Center for Neuropsychology HIPAA Breach Exposes 3,722 Patients
Center for Neuropsychology and Learning HIPAA Breach: 3,722 Michigan Patients Affected
The Center for Neuropsychology and Learning, PC, a Michigan-based healthcare provider, has been added to the Department of Health and Human Services (HHS) Wall of Shame following a significant cybersecurity incident that compromised the protected health information (PHI) of 3,722 patients. This latest breach, reported on January 9, 2026, serves as another stark reminder of the cybersecurity challenges facing healthcare organizations of all sizes.
What Happened
The Center for Neuropsychology and Learning, PC experienced a network server breach that resulted in unauthorized access to sensitive patient information. The incident was classified as a hacking/IT incident, indicating that cybercriminals successfully penetrated the organization's digital infrastructure.
While specific details about the attack vector remain limited in the public disclosure, the breach occurred on the healthcare provider's network server, suggesting that hackers gained access to centralized systems containing substantial amounts of patient data. The organization discovered the incident and reported it to HHS within the required 60-day timeframe, with the breach appearing on the Wall of Shame in early 2026.
Who Is Affected
The breach impacted 3,722 individuals who received services from The Center for Neuropsychology and Learning, PC. This Michigan-based practice specializes in neuropsychological assessments and learning-related services, meaning the affected patients likely sought care for conditions including:
- Learning disabilities and developmental disorders
- Cognitive assessments following brain injuries
- Attention-deficit/hyperactivity disorder (ADHD) evaluations
- Memory and cognitive functioning assessments
- Psychological testing and evaluations
Given the specialized nature of neuropsychological services, the compromised information potentially includes highly sensitive mental health records, cognitive assessment results, and detailed psychological evaluations.
Breach Details
This incident represents a significant cybersecurity failure affecting nearly 4,000 patients. Key details include:
- Breach Classification: Hacking/IT Incident
- Location: Network Server
- Timeline: Reported January 9, 2026
- Affected Population: 3,722 individuals
- Geographic Impact: Michigan residents and potentially patients from surrounding areas
The breach occurred on network servers, indicating that cybercriminals potentially accessed centralized databases containing extensive patient records. This type of breach is particularly concerning because network servers typically house comprehensive patient information spanning multiple years of treatment records.
What This Means for Patients
Patients affected by this breach face several potential risks and consequences:
Identity Theft Risk: Compromised PHI often includes Social Security numbers, addresses, dates of birth, and insurance information that criminals can use for identity theft.
Medical Identity Theft: Fraudsters may use stolen health information to obtain medical services, prescription drugs, or file fraudulent insurance claims.
Privacy Concerns: Neuropsychological records contain particularly sensitive mental health information that patients may not want disclosed publicly.
Financial Impact: Patients may face costs associated with credit monitoring, identity theft resolution, and potential fraudulent charges.
Discrimination Risk: Mental health information could potentially be used for employment or insurance discrimination if it falls into the wrong hands.
Affected patients should receive notification letters from The Center for Neuropsychology and Learning, PC detailing what information was compromised and what steps the organization is taking to address the incident.
How to Protect Yourself
If you're a patient of The Center for Neuropsychology and Learning, PC, or any healthcare provider that has experienced a data breach, take these protective steps:
Monitor Your Accounts: Regularly review bank statements, credit card bills, and insurance explanation of benefits for unauthorized activity.
Check Your Credit Reports: Obtain free credit reports from all three major bureaus and look for suspicious accounts or inquiries.
Consider Credit Freezes: Place security freezes on your credit files to prevent new accounts from being opened without your permission.
Watch for Phishing: Be alert for emails, calls, or texts attempting to use your personal information for fraudulent purposes.
Document Everything: Keep records of all breach-related communications and any suspicious activity you discover.
Stay Informed: Monitor news about the breach and follow guidance from the healthcare provider and regulatory authorities.
Prevention Lessons for Healthcare Providers
This breach highlights critical cybersecurity vulnerabilities that healthcare organizations must address:
Network Security: Implement robust firewalls, intrusion detection systems, and network monitoring to prevent unauthorized access.
Access Controls: Establish strict user authentication protocols and limit access to PHI based on job responsibilities.
Regular Security Assessments: Conduct frequent vulnerability scans and penetration testing to identify potential weaknesses.
Employee Training: Provide comprehensive cybersecurity training to help staff recognize and prevent phishing attempts and other social engineering tactics.
Incident Response Planning: Develop and regularly test comprehensive breach response procedures to minimize damage when incidents occur.
Data Encryption: Encrypt PHI both in transit and at rest to protect information even if systems are compromised.
Vendor Management: Carefully vet and monitor third-party vendors who have access to patient information.
The Center for Neuropsychology and Learning breach demonstrates that cybercriminals continue targeting healthcare organizations of all sizes. With 3,722 patients affected, this incident ranks among the more significant breaches reported to HHS, emphasizing the need for healthcare providers to prioritize cybersecurity investments and HIPAA compliance.
As healthcare digitization continues to expand, organizations must balance accessibility and efficiency with robust security measures. Prevention invariably proves less expensive than the consequences of a major data breach, which can include regulatory fines, legal costs, reputation damage, and, most importantly, harm to patient trust.