Tens of Thousands of Patients Affected by Two Business Associate Data Breaches
Mid Michigan Medical Billing Service, a Flint, MI-based revenue cycle management company that provides billing support services to HIPAA-covered entities, has fallen victim to a cyberattack that exposed the sensitive data of patients of its healthcare clients.
Suspicious network activity was identified on March 27, 2025, and the forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The affected data was reviewed to determine the types of information involved and the affected individuals. Mid Michigan Medical Billing Service then notified the affected covered entity clients and worked with them to provide notice to the affected individuals. The Qilin ransomware group claimed responsibility for the attack.
The file review confirmed that the protected health information of 28,185 individuals had been exposed in the cyberattack. The compromised data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, driver’s license/ government issued identification number, Medicare/Medicaid identification number, diagnosis/treatment information, medical record number/patient account number, health insurance information, payment card number, employer identification number, passport number, treating/referring provider name, and biometric data. For a limited number of individuals, Social Security numbers were involved.
VillageCareMAX, New York
VillageCareMAX, a New York, NY-based provider of health plans and community healthcare services to seniors and individuals with chronic diseases, has announced a data breach involving one of its business associates, TMG Health.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
VillageCareMAX uses the Cognizant-owned TMG Health to assist with the administration of its members’ health plans. TMG Health identified unauthorized activity within its information system on September 19, 2025. The unauthorized access was immediately terminated, and an investigation was launched to determine the nature and scope of the unauthorized activity. TMG Health determined that an unauthorized third party had access to its network for 10 months from November 20, 2024, to September 19, 2025. During that time, VillageCareMAX members’ protected health information may have been accessed and acquired.
The affected data included names, member identification numbers, health information, and Social Security numbers. While no misuse of that data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft recovery services. VillageCareMAX has received assurances that TMG Health has implemented technological and procedural enhancements to prevent similar incidents in the future.
VillageCareMAX provides services to more than 35,000 individuals each year. It is currently unclear how many of those individuals have been affected.
