HIPAA News

Michigan-based McLaren Health Care began informing 743,131 individuals about the compromise of some of their protected health information (PHI) during a ransomware attack in August 2024. McLaren Health Care had earlier reported the ransomware attack, but the analysis of the compromised files took a longer time; therefore, the delay in sending personal breach notification letters. … Read more

Ransomware continues to present a considerable threat to U.S. healthcare providers, though many ransomware groups no longer encrypt data and only conduct extortion attacks. Cybersecurity company Sophos’ new report shows that only 50% of ransomware attacks in 2025 included file encryption. The threat of exposing stolen information is usually enough to compel victims to give … Read more

In early June 2025, the House of Representatives and Senate introduced two bipartisan bills seeking to improve the healthcare and public health (HPH) sector cybersecurity through better coordination at the government level so that, in the event of cyberattacks on HPH sector entities,  government agencies could respond immediately and efficiently. There have been significantly more … Read more

Non-profit provider of drug and alcohol addiction services, Drug and Alcohol Treatment Services, Inc. (DATS), based in Scranton, PA, is facing multiple class action lawsuits because of a ransomware attack in October 2024. DATS discovered the unauthorized access to its computer system on October 6, 2024. Based on the forensic investigation, an unauthorized third party … Read more

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have updated an earlier published joint cybersecurity alert regarding the Play ransomware group, also called Playcrypt. Playcrypt appeared in June 2022 and has executed ransomware attacks on companies in various industries, such as HIPAA-compliant healthcare organizations and other critical infrastructure entities. … Read more

The Cyber Division of the Federal Bureau of Investigation (FBI) has released an alert to U.S. law firms regarding targeted attacks conducted by the Silent Ransom Group. From Spring 2023, the Silent Ransom group has been constantly targeting U.S. law offices, though it also executed attacks in several industries, such as healthcare. The Silent Ransom … Read more

Employee benefits administrator, Kelly & Associates Insurance Group, based in Sparks, Maryland, dba Kelly Benefits, has published edited figures on the number of people impacted by a cyberattack on December 2024. On April 9, 2025, Kelly Benefits at first reported the data breach as an event related to unauthorized access to the information of 32,234 … Read more

Netgain Technology has made the decision to resolve a consumer data breach lawsuit filed because of a ransomware attack and data breach in 2020. Netgain will create a $1.9 million settlement fund to pay class member claims. Netgain is a cloud hosting and managed IT service company based in Minnesota, and many of its clients … Read more

Masimo, a producer of patient monitoring devices, submitted a Form 8-K to the U.S. Securities and Exchange Commission (SEC) to notify investors concerning a cyberattack that has impacted its production facilities. Masimo stated some of its production facilities were running at under normal levels from the time of the attack, which is impacting the company’s … Read more

The court has given final approval of a $2.4 million settlement of a class action lawsuit against Somnia Inc. in association with a cyberattack and data breach in 2022. Somnia operates anesthesiology services at over 100 surgery centers throughout the country. In 2022, Somnia encountered a cyberattack that enabled hackers to access its system that … Read more

A malware campaign using ResolverRAT is targeting healthcare companies and pharmaceutical firms. ResolverRAT is a new stealthy remote access trojan that is being downloaded through phishing emails pretending to be notifications about copyright violations or other legalities that can cause a false impression of urgency. The phishing emails contain a web link that redirects the … Read more

DaVita had an 8K filing with the U.S. Securities and Exchange Commission (SEC) on April 14, 2025. Based on the information submitted, the kidney dialysis provider suffered a ransomware attack that led to the encryption of portions of its system. The attack happened on April 12, 2025 and affected a number of its operations. In … Read more

Microsoft has fixed a vulnerability identified in the Windows Common Log File System (CLFS). A threat actor known as Storm-2460 is actively exploiting the vulnerability using PipeMagic malware. The attacker uses the malware to exploit the vulnerability to alter privileges to spread the ransomware in the victim’s network. Windows CLFS is a recording system for … Read more

Spark DSO, LLC and CDHA Management, LLC, also known as Chord Specialty Dental Partners, recently informed the U.S. Department of Health and Human Services’ Office for Civil Rights about encountering a data breach where unauthorized access affected the protected health information (PHI) of up to 173,430 people. The dental service organization based in Tennessee offers … Read more

At the beginning of March 2025, Microsoft gave an update about its Cybersecurity for Rural Hospitals Program. This program is created to safeguard access to medical care for the 46 million people in rural communities by assisting rural hospitals to enhance cybersecurity. Patients from rural communities must travel twice as far as urban residents to … Read more

The Health Information Sharing and Analysis Center (Health-ISAC) and the American Hospital Association (AHA) released a joint advisory cautioning hospitals regarding a possible coordinated multi-city terrorist attack targeting hospitals in the upcoming weeks. On March 18, 2025, the AHA and Health-ISAC found a social media write-up regarding possible ISIS-K coordinated terrorist attacks on U.S. hospitals. … Read more

Ransomware attacks in 2024 had an upward pattern and will likely continue in 2025 as many more new victims were listed in ransomware groups’ data leak websites in January and February. Cybersecurity company Cyble recently reported that about 599 victims were added to data leak sites in February and 518 in January. Most of the … Read more

Harvard Pilgrim Health Care and Point32Health, its parent company, have decided to pay $16 million to settle claims associated with a ransomware attack in 2023 that impacted roughly 3 million individuals. In 2023, hackers accessed systems that contained 2,967,396 health plan members’ protected health information (PHI). After exfiltrating data, the hackers used ransomware to encrypt … Read more

Ransomware groups are attacking healthcare companies for financial profit, accessing networks, stealing information, then employing ransomware for file encryption. Cyber threat actors also attack healthcare systems and steal information via silent attacks, where breached healthcare companies aren’t extorted and hackers stay in their systems longer. Cybersecurity company Forescout researchers have discovered a new threat group … Read more

A 2 TB database containing around 1.6 million clinical trial data was compromised online and accessible to anyone without a password. Cybersecurity researcher Jeremiah Fowler discovered the database and reported that it consists of 1,674,218 records. The compromised records include survey results in PDF format that contain sensitive personal and medical data. The compromised information … Read more

Although ransomware continually presents a threat to enterprises, ransomware just accounts for about 9.5% of threats in general. Other threats include remote access trojans (13%), malware (17%), malicious scripts (22%), and infostealers (24%). RATs are also involved in over 75% of remote access cases. Huntress discovered greater exploitation of remote monitoring and management (RMM) assets … Read more

The California Department of Corrections and Rehabilitation (CDCR) decided to resolve a class action lawsuit associated with negligence for not preventing a data breach in 2022. The data breach happened in January 2022 after hackers accessed CDCR systems comprising the protected health information (PHI) and personally identifiable information (PII) of people imprisoned in the State … Read more

At the beginning of November 2023, Mulkay Cardiology Consultants based in New Jersey reported a ransomware attack that resulted in unauthorized access to around 79,582 individuals’ protected health information (PHI). Breach victims took legal action against Mulkay Cardiology Consultants which ended in a settlement to conclude the litigation. Based on forensic investigation, a threat actor … Read more

The law firm Wolf Haldenstein Adler Freeman & Herz LLP (Wolf Haldenstein) located in New York City encountered a data breach affecting the personal data and protected health information (PHI) of 3,445,537 people. The law firm submitted a breach notice not long ago to the Maine Attorney General. A few states post data breach reports … Read more

The nonprofit blood donation organization called OneBlood based in Florida suffered a ransomware attack that is impacting its capacity to supply blood to hospitals. OneBlood provides blood to about 250 hospitals located in Alabama, Georgia, North and South Carolina, and Florida. OneBlood reported on July 31, 2024 that a ransomware attack impacted its software program. … Read more

In 2024, OCR received 13 data breach reports that affected over 1 million healthcare records each. The biggest healthcare data breach impacted an approximated 100,000,000 million people. The total of exposed or compromised records of U.S. residents for those 13 data breaches is 146,463,977, which is about 42% of the U.S. population. Change Healthcare Data … Read more

The Conceptions Reproductive Associates of Colorado fertility clinic recently announced that it suffered a ransomware attack. The threat actor gained unauthorized access to its system and stole the data of about 80,000 present and past patients, including their associates. The fertility clinic detected the incident in the middle of April 2024 when it affected some … Read more

Daniel Christian Hulea, 30 years old, from Romania, was sentenced to 20 years imprisonment for executing ransomware attacks on healthcare companies and educational organizations during the pandemic. The man was an affiliate of the NetWalker ransomware-as-a-service (RaaS) operation. The U.S. Department of Justice reported in January 2021 that over $450,000 in cryptocurrency was seized during … Read more

Texas Tech University Health Sciences Center, the university’s academic health institution and med school, reported a theft involving a large volume of patient data during a September ransomware attack. The cyberattack targeted the systems used by UMC Health System, Texas Tech Physicians, and Texas Tech University Health Sciences Center in El Paso. The HHS’ Office … Read more

A 45-year-old hacker named Robert Purbeck was sentenced to 10 years in prison for attacking several U.S. healthcare companies, breaching their systems, stealing sensitive information, and trying to extort from them. Purbeck is an IT expert who previously worked for Ada County in Idaho. He hacked no less than 19 companies from 2017 to 2018 … Read more

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has charged Gulf Coast Pain Consultants, LLC with a $1.19 million civil monetary penalty for failing to block ex-employee members’ access to systems that contain electronic protected health information (ePHI) and for violating other HIPAA Security Rules. Pain management practice Gulf … Read more

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has audited the HHS Office for Civil Rights (OCR) to evaluate if OCR has accomplished its requirement to perform audits of HIPAA-covered entities to examine HIPAA compliance. A prior HHS-OIG audit was conducted in 2013 to investigate compliance with the Health Information … Read more

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) charged a Californian mental health center a $100,000 civil monetary penalty for not providing prompt access to a patient’s healthcare records. On March 18, 2020, a Rio Hondo Community Mental Health Center patient submitted a request for a copy of her medical … Read more

New York-based reproductive healthcare provider, Planned Parenthood of Montana, has given additional information about the RansomHub ransomware attack that was initially reported at the beginning of September. During the initial security breach report, the investigation just started and it was not confirmed if the attacker stole any patient information. Now, there is confirmation from Planned … Read more

Multiple class-action lawsuits had been filed against Gryphon Healthcare based in Houston, TX, a revenue cycle management and medical billing solutions provider to healthcare companies. The lawsuits are associated with a data breach in August 2024 involving unauthorized access to almost 400,000 individuals’ protected health information (PHI). The breached data contained names, contact data, Social … Read more

In late October, the National Institute for Standards and Technology (NIST) and the Department of Health and Human Services (HHS)hosted a conference called “Safeguarding Health Information: Building Assurance Through HIPAA Security 2024”. Participants received information about the present state of cybersecurity in healthcare and the role of the HIPAA Security Rule in helping HIPAA-covered entities … Read more

Multi-specialty pediatric group Boston Children’s Health Physicians (BCHP) based in Valhalla, NY provides services to newborns and children in New York and Connecticut. BCHP has reported that its IT vendor encountered a cyberattack. The IT vendor informed BCHP on September 6, 2024, that strange activity was noticed in the IT vendor’s network. On September 10, … Read more

Network of behavioral health facilities, AXIS Health System based in Colorado, has published a notification on its website about encountering a cyber incident. Not much information is provided about the nature of the attack except the initiation of incident response protocols. Investigation is ongoing to know the nature and extent of the breach. In case … Read more

Ponemon Institute conducted a new survey for Proofpoint, which revealed that almost all U.S. healthcare organizations faced a cyberattack in the past year. Of the 648 IT and IT Security experts surveyed, 92% reported at least one cyberattack in the last 12 months, compared to 88% of survey respondents in 2023. The report found that … Read more

A new update to the National Institute of Standards and Technology (NIST) password security guidelines now recommends longer passwords over the previous focus on using a mix of uppercase and lowercase letters, numbers, and special characters. While using multiple character types makes the password more complex, it often results in predictable patterns, which weakens security. … Read more

Because of a massive data breach, Change Healthcare is facing dozens of lawsuits filed by plaintiffs across multiple districts. The cyberattack in question resulted in the theft of 6 TB of sensitive data, including personal and protected health information (PHI) of millions of individuals throughout the United States. The lawsuits allege that Change Healthcare failed … Read more

Texas Attorney General Ken Paxton has initiated a lawsuit against the Department of Health and Human Services (HHS), its Secretary Xavier Becerra, and Director Melanie Fontes Rainer of the Office for Civil Rights (OCR). The lawsuit challenges the long-standing HIPAA Privacy Rule and the 2024 HHS final rule concerning reproductive healthcare privacy. Paxton contends that … Read more

Lehigh Valley Health Network (LVHN) agreed to pay $65 million to settle a class action lawsuit over a data breach in 2023. This settlement of a HIPAA violation will compensate plaintiffs whose sensitive data, including nude photos, was stolen and later posted on the dark web. The breach, caused by a Blackcat ransomware attack, exposed … Read more

The Ransom Hub ransomware group continues to target the healthcare sector, with its latest victim being Planned Parenthood, a reproductive healthcare provider based in New York. The group added Planned Parenthood to its data leak site, claiming responsibility for stealing 93 GB of sensitive information. CEO Martha Fuller of Planned Parenthood of Montana reported the … Read more

An Iranian hacking group, known as Pioneer Kitten (also referred to as Fox Kitten, Rubidium, Parisite, and Lemon Sandstorm), has been working together with ransomware groups to exploit and extort businesses across various sectors, including defense, finance, education, and healthcare. Active since 2017, Pioneer Kitten is assumed to operate under the auspices of the Iranian … Read more

McLaren Health Care has updated the status of a recent cyberattack, confirming the use of ransomware to encrypt files in its network. The attack has disrupted the IT systems at 13 of its hospitals, including the Karmanos surgery centers, cancer centers, and clinics. Although the attack has been contained, system access is still limited, and … Read more

The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released an alert concerning the BlackSuit ransomware group, which they have identified as a rebranded version of the Royal ransomware. This group has been behind numerous attacks on healthcare companies. The FBI and CISA initially alerted about the Royal … Read more

United of Omaha Life Insurance Company located in Nebraska submitted a phishing attack report that indicated the compromise of the protected health information (PHI) of 107,894 people. The insurer discovered the breach on April 23, 2024 after identifying suspicious activity in an employee’s email account. United of Omaha noticed that a third party accessed the … Read more

The healthcare provider, Aveanna Healthcare, based in Georgia recently reported the unauthorized access of the email accounts of 11 personnel by a third party, who acquired access to 10,482 patients’ protected health information (PHI). This is Aveanna Healthcare’s second email breach report this year. On March 15, 2024, Aveanna Healthcare submitted to the HHS’ Office … Read more

The software company, MCG Health, based in Seattle, WA offered to pay $8.8 million to resolve a class action lawsuit associated with a data breach in February 2020 that affected the protected health information (PHI) of 793,283 individuals. Two years after the data breach, on March 25, 2022, MCG Health discovered that a threat actor … Read more

UnitedHealth Group (UHG) has given an update about the response costs associated with the February 2024 ransomware attack involving Change Healthcare. The overall response cost is forecasted to be $2.3 billion to $2.45 billion this 2024, over $1 billion more than the figure reported earlier. UHG already paid more or less $2 billion handling the … Read more

DaVita has discovered that tracking tools used on its web pages and mobile app might have transmitted user information to third-party providers. On July 2, 2024, kidney dialysis service provider DaVita Inc. based in Denver, CO informed 67,443 patients concerning a pixel-related data breach. With the 2,800+ outpatient dialysis centers in the U.S., DaVita serves … Read more

HIPAA does not apply to entities or individuals that do not meet the definition of a covered entity (such as healthcare providers, health plans, and healthcare clearinghouses) or a business associate handling protected health information (PHI) on behalf of a covered entity, which includes employers, life insurers, schools, and certain technology platforms when they do … Read more