The Las Vegas medical billing and coding management company, La Perouse, has announced a data breach that has affected seven of its medical group clients. Data breaches have also been announced by Acadia Healthcare Company, Harbor Regional Center, United Medical Systems, and Ohio ENT & Allergy Physicians. La Perouse La Perouse LLC, a Las Vegas, NV-based medical billing and coding management company, has notified the California Attorney General about a breach of one of its third-party billing platforms. Potential unauthorized activity was first identified on July 8, 2025. The platform and its network environment were secured, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed that the unauthorized access was confined to the third-party billing platform and that sensitive data stored within that platform had been copied by the attacker. The review of the affected data was completed in the Spring of 2026, and notification letters were mailed to the affected individuals on April 17, 2026. The data compromised in the incident varies from individual to individual and may have included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, patient identification and medical record numbers, medical information, and health insurance information. La Perouse worked with its third-party billing platform provider to implement additional technical safeguards, enhance security measures, and update security policies and procedures. The affected individuals have been offered at least 12 months of complimentary credit monitoring services. The affected individuals had received medical services from one or more of the following healthcare providers; Beach Emergency Medical Associates Centinela Freeman Emergency Medical Associates Chino Emergency Medical Associates Hollywood Presbyterian Emergency Medical Associates Montclair Emergency Medical Associates Tarzana Emergency Medical Associates Temecula Valley Hospitalist Medical Group The incident was reported to the HHS’ Office for Civil Rights in September 2025 using a placeholder estimate of at least 501 individuals. The total has yet to be updated. Acadia Healthcare Company Acadia Healthcare Company, the operator of a network of almost 280 behavioral healthcare facilities in 40 U.S. states and Puerto Rico, has recently disclosed a data security incident that was first identified in March 2026. Suspicious activity was observed within an employee’s email account. The email account was secured, and an investigation was launched to determine the nature and scope of the activity. The forensic investigation determined that the account and an associated SharePoint account were accessed by an unauthorized third party between March 21 and March 25, 2026, as a result of social engineering attacks. No other systems were involved. The data review was completed on May 15, 2026, and confirmed that the information compromised in the incident included names, addresses, dates of birth, treatment information, health insurance information, admission dates, diagnosis codes, patient statuses, Medicare insurance claim numbers, and, for some individuals, Social Security numbers. Notification letters started to be mailed to the affected individuals on May 22, 2026. Acadia Healthcare Company said additional cybersecurity measures have been implemented to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected. Harbor Regional Center Harbor Developmental Disabilities Foundation, doing business as Harbor Regional Center, a Long Beach, CA-based provider of services to individuals with developmental disorders, identified suspicious activity within its computer network on or around March 7, 2026. The forensic investigation confirmed unauthorized access to its computer network between March 6 and March 7, during which time, files may have been viewed or copied from the network. On May 15, 2026, Harbor Regional Center completed its review of the exposed files. The exact types of information involved are detailed in the individual notification letters that have recently been mailed to the affected individuals. The number of affected individuals has yet to be publicly disclosed. The affected individuals have been offered single-bureau credit monitoring and identity theft protection services, and steps have been taken to improve security to prevent similar breaches in the future. Ohio ENT & Allergy Physicians Ohio ENT & Allergy Physicians in Columbus, Ohio, has recently reported a data breach to the Maine Attorney General that involved unauthorized access to the personal and protected health information of 324 individuals, including 1 Maine resident. A cybersecurity incident was detected on March 30, 2026, when suspicious activity was identified on a workstation within its network environment. The forensic investigation confirmed unauthorized access between March 29, 2026, and March 30, 2026. The review of all potentially exposed files was completed on May 18, 2026. Data exposed in the incident included full names and Social Security numbers. Notification letters were mailed to the affected individuals on May 29, 2026. Ohio ENT & Allergy Physicians has implemented additional technical safeguards and has enhanced its security measures to prevent similar incidents in the future, and complementary credit monitoring services have been offered to the affected individuals. United Medical Systems Westborough, Massachusetts-based mobile specialty healthcare service provider United Medical Systems has disclosed a data breach affecting 485 individuals. According to the notification letters, which were mailed to the affected individuals on May 20, 2026. The forensic investigation confirmed that names, driver’s license numbers, and Social Security numbers we
Originally published at hipaajournal.com
