MACT Health Board Patients Affected by November 2025 Ransomware Attack
MACT Health Board has confirmed that patient data was stolen in a November 2025 cyberattack, for which the INC Ransom ransomware group claimed credit. Data breaches have also been announced by TriCity Family Services in Illinois, HAP (Health Alliance Plan) in Michigan, and Zenflow in California.
MACT Health Board, California
MACT Health Board, a provider of healthcare services to the American Indian and Alaskan Native population in Mariposa, Amador, Alpine, Calaveras & Tuolumne counties in California, has notified individuals affected by a November 2025 security incident. MACT Health board launched an investigation into a potential security breach when it experienced disruption to its IT systems. The investigation confirmed that an unauthorized third party had access to its computer network from November 12, 2025, to November 20, 2025. A review of the exposed files commenced on November 25, 2025, and was completed on January 9, 2026.
Patient information compromised in the incident included names in combination with one or more of the following: diagnoses, test results, medical images, treatment information, doctors’ names, and or Social Security numbers. Notification letters started to be mailed to the affected individuals on January 23, 2026, and individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. Additional safeguards and technical security measures have been implemented to prevent similar incidents in the future. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected. The Rhysida ransomware group has claimed responsibility for the attack, has uploaded samples of identity documents to its data leak site, and is threatening to auction the stolen data if the ransom is not paid.
TriCity Family Services, Illinois
TriCity Family Services, a provider of counseling and mental health services to residents in Kane County, Illinois, has started notifying 2,511 patients about a data security incident. In the spring of 2025, suspicious activity was identified within its computer network. An investigation was launched, and it was confirmed that an unauthorized actor had access to its computer network from November 11, 2024, to May 14, 2025. During that time, sensitive data was exfiltrated from its network.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The file review confirmed that the following information was included in the exfiltrated files: names, dates of birth, presenting health issues, requested treatment, treatment location, and provider names. Its electronic medical record system was not accessed in the attack. TriCity Family Services said it is reviewing its policies, procedures, and processes related to the storage and access of sensitive information and will take steps to improve security to prevent similar incidents in the future.
While the nature of the incident was not disclosed, the INC Ransom ransomware group claimed responsibility for the attack and added TriCity Family Services to its dark web data leak site. INC Ransom claimed to have exfiltrated 22 GB of data in the attack.
HAP (Health Alliance Plan), Michigan
HAP (Health Alliance Plan) in Michigan has notified 1,059 individuals about the exposure of some of their protected health information as a result of a phishing attack. On October 24, 2025, an employee responded to a phishing email and inadvertently disclosed their credentials, allowing the threat actor to access their account. The investigation was unable to determine if any member information was accessed or acquired in the incident, so notification letters were sent to all potentially affected individuals. Protected health information in the account was limited to names, addresses, dates of birth, and HAP ID numbers, and for a limited number of individuals, Social Security numbers. The affected individuals have been offered two years of complimentary identity theft protection services as a precaution.
Zenflow, California
Zenflow, a San Francisco-based medical device company, has recently notified individuals about a security incident. Limited information about the incident has been released to date, such as when the incident occurred, the nature of the security breach, or for how long its computer systems were subject to unauthorized access. The data breach notice submitted to the Massachusetts Attorney General indicates that names and Social Security numbers were involved, and that single-bureau credit monitoring and identity theft protection services have been offered to the affected individuals for 24 months. It is currently unclear how many individuals have been affected.
