
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

George E. Weems & Vibra Hospitals Announce Data Breaches

Data security incidents have recently been announced by George E. Weems Memorial Hospital in Florida, Vibra Hospital of Sacramento in California, the California-based plastic surgeon Michael R. Schwartz, MD, and the California-based biopharmaceutical company Travere Therapeutics.

George E. Weems Memorial Hospital

On October 20, 2025, George E. Weems Memorial Hospital in Apalachicola, Florida, started mailing notification letters to patients affected by a recent security incident involving unauthorized access to two employee email accounts. The intrusion was detected on May 12, 2025, and the investigation confirmed that the email accounts were subject to unauthorized access from May 6, 2025, to May 12, 2025.

The email accounts were reviewed, and on September 22, 2025, the hospital learned that the accounts contained patients’ protected health information, including names, addresses, phone numbers, email addresses, Social Security numbers, driver’s license numbers, account information, patient ID numbers, diagnoses and medical histories, provider names, dates of service, and health insurance information.

No evidence was found to indicate that any of the exposed information has been or will be misused, but as a precaution, individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring services. George E. Weems Memorial Hospital said it had taken many precautions to protect the privacy of patient information and will continue to review and enhance its measures to ensure privacy and security. The HHS’ Office for Civil Rights data breach portal indicates 2,607 individuals were affected.


Vibra Hospital of Sacramento

On October 3, 2025, Vibra Hospital of Sacramento in California started notifying patients about a security incident involving unauthorized access to six employee email accounts. Suspicious activity was identified within certain email accounts on or around March 13, 2025. Assisted by third-party cybersecurity experts, Vibra Hospital determined that the email accounts were accessed by an unauthorized third party from March 11, 2025, to March 22, 2025.

The review of the affected accounts was completed on August 4, 2025, when it was confirmed that protected health information had been exposed. The types of data involved vary from individual to individual and may have included names in combination with addresses, birth dates, Social Security numbers, dates of service, diagnoses, treatment information, physician/facility names, Medicare/Medicaid numbers, patient account numbers, and/or financial account numbers.

No evidence was found to indicate any misuse of the exposed data. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their financial accounts, free credit reports, and explanation of benefits statements, and as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Vibra Hospital has also taken steps to improve email security to prevent similar incidents in the future.

Michael R. Schwartz, MD, FACS

Michael R. Schwartz, MD, FACS, a plastic surgeon based in Westlake Village, California, has recently disclosed a security incident that involved unauthorized access to patient information. The intrusion was identified on or around August 25, 2025, and it was later confirmed that an unauthorized third party had remote access to a single computer from January 20, 2025, to August 26, 2025.

The review revealed that the threat actor may have accessed patients’ personal and protected health information, including names, addresses, email addresses, phone numbers, Social Security numbers, medical record numbers, and patient photographs. As a precaution, all office computers and servers have been replaced, security controls have been strengthened, and additional data security training has been provided to the workforce. The affected individuals have also been offered 12 months of complimentary identity theft protection services. The HHS’ Office for Civil Rights data breach portal indicates that the protected health information of 9,080 individuals was compromised in the incident.

Travere Therapeutics

The San Diego, CA-based biopharmaceutical company, Travere Therapeutics, has recently notified the Massachusetts Attorney General about a recent security incident in which sensitive patient data may have been stolen. The notification letter does not include details of the incident, such as when it was detected, how long the unauthorized access lasted, or how many individuals have been affected, only that the information potentially compromised in the incident included names, addresses, phone numbers, email addresses, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring services for 24 months.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
