OCH Regional Medical Center Notifies 51,000 Patients About September 2023 Data Breach
OCH Regional Medical Center in Mississippi is issuing notification letters to more than 51,000 patients about a data breach detected in September 2023. Data breaches have also been announced by Blue Cross and Blue Shield of Montana, and Northwest Radiologists/Mt. Baker Imaging in Washington state.
OCH Regional Medical Center
OCH Regional Medical Center in Starkville, Mississippi, has recently disclosed a security incident that occurred 19 months ago. A security breach was identified by its security team in September 2023, and immediate action was taken to block the unauthorized access. The forensic investigation confirmed that a threat actor first accessed its systems on September 6, 2023; however, the unauthorized access was not detected and blocked until September 14, 2023.
The subsequent file review confirmed that the threat actor gained access to the protected health information of 67,000 patients, including names, Social Security numbers, dates of birth, phone numbers, addresses, diagnoses, disability codes, account numbers, and insurance and payer information. OCH Regional Medical Center said forensics experts were engaged to assist with protecting patient data, and that “in compliance with HHS regulations, affected individuals will receive a formal notice with additional details.” The breach was reported to the HHS’ Office for Civil Rights on March 11, 2025, as involving the protected health information of 51,266 individuals.
What is lacking from the substitute breach notice is why it has taken so long to issue those notifications, when the HIPAA Breach Notification Rule requires notification letters to be issued without undue delay and no later than 60 days from the date of discovery of a data breach. OCH Regional Medical Center said additional cybersecurity measures are being implemented to prevent similar incidents in the future, and “OCH regrets any inconvenience and appreciates the community’s patience as the hospital continues working to enhance system security.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Northwest Radiologists & Mt. Baker Imaging
Northwest Radiologists and Mt. Baker Imaging in Bellingham, Washington, have recently disclosed a security incident that involved network disruption that affected some of its information technology systems. The incident was detected on January 25, 2025, and an investigation was launched, with assistance provided by third-party cybersecurity experts and the Federal Bureau of Investigation (FBI).
The substitute breach notice does not state for how long the threat actor had access to its network, but it has been confirmed that sensitive data was exfiltrated. The review of the affected files is ongoing, so the exact types of data for each individual have yet to be confirmed. In general, the information likely stolen in the incident included an individual’s name in combination with one or more of the following: address, telephone number, date of birth, email address, Social Security number, driver’s license or state identification card number, treatment or diagnosis information, provider name, medical record number or patient identification number, health insurance information, and/or treatment cost information. Northwest Radiologists and Mt. Baker Imaging said they are reviewing their data security policies and procedures and have already implemented additional network security measures. An update can be found in this post.
Blue Cross and Blue Shield of Montana, Illinois, Texas, & Oklahoma
Several Blue Cross and Blue Shield organizations have been affected by a security incident and are notifying members that some of their protected health information may have been accessible to unauthorized individuals through the Blue Access for Members (BAM) portal system. The substitute breach notice states that activity was identified in the BAM portal on February 11, 2025, that may have caused PHI to be viewed by unauthorized individuals. The investigation confirmed that the potential impermissible disclosures occurred between November 8, 2024, and March 5, 2025, although no evidence was found to indicate any access or misuse of the exposed data.
The BAM portal is used by members to find out information related to their membership, and includes information such as names, addresses, dates of birth, dates of service, telephone numbers, fax numbers, email addresses, medical record numbers, health plan beneficiary numbers, account numbers, medical/dental service and billing information. The affected individuals have been advised to review their Explanation of Benefits statements and report any services listed but not received. As a precaution against identity theft and fraud, the affected members have been offered complimentary identity theft protection services for 12 months.
Affected Entities
| Blue Cross and Blue Shield Organization | Individuals Affected |
| Blue Cross and Blue Shield of Illinois | 6,903 |
| Blue Cross and Blue Shield of Oklahoma | 1,020 |
| Blue Cross and Blue Shield of Texas | 593 |
| Blue Cross and Blue Shield of Montana | Currently unknown |
