Long Island Weight Loss Institute HIPAA Breach Affects 3,426
Long Island Weight Loss Institute Hit by Major HIPAA Data Breach
A significant cybersecurity incident has struck Dr. Michael Kaplan DO PC DBA Long Island Weight Loss Institute, exposing the protected health information (PHI) of 3,426 patients. The breach, reported to the Department of Health and Human Services (HHS) on November 20, 2025, represents another alarming example of healthcare organizations falling victim to cyberattacks.
What Happened
The Long Island Weight Loss Institute experienced a hacking/IT incident that compromised its network server. While specific details about the attack vector remain limited in the HHS Office for Civil Rights (OCR) report, the breach involved unauthorized access to the practice's digital infrastructure where patient data was stored.
Cybercriminals targeted the healthcare provider's network server, gaining access to sensitive patient information maintained by the New York-based weight loss practice. The incident highlights the ongoing vulnerability of healthcare organizations to sophisticated cyber threats, particularly smaller practices that may lack robust cybersecurity infrastructure.
Who Is Affected
The breach impacted 3,426 individuals who received services from the Long Island Weight Loss Institute. Patients affected by this incident likely had their protected health information exposed, which could include:
- Names, addresses, and contact information
- Social Security numbers
- Health insurance information
- Medical record numbers
- Treatment information and medical histories
- Weight loss program details and progress records
- Prescription information
- Payment and billing data
Weight loss patients may be particularly vulnerable because their records often contain detailed personal health information, body measurements, medical conditions, and potentially sensitive psychological evaluations related to their treatment.
Breach Details
The incident occurred at Dr. Michael Kaplan DO PC, which operates as the Long Island Weight Loss Institute. As a healthcare provider entity in New York, the practice is required to comply with HIPAA privacy and security regulations.
Key facts about the breach:
- Entity Type: Healthcare Provider
- Breach Classification: Hacking/IT Incident
- Affected Systems: Network Server
- Scale: 3,426 patients impacted
- Reporting Date: November 20, 2025
The breach adds to the growing list of healthcare cybersecurity incidents on HHS's "Wall of Shame," which publicly reports breaches affecting 500 or more individuals. This incident ranks among the medium-sized breaches reported to OCR, though any breach affecting thousands of patients represents a serious privacy violation.
What This Means for Patients
Patients of the Long Island Weight Loss Institute face several potential risks following this data exposure:
Identity Theft Risk
With personal information potentially compromised, patients may be at increased risk for identity theft, fraudulent credit applications, and unauthorized financial transactions.
Medical Identity Theft
Cybercriminals could use exposed health information to obtain medical services, prescription drugs, or submit false insurance claims in patients' names.
Privacy Concerns
Weight loss treatment information is highly personal. Unauthorized disclosure could cause embarrassment and emotional distress for affected individuals.
Insurance Fraud
Exposed insurance information could be used to submit fraudulent claims or obtain services under patients' coverage.
Affected patients should receive breach notification letters within 60 days of the discovery of the incident, detailing what information was compromised and what steps the practice is taking to address the situation.
How to Protect Yourself
If you're a patient of the Long Island Weight Loss Institute, take these immediate steps:
Monitor Your Accounts
- Review credit reports from all three major bureaus
- Watch for unauthorized transactions on bank and credit card statements
- Check insurance Explanation of Benefits statements for services you didn't receive
Place Fraud Alerts
- Contact credit bureaus to place fraud alerts on your credit files
- Consider a credit freeze for additional protection
- Monitor your credit score for unexpected changes
Watch for Medical Identity Theft
- Review medical records and insurance statements carefully
- Report any unfamiliar medical services or prescriptions
- Contact your insurance company about suspicious claims
Stay Alert for Phishing
- Be cautious of emails or calls requesting personal information
- Verify any communications claiming to be from healthcare providers
- Don't click links in suspicious emails
Prevention Lessons for Healthcare Providers
This breach underscores critical cybersecurity lessons for healthcare practices:
Network Security
Implement robust network security measures including firewalls, intrusion detection systems, and regular security monitoring.
Access Controls
Establish strict user access controls and regularly audit who has access to what patient information.
Employee Training
Provide comprehensive cybersecurity training to all staff members about phishing, social engineering, and safe computing practices.
Regular Updates
Maintain current software patches and security updates across all systems handling PHI.
Risk Assessments
Conduct regular HIPAA risk assessments to identify and address security vulnerabilities before they're exploited.
Incident Response Planning
Develop and test incident response plans to minimize damage and ensure proper breach notification procedures.
Backup and Recovery
Implement secure backup systems and test recovery procedures regularly.
The Long Island Weight Loss Institute breach serves as a stark reminder that no healthcare organization is immune to cyber threats. As cybercriminals increasingly target healthcare data, providers must prioritize cybersecurity investments and HIPAA compliance to protect patient privacy.