Cabot Medical Center provides notice of a data breach
Abby Grifno
Apr 22, 2025 7:04:41 AM

Cabot Medical Center recently provided a notice of a data breach to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR).
What happened
Cabot Medical Center (CMC) released a notice to the HHS on April 10th, 2025, confirming that the healthcare provider had experienced a data breach.
According to the notice, approximately 21,467 individuals were impacted in what was considered a “hacking/IT incident” on CMC’s network.
Going deeper
In a notice posted online, CMC, an Alabama-based healthcare provider, said they experienced a network disruption on January 26th, 2025, and immediately began investigating the incident. CMC also used a third party to help with the investigation. The investigation determined that certain files may have been accessed or acquired without authorization between January 25th and 26th, 2025.
After the investigation, CMC began a review process that ended in March 2025. The health provider ultimately determined that the impacted data came from current and former patients and may have included names, dates of birth, Social Security numbers, diagnosis or treatment information, and/or other health-related information.
CMC does not believe that its electronic medical records system was impacted. The group has provided notices to all impacted individuals. The health center is recommending individuals review their account statements and credit reports for suspicious activity. CMC is also operating a call center to answer questions about the breach.
The big picture
Throughout the process, CMC has followed all of the requirements laid out by HIPAA, including timely notification. For many breaches, it’s common for organizations to need extended time to investigate the incident and notify patients. Thankfully, CMC’s process was fairly quick and represents a speedy reaction to the attack.
While responding quickly to a breach is imperative, the best strategy is prevention. CMC’s breach was caused by network hacking, which could mean a variety of things. One of the most common attack strategies is through email, when employees open seemingly legitimate emails from malicious actors or emails get intercepted by malicious actors. The best preventative measure is using HIPAA compliant email software, like Paubox.
FAQs
How does a network get hacked?
A network can be breached through a variety of attacks, like phishing, malware, or insider threats.
Does every healthcare organization have to report its data breach to the HHS?
If a covered entity experiences a breach impacting 500 or more individuals, the organization must notify the HHS within 60 calendar days of discovering the breach. If the breach impacts fewer than 500 individuals, the entity must notify the HHS within 60 days of the end of the calendar year in which the breach occurred.