OCR Announces Settlements of Four Ransomware Investigations that Affected Over 427,000 Individuals
The U.S. Department of Health and Human Services Office for Civil Rights announced settlements with four HIPAA‑covered entities after ransomware breaches that exposed the protected health information of more than 427,000 individuals. Regional Women’s Health Group, Assured Imaging, Consociate Health and SG Health Plan will each implement a two‑year corrective‑action plan under OCR monitoring and together paid $1.165 million in penalties. The resolutions represent the 19th ransomware investigation closed by OCR and highlight persistent gaps in risk‑analysis practices. OCR also released a set of eight recommendations to strengthen ePHI security.
South Korea’s Regulator Fines Matchmaking Service Duo $830,000 over Data Breach
South Korea’s Personal Information Protection Commission fined matchmaking leader Duo Info $830,000 after a December 2025 hack exposed the personal data of about 430,000 members. The breach revealed 24 data points, ranging from basic identifiers to religion, hobbies, marital history,...
Healthcare AI Firm Sued Over Alleged Unlawful Disclosures of Genetic Data
Tempus AI, a publicly traded healthcare‑AI company, faces multiple class‑action lawsuits alleging it collected and disclosed genetic test results from Ambry Genetics without proper consent. Plaintiffs claim Tempus used Ambry’s genetic database to train its machine‑learning models, violating privacy protections....
Mile Bluff Medical Center Says Security Incident that Involved Data Encryption Disrupted Phone, Computer Systems
Mile Bluff Medical Center in Mauston, Wisconsin, reported a security incident that encrypted data and disrupted phone and computer systems. Clinical teams immediately shifted to downtime procedures to keep patient care flowing while the hospital activated its security protocols. An...
NOT for Sale! BlueLeaks 2.0 Hacktivist Decides Not to Sell Dataset with Sensitive Data
Hacktivist "Internet Yiff Machine" (IYM) initially listed the 8.3 million‑tip BlueLeaks 2.0 dataset for $10,000 and offered a $15‑per‑lookup service, but after media scrutiny withdrew both offers. IYM announced the data will not be sold and will eventually be deleted, citing ethical...
Outside FDA, Inside the Crosshairs: Cybersecurity Risks for General Wellness and Fitness Products
The FTC’s Health Breach Notification Rule (HBNR) now reaches low‑risk general‑wellness apps that aggregate personal health data, even though the FDA’s 2026 guidance excludes them from device regulation. Developers risk being classified as personal health record (PHR) vendors when their...

BlueLeaks 2.0: 7,300+ Schools, Referral Systems Reported, and a Breach Navigate360 Still Hasn’t Publicly Confirmed
A hacktivist group called Internet Yiff Machine (IYM) obtained over 93 GB of data containing 8.3 million anonymous tips submitted to Crime Stoppers and school‑reporting platforms owned by P3 Global Intel, now part of Navigate360. The tips, some dating back to 1987,...
Dutch Warship Compromised with $5 Tracker and a Postcard
A journalist mailed a $5 Bluetooth tracker hidden inside a postcard through the Dutch military postal system, and it arrived aboard the HNLMS Evertsen without detection. The frigate, currently supporting France's carrier Charles de Gaulle in the Eastern Mediterranean, passed...
Vercel Confirms Cyber Incident After Sophisticated Attacker Exploits Third‑Party Tool
Vercel, the Next.js and cloud infrastructure provider, confirmed a cyber‑incident involving a highly sophisticated attacker. The breach originated from an employee’s use of the third‑party tool Context.ai, which allowed the threat actor to commandeer the employee’s Google Workspace account. Through...
Minidoka Memorial Hospital Updates Easter Morning Cyberattack
Minidoka Memorial Hospital in Rupert, Idaho experienced a cyber incident on Easter morning, April 5, that temporarily disabled imaging services and forced the transfer of some emergency patients. The hospital’s clinics continued treating patients, and a follow‑up update on April 17 confirmed...
Breach at BE PRIME Cybersecurity Company Exposes Client Data and Surveillance Systems; Be Prime Threatens Journalists
Mexican cybersecurity firm BePrime confirmed a breach that exposed roughly 12.6 GB of client data and video‑surveillance feeds. The attacker claims they accessed administrator accounts that lacked multi‑factor authentication, a basic security control. BePrime’s response included a press release threatening legal...

Tax Documents for School Employees Potentially Stolen Across Los Angeles County
The Los Angeles County Office of Education (LACOE) is probing a possible breach that exposed electronic tax documents of teachers and administrators after fraudulent filings were reported. Two school districts received letters about fake tax returns, but LACOE has not...
Judge Lets State Auditor’s Investigation Into Data Breach Affecting Blue Cross Blue Shield Members Move Forward
A Montana state district judge dismissed Health Care Service Corporation’s lawsuit, allowing the state auditor to continue probing a data breach that may have exposed the protected health information of roughly 462,000 Blue Cross Blue Shield of Montana members. The...
AI Ghost Narratives Create a Minefield for Entities and Journalists
A recent CyberScoop op‑ed highlights three AI‑driven "ghost" breach narratives that have forced companies into costly crisis mode, resurrected old incidents, and fabricated expert quotes. In the first scenario, a language model fabricated a detailed data‑breach story that media outlets...
Brussels Launched an Age Checking App. It Took 2 Minutes to Hack It.
European Commission President Ursula von der Leyen unveiled a mobile age‑verification app intended to protect minors online. Within minutes, cybersecurity researchers demonstrated that the app could be hacked, exposing hard‑coded credentials and insecure data handling. The flaws raise serious privacy...