology Head & Neck Surgery Associates (POHNS) in Florida recently reported a data breach to the HHS Office for Civil Rights affecting 43,446 individuals. POHNS first announced the data breach on April 25, 2025. Unusual activity was identified within its computer network on February 24, 2025. The forensic investigation confirmed unauthorized access between February 19 and February 24, 2025, including access to patients’ protected health information. The file review confirmed that a range of patient data had been exposed, although the information involved varied from individual to individual.
Data potentially compromised in the incident included names in combination with one or more of the following: address, email address, phone number, Social Security number, driver’s license/state ID number, financial account information, taxpayer ID number, digital signature, date of birth, medical diagnosis/treatment information, prescription information, date of service, patient ID number, provider name, medical record number, Medicare/Medicaid number, health insurance information, health insurance claim number, health insurance policy number, and/or treatment cost information. Notification letters have been mailed to the affected individuals who have been offered complimentary credit monitoring and identity protection services.
Anchorage Neighborhood Health Clinic, Alaska
Anchorage Neighborhood Health Clinic, a Federally Qualified Health Center in Alaska, has confirmed to local media that it is investigating a claim from a hacker about unauthorized access to the personal and health information of 10,000 patients.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Notifications have been issued to patients warning them about a potential security incident after the health center learned that the hacker had contacted certain patients directly. In some cases, the emails sent to patients included information such as their name, address, Social Security number, date of birth, phone number, driver’s license, and health insurance information. Patients have been advised not to interact with any communications they receive from the hacker.
On August 26, 2025, the health center posted a notice on its Facebook page explaining that technical difficulties are being experienced with computer systems, which prevent appointment scheduling, and that phone lines are down. Some progress has been made restoring the affected systems; however, a follow-up post on September 2, 2025, warned that there was only limited computer access due to ongoing technical difficulties, and the phone lines had not been restored by September 9, 2025. The Facebook posts suggest that this was a ransomware attack. The investigation is ongoing, and the extent of any data theft has yet to be confirmed.
Valley Mountain Regional Center
Valley Mountain Regional Center, a Stockton, CA-based provider of support services to individuals with intellectual and developmental disabilities and their families, has recently notified 529 individuals about the accidental exposure of some of their protected health information. On July 14, 2025, a list of State Supplemental Payment (SSP) vendors was posted on its website.
An SSP is an additional payment from the state government that is used to help individuals with disabilities who are living independently. Valley Mountain Regional Center said it discovered that the list contained consumer information such as name, address, city, state, zip code, phone number, vendor name, service code, and service description.
The error was identified quickly, and the list was removed within 18 hours of posting. Valley Mountain Regional Center said it is unaware of any misuse of the exposed information and stressed that Social Security numbers and financial account information were not exposed. Steps have been taken to improve policies and protocols to ensure that similar errors are not made in the future.
