The HIPAA News section provides essential updates on current events, legal decisions, and regulatory changes related to HIPAA compliance. This section offers healthcare professionals, business associates, and compliance officers timely reports on major data breaches, government enforcement actions, and new policies that affect the safeguarding of protected health information (PHI).
Henry Ford Health agreed to a settlement to deal with a class action lawsuit associated with the usage of third-party tracking codes on health-related sites. This not-for-profit health system based in Detroit, Michigan, is the second-biggest health system in the state. Allegedly, the company put tracking codes on its website that permitted the collection of … Read more
The University of Rochester has decided to pay $2.85 million to settle all claims associated with using tracking tools on its website and MyChart patient site. Like numerous healthcare organizations, the University of Rochester Medical Center (URMC) installed tracking tools on its website to gather data on the use of its website. Tracking tools, usually … Read more
The LockBit ransomware group became very active, with numerous attacks launched, but it encountered a hacking and data leak incident. An unidentified hacker accessed the control panel employed by the group’s affiliates, left the message “Don’t do crime CRIME is BAD xoxo from Prague,” and included a URL for an SQL database. The database did … Read more
University of Maryland Medical System Corporation and University of Maryland Medical Center (UMMC) are facing a class action lawsuit that was filed by six present and past staff members who stated they were affected by cyber-voyeurism and cyber stalking by an ex-UMMC pharmacist. Six Jane Doe plaintiffs filed the lawsuit individually and on behalf of … Read more
Rite Aid has decided to resolve a class action lawsuit associated with a data breach in June 2024 that affected the personal data including PHI of around 2.2 million individuals. Class members are entitled to claim about $10,000 as a refund for documented expenditures sustained because of the data breach. On June 6, 2024, the … Read more
NorthBay Healthcare Corporation manages two hospitals, namely NorthBay VacaValley Hospital and NorthBay Medical Center, and several primary care areas in California. The healthcare system recently reported a data breach affecting the personal data and protected health information (PHI) of 569,012 individuals. According to the notification submitted to the Maine Attorney General, suspicious activity was discovered … Read more
On January 8, 2025, OCR announced a $337,750 settlement that Florida business associate, USR Holdings, LLC agreed to to resolve alleged multiple HIPAA Security Rule violations. USR Holdings owns and operates primary mental health and substance abuse treatment centers in Florida, Kentucky, and Maryland. As a HIPAA business associate, its Port St. Lucie base offers … Read more
New York healthcare company HealthAlliance encountered a breach of the personal data and protected health information (PHI) of 242,641 New York residents. It was instructed to pay a $550,000 financial penalty and take the appropriate steps to reinforce its data security techniques. The healthcare provider serves patients in Delaware and Ulster counties in New York … Read more
Behavioral healthcare provider Cummins Behavioral Health located in Central and Western Indiana, consented to pay $2.1 million to settle a class action lawsuit filed by people impacted by a data breach in 2023. On March 9, 2023, a threat actor left a ransom note for Cummins Behavioral Health stating that it infiltrated its network and … Read more
Harvard Pilgrim Health Care sent an updated report to the Maine Attorney General regarding the number of affected individuals by its April 2023 ransomware attack. There were 106,601 more individuals affected, bringing the total to 2,967,396. The investigation into the breach is still in progress, and the number of impacted individuals may increase further. The … Read more
Specialty Networks, Inc. based in Chattanooga, TN recently reported a data breach impacting the protected health information (PHI) of 411,037 present and former patients. Specialty Networks provides healthcare facilities with radiology information systems and business management solutions. The company specializes in Picture Archiving and Communication Systems (PACS), a medical imaging technology that facilitates medical image … Read more
Advanced Computer Software Group, an IT and software services company in England, is facing a £6.09 million ($7.74 million) financial penalty because of a ransomware attack in August 2022 that caused problems to healthcare and social care organizations in the United Kingdom. The Information Commissioners Office (ICO), the UK’s data watchdog, looked into the attack … Read more
Over 100 provider groups, including the American Health Information Management Association (AHIMA), College of Healthcare Information Management Executives (CHIME), and American Medical Association (AMA), wrote to HHS Secretary Xavier Becerra and OCR Director Melanie Fontes Rainer to clarify the requirements of HIPAA breach reporting about the Change Healthcare ransomware attack and the way those requirements … Read more
Winter Haven Hospital Patients’ Data Impermissibly Disclosed BayCare’s Winter Haven Hospital based in Florida is notifying patients concerning an email incident that impermissibly disclosed patient information. On March 15, 2024, a worker made an error while sending forms to a patient by attaching a cardiac rehabilitation department file by mistake to the email that included … Read more
OrthoConnecticut Data Breach OrthoConnecticut has announced that the protected health information (PHI) of about 118,000 patients was exposed in an attack. OrthoConnecticut is a multi-specialty orthopedic company located in Danbury, CT that has 9 centers in the area. It recently discovered unauthorized access to its system and upon inquiry by the forensic group, the unauthorized … Read more
13,000 Patients Affected by the Wisconsin Dental Surgery Center Email Breach Bay Oral Surgery & Implant Center (Bay Oral), a network of oral & maxillofacial dental surgery centers established in the Green Bay, Niagara and Marinette communities in Wisconsin, recently sent a data breach report to the HHS’ Office for Civil Rights (OCR) indicating that … Read more
Valley Mountain Regional Center Data Breach On April 19, 2024, Valley Mountain Regional Center based in California reported a data security breach discovered on August 1, 2023. Strange activity was observed inside its system and quick steps were undertaken to protect its systems. The forensic investigation affirmed that unauthorized individuals got access to its system … Read more
The Federal Trade Commission (FTC) has issued a $7.1 million penalty to the mental health startup company Cerebral for consumer privacy violations and deceitful trading tactics. The $7.1 million financial fine settles claims that the mental health telehealth firm and its ex-CEO, Kyle Robertson, committed violations of the privacy of consumers by impermissibly sharing their … Read more
About 60,000 People Impacted by the Ezras Choilim Health Center Cyberattack Ezras Choilim Health Center based in Monroe, NY recently submitted a breach report to the HHS’ Office for Civil Rights indicating that 59,861 individuals’ protected health information (PHI) were affected. The strange activity was noticed inside its system on September 18, 2023. The forensic … Read more
Aveanna Healthcare Encounters a Breach of Email Account Home health and hospice care provider, Aveanna Healthcare located in Atlanta, GA, reported a security breach of its email network and a compromise of the information of 65,482 individuals. The healthcare provider discovered suspicious activity in a worker’s email account on September 22, 2023. The email account … Read more
On March 12, officials and leaders from the White House, UnitedHealth Group, Department of Health and Human Services, and other industry groups got together to discuss the impact of a cyberattack on UnitedHealth Group’s Change Healthcare. This cyberattack caused problems for healthcare services for the last three weeks. They also discussed ways to help patients … Read more
The Department of Health and Human Services’ Office for Civil Rights (OCR) has published upgraded guidance for organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) regarding online tracking technologies. The current guidance is meant to give increased understanding for HIPAA-governed entities on using these technologies. OCR has revised its position on the … Read more
New Guidance on Using Zero Trust to Control Lateral Movement The National Security Agency (NSA) has given guidance on using zero trust security to control lateral movement inside a network in case a threat actor breaks into the firm’s defenses. It was noticed numerous times in the previous year that threat actors have obtained first … Read more
177,000 Patients Affected by Northeast Orthopedics and Sports Medicine Breach Northeast Orthopedics and Sports Medicine based in Nanuet, NY recently reported a cyberattack that impacted 177,276 people and compromised the protected health information (PHI) of 177,101 individuals. Abnormal activity was found in its system on November 22, 2023. The investigation by third-party forensics experts confirmed … Read more
Feds Warns Healthcare Sector Regarding ALPHV/Blackcat Ransomware Group A joint cybersecurity notification was released by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation (FBI) about identified Indicators of Compromise (IoCs) and the newest Tactic, Techniques, and Procedures (TTPs) employed by the ALPHV/Blackcat … Read more
Vulnerabilities discovered in the remote desktop program ConnectWise ScreenConnect are being taken advantage of to have an assortment of various malicious payloads into company environments. ConnectWise first announced the vulnerabilities on February 13, 2024. Then, attacks aimed at the vulnerabilities began one day after the launch of patches. One vulnerability, CVE-2024-1709, is an authentication bypass … Read more
California Attorney General Rob Bonta has declared that a $5 million settlement with Quest Diagnostics has been reached to fix allegations that it is unlawfully dumping hazardous and medical waste materials and disposed of the unredacted personal health information of patients in typical trash dumps. An investigation of the business protocols of Quest Diagnostics was … Read more
Ransomware Attack at Prestige Care Senior care organization Prestige Care, Inc. located in Vancouver, WA recently informed 38,087 individuals about the potential access or theft of some of their personal data and protected health information (PHI) in a ransomware attack that occurred on September 2023. The attack was discovered on September 7, 2023, and the … Read more
Ransom Payments Surpassed $1 Billion in 2023 Chainalysis’ new report showed ransomware attack victims paid $1.1 billion to attackers in 2023 to retrieve the keys to unlock their information and to stop the exposure of stolen data. For the first time in 2023, ransom payments were over $1bn and the yearly total jumped from $567 … Read more
The most recent information from the ransomware remediation company, Coveware, reveals a decline in the number of ransomware attack victims who opt to pay the ransom. At the beginning of 2019, 85% of ransomware attack victims gave ransom payments after an attack. In mid-2021, only 46% percentage paid the ransom. In Q4 of 2023, merely … Read more
Hospital IT Help Desks Attacked in Advanced Payment Fraud Scam American Hospital Association (AHA) reports that cybercriminals are targeting U.S. hospitals in a sophisticated payment fraud scam. The AHA has obtained several reports of scammers calling hospital IT departments to carry out password resets and register new devices to get multifactor authentication (MFA) codes. When … Read more
61,000 ConsensioHealth Patients Affected by Ransomware Attack Medical billing service, ConsensioHealth, based in Wisconsin recently informed 60,871 persons regarding a ransomware attack in July 2023. The attack was detected on July 3, 2023, when employees could not access files on its system. Steps were quickly undertaken to stop the unauthorized access. Third-party cybersecurity professionals helped … Read more
Parathon by JDA eHealth Systems Reports a Cyberattack A revenue cycle management firm, Parathon by JDA eHealth Systems located in Naperville, Illinois, recently sent a notification to the state attorneys general that it encountered a cyberattack last July 27, 2023. In December 22, 2023, it notified the Montana Attorney General that unauthorized persons got access … Read more
Threat Actors Contact Integris Health Patients After Cyberattack Integris Health, the biggest not-for-profit health system owned by Oklahoma, has reported the compromise of its internal systems in a cyberattack. The unauthorized third party acquired patient information during the attack. Integris Health manages 15 hospitals in the state and some specialty clinics, centers of excellence, and … Read more
The following companies have reported data breaches in December 2023: Cardiothoracic and Vascular Surgeons, Erie Family Health Centers, ZOLL Medical Corporation, Health Diagnostic Management, Rush System for Health, and BlueCross BlueShield of Tennesse. Cyberattack on Cardiothoracic and Vascular Surgeons Cardiothoracic and Vascular Surgeons based in Texas learned on October 13, 2023 that an unauthorized individual … Read more