Full List

Search

Search Results (data leak)

• Merck Sharp & Dohme LLC December 19, 2024 • [ data leak, supply chain attack ] Merck stated it was informed that its data was found within files impacted by a security incident at vendor Graebel Companies, Inc. After internal review, Merck determined certain current and former employees personal information was included in the impacted data and began notifying affected individuals. Reported potentially impacted elements included names and financial account information. The underlying vendor incident involved unauthorized access to or taking of certain files from the vendors network during a defined window in December 2024, with subsequent file review and customer notifications occurring later.
• Sunflower Medical Group December 15, 2024 • [ ransomware, data leak ] The Rhysida ransomware group attacked Sunflower Medical Group around 2024-12-15, exfiltrating approximately 3 TB of patient and administrative data and disrupting clinical systems. Suspicious activity was detected 2025-01-07 and public disclosure followed.
• Oral Roberts University December 15, 2024 • [ data leak ] Between December 15 and December 17, 2024, an unauthorized actor accessed ORU systems and took certain files. Investigation determined some files contained names and Social Security numbers. Notifications were mailed by February 19, 2025.
• VectraRx Mail Pharmacy Services December 13, 2024 • [ data leak ] Unusual activity discovered Dec 13, 2024; review confirmed potential access/acquisition; notifications in Feb 2025.
• Integrated Oncology Network (multiple practices) December 13, 2024 • [ phishing, data leak ] Phishing incident Dec 1316, 2024 led to unauthorized access to a small number of email and SharePoint accounts; by late June 2025, notices mailed; HHS lists grew to 22 locations affecting 116,557 patients.
• Kelly & Associates Insurance Group, Inc. December 12, 2024 • [ data leak ] Kelly Benefits (Kelly & Associates Insurance Group, Inc.) disclosed that an unauthorized actor accessed its network between Dec 1217, 2024 and stole data affecting ~553,660 people. No encryption or operational disruption was reported; notifications began April 9, 2025.
• Orthominds December 11, 2024 • [ data leak ] Dental software vendor began sending data breach notifications to affected clients and individuals.
• Ottawa Family Physicians December 10, 2024 • [ data leak, unencrypted data, healthcare ] Between December 1015, 2024, an unauthorized actor accessed Ottawa Family Physicians systems and exfiltrated patient data from an internal server. The EMR database was not affected. Data types included personal identifiers, financial, and health information. No encryption was used, and no operational disruption occurred. The incident was reported to HHS on February 13, 2025.
• WK Kellogg Company December 7, 2024 • [ ransomware, data leak ] WK Kellogg Company filed a data breach notification with the Maine Attorney General on April 7 2025 after discovering unauthorized access to its systems on December 7 2024. According to the company and BleepingComputer, threat actors affiliated with the Cl0p ransomware group exploited a MOVEit Transfer vulnerability to exfiltrate employee data containing names and Social Security numbers. No evidence of encryption or operational disruption was reported.
• Texas Health and Human Services Commission December 5, 2024 • [ insider threat, data leak ] HHSC update: following insider wrongdoing identified in 2024, the agency added 33,529 more affected, bringing the total to ~94,000 individuals; misconduct spanned 2021Jan 2025 and led to terminations and OIG referral.
• Muswellbrook Shire Council December 4, 2024 • [ ransomware, data leak ] On December 4 2024, Muswellbrook Shire Council (NSW, Australia) detected a ransomware attack by the SafePay group. The attack encrypted portions of internal servers and resulted in theft and dark-web publication of sensitive employee and resident information. Council systems were progressively restored; investigation ongoing as of February 2025.
• Hamilton County Healthcare System December 4, 2024 • [ data leak, healthcare, PII ] Unauthorized actor breached Hamilton County Healthcare System servers in Dec 2024, stealing tens of thousands of patient records; breach verified through Maine AG notification and HIPAA disclosure.
• Racine Unified School District December 3, 2024 • [ data leak ] Security breach of RUSD internal network; forensic probe said staff data may have been accessed; student data hosted externally unaffected.
• Check Point Software Technologies December 1, 2024 • [ data leak ] On March 30 2025, hacker CoreInjection advertised alleged Check Point internal data for sale on BreachForums for 5 BTC. Check Point confirmed a past, limited incident with no customer impact and no encryption or disruption. Scope and amount of data remain unverified.
• Hertz Global Holdings December 1, 2024 • [ data leak, supply chain attack, vulnerability exploit ] Hertz confirmed that customer personal data was stolen through exploitation of zero-day vulnerabilities in its vendor Cleo Communications managed file transfer platform between October and December 2024. The company completed analysis on April 2 2025 and disclosed the breach publicly on April 10 2025. The compromised data included names, contact information, drivers license numbers, and limited payment and identification information. No encryption or operational disruption was reported.
• Fourlis Group (IKEA franchise operator) November 27, 2024 • [ ransomware, data leak ] A ransomware attack on November 27 2024 disrupted Fourlis Groups IT infrastructure supporting IKEA operations in Greece and other regional markets. The company reported that forensic investigators did not prove the leakage of personal data, confirming no verified exfiltration. The attack caused significant operational disruption, with reported recovery costs of approximately 20 million ( US $23 million) but no ransom payment.
• Douglasville-Douglas County Water & Sewer Authority November 26, 2024 • [ ransomware, data leak ] The DouglasvilleDouglas County Water & Sewer Authority was targeted by the Lynx ransomware group on November 26 2024. Attackers claimed responsibility on a leak site on January 14 2025, later removed. The authority rebuilt and restored its systems with minimal data loss and reported no evidence of customer or employee data theft. Data exfiltration remains unconfirmed.
• University Diagnostic Medical Imaging (UDMI) November 26, 2024 • [ data leak ] On November 26 2024, University Diagnostic Medical Imaging in New York detected unauthorized access to its systems that exposed patient information including names, addresses, dates of birth, referring physicians, and treatment data. The breach affected 138,080 individuals and was disclosed publicly in February 2025.
• Concord Orthopaedics November 21, 2024 • [ data leak, third-party breach ] Vendor breach exposed patient Pii/phi; notifications sent months after discovery.
• Hazleton Anesthesia Services November 21, 2024 • [ data leak ] On Nov 21, 2024, Somnia (management company) identified suspicious activity in its email environment and later confirmed unauthorized access to a limited number of accounts that included Hazleton Anesthesia Services. Review completed Mar 10, 2025; public substitute notice issued Mar 31, 2025. No encryption or operational disruption reported.