Email Account Breaches at Two Beacon Health System Business Associates

Beacon Health System, based in South Bend, Indiana, has reported two data breaches at two of its business associates. The non-profit health care system added two breach notices to its website. The notice for the incident at business associate CPS Solutions was posted on March 24, 2025. CPS Solutions provides services that support pharmacy operations.

On December 4, 2025, CPS Solutions discovered the security incident involving unauthorized access to the email account of a CPS Solutions staff member. The security team blocked the attacker from accessing the email account on the same day. According to the forensic investigation, the breach occurred between December 2 and December 4, 2024. The account review confirmed on January 24, 2025, that the account stored the protected health information (PHI) of patients from Three Rivers Health Hospital System in Michigan.

The compromised information included full names, birth dates, medical insurance data, Medicare/Medicaid numbers, and medical data like medical record numbers, provider data, clinical details, prescription data, and/or diagnosis/treatment details. Notification letters were sent to the impacted people on February 10, 2025. The impacted individuals were provided free credit monitoring and identity theft protection services for two years.

Beacon Health System added a second breach notice on its website on March 26, 2025. The breach affected some patients of Elkhart General Hospital in Indiana. This security incident happened at business associate Restorix, which offers hospitals wound care services. Restorix discovered the breach involving a compromised email account on May 30, 2024. The forensic investigation showed that an unauthorized person accessed the account from May 7 to May 29, 2024.

On November 27, 2024, Beacon Health System received information on the compromise of the personal data and protected health information (PHI) of Elkhart General Hospital patients. Exposed data included first and last names, birth dates, driver’s license numbers, government ID numbers, passport numbers, Social Security numbers, medical data, patient ID numbers, prescription details, dates of service, diagnosis/condition/treatment data, medical insurance details, and/or certificate and/or license numbers. Restorix mailed the notification letters to the impacted individuals on December 18, 2024.

Restorix implemented additional cybersecurity protections and updated its HIPAA training for employees to cover cybersecurity measures. The two incidents are not yet posted on the HHS Office for Civil Rights breach portal, so the exact number of affected patients is still unclear.

Image credit: golubovy, AdobeStock


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, in particular healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.