Florida Radiology Practice Announces 171K-record Data Breach
Data breaches have been announced by Doctors Imaging Group in Florida, Rectangle Health in New York, and Care N’ Care in Texas.
Doctors Imaging Group, Florida
Doctors Imaging Group, a Gainesville, Florida-based physician-owned radiology practice, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 171,862 current and former patients. Suspicious activity was identified within its computer network on or around November 11, 2024, and the forensic investigation confirmed that unknown actors accessed its network between November 5, 2024, and November 11, 2024. During that time, files were copied from its systems, some of which contained the protected health information of patients. The substitute breach notice does not say if this was an extortion attempt, such as a ransomware attack, and the HIPAA Journal has not identified any posts by ransomware groups claiming responsibility for the attack.
Doctors Imaging Group conducted a file review to identify the types of information exposed in the incident, which was completed on August 29, 2025. Data potentially compromised in the attack includes names, addresses, birth dates, admission dates, medical treatment information, claims information, Social Security numbers, patient account numbers, medical record numbers, financial account numbers, and account types. The affected individuals have been advised to monitor their account statements, explanation of benefits statements, and free credit reports for suspicious activity. Doctors Imaging Group has reviewed its data security policies and procedures and is evaluating additional cybersecurity tools to reduce the risk of similar incidents in the future.
Rectangle Health, New York
Rectangle Health, a Valhalla, NY-based software company that provides practice management software to healthcare providers, has recently notified the Maine Attorney General about a breach affecting 2,095 individuals, including 11 Maine residents. The incident involved unauthorized access to its Salesforce platform on August 14, 2025. The platform was used to store customer information. Rectangle Health did not state which cybercriminal group was involved.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The file review was completed on September 4, 2025, and confirmed that the stolen data includes names, dates of birth, and Social Security numbers. Notification letters were mailed to the affected individuals on October 8, 2025. Complimentary credit monitoring services are being offered to the affected individuals. Rectangle Health has confirmed to The HIPAA Journal that no patient data was compromised in the incident.
“Rectangle Health was informed by Salesforce that its platform storing customer information was subject to unauthorized access. Patient information is not stored on this platform. Our team conducted a review to determine what information could have been impacted and notified all potentially affected individuals. To date, Rectangle Health has seen no evidence of any fraudulent use of data as a result of this event. Rectangle Health maintains a mature security and compliance program grounded in HIPAA, SOC 2 Type II, and HITRUST frameworks. These independent certifications demonstrate that our controls for data protection, vendor oversight, and incident response are both tested and verified by third-party auditors.”
There has been a spate of attacks on Salesforce environments over the past few months, prompting the Federal Bureau of Investigation (FBI) to issue a Flash Alert in September. The alert warned that two cybercriminal groups – UNC6040 (ShinyHunters) and UNC6395 – were targeting Salesforce environments. In September, a hacking group called Scattered Lapsus$ Hunters started leaking stolen Salesforce data. Some members are believed to also be part of the ShinyHunters group. The group has attempted to extort Salesforce and has threatened to extort companies directly if Salesforce refuses to pay the ransom.
Care N’ Care, Texas
Care N’ Care, a Medicare Advantage health plan provider serving Medicare beneficiaries in North Texas, has recently notified the Texas Attorney General about a data breach affecting 32,452 Texas residents. While little is currently known about the data breach, this was a hacking incident that involved unauthorized access to protected health information, which may also have been stolen in the attack. The date of the cyberattack has not been publicly disclosed. The file review has confirmed that the exposed data includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information.
