Two ASCs publicly reported data security incidents over the last week.
Covenant Health’s Advanced Family Surgery Center, formally known as Surgery Center of Oak Ridge (Tenn.), LLC, stated that “on or around November 26, 2025,” it “became aware of a network intrusion that affected a limited number of systems” and took “immediate action” to secure its network. After engaging a third-party team of forensic experts to investigate the incident and determine its full nature and scope, AFSC confirmed that a limited amount of protected health information may have been subject to unauthorized access.
“Although the forensic investigation could not rule out the possibility that an unknown actor may have accessed this information, there is no indication whatsoever that any information has been misused at this time,” stated AFSC. “The type of information contained within the affected data included first and last name, in combination with one or more of the following: address, date of birth, date of service, health insurance information, medical diagnosis information, medical record number, Medicare/Medicaid number, patient account number, prescription and treatment information, provider name, and Social Security number. Importantly, the information potentially impacted may vary for each individual, and may include all, or just one of the above-listed types of information.”
AFSC stated that it has “promptly notified potentially affected individuals as quickly as possible via U.S. mail to their most recent address on file,” has implemented “additional security measures within its network and facilities,” and is reviewing its current policies and procedures related to data security.
AFSC encouraged patients to “monitor their account statements and explanation of benefits forms for suspicious activity and to detect errors.” It also stated that patients “may wish to” contact the three major credit agencies to place fraud alerts on their credit reports. AFSC established a toll-free call center (844-784-6193), available 8:00 am to 8:00 pm ET Monday through Friday excluding holidays, to answer questions about the incident and to address related concerns, and published a mailing address through which it can also be contacted by concerned parties.
“The privacy and protection of information is a top priority for us, and we deeply regret any inconvenience or concern this incident may cause,” stated AFSC.
Meanwhile, Northwoods Surgery Center in Virginia, Minn., announced a “data security incident that may have impacted certain protected health information stored on its network.”
On or around September 8, 2025, Northwoods discovered a “network intrusion that impacted certain systems.” It “immediately took steps to secure its network and engaged third-party specialists to assist with determining the full nature and scope of the event.” After it was determined that “a limited amount of information may have been accessed by an unauthorized actor,” the ASC conducted a “comprehensive review of the data in order to determine the types of information contained within the impacted dataset and to whom that information related.”
Within the potentially affected dataset, it stated, were “patient names, addresses, patients’ identification numbers, dates of birth, diagnosis, medical history information, medical record numbers, medical treatment information, treating doctor’s name, medication information, and medical insurance information.”
Northwoods stated that, at this time, it is “not aware of any evidence to suggest that any information has been misused,” but in the interest of diligence, it is providing notice to “potentially affected individuals out of an abundance of caution,” as well as offering “complimentary credit monitoring services to potentially impacted individuals.” The ASC is working with third-party specialists to investigate and implement additional security measures within its network. Although it has “no evidence of actual or attempted misuse of information as a result of this incident,” it is encouraging individuals to monitor their account statements and explanation of benefits forms for “suspicious activity and to detect errors.”
Northwoods established a toll-free call center (833-833-6099), available Monday through Friday from 8:00 am to 8:00 pm ET excluding holidays, to answer questions about the incident and to address related concerns. It has also notified the U.S. Health and Human Services Office for Civil Rights and “any applicable state regulators” of the incident.
“The privacy and protection of information is a top priority for the Center, and the Center deeply regrets any inconvenience or concern this incident may cause,” stated Northwoods.
