25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Mt. Spokane Pediatrics Data Breach Affects 32,000 Patients

Posted By on May 13, 2026

A cyberattack on Mt. Spokane Pediatrics exposed the data of more than 32,000 patients. Data breaches have also been announced by Cornerstone Care Center in California and Michigan Medicine.

Mt. Spokane Pediatrics

Mt. Spokane Pediatrics in Washington state has started notifying 32,021 individuals about the theft of some of their personal and protected health information in a January 2026 cyberattack. According to its website breach notice, the attack occurred on or around January 1, 2026, and the threat actor was found to have exfiltrated files containing patients’ protected health information. The forensic investigation determined on April 22, 2026, that the data exfiltrated in the attack included full names, dates of birth, Social Security numbers, diagnoses, treatment information, patient numbers, medical record numbers, health plan beneficiary numbers, and dates of service.

Mt. Spokane Pediatrics said it is unaware of any actual or attempted fraud as a result of the data breach. Complementary single-bureau credit monitoring services have been offered to the affected individuals as a precaution. The breach notice does not mention ransomware; however, a ransomware group claimed responsibility for the attack. The Lockbit5 ransomware group added Mt. Spokane Pediatrics to its dark web data leak site on January 3, 2026, and threatened to leak the stolen data in 20 days if the ransom was not paid.

Sanger Skilled Care (Cornerstone Care Center)

Sanger Skilled Care, LLC, doing business as Cornerstone Care Center, a skilled nursing and long-term care facility in Sanger, California, has issued prompt notifications about a recent security incident identified on or around April 7, 2026. According to its substitute data breach notice, unauthorized network access was identified on April 7, 2026. Steps were taken to contain the incident, and an investigation was launched to determine the nature and scope of the activity. On April 16, 2026, the investigation was completed, and it was confirmed that the breach was confined to a single account, which contained some protected health information.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The data review confirmed that the exposed data includes names, dates of birth, lab results, diagnoses, prescription and treatment information, provider names, medical record numbers, patient identification numbers, Social Security numbers, health insurance information, and dates of services. Notification letters were mailed to the affected individuals on May 1, 2026, and 12 months of complimentary credit monitoring services have been offered. At present, the number of affected individuals has not been publicly disclosed.

University of Michigan (Michigan Medicine)

The University of Michigan (Michigan Medicine) has recently announced that it has been affected by a data breach involving its electronic medical record company, Epic Systems Corporation. Michigan Medicine was one of several healthcare providers to be affected by the incident, which involved unauthorized access to patient records through a nationwide health information exchange. Third-party companies accessed patient records for reasons unrelated to patient care. Those companies had been granted access after claiming they had a legitimate need to access patient records; however, patient information was accessed for reasons unrelated to the provision of healthcare services.

Michigan Medicine was informed about the breach by Epic Systems, and its internal review determined in March 2026 that 551 individuals had been affected. The types of information viewed or obtained included names, addresses, phone numbers, email addresses, dates of birth, medical record numbers, diagnoses, medications, allergies, test results, treatment information, and health insurance information. Michigan Medicine is working with Epic and the relevant exchange and network parties to investigate the incident and is monitoring the litigation initiated by Epic Systems in response to the unauthorized access.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist