IN August 2025, a data breach at the Colorado Health Network (CHN) was reported after the threat group Cephalus claimed to have obtained 900 GB of data. Although Cephalus vanished shortly after making this claim and did not leak any data publicly, CHN had not reported the incident to the HHS by that time. On June 18, 2026, CHN informed affected individuals of unauthorized access to their systems, which led to the exposure of sensitive personal information, including Social Security numbers and medical details.
However, CHN's notice lacked key details about the breach timeline, the total number of individuals affected, and the response to any ransom demands. The delay in notifying patients has raised concerns about compliance with HIPAA regulations.