Small Nebraska Critical Access Hospital Announces Data Breach
Genoa Medical Facilities, which operates a 19-bed critical access hospital in Nebraska, has discovered unauthorized access to its email environment. Email breaches have also been confirmed by Vail Summit Orthopaedics & Neurosurgery in Colorado and Southern Immediate Care in Alabama.
Genoa Community Hospital (Genoa Medical Facilities), Nebraska
Genoa Medical Facilities, which includes Genoa Community Hospital, a 19-bed critical access hospital, a 39-bed nursing home, and a medical clinic in Nebraska, has discovered unauthorized access to an employee’s email account. Suspicious email activity associated with a single email account was identified in March 2025. The forensic investigation confirmed that the breach was limited to a single account, and the account was reviewed to determine whether patient data had been exposed.
The review was completed on July 8, 2025, when it was confirmed that names, dates of birth, Social Security numbers, other government ID numbers, financial account information, medical treatment/diagnosis information, and health insurance information had been exposed. Notification letters are being sent to the affected individuals, and steps have been taken to improve email security. At the time of issuing notification letters, no misuse of the exposed information had been identified. The HHS’ Office for Civil Rights (OCR) breach portal indicates 2,544 individuals have been affected.
Vail Summit Orthopaedics & Neurosurgery
Vail Summit Orthopaedics & Neurosurgery in Colorado has recently disclosed a breach of its email environment. Suspicious activity was identified on August 6, 2024. Immediate action was taken to prevent further unauthorized access, and cybersecurity professionals were engaged to investigate the activity. The investigation confirmed that an unauthorized third party accessed and acquired files, and a review has been conducted to determine the types of information involved and the individuals affected.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
On July 24, 2025, Vail Summit confirmed that some patient information was copied in the incident, although no evidence has been uncovered to indicate any misuse of that data. The types of information involved vary from individual to individual and may include names in combination with one or more of the following: address, email address, phone number, date of birth, Social Security number, health insurance information, treatment/insurance cost, diagnosis/treatment/procedure information, medical history/allergies, prescription drugs taken, medical images, test results/vital signs, healthcare provider name, and treatment date and location.
Single-bureau credit monitoring, credit report, and credit score services have been offered to the affected individuals. There is currently no listing on the OCR breach portal, so it is unclear how many individuals have been affected.
Southern Immediate Care, Alabama
Southern Immediate Care, an urgent care provider in Alabama, has announced a security incident involving two employee email accounts. Suspicious activity was identified in the accounts on April 15, 2025. An investigation has been launched, and the accounts are being reviewed to determine the extent to which patient information has been exposed. While that review is ongoing, Southern Immediate Care believes that both email accounts contain patient information. Notification letters will be mailed to the affected individuals when the review is completed. At present, no reports of misuse of patient data have been received.
