Hale Insights - September 22, 2025

This week’s news highlights why health‑care compliance and IT teams cannot afford complacency.  The days leading up to 22 September saw a mix of breach disclosures, ransomware warnings and an important win against phishing gangs.  Covered entities and business associates should review their incident‑response plans, harden remote‑access portals and ensure staff are trained to recognise credential‑harvesting emails.  Below is a digest of the week’s most consequential stories with recommendations for compliance teams.

Breach & Incident Notices

Eye‑care providers continue to be prime targets

Black Hills Regional Eye Institute (South Dakota) – Bank Info Security reported that the institute discovered suspicious activity in its network on January 8 2025 and later determined attackers had access between January 4 and January 8.  The breach impacted 106,862 people, and stolen data included names, Social Security numbers, addresses, medical information, insurance details and credit‑card data.  Although no misuse has been detected, the provider is offering a year of identity‑protection services.

Retina Group of Florida (RGF) – On September 3 2025 the group told HHS that a cyber‑attack had compromised 153,018 patients’ records, but no public breach notice had been posted as of mid‑September.  Law firms are investigating potential class‑action suits.  Bank Info Security notes that at least eleven eye‑care providers have reported hacks to OCR this year and that small practices often lack the resources to implement robust cybersecurity measures.

Why it matters: These incidents show that ophthalmology practices are increasingly targeted.  Compliance officers should verify that vendors handling patient billing and imaging data perform regular risk analyses and that encryption and multifactor authentication are in place.  Small practices may need extra support from managed‑service providers to address patching and network monitoring.

New Jersey medical groups & Ohio social services agency investigate intrusions

Passaic Hospitalist Services and Passaic River Physicians (New Jersey) – On September 19 2025 the HIPAA Journal reported that attorneys for these groups notified patients about a security incident. Investigators discovered that attackers accessed files between May 22 and May 23 2025 and potentially stole names, dates of birth, addresses, diagnosis details, provider names, dates of service, treatment information and health‑insurance data.  Notification letters are being mailed; the incident was not yet listed on the OCR portal, so the number of affected individuals remains unknown.

Family & Community Services, Inc. (Ohio) – The same report noted that this social‑services organization detected signs of unauthorized access on May 22 2025.  Third‑party experts confirmed that attackers accessed its computer systems.  The investigation is ongoing and the organisation has not yet determined how many individuals were affected; it has restored operations and taken steps to harden remote entry points and strengthen access controls.

Compliance takeaway: Breaches often remain undiscovered for months.  Ensure that intrusion‑detection systems and log monitoring are active, and review vendor contracts to confirm obligations for reporting and remediation.  When a breach occurs, regulators expect timely notification and evidence that risk assessments have been conducted.

Non‑profit health center notifies 456k patients after BianLian ransomware attack

Goshen Medical Center (North Carolina) – According to a Maine Attorney General breach notice, Goshen Medical Center detected suspicious network activity on March 4 2025; consultants later determined that an unauthorised actor accessed systems on February 15 2025.  After a thorough review concluded September 12 2025, the centre began notifying 456,385 individuals that their names, addresses, dates of birth, Social Security numbers, driver’s‑license numbers and medical‑record numbers were exposed.  The provider is offering 12–24 months of credit‑monitoring services and says it has strengthened security controls.

BianLian’s data‑leak posting and breach rankings – CyberNews noted that the BianLian ransomware gang posted Goshen Medical Center to its leak site.  The article highlighted that this breach is the third‑largest ransomware attack on a U.S. health‑care organisation this year; Medical Associates of Brevard (nearly 247,000 patients affected) and New York Blood Center Enterprises (about 194,000 patients) occupy the fourth and sixth spots in this grim ranking.  Rebecca Moody of Comparitech remarked that these attacks underscore how healthcare remains a dominant ransomware target and that it often takes months for the full extent of breaches to become clear.

Action items: Verify that incident‑response plans address ransomware exfiltration.  Ensure backups are offline or immutable and that third‑party providers (such as billing and EMR vendors) are assessed for ransomware resilience.  Organisations should also confirm that they are capturing system logs needed to prove when and how breaches occurred.

Industry & Threat Trends

Microsoft disrupts major phishing operation targeting healthcare

Microsoft announced that it dismantled a phishing operation known as RaccoonO365, which had targeted at least 20 U.S. health‑care organisations.  With a court order from the U.S. District Court for the Southern District of New York, Microsoft seized 338 domains used by the threat actors.  RaccoonO365 sold subscription‑based phishing kits that mimicked legitimate Microsoft messages to steal Microsoft 365 credentials; since July 2024, the kits have been used to harvest over 5,000 credentials across 94 countries.  The group recently offered an AI‑powered service to accelerate its attacks.  John Riggi, national adviser for cybersecurity at the American Hospital Association, warned that stolen credentials have enabled ransomware attacks against hospitals and stressed the need for evolving social‑engineering training.

What to do: Conduct regular phishing‑simulation exercises and update security awareness programs to cover AI‑enhanced scams.  Review identity‑and‑access management policies, enforce multifactor authentication for all external access and disable legacy protocols that attackers often exploit.
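The two controls in the last sentence, multifactor authentication for all external access and retiring legacy protocols, can be audited directly from identity sign-in logs rather than taken on trust. The following Python script is an added example and is not part of the original newsletter or of Microsoft's tooling; it assumes an export that uses the Microsoft Entra ID sign-in log field names shown (userPrincipalName, clientAppUsed, authenticationRequirement, ipAddress, status.errorCode), the sign-in records are constructed, and the 10.0.0.0/8 range stands in for the organisation's trusted networks (also an assumption).

```python
"""Flag legacy-protocol and single-factor external sign-ins in an exported sign-in log.

Added example (not the newsletter's or Microsoft's code). Field names follow the
Entra ID sign-in log schema as an assumption; the log records are constructed.
"""
import ipaddress
import json
from collections import Counter

# clientAppUsed values that indicate basic/legacy authentication, which cannot
# enforce MFA and is what the article's "disable legacy protocols" advice targets.
LEGACY_CLIENTS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "Offline Address Book", "Other clients",
}

# Constructed: address ranges treated as internal. Single-factor sign-ins from
# here are not flagged; everything else counts as "external access".
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sign-in export in the shape of an Entra ID sign-in log (assumption).
SAMPLE_SIGNIN_LOG = json.dumps([
    {"userPrincipalName": "alice@example.org", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.org", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.org", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "10.0.0.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.org", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@example.org", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "10.0.0.8", "status": {"errorCode": 0}},
])


def is_trusted(ip):
    """True if the address falls inside one of the trusted (internal) networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed address: treat as external
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_signins(raw):
    """Parse the JSON export into a list of sign-in records."""
    return json.loads(raw)


def flag_signins(records):
    """Return successful sign-ins that used a legacy client or were single-factor from outside."""
    findings = []
    for rec in records:
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-in: no access was granted, so no finding
        reasons = []
        if rec.get("clientAppUsed") in LEGACY_CLIENTS:
            reasons.append("legacy-protocol")
        if (rec.get("authenticationRequirement") == "singleFactorAuthentication"
                and not is_trusted(rec.get("ipAddress", ""))):
            reasons.append("single-factor-external")
        if reasons:
            findings.append({
                "user": rec.get("userPrincipalName"),
                "client": rec.get("clientAppUsed"),
                "ip": rec.get("ipAddress"),
                "reasons": reasons,
            })
    return findings


def summarize(findings):
    """Count how many findings each reason produced, for a quick posture read-out."""
    counts = Counter()
    for finding in findings:
        counts.update(finding["reasons"])
    return dict(counts)


if __name__ == "__main__":
    results = flag_signins(parse_signins(SAMPLE_SIGNIN_LOG))
    for finding in results:
        print(f"{finding['user']:<20} {finding['client']:<22} "
              f"{finding['ip']:<15} {', '.join(finding['reasons'])}")
    print("summary:", summarize(results))
```

On the constructed records the script flags bob (IMAP4 from an external address, so both reasons) and erin (ActiveSync from inside; legacy protocols are flagged wherever they appear), ignores dave's failed attempt and carol's internal single-factor sign-in, and the summary gives the two numbers a compliance team would track toward zero.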

Compliance & Risk Management Insights

Risk analyses remain essential.  Recent breaches show that vulnerabilities often lie in ageing systems or unmanaged remote‑access portals.  Small practices should document regular security‑risk assessments and implement remediation plans to satisfy HIPAA Security Rule requirements.

Vendor oversight.  Many breaches originated at third‑party service providers.  Covered entities must ensure that business‑associate agreements require prompt breach notification and mandate adequate security controls.

Incident‑response readiness.  The lag between intrusion and disclosure demonstrates the importance of monitoring, retaining logs and having a tested incident‑response plan.  OCR expects regulated entities to notify patients “without unreasonable delay” once a breach is confirmed.

Staff education.  From targeted phishing kits to credential‑harvesting ransomware, human factors remain a primary attack vector.  Ongoing training on phishing recognition, secure password practices and appropriate handling of PHI is critical.

Closing Thoughts

This week’s events illustrate how ransomware gangs, phishing operations and opportunistic hackers continue to exploit gaps across the healthcare ecosystem.  Even though some breaches occurred months ago, the full scope is only now being disclosed.  Compliance teams should use these reports as reminders to strengthen risk assessments, validate the security posture of vendors and ensure rapid breach‑notification protocols.  With regulators signalling a tougher stance on information blocking and security lapses, organisations that take proactive steps now will be better positioned to protect patients’ data and avoid enforcement action in the months ahead.

Tags:
compliance
cybersecurity
data breach
healthcare
HIPAA
risk assessment