Two healthcare organizations have disclosed significant data breaches originating from compromised third-party vendors, highlighting ongoing risks in the healthcare supply chain. Atrium Health Navicent announced it was affected by the January 2025 Oracle Health breach, while Interim HealthCare facilities in Lubbock and Amarillo reported unauthorized access to their vendor Doctor Alliance's systems.

The Oracle Health incident traces back to January 22, 2025, when an attacker gained access to two legacy Cerner servers during a planned migration to Oracle Health's infrastructure. Oracle detected the breach in February 2025, but the complexity of reviewing compromised data delayed notifications for over a year. Atrium Health Navicent only recently learned of its involvement and completed its data review on March 12, 2026.

The Atrium breach exposed comprehensive medical records for patients who received services in the Charlotte, North Carolina area before August 2022 or from Atrium Health Navicent before July 2021. Compromised information includes names, addresses, birth dates, medical record numbers, provider names, diagnoses, medications, test results, and medical images. Social Security numbers were exposed for some individuals. An estimated 2 million people nationwide were affected by the Oracle Health breach across multiple healthcare providers.

Separately, Interim HealthCare of Lubbock and Amarillo reported that unauthorized individuals intermittently accessed Doctor Alliance's web portal between October 31 and November 17, 2025. The breach affected 2,071 patients in Lubbock and 666 in Amarillo. Exposed data included names, birth dates, addresses, diagnoses, treatment plans, medications, and provider information. Interim HealthCare completed its data review on March 18, 2026.

Both organizations are offering affected patients two years of complimentary credit monitoring services. Neither has reported confirmed misuse of the stolen data. The incidents add to growing concerns about healthcare organizations' dependence on third-party vendors and the extended timelines required to assess breach impacts on patient data.

Source: https://www.hipaajournal.com/atrium-health-interim-healthcare-lubbock-amarillo-data-breaches/