25% off all training courses Offer ends June 26, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends June 26, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Medical Billing Company Data Breach Affects 7 Medical Groups

Posted By on Jun 1, 2026

The Las Vegas medical billing and coding management company, La Perouse, has announced a data breach that has affected seven of its medical group clients. Data breaches have also been announced by Acadia Healthcare Company, Harbor Regional Center, United Medical Systems, and Ohio ENT & Allergy Physicians.

La Perouse

La Perouse LLC, a Las Vegas, NV-based medical billing and coding management company, has notified the California Attorney General about a breach of one of its third-party billing platforms. Potential unauthorized activity was first identified on July 8, 2025. The platform and its network environment were secured, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The investigation confirmed that the unauthorized access was confined to the third-party billing platform and that sensitive data stored within that platform had been copied by the attacker. The review of the affected data was completed in the Spring of 2026, and notification letters were mailed to the affected individuals on April 17, 2026. The data compromised in the incident varies from individual to individual and may have included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, patient identification and medical record numbers, medical information, and health insurance information.

La Perouse worked with its third-party billing platform provider to implement additional technical safeguards, enhance security measures, and update security policies and procedures. The affected individuals have been offered at least 12 months of complimentary credit monitoring services. The affected individuals had received medical services from one or more of the following healthcare providers;

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

  • Beach Emergency Medical Associates
  • Centinela Freeman Emergency Medical Associates
  • Chino Emergency Medical Associates
  • Hollywood Presbyterian Emergency Medical Associates
  • Montclair Emergency Medical Associates
  • Tarzana Emergency Medical Associates
  • Temecula Valley Hospitalist Medical Group

The incident was reported to the HHS’ Office for Civil Rights in September 2025 using a placeholder estimate of at least 501 individuals. The total has yet to be updated.

Acadia Healthcare Company

Acadia Healthcare Company, the operator of a network of almost 280 behavioral healthcare facilities in 40 U.S. states and Puerto Rico, has recently disclosed a data security incident that was first identified in March 2026. Suspicious activity was observed within an employee’s email account. The email account was secured, and an investigation was launched to determine the nature and scope of the activity. The forensic investigation determined that the account and an associated SharePoint account were accessed by an unauthorized third party between March 21 and March 25, 2026, as a result of social engineering attacks. No other systems were involved.

The data review was completed on May 15, 2026, and confirmed that the information compromised in the incident included names, addresses, dates of birth, treatment information, health insurance information, admission dates, diagnosis codes, patient statuses, Medicare insurance claim numbers, and, for some individuals, Social Security numbers. Notification letters started to be mailed to the affected individuals on May 22, 2026. Acadia Healthcare Company said additional cybersecurity measures have been implemented to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Harbor Regional Center

Harbor Developmental Disabilities Foundation, doing business as Harbor Regional Center, a Long Beach, CA-based provider of services to individuals with developmental disorders, identified suspicious activity within its computer network on or around March 7, 2026. The forensic investigation confirmed unauthorized access to its computer network between March 6 and March 7, during which time, files may have been viewed or copied from the network.

On May 15, 2026, Harbor Regional Center completed its review of the exposed files. The exact types of information involved are detailed in the individual notification letters that have recently been mailed to the affected individuals. The number of affected individuals has yet to be publicly disclosed. The affected individuals have been offered single-bureau credit monitoring and identity theft protection services, and steps have been taken to improve security to prevent similar breaches in the future.

Ohio ENT & Allergy Physicians

Ohio ENT & Allergy Physicians in Columbus, Ohio, has recently reported a data breach to the Maine Attorney General that involved unauthorized access to the personal and protected health information of 324 individuals, including 1 Maine resident. A cybersecurity incident was detected on March 30, 2026, when suspicious activity was identified on a workstation within its network environment. The forensic investigation confirmed unauthorized access between March 29, 2026, and March 30, 2026. The review of all potentially exposed files was completed on May 18, 2026. Data exposed in the incident included full names and Social Security numbers. Notification letters were mailed to the affected individuals on May 29, 2026.

Ohio ENT & Allergy Physicians has implemented additional technical safeguards and has enhanced its security measures to prevent similar incidents in the future, and complementary credit monitoring services have been offered to the affected individuals.

United Medical Systems

Westborough, Massachusetts-based mobile specialty healthcare service provider United Medical Systems has disclosed a data breach affecting 485 individuals. According to the notification letters, which were mailed to the affected individuals on May 20, 2026. The forensic investigation confirmed that names, driver’s license numbers, and Social Security numbers were exposed in the incident. As a precaution against identity theft and fraud, the affected individuals have been offered complimentary single-bureau credit monitoring and identity theft protection services for 24 months, and steps have been taken to enhance security to prevent similar incidents in the future.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist