Academic Urology & Urogynecology of Arizona faces 73K data breach

The breach is already being investigated by multiple legal firms.

 

What happened

Academic Urology and Urogynecology of Arizona (AUUA) recently notified the public of a data breach impacting 73,281 individuals, according to the Attorney General of Maine.

According to the data breach notice, posted on AUUA’s website, the breach took place between May 18th, 2025, and May 22nd, 2025, but was only discovered on January 30th, 2026. Letters to impacted individuals were sent on February 12th, 2026. The breach has not yet been reported to the Department of Health and Human Services.

 

Going deeper

After discovering the breach, AUUA enlisted the help of cybersecurity experts, who assisted in an “extensive forensic investigation.” Digital forensics is a common procedure after a breach, in which cybersecurity experts (often from companies like Mandiant or Kroll) recover data relating to an attack. The process is used in part to determine how the attack took place, such as what the vulnerability was, and also to retrieve data if it was encrypted.

The forensic team determined that the following information from certain patients had been accessed: names, dates of birth, Social Security numbers, diagnosis and treatment information, and health insurance information. Financial information, like account numbers and account types, was also part of the breach.

 

Why it matters

Currently, AUUA has no evidence that fraud or identity theft has taken place, but having medical and financial data stolen increases the risk. According to the Federal Trade Commission, individuals can create whole identities based on stolen data. When it comes to healthcare, criminals have also been “known to use stolen data to get medical care or prescription drugs in someone else’s name.” When financial data is taken, the risk of fraud can also increase.

When theft or fraud victimizes a patient, the victim isn’t the only one who suffers. The financial cost faced by the victim is often passed on to the healthcare company via class action lawsuits. Settlement costs can increase when more victims face actual problems as a result of the breach, rather than just the “risk” of fraud or identity theft.

 

The big picture

According to Paubox reports, data breach costs now average $11 million, which includes costs from lawsuits, fines, and patching any vulnerabilities. While no lawsuit against AUUA has materialized, multiple firms are investigating the incident and it’s likely that one will develop in the coming months.

 

FAQs

What caused the data breach at AUUA?

AUUA has not provided specifics, but reported to the Maine Attorney General that the incident was a hacking incident, leaving room for the possibility that AUUA faced a ransomware attack.

 

Why did it take so long for AUUA to discover the breach?

Hackers can be savvy about covering their tracks, often avoiding any disruptive or noticeable actions until they have successfully stolen data. Careful monitoring and auditing would likely have made it easier for AUUA to discover the breach.

 

Why hasn’t the breach been reported to the Department of Health and Human Services?

While this breach should be reported to HHS, some organizations wait until their investigation is complete or the issue is fully resolved. AUUA may not want to disclose some information if it could impede parts of the investigation that are ongoing.
