Mallory

Healthcare Data Breach and Ransomware Incident Roundup

Tags: healthcare-sector-threat, breach-disclosure-notification, third-party-vendor-breach, ransomware-group-operation, insider-threat-incident
Updated April 17, 2026 at 11:01 AM. 5 sources.

Several healthcare-related organizations disclosed separate data breach incidents involving ransomware, unauthorized network access, and third-party compromise. CommonSpirit Health said patient data was exposed through a downstream vendor chain after Pinnacle Holdings Ltd suffered a ransomware attack, with attackers present in the network from November 11 to November 25, 2024, and exfiltrating files before the incident was later relayed through NorthGauge Healthcare Advisors. Meadowlark Hills and MedPeds also disclosed breaches tied to the Beast ransomware group, while Tieu Dental reported unauthorized access to its network in July 2025 that exposed patient information including Social Security numbers and medical and insurance data. These incidents led to regulatory notifications and offers of credit monitoring or identity theft protection for affected individuals.

A separate legal development involved Geisinger Health and Nuance Communications, where a judge approved a $5 million settlement over claims tied to a former Nuance employee's theft of medical records affecting about 1.3 million patients. That matter differs from the ransomware and breach notifications because it concerns civil litigation over an earlier insider data theft rather than a newly disclosed intrusion. Overall, the reporting reflects ongoing exposure of protected health information across the healthcare sector through both direct attacks and third-party relationships, with delayed notification timelines and incomplete early visibility into the full scope of compromised data remaining recurring issues.

Timeline

  1. Mar 28, 2026

    Corewell Health discloses Pinnacle breach affected 19,000 patients

    Corewell Health disclosed that the 2024 Pinnacle Holdings vendor breach affected about 19,000 of its patients after reviewing the exposure. The compromised data included personal and medical information such as names, contact details, Social Security numbers, medical information, and insurance details.

  2. Mar 17, 2026

    Beast ransomware group claims MedPeds attack

    By 2026-03-17, the Beast ransomware group had claimed the MedPeds Associates of Sarasota breach and said it stole 400 GB of data. The allegedly stolen MedPeds data had not been published at the time of reporting.

  3. Mar 17, 2026

    Beast ransomware group claims Meadowlark Hills attack

    By 2026-03-17, the Beast ransomware group had claimed an attack on Meadowlark Hills, alleging it stole 750 GB of data. Meadowlark Hills had reported unauthorized network access and data exfiltration between 2025-07-12 and 2025-07-21 affecting 14,442 individuals.

  4. Mar 16, 2026

    SafePay ransomware group claims Children's Council attack

    By the time of public reporting, the SafePay ransomware group had claimed responsibility for the Children's Council of San Francisco breach. The claim followed the organization's investigation into the August 2025 intrusion.

  5. Mar 2, 2026

    Children's Council mails breach notifications and offers protection

    On 2026-03-02, Children's Council of San Francisco mailed notification letters to affected individuals and offered complimentary credit monitoring and identity theft protection. The organization had also notified the FBI.

  6. Feb 2, 2026

    NorthGauge notifies CommonSpirit Health of vendor breach

    On 2026-02-02, NorthGauge informed CommonSpirit Health that patient data had been affected through the Pinnacle ransomware incident. CommonSpirit then moved toward notifying impacted patients.

  7. Jan 30, 2026

    NorthGauge identifies affected individuals in Pinnacle breach

    NorthGauge Healthcare Advisors confirmed the identities of individuals affected by the Pinnacle incident on 2026-01-30. The breach was later disclosed as affecting CommonSpirit Health patients, including 19,027 Washington residents.

  8. Jan 11, 2026

    Tieu Dental confirms what patient data was exposed

    On 2026-01-11, Tieu Dental confirmed the categories of patient data affected by the 2025 intrusion. The company said it had not identified misuse of the data at the time of disclosure.

  9. Dec 31, 2025

    Tieu Dental begins notifying affected patients

    Tieu Dental said it began notifying affected patients in 2025 following its July network intrusion. The company later offered credit monitoring and identity theft protection services.

  10. Nov 1, 2025

    Pinnacle notifies NorthGauge after exposed-data review

    In November 2025, Pinnacle notified NorthGauge Healthcare Advisors after a third-party review of exposed data from the 2024 ransomware incident. This set in motion downstream notifications involving CommonSpirit Health.

  11. Sep 2, 2025

    MedPeds discovers ransomware and unauthorized access

    MedPeds Associates of Sarasota discovered unauthorized access and ransomware-based file encryption on 2025-09-02. The breach affected 21,430 individuals and exposed sensitive personal and protected health information.

  12. Aug 3, 2025

    Children's Council detects network-disrupting incident

    On 2025-08-03, Children's Council of San Francisco identified a network-disrupting incident that led to an investigation. The breach ultimately affected 12,655 individuals.

  13. Aug 1, 2025

    Children's Council of San Francisco network accessed

    Children's Council of San Francisco later determined that an unknown hacker accessed its network on 2025-08-01 and acquired files containing names and Social Security numbers.

  14. Jul 28, 2025

    Tieu Dental network accessed by unauthorized third party

    Tieu Dental Corporation said an unauthorized third party accessed its network between 2025-07-28 and 2025-07-29, exposing patient data including Social Security numbers, medical records, treatment plans, prescription information, and insurance data.

  15. Jul 27, 2025

    Legend Senior Living breach begins with unauthorized access

    Legend Senior Living discovered unauthorized access on or around 2025-08-15, and forensic investigators determined attackers had access between 2025-07-27 and 2025-08-15. Files containing personal and protected health information may have been viewed or acquired, and Texas was later told 5,006 residents were affected.

  16. Nov 25, 2024

    Ransomware disrupts Pinnacle Holdings' network

    Pinnacle Holdings Ltd suffered a ransomware attack that caused network disruption on 2024-11-25. The company was a vendor to NorthGauge Healthcare Advisors, a business associate of CommonSpirit Health.

  17. Nov 11, 2024

    Pinnacle vendor attackers gain access and exfiltrate data

    In a downstream incident later affecting CommonSpirit Health patients, attackers had access to Pinnacle Holdings Ltd's network from 2024-11-11 to 2024-11-25 and exfiltrated files during that period.


Related Stories

Healthcare Data Breach Notifications and Settlement Involving Patient Information Exposure

Multiple healthcare-related organizations disclosed **separate** incidents involving exposure or theft of patient data. Delta Medical Systems reported unauthorized access to its email environment on July 15, 2025, with potentially exposed data including names, dates of birth, Social Security numbers, driver’s license information, bank details, insurance information, and medical information. A separate HIPAA Journal report described additional incidents at Cedar Valley Services, Community Nurse, and Health Dimensions Group, including a likely **Qilin ransomware** intrusion at Cedar Valley Services and a vendor-linked compromise affecting Community Nurse through *Doctor Alliance*, where files may have been accessed between October 31 and November 17, 2025. In a different but related healthcare privacy matter, a judge approved a **$5 million settlement** in litigation against Geisinger Health and *Nuance Communications* over the theft of medical records affecting roughly **1.3 million patients** by a former Nuance employee. The stolen records reportedly included names, birthdates, addresses, medical record numbers, treatment details, and insurance information. While all three reports concern healthcare data exposure, they describe **distinct incidents** rather than one unified breach event, spanning direct compromises, third-party/vendor exposure, suspected ransomware activity, and post-incident legal resolution.

1 month ago

Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure

Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.

1 month ago

Multiple Healthcare Data Breaches and Regulatory Actions in the US

Several healthcare providers in the United States have recently disclosed significant data breaches resulting from cyberattacks, with patient and employee information being compromised. AllerVie Health, based in Texas, confirmed unauthorized access to its network, exposing sensitive data such as names, Social Security numbers, and insurance details, allegedly due to a ransomware attack by the Anubis group. The attackers claim to have stolen records of over 30,000 patients, and affected individuals have been offered credit monitoring and identity theft protection. In a separate incident, OrthopedicsNY, a healthcare provider in New York, suffered a breach in 2023 after attackers gained remote access using compromised credentials, leading to the exposure of data belonging to more than 650,000 patients and employees. The New York Attorney General secured a $500,000 penalty from OrthopedicsNY for failing to implement adequate security measures, and the provider is now required to enhance its data protection practices. Additionally, Singing River Health System in Mississippi reported a cyber incident that led to the temporary shutdown of its patient portal and internet access as a precaution. While the threat was reportedly mitigated, the investigation is ongoing to determine if patient records were accessed. These incidents highlight the ongoing risks faced by healthcare organizations from ransomware groups and other cybercriminals, as well as the increasing regulatory scrutiny and financial penalties for failing to protect sensitive health information. Impacted organizations are responding with offers of credit monitoring and reviews of their security policies, but the breaches underscore the need for robust cybersecurity measures in the healthcare sector.

1 month ago
