25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Lake Washington Vascular Ransomware Attack Affects 21,500 Patients

Posted By on Mar 20, 2025

Hacking incidents have been announced by Lake Washington Vascular, Topy America, HealthRev Partners, and St. Charles County Ambulance District and a mobile device has been stolen from an employee of Roswell Park Comprehensive Cancer Center.

Lake Washington Vascular

Lake Washington Vascular, a surgical center in Bellevue, Washington, has fallen victim to a ransomware attack. According to the substitute breach notice on the Lake Washington Vascular website, the cyberattack occurred shortly before 5.00 a.m. on February 14, 2025. Alerts were generated that an unauthorized third party was attempting to install malware, and its technology team responded quickly and was able to stop the attack and minimize its impact; however, the ransomware encrypted its electronic health record and practice management systems.

The Qilin ransomware group claimed responsibility for the attack and demanded a ransom payment; however, Lake Washington Vascular was able to restore files from secure off-site backups with minimal information loss, and the ransom was not paid. Lake Washington Vascular’s investigation and file review confirmed the data of 21,534 patients was potentially compromised in the attack.

Lake Washington Vascular was unable to determine exactly what information was viewed or extracted from its systems and said the information likely compromised included names, dates of birth, addresses, diagnostic test results, medical histories, diagnosis and treatment information, payer identification numbers, and government-issued identifiers. Credit/debit card and financial account information was not stored in its systems so were not compromised in the incident. Individual notification letters have been mailed to the affected individuals.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Roswell Park Comprehensive Cancer Center

Roswell Park Comprehensive Cancer Center in Buffalo, New York, has notified 11,435 patients about the exposure of some of their protected health information. In late October 2024, an unidentified individual stole the mobile phone of a Roswell Park employee. Systems had been installed that allowed the service to be disabled; however, the investigation confirmed that a Roswell Park email account was accessible through the Microsoft Outlook app on the phone.

Roswell Park’s investigation found no evidence that the account was accessed or information in the account was viewed or copied but it was not possible to rule out the possibility that patient data had been compromised. The account review confirmed that a limited amount of patient data had been exposed including names, medical record numbers, dates of birth, treatment dates, encounter numbers, and patients’ ages. Roswell Park said it is continuing to work with Microsoft on improving account security, security policies and procedures are being strengthened, and the workforce has been retrained on securing and protecting mobile devices.

Topy America

Topy America Inc., a Frankfort, Kentucky-based manufacturer of automotive products, has had its network accessed by unauthorized individuals. The intrusion was detected on January 13, 2025, and the investigation confirmed that an unauthorized third party had access to its network between December 8, 2024, and January 11, 2025. During that time, files were copied from its systems, some of which contained the information of current and former employees, as well as beneficiaries and dependents of those employees. The compromised data included files maintained by its human resources department in connection with its self-insured health plan.

The data varied from individual to individual and may have included names, addresses, Social Security numbers, dates of birth, claims information (including medical or health treatment information such as provider name and/or medical treatment information), and information related to enrollment in a medical, dental or vision plan, which may have included member ID, gender, coverage type, and effective dates.

Individual notification letters were mailed to the affected individuals on March 14, 2025, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were involved. Topy America said it has already taken steps to improve data security to prevent similar incidents in the future. The data breach was recently reported to the HHS’ Office for Civil Rights as involving the protected health information of 1,827 individuals.

St. Charles County Ambulance District

St. Charles County Ambulance District (SCCAD) in St. Peters, Missouri, has notified 1,265 individuals about a security incident on January 17, 2025. The district’s technology team identified a single user account that had been accessed by an unauthorized individual based outside the United States in “a sophisticated malware attack.” The threat was rapidly neutralized; however, the account review confirmed that sensitive data had been exposed and may have been obtained by the threat actor.

The exposed information related to individuals who previously had received treatment or transportation services from SCCAD and included names, addresses, dates of birth, and certain care interventions performed during treatment. For certain individuals, the destination hospital and other treatment-related data were also exposed. The affected individuals have been offered complimentary identity theft protection services for 12 months. Steps taken in response to the incident include enhancing system monitoring and threat detection, strengthening employee cybersecurity training, and conducting a comprehensive review of its security policies.

HealthRev Partners

HealthRev Partners, an Ozark, MO-based company that provides software solutions for home health and hospice agencies, has identified unauthorized access to employee email accounts. The data breach was detected on February 20, 2025, and immediate action was taken to secure the accounts and prevent further unauthorized access. The account reviews confirmed they contained the protected health information of 1,446 patients. Affected individuals are being notified by mail and will be informed about the exact types of information involved.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist