Healthcare Data Breaches Reported in Georgia, Washington & New Hampshire
Cyberattacks and data breaches have recently been announced by Pineland Community Service Board in Georgia, Klickitat Valley Health in Washington, and Concord Orthopaedics and Welts, White, & Fontaine in New Hampshire.
Pineland Community Service Board, Georgia
Pineland Community Service Board, a Statesboro, GA-based provider of behavioral health and developmental disability services, has suffered a cyberattack and data breach. On March 20, 2025, Pineland Community Service Board disclosed a security incident detected on January 20, 2025. Suspicious activity was identified within its network, and an investigation was launched to determine the cause of the activity and return functionality to its network. The forensic investigation confirmed unauthorized network access between November 24, 2024, and January 20, 2025, during which time the threat actor viewed or copied information from its network.
The review of the affected files is ongoing, and it has yet to be confirmed how many individuals have been affected; however, Pineland Community Service Board said information likely compromised in the incident includes names, dates of birth, Social Security numbers, and medical information such as billing information, medical treatment information, dates of service, diagnosis information, medical record information, and guardian information, and potentially other types of information. Notification letters will be mailed to the affected individuals when the file review is concluded.
A ransomware group called Space Bears has added Pineland Community Service Board to its data leak site. The listing claims the stolen data was published a month ago; however, the listing contains no data.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Concord Orthopaedics, New Hampshire
Concord Orthopaedics in New Hampshire has started notifying certain patients about a security incident at a third-party vendor used to check in patients for appointments. The unnamed vendor notified Concord Orthopaedics about the security incident on November 21, 2024, after it was determined there had been unauthorized access to the patient registration and appointment scheduling software. The investigation found no evidence that the threat actor accessed any other systems, such as Concord’s electronic medical record system and internal network.
The data in the appointment software included names, dates of birth, Social Security numbers, health insurance information, and appointment information, which may have included the treating physician name, date/location of the appointment, and the appointment type (surgical, MRI, etc). Driver’s license numbers or state identification numbers were involved for a portion of the affected individuals.
Concord Orthopaedics did not state the nature of the incident, but this was a ransomware attack by the Everest Ransomware group, which added the stolen data to its data leak site. It is not clear how many individuals have been affected at this stage, as the incident is yet to appear on the HHS’ Office for Civil Rights Breach portal. The New Hampshire Attorney General was notified that the breach involved the data of 67,835 state residents.
Welts, White, & Fontaine, New Hampshire
The law firm Welts, White, & Fontaine has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 500 individuals. The 500 total is a commonly used placeholder figure when the total number of affected individuals has yet to be established. The New Hampshire law firm explained that an unauthorized actor accessed its network on or around January 8, 2025, and copied files from its file server. Third-party cybersecurity experts were engaged to investigate the incident and analyze the extent of data theft.
On January 14, 2025, it was confirmed that data had been exfiltrated, including personal and protected health information provided to the firm in connection with the services it provides. The types of data involved were not disclosed in the substitute breach notice. No misuse of the stolen data has been detected, but as a precaution, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months.
Klickitat Valley Health, Washington
Klickitat Valley Health in Washington State has notified 531 individuals about a recent security breach. Unauthorized network activity was detected on February 23, 2025, and on February 18, 2025, it was confirmed that an unauthorized actor copied data from its network. The data review confirmed that names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and patient account numbers were involved and, for certain individuals, information related to care received, such as dates of service, physician names/departments, and diagnosis/treatment information. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved.
