Is Facebook HIPAA Compliant?

Facebook is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Facebook does not sign a HIPAA Business Associate Agreement and its services, including Facebook Messenger, are not intended to be used to create, receive, maintain, or transmit protected health information on behalf of regulated healthcare organizations. HIPAA requires a written HIPAA Business … Read more

Is Microsoft Defender for Endpoint HIPAA Compliant?

Microsoft Defender for Endpoint can support HIPAA compliance when it is implemented within a HIPAA-governed security program, used under Microsoft’s HIPAA Business Associate Agreement for applicable Microsoft online services, and configured and operated to meet HIPAA Security Rule administrative, physical, and technical safeguard requirements for systems that create, receive, maintain, or transmit electronic protected health … Read more

Are Identity & Access Management (SSO/MFA) Systems HIPAA Compliant?

Identity and access management systems that provide single sign-on and multi-factor authentication are not inherently “HIPAA compliant” products, but they can support HIPAA compliance when implemented and configured to meet HIPAA Security Rule and HIPAA Privacy Rule requirements, and when the vendor signs a HIPAA Business Associate agreement if the service creates, receives, maintains, or … Read more

Is an EHR HIPAA Compliant?

An EHR is HIPAA compliant only when the EHR system supports compliance with the HIPAA Security Rule and the HIPAA Privacy Rule through appropriate administrative, physical, and technical safeguards, the Covered Entity or Business Associate configures and uses the EHR to protect electronic protected health information, and the EHR vendor and any connected service providers … Read more

Is Google Chrome HIPAA Compliant?

Google Chrome is not HIPAA compliant as a standalone product, and its use in a HIPAA regulated environment is limited to serving as a managed user agent for accessing systems that are configured for HIPAA compliance and governed by a signed HIPAA Business Associate agreement where applicable. HIPAA applies to covered entities and business associates, … Read more

Is Salesforce Marketing Cloud HIPAA Compliant?

Salesforce Marketing Cloud is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Salesforce Marketing Cloud is not offered as a HIPAA-covered service for electronic protected health information and a HIPAA Business Associate Agreement is not available for Salesforce Marketing Cloud use involving protected health information. HIPAA compliance for a cloud service depends … Read more

Are Endpoint Encryption Tools HIPAA Compliant?

Endpoint encryption tools are HIPAA compliant when they are implemented as part of an organization’s HIPAA Security Rule risk management program to protect electronic protected health information stored on or accessed by endpoints, encryption keys are managed and access is controlled, and any vendor that creates, receives, maintains, or transmits protected health information on behalf … Read more

Are Claims Submission & Clearinghouse Tools HIPAA Compliant?

Claims submission and clearinghouse tools are HIPAA compliant when their use, configuration, and vendor obligations support permitted claims processing activities and meet applicable requirements under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, including execution of a HIPAA Business Associate Agreement when the vendor creates, receives, maintains, or transmits protected health … Read more

Is Venmo HIPAA Compliant?

Venmo is not a HIPAA compliant platform for transmitting protected health information and it does not offer a Business Associate Agreement, but a covered entity may accept a patient-initiated payment through Venmo when use is limited to payment processing and no protected health information is created, received, maintained, or transmitted through the service. The HIPAA … Read more

Study Reveals 58% of College Students Would Sell Patient Data If the Price Is Right

A recent study on insider threats found that many college students would be willing to break the HIPAA Rules: if paid the right price, they would steal and disclose patient information. The right price ranged from $10,000 to over $10 million. Professor Lawrence Sanders of the University of Buffalo, … Read more

Is Yesware HIPAA Compliant?

Yesware is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Yesware does not offer a HIPAA Business Associate Agreement and the platform’s email productivity and tracking functions can create, receive, maintain, or transmit electronic protected health information outside controls required by the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification … Read more

GuidePoint Security Reports 58% Increase in 2025 Ransomware Attacks

A new GuidePoint Security report documents the growing ransomware threat, with 2025 recorded as the most active year since the cybersecurity firm began publishing its reports. Victim counts increased by 58% year-over-year, with 2,287 unique victims in Q4 2025 alone. The GuidePoint Research and Intelligence Team (GRIT) reported December as the most active … Read more

Is Microsoft OneNote HIPAA Compliant?

Microsoft OneNote can be used in a HIPAA-compliant manner only when a HIPAA Covered Entity or Business Associate uses it under a Microsoft 365 plan that supports HIPAA compliance, has Microsoft’s HIPAA Business Associate Agreement in place for the in-scope services that store or transmit electronic protected health information, configures those services to meet HIPAA … Read more

Is Telephone Triage Software HIPAA Compliant?

Telephone triage software is HIPAA compliant when triage calls and related documentation use permitted treatment communications under the HIPAA Privacy Rule, any electronic protected health information created by voice platforms, recordings, call logs, triage notes, and messaging features is protected with safeguards that meet the HIPAA Security Rule, breach response processes meet the HIPAA Breach … Read more

Is Document Scanning Software HIPAA Compliant?

Document scanning software is HIPAA compliant when scanning, optical character recognition, storage, transmission, and user access workflows protect any protected health information under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, and when the vendor signs a HIPAA Business Associate Agreement for any service in which the vendor creates, receives, maintains, … Read more

Is E-Prescribing Software HIPAA Compliant?

E-prescribing software is HIPAA compliant only when the software and its supporting services protect electronic protected health information under the HIPAA Security Rule, e-prescribing workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the e-prescribing vendor and any connected service providers that create, receive, maintain, or transmit … Read more

Is Campaign Monitor HIPAA Compliant?

Campaign Monitor is not HIPAA compliant for uses that involve protected health information because it does not offer a Business Associate Agreement for HIPAA Covered Entities or Business Associates, so it should not be used to create, receive, maintain, or transmit protected health information in email marketing or related email automation. A Business Associate Agreement … Read more

Judge Approves $1M Settlement of Community First Medical Center Data Breach Lawsuit

A federal judge has approved a $1 million settlement of a consolidated class action lawsuit filed against Community First Medical Center. The Chicago, IL, medical center detected unauthorized third-party access to its network on July 12, 2023, resulting in a data breach. Files that contain the … Read more

Is Microsoft Word HIPAA Compliant?

Microsoft Word can be used in a HIPAA-compliant manner only when it is deployed under a qualifying Microsoft 365 or Office 365 subscription that is covered by Microsoft’s HIPAA Business Associate Agreement, configured to meet HIPAA Security Rule administrative, physical, and technical safeguard requirements, and used under workforce policies that prevent impermissible uses and disclosures … Read more

Is Alta HIPAA Compliant?

Alta is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Alta does not offer a HIPAA Business Associate Agreement and the service is not represented as supporting HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements for electronic protected health information. HIPAA requires a HIPAA Business Associate Agreement when … Read more

Possible Changes to the HIPAA Privacy Rule in 2026

On December 10, 2020, OCR published a Notice of Proposed Rulemaking setting out proposed changes to the HIPAA Privacy Rule based on the responses to its December 2018 Request for Information. The proposed modifications are minimal and do not include the Privacy Rule changes that healthcare sector stakeholders have been lobbying for. The majority of the … Read more

Are Website Contact Forms HIPAA Compliant?

Website contact forms are HIPAA compliant only when they are designed to prevent impermissible disclosures of protected health information and, when the form transmits or stores protected health information, the form platform, hosting provider, and any connected services sign a HIPAA Business Associate agreement and operate with HIPAA Security Rule safeguards for access control, audit … Read more

Selection Criteria for HIPAA Training

Selection criteria for HIPAA training should require content created and maintained by HIPAA subject matter experts, current update controls, an employee-focused curriculum that teaches the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule through realistic scenarios, strong administrator oversight and audit-ready documentation, targeted coverage of social media and artificial intelligence risks, flexibility … Read more

Is Apple Invites HIPAA Compliant?

Apple Invites is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Apple does not offer a HIPAA Business Associate Agreement for Apple Invites and the service is not provided as a HIPAA-eligible platform for creating, receiving, maintaining, or transmitting electronic protected health information. HIPAA requires a written HIPAA Business Associate Agreement when … Read more

Memorial Hospital and Manor Decides to Settle Ransomware Class Action Litigation

Memorial Hospital and Manor, a rural hospital in Bainbridge, Georgia, has agreed to settle a class action lawsuit over a November 2024 ransomware attack and data breach. The hospital detected the cyberattack on November 2, 2024, after its EMR system, website, and email became unavailable. On November 3, 2024, Memorial Hospital and Manor notified patients about … Read more

Are Patient Outcomes Tools HIPAA Compliant?

Patient outcomes tools are not HIPAA compliant by product label, but they can be used in a HIPAA-compliant manner when the tool and connected services handle protected health information under a signed HIPAA Business Associate agreement and the implementation meets HIPAA Security Rule safeguards for access control, audit controls, integrity, person or entity authentication, and … Read more

MedStar Health Sends Notifications About its Data Breach

MedStar Health, a non-profit health system that operates 10 hospitals in the Baltimore-Washington metro region, discovered a cyberattack and data breach on October 4, 2025. The forensic investigation determined that an unauthorized third party had access to part of its internal systems that stored patient information from September 12, 2025 to September 16, 2025. MedStar Health … Read more

Is Secure File Transfer (SFTP/MFT) Software HIPAA Compliant?

Secure file transfer software using Secure File Transfer Protocol or managed file transfer is HIPAA compliant when the implementation protects electronic protected health information with safeguards required by the HIPAA Security Rule, limits uses and disclosures under the HIPAA Privacy Rule, supports breach response obligations under the HIPAA Breach Notification Rule, and includes a signed … Read more

Is Campaigner HIPAA Compliant?

Campaigner is not HIPAA compliant for any use that involves protected health information because it does not sign a Business Associate Agreement with HIPAA Covered Entities or Business Associates, so it should not be used to create, receive, maintain, or transmit protected health information in email marketing, automated messaging, or related contact management. A Business … Read more

Is Patch Management Software HIPAA Compliant?

Patch management software is not HIPAA compliant by product label, but it can support HIPAA compliance when it is implemented as part of a documented patch management program that meets HIPAA Security Rule administrative and technical safeguard requirements for risk analysis, risk management, system maintenance, protection from malicious software, audit controls, and access control, and … Read more

Mirion Medical Reports High-Severity Vulnerabilities in EC2 Software NMIS BioDose

Mirion Medical has identified five high-severity vulnerabilities in its EC2 Software NMIS BioDose software and issued patches to correct them. An attacker who successfully exploits the vulnerabilities could gain unauthorized access to the software, alter program executables, obtain sensitive data, and potentially execute code remotely. HIPAA-regulated healthcare providers use the Mirion Medical EC2 Software NMIS … Read more

Is Microsoft Authenticator HIPAA Compliant?

Microsoft Authenticator can support HIPAA compliance when it is used with Microsoft Entra ID under an eligible Microsoft 365 subscription that is covered by Microsoft’s HIPAA Business Associate Agreement for in-scope services, configured to meet HIPAA Security Rule access control and person or entity authentication safeguards, and managed through documented administrative procedures and workforce practices. … Read more

Is Coda HIPAA Compliant?

Coda can support HIPAA-compliant use only on its Enterprise plan with a signed HIPAA Business Associate Agreement in place and with product restrictions that limit how electronic protected health information is stored, shared, and processed inside the platform. HIPAA Covered Entities and Business Associates need a HIPAA Business Associate Agreement before a vendor creates, receives, … Read more

Is Marketo HIPAA Compliant?

Marketo can be HIPAA compliant when a HIPAA Covered Entity or Business Associate uses the platform through Adobe’s healthcare offering, obtains an executed Business Associate Agreement from Adobe that covers the applicable services, and configures and operates the environment to meet HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements for electronic … Read more

OCR to Create Video Presentation to Clarify HIPAA Risk Management Questions

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is producing a video presentation on the requirements of the HIPAA Security Rule risk management process and has asked HIPAA-regulated entities to submit their risk management questions. The risk analysis is a foundational requirement of the HIPAA Security Rule that identifies the … Read more

Is Digital Patient Intake / Registration HIPAA Compliant?

Digital patient intake and registration is HIPAA compliant only when the online forms, storage, and transmission methods protect electronic protected health information under the HIPAA Security Rule, intake workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the form or intake platform provider will sign a HIPAA … Read more

Is an EMR HIPAA Compliant?

An EMR is HIPAA compliant only when the system has safeguards that support compliance with the HIPAA Security Rule and HIPAA Privacy Rule, the organization configures and uses the EMR to protect electronic protected health information, and the EMR vendor and any connected service providers that create, receive, maintain, or transmit electronic protected health information … Read more

Trinity Health Pays $450,000 to Settle Lawsuit Over Accellion FTA Data Breach

Trinity Health Corporation, a Catholic health system based in Livonia, Michigan, and co-defendants Valley Surgical Specialists Medical Group, Inc., Rame Deme Iberdemaj, and Daniel Evan Swartz, MD, have agreed to resolve a class action lawsuit over a 2021 data breach caused by its use of Accellion FTA, a file transfer platform. On or about … Read more

Motion to Dismiss Change Healthcare Lawsuit Rejected

A lawsuit filed by Nebraska Attorney General Mike Hilgers over the 2024 Change Healthcare data breach may proceed after a motion to dismiss was denied. The lawsuit, filed in Lancaster County District Court in December 2024, names Optum, UnitedHealth, and Change Healthcare as defendants. The lawsuit alleges the defendants … Read more

Are Voicemail Transcription Tools HIPAA Compliant?

Voicemail transcription tools are HIPAA compliant when voicemail and transcription content that includes protected health information is handled only for permitted treatment, payment, or healthcare operations purposes, protected with safeguards that meet the HIPAA Security Rule, used and disclosed in line with the HIPAA Privacy Rule, supported by breach response procedures under the HIPAA Breach … Read more

Is SendGrid HIPAA Compliant?

Twilio SendGrid is not HIPAA compliant for HIPAA Covered Entities or Business Associates because it is not a HIPAA-eligible service, it does not support HIPAA-compliant transmission of electronic protected health information, and Twilio does not sign a HIPAA Business Associate Agreement for SendGrid. HIPAA requires a written HIPAA Business Associate Agreement when a vendor creates, … Read more

Is Salesforce Pardot HIPAA Compliant?

Salesforce Pardot, also known as Marketing Cloud Account Engagement, is not HIPAA compliant for handling electronic protected health information because Salesforce does not make a HIPAA Business Associate Agreement available for Pardot in a way that permits Covered Entities or Business Associates to use the platform to create, receive, maintain, or transmit protected health information … Read more

Synnovis Issues Breach Notifications 17 Months After the June 2024 Ransomware Attack

The Qilin ransomware group attacked Synnovis on June 3, 2024, and encrypted files on its systems. Before encrypting the files in the victim’s network, the attacker exfiltrated data. The ransomware attack caused substantial disruption to Synnovis’ business operations, taking down many of its pathology services. Synnovis said that the ransomware attack affected almost all … Read more

Is Google Bard HIPAA Compliant?

Google Bard is not HIPAA compliant for HIPAA Covered Entities or Business Associates because it is not offered under a HIPAA Business Associate Agreement and it is not designed to create, receive, maintain, or transmit electronic protected health information under HIPAA Privacy Rule and HIPAA Security Rule requirements. HIPAA compliance for third-party services that handle … Read more

Is Microsoft Forms HIPAA Compliant?

Microsoft Forms is HIPAA compliant only when it is used as an in-scope service within an eligible Microsoft 365 or Office 365 subscription under an executed Microsoft HIPAA Business Associate Agreement, configured to meet HIPAA Security Rule administrative, physical, and technical safeguard requirements, and operated under HIPAA Privacy Rule controls that limit uses and disclosures … Read more

Is Twilio HIPAA Compliant?

Twilio can be HIPAA compliant when a HIPAA Covered Entity or Business Associate executes Twilio’s Business Associate Agreement or Business Associate Addendum for Twilio HIPAA-eligible products and then designs, configures, and operates the implementation so that electronic protected health information is created, received, maintained, and transmitted under controls that meet HIPAA Privacy Rule, HIPAA Security … Read more

Cybersecurity Investment as a Business Enabler

According to the US Healthcare Cyber Resilience Survey conducted by EY and KLAS Research, 7 in 10 healthcare organizations have experienced substantial business disruption because of cyberattacks in the last two years. The survey polled 100 healthcare professionals responsible for cybersecurity decisions at their organizations. Organizations suffered an average of 5 … Read more

Is Mend HIPAA Compliant?

Mend can be used in a HIPAA compliant manner when a HIPAA Covered Entity or Business Associate executes a HIPAA Business Associate agreement with Mend, limits use to the services and configurations covered by that agreement, and implements administrative, physical, and technical safeguards for electronic protected health information under the HIPAA Privacy Rule, HIPAA Security … Read more

Is Microsoft Intune HIPAA Compliant?

Microsoft Intune can support HIPAA compliance when it is used as part of a Microsoft 365 deployment that has Microsoft’s HIPAA Business Associate Agreement in place for in-scope services, is configured to meet HIPAA Security Rule administrative, physical, and technical safeguard requirements, and is governed by HIPAA Privacy Rule and HIPAA Minimum Necessary Rule policies … Read more

Is Microsoft Bookings HIPAA Compliant?

Microsoft Bookings is HIPAA compliant only when it is used within an eligible Microsoft 365 environment under Microsoft’s HIPAA Business Associate Agreement for in-scope services, configured to meet HIPAA Security Rule safeguards, and operated under HIPAA Privacy Rule controls that limit collection, use, and disclosure of protected health information. Microsoft Bookings is an appointment scheduling … Read more

Is Network Solutions HIPAA Compliant?

Network Solutions is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Network Solutions does not offer a HIPAA Business Associate Agreement for its email, web hosting, or related services and those services are not positioned for creating, receiving, maintaining, or transmitting electronic protected health information under HIPAA Privacy Rule and HIPAA Security … Read more

Is GetResponse HIPAA Compliant?

GetResponse is not HIPAA compliant for uses that involve protected health information because it does not offer a Business Associate Agreement for HIPAA Covered Entities or Business Associates, so it should not be used to create, receive, maintain, or transmit protected health information through email marketing, automation, landing pages, or contact management. A Business Associate … Read more

Couple Pleads Guilty to $1M Fraud Scheme Using Stolen Patient Information

A former business clerk at Montefiore Medical Center and his partner have admitted to stealing the data of numerous patients and using the stolen information to defraud government agencies of about $1 million. Wilkins Estrella, 40, of Hackensack, New Jersey, was employed at Montefiore Medical Center for roughly ten years. His employment … Read more

Are Backup & Disaster Recovery Systems HIPAA Compliant?

Backup and disaster recovery systems are HIPAA compliant when they protect electronic protected health information with safeguards required by the HIPAA Security Rule contingency planning standard, limit uses and disclosures under the HIPAA Privacy Rule, support breach assessment and notification under the HIPAA Breach Notification Rule, and include a signed HIPAA Business Associate Agreement when … Read more

Is macOS HIPAA Compliant?

macOS can be used in a HIPAA-compliant manner when it is deployed and managed under a documented HIPAA Security Rule program that applies administrative, physical, and technical safeguards to endpoints that create, receive, maintain, or transmit electronic protected health information, and when consumer Apple cloud services such as iCloud are not used for electronic protected … Read more

Is Wild Apricot HIPAA Compliant?

Wild Apricot is not HIPAA compliant for HIPAA Covered Entities or Business Associates because the service is not offered with a HIPAA Business Associate Agreement and its membership management and communications features can create, receive, maintain, or transmit electronic protected health information outside the safeguards required by HIPAA. HIPAA requires a written HIPAA Business Associate … Read more

Ransomware Groups’ Changing Strategies Spur 44% More Ransom Demands

ExtraHop, the network detection and response (NDR) company, has published its 2025 Global Threat Landscape Report, which found that ransomware groups are running fewer attacks than last year but are adopting a more targeted, stealthier approach to achieve greater impact. Ransomware groups are conducting more targeted, sophisticated attacks, allowing them to … Read more

Is Oracle Eloqua HIPAA Compliant?

Oracle Eloqua can support HIPAA-compliant use only when the organization purchases and uses the Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service, executes a HIPAA Business Associate Agreement with Oracle for the applicable services, and limits campaign design, data collection, user access, and integrations to HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach … Read more

Are Prior Authorization Platforms HIPAA Compliant?

Prior authorization platforms are HIPAA compliant only when the platform and its supporting services protect electronic protected health information under the HIPAA Security Rule, prior authorization workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the platform provider and any connected vendors that create, receive, maintain, or … Read more

Are eFax Services HIPAA Compliant?

eFax services are HIPAA compliant when the service is used under a plan that supports protected health information, the provider signs a HIPAA Business Associate Agreement, and the covered entity or business associate configures and operates the service with safeguards and procedures that meet requirements under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA … Read more

Eastern Radiologists Settles Class Action Lawsuit for $3.35 Million

Eastern Radiologists in North Carolina has agreed to settle a class action lawsuit over a 2023 data breach for $3.25 million. The breach report submitted to the HHS’ Office for Civil Rights indicated that the protected health information (PHI) of 886,746 individuals was affected. Eastern Radiologists discovered the data breach on November … Read more

Are Remote Support Tools HIPAA Compliant?

Remote support tools are not HIPAA compliant by product label, but they can be used in a HIPAA-compliant manner when they are configured to meet HIPAA Security Rule technical safeguard requirements for access control, person or entity authentication, audit controls, integrity, and transmission security, and when the vendor will sign a HIPAA Business Associate agreement … Read more

Is Mozilla Firefox HIPAA Compliant?

Mozilla Firefox is not HIPAA compliant as a standalone web browser, and it is only suitable for HIPAA regulated use when it is kept supported and patched, centrally managed, and used in a technical environment that prevents impermissible uses or disclosures of electronic protected health information. HIPAA compliance obligations apply to HIPAA Covered Entities and … Read more

Is LiveChat HIPAA Compliant?

LiveChat is not HIPAA compliant by product label, but it can be used in a HIPAA-compliant manner when it is configured and governed to meet HIPAA Security Rule safeguards for access control, audit controls, integrity, person or entity authentication, and transmission security, and when LiveChat will sign a HIPAA Business Associate agreement for the deployment … Read more

Skagit Regional Health Decides to Pay and Resolve Meta Pixel Class Action Litigation

Skagit County Public Hospital District No. 1, doing business as Skagit Regional Health, which operates Skagit Regional Hospital in Mount Vernon, Washington, has agreed to settle class action litigation over its use of Meta Pixel and other tracking tools on its website, which may have disclosed patient data to third parties. Skagit Regional Health, … Read more

Cadia Healthcare Pays $182,000 to Settle Its HIPAA Violations

The HHS’ Office for Civil Rights has reached a $182,000 settlement with five Delaware healthcare companies to resolve alleged violations of the HIPAA Privacy Rule and HIPAA Breach Notification Rule. The settlement concerns the posting of patients’ protected health information (PHI) on social media without first obtaining a HIPAA-compliant authorization to use PHI for something … Read more

Is Microsoft Excel HIPAA Compliant?

Microsoft Excel can support HIPAA-compliant workflows only when it is used under a qualifying Microsoft 365 or Office 365 business subscription that is covered by Microsoft’s HIPAA Business Associate Agreement, configured to meet HIPAA Security Rule safeguard requirements, and controlled by organizational policies that prevent impermissible uses and disclosures of protected health information. Excel is … Read more

Is Autopilot HIPAA Compliant?

Autopilot, now branded as Ortto, is not HIPAA compliant for HIPAA Covered Entities or Business Associates because the service is not offered with a HIPAA Business Associate Agreement for handling electronic protected health information and the platform’s marketing automation features can store and transmit data elements that constitute protected health information. HIPAA permits a regulated … Read more

Is Online Appointment Scheduling HIPAA Compliant?

Online appointment scheduling is HIPAA compliant only when the scheduling system and any related reminder or messaging functions protect electronic protected health information under the HIPAA Security Rule, scheduling workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the scheduling vendor and its subcontractors will sign a … Read more

Is Patient Statements & Billing Software HIPAA Compliant?

Patient statement and billing software is HIPAA compliant when its use, configuration, and vendor obligations support permitted payment activities and meet applicable requirements under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, including execution of a HIPAA Business Associate Agreement when the vendor creates, receives, maintains, or transmits protected health … Read more

GAO Reminds HHS to Enforce the Recommendations for Cybersecurity and IT Management

The U.S. Government Accountability Office has written to Health and Human Services Chief Information Officer (CIO) Clark Minor, drawing his attention to its open cybersecurity and IT management recommendations. GAO is a non-partisan agency that works for Congress, helping it fulfill its constitutional duties and improve the efficiency and … Read more

Is Mobile Device Management (MDM) HIPAA Compliant?

Mobile device management (MDM) supports HIPAA compliance when it is implemented as part of an organization’s HIPAA Security Rule safeguards for mobile devices that create, receive, maintain, or transmit electronic protected health information, and when any MDM vendor that handles electronic protected health information on behalf of a HIPAA Covered Entity or Business Associate signs … Read more

Is Mad Mimi HIPAA Compliant?

Mad Mimi is not HIPAA compliant for uses that involve protected health information because it does not offer a Business Associate Agreement for HIPAA Covered Entities or Business Associates, so it should not be used to create, receive, maintain, or transmit protected health information through email campaigns, subscriber management, or related email marketing functions. A … Read more

Feds’ $10 Million Reward for the Arrest of Ukrainian Serial Ransomware Criminal

The U.S. Department of Justice arrested Volodymyr Viktorovich Tymoshchuk, who is accused of playing an important role in several ransomware operations. This Ukrainian ransomware criminal, also known as Boba, deadforz, msfv, and farnetwork, is alleged to have conducted the MegaCortex, Nefilim, and LockerGoga ransomware operations from December 2018 to October 2021. Tymoshchuk, with his accomplices, performed … Read more

Is Microsoft Publisher HIPAA Compliant?

Microsoft Publisher can be used in a HIPAA-compliant manner only when it is deployed under a qualifying Microsoft 365 or Office 365 business subscription that is covered by Microsoft’s HIPAA Business Associate Agreement for in-scope services, configured to meet HIPAA Security Rule safeguards, and governed by HIPAA Privacy Rule and HIPAA Minimum Necessary Rule controls … Read more

Is Eligibility Verification Software HIPAA Compliant?

Eligibility verification software is HIPAA compliant only when the software and its supporting services protect electronic protected health information under the HIPAA Security Rule, eligibility workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the vendor and any connected service providers that create, receive, maintain, or transmit … Read more

Is MailerLite HIPAA Compliant?

MailerLite is not HIPAA compliant for HIPAA Covered Entities or Business Associates because it does not offer a Business Associate Agreement and its service is not presented as supporting HIPAA Privacy Rule and HIPAA Security Rule requirements for creating, receiving, maintaining, or transmitting electronic protected health information. HIPAA requires a written contract, commonly a Business … Read more

Healthcare Industry Gets Good Rating for Stopping Serious Vulnerabilities But Falls Behind in Remediation

Healthcare entities are less likely than other industries to have critical cybersecurity vulnerabilities, since they are typically good at prevention; nevertheless, when vulnerabilities are discovered, healthcare falls behind other industries in terms of remediation. These are the conclusions of recent research on penetration testing data and a survey by the Pentest-as-a-service (PTaaS) … Read more

Is Indicative HIPAA Compliant?

Indicative is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Indicative does not sign a HIPAA Business Associate Agreement and therefore cannot be used to create, receive, maintain, or transmit electronic protected health information on behalf of a regulated healthcare organization. HIPAA requires a written HIPAA Business Associate Agreement when a vendor … Read more

Is Windows 10 HIPAA Compliant?

Windows 10 can be used in a HIPAA-compliant manner only when it is deployed and managed under a HIPAA Security Rule program that enforces administrative, physical, and technical safeguards for endpoints that create, receive, maintain, or transmit electronic protected health information, and its continued use after Microsoft ends standard support on October 14, 2025 requires … Read more

Is Practice Management Software HIPAA Compliant?

Practice management software is HIPAA compliant only when the software and its supporting services can be configured to meet the administrative, physical, and technical safeguard requirements of the HIPAA Security Rule, the organization uses the software in a way that limits uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, … Read more

Are Antivirus Tools HIPAA Compliant?

Antivirus tools are not HIPAA compliant by product label, but they can support HIPAA compliance when deployed and managed under documented HIPAA Security Rule safeguards for guarding against, detecting, and reporting malicious software, and when the vendor will sign a HIPAA Business Associate agreement for any service arrangement that involves the vendor creating, receiving, maintaining, … Read more

Is Electronic Consent Management HIPAA Compliant?

Electronic consent management is HIPAA compliant when the consent workflow and technology protect electronic protected health information under the HIPAA Security Rule, support valid written authorizations under the HIPAA Privacy Rule where required, apply the HIPAA Minimum Necessary Rule to consent related access and disclosures, and the consent management provider will sign a HIPAA Business … Read more

Vulnerabilities Identified in FortiSIEM & N-able N-central

Recent alerts have been issued concerning a critical vulnerability identified in FortiSIEM with publicly available exploit code and two vulnerabilities in N-able N-central. Network defenders use FortiSIEM, a central security information and event management (SIEM) solution, for network telemetry, logging, and security incident notifications. Big companies, healthcare organizations, and government entities commonly use FortiSIEM. … Read more

2.7 Million Individuals Affected by DaVita Data Breach

Kidney dialysis service provider DaVita, based in Denver, CO, submitted a data breach report to the HHS’ Office for Civil Rights due to a ransomware attack on April 12, 2025. The attackers gained access to its system, exfiltrated sensitive information, and encrypted files on some of its systems. Although the attack temporarily disrupted part of its … Read more

Nuance Communications to Pay $8.5 Million to Resolve MOVEit Lawsuit

A District Court judge recently approved a settlement of a consolidated class action complaint for $8.5 million against Nuance Communications in association with a data breach in May 2023. This computer software firm, based in Burlington, Massachusetts, is owned by Microsoft. HIPAA business associate, Nuance Communications, offers speech recognition programs to clients in the healthcare … Read more

High-severity Vulnerability Identified in Microsoft Exchange Hybrid Deployments

Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released alerts regarding a high-severity vulnerability impacting Exchange hybrid deployments that can enable an attacker to elevate privileges in Exchange Online cloud settings without being detected, potentially compromising the identity integrity of a company’s Exchange Online service. Vulnerability CVE-2025-53786 affects hybrid-joined settings of Exchange … Read more

Are Patient Survey Tools HIPAA Compliant?

Patient survey tools are not HIPAA compliant by product label, but they can be used in a HIPAA-compliant manner when the survey workflow is designed to limit protected health information collection to the HIPAA Minimum Necessary Rule, the tool and all connected services operate with HIPAA Security Rule safeguards, and the vendor signs a HIPAA … Read more

Is Amwell HIPAA Compliant?

Amwell can be used in a HIPAA compliant manner when a HIPAA Covered Entity or Business Associate signs a HIPAA Business Associate agreement with Amwell for the applicable services, configures the platform to support required safeguards, and operates telemedicine workflows in a way that prevents impermissible uses or disclosures of protected health information under the … Read more

Is Clinical Dictation Software HIPAA Compliant?

Clinical dictation software is not HIPAA compliant by product label, but it can be used in a HIPAA-compliant manner when the dictation workflow meets HIPAA Privacy Rule and HIPAA Security Rule requirements for protected health information and the vendor signs a HIPAA Business Associate agreement for any service in which the vendor creates, receives, maintains, … Read more

Law Enforcement Seizes BlackSuit Ransomware Dark Web Sites

An international law enforcement operation succeeded in seizing the dark web sites of the BlackSuit ransomware group. The takedown covers BlackSuit’s negotiation and data leak websites, after a court order approved the seizure. The dark websites now display banners informing visitors that U.S. Homeland Security Investigations has seized the web properties as part of Operation … Read more

Are Patient Payment Portals HIPAA Compliant?

Patient payment portals are HIPAA compliant when the portal handles protected health information only for permitted payment activities, applies administrative, physical, and technical safeguards that meet the HIPAA Security Rule, limits uses and disclosures under the HIPAA Privacy Rule, supports incident response and notification obligations under the HIPAA Breach Notification Rule, and the vendor signs … Read more

133,918 Individuals Affected by Phishing Attack on Cancer Treatment Centers

A phishing attack impacted several cancer care organizations of the Integrated Oncology Network (ION). All impacted entities released identical breach notices concerning the attack. According to the breach notices, the sophisticated phishing attack allowed unauthorized individuals to access a few employee email and SharePoint accounts. ION took immediate action to protect the impacted accounts and … Read more

Is Website Chat HIPAA Compliant?

Website chat can be used in a HIPAA-compliant manner only when the chat function is configured and governed to prevent impermissible disclosures of protected health information, the vendor signs a HIPAA Business Associate agreement when the service creates, receives, maintains, or transmits protected health information on the organization’s behalf, and the implementation meets HIPAA Security … Read more

Trend Micro Reports Bert Ransomware Group Attacking Healthcare Providers

There is a new ransomware group that is attacking several industries, particularly technology, healthcare, and event services. Based on the latest Trend Micro report, the Bert ransomware group, tracked as Water Pombero, first attacked entities in the United States and Asia, though victims across Europe were also identified. It is believed to have originated from … Read more

Is Document Management Software HIPAA Compliant?

Document management software is HIPAA compliant when it is used to create, receive, maintain, or transmit protected health information only under permitted HIPAA Privacy Rule purposes, it is implemented with administrative, physical, and technical safeguards that meet the HIPAA Security Rule, it supports breach assessment and notification obligations under the HIPAA Breach Notification Rule, and … Read more

Is ActiveCampaign HIPAA Compliant?

ActiveCampaign is not HIPAA compliant for handling electronic protected health information in email marketing workflows because HIPAA compliance requires a signed HIPAA Business Associate Agreement that covers the specific services in scope and operational controls that prevent electronic protected health information from being created, received, maintained, or transmitted in ways the platform is not designed … Read more

750,000 Individuals Affected by McLaren Health Care August 2024 Ransomware Attack

Michigan-based McLaren Health Care began informing 743,131 individuals about the compromise of some of their protected health information (PHI) during a ransomware attack in August 2024. McLaren Health Care had earlier reported the ransomware attack, but the analysis of the compromised files took a longer time, hence the delay in sending personal breach notification letters. … Read more

Is WebEngage HIPAA Compliant?

WebEngage is not HIPAA compliant for HIPAA Covered Entities or Business Associates because WebEngage does not offer a HIPAA Business Associate Agreement for its platform, which prevents regulated organizations from using it to create, receive, maintain, or transmit electronic protected health information. HIPAA requires a written HIPAA Business Associate Agreement when a vendor performs services … Read more

Is Validic HIPAA Compliant?

Validic can be HIPAA compliant when a HIPAA Covered Entity or Business Associate signs a HIPAA Business Associate Agreement with Validic for the applicable services and then configures, governs, and uses the platform so electronic protected health information is handled under HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements. HIPAA compliance … Read more

Is Two-Way Patient Messaging HIPAA Compliant?

Two-way patient messaging is HIPAA compliant when the messaging workflow is limited to permitted treatment, payment, and healthcare operations uses, protected health information is safeguarded under the HIPAA Security Rule, uses and disclosures are controlled under the HIPAA Privacy Rule, breach response procedures support the HIPAA Breach Notification Rule, and any vendor that creates, receives, … Read more

More Ransomware Groups Engage in Extortion-Only Attacks

Ransomware continues to present a considerable threat to U.S. healthcare providers, though many ransomware groups no longer encrypt data and only conduct extortion attacks. Cybersecurity company Sophos’ new report shows that only 50% of ransomware attacks in 2025 included file encryption. The threat of exposing stolen information is usually enough to compel victims to give … Read more

Healthcare Cybersecurity Act of 2025 Presented in the Congress and Senate

In early June 2025, the House of Representatives and Senate introduced two bipartisan bills seeking to improve healthcare and public health (HPH) sector cybersecurity through better coordination at the government level so that, in the event of cyberattacks on HPH sector entities, government agencies could respond immediately and efficiently. There have been significantly more … Read more

Is Doxy.me HIPAA Compliant?

Doxy.me can be used in a HIPAA compliant manner for telehealth when the organization uses a plan that supports HIPAA requirements, executes a HIPAA Business Associate agreement with Doxy.me, and configures workflows and policies to meet the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. HIPAA compliance for a telehealth platform depends … Read more

Multiple Class Action Data Breach Lawsuits Filed Against Drug and Alcohol Treatment Services

Non-profit provider of drug and alcohol addiction services, Drug and Alcohol Treatment Services, Inc. (DATS), based in Scranton, PA, is facing multiple class action lawsuits because of a ransomware attack in October 2024. DATS discovered the unauthorized access to its computer system on October 6, 2024. Based on the forensic investigation, an unauthorized third party … Read more

Is Microsoft Edge HIPAA Compliant?

Microsoft Edge is not HIPAA compliant as a standalone web browser, and it is only suitable for HIPAA regulated use when it is managed, kept supported and patched, and used to access systems that are configured for compliance under an applicable HIPAA Business Associate agreement when required. Browser choice affects HIPAA Security Rule compliance because … Read more

Is Hightail HIPAA Compliant?

Hightail is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Hightail will not sign a HIPAA Business Associate Agreement for handling electronic protected health information and the service is not offered as a HIPAA-eligible platform for regulated healthcare workflows. HIPAA requires a written HIPAA Business Associate Agreement when a vendor creates, receives, … Read more

Are Patient Reminder Systems HIPAA Compliant?

Patient reminder systems are HIPAA compliant when appointment reminders are limited to permitted treatment communications, patient requested privacy restrictions and confidential communication preferences are applied to the reminder workflow, the system is configured with safeguards that meet the HIPAA Security Rule for any electronic protected health information it creates, receives, maintains, or transmits, the vendor … Read more

Updated Cybersecurity Advisory on Play Ransomware After Attacking 900 Victims

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have updated an earlier published joint cybersecurity alert regarding the Play ransomware group, also called Playcrypt. Playcrypt appeared in June 2022 and has executed ransomware attacks on companies in various industries, such as HIPAA-compliant healthcare organizations and other critical infrastructure entities. … Read more

Is GoTo HIPAA Compliant?

GoTo can be used in a HIPAA-compliant manner when a HIPAA Covered Entity or Business Associate signs GoTo’s HIPAA Business Associate Agreement for the specific GoTo service offerings in scope and then configures and operates those services to meet HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements for electronic protected health … Read more

Is Microsoft PowerPoint HIPAA Compliant?

Microsoft PowerPoint can be used in a HIPAA-compliant manner only when it is deployed under a qualifying Microsoft 365 or Office 365 business subscription that is covered by Microsoft’s HIPAA Business Associate Agreement, configured to meet HIPAA Security Rule safeguard requirements, and governed by workforce policies that prevent impermissible uses and disclosures of protected health … Read more

Silent Ransom Group Uses Vishing Attacks to Target U.S. Law Firms

The Cyber Division of the Federal Bureau of Investigation (FBI) has released an alert to U.S. law firms regarding targeted attacks conducted by the Silent Ransom Group. Since spring 2023, the Silent Ransom Group has been consistently targeting U.S. law offices, though it has also executed attacks in several other industries, such as healthcare. The Silent Ransom … Read more

Over 413,000 Individuals Affected by Kelly Benefits Data Breach

Employee benefits administrator Kelly & Associates Insurance Group, based in Sparks, Maryland, dba Kelly Benefits, has published revised figures on the number of people impacted by a cyberattack in December 2024. On April 9, 2025, Kelly Benefits initially reported the data breach as an event related to unauthorized access to the information of 32,234 … Read more

Are Password Managers HIPAA Compliant?

Password managers are not “HIPAA compliant” products by designation, but they can be used in a HIPAA-compliant manner when the deployment supports HIPAA Security Rule administrative, physical, and technical safeguards, and when the vendor will sign a HIPAA Business Associate agreement for any service that creates, receives, maintains, or transmits electronic protected health information on … Read more

Is Schedulicity HIPAA Compliant?

Schedulicity is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Schedulicity does not sign a HIPAA Business Associate Agreement and the service is not offered as a controlled environment for creating, receiving, maintaining, or transmitting electronic protected health information. HIPAA requires a written contract when a vendor performs functions or services for … Read more

Are Call Recording Systems HIPAA Compliant?

Call recording systems are HIPAA compliant when recordings and related metadata that contain protected health information are created and stored only for a defined operational purpose, safeguarded in accordance with the HIPAA Security Rule, used and disclosed in accordance with the HIPAA Privacy Rule, managed under documented retention and access controls, and supported by a … Read more

Netgain Technology Creates $1.9 Million Settlement Fund to Settle Data Breach Lawsuit

Netgain Technology has made the decision to resolve a consumer data breach lawsuit filed because of a ransomware attack and data breach in 2020. Netgain will create a $1.9 million settlement fund to pay class member claims. Netgain is a cloud hosting and managed IT service company based in Minnesota, and many of its clients … Read more

Are Lab Ordering & Results Portals HIPAA Compliant?

Lab ordering and results portals are HIPAA compliant only when the portal and related services protect electronic protected health information under the HIPAA Security Rule, portal workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the portal provider and any connected vendors that create, receive, maintain, or … Read more

Cyberattack on Masimo Patient Monitoring Device Company

Masimo, a producer of patient monitoring devices, submitted a Form 8-K to the U.S. Securities and Exchange Commission (SEC) to notify investors of a cyberattack that has impacted its production facilities. Masimo stated that some of its production facilities have been running below normal levels since the attack, which is impacting the company’s … Read more

Is Windows 11 HIPAA Compliant?

Windows 11 can be used in a HIPAA-compliant manner only when it is deployed and managed under a documented HIPAA Security Rule program that implements required administrative, physical, and technical safeguards for endpoints that create, receive, maintain, or transmit electronic protected health information. Windows 11 is an operating system and does not provide HIPAA compliance … Read more

Is a Patient Portal HIPAA Compliant?

A patient portal is HIPAA compliant only when the portal and its supporting services are implemented and configured to meet the safeguard requirements of the HIPAA Security Rule, portal operations comply with the use and disclosure requirements of the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule, and the portal provider and any connected … Read more

Is Infusionsoft by Keap HIPAA Compliant?

Infusionsoft by Keap is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Keap does not offer a HIPAA Business Associate Agreement for Infusionsoft by Keap and the platform is not positioned for creating, receiving, maintaining, or transmitting electronic protected health information in marketing automation workflows. HIPAA requires a written HIPAA Business Associate … Read more

Somnia Pays $2.4 Million to Settle Data Breach Lawsuit

The court has given final approval to a $2.4 million settlement of a class action lawsuit against Somnia Inc. in association with a cyberattack and data breach in 2022. Somnia operates anesthesiology services at over 100 surgery centers throughout the country. In 2022, Somnia encountered a cyberattack that enabled hackers to access its system that … Read more

ResolverRAT Malware Campaign Targets Healthcare Organizations

A malware campaign using ResolverRAT is targeting healthcare companies and pharmaceutical firms. ResolverRAT is a new stealthy remote access trojan that is being downloaded through phishing emails pretending to be notifications about copyright violations or other legalities that can cause a false impression of urgency. The phishing emails contain a web link that redirects the … Read more

Is Clinical Transcription Software HIPAA Compliant?

Clinical transcription software is not HIPAA compliant by product label, but it can be used in a HIPAA-compliant manner when the transcription workflow meets HIPAA Privacy Rule and HIPAA Security Rule requirements for protected health information handling and the vendor signs a HIPAA Business Associate agreement for any arrangement in which the vendor creates, receives, … Read more

Is Workday HIPAA Compliant?

Workday can be used in a HIPAA-compliant manner when a HIPAA Covered Entity or Business Associate executes Workday’s HIPAA Business Associate Agreement for the specific Workday services that will handle electronic protected health information and then configures and governs the environment to meet HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements. … Read more

DaVita Reports 8K Filing After a Ransomware Attack

DaVita submitted an 8-K filing to the U.S. Securities and Exchange Commission (SEC) on April 14, 2025. Based on the information submitted, the kidney dialysis provider suffered a ransomware attack that led to the encryption of portions of its system. The attack happened on April 12, 2025 and affected a number of its operations. In … Read more

Is Microsoft Access HIPAA Compliant?

Microsoft Access can support HIPAA-compliant use of electronic protected health information only when it is deployed within a controlled environment that meets HIPAA Security Rule safeguard requirements, uses a HIPAA Business Associate Agreement for any Microsoft-hosted services involved in storing or transmitting the data, and is governed by HIPAA Privacy Rule and HIPAA Minimum Necessary … Read more

Windows CLFS Vulnerability Under Active Exploitation

Microsoft has fixed a vulnerability identified in the Windows Common Log File System (CLFS). A threat actor known as Storm-2460 is actively exploiting the vulnerability using PipeMagic malware. The attacker uses the malware to exploit the vulnerability to escalate privileges and spread ransomware in the victim’s network. Windows CLFS is a recording system for … Read more

PHI of 173,000 Patients Exposed Due to Chord Specialty Dental Partners Email Data Breach

Spark DSO, LLC and CDHA Management, LLC, also known as Chord Specialty Dental Partners, recently informed the U.S. Department of Health and Human Services’ Office for Civil Rights about encountering a data breach where unauthorized access affected the protected health information (PHI) of up to 173,430 people. The dental service organization based in Tennessee offers … Read more

Benefits of Microsoft’s Cybersecurity for Rural Hospitals Program

At the beginning of March 2025, Microsoft gave an update on its Cybersecurity for Rural Hospitals Program. This program is designed to safeguard access to medical care for the 46 million people in rural communities by assisting rural hospitals in enhancing their cybersecurity. Patients from rural communities must travel twice as far as urban residents to … Read more

ISIS-K’s Potential Terror Threat on U.S. Hospitals

The Health Information Sharing and Analysis Center (Health-ISAC) and the American Hospital Association (AHA) released a joint advisory cautioning hospitals about a possible coordinated multi-city terrorist attack targeting hospitals in the coming weeks. On March 18, 2025, the AHA and Health-ISAC identified a social media post regarding possible ISIS-K coordinated terrorist attacks on U.S. hospitals. … Read more

Ransomware Attacks Likely to Increase in 2025

Ransomware attacks trended upward in 2024 and will likely continue to do so in 2025, as many more new victims were listed on ransomware groups’ data leak websites in January and February. Cybersecurity company Cyble recently reported that about 599 victims were added to data leak sites in February and 518 in January. Most of the … Read more

Harvard Pilgrim Health Care to Pay $16 Million to Settle Data Breach Litigation

Harvard Pilgrim Health Care and Point32Health, its parent company, have decided to pay $16 million to settle claims associated with a ransomware attack in 2023 that impacted roughly 3 million individuals. In 2023, hackers accessed systems that contained 2,967,396 health plan members’ protected health information (PHI). After exfiltrating data, the hackers used ransomware to encrypt … Read more

Silver Fox Threat Group Uses Malicious DICOM Installers for Attacks on Healthcare

Ransomware groups are attacking healthcare companies for financial profit, accessing networks, stealing information, then employing ransomware for file encryption. Cyber threat actors also attack healthcare systems and steal information via silent attacks, where breached healthcare companies aren’t extorted and hackers stay in their systems longer. Cybersecurity company Forescout researchers have discovered a new threat group … Read more

1.6 Million Records in Clinical Trials Database Exposed Online

A 2 TB database containing around 1.6 million clinical trial records was exposed online and accessible to anyone without a password. Cybersecurity researcher Jeremiah Fowler discovered the database and reported that it consists of 1,674,218 records. The exposed records include survey results in PDF format that contain sensitive personal and medical data. The exposed information … Read more

Huntress Report Highlights Changes to Ransomware Group Strategies

Although ransomware continues to present a threat to enterprises, it accounts for only about 9.5% of threats overall. Other threats include remote access trojans (13%), malware (17%), malicious scripts (22%), and infostealers (24%). RATs are also involved in over 75% of remote access cases. Huntress discovered greater exploitation of remote monitoring and management (RMM) assets … Read more

California Department of Corrections and Rehabilitation Resolves Potential HIPAA Violation

The California Department of Corrections and Rehabilitation (CDCR) decided to resolve a class action lawsuit associated with negligence for not preventing a data breach in 2022. The data breach happened in January 2022 after hackers accessed CDCR systems comprising the protected health information (PHI) and personally identifiable information (PII) of people imprisoned in the State … Read more

Mulkay Cardiology Consultants Confirms Settlement of Class Action Lawsuit Prompted by a Ransomware Attack

At the beginning of November 2023, Mulkay Cardiology Consultants based in New Jersey reported a ransomware attack that resulted in unauthorized access to around 79,582 individuals’ protected health information (PHI). Breach victims took legal action against Mulkay Cardiology Consultants which ended in a settlement to conclude the litigation. Based on forensic investigation, a threat actor … Read more

Ransomware Attack Impacts U.S. Blood Donation Organization

The nonprofit blood donation organization called OneBlood based in Florida suffered a ransomware attack that is impacting its capacity to supply blood to hospitals. OneBlood provides blood to about 250 hospitals located in Alabama, Georgia, North and South Carolina, and Florida. OneBlood reported on July 31, 2024 that a ransomware attack impacted its software program. … Read more

Top 3 Healthcare Data Breaches in 2024

In 2024, OCR received 13 data breach reports that each affected over 1 million healthcare records. The biggest healthcare data breach impacted approximately 100,000,000 people. The total of exposed or compromised records of U.S. residents for those 13 data breaches is 146,463,977, which is about 42% of the U.S. population. Change Healthcare Data … Read more

Ransomware Attack on Conceptions Reproductive Associates of Colorado

The Conceptions Reproductive Associates of Colorado fertility clinic recently announced that it suffered a ransomware attack. The threat actor gained unauthorized access to its system and stole the data of about 80,000 present and past patients, including their associates. The fertility clinic detected the incident in the middle of April 2024 when it affected some … Read more

NetWalker Ransomware Affiliate Faces 20 Years Imprisonment

Daniel Christian Hulea, 30 years old, from Romania, was sentenced to 20 years imprisonment for executing ransomware attacks on healthcare companies and educational organizations during the pandemic. The man was an affiliate of the NetWalker ransomware-as-a-service (RaaS) operation. The U.S. Department of Justice reported in January 2021 that over $450,000 in cryptocurrency was seized during … Read more

1.46 Million Patients Impacted by Texas Tech University Health Sciences Center Cyberattack

Texas Tech University Health Sciences Center, the university's academic health institution and medical school, reported the theft of a large volume of patient data during a September ransomware attack. The cyberattack targeted systems used by UMC Health System, Texas Tech Physicians, and Texas Tech University Health Sciences Center El Paso. The HHS' Office … Read more

Healthcare Hacker Faces 10 Years Imprisonment

A 45-year-old hacker named Robert Purbeck was sentenced to 10 years in prison for attacking several U.S. healthcare companies, breaching their systems, stealing sensitive information, and attempting to extort them. Purbeck is an IT professional who previously worked for Ada County, Idaho. He hacked at least 19 organizations between 2017 and 2018 … Read more

Gulf Coast Pain Consultants to Pay $1.19 Million HIPAA Fine

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $1.19 million civil monetary penalty on Gulf Coast Pain Consultants, LLC for failing to terminate former workforce members' access to systems containing electronic protected health information (ePHI) and for other violations of the HIPAA Security Rule. Pain management practice Gulf … Read more
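The control OCR cites here, terminating access when workforce members leave, is a reconciliation problem: the HR system knows who has left, and the identity directory knows whose account is still enabled or still being used. The following is an added example, not code from the original article or from any of the organizations it names, that runs that reconciliation over two constructed samples (an HR separation feed and a directory export); the usernames, dates and the `grace_days` tolerance are hypothetical.

```python
"""
Added example: reconcile HR separations against directory account state and
flag accounts that remain enabled, or were used, after the separation date.
Both data sets are constructed samples, not real records.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]   # None = the account has never logged on


@dataclass(frozen=True)
class Finding:
    username: str
    separated_on: date
    reason: str


# Constructed HR feed: username -> separation date
SEPARATIONS = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 5, 15),
    "bwong": date(2024, 6, 30),
}

# Constructed directory export (what you would pull from AD, Okta, etc.)
ACCOUNTS = [
    Account("jdoe",   enabled=True,  last_logon=date(2024, 3, 20)),  # enabled and used after leaving
    Account("asmith", enabled=False, last_logon=date(2024, 5, 14)),  # correctly disabled
    Account("bwong",  enabled=True,  last_logon=date(2024, 6, 28)),  # enabled but unused since leaving
    Account("cliu",   enabled=True,  last_logon=date(2024, 7, 1)),   # current employee, not in HR feed
]


def stale_access(accounts, separations, grace_days: int = 0):
    """Return one Finding per problem for each separated user whose access survived.

    grace_days is a tolerance for offboarding that completes at end of business
    on the separation date; a logon within the grace window is not flagged.
    """
    by_name = {a.username: a for a in accounts}
    findings = []
    for user, separated_on in sorted(separations.items()):
        acct = by_name.get(user)
        if acct is None:
            continue  # account already deleted: nothing to flag
        deadline = separated_on + timedelta(days=grace_days)
        if acct.enabled:
            findings.append(Finding(user, separated_on, "account still enabled after separation"))
        if acct.last_logon is not None and acct.last_logon > deadline:
            findings.append(Finding(user, separated_on, f"logon on {acct.last_logon} after separation"))
    return findings


if __name__ == "__main__":
    for f in stale_access(ACCOUNTS, SEPARATIONS):
        print(f"{f.username}: separated {f.separated_on}, {f.reason}")
```

Run on the constructed data, the check flags jdoe twice (still enabled, and a logon after separation) and bwong once (still enabled), while asmith, whose account was disabled on schedule, produces no finding. A "logon after separation" finding is the more serious of the two, because it is evidence of use, not just an open door.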

HHS-OIG Recommendations for Enhancing OCR’s HIPAA Audit Program

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) audited the HHS Office for Civil Rights (OCR) to evaluate whether OCR has fulfilled its obligation to perform periodic audits of HIPAA-covered entities for HIPAA compliance. A prior HHS-OIG audit was conducted in 2013 to investigate compliance with the Health Information … Read more

Rio Hondo Community Mental Health Center Pays $100,000 Penalty for HIPAA Violation

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a $100,000 civil monetary penalty on a California mental health center for failing to provide timely access to a patient's healthcare records. On March 18, 2020, a Rio Hondo Community Mental Health Center patient submitted a request for a copy of her medical … Read more

18,000 Individuals Impacted by Planned Parenthood Ransomware Attack

Reproductive healthcare provider Planned Parenthood of Montana has released additional information about the RansomHub ransomware attack that it initially reported at the beginning of September. At the time of the initial breach report, the investigation had only just begun and it had not been confirmed whether the attacker stole any patient information. Now, there is confirmation from Planned … Read more

Multiple Lawsuits Filed Against Gryphon Healthcare Over August Data Breach

Multiple class-action lawsuits have been filed against Gryphon Healthcare, a Houston, TX-based provider of revenue cycle management and medical billing solutions to healthcare companies. The lawsuits stem from an August 2024 data breach involving unauthorized access to the protected health information (PHI) of almost 400,000 individuals. The breached data contained names, contact data, Social … Read more

OCR Director Speaks at HHS-NIST Conference About OCR’s Top Priorities

In late October, the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS) hosted a conference called "Safeguarding Health Information: Building Assurance Through HIPAA Security 2024". Participants received information about the current state of cybersecurity in healthcare and the role of the HIPAA Security Rule in helping HIPAA-covered entities … Read more

Boston Children’s Health Physicians Attacked by BianLian Threat Group

Boston Children's Health Physicians (BCHP), a multi-specialty pediatric group based in Valhalla, NY, provides services to newborns and children in New York and Connecticut. BCHP has reported that its IT vendor suffered a cyberattack. The IT vendor informed BCHP on September 6, 2024 that suspicious activity had been detected in the vendor's network. On September 10, … Read more

Rhysida Ransomware Group Claims Responsibility for Axis Health System Cyberattack

AXIS Health System, a network of behavioral health facilities based in Colorado, has published a notice on its website about a cyber incident. Little information about the nature of the attack has been provided beyond the fact that incident response protocols were initiated. The investigation into the nature and extent of the breach is ongoing. In case … Read more

Ponemon Institute Survey Reveals Increased Cyberattacks on Healthcare Organizations

A new Ponemon Institute survey conducted for Proofpoint found that almost all U.S. healthcare organizations experienced a cyberattack in the past year. Of the 648 IT and IT security professionals surveyed, 92% reported at least one cyberattack in the last 12 months, up from 88% of respondents in 2023. The report found that … Read more

NIST Updated Guidelines for Password Complexity

A new update to the National Institute of Standards and Technology (NIST) password guidelines recommends longer passwords in place of the previous emphasis on mixing uppercase and lowercase letters, numbers, and special characters. Although requiring multiple character types makes a password nominally more complex, users tend to satisfy such rules with predictable patterns (a capitalized word, a digit, and a trailing symbol), which weakens security. … Read more
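To make the difference concrete, here is an added example (not code from the original article or from NIST) that puts a legacy composition policy next to a length-based policy of the kind NIST SP 800-63B describes: a minimum length, a generous maximum, no composition rules, Unicode normalization, and a blocklist check that also catches context-specific words such as the service name or username. The blocklist and the 15-character minimum are assumptions for the example; SP 800-63B sets 8 characters as the floor and recommends 15.

```python
"""
Added example: a classic composition policy beside a NIST SP 800-63B style
length-and-blocklist policy. BLOCKLIST is a small constructed sample; a real
deployment would check against a large breached-password corpus.
"""
import re
import unicodedata

# Constructed sample blocklist (lowercase). Real lists have millions of entries.
BLOCKLIST = {"password", "password1!", "qwerty123", "letmein", "welcome1"}


def legacy_complexity_ok(pw: str) -> bool:
    """Legacy policy: at least 8 characters and all four character classes.
    'Password1!' passes this check, which is exactly the predictable pattern
    the updated guidance warns about."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def nist_ok(pw: str, *, min_len: int = 15, max_len: int = 64, context_words=()) -> bool:
    """Length-based policy in the spirit of SP 800-63B:
      - NFKC-normalize so visually identical inputs compare equal
      - require min_len..max_len characters (spaces and any printable Unicode allowed)
      - reject anything on the blocklist
      - reject passwords containing context-specific words (username, service name)
      - impose no composition rules
    """
    pw = unicodedata.normalize("NFKC", pw)
    if not (min_len <= len(pw) <= max_len):
        return False
    low = pw.lower()
    if low in BLOCKLIST:
        return False
    for word in context_words:
        if word and word.lower() in low:
            return False
    return True


def compare(pw: str, context_words=()):
    """Return (legacy_verdict, nist_verdict) for one candidate password."""
    return legacy_complexity_ok(pw), nist_ok(pw, context_words=context_words)


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple", "Summer2024!"):
        print(f"{candidate!r}: legacy={compare(candidate)[0]} nist={compare(candidate)[1]}")
```

The two policies disagree in both directions: the legacy rule accepts `Password1!` and rejects the 28-character passphrase `correct horse battery staple`, while the length-based rule does the opposite. Note that `nist_ok` does not cap length at something small; SP 800-63B requires verifiers to accept at least 64 characters so that passphrases are usable.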

Consolidation of Change Healthcare Data Breach Lawsuits

Following a massive data breach, Change Healthcare is facing dozens of lawsuits filed by plaintiffs across multiple districts. The cyberattack resulted in the theft of 6 TB of sensitive data, including the personal and protected health information (PHI) of millions of individuals throughout the United States. The lawsuits allege that Change Healthcare failed … Read more

HIPAA Privacy and Reproductive Healthcare Privacy Final Rules Challenged by a Lawsuit

Texas Attorney General Ken Paxton has filed a lawsuit against the Department of Health and Human Services (HHS), HHS Secretary Xavier Becretary Xavier Becerra, and Office for Civil Rights (OCR) Director Melanie Fontes Rainer. The lawsuit challenges the long-standing HIPAA Privacy Rule and the 2024 HHS final rule on reproductive healthcare privacy. Paxton contends that … Read more

Planned Parenthood Attacked by RansomHub Ransomware Group

The RansomHub ransomware group continues to target the healthcare sector, with its latest victim being Planned Parenthood of Montana, an affiliate of the New York-based reproductive healthcare provider Planned Parenthood. The group added Planned Parenthood to its data leak site, claiming to have stolen 93 GB of sensitive information. Martha Fuller, CEO of Planned Parenthood of Montana, reported the … Read more

Pioneer Kitten Iranian Espionage Group Collaborates With Ransomware Groups

An Iranian hacking group known as Pioneer Kitten (also tracked as Fox Kitten, Rubidium, Parisite, and Lemon Sandstorm) has been collaborating with ransomware groups to compromise and extort organizations across sectors including defense, finance, education, and healthcare. Active since 2017, Pioneer Kitten is believed to operate under the auspices of the Iranian … Read more

BlackSuit — a Rebrand of Royal Ransomware Confirmed

The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released an alert about the BlackSuit ransomware group, which they have identified as a rebrand of Royal ransomware. The group has been behind numerous attacks on healthcare organizations. The FBI and CISA first issued an alert about Royal … Read more

Data Theft at United of Omaha Life Insurance Company Due to Phishing Attack

United of Omaha Life Insurance Company, located in Nebraska, has reported a phishing attack that compromised the protected health information (PHI) of 107,894 people. The insurer discovered the breach on April 23, 2024 after identifying suspicious activity in an employee's email account. United of Omaha determined that a third party accessed the … Read more

Employee Email Accounts Breached at Aveanna Healthcare

Georgia-based healthcare provider Aveanna Healthcare recently reported that a third party gained unauthorized access to the email accounts of 11 employees, exposing the protected health information (PHI) of 10,482 patients. This is Aveanna Healthcare's second email breach report this year. On March 15, 2024, Aveanna Healthcare submitted to the HHS' Office … Read more

Change Healthcare Ransomware Attack Cost Expected to Increase to $2.3B in 2024

UnitedHealth Group (UHG) has provided an update on the response costs associated with the February 2024 ransomware attack on Change Healthcare. The total response cost is now forecast at $2.3 billion to $2.45 billion for 2024, more than $1 billion above the figure reported earlier. UHG has already paid roughly $2 billion handling the … Read more

DaVita Patients Affected by Tracking Technology Privacy Incident

DaVita has discovered that tracking tools used on its web pages and mobile app may have transmitted user information to third-party providers. On July 2, 2024, Denver, CO-based kidney dialysis provider DaVita Inc. notified 67,443 patients of a pixel-related data breach. With more than 2,800 outpatient dialysis centers in the U.S., DaVita serves … Read more

Who does HIPAA not apply to?

HIPAA does not apply to entities or individuals that are neither a covered entity (healthcare providers, health plans, and healthcare clearinghouses) nor a business associate handling protected health information (PHI) on behalf of a covered entity. This includes employers, life insurers, schools, and certain technology platforms when they do … Read more