James Keogh

Six Democratic senators have formally asked Labor Secretary Lori Chavez-DeRemer to explain reported reductions in Occupational Safety and Health Administration inspections, citations, and penalty assessments during 2025. Letter And Request For Information The senators sent a letter seeking answers about an apparent rollback of workplace safety enforcement and reduced oversight by the Department of Labor. … Read more

Facebook is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Facebook does not sign a HIPAA Business Associate Agreement and its services, including Facebook Messenger, are not intended to be used to create, receive, maintain, or transmit protected health information on behalf of regulated healthcare organizations. HIPAA requires a written HIPAA Business … Read more

Microsoft Defender for Endpoint can support HIPAA compliance when it is implemented within a HIPAA-governed security program, used under Microsoft’s HIPAA Business Associate Agreement for applicable Microsoft online services, and configured and operated to meet HIPAA Security Rule administrative, physical, and technical safeguard requirements for systems that create, receive, maintain, or transmit electronic protected health … Read more

Identity and access management systems that provide single sign-on and multi-factor authentication are not inherently “HIPAA compliant” products, but they can support HIPAA compliance when implemented and configured to meet HIPAA Security Rule and HIPAA Privacy Rule requirements, and when the vendor signs a HIPAA Business Associate agreement if the service creates, receives, maintains, or … Read more

An EHR is HIPAA compliant only when the EHR system supports compliance with the HIPAA Security Rule and the HIPAA Privacy Rule through appropriate administrative, physical, and technical safeguards, the Covered Entity or Business Associate configures and uses the EHR to protect electronic protected health information, and the EHR vendor and any connected service providers … Read more

Google Chrome is not HIPAA compliant as a standalone product, and its use in a HIPAA regulated environment is limited to serving as a managed user agent for accessing systems that are configured for HIPAA compliance and governed by a signed HIPAA Business Associate agreement where applicable. HIPAA applies to covered entities and business associates, … Read more

Salesforce Marketing Cloud is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Salesforce Marketing Cloud is not offered as a HIPAA-covered service for electronic protected health information and a HIPAA Business Associate Agreement is not available for Salesforce Marketing Cloud use involving protected health information. HIPAA compliance for a cloud service depends … Read more

Endpoint encryption tools are HIPAA compliant when they are implemented as part of an organization’s HIPAA Security Rule risk management program to protect electronic protected health information stored on or accessed by endpoints, encryption keys are managed and access is controlled, and any vendor that creates, receives, maintains, or transmits protected health information on behalf … Read more

Claims submission and clearinghouse tools are HIPAA compliant when their use, configuration, and vendor obligations support permitted claims processing activities and meet applicable requirements under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, including execution of a HIPAA Business Associate Agreement when the vendor creates, receives, maintains, or transmits protected health … Read more

Venmo is not a HIPAA compliant platform for transmitting protected health information and it does not offer a Business Associate Agreement, but a covered entity may accept a patient-initiated payment through Venmo when use is limited to payment processing and no protected health information is created, received, maintained, or transmitted through the service. The HIPAA … Read more

A recent study regarding cybersecurity insiders showed that many college students tend to be happy to break the HIPAA Rules. If paid the right price to do so, they are willing to steal and disclose patient information. The right price ranged from $10,000 to over $10 million. Professor Lawrence Sanders of the University of Buffalo, … Read more

Yesware is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Yesware does not offer a HIPAA Business Associate Agreement and the platform’s email productivity and tracking functions can create, receive, maintain, or transmit electronic protected health information outside controls required by the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification … Read more

A new GuidePoint Security report reveals the growing threat of ransomware attacks as 2025 is documented as the most active year since the cybersecurity firm began its reports. Victims increased by 58% year-over-year with 2,287 unique victims in Q4 of 2025 alone. The GuidePoint Research and Intelligence Team (GRIT) reported December as the most active … Read more

Microsoft OneNote can be used in a HIPAA-compliant manner only when a HIPAA Covered Entity or Business Associate uses it under a Microsoft 365 plan that supports HIPAA compliance, has Microsoft’s HIPAA Business Associate Agreement in place for the in-scope services that store or transmit electronic protected health information, configures those services to meet HIPAA … Read more

Telephone triage software is HIPAA compliant when triage calls and related documentation use permitted treatment communications under the HIPAA Privacy Rule, any electronic protected health information created by voice platforms, recordings, call logs, triage notes, and messaging features is protected with safeguards that meet the HIPAA Security Rule, breach response processes meet the HIPAA Breach … Read more

Document scanning software is HIPAA compliant when scanning, optical character recognition, storage, transmission, and user access workflows protect any protected health information under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, and when the vendor signs a HIPAA Business Associate Agreement for any service in which the vendor creates, receives, maintains, … Read more

E-prescribing software is HIPAA compliant only when the software and its supporting services protect electronic protected health information under the HIPAA Security Rule, e-prescribing workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the e-prescribing vendor and any connected service providers that create, receive, maintain, or transmit … Read more

Campaign Monitor is not HIPAA compliant for uses that involve protected health information because it does not offer a Business Associate Agreement for HIPAA Covered Entities or Business Associates, so it should not be used to create, receive, maintain, or transmit protected health information in email marketing or related email automation. A Business Associate Agreement … Read more

A federal judge approved the settlement of a combined class action lawsuit for $1 million that was filed against Community First Medical Center, doing business as Community First Medical Center. The Chicago, IL, medical center encountered unauthorized third-party access to its network on July 12, 2023, resulting in a data breach. Files that contain the … Read more

Microsoft Word can be used in a HIPAA-compliant manner only when it is deployed under a qualifying Microsoft 365 or Office 365 subscription that is covered by Microsoft’s HIPAA Business Associate Agreement, configured to meet HIPAA Security Rule administrative, physical, and technical safeguard requirements, and used under workforce policies that prevent impermissible uses and disclosures … Read more

Alta is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Alta does not offer a HIPAA Business Associate Agreement and the service is not represented as supporting HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements for electronic protected health information. HIPAA requires a HIPAA Business Associate Agreement when … Read more

On December 10, 2020, OCR published a Notice of Proposed Rulemaking that specified the HIPAA improvements to the Privacy Rule according to replies to its December 2018 RFI. The suggested modifications are minimal and do not include the changes in the HIPAA Privacy Rule that healthcare sector stakeholders are lobbying for. The majority of the … Read more

Website contact forms are HIPAA compliant only when they are designed to prevent impermissible disclosures of protected health information and, when the form transmits or stores protected health information, the form platform, hosting provider, and any connected services sign a HIPAA Business Associate agreement and operate with HIPAA Security Rule safeguards for access control, audit … Read more

Selection criteria for HIPAA training should require content created and maintained by HIPAA subject matter experts, current update controls, an employee-focused curriculum that teaches the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule through realistic scenarios, strong administrator oversight and audit-ready documentation, targeted coverage of social media and artificial intelligence risks, flexibility … Read more

Apple Invites is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Apple does not offer a HIPAA Business Associate Agreement for Apple Invites and the service is not provided as a HIPAA-eligible platform for creating, receiving, maintaining, or transmitting electronic protected health information. HIPAA requires a written HIPAA Business Associate Agreement when … Read more

Rural hospital, Memorial Hospital and Manor, in Bainbridge, Georgia, consented to settle a class action litigation involving a ransomware attack and data breach in November 2024. The hospital noticed the cyberattack on November 2, 2024 after its EMR system, website, and email became unavailable. On November 3, 2024, Memorial Hospital and Manor notified patients about … Read more

Patient outcomes tools are not HIPAA compliant by product label, but they can be used in a HIPAA-compliant manner when the tool and connected services handle protected health information under a signed HIPAA Business Associate agreement and the implementation meets HIPAA Security Rule safeguards for access control, audit controls, integrity, person or entity authentication, and … Read more

Non-profit health system, MedStar Health, manages 10 hospitals around the Baltimore-Washington metro region. On October 4, 2025, it discovered a cyberattack and data breach. The forensic investigation revealed that an unauthorized third party acquired access to part of its internal systems that stored patient information from September 12, 2025 to September 16, 2025. MedStar Health … Read more

Secure file transfer software using Secure File Transfer Protocol or managed file transfer is HIPAA compliant when the implementation protects electronic protected health information with safeguards required by the HIPAA Security Rule, limits uses and disclosures under the HIPAA Privacy Rule, supports breach response obligations under the HIPAA Breach Notification Rule, and includes a signed … Read more

Campaigner is not HIPAA compliant for any use that involves protected health information because it does not sign a Business Associate Agreement with HIPAA Covered Entities or Business Associates, so it should not be used to create, receive, maintain, or transmit protected health information in email marketing, automated messaging, or related contact management. A Business … Read more

Patch management software is not HIPAA compliant by product label, but it can support HIPAA compliance when it is implemented as part of a documented patch management program that meets HIPAA Security Rule administrative and technical safeguard requirements for risk analysis, risk management, system maintenance, protection from malicious software, audit controls, and access control, and … Read more

Mirion Medical identified five high-severity vulnerabilities in its EC2 Software NMIS BioDose software and issued patches to correct the problem. An attacker can successfully exploit the vulnerabilities to get unauthorized access to the software, alter program executables, obtain sensitive data, and possibly execute code remotely. HIPAA-compliant Healthcare providers use the Mirion Medical EC2 Software NMIS … Read more

Microsoft Authenticator can support HIPAA compliance when it is used with Microsoft Entra ID under an eligible Microsoft 365 subscription that is covered by Microsoft’s HIPAA Business Associate Agreement for in-scope services, configured to meet HIPAA Security Rule access control and person or entity authentication safeguards, and managed through documented administrative procedures and workforce practices. … Read more

Coda can support HIPAA-compliant use only on its Enterprise plan with a signed HIPAA Business Associate Agreement in place and with product restrictions that limit how electronic protected health information is stored, shared, and processed inside the platform. HIPAA Covered Entities and Business Associates need a HIPAA Business Associate Agreement before a vendor creates, receives, … Read more

Marketo can be HIPAA compliant when a HIPAA Covered Entity or Business Associate uses the platform through Adobe’s healthcare offering, obtains an executed Business Associate Agreement from Adobe that covers the applicable services, and configures and operates the environment to meet HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements for electronic … Read more

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is creating a video presentation to discuss the needs of the HIPAA Security Rule risk management process and has asked HIPAA-regulated entities to submit risk management questions. The risk analysis is a basic component of the HIPAA Security Rule that identifies the … Read more

Digital patient intake and registration is HIPAA compliant only when the online forms, storage, and transmission methods protect electronic protected health information under the HIPAA Security Rule, intake workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the form or intake platform provider will sign a HIPAA … Read more

An EMR is HIPAA compliant only when the system has safeguards that support compliance with the HIPAA Security Rule and HIPAA Privacy Rule, the organization configures and uses the EMR to protect electronic protected health information, and the EMR vendor and any connected service providers that create, receive, maintain, or transmit electronic protected health information … Read more

Trinity Health Corporation, the Catholic Health System based in Livonia, Michigan, and co-defendants Valley Surgical Specialists Medical Group, Inc., Rame Deme Iberdemaj, and Daniel Evan Swartz, MD, have decided to resolve a class action lawsuit associated with a 2021 data breach prompted by its use of Accellion FTA, a file transfer platform. On or about … Read more

Nebraska Attorney General Mike Hilgers took legal action over the 2024 Change Healthcare data breach, which has been permitted to move forward after a motion to dismiss was denied. The litigation registered in Lancaster County District Court in December 2024 referred to Optum, UnitedHealth and Change Healthcare as defendants. The legal action claimed the defendants … Read more

Voicemail transcription tools are HIPAA compliant when voicemail and transcription content that includes protected health information is handled only for permitted treatment, payment, or healthcare operations purposes, protected with safeguards that meet the HIPAA Security Rule, used and disclosed in line with the HIPAA Privacy Rule, supported by breach response procedures under the HIPAA Breach … Read more

Twilio SendGrid is not HIPAA compliant for HIPAA Covered Entities or Business Associates because it is not a HIPAA-eligible service, it does not support HIPAA-compliant transmission of electronic protected health information, and Twilio does not sign a HIPAA Business Associate Agreement for SendGrid. HIPAA requires a written HIPAA Business Associate Agreement when a vendor creates, … Read more

Salesforce Pardot, also known as Marketing Cloud Account Engagement, is not HIPAA compliant for handling electronic protected health information because Salesforce does not make a HIPAA Business Associate Agreement available for Pardot in a way that permits Covered Entities or Business Associates to use the platform to create, receive, maintain, or transmit protected health information … Read more

The Qilin ransomware group launched an attack on June 3, 2024, and encrypted files on its system. Before encrypting the files in the victim’s network, the attacker exfiltrated data. The ransomware attack prompted substantial trouble to Synnovis’ business operations, disrupting a lot of its pathology services. Synnovis mentioned that the ransomware attack affected almost all … Read more

Google Bard is not HIPAA compliant for HIPAA Covered Entities or Business Associates because it is not offered under a HIPAA Business Associate Agreement and it is not designed to create, receive, maintain, or transmit electronic protected health information under HIPAA Privacy Rule and HIPAA Security Rule requirements. HIPAA compliance for third-party services that handle … Read more

Microsoft Forms is HIPAA compliant only when it is used as an in-scope service within an eligible Microsoft 365 or Office 365 subscription under an executed Microsoft HIPAA Business Associate Agreement, configured to meet HIPAA Security Rule administrative, physical, and technical safeguard requirements, and operated under HIPAA Privacy Rule controls that limit uses and disclosures … Read more

Twilio can be HIPAA compliant when a HIPAA Covered Entity or Business Associate executes Twilio’s Business Associate Agreement or Business Associate Addendum for Twilio HIPAA-eligible products and then designs, configures, and operates the implementation so that electronic protected health information is created, received, maintained, and transmitted under controls that meet HIPAA Privacy Rule, HIPAA Security … Read more

According to the US Healthcare Cyber Resilience Survey conducted by EY and KLAS Research, 7 of 10 healthcare institutions have encountered substantial business interruption because of cyberattacks in the last two years. The survey involved the participation of 100 healthcare professionals in charge of cybersecurity decisions in their companies. Companies suffered an average of 5 … Read more

Mend can be used in a HIPAA compliant manner when a HIPAA Covered Entity or Business Associate executes a HIPAA Business Associate agreement with Mend, limits use to the services and configurations covered by that agreement, and implements administrative, physical, and technical safeguards for electronic protected health information under the HIPAA Privacy Rule, HIPAA Security … Read more

Microsoft Intune can support HIPAA compliance when it is used as part of a Microsoft 365 deployment that has Microsoft’s HIPAA Business Associate Agreement in place for in-scope services, is configured to meet HIPAA Security Rule administrative, physical, and technical safeguard requirements, and is governed by HIPAA Privacy Rule and HIPAA Minimum Necessary Rule policies … Read more

Microsoft Bookings is HIPAA compliant only when it is used within an eligible Microsoft 365 environment under Microsoft’s HIPAA Business Associate Agreement for in-scope services, configured to meet HIPAA Security Rule safeguards, and operated under HIPAA Privacy Rule controls that limit collection, use, and disclosure of protected health information. Microsoft Bookings is an appointment scheduling … Read more

Network Solutions is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Network Solutions does not offer a HIPAA Business Associate Agreement for its email, web hosting, or related services and those services are not positioned for creating, receiving, maintaining, or transmitting electronic protected health information under HIPAA Privacy Rule and HIPAA Security … Read more

GetResponse is not HIPAA compliant for uses that involve protected health information because it does not offer a Business Associate Agreement for HIPAA Covered Entities or Business Associates, so it should not be used to create, receive, maintain, or transmit protected health information through email marketing, automation, landing pages, or contact management. A Business Associate … Read more

A Montefiore Medical Center’s former business clerk and his partner have admitted to taking numerous patient data and using the stolen information to defraud government institutions out of about $1 million. Wilkins Estrella, 40 years old, living in Hackensack, New Jersey, was employed at Montefiore Medical Center for more or less ten years. His employment … Read more

Backup and disaster recovery systems are HIPAA compliant when they protect electronic protected health information with safeguards required by the HIPAA Security Rule contingency planning standard, limit uses and disclosures under the HIPAA Privacy Rule, support breach assessment and notification under the HIPAA Breach Notification Rule, and include a signed HIPAA Business Associate Agreement when … Read more

macOS can be used in a HIPAA-compliant manner when it is deployed and managed under a documented HIPAA Security Rule program that applies administrative, physical, and technical safeguards to endpoints that create, receive, maintain, or transmit electronic protected health information, and when consumer Apple cloud services such as iCloud are not used for electronic protected … Read more

Wild Apricot is not HIPAA compliant for HIPAA Covered Entities or Business Associates because the service is not offered with a HIPAA Business Associate Agreement and its membership management and communications features can create, receive, maintain, or transmit electronic protected health information outside the safeguards required by HIPAA. HIPAA requires a written HIPAA Business Associate … Read more

ExtraHop, the network detection and response (NDR) company, published its 2025 Global Threat Landscape Report where it revealed that ransomware groups are running fewer attacks than last year but are taking on a more targeted strategy using sneaky tactics to realize more significant results. Ransomware groups are conducting more targeted, sophisticated attacks, allowing them to … Read more

Oracle Eloqua can support HIPAA-compliant use only when the organization purchases and uses the Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service, executes a HIPAA Business Associate Agreement with Oracle for the applicable services, and limits campaign design, data collection, user access, and integrations to HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach … Read more

Prior authorization platforms are HIPAA compliant only when the platform and its supporting services protect electronic protected health information under the HIPAA Security Rule, prior authorization workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the platform provider and any connected vendors that create, receive, maintain, or … Read more

eFax services are HIPAA compliant when the service is used under a plan that supports protected health information, the provider signs a HIPAA Business Associate Agreement, and the covered entity or business associate configures and operates the service with safeguards and procedures that meet requirements under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA … Read more

Eastern Radiologists in North Carolina has decided to resolve a class action lawsuit associated with a 2023 data breach for $3.25 million. The data breach report submitted to the HHS’s Office for Civil Rights indicated that the protected health information (PHI) of 886,746 individuals was affected. The Eastern Radiologists discovered the data breach on November … Read more

Remote support tools are not HIPAA compliant by product label, but they can be used in a HIPAA-compliant manner when they are configured to meet HIPAA Security Rule technical safeguard requirements for access control, person or entity authentication, audit controls, integrity, and transmission security, and when the vendor will sign a HIPAA Business Associate agreement … Read more

Mozilla Firefox is not HIPAA compliant as a standalone web browser, and it is only suitable for HIPAA regulated use when it is kept supported and patched, centrally managed, and used in a technical environment that prevents impermissible uses or disclosures of electronic protected health information. HIPAA compliance obligations apply to HIPAA Covered Entities and … Read more

LiveChat is not HIPAA compliant by product label, but it can be used in a HIPAA-compliant manner when it is configured and governed to meet HIPAA Security Rule safeguards for access control, audit controls, integrity, person or entity authentication, and transmission security, and when LiveChat will sign a HIPAA Business Associate agreement for the deployment … Read more

Skagit County Public Hospital District No. 1, also known as Skagit Regional Health, which manages Skagit Regional Hospital in Mount Vernon, Washington, has decided to resolve class action litigation associated with its use of Meta Pixel and other tracking tools on its website, which may have exposed patient data to third parties. Skagit Regional Health, … Read more

The HHS’ Office for Civil Rights reached a $182,000 settlement with five Delaware healthcare companies to take care of alleged HIPAA Privacy and HIPAA Breach Notification Rules violations. The settlement is about the publishing of the protected health information (PHI) of patients on social media without first getting HIPAA-compliant consent to use PHI for something … Read more

Microsoft Excel can support HIPAA-compliant workflows only when it is used under a qualifying Microsoft 365 or Office 365 business subscription that is covered by Microsoft’s HIPAA Business Associate Agreement, configured to meet HIPAA Security Rule safeguard requirements, and controlled by organizational policies that prevent impermissible uses and disclosures of protected health information. Excel is … Read more

Autopilot, now branded as Ortto, is not HIPAA compliant for HIPAA Covered Entities or Business Associates because the service is not offered with a HIPAA Business Associate Agreement for handling electronic protected health information and the platform’s marketing automation features can store and transmit data elements that constitute protected health information. HIPAA permits a regulated … Read more

Online appointment scheduling is HIPAA compliant only when the scheduling system and any related reminder or messaging functions protect electronic protected health information under the HIPAA Security Rule, scheduling workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the scheduling vendor and its subcontractors will sign a … Read more

Claims submission and clearinghouse tools are HIPAA compliant when their use, configuration, and vendor obligations support permitted claims processing activities and meet applicable requirements under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, including execution of a HIPAA Business Associate Agreement when the vendor creates, receives, maintains, or transmits protected health … Read more

The U.S. Government Accountability Office wrote to Health and Human Services Chief Information Officer (CIO) Clark Minor, calling his attention about the recommendations for the present open cybersecurity and IT management. As a non-partisan agency, GAO works for Congress and gives assistance to ensure it fulfills its constitutional duties and helps enhance the efficiency and … Read more

Mobile device management (MDM) supports HIPAA compliance when it is implemented as part of an organization’s HIPAA Security Rule safeguards for mobile devices that create, receive, maintain, or transmit electronic protected health information, and when any MDM vendor that handles electronic protected health information on behalf of a HIPAA Covered Entity or Business Associate signs … Read more

Mad Mimi is not HIPAA compliant for uses that involve protected health information because it does not offer a Business Associate Agreement for HIPAA Covered Entities or Business Associates, so it should not be used to create, receive, maintain, or transmit protected health information through email campaigns, subscriber management, or related email marketing functions. A … Read more

The U.S. Department of Justice arrested Volodymyr Viktorovich Tymoshchuk who is accused of his important role in several ransomware operations. This Ukrainian ransomware criminal, also known as Boba, deadforz, msfv, and farnetwork, is alleged to have conducted the MegaCortex, Nefilim, and LockerGaga ransomware operations from December 2018 to October 2021. Tymoshchuk, with his accomplices, performed … Read more

Microsoft Publisher can be used in a HIPAA-compliant manner only when it is deployed under a qualifying Microsoft 365 or Office 365 business subscription that is covered by Microsoft’s HIPAA Business Associate Agreement for in-scope services, configured to meet HIPAA Security Rule safeguards, and governed by HIPAA Privacy Rule and HIPAA Minimum Necessary Rule controls … Read more

Eligibility verification software is HIPAA compliant only when the software and its supporting services protect electronic protected health information under the HIPAA Security Rule, eligibility workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the vendor and any connected service providers that create, receive, maintain, or transmit … Read more

MailerLite is not HIPAA compliant for HIPAA Covered Entities or Business Associates because it does not offer a Business Associate Agreement and its service is not presented as supporting HIPAA Privacy Rule and HIPAA Security Rule requirements for creating, receiving, maintaining, or transmitting electronic protected health information. HIPAA requires a written contract, commonly a Business … Read more

Healthcare entities are less likely to have critical cybersecurity vulnerabilities as opposed to other industries, since they are typically good at prevention; nevertheless, when vulnerabilities are discovered, healthcare falls behind other industries in terms of remediation. These are the conclusions of a recent research about penetration testing data and a survey by the Pentest-as-a-service (PTaaS) … Read more

Indicative is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Indicative does not sign a HIPAA Business Associate Agreement and therefore cannot be used to create, receive, maintain, or transmit electronic protected health information on behalf of a regulated healthcare organization. HIPAA requires a written HIPAA Business Associate Agreement when a vendor … Read more

Windows 10 can be used in a HIPAA-compliant manner only when it is deployed and managed under a HIPAA Security Rule program that enforces administrative, physical, and technical safeguards for endpoints that create, receive, maintain, or transmit electronic protected health information, and its continued use after Microsoft ends standard support on October 14, 2025 requires … Read more

Practice management software is HIPAA compliant only when the software and its supporting services can be configured to meet the administrative, physical, and technical safeguard requirements of the HIPAA Security Rule, the organization uses the software in a way that limits uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, … Read more

Antivirus tools are not HIPAA compliant by product label, but they can support HIPAA compliance when deployed and managed under documented HIPAA Security Rule safeguards for guarding against, detecting, and reporting malicious software, and when the vendor will sign a HIPAA Business Associate agreement for any service arrangement that involves the vendor creating, receiving, maintaining, … Read more

Electronic consent management is HIPAA compliant when the consent workflow and technology protect electronic protected health information under the HIPAA Security Rule, support valid written authorizations under the HIPAA Privacy Rule where required, apply the HIPAA Minimum Necessary Rule to consent related access and disclosures, and the consent management provider will sign a HIPAA Business … Read more

Recent alerts had been issued concerning a critical vulnerability identified in FortiSIEM with a publicly available exploit code and two vulnerabilities in N-able N-central. Network defenders use FortiSIEM, a central security information and event management (SIEM) solution, for network telemetry, logging, and security incident notifications. Big companies, healthcare organizations, and government entities commonly use FortiSIEM. … Read more

Kidney dialysis service provider, DaVita, in Denver, CO, submitted a data breach report to the HHS’ Office for Civil Rights due to a ransomware attack on April 12, 2025. The attackers acquired access to its system, exfiltrated sensitive information, and encrypted files on some of its systems. Although the attack temporarily disrupted part of its … Read more

A District Court judge recently approved a settlement of a consolidated class action complaint for $8.5 million against Nuance Communications in association with a data breach in May 2023. This computer software firm, based in Burlington, Massachusetts, is owned by Microsoft. HIPAA business associate, Nuance Communications, offers speech recognition programs to clients in the healthcare … Read more

Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released alerts regarding a high-severity vulnerability impacting Exchange hybrid deployments that can enable an attacker to elevate privileges in Exchange Online cloud settings without being detected, potentially compromising the identity integrity of a company’s Exchange Online service. Vulnerability CVE-2025-53786 affects hybrid-joined settings of Exchange … Read more

Patient survey tools are not HIPAA compliant by product label, but they can be used in a HIPAA-compliant manner when the survey workflow is designed to limit protected health information collection to the HIPAA Minimum Necessary Rule, the tool and all connected services operate with HIPAA Security Rule safeguards, and the vendor signs a HIPAA … Read more

The 2025 Cost of a Data Breach Report by IBM reveals a drop in the worldwide average data breach cost. However, the cost of U.S. data breaches increased by 9.2% to $10.22 million. It was $9.36 million in 2024. The increased costs of U.S. data breaches were mostly because of higher regulatory penalties. and detection … Read more

Amwell can be used in a HIPAA compliant manner when a HIPAA Covered Entity or Business Associate signs a HIPAA Business Associate agreement with Amwell for the applicable services, configures the platform to support required safeguards, and operates telemedicine workflows in a way that prevents impermissible uses or disclosures of protected health information under the … Read more

Clinical dictation software is not HIPAA compliant by product label, but it can be used in a HIPAA-compliant manner when the dictation workflow meets HIPAA Privacy Rule and HIPAA Security Rule requirements for protected health information and the vendor signs a HIPAA Business Associate agreement for any service in which the vendor creates, receives, maintains, … Read more

An international law enforcement operation succeeded in seizing the dark web sites of the BlackSuit ransomware group. The takedown covers BlackSuit’s negotiation and data leak websites, after a court order approved the seizure. The dark websites now display banners informing visitors that U.S. Homeland Security Investigations has seized the web properties as part of Operation … Read more

Patient payment portals are HIPAA compliant when the portal handles protected health information only for permitted payment activities, applies administrative, physical, and technical safeguards that meet the HIPAA Security Rule, limits uses and disclosures under the HIPAA Privacy Rule, supports incident response and notification obligations under the HIPAA Breach Notification Rule, and the vendor signs … Read more

A phishing attack impacted several cancer care organizations of the Integrated Oncology Network (ION). All impacted entities released identical breach notices concerning the attack. According to the breach notices, the sophisticated phishing attack allowed unauthorized individuals to access a few employee email and SharePoint accounts. ION took immediate action to protect the impacted accounts and … Read more

Website chat can be used in a HIPAA-compliant manner only when the chat function is configured and governed to prevent impermissible disclosures of protected health information, the vendor signs a HIPAA Business Associate agreement when the service creates, receives, maintains, or transmits protected health information on the organization’s behalf, and the implementation meets HIPAA Security … Read more

There is a new ransomware group that is attacking several industries, particularly technology, healthcare, and event services. Based on the latest Trend Micro report, the Bert ransomware group, tracked as Water Pombero, first attacked entities in the United States and Asia, though victims across Europe were also identified. It is believed to have originated from … Read more

Document management software is HIPAA compliant when it is used to create, receive, maintain, or transmit protected health information only under permitted HIPAA Privacy Rule purposes, it is implemented with administrative, physical, and technical safeguards that meet the HIPAA Security Rule, it supports breach assessment and notification obligations under the HIPAA Breach Notification Rule, and … Read more

ActiveCampaign is not HIPAA compliant for handling electronic protected health information in email marketing workflows because HIPAA compliance requires a signed HIPAA Business Associate Agreement that covers the specific services in scope and operational controls that prevent electronic protected health information from being created, received, maintained, or transmitted in ways the platform is not designed … Read more

Michigan-based McLaren Health Care began informing 743,131 individuals about the compromise of some of their protected health information (PHI) during a ransomware attack in August 2024. McLaren Health Care had earlier reported the ransomware attack, but the analysis of the compromised files took a longer time; therefore, the delay in sending personal breach notification letters. … Read more

WebEngage is not HIPAA compliant for HIPAA Covered Entities or Business Associates because WebEngage does not offer a HIPAA Business Associate Agreement for its platform, which prevents regulated organizations from using it to create, receive, maintain, or transmit electronic protected health information. HIPAA requires a written HIPAA Business Associate Agreement when a vendor performs services … Read more

Validic can be HIPAA compliant when a HIPAA Covered Entity or Business Associate signs a HIPAA Business Associate Agreement with Validic for the applicable services and then configures, governs, and uses the platform so electronic protected health information is handled under HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements. HIPAA compliance … Read more

Two-way patient messaging is HIPAA compliant when the messaging workflow is limited to permitted treatment, payment, and healthcare operations uses, protected health information is safeguarded under the HIPAA Security Rule, uses and disclosures are controlled under the HIPAA Privacy Rule, breach response procedures support the HIPAA Breach Notification Rule, and any vendor that creates, receives, … Read more

Ransomware continues to present a considerable threat to U.S. healthcare providers, though many ransomware groups no longer encrypt data and only conduct extortion attacks. Cybersecurity company Sophos’ new report shows that only 50% of ransomware attacks in 2025 included file encryption. The threat of exposing stolen information is usually enough to compel victims to give … Read more

In early June 2025, the House of Representatives and Senate introduced two bipartisan bills seeking to improve the healthcare and public health (HPH) sector cybersecurity through better coordination at the government level so that, in the event of cyberattacks on HPH sector entities,  government agencies could respond immediately and efficiently. There have been significantly more … Read more

Doxy.me can be used in a HIPAA compliant manner for telehealth when the organization uses a plan that supports HIPAA requirements, executes a HIPAA Business Associate agreement with Doxy.me, and configures workflows and policies to meet the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. HIPAA compliance for a telehealth platform depends … Read more

Non-profit provider of drug and alcohol addiction services, Drug and Alcohol Treatment Services, Inc. (DATS), based in Scranton, PA, is facing multiple class action lawsuits because of a ransomware attack in October 2024. DATS discovered the unauthorized access to its computer system on October 6, 2024. Based on the forensic investigation, an unauthorized third party … Read more

Microsoft Edge is not HIPAA compliant as a standalone web browser, and it is only suitable for HIPAA regulated use when it is managed, kept supported and patched, and used to access systems that are configured for compliance under an applicable HIPAA Business Associate agreement when required. Browser choice affects HIPAA Security Rule compliance because … Read more

Hightail is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Hightail will not sign a HIPAA Business Associate Agreement for handling electronic protected health information and the service is not offered as a HIPAA-eligible platform for regulated healthcare workflows. HIPAA requires a written HIPAA Business Associate Agreement when a vendor creates, receives, … Read more

Patient reminder systems are HIPAA compliant when appointment reminders are limited to permitted treatment communications, patient requested privacy restrictions and confidential communication preferences are applied to the reminder workflow, the system is configured with safeguards that meet the HIPAA Security Rule for any electronic protected health information it creates, receives, maintains, or transmits, the vendor … Read more

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have updated an earlier published joint cybersecurity alert regarding the Play ransomware group, also called Playcrypt. Playcrypt appeared in June 2022 and has executed ransomware attacks on companies in various industries, such as HIPAA-compliant healthcare organizations and other critical infrastructure entities. … Read more

GoTo can be used in a HIPAA-compliant manner when a HIPAA Covered Entity or Business Associate signs GoTo’s HIPAA Business Associate Agreement for the specific GoTo service offerings in scope and then configures and operates those services to meet HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements for electronic protected health … Read more

Microsoft PowerPoint can be used in a HIPAA-compliant manner only when it is deployed under a qualifying Microsoft 365 or Office 365 business subscription that is covered by Microsoft’s HIPAA Business Associate Agreement, configured to meet HIPAA Security Rule safeguard requirements, and governed by workforce policies that prevent impermissible uses and disclosures of protected health … Read more

The Cyber Division of the Federal Bureau of Investigation (FBI) has released an alert to U.S. law firms regarding targeted attacks conducted by the Silent Ransom Group. From Spring 2023, the Silent Ransom group has been constantly targeting U.S. law offices, though it also executed attacks in several industries, such as healthcare. The Silent Ransom … Read more

Employee benefits administrator, Kelly & Associates Insurance Group, based in Sparks, Maryland, dba Kelly Benefits, has published edited figures on the number of people impacted by a cyberattack on December 2024. On April 9, 2025, Kelly Benefits at first reported the data breach as an event related to unauthorized access to the information of 32,234 … Read more

Password managers are not “HIPAA compliant” products by designation, but they can be used in a HIPAA-compliant manner when the deployment supports HIPAA Security Rule administrative, physical, and technical safeguards, and when the vendor will sign a HIPAA Business Associate agreement for any service that creates, receives, maintains, or transmits electronic protected health information on … Read more

Schedulicity is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Schedulicity does not sign a HIPAA Business Associate Agreement and the service is not offered as a controlled environment for creating, receiving, maintaining, or transmitting electronic protected health information. HIPAA requires a written contract when a vendor performs functions or services for … Read more

Call recording systems are HIPAA compliant when recordings and related metadata that contain protected health information are created and stored only for a defined operational purpose, safeguarded in accordance with the HIPAA Security Rule, used and disclosed in accordance with the HIPAA Privacy Rule, managed under documented retention and access controls, and supported by a … Read more

Netgain Technology has made the decision to resolve a consumer data breach lawsuit filed because of a ransomware attack and data breach in 2020. Netgain will create a $1.9 million settlement fund to pay class member claims. Netgain is a cloud hosting and managed IT service company based in Minnesota, and many of its clients … Read more

Lab ordering and results portals are HIPAA compliant only when the portal and related services protect electronic protected health information under the HIPAA Security Rule, portal workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the portal provider and any connected vendors that create, receive, maintain, or … Read more

Masimo, a producer of patient monitoring devices, submitted a Form 8-K to the U.S. Securities and Exchange Commission (SEC) to notify investors concerning a cyberattack that has impacted its production facilities. Masimo stated some of its production facilities were running at under normal levels from the time of the attack, which is impacting the company’s … Read more

Windows 11 can be used in a HIPAA-compliant manner only when it is deployed and managed under a documented HIPAA Security Rule program that implements required administrative, physical, and technical safeguards for endpoints that create, receive, maintain, or transmit electronic protected health information. Windows 11 is an operating system and does not provide HIPAA compliance … Read more

A patient portal is HIPAA compliant only when the portal and its supporting services are implemented and configured to meet the safeguard requirements of the HIPAA Security Rule, portal operations comply with the use and disclosure requirements of the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the portal provider and any connected … Read more

Infusionsoft by Keap is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Keap does not offer a HIPAA Business Associate Agreement for Infusionsoft by Keap and the platform is not positioned for creating, receiving, maintaining, or transmitting electronic protected health information in marketing automation workflows. HIPAA requires a written HIPAA Business Associate … Read more

The court has given final approval of a $2.4 million settlement of a class action lawsuit against Somnia Inc. in association with a cyberattack and data breach in 2022. Somnia operates anesthesiology services at over 100 surgery centers throughout the country. In 2022, Somnia encountered a cyberattack that enabled hackers to access its system that … Read more

A malware campaign using ResolverRAT is targeting healthcare companies and pharmaceutical firms. ResolverRAT is a new stealthy remote access trojan that is being downloaded through phishing emails pretending to be notifications about copyright violations or other legalities that can cause a false impression of urgency. The phishing emails contain a web link that redirects the … Read more

Clinical transcription software is not HIPAA compliant by product label, but it can be used in a HIPAA-compliant manner when the transcription workflow meets HIPAA Privacy Rule and HIPAA Security Rule requirements for protected health information handling and the vendor signs a HIPAA Business Associate agreement for any arrangement in which the vendor creates, receives, … Read more

Workday can be used in a HIPAA-compliant manner when a HIPAA Covered Entity or Business Associate executes Workday’s HIPAA Business Associate Agreement for the specific Workday services that will handle electronic protected health information and then configures and governs the environment to meet HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements. … Read more

DaVita had an 8K filing with the U.S. Securities and Exchange Commission (SEC) on April 14, 2025. Based on the information submitted, the kidney dialysis provider suffered a ransomware attack that led to the encryption of portions of its system. The attack happened on April 12, 2025 and affected a number of its operations. In … Read more

Microsoft Access can support HIPAA-compliant use of electronic protected health information only when it is deployed within a controlled environment that meets HIPAA Security Rule safeguard requirements, uses a HIPAA Business Associate Agreement for any Microsoft-hosted services involved in storing or transmitting the data, and is governed by HIPAA Privacy Rule and HIPAA Minimum Necessary … Read more

Microsoft has fixed a vulnerability identified in the Windows Common Log File System (CLFS). A threat actor known as Storm-2460 is actively exploiting the vulnerability using PipeMagic malware. The attacker uses the malware to exploit the vulnerability to alter privileges to spread the ransomware in the victim’s network. Windows CLFS is a recording system for … Read more

Spark DSO, LLC and CDHA Management, LLC, also known as Chord Specialty Dental Partners, recently informed the U.S. Department of Health and Human Services’ Office for Civil Rights about encountering a data breach where unauthorized access affected the protected health information (PHI) of up to 173,430 people. The dental service organization based in Tennessee offers … Read more

At the beginning of March 2025, Microsoft gave an update about its Cybersecurity for Rural Hospitals Program. This program is created to safeguard access to medical care for the 46 million people in rural communities by assisting rural hospitals to enhance cybersecurity. Patients from rural communities must travel twice as far as urban residents to … Read more

The Health Information Sharing and Analysis Center (Health-ISAC) and the American Hospital Association (AHA) released a joint advisory cautioning hospitals regarding a possible coordinated multi-city terrorist attack targeting hospitals in the upcoming weeks. On March 18, 2025, the AHA and Health-ISAC found a social media write-up regarding possible ISIS-K coordinated terrorist attacks on U.S. hospitals. … Read more