The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Texas Centers for Infectious Disease Associates Announces 19K-Record Data Breach

Data breaches have recently been announced by Texas Centers for Infectious Disease Associates, Shelby County Chris A. Myrtue Memorial Hospital, and Radiology Associates of Richmond, and ransomware groups have claimed responsibility for attacks on seven healthcare organizations.

Texas Centers for Infectious Disease Associates

Texas Centers for Infectious Disease Associates, a private practice infectious disease group serving the Dallas-Fort Worth Metroplex, has announced a cyberattack and data breach first detected on July 19, 2024. Suspicious activity was identified within its computer network, and the forensic investigation confirmed that an unauthorized third party accessed its systems as a result of a security breach at a former third-party billing vendor.

An analysis of the exposed files confirmed they contained patient information such as names, Social Security numbers, birth dates, medical record numbers, driver’s license numbers, health insurance numbers, Medicare numbers, Medicaid numbers, health insurance information, and medical and treatment information. While no mention was made in the breach notice about the group responsible for the attack, the BianLian threat group claimed responsibility and said it exfiltrated 300 GB of data. The data breach was recently reported to the Maine Attorney General as affecting 19,776 individuals. The notification to the HHS’ Office for Civil Rights indicates that the protected health information of 19,481 patients was compromised. Notification letters started to be mailed to the affected individuals on June 26, 2025.

Myrtue Medical Center, Iowa

On June 27, 2025, Shelby County Chris A. Myrtue Memorial Hospital (Myrtue Medical Center) in Iowa announced it had fallen victim to a cyberattack identified on or around June 13, 2025. A prompt substitute data breach notice was added to its website, alerting patients that an unauthorized third party accessed its network and may have viewed or acquired files containing patient information.

Third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity, and the investigation and data review are ongoing. No information has been released at the time of writing about the number of individuals affected or the types of data involved. Myrtue Medical Center said written notifications will be mailed to the affected individuals when the investigation and file review have concluded, and has warned that those processes will take time to complete.

Myrtue Medical Center reassured patients that data privacy and security are among its highest priorities, and it is committed to doing everything possible to protect the privacy and security of sensitive data in its care, including enhancing security measures to prevent similar incidents in the future.

Radiology Associates of Richmond

Radiology Associates of Richmond, Inc. (RAR), a provider of medical imaging services to hospitals in central Virginia and through three outpatient imaging centers, has recently disclosed a cybersecurity incident. RAR has been working closely with third-party cybersecurity experts to investigate the incident and determine whether any patient data was compromised.

The investigation confirmed there had been unauthorized access to its computer network between April 2, 2024, and April 6, 2024, and following an extensive review of the affected data, RAR confirmed on May 2, 2025, that patient data had been exposed and potentially stolen. The data exposed included names, addresses, Social Security numbers, dates of birth, financial account or payment card numbers, medical records, and health insurance information. Individuals who had their Social Security numbers compromised in the incident have been offered complimentary credit monitoring and identity theft protection services.

When this article was published, the incident was not listed on the HHS’ Office for Civil Rights breach portal. The OCR breach portal now indicates that the protected health information of 1,419,091 individuals was compromised in the cyberattack.

Ransomware Gangs Claim Attacks on Multiple Healthcare Organizations

Ransomware groups have claimed responsibility for attacks on several healthcare organizations over the past few days. None of the organizations below have confirmed the attacks at present, ransomware groups’ claims are not always accurate, and attacks may not have resulted in the theft of patient data.

  • Dealmed Medical Supplies (DragonForce)
  • Medical Center of Marin (Inc Ransom)
  • Nationwide Care Services (Teamxxx)
  • Mission City Community Network (SafePay)
  • Covenant Health of Tewksbury (Qilin)
  • Family & Community Services, Inc. (Qilin)
  • Alert Medical Alarms (Qilin)

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
