Healthcare Sector Data Breaches and Regulatory Action on Health Data Privacy
Multiple healthcare organizations have reported significant data breaches involving unauthorized access to patient information. CareOregon and Health Share of Oregon notified patients of a breach where protected health information, including names, dates of birth, health plan details, and Medicaid/Medicare numbers, was accessed without authorization, raising concerns about potential insurance fraud. Canopy Health, a major New Zealand oncology provider, disclosed a cyberattack that resulted in unauthorized access to administrative systems and possible data exfiltration, with the incident being contained and legal action taken to prevent misuse of the compromised data. Additionally, a Manhattan plastic surgery practice suffered a cyberattack in which sensitive patient images and personal information were stolen and published online, with extortion attempts made directly to patients; this attack is linked to a series of similar incidents targeting plastic surgery practices.
In parallel to these incidents, California authorities have taken regulatory action against Datamasters, a marketing firm found to be illegally selling health and personal data of millions of individuals without proper registration as a data broker. The company was fined and banned from selling Californians' personal information after it was discovered to have traded in sensitive data, including health conditions and demographic details, for targeted advertising. These events highlight ongoing risks to health data privacy from both cyberattacks and improper commercial data practices, as well as the increasing regulatory scrutiny and enforcement in this sector.
Timeline
Jan 12, 2026
CareOregon and Health Share notify patients and warn of fraud risk
CareOregon and Health Share of Oregon notified affected patients about the breach and warned of potential insurance fraud. They also reported the incident to law enforcement, remediated the issue, and retrained staff.
Jan 11, 2026
CalPrivacy penalizes Datamasters over health data resale
The California Privacy Protection Agency took enforcement action against Rickenbacher Data LLC, doing business as Datamasters, for operating as an unregistered data broker and reselling sensitive health and personal data. The agency fined the company $45,000, barred further sales of Californians' personal information, and ordered deletion of previously purchased Californians' data.
Jan 11, 2026
CalPrivacy fines S&P Global for unregistered data broker lapse
The California Privacy Protection Agency fined S&P Global Inc. $62,600 for failing to register as a data broker for 2024 by the required deadline. The agency said the company remained unregistered for 313 days before the enforcement action was announced.
Oct 27, 2025
CareOregon breach discovered after unauthorized access to PHI
CareOregon and Health Share of Oregon discovered unauthorized access to protected health information on 2025-10-27. Exposed data included names, dates of birth, health plan information, Medicaid/Medicare numbers, and primary care provider details, but not Social Security or financial data.
Jun 1, 2025
Andover Eye Associates discovers email account breach
Andover Eye Associates discovered in June 2025 that two employee email accounts had been accessed without authorization. The incident exposed names and Social Security numbers of 1,638 patients.
Jan 31, 2025
California deadline passes for 2024 data broker registration
California required data brokers to register annually, and S&P Global Inc. missed the January 31, 2025 deadline for 2024 registration. CalPrivacy later said the lapse continued for 313 days and was attributed to an administrative error.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
Related Stories
Recent Healthcare Data Breaches and Regulatory Actions in the United States
Multiple healthcare organizations across the United States have reported significant data breaches affecting the personal and protected health information of hundreds of thousands of patients and employees. Notable incidents include the compromise of NCH Corporation Employee Benefits Plan data via exploitation of a zero-day vulnerability in Oracle E-Business Suite, a ransomware attack on OrthopedicsNY resulting in a $500,000 fine by the New York Attorney General, and a major breach at Murfreesboro Medical Clinic & SurgiCenter attributed to the BianLian ransomware group. Other breaches involved unauthorized access to patient data at Fyzical Therapy & Balance Centers, exposure of client data through a law firm serving Goldman Sachs, and improper storage of thousands of medical records in a Memphis storage unit. Additionally, Health Share of Oregon and CareOregon notified members of unauthorized viewing of their information, though the exact nature of the incident remains unclear. Regulatory responses have included state attorney general enforcement actions, such as the fine imposed on OrthopedicsNY for failing to implement adequate cybersecurity measures. Organizations affected by these breaches have taken steps such as patching vulnerabilities, enhancing security policies, notifying affected individuals, and offering credit monitoring services. The incidents highlight ongoing risks to healthcare data security from ransomware, insider threats, third-party exposures, and improper data handling, as well as the increasing role of state regulators in enforcing HIPAA compliance and data protection standards.
1 months ago
Healthcare Data Breaches and Patient Data Exposure Reports
Multiple organizations reported or were alleged to have suffered **data breaches involving sensitive personal and health information**. Telehealth provider **Call-On-Doc** was allegedly breached in early December, with a hacking-forum listing claiming exfiltration of **1,144,223 patient records** including contact details and highly sensitive visit metadata (e.g., *medical category/condition*, including STD-related entries), though the company had not publicly commented at the time of reporting. Separately, **Laurel Health Centers** (a Federally Qualified Health Center network in Northern Pennsylvania) reported **unauthorized access to its email environment** from July 11–25, 2025; emails and attachments may have been viewed or copied, potentially exposing a wide range of PHI/PII (including SSNs, insurance/Medicare data, diagnostic/treatment information, and some financial data). Laurel stated it took time to confirm the threat actor was fully removed, completed mailbox review by Dec. 30, 2025, and then began notifying affected individuals and offering credit monitoring. Outside healthcare delivery, the **Civil Service Employees Association (CSEA)** labor union reported a May intrusion (May 3–31) resulting in theft of data for **47,000+ members**, including names and **Social Security numbers**, and said it took systems offline, reset passwords, and implemented additional security controls; it reported no evidence of misuse but advised vigilance for identity theft. A separate HIPAA Journal item summarized academic research on **insider risk**—finding many students would hypothetically sell patient data for money—which is not tied to a specific breach incident but underscores the broader threat environment for healthcare data.
1 months ago
Multiple Healthcare Data Breaches and Regulatory Actions in the US
Several healthcare providers in the United States have recently disclosed significant data breaches resulting from cyberattacks, with patient and employee information being compromised. AllerVie Health, based in Texas, confirmed unauthorized access to its network, exposing sensitive data such as names, Social Security numbers, and insurance details, allegedly due to a ransomware attack by the Anubis group. The attackers claim to have stolen records of over 30,000 patients, and affected individuals have been offered credit monitoring and identity theft protection. In a separate incident, OrthopedicsNY, a healthcare provider in New York, suffered a breach in 2023 after attackers gained remote access using compromised credentials, leading to the exposure of data belonging to more than 650,000 patients and employees. The New York Attorney General secured a $500,000 penalty from OrthopedicsNY for failing to implement adequate security measures, and the provider is now required to enhance its data protection practices. Additionally, Singing River Health System in Mississippi reported a cyber incident that led to the temporary shutdown of its patient portal and internet access as a precaution. While the threat was reportedly mitigated, the investigation is ongoing to determine if patient records were accessed. These incidents highlight the ongoing risks faced by healthcare organizations from ransomware groups and other cybercriminals, as well as the increasing regulatory scrutiny and financial penalties for failing to protect sensitive health information. Impacted organizations are responding with offers of credit monitoring and reviews of their security policies, but the breaches underscore the need for robust cybersecurity measures in the healthcare sector.
1 months ago