What happened
Heart South Cardiovascular Group disclosed a data breach affecting approximately 46,666 individuals in the United States in what it described as a separate and unrelated incident from its earlier 2024 breach. On or about Nov. 11, 2025, the practice learned that an unauthorized party claimed to possess company data, and it then launched a forensic investigation with external cybersecurity professionals. The investigation did not find evidence of unauthorized network access or data theft, but the organization said the bad actor had recently posted a limited amount of Heart South data on the dark web. On Feb. 12, 2026, the group determined that patient information was stored on the systems affected by the incident. Heart South began notifying consumers electronically on April 6, 2026.
Who is affected
The direct exposure affects patients of Heart South Cardiovascular Group whose protected health information was stored in the affected areas of the organization’s systems. The disclosed information categories associated with the incident include names, Social Security numbers, dates of birth, addresses, government IDs, medical information, and financial information.
Why CISOs should care
This incident matters because it involves patient information in a healthcare environment and because the organization said the issue surfaced through a claim by an unauthorized party and the later appearance of limited Heart South data on the dark web. It also shows how an incident can still create patient-notification and response obligations even where the forensic investigation did not find evidence of unauthorized network access or direct data theft.
3 practical actions
- Scope dark web exposure quickly: Treat claims that company data has been posted online as a serious incident trigger, even if early forensic work does not show traditional unauthorized network access.
- Align patient notification with support services: Make sure affected individuals can be notified promptly and offered identity monitoring, fraud consultation, and identity theft restoration when patient information may be involved.
- Track repeat-incident risk separately: Distinguish clearly between separate incidents over time so leadership, patients, and regulators understand when a new breach is unrelated to an earlier event.
