HIPAA News Today

A ransomware attack on revenue cycle management vendor Catalyst RCM exposed electronic protected health information (ePHI) associated with Vikor Scientific and affiliated laboratories and was reported to federal regulators as affecting 139,964 individuals. Incident Overview Vikor Scientific, a molecular diagnostics company based in Charleston, South Carolina that has rebranded as Vanta Diagnostics, disclosed a data … Read more

Comstar LLC agreed to pay $515,000 to resolve allegations by the Massachusetts and Connecticut Attorneys General that the company failed to safeguard sensitive patient medical information in violation of state and federal law. Massachusetts Attorney General Andrea Joy Campbell and Connecticut Attorney General William Tong announced the settlement with Comstar LLC, an ambulance billing vendor … Read more

Behavioral health clinic, Denton County MHMR Center, located in Denton, Texas, recently submitted a data breach report to the Department of Health and Human Services’ Office for Civil Rights (OCR) where an unauthorized party accessed the protected health information (PHI) of 108,967 present and past patients. The clinic discovered unusual activity within its computer system … Read more

TriZetto Provider Solutions, a firm owned by Cognizant, which offers revenue management services to doctors, hospitals, and health networks, began notifying some healthcare clients regarding a recently uncovered cybersecurity incident. On October 2, 2025, TriZetto identified suspicious activity within a web portal utilized by a number of its healthcare organization customers to access TriZetto systems. … Read more

First Choice Dental, which manages 12 dental clinics in Madison and Dane counties in Wisconsin, suffered a ransomware attack on October 22, 2023. The dental care provider decided to resolve the litigation due to the data security breach. First Choice Dental publicized a temporary notice about the breach, informing patients concerning the exposure of their … Read more

Cybersecurity company Black Fog has published its Q3 2025 State of Ransomware Report. According to the report, ransomware attacks are higher by 36% than in the same quarter last year. Every month during the quarter, attacks increased in comparison to the corresponding month in 2024. The worst month was July with 50% more attacks. The … Read more

The Assistant Secretary for Technology Policy (ASTP) and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) have introduced the revised version of the Security Risk Assessment (SRA) Tool. The SRA tool was created to support small to medium-sized healthcare organizations in following the security risk assessment requirements of the HIPAA … Read more

Change Healthcare stated that the number of people impacted by its February 2024 ransomware is a bit more than the 190 million individuals it had earlier estimated. The most recent estimate is currently roughly 192.7 million people. That number may be greater than the real number of impacted people. Though Change Healthcare has tried to … Read more

Henry Ford Health agreed to a settlement to deal with a class action lawsuit associated with the usage of third-party tracking codes on health-related sites. This not-for-profit health system based in Detroit, Michigan, is the second-biggest health system in the state. Allegedly, the company put tracking codes on its website that permitted the collection of … Read more

The University of Rochester has decided to pay $2.85 million to settle all claims associated with using tracking tools on its website and MyChart patient site. Like numerous healthcare organizations, the University of Rochester Medical Center (URMC) installed tracking tools on its website to gather data on the use of its website. Tracking tools, usually … Read more

The LockBit ransomware group became very active, with numerous attacks launched, but it encountered a hacking and data leak incident. An unidentified hacker accessed the control panel employed by the group’s affiliates, left the message “Don’t do crime CRIME is BAD xoxo from Prague,” and included a URL for an SQL database. The database did … Read more

University of Maryland Medical System Corporation and University of Maryland Medical Center (UMMC) are facing a class action lawsuit that was filed by six present and past staff members who stated they were affected by cyber-voyeurism and cyber stalking by an ex-UMMC pharmacist. Six Jane Doe plaintiffs filed the lawsuit individually and on behalf of … Read more

Rite Aid has decided to resolve a class action lawsuit associated with a data breach in June 2024 that affected the personal data including PHI of around 2.2 million individuals. Class members are entitled to claim about $10,000 as a refund for documented expenditures sustained because of the data breach. On June 6, 2024, the … Read more

NorthBay Healthcare Corporation manages two hospitals, namely NorthBay VacaValley Hospital and NorthBay Medical Center, and several primary care areas in California. The healthcare system recently reported a data breach affecting the personal data and protected health information (PHI) of 569,012 individuals. According to the notification submitted to the Maine Attorney General, suspicious activity was discovered … Read more

On January 8, 2025, OCR announced a $337,750 settlement that Florida business associate, USR Holdings, LLC agreed to to resolve alleged multiple HIPAA Security Rule violations. USR Holdings owns and operates primary mental health and substance abuse treatment centers in Florida, Kentucky, and Maryland. As a HIPAA business associate, its Port St. Lucie base offers … Read more

New York healthcare company HealthAlliance encountered a breach of the personal data and protected health information (PHI) of 242,641 New York residents. It was instructed to pay a $550,000 financial penalty and take the appropriate steps to reinforce its data security techniques. The healthcare provider serves patients in Delaware and Ulster counties in New York … Read more

Behavioral healthcare provider Cummins Behavioral Health located in Central and Western Indiana, consented to pay $2.1 million to settle a class action lawsuit filed by people impacted by a data breach in 2023. On March 9, 2023, a threat actor left a ransom note for Cummins Behavioral Health stating that it infiltrated its network and … Read more

Harvard Pilgrim Health Care sent an updated report to the Maine Attorney General regarding the number of affected individuals by its April 2023 ransomware attack. There were 106,601 more individuals affected, bringing the total to 2,967,396. The investigation into the breach is still in progress, and the number of impacted individuals may increase further. The … Read more

Specialty Networks, Inc. based in Chattanooga, TN recently reported a data breach impacting the protected health information (PHI) of 411,037 present and former patients. Specialty Networks provides healthcare facilities with radiology information systems and business management solutions. The company specializes in Picture Archiving and Communication Systems (PACS), a medical imaging technology that facilitates medical image … Read more

Advanced Computer Software Group, an IT and software services company in England, is facing a £6.09 million ($7.74 million) financial penalty because of a ransomware attack in August 2022 that caused problems to healthcare and social care organizations in the United Kingdom. The Information Commissioners Office (ICO), the UK’s data watchdog, looked into the attack … Read more

Rite Aid, the third biggest pharmacy company based in Philadelphia with over 2,000 U.S. stores, reported a cyberattack in June that potentially compromised customer’s protected health information (PHI). The breach investigation and incident response by third-party cybersecurity experts are almost completed. All breached systems were recovered and are 100% operational. The analysis of the compromised … Read more

The Qilin ransomware group responsible for an attack that has upset healthcare services throughout London has added Synnovis, a pathology services provider for NHS hospitals, to its darknet leak site. The ransomware attack at the beginning of June on Synnovis resulted in major interferences to services, particularly blood testing. This latest action of Qilin suggests … Read more

Over 100 provider groups, including the American Health Information Management Association (AHIMA), College of Healthcare Information Management Executives (CHIME), and American Medical Association (AMA), wrote to HHS Secretary Xavier Becerra and OCR Director Melanie Fontes Rainer to clarify the requirements of HIPAA breach reporting about the Change Healthcare ransomware attack and the way those requirements … Read more

Winter Haven Hospital Patients’ Data Impermissibly Disclosed BayCare’s Winter Haven Hospital based in Florida is notifying patients concerning an email incident that impermissibly disclosed patient information. On March 15, 2024, a worker made an error while sending forms to a patient by attaching a cardiac rehabilitation department file by mistake to the email that included … Read more

OrthoConnecticut Data Breach OrthoConnecticut has announced that the protected health information (PHI) of about 118,000 patients was exposed in an attack. OrthoConnecticut is a multi-specialty orthopedic company located in Danbury, CT that has 9 centers in the area. It recently discovered unauthorized access to its system and upon inquiry by the forensic group, the unauthorized … Read more

13,000 Patients Affected by the Wisconsin Dental Surgery Center Email Breach Bay Oral Surgery & Implant Center (Bay Oral), a network of oral & maxillofacial dental surgery centers established in the Green Bay, Niagara and Marinette communities in Wisconsin, recently sent a data breach report to the HHS’ Office for Civil Rights (OCR) indicating that … Read more

Valley Mountain Regional Center Data Breach On April 19, 2024, Valley Mountain Regional Center based in California reported a data security breach discovered on August 1, 2023. Strange activity was observed inside its system and quick steps were undertaken to protect its systems. The forensic investigation affirmed that unauthorized individuals got access to its system … Read more

The Federal Trade Commission (FTC) has issued a $7.1 million penalty to the mental health startup company Cerebral for consumer privacy violations and deceitful trading tactics. The $7.1 million financial fine settles claims that the mental health telehealth firm and its ex-CEO, Kyle Robertson, committed violations of the privacy of consumers by impermissibly sharing their … Read more

About 60,000 People Impacted by the Ezras Choilim Health Center Cyberattack Ezras Choilim Health Center based in Monroe, NY recently submitted a breach report to the HHS’ Office for Civil Rights indicating that 59,861 individuals’ protected health information (PHI) were affected. The strange activity was noticed inside its system on September 18, 2023. The forensic … Read more

Aveanna Healthcare Encounters a Breach of Email Account Home health and hospice care provider, Aveanna Healthcare located in Atlanta, GA, reported a security breach of its email network and a compromise of the information of 65,482 individuals. The healthcare provider discovered suspicious activity in a worker’s email account on September 22, 2023. The email account … Read more

On March 12, officials and leaders from the White House, UnitedHealth Group, Department of Health and Human Services, and other industry groups got together to discuss the impact of a cyberattack on UnitedHealth Group’s Change Healthcare. This cyberattack caused problems for healthcare services for the last three weeks. They also discussed ways to help patients … Read more

The Department of Health and Human Services’ Office for Civil Rights (OCR) has published upgraded guidance for organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) regarding online tracking technologies. The current guidance is meant to give increased understanding for HIPAA-governed entities on using these technologies. OCR has revised its position on the … Read more

New Guidance on Using Zero Trust to Control Lateral Movement The National Security Agency (NSA) has given guidance on using zero trust security to control lateral movement inside a network in case a threat actor breaks into the firm’s defenses. It was noticed numerous times in the previous year that threat actors have obtained first … Read more

177,000 Patients Affected by Northeast Orthopedics and Sports Medicine Breach Northeast Orthopedics and Sports Medicine based in Nanuet, NY recently reported a cyberattack that impacted 177,276 people and compromised the protected health information (PHI) of 177,101 individuals. Abnormal activity was found in its system on November 22, 2023. The investigation by third-party forensics experts confirmed … Read more

Feds Warns Healthcare Sector Regarding ALPHV/Blackcat Ransomware Group A joint cybersecurity notification was released by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation (FBI) about identified Indicators of Compromise (IoCs) and the newest Tactic, Techniques, and Procedures (TTPs) employed by the ALPHV/Blackcat … Read more

Vulnerabilities discovered in the remote desktop program ConnectWise ScreenConnect are being taken advantage of to have an assortment of various malicious payloads into company environments. ConnectWise first announced the vulnerabilities on February 13, 2024. Then, attacks aimed at the vulnerabilities began one day after the launch of patches. One vulnerability, CVE-2024-1709, is an authentication bypass … Read more

2.35M Individuals Impacted by American Vision Partners Breach Medical Management Resource Group, LLC (MMRG), also known as American Vision Partners, has affirmed in a breach notification letter sent to the HHS’ Office for Civil Rights that the protected health information (PHI) of 2,350,236 persons was exposed in a hacking incident. MMRG discovered unauthorized activity in … Read more

California Attorney General Rob Bonta has declared that a $5 million settlement with Quest Diagnostics has been reached to fix allegations that it is unlawfully dumping hazardous and medical waste materials and disposed of the unredacted personal health information of patients in typical trash dumps. An investigation of the business protocols of Quest Diagnostics was … Read more

Ransomware Attack at Prestige Care Senior care organization Prestige Care, Inc. located in Vancouver, WA recently informed 38,087 individuals about the potential access or theft of some of their personal data and protected health information (PHI) in a ransomware attack that occurred on September 2023. The attack was discovered on September 7, 2023, and the … Read more

Ransom Payments Surpassed $1 Billion in 2023 Chainalysis’ new report showed ransomware attack victims paid $1.1 billion to attackers in 2023 to retrieve the keys to unlock their information and to stop the exposure of stolen data. For the first time in 2023, ransom payments were over $1bn and the yearly total jumped from $567 … Read more

The most recent information from the ransomware remediation company, Coveware, reveals a decline in the number of ransomware attack victims who opt to pay the ransom. At the beginning of 2019, 85% of ransomware attack victims gave ransom payments after an attack. In mid-2021, only 46% percentage paid the ransom. In Q4 of 2023, merely … Read more

Hospital IT Help Desks Attacked in Advanced Payment Fraud Scam American Hospital Association (AHA) reports that cybercriminals are targeting U.S. hospitals in a sophisticated payment fraud scam. The AHA has obtained several reports of scammers calling hospital IT departments to carry out password resets and register new devices to get multifactor authentication (MFA) codes. When … Read more

61,000 ConsensioHealth Patients Affected by Ransomware Attack Medical billing service, ConsensioHealth, based in Wisconsin recently informed 60,871 persons regarding a ransomware attack in July 2023. The attack was detected on July 3, 2023, when employees could not access files on its system. Steps were quickly undertaken to stop the unauthorized access. Third-party cybersecurity professionals helped … Read more

Parathon by JDA eHealth Systems Reports a Cyberattack A revenue cycle management firm, Parathon by JDA eHealth Systems located in Naperville, Illinois, recently sent a notification to the state attorneys general that it encountered a cyberattack last July 27, 2023. In December 22, 2023, it notified the Montana Attorney General that unauthorized persons got access … Read more

Threat Actors Contact Integris Health Patients After Cyberattack Integris Health, the biggest not-for-profit health system owned by Oklahoma, has reported the compromise of its internal systems in a cyberattack. The unauthorized third party acquired patient information during the attack. Integris Health manages 15 hospitals in the state and some specialty clinics, centers of excellence, and … Read more

The following companies have reported data breaches in December 2023: Cardiothoracic and Vascular Surgeons, Erie Family Health Centers, ZOLL Medical Corporation, Health Diagnostic Management, Rush System for Health, and BlueCross BlueShield of Tennesse. Cyberattack on Cardiothoracic and Vascular Surgeons Cardiothoracic and Vascular Surgeons based in Texas learned on October 13, 2023 that an unauthorized individual … Read more

The Pediatric Physicians’ Organization at Children (PPOC) encountered a malware attack on February 10, 2020, causing a system outage. 500+ pediatricians, doctor assistants and nurse practitioners were not able to access patient data and consultation calendar. The PPOC is a physician group affiliated with Boston Children’s Hospital. PPOC has approximately 200 servers. The malware attack … Read more