John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years' experience.
Critical Vulnerabilities Found in Santesoft Sante PACS Server

Santesoft discovered five vulnerabilities in the medical image archiving and communication system of its Sante PACS Server, including a critical vulnerability that allows the interception of user credentials. The vulnerabilities impact all Sante PACS Server versions …

113,500 Individuals Affected by Highlands Oncology Group Ransomware Attack

Highlands Oncology Group, a provider of complete cancer care in six areas in Northwest Arkansas, recently announced a cyberattack that was initially discovered on June 2, 2025. A hacker accessed the Group’s system on January 21, 2025, and stayed in …

Bone & Joint Clinic Pays $575,000 to Resolve Class Action Lawsuit

Bone & Joint Clinic S.C. decided to resolve a class action lawsuit by paying $575,000. The lawsuit is associated with a security breach in January 2023 that affected 105,094 patients and workers. HIPAA-covered entity, Bone & Joint in Northcentral …

Syracuse ASC Pays $250K to Resolve Violations of HIPAA Risk Analysis and Breach Notification Law

Director Paula M. Stannard of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the 18th HIPAA penalty for 2025. Ambulatory surgery center in Liverpool, New York, Syracuse ASC dba Specialty Surgery Center of Central …

Northbay Healthcare Pays $3.6 Million to Resolve Data Breach Lawsuit

Northbay Healthcare Corporation agreed to a settlement to resolve a class action lawsuit associated with a 2024 cyberattack and data breach that impacted approximately 570,000 people. Northbay Healthcare discovered suspicious activity inside its computer system on February 23, 2024. According …

GRIT Reports Drop in Q2 Ransomware Attacks

Ransomware attacks in Q2 of 2025 fell by 23% compared to the previous quarter, but were 43% higher than in the same period in 2024, with the drop only partly the result of typical seasonal changes. In quarter 2 of …

20 States Sue HHS and DHS for Alleged Illegal Disclosure of Medicaid Data

An alliance of 20 state Attorneys General is filing a lawsuit against the Department of Homeland Security (DHS), DHS Secretary Kristi Noem, the Department of Health and Human Services (HHS), and HHS Secretary Robert F. Kennedy Jr., because of the …

MNGI Digestive Health Resolves Data Breach Lawsuit for $2.8 Million

MNGI Digestive Health consented to resolve a class action lawsuit associated with its negligence for not securing sensitive patient data. The lawsuit is a result of a ransomware attack on the Minnesota gastroenterology practice by the ALPHV/Blackcat ransomware group in …

NIST’s New Guidance on Setting Up Zero Trust Frameworks

The National Institute of Standards and Technology (NIST) has released new guidance on enforcing zero trust architecture (ZTA) to aid companies in dealing with the difficulties of implementing this new cybersecurity strategy. Conventional security entails protecting a perimeter. Examples of …

Class Action Lawsuits Filed Over HealthEC Data Breach

HealthEC LLC faced multiple class action lawsuits because of a data breach that affected about 4.5 million people. Hackers acquired access to the population health management system of HealthEC from July 14 to July 23, 2024, and acquired the sensitive …

Northwell Health Ex-Employee Secretly Recorded Videos of Patients in Toilets

Sanjai Syamaprasad, 47 years old, from Brooklyn, NY is an ex-employee of the Northwell Health Sleep Disorders Center who was indicted by the Nassau County District Attorney’s Office. Allegedly, Syamaprasad set up a hidden camera in a bathroom’s fake smoke …

WellNow Urgent Care Agreed to Settle Data Breach Litigation for $4.4 Million

WellNow Urgent Care (earlier known as Five Star Urgent Care), a community of walk-in urgent care centers in Illinois, New York, Ohio, and Michigan, has decided to pay $4.4 million to resolve a class action lawsuit. The lawsuit is associated …

Rhode Island Announces the Results of RIBridges Hacking Investigation

The state of Rhode Island has published the results of the investigation conducted by cybersecurity company CrowdStrike regarding the hacking incident involving RIBridges, Rhode Island’s state benefit system. The Brain Cipher threat group was behind the attack that accessed 28 …

123% Increase in Ransomware Attacks in 2 Years with More Small Ransomware Groups Emerging

Black Kite’s new research has revealed the evolving ransomware environment. Last year, a notable shift was seen from big ransomware groups doing many attacks to an increasing number of smaller groups conducting the attacks. The report is according to information …

ELENOR-Corp Ransomware Group Attacks the Healthcare Sector with Mimic Ransomware Variant

According to the cybersecurity company Morphisec, a new ransomware group known as ELENOR-corp is targeting the healthcare sector. Researchers confirmed that ELENOR-corp is utilizing version 7.5 of Mimic ransomware, a ransomware strain first discovered in 2022. The new ransomware variant …

Multiple Lawsuits Filed Against Southeast Series of Lockton Companies Over 1M-Record Breach

Multiple lawsuits were filed against Southeast Series of Lockton Companies (Lockton) based in Kansas City, Missouri, because of a data breach report submitted to OCR. The initial report stated that 1,706 people were impacted, but a later report indicated that over …

UnitedHealth Implements Aggressive Tactics on Ransomware Attack Loan Recovery

UnitedHealth Group has taken a confrontational approach to retrieve outstanding balances on loans released to HIPAA-covered healthcare companies impacted by the Change Healthcare ransomware attack in February 2024. The attack resulted in an extended outage of Change Healthcare’s network, disrupting …

Saint Louis University to Pay $2 Million to Settle Data Breach Lawsuit

St. Louis University and SSM Health Saint Louis University Hospital (SSM-SLUH) agreed to settle a class action lawsuit involving a data breach in 2023. The terms of the settlement required a $2 million fund to pay for claims, attorneys’ service …

What is a HIPAA Security Incident?

A HIPAA security incident is defined by the HIPAA Security Rule as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” It is important to emphasize that …

Firmware Upgrade Required in Fortinet Products to Fix Critical FortiSwitch Vulnerability

Fortinet is telling FortiSwitch users to apply a firmware update immediately to correct a critical vulnerability that a remote attacker could exploit to alter admin passwords. Daniel Rozeboom of FortiSwitch’s web UI development group discovered vulnerability …

Email Account Breaches at Two Beacon Health System Business Associates

Beacon Health System, based in South Bend, Indiana, has reported two data breaches associated with two business associates. The non-profit health care system added two breach notices on its website. The incident at business associate CPS Solutions was posted on …

PHI Exposed Due to Orthodontic Practice Management Software Provider Data Breach

Orthodontic practice management software provider OrthoMinds, based in Alpharetta, Georgia, recently reported a security incident that occurred in November 2024, allowing unauthorized access to patients’ protected health information (PHI). According to forensic investigation, parts of its system were exposed to …

MATCH IT Act of 2025 aims to Address Patient Misidentification

The Health Insurance Portability and Accountability Act of 1996 required the creation of a national patient identifier – a unique ID for all U.S. citizens that would reliably link medical records to the correct persons. The mismatching of medical records …

Is It a HIPAA Violation to Say Someone is Your Patient?

Whether it is a HIPAA violation to say someone is your patient is an event-specific determination that depends on factors such as who is speaking, who they are speaking to, and the context of the conversation. It may also be …

86,000 Records in Healthcare Employees Database Compromised Online

A health technology firm in New Jersey encountered a breach of its database online, resulting in the exposure of sensitive data. Anyone could freely access the database with no need for authentication. The database associated with ESHYFT has no password …

Fred Hutchinson Cancer Center Pays $11.5M to Settle a Class Action Data Breach Lawsuit

The University of Washington and Fred Hutchinson Cancer Center have decided to settle a proposed class action data breach lawsuit for $11,500,000 and set aside $13,500,000 to enhance cybersecurity. The lawsuit is a result of a cyberattack and data breach …

BlackLock Ransomware Operation Increased Data Leaks by 1,425%

BlackLock is a new ransomware-as-a-service (RaaS) group that has increased attacks and might become 2025’s most prominent RaaS group. Based on ReliaQuest Threat Spotlight, the BlackLock group was initially noticed in March 2024 using the name El Dorado. It rebranded …

Healthcare Organizations Targeted in 41% of 2024 Third-Party Breaches

According to new research, the healthcare industry is the most impacted by third-party breaches. Monitoring by Black Kite, a cyber risk intelligence and risk management software company, showed that 41.2% of third-party breaches occur in the healthcare sector. Improving digital …

Rhode Island HIE Faces Lawsuit for Alleged HIE Data Impermissible Disclosure

Ex-HIPAA officer Darlene Morris filed a lawsuit against the Rhode Island Quality Institute (RIQI) for allegedly being fired from work for exposing its impermissible disclosures of HIE information. As a state government contractor of Rhode Island, RIQI managed the RI …

Survey Shows 88% of Companies in 2024 Encountered a Ransomware Attack

The Ponemon Institute conducted a survey recently on behalf of Illumio, a provider of a zero-trust segmentation platform. Based on the survey results, 88% of participant organizations had encountered at least one ransomware attack in the last 12 months. The …

Morrison Community Hospital Settles Ransomware Lawsuit for $675K

Critical access hospital Morrison Community Hospital in Illinois has decided to settle a lawsuit for $675,000. The lawsuit was associated with a ransomware attack and data breach in 2023. The BlackCat/ALPHV ransomware group behind the cyberattack on September 24, 2023, …

Memorial Healthcare System to Pay $60,000 to Settle Alleged HIPAA Right of Access Violation

Florida health system South Broward Hospital District, also known as Memorial Healthcare System, has consented to resolve an alleged HIPAA Right of Access violation determined by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). The …

Solara Medical Supplies Settles HIPAA Violations Paying $3M

The HHS’ Office for Civil Rights (OCR) has reported a settlement with Solara Medical Supplies, LLC to settle multiple HIPAA Rules violations. Solara Medical Supplies, LLC is a direct-to-patient supplier of medical products and a subsidiary of AdaptHealth. It is …

Virtual Private Network Solutions Pays $90,000 to Resolve HIPAA Investigation

The HHS’ Office for Civil Rights (OCR) has reported reaching a settlement that ended the investigation of a ransomware attack. Because Virtual Private Network Solutions failed to perform a HIPAA-compliant risk analysis, it will pay OCR a $90,000 financial penalty. …

50% of Rhode Island Residents Potentially Affected by a Ransomware Attack

The cyberattack that compelled the deactivation of Rhode Island’s public benefits system (RI Bridges) has possibly compromised the personal information of over 50% of Rhode Island’s population, around 650,000 people, as reported by state Governor Daniel McKee. McKee stated there …

HIPAA Privacy Rule: New Requirements for Reproductive Healthcare Entities

In April 2024, the HHS Office for Civil Rights (OCR) released the HIPAA Privacy Rule to assist the Reproductive Healthcare Privacy Final Rule. The new rule became effective on June 23, 2024, but the last day of compliance for everything …

43,000 UT Southwestern Medical Center Patients Impacted by Data Breach

UT Southwestern Medical Center (UTSW) in Texas submitted a breach report to the HHS’ Office for Civil Rights (OCR) involving an email-linked unauthorized access/disclosure incident that affected the protected health information (PHI) of about 43,048 patients. As per the substitute …

Kaye-Smith Pays $2 Million to Resolve Class Action Data Breach Lawsuit

The marketing firm and mailing vendor, Kaye-Smith Enterprises, opted to settle a class action lawsuit associated with a cyberattack and data security breach in 2022. Hackers acquired access to its network, deployed ransomware for file encryption, and possibly stole sensitive …

GoodRx to Pay $25 Million to Settle Tracking Technology Lawsuit

Telemedicine platform company and drug discounter GoodRx will pay $25 million to settle a consolidated class action lawsuit. When users became aware that GoodRx used website tracking tools on its platform and shared website visitor information with third parties like …

Truepill Pays $7.5 Million To Settle Data Breach Lawsuit

Postmeds Inc., dba Truepill, an online pharmacy, has agreed to negotiate a class action lawsuit it faced due to a 2023 data breach that impacted 2,364,359 people. U.S. District Court Judge Haywood S. Gilliam gave preliminary approval of the plaintiffs’ …

Cyber Incident Response Playbook Now Available to Help Manufacturers of Medical Products

The Healthcare Sector Coordinating Council (HSCC) has published a Medical Product Manufacturer Cyber Incident Playbook (MPM CIRP). This comprehensive guide is designed to help medical product manufacturers prepare for and respond effectively to cyber incidents affecting their operations. It provides …

US Healthcare Organizations Targeted by New Interlock Ransomware Group

Cisco Talos Incident Response reported that a new ransomware group has been targeting the healthcare sector and has been active since September 2024. Interlock ransomware is a threat group that claims to conduct attacks for financial gain and to show …

OMB’s Review of the Proposed Change to the HIPAA Security Rule

In December 2023, the Department of Health and Human Services (HHS) published its cybersecurity strategy for the healthcare sector, detailing a list of actions to be implemented to improve cybersecurity across the healthcare industry, including voluntary performance targets. These voluntary …

UMC Health’s EHR System is Back After Ransomware Attack

UMC Health System based in Lubbock, Texas reported the progress of its recovery from the ransomware attack in September. The ransomware attack impacted several systems, including the systems used by Texas Tech Physicians and Texas Tech University Health Sciences Center. …

CISA Issues Alert to F5 BIG-IP Users on Unencrypted Cookie Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised concerns for F5 BIG-IP users, warning that malicious actors are exploiting unencrypted cookies to gain information about internal network servers, potentially leading to targeted attacks on vulnerable systems. F5 BIG-IP …

Choosing the Right HIPAA Compliance Software

HIPAA compliance software helps a covered entity deal with the issues of HIPAA by streamlining and automating compliance and undertaking comprehensive risk management processes. Smaller organizations that have fewer than 100 employees assign the responsibility for HIPAA compliance to an …

Observing National Cybersecurity Awareness Month in 2024

National Cybersecurity Awareness Month is a month-long event held in October aimed at promoting cybersecurity and sharing best practices to help individuals and organizations protect themselves online. The theme in 2024 is “Secure Our World.” The awareness campaign will be …

Impact of the Ransomware Attack on Ascension’s Financial Recovery

Healthcare system Ascension based in St. Louis, MO encountered a ransomware attack in May 2024 that considerably impacted the company, both operationally and financially. Because of the attack, Ascension diverted ambulances, closed pharmacies, took down critical IT systems, and used …

Why Cyberattackers Target Third-Party Vendors

Recent big data breaches that affected third-party vendors like Change Healthcare targeted critical security risk management issues for business associates and vendors. These breaches have proven the necessity of security measures and comprehensive monitoring of third-party vendors, specifically in the …

OSHA’s New Online Database of Reported Severe Workplace Injuries

The Department of Labor’s Occupational Safety and Health Administration (OSHA) has introduced a new online dashboard designed to simplify searching its severe injury report database and tracking workplace injury trends in states under federal OSHA jurisdiction. Beginning January 1, 2015, …