Gateway Community Services Announces 34,500-Record Data Breach
Data breaches have recently been announced by Gateway Community Services, the Mental Health Association in Massachusetts, Horizon Blue Cross Blue Shield NJ, CareOregon, and Health Share of Oregon.
Gateway Community Services, Inc.
Gateway Community Services, Inc. (GCS), a behavioral health and addiction treatment service provider in Jacksonville, Florida, has recently notified 34,498 current and former patients that some of their protected health information was stolen in an April 2025 network security incident.
The notification letters do not state when the network intrusion was detected, only that hackers gained access to its network environment on April 11, 2025. When the intrusion was detected, GCS took immediate action to secure its network and engaged third-party cybersecurity experts to conduct a forensic investigation to determine the nature and scope of the unauthorized activity.
The investigation revealed that certain data had been exfiltrated from its network. A comprehensive review was conducted to determine which individuals had been affected and the types of data involved, and that process was completed on May 16, 2025. The types of data compromised in the incident vary from individual to individual and include first and last names, addresses, Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, medical treatment information, and health insurance information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
GCS said it has no reason to believe that any of the compromised information has been misused; however, it has arranged for complimentary credit monitoring and identity theft protection services to be provided to all affected individuals for 12 months, regardless of the types of data compromised in the incident. GCS has also reviewed and enhanced its technical safeguards to prevent similar incidents in the future.
Mental Health Association
Mental Health Association (MHA), a Chicopee, MA-based healthcare provider, has notified the Maine Attorney General about a hacking-related data breach affecting 12,633 individuals. MHA identified suspicious activity within its computer network on December 2, 2024, and worked with its managed service provider to secure its systems. A third-party digital forensics company was engaged to investigate the activity and confirmed there had been unauthorized access to its network by a threat actor, who may have exfiltrated data.
All files on the compromised parts of its network were reviewed over the following months to determine the individuals affected and the types of data involved. That process was completed on May 20, 2025, when a final list of the affected individuals was obtained. The affected individuals had some or all of the following information stolen in the incident: name, address, Social Security number, date of birth, financial account information, driver’s license number, medical diagnosis/condition, medications, medical record number, and other medical information.
MHA has implemented additional safeguards to better protect information stored on its network and will continue to make enhancements to mitigate the risk of further security incidents. Notification letters have been mailed to the affected individuals, and complimentary credit monitoring and identity theft protection services have been made available.
CareOregon/ Health Share of Oregon
Health insurers CareOregon and Health Share of Oregon have recently announced an impermissible disclosure of plan members’ protected health information. A mismailing incident was identified on April 4, 2025, when it was discovered that documents intended for a local hospital and its clinics had been sent to an incorrect address.
The documents included plan members’ first and last names, their health plan, ID number, claim number, and the clinic where they received services. No Social Security numbers or financial information were impermissibly disclosed. CareOregon and Health Share of Oregon identified the issue that caused the mailing error and are in the process of implementing new procedures for checking addresses to prevent similar mismailing errors in the future. All relevant staff members have also been provided with additional training.
Individuals who received services from Jackson Care Connect, a provider of physical, behavioral, and dental healthcare to Oregon Health Plan members in Jackson County, Oregon, are known to have been affected. The breach was reported to the HHS’ Office for Civil Rights on May 30, 2025, as affecting 1,786 individuals.
Horizon Blue Cross Blue Shield NJ
Horizon Blue Cross Blue Shield NJ, has notified 781 individuals about a recent Horizon Member Portal incident that potentially involved unauthorized access to their protected health information. On April 3, 2025, the Horizon cybersecurity team observed an unauthorized third party attempting to register accounts on the member portal for individuals who had not previously registered for an account.
The information used to open accounts was likely obtained in a previous data breach at a non-Horizon entity. When accounts were successfully created, the threat actor was able to access protected health information such as full names, mailing addresses, email addresses, phone numbers, dates of birth, dates of service, group numbers, claim numbers, provider names, and generic descriptions of the services provided. Horizon Blue Cross Blue Shield NJ stressed that the attacker did not gain access to financial information or Social Security numbers.
All of the accounts that were created by the threat actor have now been disabled, security policies and procedures have been reinforced, and additional safeguards have been implemented to prevent further unauthorized account creation. As a precaution, the affected individuals have been advised to review their explanation of benefits statements and should report any healthcare services listed that have not been received.
