25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Vendor Breaches Announced by Illinois and Virginia Healthcare Providers

Posted By on Nov 20, 2025

Personic Management Company (Personic Health) and Innovative Physical Therapy have recently confirmed that patient information was compromised in vendor security incidents. Anchorage Neighborhood Health Center has recently disclosed an August cyberattack that exposed patient data.

Personic Management Company (Personic Health)

Vienna, VA-based Personic Management Company LLC, doing business as Personic Health, a wound care specialist, has recently disclosed a data breach involving a third-party software platform used to process patient data. Personic Health was informed on September 1, 2025, that there had been unauthorized access to the platform. Assisted by third-party digital forensics experts, Personic Health launched a comprehensive investigation to determine how the breach occurred and the types of information potentially compromised in the incident.

The investigation confirmed that an unauthorized actor accessed the platform on August 29, 2025, and acquired certain data. The data review was completed on October 13, 2025, and confirmed that the protected health information had been stolen.  The breach was reported to the Maine Attorney General as involving the personal and protected health information of up to 10,929 individuals; however, the types of information involved were redacted. The individual notification letters state the exact types of information involved.

Personic Health has taken steps to strengthen security to prevent similar breaches in the future and has offered the affected individuals 24 months of complimentary credit monitoring and identity protection services.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Innovative Physical Therapy

Innovative Physical Therapy (IPT), a network of outpatient physical therapy and rehabilitation centers, has recently disclosed a security incident involving its third-party practice management software provider. The vendor assisted IPT with administrative services, which required access to patients’ protected health information.

On August 25, 2025, IPT’s software vendor notified IPT about a phishing incident that involved unauthorized access to two employee email accounts. The phishing incident was identified on June 26, 2025, and the accounts were immediately secured. The vendor engaged a third-party digital forensics firm to investigate the incident, which confirmed that an unauthorized third party accessed the accounts between June 25 and June 26, 2025.

The vendor reviewed the emails and associated files and identified names in combination with one or more of the following types of information: address, date of birth, diagnosis, lab results, medications, treatment information, health insurance information, provider name, and dates of service. A limited number of individuals also had their Social Security numbers exposed.

In total, 2,023 patients were affected by the breach and were notified by mail by the practice management vendor on October 3, 2025. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. IPT said it has received assurances that its vendor is taking steps to prevent similar incidents in the future, including providing additional cybersecurity awareness training for its workforce.

Anchorage Neighborhood Health Center

Anchorage Neighborhood Health Center in Alaska has started notifying 70,555 patients about a criminal cyberattack that involved unauthorized access to or acquisition of some of their protected health information. The cyberattack was detected on August 25, 2025, and the investigation confirmed unauthorized access to its network from August 24 to August 25, 2025.

The review of the exposed files was completed on October 10, 2025, when it was confirmed that the data exposed in the incident included names, dates of birth, Social Security numbers, driver’s license/state identification numbers, medical treatment information, and/or health insurance information. Anchorage Neighborhood Health Center said it has already implemented a series of cybersecurity enhancements and plans to take other steps to strengthen security. While data misuse has not been detected, as a precaution, the affected individuals have been offered up to 24 months of complimentary credit monitoring services.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist