Primary Health Services Center announces breach

The Louisiana-based non-profit healthcare provider recently notified individuals of a data breach. 

What happened

In an online statement, Primary Health Services Center (PHSC) disclosed that a cybersecurity incident impacted its network. The notice did not disclose when the incident occurred nor how many individuals were impacted. PHSC also engaged third-party cybersecurity experts to help assess, contain, and remediate the incident. 

PHSC launched an investigation to determine what information may have been accessed or acquired by the unauthorized party. The investigation is still ongoing. 

Currently, PHSC does not have any evidence to suggest that fraud or identity theft has occurred as a result of the incident, but are still notifying patients out of caution. Patients who have had their personal or protected health information (PHI) involved should begin seeing notices in the mail shortly.  

Going deeper

Although PHSC’s notice was fairly vague, some evidence suggests PHSC was the victim of a ransomware attack. On X, formerly Twitter, Ransom-DB, a ransomware intelligence provider, found that INC Ransom had added PHSC to its list of victims.  INC Ransom added PHSC to its dark web leak site on December 24th, 2024, and appeared to have uploaded the stolen data on January 15th, 2025. Uploading user data, which included employee data and financial information, would suggest that the ransom demanded went unpaid. 

Despite these claims, PHSC has not stated what caused the attack, nor have they posted a notice to the Department of Health and Human Services (HHS).

The big picture

In this situation, information about the data breach is fairly limited, which could lead victims to speculate about what happened to their data. Now, nearly 8 months later, it seems that PHSC is ready to contact victims. While a delayed notification is better than none, it’s possible that victims have already felt the impacts of the incident. The breach is a reminder that just because an individual hasn’t seen a data breach notice does not mean that their data is secure. Individuals should update their contact information and pay attention to notices posted on organizational websites. 

FAQs

How can patients find data breach notices? 

Generally, if a provider has the patient’s address, they will mail a letter. However, in some cases, providers may not have the necessary information, or it may be outdated. For this reason, practices also post their notices online. They can generally be found on the home page of the website, as is the case with PHSC.  

Should organizations provide the HHS with data breach information if the investigation is ongoing?

Organizations should notify the HHS within 60 days if the breach impacted more than 500 individuals. If the organization believes the breach impacted more than 500 people, but doesn’t have the final number, they can still submit a notice and include a placeholder number.