
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

McKenzie Memorial Hospital Announces Data Breach Affecting Almost 59,000 Patients

McKenzie Memorial Hospital in Michigan has reported a hacking incident affecting almost 59,000 patients. Arbor Associates in Massachusetts has reported a 17K-record data breach, and data breaches have been confirmed by Blue Shield of California and Human Development Services of Westchester.

McKenzie Memorial Hospital, Michigan

McKenzie Memorial Hospital in Sandusky, Michigan, has recently disclosed a cybersecurity incident that was detected on or around April 15, 2025, when suspicious activity was identified within its network. McKenzie Memorial did not state whether ransomware was used, only that the forensic investigation confirmed that its network was accessed by an unauthorized third party between April 14, 2025, and April 15, 2025. During that time, files containing patients’ protected health information may have been accessed.

The investigation and file review were completed on June 19, 2025, and confirmed that the potentially compromised information included names, Social Security numbers, and financial account information. The data breach was recently reported to the Maine Attorney General as affecting 54,016 individuals; however, OCR has been informed that 58,839 individuals had their protected health information exposed. Credit monitoring and identity theft protection services have been offered for 12 months, and the hospital is strengthening network security and reviewing its data security policies and procedures.

Arbor Associates, Massachusetts

Arbor Associates, a business associate that helps healthcare organizations collect patient survey analytics, has recently announced a data security incident that involved unauthorized access to patient data. Unusual network activity was detected on April 17, 2025, and independent cybersecurity experts were engaged to investigate the activity. They confirmed that there was unauthorized access to its network between April 15, 2025, and April 17, 2025, during which time files containing patient information may have been acquired.

The file review was completed in May 2025, and the affected healthcare partners were notified. Data potentially compromised in the incident includes first and last name, contact information, age, biological sex, date of birth, service date, CPT or diagnosis code, medical record number, name of insurance, and/or doctor’s name. Arbor Associates started mailing notification letters on behalf of the affected clients on July 3, 2025. The data breach was reported to the HHS’ Office for Civil Rights as a network server incident affecting 17,040 individuals.

Blue Shield of California

The health insurer Blue Shield of California (BSC) has recently notified the California Attorney General about a HIPAA breach. On May 22, 2025, BSC learned that a broker with Harmon Insurance Services had passed away, and the late broker’s husband had accessed her online client list after her death. He then asked a friend, who was also a broker, to assist her clients. A former employee of the late broker may also have accessed the client list and client applications between March 25, 2025, and May 22, 2025.

The access was unauthorized, and upon discovery, the login credentials were revoked to prevent further unauthorized access. No evidence was found to indicate any acquisition of members’ information. Information potentially accessed included names, member IDs, Social Security numbers, birth dates, addresses, phone numbers, group ID numbers, and Medicare numbers.

The affected individuals have been notified by mail and offered a one-year membership to an identity theft protection service. The OCR data breach portal lists the incident as affecting 1,543 individuals. A later breach report indicates that an email breach also occurred that affected 673 individuals.

Human Development Services of Westchester, New York

Human Development Services of Westchester, a provider of community-based direct-care services for vulnerable populations in New York State, has recently announced unauthorized access to its email tenant. Suspicious activity was identified within a single email account, and the forensic investigation confirmed unauthorized access between May 19, 2025, and May 20, 2025. The review of the account and attachments is ongoing, so it is not yet possible to determine the exact types of information involved or the number of affected individuals. The account likely contained employee and patient information.

Email security is currently being reviewed, and new cybersecurity tools are being assessed. The breach has been reported to the HHS’ Office for Civil Rights using an interim figure of 501 affected individuals. The total will be updated when the review concludes.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
