Utopia Tech
Healthcare · 3 min read

Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches

June 26, 2026

Data security incidents have been announced by the Colorado Health Network and Kentucky Mountain Health Alliance. In both cases, only limited information has been released about the nature of the incidents.

Colorado Health Network

Colorado Health Network Inc., a nonprofit organization that provides health and support services to individuals with HIV/AIDS across Colorado, has recently disclosed a data security incident. The breach notification does not state when the breach was detected or for how long the threat actors had access to its network, only that an unauthorized third party accessed and removed files from its systems.

The files have been reviewed and found to contain patient names in combination with one or more of the following: Social Security number, driver’s license/state identification card number, passport number, financial account information, debit/credit card information, health insurance information (which may include Medicaid/Medicare information), and medical information.

The medical information may include, but is not limited to, diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s/location. Colorado Health Network started mailing notification letters to the affected individuals on June 18, 2026, and said it has received no reports to suggest that any of the exposed or copied information has been misused.

The affected individuals have been advised to monitor their account statements, free credit reports, and explanation of benefits statements for suspicious activity, and to sign up for the complimentary credit monitoring and identity theft protection services that have been offered.

This appears to have been a ransomware attack by the Cephalus ransomware group. Cephalus claimed on its dark web data leak site on August 28, 2025, that it was behind the attack and obtained more than 900 GB of data. The group’s data leak site is not currently accessible, so it is unclear whether the data was leaked online.

The Texas attorney general was informed that 257 Texas residents were affected by the breach. Given that the primary location of business is Colorado, that would suggest that the incident affected more than 500 individuals and should have been reported to the HHS’ Office for Civil Rights (OCR) and added to the OCR data breach portal; however, it is not currently shown on the breach portal.

Kentucky Mountain Health Alliance

Kentucky Mountain Health Alliance, a Hazard, KY-based nonprofit organization that provides primary and specialty care to the homeless, has disclosed a data breach that involved unauthorized access to patient data, some of which was copied in the incident.

While data breach notices should be placed in a prominent location on the home page of the provider’s website under HIPAA, users are required to click on the “more” section and then select the notice from the drop-down menu. The notice states that the compromised information includes names plus one or more of the following: Social Security numbers, driver’s license numbers/state identification numbers, passport numbers, financial account information, debit/credit card information, health insurance information, and medical information such as diagnosis, diagnosis code, mental/physical condition, prescription information, provider’s name and location, and health insurance information.

Notification letters were issued to the affected individuals on June 12, 2026. As with the data breach at Colorado Health Network (above), the breach notifications do not elaborate further on the nature of the incident, such as who potentially accessed the data (internal/external), when the incident was detected, or for how long the data was exposed. The website notice makes no mention of credit monitoring services; however, the notice issued to the Massachusetts Office of Consumer Affairs and Business Regulation states that 24 months of complimentary credit monitoring and identity theft protection services are being provided through Epiq.

The number of affected individuals has yet to be publicly disclosed.

The post Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches appeared first on The HIPAA Journal.

Originally published at hipaajournal.com
