HIPAA News

NorthBay Healthcare Corporation manages two hospitals, namely NorthBay VacaValley Hospital and NorthBay Medical Center, and several primary care areas in California. The healthcare system recently reported a data breach affecting the personal data and protected health information (PHI) of 569,012 individuals. According to the notification submitted to the Maine Attorney General, suspicious activity was discovered … Read more

On January 8, 2025, OCR announced a $337,750 settlement that Florida business associate, USR Holdings, LLC agreed to to resolve alleged multiple HIPAA Security Rule violations. USR Holdings owns and operates primary mental health and substance abuse treatment centers in Florida, Kentucky, and Maryland. As a HIPAA business associate, its Port St. Lucie base offers … Read more

New York healthcare company HealthAlliance encountered a breach of the personal data and protected health information (PHI) of 242,641 New York residents. It was instructed to pay a $550,000 financial penalty and take the appropriate steps to reinforce its data security techniques. The healthcare provider serves patients in Delaware and Ulster counties in New York … Read more

Behavioral healthcare provider Cummins Behavioral Health located in Central and Western Indiana, consented to pay $2.1 million to settle a class action lawsuit filed by people impacted by a data breach in 2023. On March 9, 2023, a threat actor left a ransom note for Cummins Behavioral Health stating that it infiltrated its network and … Read more

Harvard Pilgrim Health Care sent an updated report to the Maine Attorney General regarding the number of affected individuals by its April 2023 ransomware attack. There were 106,601 more individuals affected, bringing the total to 2,967,396. The investigation into the breach is still in progress, and the number of impacted individuals may increase further. The … Read more

Specialty Networks, Inc. based in Chattanooga, TN recently reported a data breach impacting the protected health information (PHI) of 411,037 present and former patients. Specialty Networks provides healthcare facilities with radiology information systems and business management solutions. The company specializes in Picture Archiving and Communication Systems (PACS), a medical imaging technology that facilitates medical image … Read more

Advanced Computer Software Group, an IT and software services company in England, is facing a £6.09 million ($7.74 million) financial penalty because of a ransomware attack in August 2022 that caused problems to healthcare and social care organizations in the United Kingdom. The Information Commissioners Office (ICO), the UK’s data watchdog, looked into the attack … Read more

Over 100 provider groups, including the American Health Information Management Association (AHIMA), College of Healthcare Information Management Executives (CHIME), and American Medical Association (AMA), wrote to HHS Secretary Xavier Becerra and OCR Director Melanie Fontes Rainer to clarify the requirements of HIPAA breach reporting about the Change Healthcare ransomware attack and the way those requirements … Read more

Winter Haven Hospital Patients’ Data Impermissibly Disclosed BayCare’s Winter Haven Hospital based in Florida is notifying patients concerning an email incident that impermissibly disclosed patient information. On March 15, 2024, a worker made an error while sending forms to a patient by attaching a cardiac rehabilitation department file by mistake to the email that included … Read more

OrthoConnecticut Data Breach OrthoConnecticut has announced that the protected health information (PHI) of about 118,000 patients was exposed in an attack. OrthoConnecticut is a multi-specialty orthopedic company located in Danbury, CT that has 9 centers in the area. It recently discovered unauthorized access to its system and upon inquiry by the forensic group, the unauthorized … Read more

13,000 Patients Affected by the Wisconsin Dental Surgery Center Email Breach Bay Oral Surgery & Implant Center (Bay Oral), a network of oral & maxillofacial dental surgery centers established in the Green Bay, Niagara and Marinette communities in Wisconsin, recently sent a data breach report to the HHS’ Office for Civil Rights (OCR) indicating that … Read more

Valley Mountain Regional Center Data Breach On April 19, 2024, Valley Mountain Regional Center based in California reported a data security breach discovered on August 1, 2023. Strange activity was observed inside its system and quick steps were undertaken to protect its systems. The forensic investigation affirmed that unauthorized individuals got access to its system … Read more

The Federal Trade Commission (FTC) has issued a $7.1 million penalty to the mental health startup company Cerebral for consumer privacy violations and deceitful trading tactics. The $7.1 million financial fine settles claims that the mental health telehealth firm and its ex-CEO, Kyle Robertson, committed violations of the privacy of consumers by impermissibly sharing their … Read more

About 60,000 People Impacted by the Ezras Choilim Health Center Cyberattack Ezras Choilim Health Center based in Monroe, NY recently submitted a breach report to the HHS’ Office for Civil Rights indicating that 59,861 individuals’ protected health information (PHI) were affected. The strange activity was noticed inside its system on September 18, 2023. The forensic … Read more

Aveanna Healthcare Encounters a Breach of Email Account Home health and hospice care provider, Aveanna Healthcare located in Atlanta, GA, reported a security breach of its email network and a compromise of the information of 65,482 individuals. The healthcare provider discovered suspicious activity in a worker’s email account on September 22, 2023. The email account … Read more

On March 12, officials and leaders from the White House, UnitedHealth Group, Department of Health and Human Services, and other industry groups got together to discuss the impact of a cyberattack on UnitedHealth Group’s Change Healthcare. This cyberattack caused problems for healthcare services for the last three weeks. They also discussed ways to help patients … Read more

The Department of Health and Human Services’ Office for Civil Rights (OCR) has published upgraded guidance for organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) regarding online tracking technologies. The current guidance is meant to give increased understanding for HIPAA-governed entities on using these technologies. OCR has revised its position on the … Read more

New Guidance on Using Zero Trust to Control Lateral Movement The National Security Agency (NSA) has given guidance on using zero trust security to control lateral movement inside a network in case a threat actor breaks into the firm’s defenses. It was noticed numerous times in the previous year that threat actors have obtained first … Read more

177,000 Patients Affected by Northeast Orthopedics and Sports Medicine Breach Northeast Orthopedics and Sports Medicine based in Nanuet, NY recently reported a cyberattack that impacted 177,276 people and compromised the protected health information (PHI) of 177,101 individuals. Abnormal activity was found in its system on November 22, 2023. The investigation by third-party forensics experts confirmed … Read more

Feds Warns Healthcare Sector Regarding ALPHV/Blackcat Ransomware Group A joint cybersecurity notification was released by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation (FBI) about identified Indicators of Compromise (IoCs) and the newest Tactic, Techniques, and Procedures (TTPs) employed by the ALPHV/Blackcat … Read more

Vulnerabilities discovered in the remote desktop program ConnectWise ScreenConnect are being taken advantage of to have an assortment of various malicious payloads into company environments. ConnectWise first announced the vulnerabilities on February 13, 2024. Then, attacks aimed at the vulnerabilities began one day after the launch of patches. One vulnerability, CVE-2024-1709, is an authentication bypass … Read more

California Attorney General Rob Bonta has declared that a $5 million settlement with Quest Diagnostics has been reached to fix allegations that it is unlawfully dumping hazardous and medical waste materials and disposed of the unredacted personal health information of patients in typical trash dumps. An investigation of the business protocols of Quest Diagnostics was … Read more

Ransomware Attack at Prestige Care Senior care organization Prestige Care, Inc. located in Vancouver, WA recently informed 38,087 individuals about the potential access or theft of some of their personal data and protected health information (PHI) in a ransomware attack that occurred on September 2023. The attack was discovered on September 7, 2023, and the … Read more

Ransom Payments Surpassed $1 Billion in 2023 Chainalysis’ new report showed ransomware attack victims paid $1.1 billion to attackers in 2023 to retrieve the keys to unlock their information and to stop the exposure of stolen data. For the first time in 2023, ransom payments were over $1bn and the yearly total jumped from $567 … Read more

The most recent information from the ransomware remediation company, Coveware, reveals a decline in the number of ransomware attack victims who opt to pay the ransom. At the beginning of 2019, 85% of ransomware attack victims gave ransom payments after an attack. In mid-2021, only 46% percentage paid the ransom. In Q4 of 2023, merely … Read more

Hospital IT Help Desks Attacked in Advanced Payment Fraud Scam American Hospital Association (AHA) reports that cybercriminals are targeting U.S. hospitals in a sophisticated payment fraud scam. The AHA has obtained several reports of scammers calling hospital IT departments to carry out password resets and register new devices to get multifactor authentication (MFA) codes. When … Read more

61,000 ConsensioHealth Patients Affected by Ransomware Attack Medical billing service, ConsensioHealth, based in Wisconsin recently informed 60,871 persons regarding a ransomware attack in July 2023. The attack was detected on July 3, 2023, when employees could not access files on its system. Steps were quickly undertaken to stop the unauthorized access. Third-party cybersecurity professionals helped … Read more

Parathon by JDA eHealth Systems Reports a Cyberattack A revenue cycle management firm, Parathon by JDA eHealth Systems located in Naperville, Illinois, recently sent a notification to the state attorneys general that it encountered a cyberattack last July 27, 2023. In December 22, 2023, it notified the Montana Attorney General that unauthorized persons got access … Read more

Threat Actors Contact Integris Health Patients After Cyberattack Integris Health, the biggest not-for-profit health system owned by Oklahoma, has reported the compromise of its internal systems in a cyberattack. The unauthorized third party acquired patient information during the attack. Integris Health manages 15 hospitals in the state and some specialty clinics, centers of excellence, and … Read more

The following companies have reported data breaches in December 2023: Cardiothoracic and Vascular Surgeons, Erie Family Health Centers, ZOLL Medical Corporation, Health Diagnostic Management, Rush System for Health, and BlueCross BlueShield of Tennesse. Cyberattack on Cardiothoracic and Vascular Surgeons Cardiothoracic and Vascular Surgeons based in Texas learned on October 13, 2023 that an unauthorized individual … Read more