Also new by me:

Cherry Health provides preliminary notice of recent data breach:

https://databreaches.net/2026/06/22/cherry-health-provides-preliminary-notice-of-recent-data-breach/

They had an earlier breach in December 2023 that affected pretty much the same types of patient information. How did these attackers gain access compared to the 2023 attackers? None of that has been made public.

#databreach #healthsec #transparency #infosec #HIPAA #HHS

A bit of data breach history:

Today, The Gentlemen added Athens Orthopedic Clinic (AOC) to its DLS without any proof of claims.

I looked at the name and blinked because it is almost a decade to the day that I first notified AOC that they had been hacked by thedarkoverlord (TDO). I did extensive reporting on that incident, including exposing the business associate responsible for the breach, civil litigation by upset patients, and HHS charges against AOC that were settled with a corrective action plan and a $1.5 million monetary penalty. I also reported on the arrest and sentencing of one member of TDO who was involved in that incident.

At one point I learned that I was doing so much exclusive reporting on TDO that the FBI served Twitter with legal process to get my information because they weren't sure whether I was a co-conspirator or not (they eventually realized I wasn't).

For my multi-year reporting on that incident and follow-up, search databreaches.net for "Athens Orthopedic."

For the HHS settlement, see:
https://databreaches.net/2020/09/21/athens-orthopedic-clinic-pays-1-5-million-to-settle-hhs-charges-of-systemic-noncompliance-with-hipaa-rules/

As to the civil suit (Collins v. Athens Orthopedic), the case went up to the Georgia Supreme Court, which reversed the lower court's dismissal of the case and ruled that the plaintiffs did have standing to sue for negligence. They remanded, and the Court of Appeals adopted their decision as their own (see https://caselaw.findlaw.com/court/ga-court-of-appeals/2087515.html).

Having failed in their attempt to get the case dismissed, Athens Orthopedic then settled privately with the plaintiffs. I do not know the terms of that settlement.

I just wonder how AOC will respond to this incident in light of their disastrous experience in 2016. And I wonder what #HHS will find when they investigate.

#databreach #extortion #HIPAA #healthsec #cybersecurity #infosec
#TDO #thedarkoverlord #athensorthopedic

UK: More than one year later, HCRG is first notifying patients of a ransomware attack:

https://databreaches.net/2026/06/18/uk-more-than-one-year-later-hcrg-is-first-notifying-patients-of-ransomware-attack/

This is the one where they ran to the High Court in the UK to get injunctions that their lawyers sent to @amvinfe and me.

It seems they are first notifying patients now -- 16 months after the attack.

#healthsec #cybersecurity #incidentresponse #HCRG #injunction
#databreach #ransomware

iRhythm confirms data was stolen in a breach — a medical device company, so the data in question isn't just names and emails. When health monitoring hardware meets patient records, the attack surface becomes a clinical concern, not just a compliance checkbox. Details on scope and affected data types are still emerging. #infosec #breach #healthsec
https://www.securityweek.com/irhythm-confirms-data-stolen-in-hack/
iRhythm Confirms Data Stolen in Hack

iRhythm has been targeted in a cyberattack that resulted in the theft of information and hackers asking for a ransom.

SecurityWeek

@chum1ng0 I wonder if #HHSOCR pays attention to any of these leak reports where the entity has not responded to responsible disclosure nor acknowledged any problem.

The patients are lucky you persisted, Chu.

#dataleak #HealthSec #infosecurity #HIPAA

NEW:

Yesterday, the USAO in Maryland issued a press release stating that Matthew Bathula, a clinical pharmacy specialist, had been charged with unauthorized access and ID theft involving patients at "Company A" -- a medical system in Maryland. 195 patients have been notified.

If you read the DOJ presser, it alleges a lot of activities that go waaaay beyond the usual insider "snooping."

A little digging revealed that "Company A" is the University of Maryland Medical Center, where Bathula was employed during the years of alleged wrongdoing.

Read the presser and more at:

https://databreaches.net/2026/05/02/maryland-pharmacist-indicted-on-unauthorized-computer-access-related-to-u-maryland-medical-center/

#databreach #IDtheft #HIPAA #infosec #insider #healthsec

Almost one year after discovery, Sandhills Medical Foundation notifies 169,017 people affected by a cyberattack

This was an attack by INC Ransom, who dumped the data in June 2025. INC didn't tag it as an encryption incident -- just as hack, exfil, ransom demand. So I'm not sure why it took Sandhills about a year to make notifications.

https://databreaches.net/2026/04/29/almost-one-year-after-discovery-sandhills-medical-foundation-notifies-169017-people-affected-by-a-cyberattack/

#databreach #HIPAA #incidentresponse #INCransom #healthsec

If you were or are a federal employee or are a family member of one, you might want to read this and share it with others who might be concerned:

Trump’s Personnel Agency Is Asking for Federal Workers’ Medical Records

https://kffhealthnews.org/news/article/trump-opm-federal-workers-medical-records-privacy/view/republish/

#privacy #healthsec #workplace #infosec

Trump’s Personnel Agency Is Asking for Federal Workers’ Medical Records - KFF Health News

The administration is asking insurers that cover federal employees and retirees to hand over details about their medical visits, their pharmacy claims, and more.

KFF Health News