The Healthcare Management company recently notified the Department of Health and Human Services (HHS) of a large breach.
What happened
Nice Healthcare has notified the HHS of a data breach, citing that the incident impacted 10,000 individuals. The breach is listed as a “hacking/IT” incident, and little more information has been provided by Nice Healthcare. Nice Healthcare reported the breach on March 10, 2025.
The company has yet to publicly announce the breach on its website or to impacted individuals.
Nice Healthcare works directly with patients, aiming to provide a less complex healthcare experience. The company offers virtual visits in 12 states and home visits in some cities, namely in Minnesota, where the company is based. The company utilizes an app for patients to get started with primary care, mental health care, and physical therapy.
What’s next
For Nice Healthcare, the company is likely currently undergoing an investigation process. Right now, the data stolen or accessed has not been announced, and it’s likely that Nice is still reviewing its files and IT environment to determine what went wrong.
After the investigation is complete, Nice will need to send breach notifications to those impacted. For many organizations, this process can be complicated and time-intensive, as it may require gathering patients’ addresses, which may be especially challenging for their virtual patients.
Once more patients are aware of the breach, it will be up to Nice to regain patient trust and ensure their cybersecurity policies and procedures prevent future attacks.
The big picture
Nice’s Healthcare breach highlights the process organizations undergo after a breach takes place. The process of investigating, updating cybersecurity policies, and notifying patients can be time-consuming, expensive, and challenging–especially for smaller or newer organizations. How these organizations handle breaches can also impact if patients will continue to trust these companies with their data.
So far, Nice is following all legal requirements; organizations must submit a data breach notice involving protected health information (PHI) within 60 days to the HHS. While this notification is required by law, it doesn’t necessarily mean that patients will be informed yet. Once the public is more informed, it will become clearer how this breach will impact Nice.
Related: HIPAA Compliant Email: The Definitive Guide
FAQs
How long do data breach investigations take?
Breach investigations can take anywhere from months to even years to conclude. Most organizations work with a third-party firm to investigate the incident, which may include manually going through files to see who had their data accessed.
How can breaches impact healthcare organizations?
Breaches can be costly for organizations, as they have to pay for third-party firms and any potential penalties. Companies may also have to divert attention from other projects to focus on resolving the breach. If the breach was caused by lax security standards, companies may also need to spend additional money on new software and tools to prevent future breaches.
Abby Grifno
