The covered entity (CE), Lexington Diagnostic Center, reported that it experienced a hacking incident that affected the protected health information (PHI) of 29,819 individuals. The PHI involved included names, addresses, birthdates, Social Security numbers, diagnoses, lab results, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE offered free credit monitoring to affected individuals and implemented additional administrative, technical, and security safeguards.

The covered entity (CE), Ardon Health, LLC, reported that several employees were the subjects of an email phishing scheme that affected the protected health information (PHI) of 10,098 individuals. The PHI involved included names, addresses, medications, birthdates, and treatment information. The CE notified HHS, affected individuals and the media. In response to the breach and OCR’s investigation, the CE has updated its technical safeguards. OCR also provided technical assistance to the CE regarding the HIPAA Security Rule.

The covered entity (CE), Green Castle Recovery Center dba Sanford Behavioral Health, reported that several employees were the subjects of an email phishing scheme that compromised the protected health information (PHI) of 703 individuals. The PHI involved included names, birthdates, addresses, drivers’ license and Social Security numbers, diagnoses/conditions, lab results, medications and other treatment information. The CE notified HHS, affected individuals and the media. In its mitigation efforts, the CE implemented additional administrative and technical safeguards to better protect its PHI. Staff were retrained in email security.

The covered entity (CE), Village Pharmacy Group, reported that an employee experienced a phishing incident that affected the protected health information (PHI) of 584 individuals. The PHI involved included names, diagnoses, and other treatment information. The CE notified HHS and effected individuals. In response to the breach the CE implemented additional administrative, technical, and security safeguards. Staff were also retrained in its requirements to protect and secure PHI.

The covered entity (CE), Option Care Health, reported that an employee was the subject of an email phishing scheme that compromised the protected health information (PHI) of 2,897 individuals. The PHI involved included Social Security numbers, birthdates, addresses, and diagnoses. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE sanctioned and retrained the workforce member involved.

The covered entity (CE), Missouri Department of Mental Health, reported that an employee erroneously sent an unencrypted email message containing the protected health information (PHI) of 537 individuals to the wrong individuals. The PHI involved included names, Social Security numbers, addresses, and dates of birth. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE implemented additional administrative, technical, and security safeguards. Staff were retrained.

The covered entity (CE), Universal Health Corporation, reported that an employee was subject to an email phishing scheme that affected the protected health information (PHI) of 583 individuals. The PHI involved included names, dates of birth, addresses, claims and financial information, diagnoses, lab results, medications and Social Security and drivers’ license numbers. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE implemented additional administrative, technical, and security safeguards to better protect its PHI. In addition, the CE retrained its workforce members on email security precautions and on the proper methods of identifying fraudulent email communications.

The covered entity (CE), Regence BlueCross BlueShield, reported that employees of its business associate (BA) mailed documents containing the protected health information (PHI) of 610 individuals to the wrong recipients. The PHI involved included names and treatment information. The CE notified HHS and affected individuals. In response to the breach, the BA sanctioned the workforce members and implemented additional administrative safeguards.

The covered entity (CE), Southwest Colorado Mental Health Center, dba Axis Health System, reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 23,385 individuals. The PHI involved included clinical, demographic, and financial information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE implemented improved technical and administrative safeguards and retrained its staff. OCR provided technical assistance to the CE.

The covered entity (CE), Stanislaus County Behavioral Health and Recovery Services, reported that it mailed letters containing the protected health information (PHI) of 767 individuals to the wrong recipients. The PHI involved included names, addresses, and treatment information. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE implemented additional administrative and technical safeguards to better protect its PHI.

Survival Flight, the covered entity (CE), reported that it experienced a ransomware incident that affected the protected health information (PHI) of 10,989 individuals. The PHI involved included names, addresses, drivers’ license and Social Security numbers, dates of birth, diagnoses, financial information, and claims information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE implemented additional administrative, technical, and security safeguards.

The covered entity (CE), Seven Counties Services, Inc., reported that multiple employees were the subjects of an email phishing incident that affected the protected health information (PHI) of 132,609 individuals. The PHI involved included names, dates of birth, addresses, Social Security numbers, diagnoses/conditions, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE retrained its staff and implemented additional administrative, technical, and security safeguards.

The covered entity (CE), Judge Rotenberg Educational Cetner, reported that it experienced a ransomware incident that affected the protected health information (PHI) of 2,579 individuals. The PHI involved included names, social security numbers, addresses, drivers’ license and government identification numbers, birthdates, and diagnoses. The CE notified HHS, affected individuals, and the media. To mitigate harm the CE offered complimentary credit monitoring and identity protection services and implemented additional technical safeguards.

The covered entity (CE), Access Ambulatory Surgery Center, reported that its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 5,205 individuals. The PHI involved included names, dates of birth, Social Security numbers, claims information, and treatment information. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE offered free credit protection services to affected individuals.

The covered entity (CE), Centers for Medicare and Medicaid Services, reported that a software application used by its business associate (BA) exposed the protected health information (PHI) of 3,112,815 individuals. The PHI involved included names, dates of birth, addresses, Social Security numbers, claims and health insurance information, and other treatment information. The CE notified HHS, the media, and provided substitute notice; the CE and BA notified affected individuals. In response to the breach, the CE and BA implemented additional administrative and technical safeguards to better protect PHI.

Guam Seventh-Day Adventist Clinic, the covered entity (CE), reported that several employees were the subjects of an email phishing scheme that compromised the protected health information (PHI) of 56,635 individuals. The PHI involved included names, addresses, phone numbers, email addresses, dates of birth, financial information, drivers’ license numbers, government identification numbers, passport numbers, Social Security numbers, taxpayer identification numbers, diagnoses, and treatment and health insurance information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE implemented additional administrative and technical safeguards and retrained its staff.

The business associate (BA), United Way of Connecticut, reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 8,039 individuals. The PHI involved included names, addresses, dates of birth, medications, diagnoses, and other treatment information. The BA notified HHS, affected individuals and the media. In response to the breach, the BA offered free credit monitoring and implemented additional administrative, technical, and security safeguards. Staff were also retrained on email security.

The business associate (BA), Panoramic Health, reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 6,228 individuals. The PHI involved included names, dates of birth, Social Security and drivers’ license numbers, addresses, diagnoses/conditions, lab results, medications, claims and financial information, and other treatment information. The BA notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. Staff were retrained on email security precautions.

The covered entity (CE), Okanogan Behavioral HealthCare, reported that it experienced a ransomware attack that compromised the protected health information (PHI) of 26,429 individuals. The PHI involved included names, Social Security and drivers’ license numbers, dates of birth, diagnoses, and health insurance and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE implemented additional administrative, technical, and security safeguards to better protect its PHI. In addition, the CE retrained its workforce members on cybersecurity precautions. OCR provided technical assistance regarding the HIPAA Rules.

The covered entity (CE), Baker Places, reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 971 individuals. The PHI involved included names, Social Security numbers, addresses, drivers’ license numbers, dates of birth, financial and claims information, diagnoses, medications, and other treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. Staff were retrained on email security precautions.

The covered entity (CE), Vasinda's Around the Clock Care dba ATC Home Care, reported that it experienced a cybersecurity incident that affected the protected health information (PHI) of 3,785 individuals. The PHI involved included names, addresses, claims information, diagnoses/conditions, lab results, medications, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. Staff were retrained.

Packaging Corporation of America, the covered entity (CE), reported that a vendor of its business associate (BA) experienced a cyber-attack that compromised the protected health information of 783 individuals. The PHI involved included names, addresses, dates of birth Social Security numbers, account identifiers, and other identifiers. The CE notified HHS and the affected individuals. In its mitigation efforts, the CE provided complimentary credit monitoring services. The BA and vendor are currently under investigation.

University of Connecticut Health Center Finance Corporation, the covered entity (CE), reported that an employee was the subject of an email phishing scheme that compromised the protected health information (PHI) of 1,123 individuals. The PHI involved included names, dates of birth, drivers’ license and Social Security numbers, addresses, diagnoses, and financial information. The CE notified HHS, affected individuals, and the media. In response to the breach the CE implemented additional administrative and technical safeguards. Staff were retrained on email security.

The covered entity (CE), Julie D. Kinsler DDS dba Kinsler Family Dentistry, reported that it was the subject of a ransomware attack that affected the protected health information (PHI) of 5,500 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, lab results, medications, diagnoses, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE implemented additional administrative, technical, and security safeguards to better protect PHI.

The covered entity (CE), PG Dental dba Aire Dental Arts, reported that it experienced a hacking incident that affected the protected health information (PHI) of 10,200 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, and medical information. The CE notified HHS, affected individuals, and provided media notification. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards.

The covered entity (CE), Harborview Oral & Facial Surgery Center reported that its business associate (BA) experienced a cybersecurity incident that compromised the protected health information (PHI) of 3,247 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, and other treatment information. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the BA implemented additional administrative, technical, and security safeguards.

The covered entity (CE), PRM Management Company, reported that an employee was the subject of an email phishing scheme that compromised the protected health information (PHI) of 3,359 individuals. The PHI involved included names, addresses, dates of birth, claims information, diagnoses/conditions, medications, and other treatment information. The CE notified HHS, affected individuals, and provided substitute notice on its website. In response to the breach, the CE implemented additional administrative, technical, and security safeguards to better protect its PHI.

The covered entity (CE), Providence Pediatrics Manito, reported that a mailing error by an employee of its business associate (BA) resulted in the protected health information (PHI) of 1,166 individuals being mailed to incorrect addresses. The PHI involved included names and treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the BA implemented additional administrative safeguards and retrained workforce members to better protect PHI.

The covered entity (CE), Advantage Orthopedic & Sports Medicine, reported that it experienced a cybersecurity attack that affected the protected health information (PHI) of 1,914 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license information, claims and financial information, diagnoses and conditions, medications, and other treatment information. In response to the breach, the CE provided complimentary credit monitoring and implemented additional administrative and technical safeguards.

The covered entity (CE), American Clinical Solutions, reported that it experienced a ransomware attack that compromised the protected health information (PHI) of 300,000 individuals. The PHI involved included names, dates of birth, addresses, and lab results. The CE notified HHS, affected individuals, the media, and provided substitute notice. The CE consequently ceased operation and the investigation was closed.

The business associate (BA), Allcare Medical Management, reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 16,378 individuals. The PHI involved included names, dates of birth, Social Security numbers, and other demographic information. The BA notified HHS, affected individuals, the media, and posted substitute notice online. In its mitigation efforts, the BA implemented additional administrative, technical, and security safeguards to better protect its PHI. In addition, the BA retrained its workforce members on email security precautions. OCR provided technical assistance regarding the HIPAA Rules.

The covered entity (CE), Arisa Health, reported that it was the subject of a ransomware attack that affected the protected health information (PHI) of 375,436 individuals. The PHI involved included names, addresses, dates of birth, email addresses, Social Security numbers, medical records numbers, diagnoses/conditions, and other treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE implemented additional administrative, technical, and security safeguards. Staff were retrained.

The covered entity (CE), Northeast Rehabilitation Hospital Network, reported that it experienced a cyber-attack that affected the protected health information (PHI) of 136,724 individuals. The PHI involved included names, Social Security and drivers’ license numbers, patient identification numbers, medical record numbers, diagnoses, birthdates, and health insurance and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice to its website. In response to the breach the CE provided complimentary identity theft protection services and implemented additional administrative, technical, and security safeguards to better protect its PHI.

The covered entity (CE), Kaiser Foundation Hospitals, Northern California and The Permanente Medical Group, reported that an employee impermissibly accessed the medical records of 3,435 individuals. The protected health information (PHI) involved included names, dates of birth, addresses, email addresses, clinical information, phone numbers, and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE revised its policies and procedures and sanctioned the workforce member involved.

The covered entity (CE), Aveanna Healthcare reported that multiple employees emailed the protected health information (PHI) of 10,482 individuals to their personal email accounts. The PHI involved included names, dates of birth, health insurance information, diagnoses, lab results, medications, Social Security numbers, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE provided complimentary credit monitoring services and strengthened its administrative, technical, and security safeguards to further protect its sensitive data.

New Jersey Oral & Maxillofacial Surgery, the covered entity (CE), reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 74,413 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license and Social Security numbers, claims and financial information, diagnoses, lab results, and medications. The CE notified HHS, the affected individuals, the media, and law enforcement officials. In its mitigation efforts, the CE implemented additional technical, administrative and security safeguards.

The covered entity (CE), Family Dynamics Counseling Services, reported that its business associate (BA) impermissibly disposed of a laptop which contained the protected health information (PHI) of 4,373 individuals. The PHI involved included names, phone numbers, address, dates of birth, and other treatment information. The CE notified HHS, the affected individuals, and the media. In response to the breach, the CE terminated its business relationship with the BA and implemented new administrative and technical safeguards.

The covered entity (CE), Janna Pharmacy, reported that an employee impermissibly emailed the protected health information (PHI) of 26,372 individuals to her personal email account. The PHI involved included names, dates of birth, addresses, prescriptions, and health insurance information. The CE notified HHS and the affected individuals. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards to better protect its sensitive data.

The covered entity (CE), Sheet Metal Workers Local Union #83 Insurance Fund and Annuity Fund, reported that an employee was the subject of an email phishing scheme that compromised the protected health information (PHI) of 2,184 individuals. The PHI involved included names, addresses, phone numbers, email addresses, dates of birth, Social Security and drivers’ license numbers, diagnoses, financial and health insurance information, medications, and claims information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE offered free credit monitoring services and implemented additional administrative, technical, and security safeguards.

Aultman Hospital, the covered entity (CE), reported that an email phishing scheme affected the protected health information (PHI) of 6,892 individuals. The PHI involved included names, medical record numbers, and claims and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE implemented additional administrative and technical safeguards. OCR provided technical assistance to the CE.

The covered entity (CE), Maryville, reported that an employee was the subject of an email phishing attack that affected the protected health information (PHI) of 24,827 individuals. The PHI involved included names, addresses, Social Security and drivers’ license numbers, dates of birth, diagnoses/conditions, lab results, mediations, and claims and treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE implemented additional administrative, technical, and security safeguards to better protect its PHI.

The covered entity (CE), Marana Health Center, Inc., reported that a workforce member sent an email to patients containing the protected health information (PHI) of 542 individuals. The PHI involved included email addresses. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards.

AmeriHealth Caritas Delaware, the covered entity (CE), reported that a vendor of its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of 2,823 individuals. The PHI involved included names, phone numbers, diagnoses, and other treatment and computer access information. The CE notified HHS, affected individuals, and the media. In its mitigation efforts, the CE, BA and its vendor, implemented additional administrative and technical safeguards to better protect sensitive data.

Human Technology Inc., the covered entity (CE), reported that it experienced a ransomware attack that compromised the protected health information (PHI) of 24,580 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, government identification information, financial information, health insurance information and clinical information. The CE notified HHS, the affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE strengthened its technical safeguards. OCR provided technical assistance to the CE pertaining to the HIPAA Breach Notification and Security Rules.

The covered entity (CE), SkinCure Oncology, reported that it multiple employees were the subjects of an email phishing attack that affected the protected health information (PHI) of 13,434 individuals. The PHI involved included names, addresses, dates of birth, Social Security and drivers’ license numbers, claims information, diagnoses, medications, and other treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE implemented additional administrative, technical, and security safeguards.

Mass General Brigham Health Plan, the covered entity (CE), reported that an employee impermissibly shared her system credentials with an unauthorized individual in an effort to outsource her job duties. This breach affected the protected health information (PHI) of 3,659 individuals. The PHI involved included names, addresses, medical record numbers, dates of birth, email addresses, phone numbers, Social Security numbers, health insurance and claims information, and diagnoses. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE provided complimentary credit monitoring services and established a call center for questions or concerns. In addition, the employee was sanctioned and all staff were retrained on the requirement to protect and secure sensitive data.

Mass General Brigham, the covered entity (CE), reported that several employees impermissibly shared their system credentials with an unauthorized individual in an effort to outsource their job duties. This breach affected the protected health information (PHI) of 655 individuals. The PHI involved included names, addresses, medical record numbers, dates of birth, email addresses, phone numbers, Social Security numbers, health insurance and claims information, diagnoses, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE provided complimentary credit monitoring services and established a call center for questions or concerns. In addition, the employees were sanctioned and all staff were retrained on the requirement to protect and secure sensitive data.

The covered entity (CE), Samaritan Health Services, reported that a workforce member impermissibly accessed the protected health information (PHI) of 1,296 individuals without authority. The PHI involved included names, dates of birth, addresses, Social Security numbers, claims information, diagnoses, lab results, medications, and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE sanctioned the workforce member and provided free credit monitoring services to affected individuals.

The covered entity (CE), Memorial Sloan Kettering Cancer Center, reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 12,274 individuals. The PHI involved names, addresses, dates of birth, diagnoses, lab results, medications, and other treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE implemented additional administrative, technical, and security safeguards. Staff were retrained on email security.

The covered entity (CE), The Mount Kisco Surgery Center dba The Ambulatory Surgery Center of Westchester, reported that it experienced a hacking incident that affected the protected health information (PHI) of 22,139 individuals. The PHI involved included names, Social Security and drivers’ license or state identification numbers, dates of birth, diagnoses, medications, claims and financial information, and health insurance and treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. The responsible employee was sanctioned.

The covered entity (CE), Pinnacle Orthopaedics & Sports Medicine Specialists, reported that it was the subject of a ransomware attack that affected the protected health information (PHI) of 1,100 individuals. The PHI involved included names, dates of birth, addresses, lab results, medications, diagnoses/conditions, and other treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. Staff were retrained to better protect its PHI.

Aultman Hospital, the covered entity (CE), reported that an email phishing scheme affected the protected health information (PHI) of 26,062 individuals. The PHI involved included names, addresses, birthdates, Social Security numbers, health insurance information, diagnoses, and claims and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE implemented additional administrative and technical safeguards. OCR provided technical assistance to the CE.

The covered entity (CE), County of Los Angeles Department of Health Services, reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 41,444 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license and Social Security numbers, financial information, diagnoses and conditions, lab results, medications, and other treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional technical safeguards. Staff were retrained on email security.

The covered entity (CE), Ambulnz Holdings, reported that it experienced a cybersecurity incident that affected the protected health information (PHI) of 43,773 individuals. The PHI involved included names, Social Security numbers, addresses, drivers’ license numbers, dates of birth, diagnoses, and other treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards to better protect its PHI.

The covered entity (CE), Access Sports Medicine & Orthopaedics, reported that it experienced a ransomware incident that affected the protected health information (PHI) of 88,044 individuals. The PHI involved included names, dates of birth, Social Security numbers, financial information and treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE offered free credit monitoring to affected individuals and implemented additional administrative, technical, and security safeguards. OCR provided technical assistance to the CE.

The covered entity (CE), Zwanger-Pesiri Radiology, reported that a computer glitch caused the protected health information (PHI) of 985 individuals to be sent to the wrong recipient. The PHI involved included names, addresses, dates of birth, and treatment information. The CE notified HHS, affected individuals, and the media. In response to the breach, the CE implemented additional administrative and technical safeguards to better protect PHI.

Kaiser Foundation Health Plan of the Northwest, the covered entity (CE), reported that an employee mailed the protected health information (PHI) of 578 individuals to the wrong recipients. The PHI involved included names and health insurance information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE implemented additional administrative and technical safeguards. OCR provided technical assistance regarding the HIPAA Rules.

The covered entity (CE), Heart South Cardiovascular Group experienced a ransomware attack that compromised the protected health information (PHI) of 20,577 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license numbers, diagnoses, lab results, medications, health insurance information, claims and financial information, Social Security numbers, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice on its website. In its mitigation efforts, the CE implemented new technical safeguards, and retrained workforce members. OCR provided technical assistance regarding the HIPAA Breach Notification Rule.

The covered entity (CE), Aptihealth, reported that its business associate (BA) experienced a hacking incident that affected the protected health information (PHI) of 19,805 individuals. The PHI involved included claims information, addresses, dates of birth, and names. The CE notified HHS, affected individuals, and provided media notification. In response to the breach, the CE strengthened its administrative, technical, and security safeguards.

The business associate (BA), Benefit Management, reported that an employee was the subject of an email phishing attack that affected the protected health information (PHI) of 8,777 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license and Social Security numbers, claims and financial information, diagnoses, lab results, medications, and other treatment information. The BA notified HHS, affected individuals, and the media. In its mitigation efforts, the BA provided complimentary credit monitoring services and implemented additional administrative and technical safeguards.

The covered entity (CE), Looking Glass Counseling, reported its business associate (BA) may have altered security settings on its online platform that potentially affected the protected health information (PHI) of 2,739 individuals. The PHI involved included names, email addresses, phone numbers, diagnoses, and other treatment information. The CE notified HHS and the affected individuals. In response to the breach, the CE implemented additional administrative, technical, and security safeguards to better protect PHI.

The covered entity (CE), IACT Health, reported that its business associate (BA) experienced a hacking incident that affected the protected health information (PHI) of 676 individuals. The PHI involved included names, addresses, dates of birth, and diagnoses/conditions. The CE notified HHS, the affected individuals, and provided substitute notice. In response to the breach, the CE and BA implemented additional administrative, technical, and security safeguards to better protect PHI.

Adventist Health Tulare, the covered entity (CE), reported that its business associate (BA) experienced a cyber-attack that compromised the protected health information (PHI) of approximately 70,802 individuals. The PHI involved included names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, diagnoses, drivers’ license/state identification numbers, and health insurance information. The BA notified affected individuals and the CE notified HHS, the media, and posted a substitute notice on its website. In its mitigation efforts, the CE and BA implemented additional administrative and technical safeguards. Ultimately, the CE terminated its business relationship with the BA.

The covered entity (CE), Boston IVF, reported that an employee mailed billing statements that contained the protected health information (PHI) of 604 individuals to the wrong recipients. The PHI involved included names, addresses, medications, and other treatment information. The CE notified HHS and the affected individuals. In response to the breach, the CE has sanctioned the team member involved, implemented additional administrative safeguards, and retrained staff on the requirement to protect and secure sensitive data.

The covered entity (CE), Lakeview Health Systems, reported that it experienced a ransomware incident that affected the protected health information (PHI) of 10,772 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, diagnoses, prescription information, financial and health insurance information, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE offered free credit monitoring services and implemented additional administrative, technical, and security safeguards.

Orchard Park Fire District and Orchard Park EMS, the covered entity (CE), reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 2,089 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, drivers’ license/state ID numbers, financial and health insurance information, and other treatment information. The CE notified HHS, the affected individuals, the media, and law enforcement officials. In its mitigation efforts, the CE implemented additional technical, administrative and security safeguards.

The covered entity (CE), FORA Health, reported that several employees were the subjects of an email phishing attack that affected the protected health information (PHI) of 1,568 individuals. The PHI involved included names, addresses, dates of birth, Social Security numbers, diagnoses, and medications. The CE notified HHS, the affected individuals, and provided substitute notice. In response to the breach, the CE implemented additional administrative, technical, and security safeguards. Staff were retrained on email security. OCR provided technical assistance regarding the HIPAA Rules.

The covered entity (CE), Moffitt Cancer Center and Research Institute, reported that an employee emailed the protected health information (PHI) of 756 individuals to their personal email account. The PHI involved included names, treatment information, dates of service, and health insurance information. The CE notified HHS, the affected individuals, and the media. In response to the breach, the CE sanctioned the employee involved and retrained workforce members to better protect its PHI.

The covered entity (CE), University of Chicago Medical Center, reported that multiple employees were the subjects of an email phishing attack that affected the protected health information (PHI) of 10,332 individuals. The PHI involved included names, dates of birth, Social Security numbers, passport numbers, drivers’ license or state identification numbers, financial information, diagnoses, medications, and health insurance and other treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. Staff were retrained on email security.

The covered entity (CE), Summit Healthcare Regional Medical Center, reported that several employees impermissibly accessed the protected health information (PHI) of 905 individuals. The PHI involved included names, diagnoses, medications, and birthdates. The CE notified HHS, the affected individuals, and the media. In response to the breach, the CE updated its technical safeguards to better protect sensitive data. OCR provided technical assistance regarding the HIPAA Rules.

The covered entity (CE), McLean Hospital, reported that an employee inadvertently made an internal link that contained the protected health information (PHI) of 2,231 individuals available to anyone receiving the link via email. The PHI involved included names, email addresses, dates of birth, Social Security and drivers’ license numbers, telephone numbers, diagnoses, medications, and health insurance and other treatment information. The CE notified HHS, the affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards.

The covered entity (CE), County of Los Angeles Department of Mental Health, reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 1,598 individuals. The PHI involved included names, dates of birth, Social Security Numbers. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards.

The business associate (BA), Call 4 Health reported that it experienced a ransomware attack that affected the protected health information (PHI) of 10,434 individuals. The PHI involved included names, dates of birth, addresses, phones numbers, Social Security numbers, and treatment information. The BA notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the BA implemented additional administrative, technical, and security safeguards. In addition, the BA provided complimentary credit monitoring and related services to affected individuals.

The business associate (BA), TimeDoc, reported that a password-protected laptop containing the protected health information (PHI) of 1,894 individuals was stolen. The PHI involved included names, birthdates, and diagnoses. The BA notified HHS, affected individuals, and the media. In its mitigation efforts, the BA implemented additional administrative and technical safeguards to better protect PHI.

The covered entity (CE), Children’s Health Care, dba Children’s Minnesota, reported that several employees were the subjects of an email phishing attack that affected the protected health information (PHI) of 24,183 individuals. The PHI involved included names, addresses, dates of birth, health insurance information, diagnoses, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE implemented additional administrative, technical, and security safeguards. Staff were retrained on email security.

The covered entity (CE), Precision Medical Products, reported that an employee was the subject of an email phishing attack that affected the protected health information (PHI) of 1,094 individuals. The PHI involved included names, email addresses, health insurance information, and financial information. The CE notified HHS and the affected individuals. In response to the breach, the CE implemented additional administrative, technical, and security safeguards. Staff were retrained on email security.

The covered entity (CE), The Kennedy Collective, reported that an employee was the subject of an email phishing scheme that affected the protected health information (PHI) of 851 individuals. The PHI involved included names, addresses, Social Security numbers, dates of birth, drivers’ license information, claims information, and diagnoses. The CE notified HHS, the affected individuals, and the media. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative and technical safeguards.

The covered entity (CE), Columbia University Irving Medical Center, reported that an employee posted the protected health information (PHI) of 29,629 individuals on the Internet. The PHI involved included names, dates of birth, and a single laboratory test result. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE secured the data and provided staff additional training in its requirements to protect and secure PHI.

The covered entity (CE), Redwood Coast Regional Center, reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 24,937 individuals. The PHI involved included names, dates of birth, addresses, Social Security numbers, financial and claims information, diagnoses, lab results, medications, and other treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards to better protect its sensitive data.

The covered entity (CE), Affiliated Dermatologists and Dermatologic Surgeons, reported that it experienced a ransomware attack that affected the protected health information (PHI) of 373,680 individuals. The PHI involved included names, dates of birth, Social Security and drivers’ license numbers, health insurance and claims information, passport numbers, and treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE offered free credit monitoring services and implemented additional administrative, technical, and security safeguards.

The covered entity (CE), Marpai Health, Inc. reported that employees were the subject of an email phishing incident that affected the protected health information (PHI) of 1,129 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license numbers, diagnoses, medications, claims and health insurance information, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE implemented additional administrative, technical, and security safeguards. Staff were also retrained on email security precautions.

The covered entity (CE), Merchants Benefit Administration, reported that three employees were the subjects of an email phishing attack that affected the protected health information (PHI) of 767 individuals. The PHI involved included names, Social Security numbers, and financial information. The CE notified HHS and affected individuals. In response to the breach the CE improved its technical and administrative safeguards. OCR provided technical assistance to the CE.

The covered entity (CE), Allergy Medical Group of the North Area, reported that it experienced a cybersecurity incident that affected the protected health information (PHI) of 6,934 individuals. The PHI involved included names, dates of birth, and financial and health insurance information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In its mitigation efforts, the CE implemented additional administrative, technical, and security safeguards to better protect its PHI. In addition, the CE retrained its workforce members on security awareness precautions. OCR provided technical assistance to the CE regarding the HIPAA Rules.

The covered entity (CE), Inland Physicians Billing Services, reported that experienced a ransomware attack that compromised the protected health information (PHI) of 77,434 individuals. The PHI involved included names, dates of birth, Social Security numbers, lab results, diagnoses, and health insurance and treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach and OCR’s investigation, the CE updated its administrative and technical safeguards to better protect PHI. OCR provided technical assistance regarding the HIPAA Rules.

The covered entity (CE), OrthoConnecticut, reported that it was the subject of a ransomware incident that affected the protected health information (PHI) of 178,742 individuals. The PHI involved included, names, Social Security numbers, addresses, dates of birth, diagnoses, lab results, medications, and other treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional administrative, technical, and security safeguards. Staff were retrained.

The covered entity (CE), Aspire Health Alliance, reported that it experienced a ransomware incident that affected the protected health information (PHI) of 17,490 individuals. The PHI involved included named, addresses, dates of birth, Social Security and drivers’ license numbers, and financial information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE offered free credit monitoring to affected individuals and implemented additional administrative, technical, and security safeguards. OCR provided technical assistance to the CE.

The covered entity (CE), Bay Oral Surgery & Implant Center, reported that an employee was the subject of an email phishing attack that affected the protected health information (PHI) of 13,055 individuals. The PHI involved included names, dates of birth, addresses, email addresses, phone numbers, Social Security and drivers’ license numbers, health insurance and financial information, diagnoses, medication information, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In response to the breach, the CE implemented additional administrative, technical, and security safeguards. Staff were retrained on email security precautions.

The covered entity (CE), County of Los Angeles Department of Health Services and Public Health, reported that multiple employees were the subjects of an email phishing scheme that affected the protected health information (PHI) of 252,856 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license and Social Security numbers, financial information, diagnoses and conditions, lab results, medications, and other treatment information. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE provided complimentary credit monitoring services and implemented additional technical safeguards. Staff were retrained on email security.

The covered entity (CE), Moffitt Cancer Center and Research Institute, learned that its business associate (BA) experienced cybersecurity incident that affected the protected health information (PHI) of 26,577 individuals. The PHI involved included names, Social Security numbers, dates of birth, claims information, diagnoses. and medications. The CE notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the CE and BA provided complimentary credit monitoring services and the BA implemented additional administrative, technical, and security safeguards to better protect PHI.

The covered entity (CE), Blackstone Valley Community Health Care, reported that it was the victim of a ransomware attack affecting the protected health information (PHI) of 34,518 individuals. The PHI involved included names, social security and drivers’ license numbers, address, dates of birth, and treatment information. The CE notified HHS, affected individuals, and the media. Following the incident, the CE provided free credit monitoring and implemented additional administrative, technical, security, and physical safeguards.

The covered entity (CE), The Georgia Institute for Plastic Surgery, reported that it experienced a cyber-attack that affected the protected health information (PHI) of 8,111 individuals. The PHI involved included names, addresses, dates of birth, email addresses, and treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE implemented additional administrative, technical, and security safeguards. Staff were retrained on the requirement to protect and secure PHI.

The covered entity (CE), Health First Urgent Care, reported that a workforce member sent an email that contained the protected health information (PHI) of 4,169 individuals to an unauthorized recipient. The PHI involved included names and other identifiers. The CE notified HHS and the affected individuals. In its mitigation efforts, the CE sanctioned the workforce member involved and implemented additional administrative safeguards to better protect its PHI.

The covered entity (CE), Bluebonnet Trails Community Services, reported that several employees were the subjects of an email phishing incident that affected the protected health information (PHI) of 76,165 individuals. The PHI involved included names, addresses, dates of birth, drivers’ license numbers, financial information, diagnoses/conditions, lab results, medications, and other treatment information. The CE notified HHS, affected individuals, the media, and posted substitute notice on its website. In response to the breach, the CE offered free credit monitoring services and implemented additional administrative, technical, and security safeguards. Staff were also retrained in its requirements to protect and secure PHI.

The business associate (BA), Advarra, reported that it experienced a hacking attack of an employee’s email account which compromised the protected health information (PHI) of 596 individuals. The PHI involved included names, dates of birth, addresses, Social Security numbers, financial information, and treatment information. The BA notified HHS, the affected individuals, the media, and provided substitute notice. In response to the breach, the BA provided complimentary credit monitoring and implemented additional administrative, technical, and security safeguards. Staff were retrained to better protect sensitive data.