
In recent developments, two specialty healthcare providers—VITAS Hospice Services based in Florida and Tri Century Eye Care from Pennsylvania—have reported data breaches affecting nearly 520,000 individuals. These breaches involved unauthorized access to sensitive health information.
On November 14 and October 31, the organizations reported their incidents to the U.S. Department of Health and Human Services (HHS). VITAS disclosed that approximately 319,177 individuals were impacted, while Tri Century reported a breach affecting 200,000 individuals.
Details on the VITAS Hospice Incident
VITAS Hospice said it identified a compromise on October 24, in which an “unauthorized party” gained access to its systems through a vendor’s account. The investigation determined that the unauthorized access occurred between September 21 and October 27, 2025. During that period, personal details of current and former patients were accessed and potentially downloaded.
Compromised data may include names, addresses, dates of birth, Social Security numbers, and medical information such as diagnoses and treatment details. In response, VITAS is collaborating with a cybersecurity firm to investigate and enhance its vendor oversight and data security protocols. Notably, VITAS reported that it has not seen evidence of misuse of the compromised personal information, and it is offering affected individuals complimentary credit monitoring for 24 months.
Tri Century Eye Care’s Breach Details
On September 3, Tri Century Eye Care detected suspicious activity within its network, leading to an immediate investigation. It was later confirmed that an unknown actor had accessed the network and obtained files containing personal and protected health information of both patients and employees.
While the organization indicated that current electronic medical records were not compromised, the investigation revealed that personal information, including Social Security numbers and medical details, may have been affected. In response to the breach, Tri Century has implemented additional security measures, including more stringent password policies and reduced access permissions.
Both organizations have notified regulatory authorities and law enforcement. The incidents underscore a growing trend of data breaches within the healthcare sector, particularly among specialty providers, as reflected in the HHS Office for Civil Rights’ HIPAA Breach Reporting Tool, which tracks such incidents.
In MITRE ATT&CK terms, these breaches reflect potential tactics such as Initial Access, seen in the VITAS case as entry through a vendor’s account, and Privilege Escalation, pointing to the sophistication required to execute such attacks. As the incidents unfold, both organizations face the critical task of reinforcing their cybersecurity infrastructure to mitigate future risks.