Excerpt from HIPAA Journal Article, Published on Dec 17, 2025
NS Support LLC, a healthcare provider based in Boise, Idaho, confirmed that a cyberattack exposed sensitive patient data. The incident affected up to 92,845 individuals and was reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). As a result, the organization initiated a formal investigation into the security breach.
The organization identified the breach on May 29, 2025, after security teams noticed unusual network activity. In response, NS Support immediately began an internal review and brought in third – party digital forensic specialists. Following the investigation, experts confirmed that an external actor accessed the network and removed files containing patient data.
The exposed information included patients’ first and last names and medical notes created during physician appointments. Although the breach did not include Social Security numbers or financial data, the exposure of clinical records still poses a serious privacy risk. In many cases, healthcare information remains sensitive long after an incident occurs. NS Support started notifying affected individuals around November 21, 2025. During this process, the company explained the incident and detailed the actions taken to secure its systems. Additionally, NS Support wiped and rebuilt affected servers, strengthened security controls, and reviewed internal data protection policies to limit future risk.
Cybersecurity experts warn that incidents involving PHI can weaken patient trust. For example, attackers may exploit health-related details to carry out targeted social engineering campaigns. At this time, NS Support has found no evidence of data misuse. Nevertheless, experts advise affected individuals to remain alert and regularly review their medical records.
Overall, this incident highlights the growing cyber threats facing healthcare organizations. As attacks continue to rise, threat actors increasingly target medical data due to its high value. Therefore, organizations must maintain strong security controls, continuous monitoring, and tested incident response plans. Equally important, transparent communication and timely regulatory reporting help maintain compliance and public trust.
To delve deeper into this topic, Visit – HIPAA Journal .
