Cooper Health System reports data security breach

Camden, New Jersey-based Cooper Health System was informed of a data security incident that could have impacted data belonging to “certain current and former patients.”

In a notice posted on its website, the three-hospital Southern New Jersey health system said that on March 26, 2025, it learned that certain personal, protected health information was “accessed  and acquired” without permission by an unknown actor around May 14, 2024. 

In May 2024, Cooper said that it became aware of abnormal network activity and promptly took steps to secure its systems. 

“We also engaged cybersecurity experts to assist with this process and to conduct an investigation into what happened and determine if any Cooper data was potentially accessed or acquired without authorization,” Cooper said in the notice.

During the investigation, Cooper discovered that certain data stored in its systems was potentially acquired without authorization. 

Cooper said it began a review of the affected data to identify the people and information involved, which concluded on March 26, 2025. It then took steps to notify the individuals who were most likely impacted.  

The potentially affected information included individuals’ names, dates of birth, Social Security numbers, health insurance information, treatment information, medical record numbers and medical history information. 

The company said not all data elements were affected for all individuals.

Cooper stated that it reported the incident to the FBI and took steps to enhance network security and minimize the risk of a similar incident occurring in the future. 

Per the statement, Cooper stated it is not aware of the misuse of potentially affected individuals’ information.

The notice outlines steps individuals can take to protect themselves and their personal information, including advising them to notify their financial institution of any suspicious activity.

Meanwhile, Cooper established a toll-free call center to answer questions about the incident and to address related concerns.  

Call center representatives are available Monday through Friday, 9:00 a.m.–9:00 p.m. ET, excluding holidays, and can be reached at 1-877-623-0094.

THE LARGER TREND

In April, Blue Shield of California notified 4.7 million individuals of a potential data breach after unknowingly sharing patients’ protected health information with Google in 2021.

Blue Shield used Google Analytics to track members’ use of certain Blue Shield websites.

The health insurer stated that the information potentially compromised includes insurance plan names, types and group numbers, as well as personal details such as patient name, gender, location, family size and patient financial responsibility.  

Blue Shield stated that it “severed the connection” to Google Ads and Google Analytics in January 2024, a year before it became aware of the years-long data collection. 

In 2023, Monument and Tempest unknowingly shared users’ personal information with third-party advertisers for several years, according to a data breach notification filed with California’s attorney general. 

In the notice, Monument stated it utilized pixel-tracking technologies from companies such as Meta, Google, Bing and Pinterest “without the appropriate authorization, consent or agreements required by law.” 

The information shared could include name, birth date, email address, phone number, address, insurance member ID, IP address, selected services, assessment or survey responses, appointment information, associated health information and other details. 

Monument told MobiHealthNews that fewer than 100,000 people were affected. In the notification, the company stated that an internal review found data sharing began in January 2020 for Monument members and in November 2017 for Tempest users.

That same year, medical device company Insulet issued a notice of a data breach that may have compromised the protected health information of 29,000 users of its recently recalled Omnipod DASH Insulin Management System.

In April, The HIPAA Journal reported just 58 breaches in March – the lowest total for the month of March since 2022, and a 46% reduction from the 98 breaches reported in March 2023.

Relatedly, the number of individuals affected by healthcare data breaches is also on the decline, falling for the third straight month to just over 1.7 million people, a 23% reduction from February and a 43.8% reduction since January. 

The number of affected individuals in March was 76.2% lower than the monthly average last year. Excluding the Change Healthcare breach – which was an outlier in terms of its size and impact – an average of almost 7.4 million people were affected by healthcare data breaches each month.

Camden, New Jersey-based Cooper Health System was informed of a data security incident that could have impacted data belonging to “certain current and former patients.”

In a notice posted on its website, the three-hospital Southern New Jersey health system said that on March 26, 2025, it learned that certain personal, protected health information was “accessed  and acquired” without permission by an unknown actor around May 14, 2024. 

In May 2024, Cooper said that it became aware of abnormal network activity and promptly took steps to secure its systems. 

“We also engaged cybersecurity experts to assist with this process and to conduct an investigation into what happened and determine if any Cooper data was potentially accessed or acquired without authorization,” Cooper said in the notice.

During the investigation, Cooper discovered that certain data stored in its systems was potentially acquired without authorization. 

Cooper said it began a review of the affected data to identify the people and information involved, which concluded on March 26, 2025. It then took steps to notify the individuals who were most likely impacted.  

The potentially affected information included individuals’ names, dates of birth, Social Security numbers, health insurance information, treatment information, medical record numbers and medical history information. 

The company said not all data elements were affected for all individuals.

Cooper stated that it reported the incident to the FBI and took steps to enhance network security and minimize the risk of a similar incident occurring in the future. 

Per the statement, Cooper stated it is not aware of the misuse of potentially affected individuals’ information.

The notice outlines steps individuals can take to protect themselves and their personal information, including advising them to notify their financial institution of any suspicious activity.

Meanwhile, Cooper established a toll-free call center to answer questions about the incident and to address related concerns.  

Call center representatives are available Monday through Friday, 9:00 a.m.–9:00 p.m. ET, excluding holidays, and can be reached at 1-877-623-0094.

THE LARGER TREND

In April, Blue Shield of California notified 4.7 million individuals of a potential data breach after unknowingly sharing patients’ protected health information with Google in 2021.

Blue Shield used Google Analytics to track members’ use of certain Blue Shield websites.

The health insurer stated that the information potentially compromised includes insurance plan names, types and group numbers, as well as personal details such as patient name, gender, location, family size and patient financial responsibility.  

Blue Shield stated that it “severed the connection” to Google Ads and Google Analytics in January 2024, a year before it became aware of the years-long data collection. 

In 2023, Monument and Tempest unknowingly shared users’ personal information with third-party advertisers for several years, according to a data breach notification filed with California’s attorney general. 

In the notice, Monument stated it utilized pixel-tracking technologies from companies such as Meta, Google, Bing and Pinterest “without the appropriate authorization, consent or agreements required by law.” 

The information shared could include name, birth date, email address, phone number, address, insurance member ID, IP address, selected services, assessment or survey responses, appointment information, associated health information and other details. 

Monument told MobiHealthNews that fewer than 100,000 people were affected. In the notification, the company stated that an internal review found data sharing began in January 2020 for Monument members and in November 2017 for Tempest users.

That same year, medical device company Insulet issued a notice of a data breach that may have compromised the protected health information of 29,000 users of its recently recalled Omnipod DASH Insulin Management System.

In April, The HIPAA Journal reported just 58 breaches in March – the lowest total for the month of March since 2022, and a 46% reduction from the 98 breaches reported in March 2023.

Relatedly, the number of individuals affected by healthcare data breaches is also on the decline, falling for the third straight month to just over 1.7 million people, a 23% reduction from February and a 43.8% reduction since January. 

The number of affected individuals in March was 76.2% lower than the monthly average last year. Excluding the Change Healthcare breach – which was an outlier in terms of its size and impact – an average of almost 7.4 million people were affected by healthcare data breaches each month.