Healthcare Data Breach Disclosures and Legal Fallout

Tags: breach-disclosure-notification, healthcare-sector-threat, mass-credential-exposure, enforcement-action, underground-data-leak

Updated March 21, 2026 at 02:13 PM (4 sources)

French healthcare software provider Cegedim Santé confirmed a major breach affecting its MonLogicielMedical (MLM) product after unusual activity was detected in late 2025. The incident exposed administrative data tied to roughly 1,500 doctors (out of ~3,800 users) and patient data at large scale, reported as 15.8 million records, including 165,000 files that may contain doctors’ notes. Structured medical records were reported as intact, but some administrative comments may include sensitive clinical notes and highly sensitive details (e.g., HIV/AIDS status or sexual orientation). Cegedim Santé reported notifying French authorities including CNIL and filing a complaint.

In the US, Cornerstone Specialty Hospitals agreed to a $2.35M class-action settlement tied to a December 2023 network intrusion that ultimately affected 484,957 individuals. Potentially exposed data spanned identifiers (including SSNs and government IDs), financial data, credentials, and health/insurance information; the suit also alleged delayed notification (letters mailed around July 2024).

Separately, PIH Health began notifying patients about a December 2024 ransomware attack that disrupted multiple hospitals and services. Investigators concluded the attacker had network access from Nov 14–Dec 23, 2024. After a prolonged review, PIH Health confirmed in Dec 2025 that patient information was present in files on compromised systems and may have been accessed or acquired. Notification letters were prepared by Feb 25, 2026, amid claims of large-scale data theft and some data leakage online.

Timeline

  1. Mar 5, 2026

    Cornerstone agrees to $2.35 million breach settlement

    Cornerstone Healthcare Group Management Services agreed to a $2.35 million settlement to resolve class action litigation over the December 2023 cyberattack and data breach. The settlement provides funds for legal fees, reimbursement of losses, credit monitoring for some class members, and pro rata cash payments.

  2. Mar 5, 2026

    PIH Health begins notifying patients about 2024 breach

    In early 2026, PIH Health began notifying patients that personal and medical information was exposed in the 2024 ransomware attack. The provider said exposed data varied by individual and included PII and PHI, and it offered credit monitoring and identity theft protection.

  3. Dec 1, 2025

    Cegedim Santé notifies CNIL and files complaint

    Following discovery of the breach, Cegedim Santé notified French authorities including the CNIL and filed a complaint. Reports said some exposed data may have included highly sensitive personal details and doctors' notes.

  4. Dec 1, 2025

    Cegedim Santé detects unusual activity and confirms data exfiltration

    Cegedim Santé detected unusual activity in late 2025 and confirmed a major cyberattack affecting its MonLogicielMedical product. The breach involved exfiltration of administrative and patient data tied to roughly 1,500 doctors and 15.8 million records.

  5. Dec 23, 2024

    PIH Health unauthorized access period ends

    PIH Health said its investigation found the threat actor's access to compromised systems lasted until December 23, 2024. Later review determined patient information was present in affected files and may have been accessed or acquired.

  6. Dec 1, 2024

    PIH Health detects ransomware attack and service disruption

    PIH Health detected a ransomware attack on December 1, 2024, which disrupted multiple hospitals and care services. Attackers later claimed to have exfiltrated about 2 TB of data and 17 million patient records and issued a ransom demand.

  7. Nov 14, 2024

    PIH Health attackers gain access to network

    A forensic investigation later determined that the threat actor had access to PIH Health's network beginning on November 14, 2024. This marked the start of the ransomware-related compromise affecting the California healthcare provider.

  8. Jul 1, 2024

    Cornerstone mails breach notifications to affected individuals

    Cornerstone mailed notices to affected individuals around July 1, 2024 regarding the December 2023 cyberattack and data breach. The later lawsuit alleged the company delayed notification.

  9. Dec 19, 2023

    Cornerstone network allegedly accessed in cyberattack

    Cornerstone Specialty Hospitals' network was allegedly accessed by a threat actor around December 19, 2023, beginning the incident that later led to a data breach lawsuit. The attacker potentially accessed and copied patient and personal information.

Related Stories

Healthcare Data Breaches and Patient Record Exposure at Providers and Vendors

Multiple healthcare entities reported **unauthorized access and patient data exposure**, with incidents spanning direct provider compromises and third-party vendor breaches. **Insight Hospital and Medical Center (Chicago)** disclosed suspicious activity in its IT environment, with investigators confirming **unauthorized network access from Aug 22 to Sep 11, 2025**; the organization said the review is ongoing but potentially impacted data includes **names, DOB, SSNs, passport numbers, financial account data, treatment information, and insurance details**. Two extortion groups publicly claimed responsibility: **LockBit** alleged theft of ~`200 GB` and **Termite** claimed `360 GB`, stating it leaked data in late February 2026. In France, attackers stole about **15.8 million administrative files** after breaching health-ministry software supplier **Cegedim Santé**, impacting its *MonLogicielMedical (MLM)* product used by thousands of doctors; the stolen data reportedly included **identity and contact details**, and in a smaller subset (~**165,000** files) **free-text doctors’ notes** that in limited cases contained sensitive medical-history details. Separately, **OCAT, LLC d/b/a Evoke Wellness at Hilliard** updated a breach notification describing **unauthorized network activity** and potential access to patient information; reporting also tied the matter to an **insider misuse** investigation in which a former employee allegedly accessed and sold patient data, though public filings contained **inconsistent timelines** about when the underlying incident occurred and when it was discovered.

1 month ago

Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure

Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**.

Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.

1 month ago

Delayed patient notifications following healthcare data breaches at providers and vendors

Multiple healthcare organizations and vendors reported **delayed patient notifications** after discovering unauthorized access to protected health information (PHI), in some cases more than a year after the underlying compromise. In Colorado, **Alpine Ear, Nose, and Throat (Alpine ENT)** notified **65,648** individuals that an attacker accessed and exfiltrated files containing PHI in an incident identified on **Nov. 19, 2024**; the **BianLian** ransomware group later claimed responsibility and posted the organization to its leak site. Exposed data was described as highly sensitive, including medical information and, for some individuals, **financial account data and payment card details** (including CVC/expiration) and **Social Security numbers**; Alpine ENT reported no confirmed identity theft at the time of notification and offered credit monitoring. Separately, **Bayada Home Health Care** disclosed exposure risk tied to a **third-party vendor (Doctor Alliance)** after Doctor Alliance reported unauthorized network access during **Oct.–Nov. 2025**, potentially affecting Home Health Certification and Plan of Care forms containing patient identifiers and clinical/insurance details (and **SSNs for a subset**). Bayada said it discontinued using Doctor Alliance and reported the matter to regulators. In another vendor-related incident, **TriZetto Provider Solutions (Cognizant)**—an insurance verification provider—suffered a cyberattack impacting PHI across multiple states; Oregon providers began notifying additional patients after the breach was reported as occurring in **Nov. 2024** but not discovered until **Oct. 2, 2025**, with no financial data reportedly compromised and no evidence of misuse so far; the incident has prompted **class-action lawsuits**, engagement of **Mandiant**, and law enforcement notification.

1 month ago