A cyberattack at Pediatric Otolaryngology Head & Neck Surgery Associates has compromised sensitive personal and health information of tens of thousands of patients.
Pediatric Otolaryngology Head & Neck Surgery Associates (POHNS), with multiple Florida locations, reported a data breach to the U.S. Department of Health and Human Services affecting 43,446 individuals. The practice detected unusual activity on its systems on February 24, 2025, and confirmed that hackers had gained unauthorized access between February 19 and February 24. The breach was disclosed publicly on April 25, 2025.
Investigators confirmed that protected health information (PHI) and personally identifiable information (PII) were compromised. The data varied across patients but may have included names, addresses, Social Security numbers, driver’s license details, financial account information, dates of birth, medical diagnoses, treatment information, prescription records, and insurance details.
The breadth of information exposed creates multiple risks, from identity theft to insurance fraud. Notification letters have been mailed to affected individuals, who have been offered complimentary credit monitoring and identity protection services.
The medical group stated that it took immediate action after detecting suspicious activity and is cooperating with federal disclosure requirements. POHNS has urged patients to monitor financial accounts and credit reports, place fraud alerts or freezes if needed, and remain alert for phishing attempts.
Healthcare breaches often involve both medical and financial data, making them more useful for identity theft, insurance fraud, and black-market resale.
Patients are advised to enroll in credit monitoring, review financial and insurance statements for unusual activity, and be cautious of unsolicited requests for personal information.
Under HIPAA, covered entities generally must notify affected individuals without unreasonable delay, and no later than 60 days after discovering a breach.
Yes. Patients may join class action lawsuits or pursue individual claims if they can demonstrate harm resulting from the breach.
Measures include implementing multi-factor authentication, encrypting sensitive data, conducting regular security audits, and training staff to recognize phishing or suspicious activity.