Compliance and Regulations
Stay up to date on changes to data protection regulations and the evolution of industry compliance standards. Learn about HIPAA, GDPR and data protection laws, compliance requirements specific to your industry, and stay up to date on legal developments affecting security practices. Stay informed on notable data breaches and related security incidents.
Mt. Baker Imaging Settles Data Breach Litigation for $3.3M
A $3.3 million class action settlement resolves litigation arising from a ransomware incident that occurred in January 2025 involving Mt. Baker Imaging and Northwest Radiologists, following unauthorized access that exposed the protected health information (PHI) … Read more
Delta Home Health Care Owner Convicted in Medicare Fraud and Illegal Kickback Scheme
Ruby Scott, owner and operator of Delta Home Health Care LLC in Michigan, was convicted by a federal jury on charges related to healthcare fraud and illegal healthcare kickbacks connected to a scheme that caused … Read more
Exposed DICOM Servers Increase Risk of PHI Theft and Ransomware Attacks
Healthcare organizations are exposing patient data through improperly secured DICOM servers that are accessible through the public internet, according to a Trend Micro TrendAI analysis that identified thousands of exposed servers across more than 100 … Read more
OPM Health Data Collection Proposal Raises HIPAA Compliance and Privacy Concerns
The Office of Personnel Management proposal to collect claims-level health insurance data for federal employees and retirees has generated sustained criticism due to privacy risks, potential violations of the HIPAA Privacy Rule, and concerns about … Read more
Concord Orthopaedics Settles Class Action Data Breach Lawsuit
Concord Orthopaedics Professional Association has agreed to a settlement to resolve consolidated class action litigation arising from a November 2024 cybersecurity incident that involved unauthorized access to the personal and protected health information (PHI) of … Read more
CISA Recommends Strict Administrative Controls of Microsoft Intune
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance instructing U.S. organizations to strengthen administrative controls in Microsoft Intune following a cyberattack on Stryker Corporation that involved data exfiltration and substantial data deletion. … Read more
Rebound Orthopedics & Neurosurgery Settles Data Breach Lawsuit For $2.5 Million
Orthopedic and neurosurgery practice, Rebound Orthopedics & Neurosurgery P.C. based in Vancouver, WA, agreed to a $2,500,000 settlement in a class action lawsuit over a February 2024 data breach that exposed the protected health information … Read more
Capital Health Pays $4.5M to Settle Data Breach Lawsuit
Capital Health agreed to pay $4.5 million to resolve the class action lawsuit over a 2023 data breach that exposed patient data and other personal information. Data Breach Incident Capital Health experienced unauthorized access to … Read more
Comstar to Settle Alleged HIPAA Violations for $515,000
The Massachusetts Attorney General is investigating Comstar, an ambulance billing and collections company in Massachusetts, which was determined to have failed to comply with the Massachusetts Data Security Regulations and the Health Insurance Portability and Accountability … Read more
List of Healthcare Providers Affected by TriZetto Provider Solutions Data Breach
TriZetto Provider Solutions, owned by Cognizant, which provides hospitals, doctors, and health systems with revenue management services, has begun informing some healthcare clients regarding a recently discovered cybersecurity breach. On October 2, 2025, TriZetto Provider … Read more
Can Your Cybersecurity Training Qualify You for HIPAA Safe Harbor Protection?
Your HIPAA Safe Harbor protection is only as strong as your ability to prove through documentation and consistent practice that your organization has implemented recognized security practices for at least 12 months, and cybersecurity training … Read more
Richmond Behavioral Health Authority Data Breach Impacts 113,232 Individuals
Richmond Behavioral Health Authority (RBHA) offers substance abuse and prevention and mental health services in Richmond, Virginia. This HIPAA-covered entity recently encountered a data incident that resulted in the compromise of up to 113,232 individuals’ … Read more
Better Protect Patient Data By Understanding the Risk Environment
Part 1 of the 2025 American Hospital Association (AHA) review of healthcare cybersecurity revealed that from January to October 3, 2025, there were 364 hacking incidents that resulted in the compromise of the health records … Read more
Neuromusculoskeletal Center of The Cascades Settles Class Action Lawsuit
HIPAA-covered entity Neuromusculoskeletal Center of The Cascades, PC, and Cascade Surgicenter LLC in Oregon decided to resolve a class action lawsuit resulting from a data breach in October 2023. Employee email accounts were accessed by … Read more
Greater Cincinnati Behavioral Health Services Settles Data Breach Litigation for $850K
HIPAA-covered entity Greater Cincinnati Behavioral Health Services (GCBHS) decided to pay approximately $850,000 to settle all claims associated with a ransomware attack in December 2023 involving unauthorized access to patient and worker data. On December … Read more
Skagit Regional Health Resolves Data Breach Lawsuit Involving Use of Tracking Technologies
Skagit County Public Hospital District No. 1, also called Skagit Regional Health, which operates Skagit Regional Hospital in Mount Vernon, Washington, agreed to settle class action litigation prompted by its installation of Meta Pixel and … Read more
Verily Faces Lawsuit Over Alleged HIPAA Violations
Verily, owned by Alphabet, is facing a lawsuit filed by an ex-employee who alleges the misuse of the personally identifiable health information of over 25,000 patients, and the failure of the company to submit HIPAA … Read more
163,000 Wayne Memorial Hospital Patients Affected by May 2024 Ransomware Attack
Wayne Memorial Hospital patients received notification recently about a ransomware group that stole their protected health information (PHI) fifteen months ago. The 84-bed rural hospital located in Jessup, Georgia, sent personal notifications to the 163,400 … Read more
Court Approves $40 Million Data Breach Settlement by Cencora & The Lash Group
Cencora & The Lash Group decided to create a $40 million fund to resolve class action litigation over a data breach in February 2024 that affected approximately 1.43 million people. Cencora, Inc., formerly known as … Read more
Syracuse ASC Pays $250K to Resolve Violations of HIPAA Risk Analysis and Breach Notification Law
Director Paula M. Stannard of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the 18th HIPAA penalty for 2025. Ambulatory surgery center in Liverpool, New York, Syracuse ASC dba … Read more
Northbay Healthcare Pays $3.6 Million to Resolve Data Breach Lawsuit
Northbay Healthcare Corporation agreed to a settlement to resolve a class action lawsuit associated with a 2024 cyberattack and data breach that impacted approximately 570,000 people. Northbay Healthcare discovered suspicious activity inside its computer system … Read more
20 States Sue HHS and DHS for Alleged Illegal Disclosure of Medicaid Data
An alliance of 20 state Attorneys General is filing a lawsuit against the Department of Homeland Security (DHS), DHS Secretary Kristi Noem, the Department of Health and Human Services (HHS), and HHS Secretary Robert F. … Read more
MNGI Digestive Health Resolves Data Breach Lawsuit for $2.8 Million
MNGI Digestive Health consented to resolve a class action lawsuit associated with its negligence for not securing sensitive patient data. The lawsuit is a result of a ransomware attack on the Minnesota gastroenterology practice by … Read more
Class Action Lawsuits Filed Over HealthEC Data Breach
HealthEC LLC faced multiple class action lawsuits because of a data breach that affected about 4.5 million people. Hackers acquired access to the population health management system of HealthEC from July 14 to July 23, … Read more
WellNow Urgent Care Agreed to Settle Data Breach Litigation for $4.4 Million
WellNow Urgent Care (earlier known as Five Star Urgent Care), a community of walk-in urgent care centers in Illinois, New York, Ohio, and Michigan, has decided to pay $4.4 million to resolve a class action … Read more
ELENOR-Corp Ransomware Group Attacks the Healthcare Sector with Mimic Ransomware Variant
According to the cybersecurity company Morphisec, a new ransomware group known as ELENOR-corp is targeting the healthcare sector. Researchers confirmed that ELENOR-corp is utilizing version 7.5 of Mimic ransomware, a ransomware strain first discovered in … Read more
UnitedHealth Implements Aggressive Tactics on Ransomware Attack Loan Recovery
UnitedHealth Group has taken a confrontational approach to retrieve outstanding balances on loans released to HIPAA-covered healthcare companies impacted by the Change Healthcare ransomware attack in February 2024. The attack resulted in an extended outage … Read more
MATCH IT Act of 2025 Aims to Address Patient Misidentification
The Health Insurance Portability and Accountability Act of 1996 required the creation of a national patient identifier – a unique ID for all U.S. citizens that would reliably link medical records to the correct persons. … Read more
Is It a HIPAA Violation to Say Someone is Your Patient?
Whether it is a HIPAA violation to say someone is your patient is an event-specific determination that depends on factors such as who is speaking, who they are speaking to, and the context of the … Read more
Fred Hutchinson Cancer Center Pays $11.5M to Settle a Class Action Data Breach Lawsuit
The University of Washington and Fred Hutchinson Cancer Center have decided to settle a proposed class action data breach lawsuit for $11,500,000 and set aside $13,500,000 to enhance cybersecurity. The lawsuit is a result of … Read more
Rhode Island HIE Faces Lawsuit for Alleged HIE Data Impermissible Disclosure
Ex-HIPAA officer Darlene Morris filed a lawsuit against the Rhode Island Quality Institute (RIQI) for allegedly being fired from work for exposing its impermissible disclosures of HIE information. As a state government contractor of Rhode … Read more
Morrison Community Hospital Settles Ransomware Lawsuit for $675K
Critical access hospital Morrison Community Hospital in Illinois has decided to settle a lawsuit for $675,000. The lawsuit was associated with a ransomware attack and data breach in 2023. The BlackCat/ALPHV ransomware group behind the … Read more
Memorial Healthcare System to Pay $60,000 to Settle Alleged HIPAA Right of Access Violation
Florida health system South Broward Hospital District, also known as Memorial Healthcare System, has consented to resolve an alleged HIPAA Right of Access violation determined by the U.S. Department of Health and Human Services’ Office … Read more
Virtual Private Network Solutions Pays $90,000 to Resolve HIPAA Investigation
The HHS’ Office for Civil Rights (OCR) has reported reaching a settlement that ended the investigation of a ransomware attack. Because Virtual Private Network Solutions failed to perform a HIPAA-compliant risk analysis, it will pay … Read more
HIPAA Privacy Rule: New Requirements for Reproductive Healthcare Entities
In April 2024, the HHS Office for Civil Rights (OCR) released the HIPAA Privacy Rule to assist the Reproductive Healthcare Privacy Final Rule. The new rule became effective on June 23, 2024, but the last … Read more
How Often Do You Have To Do HIPAA Training?
How often you have to do HIPAA training depends on factors such as material changes to HIPAA policies and procedures, the frequency of security awareness training, the outcomes of risk analyses and evaluations, and employers’ … Read more
HIPAA Security Awareness Training
HIPAA security awareness training should have the objective of showing members of the workforce why it is important to protect the confidentiality, integrity, and availability of individually identifiable health information as well as explaining cybersecurity … Read more
OMB’s Review of the Proposed Change to the HIPAA Security Rule
In December 2023, the Department of Health and Human Services (HHS) published its cybersecurity strategy for the healthcare sector, detailing a list of actions to be implemented to improve cybersecurity across the healthcare industry, including … Read more
UMC Health’s EHR System is Back After Ransomware Attack
UMC Health System based in Lubbock, Texas reported the progress of its recovery from the ransomware attack in September. The ransomware attack impacted several systems, including the systems used by Texas Tech Physicians and Texas … Read more
Choosing the Right HIPAA Compliance Software
HIPAA compliance software helps a covered entity deal with the issues of HIPAA by streamlining and automating compliance and undertaking comprehensive risk management processes. Smaller organizations that have less than 100 employees assign the responsibility … Read more
Crossing Borders: International Data Transfers
The European Court of Justice’s July 16th 2020 Schrems II judgment had major implications for the use of US cloud services. Since that case, every US cloud service provider has been obliged to verify the … Read more
Minimum Cybersecurity Standards Proposed in Healthcare Bill
A new bill known as the “Health Infrastructure Security and Accountability Act of 2024,” has been introduced to the U.S. Senate to strengthen cybersecurity standards for healthcare information systems. This legislative proposal aims to implement … Read more
New Bill Tackles Chinese Cyber Threats to US Infrastructure
The U.S. House Homeland Security Committee has introduced new legislation aimed at strengthening the nation’s cybersecurity defences against threats from China. This bill establishes an interagency task force to assess the risks by state-sponsored cyber … Read more
Why Cyberattackers Target Third-Party Vendors
Recent big data breaches that affected third-party vendors like Change Healthcare targeted critical security risk management issues for business associates and vendors. These breaches have proven the necessity of security measures and comprehensive monitoring of … Read more
OSHA’s New Online Database of Reported Severe Workplace Injuries
The Department of Labor’s Occupational Safety and Health Administration (OSHA) has introduced a new online dashboard designed to simplify searching its severe injury report database and tracking workplace injury trends in states under federal OSHA … Read more
HIPAA Compliance on Resume
Including HIPAA compliance on a resume is important for candidates in healthcare, IT, administration, and other fields handling sensitive health information. Including this skill emphasizes an understanding of patient privacy and data protection standards, making … Read more
57% More Active Ransomware Groups in H1 2024
Searchlight Cyber reported a 57% increase in the number of active ransomware groups. In H1 of 2023, 46 active ransomware groups were identified from posts on dark web data leak sites compared to 72 active … Read more
Atlantic General Hospital Pays $2.25 Million to Resolve Data Breach Lawsuit
Atlantic General Hospital in Berlin, MD, has proposed a $2.24 million settlement to resolve a class action lawsuit associated with a ransomware attack in 2023. The settlement proposal was given preliminary approval by the court. … Read more
Data Security: Business Advantage Rather Than Regulatory Burden
What comes to mind first when the words ‘data security’ are mentioned to most workers? Chances are, it is thoughts of things like frequent password changes, oversensitive spam folders, the inability to make personal calls … Read more
EPA Urged to Develop a Strategy to Address Cybersecurity Risks in Water Sector
The U.S. water and wastewater systems are dealing with an increasingly serious threat from cyberattacks, which could have lasting consequences for public health and environmental safety. A report from the U.S. Government Accountability Office (GAO) … Read more



























































