Multiple healthcare data breaches have been reported this week, with Aitkin County Health and Human Services in Minnesota disclosing that a phishing-related email breach has compromised the protected health information of more than 83,000 individuals.
Aitkin County Health and Human Services
On April 8, 2026, Aitkin County Health and Human Services identified that an email account was sending phishing emails. An immediate investigation, assisted by third-party digital forensics experts, determined that three employee email accounts had been accessed without authorization between April 7 and April 8, 2026. The contents of one account were confirmed to have been downloaded.
The affected accounts contained the protected health information of 83,114 individuals, including names, addresses, dates of birth, Social Security numbers, medical records, diagnosis and treatment information, health insurance identification numbers, and medications. Passwords have been changed, employees received additional cybersecurity training, and the email retention policy has been updated.
Decatur Diagnostic Laboratory Hit by LockBit 5
Decatur Diagnostic Laboratory in Alabama has reported a hacking incident involving data exfiltration to the HHS Office for Civil Rights. The clinical lab confirmed that names, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, and patient codes were among the data stolen. While the lab has not confirmed ransomware, the LockBit 5 ransomware group has claimed responsibility and added the lab to its dark web data leak site.
Gem State Dermatology: Improper Disposal Incident
In a rare improper disposal incident, patient documents containing HIPAA-protected data from Gem State Dermatology in Boise, Idaho, were found in a dumpster three miles from the practice on July 8, 2026. A member of the public discovered boxes of billing statements containing medical and personal information, along with what appeared to be thousands of microscope slides containing patient information and biological samples. The practice has launched an internal investigation.
Park Dental Research and Wabi Sabi Behavioral Health
Park Dental Research Corporation in Oklahoma experienced a security incident on or around April 29, 2026, with the Interlock ransomware group claiming responsibility for exfiltrating 260 GB of data containing names, Social Security numbers, driver’s license numbers, and bank account information. Meanwhile, Wabi Sabi Behavioral Health Center in Nebraska suffered a payroll diversion attack on June 15, 2026, when an unauthorized third party gained access to a QuickBooks Online account using compromised credentials to redirect employee payments.
