
Pinnacle Holdings notifies multiple covered entities of 2024 breach


A VPN vulnerability gave attackers access to a healthcare consulting company's network for two weeks in November 2024, exposing patient data across multiple health systems that did not receive notification until late 2025 or early 2026.


What happened

Pinnacle Holdings, a Colorado-based healthcare consulting firm operating across 20 states, has notified multiple covered entity clients that an unauthorized actor accessed its network between November 11 and November 25, 2024, by exploiting a vulnerability in a VPN. According to HAP Michigan's breach disclosure, a primary source published by one of the affected health plans, the attacker copied data from Pinnacle's network but did not encrypt systems, allowing Pinnacle to continue operations. The breach exposed a broad range of protected health information (PHI) and personally identifiable information depending on each individual's relationship with Pinnacle's clients, including names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, prescription details, Medicare and Medicaid numbers, health insurance policy and claim numbers, and treatment cost information. Providence St. Joseph Orange in California reported to the HHS Office for Civil Rights on February 27, 2026, that 11,329 of its patients were affected, having received notification from Pinnacle on December 30, 2025, more than 13 months after the breach occurred.


Going deeper

Pinnacle provides compensation valuation, revenue cycle solutions, compliance consulting, transaction support, and cost reduction services to hospitals, medical practices, ambulatory surgery centers, private equity firms, and law firms. The breadth of its client base means a single network intrusion can expose patient data from multiple covered entities simultaneously, with each downstream organization relying on Pinnacle's own investigation timeline before it can assess its own exposure. The Providence St. Joseph Orange timeline illustrates that gap directly: the breach occurred in November 2024, Pinnacle notified Providence in December 2025, and Providence filed with HHS in February 2026. Patients at Providence had no formal notification for well over a year after their data was potentially accessed. HAP Michigan's disclosure confirms that the attacker exploited a VPN vulnerability to gain initial access, a common entry point for network intrusions because VPN gateways sit on the internet by design. The practical controls are prompt patching of the VPN appliance, multi-factor authentication on VPN logins, network segmentation so that a VPN session cannot reach every internal file share, and monitoring of VPN authentication and session activity for new source addresses, off-hours logins, and transfer volumes well above an account's normal pattern.


What was said

In its breach notice, HAP Michigan stated that Pinnacle's investigation determined that between November 11 and November 25, 2024, "An individual accessed a limited portion of their network by exploiting a vulnerability in a VPN. The individual did not encrypt Pinnacle Holdings' data, and Pinnacle Holdings was able to continue operations; however, the individual copied certain information from Pinnacle Holdings' network." Pinnacle confirmed it launched an investigation immediately upon discovering the disruption on November 25, 2024, and subsequently began a review to identify affected individuals and notify downstream clients.


In the know

The Pinnacle breach is one of several vendor-originating incidents that have expanded healthcare's third-party exposure picture in 2025 and 2026. According to Paubox's Top 3 Healthcare Email Attacks report, 28 percent of all email-related healthcare breaches in 2025 involved a business associate or vendor, with third-party breach sizes typically larger and more expensive than direct organizational incidents. The Pinnacle case extends that pattern beyond email: a single consulting firm breach propagated across at least six covered entities, each of which faced its own notification timeline, regulatory filing obligations, and patient exposure window independent of anything their own security controls could have detected or prevented.


The big picture

The most consequential detail in the Pinnacle breach is not the data categories exposed but the notification timeline. Patients whose information was accessed in November 2024 did not receive formal notice until 2026 in some cases, a gap driven entirely by the pace of the vendor's investigation and its downstream notification to covered entity clients. HIPAA's Breach Notification Rule places the 60-day notification clock on covered entities from the point of discovery, but when the breach occurs at a business associate, the covered entity in practice cannot begin that clock until the business associate notifies it. A 13-month vendor notification delay means the covered entity's HIPAA timeline did not even start until well after patients had spent more than a year unaware of their exposure. Under HIPAA itself, a covered entity has no mechanism to accelerate a vendor's internal investigation or compel faster notification; the only lever is the business associate agreement, which can impose a shorter contractual deadline than the regulatory maximum.


FAQs

Why did patients receive notification more than a year after the breach occurred?

Pinnacle's own investigation and file review determined who was affected and which covered entity clients needed to be notified. Until Pinnacle completed that process and notified each client, those organizations could not begin their own regulatory notification timelines. The 13-month gap between the November 2024 breach and December 2025 notification reflects the vendor's investigation pace rather than any delay by the covered entities themselves.


How does a VPN vulnerability allow attackers to access a network without deploying ransomware?

A VPN vulnerability can let an attacker bypass or hijack authentication and land on the internal network as what looks like an ordinary remote user, then browse file shares and copy data without ever running the mass-encryption activity that typically alerts an organization to a ransomware attack. Exfiltration through a legitimate-appearing VPN session blends into normal remote-access traffic, especially when the attacker paces the transfer, so the signals that remain are subtler: logins from a source address the account has never used, sessions starting outside business hours, and a volume of data sent to the client far above that account's baseline. Those are the fields worth baselining and alerting on in VPN session logs, since none of them require the attacker to make the noise that encryption does.
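To make that monitoring point concrete, the following Python script is an added example written for this article; it is not code from Pinnacle Holdings, HAP Michigan, or any VPN vendor. It assumes a VPN gateway that exports one accounting record per completed session in a simple CSV shape (the field names, the business-hours window of 07:00 to 19:00 UTC, the baseline cutoff date, the scoring weights, and every sample row are constructed for this example). Each session after the baseline window is scored on the three signals described above, and an account with no baseline at all is treated as its own signal, since an attacker may use a newly created or rarely used account.

```python
"""Score VPN session records for exfiltration-shaped behaviour (added example)."""
import csv
import io
from datetime import datetime, timezone
from statistics import median

# Constructed sample records, not real gateway logs. Fields: session start (UTC),
# account, client source IP, session length in seconds, bytes the gateway sent to
# the client (the exfiltration direction), bytes received from the client.
SAMPLE_LOG = """\
start,user,src_ip,duration_s,bytes_to_client,bytes_from_client
2024-11-01T08:05:11Z,jdoe,203.0.113.17,30600,180000000,42000000
2024-11-04T08:12:03Z,jdoe,203.0.113.17,28800,210000000,51000000
2024-11-05T07:58:40Z,jdoe,203.0.113.17,31000,150000000,39000000
2024-11-06T08:20:15Z,jdoe,203.0.113.17,29500,240000000,60000000
2024-11-07T08:03:27Z,jdoe,203.0.113.17,30100,190000000,44000000
2024-11-01T09:15:00Z,asmith,198.51.100.8,25000,95000000,30000000
2024-11-04T09:02:10Z,asmith,198.51.100.8,26000,120000000,33000000
2024-11-05T09:10:44Z,asmith,198.51.100.8,24500,80000000,28000000
2024-11-07T09:00:05Z,asmith,198.51.100.8,25500,110000000,31000000
2024-11-11T08:01:19Z,jdoe,203.0.113.17,29000,200000000,47000000
2024-11-12T02:14:36Z,jdoe,198.51.100.77,41000,9400000000,12000000
2024-11-13T09:05:02Z,asmith,192.0.2.150,25000,105000000,29000000
2024-11-14T22:40:11Z,jdoe,203.0.113.17,3600,60000000,9000000
2024-11-15T03:30:00Z,tmp_admin,198.51.100.77,7200,3100000000,5000000
"""

# Assumed tuning values; a real deployment would derive these from its own data.
BASELINE_CUTOFF = datetime(2024, 11, 11, tzinfo=timezone.utc)  # sessions before this are "known good"
BUSINESS_START, BUSINESS_END = 7, 19   # assumed business hours, UTC
VOLUME_RATIO = 10.0                    # bytes_to_client must exceed 10x the baseline median
ALERT_THRESHOLD = 3                    # score at or above this raises an alert


def parse_log(text):
    """Parse the CSV export into session dicts with typed fields."""
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        sessions.append({
            "start": datetime.fromisoformat(row["start"].replace("Z", "+00:00")),
            "user": row["user"],
            "src_ip": row["src_ip"],
            "duration_s": int(row["duration_s"]),
            "bytes_to_client": int(row["bytes_to_client"]),
            "bytes_from_client": int(row["bytes_from_client"]),
        })
    return sessions


def build_baseline(sessions, cutoff):
    """Per-account set of known source IPs and median bytes_to_client from pre-cutoff sessions."""
    per_user, all_volumes = {}, []
    for s in sessions:
        if s["start"] >= cutoff:
            continue
        u = per_user.setdefault(s["user"], {"ips": set(), "volumes": []})
        u["ips"].add(s["src_ip"])
        u["volumes"].append(s["bytes_to_client"])
        all_volumes.append(s["bytes_to_client"])
    return {
        "users": {user: {"ips": d["ips"], "median": median(d["volumes"])} for user, d in per_user.items()},
        # Fallback reference for accounts that have no history of their own.
        "global_median": median(all_volumes) if all_volumes else None,
    }


def score_session(session, baseline):
    """Return (score, reasons) for one session; higher score means more exfiltration-like."""
    score, reasons = 0, []
    user = baseline["users"].get(session["user"])
    if user is None:
        score += 1
        reasons.append("no baseline for account")
        reference = baseline["global_median"]
    else:
        reference = user["median"]
        if session["src_ip"] not in user["ips"]:
            score += 1
            reasons.append(f"new source IP {session['src_ip']}")
    hour = session["start"].hour
    if not (BUSINESS_START <= hour < BUSINESS_END):
        score += 1
        reasons.append(f"off-hours start {hour:02d}:00 UTC")
    if reference:
        ratio = session["bytes_to_client"] / reference
        if ratio >= VOLUME_RATIO:
            score += 2  # volume is the strongest single signal, so it carries more weight
            reasons.append(f"{ratio:.0f}x baseline bytes to client")
    return score, reasons


def find_suspicious(text, cutoff=BASELINE_CUTOFF, threshold=ALERT_THRESHOLD):
    """Score every post-cutoff session and return those at or above the alert threshold."""
    sessions = parse_log(text)
    baseline = build_baseline(sessions, cutoff)
    alerts = []
    for s in sessions:
        if s["start"] < cutoff:
            continue
        score, reasons = score_session(s, baseline)
        if score >= threshold:
            alerts.append({"user": s["user"], "start": s["start"].isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(f"{alert['start']} {alert['user']} score={alert['score']}: {'; '.join(alert['reasons'])}")
```

On the constructed data the 9.4 GB off-hours session from a never-seen address is flagged, as is the unknown `tmp_admin` account, while an ordinary user who simply connects from a new home address at a normal volume scores one point and stays below the threshold. The weighting is deliberate: a new IP or an odd hour alone is routine, and it is the combination with volume far outside the account's history that resembles the copy-and-leave pattern described in the HAP Michigan notice.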


What obligations does a business associate have under HIPAA when it discovers a breach?

Under HIPAA's Breach Notification Rule, a business associate must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovering the breach. The 60-day limit runs from discovery of the breach itself, not from completion of the business associate's review of which individuals were affected. The covered entity then has 60 days from receiving that notification to notify affected individuals and HHS. A 13-month notification delay by the business associate would likely be considered an unreasonable delay under the rule.


What can covered entities do to reduce the risk of delayed vendor notifications?

Business associate agreements can include contractual breach notification timelines shorter than HIPAA's 60-day maximum, requiring notification within 24 to 72 hours of discovery. Covered entities can also include audit rights in agreements that allow them to request security incident logs from vendors, and establish regular check-in processes with high-risk vendors handling large volumes of PHI.


Why does a consulting firm's breach carry particular risk compared to a standard vendor breach?

Healthcare consulting firms handle data from multiple covered entity clients simultaneously as part of their core services. A breach at one consulting firm can therefore expose patient data from many organizations at once, and the consulting firm's own investigation must assess each client relationship separately before notifications can be issued, extending the timeline for every affected downstream organization.
