Mallory

Healthcare Data Breach Disclosures Involving Unauthorized Access to Patient Information

Tags: breach-disclosure-notification, healthcare-sector-threat, third-party-vendor-breach, mass-credential-exposure
Updated March 21, 2026 at 12:52 PM (3 sources)

Multiple healthcare organizations disclosed data security incidents involving potential exposure of patient and personal information. Jackson Hospital and Clinic (Montgomery, Alabama) notified 14,485 individuals about a breach at its former debt-collection vendor Nationwide Recovery Services, where suspicious activity was identified in July 2024 and an unauthorized party accessed the vendor’s network between July 5–15, 2024. Jackson Hospital stated its own IT systems were not affected, but data shared for collections work may have been compromised, including names, contact details, dates of birth, Social Security numbers, account/insurance information, and dates of service; affected individuals were offered credit monitoring and identity theft protection.

Separately, Community Health Action of Staten Island reported a data security incident that may have involved unauthorized access to sensitive personal and medical information, and Insight Hospital and Medical Center (Chicago) reported a cyber incident involving unauthorized access to its network between Aug. 22 and Sept. 11, 2025, with potential exposure of patient and financial data. The disclosures underscore ongoing third-party and direct-network intrusion risks in the healthcare sector, with notification timing and scope varying by organization and investigation status.

Timeline

  1. Mar 9, 2026

    Insight Hospital disclosed investigation into cyberattack

    Insight Hospital and Medical Center reported on 2026-03-09 that it was investigating a cybersecurity incident involving unauthorized network access. The notice said patient, medical, and financial data may have been exposed.

  2. Mar 9, 2026

    Community Health Action of Staten Island disclosed security incident

    Community Health Action of Staten Island disclosed a data security incident that may have involved unauthorized access to sensitive personal and medical information. No additional technical details, scope, or incident timeline were provided in the available report.

  3. Feb 27, 2026

    Jackson Hospital began notifying 14,485 affected individuals

    On 2026-02-27, Jackson Hospital and Clinic began mailing breach notifications to 14,485 individuals affected by the 2024 vendor incident. The hospital also offered complimentary credit monitoring and identity theft protection.

  4. Jan 27, 2026

    Jackson Hospital told it was affected by vendor breach

    Jackson Hospital and Clinic said it was not informed that it was impacted by the Nationwide Recovery Services breach until 2026-01-27. The hospital stated its own IT systems were not affected and that it no longer uses the vendor.

  5. Aug 22, 2025

    Insight Hospital network intrusion occurred over Aug.-Sept. 2025

    Insight Hospital and Medical Center later disclosed that unauthorized access to its network occurred between 2025-08-22 and 2025-09-11. The incident may have exposed sensitive personal, medical, and financial information.

  6. Feb 1, 2025

    Nationwide Recovery Services notified HIPAA-regulated clients

    Nationwide Recovery Services notified affected HIPAA-regulated clients about the 2024 breach between February and March 2025. Public reporting indicated the incident may have affected more than 560,000 individuals across its client base.

  7. Jul 5, 2024

    Nationwide Recovery Services network accessed in July 2024 breach

    A forensic investigation found an unauthorized party accessed Nationwide Recovery Services' network between 2024-07-05 and 2024-07-15 after suspicious activity was detected in July 2024. The breach potentially exposed sensitive personal and health-related data belonging to clients' patients.


Related Stories

Healthcare Data Breaches and Patient Data Exposure Reports

Multiple organizations reported or were alleged to have suffered **data breaches involving sensitive personal and health information**. Telehealth provider **Call-On-Doc** was allegedly breached in early December, with a hacking-forum listing claiming exfiltration of **1,144,223 patient records** including contact details and highly sensitive visit metadata (e.g., *medical category/condition*, including STD-related entries), though the company had not publicly commented at the time of reporting. Separately, **Laurel Health Centers** (a Federally Qualified Health Center network in Northern Pennsylvania) reported **unauthorized access to its email environment** from July 11–25, 2025; emails and attachments may have been viewed or copied, potentially exposing a wide range of PHI/PII (including SSNs, insurance/Medicare data, diagnostic/treatment information, and some financial data). Laurel stated it took time to confirm the threat actor was fully removed, completed mailbox review by Dec. 30, 2025, and then began notifying affected individuals and offering credit monitoring. Outside healthcare delivery, the **Civil Service Employees Association (CSEA)** labor union reported a May intrusion (May 3–31) resulting in theft of data for **47,000+ members**, including names and **Social Security numbers**, and said it took systems offline, reset passwords, and implemented additional security controls; it reported no evidence of misuse but advised vigilance for identity theft. A separate HIPAA Journal item summarized academic research on **insider risk**—finding many students would hypothetically sell patient data for money—which is not tied to a specific breach incident but underscores the broader threat environment for healthcare data.

1 month ago
Healthcare Data Breaches and Patient Record Exposure at Providers and Vendors

Multiple healthcare entities reported **unauthorized access and patient data exposure**, with incidents spanning direct provider compromises and third-party vendor breaches. **Insight Hospital and Medical Center (Chicago)** disclosed suspicious activity in its IT environment, with investigators confirming **unauthorized network access from Aug 22 to Sep 11, 2025**; the organization said the review is ongoing but potentially impacted data includes **names, DOB, SSNs, passport numbers, financial account data, treatment information, and insurance details**. Two extortion groups publicly claimed responsibility: **LockBit** alleged theft of ~`200 GB` and **Termite** claimed `360 GB`, stating it leaked data in late February 2026. In France, attackers stole about **15.8 million administrative files** after breaching health-ministry software supplier **Cegedim Santé**, impacting its *MonLogicielMedical (MLM)* product used by thousands of doctors; the stolen data reportedly included **identity and contact details**, and in a smaller subset (~**165,000** files) **free-text doctors’ notes** that in limited cases contained sensitive medical-history details. Separately, **OCAT, LLC d/b/a Evoke Wellness at Hilliard** updated a breach notification describing **unauthorized network activity** and potential access to patient information; reporting also tied the matter to an **insider misuse** investigation in which a former employee allegedly accessed and sold patient data, though public filings contained **inconsistent timelines** about when the underlying incident occurred and when it was discovered.

1 month ago
Multiple Healthcare and Retail Data Breaches Impacting US Organizations

Several US organizations have reported significant data breaches affecting thousands of individuals. Pearlman Aesthetic Surgery in New York disclosed a hacking incident compromising the protected health information of nearly 12,000 patients, though specific details remain undisclosed. Methodist Homes of Alabama and Northwest Florida notified residents and employees of a second breach within seven months, involving unauthorized access to an employee email account containing sensitive personal and medical information. Gulshan Management Services, which operates over 150 gas stations and convenience stores, confirmed a breach that exposed the personal data of more than 377,000 people, including Social Security numbers and financial information, with delayed notification to affected individuals. Community First Medical Center in Chicago reached a $1 million preliminary settlement following a 2023 breach that exposed the data of approximately 216,000 patients, with allegations of inadequate cybersecurity measures and delayed response. These incidents have led to regulatory filings, class action lawsuits, and increased scrutiny over the timeliness and adequacy of breach notifications. The breaches highlight ongoing challenges in protecting sensitive data across healthcare and retail sectors, with attackers exploiting both network vulnerabilities and email accounts. Organizations are facing legal and reputational consequences, emphasizing the need for robust cybersecurity practices and prompt communication with affected individuals.

1 month ago
