calHIPAA: News and Advice about HIPAA Compliance

Healthcare Data Breach Report for April 2025

May 24, 2025

April’s report of healthcare data breaches increased by 17.9% month-over-month, with 66 data breach reports involving 500 and up records submitted to the HHS’ Office for Civil Rights (OCR). This figure is higher than the [...]
Robeson Health Care Corp. to Pay $750K to Settle Data Breach Lawsuit

May 17, 2025

Integrated health system Robeson Health Care Corporation, based in Pembroke, North Carolina, has decided to resolve a class action lawsuit prompted by a cyberattack in February 2023. Allegedly, hackers breached the provider’s network, compromising the [...]
Healthcare Data Breach Report in March 2025

May 10, 2025

According to breach reports submitted to the HHS’ Office for Civil Rights (OCR), healthcare data breaches is beginning to decrease. 2024 saw an average of 61 big healthcare data breaches per month. In the last [...]
How to Address HIPAA Penalties in Employee Training?

May 9, 2025

Incorporating HIPAA Penalties into Employee Training When training employees on HIPAA compliance, it is important to include clear information about potential penalties for violations. Staff should understand the importance of protecting patient health information (PHI) [...]
Yale New Haven Health System Data Breach Impacts 5.5-Million Individuals

May 3, 2025

Yale New Haven Health System reported a data security incident that impacted over 5.5 million people. The data breach report submitted the HHS’ Office for Civil Rights shows that the protected health information (PHI) of [...]
Retina Group of Washington Resolves Data Breach Lawsuit for $3.6 Million

April 25, 2025

Retina Group of Washington agreed to resolve a class action lawsuit associated with a data breach in March 2023 that resulted in the unauthorized access of the protected health information (PHI) of 455,935 persons. Retina [...]
Hacking Incidents Involving Oracle’s Obsolete Servers

April 17, 2025

On April 7, 2025, Oracle mailed notifications to clients concerning a security incident reported in the news, stating that Oracle Cloud was not compromised. Oracle mentioned in the email notification that Oracle Cloud, also called [...]
Hi-School Pharmacy Pays $600,000 to Resolve Data Breach Lawsuit

April 11, 2025

Hi-School Pharmacy, a drug store chain in Vancouver, WA has decided to resolve a class action lawsuit associated with a data breach in November 2023. The company will create a $600,000 settlement fund for class [...]
Third-Party Breaches is the Cause of More Than 33% of Data Breaches

April 4, 2025

A growing number of cyber actors are targeting retailers, suppliers, and software companies, exploiting vulnerabilities to gain access to their systems. According to the latest SecurityScorecard report, about 35.5% of the 2024 data breaches were [...]
Healthcare Data Breach Report for February 2025

March 28, 2025

February saw a 36% decline in healthcare data breaches, as the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received 46 big healthcare data breach reports. Big data breaches refer to [...]
Medusa Ransomware Group Targets 300 Critical Infrastructure Organizations

March 20, 2025

An alert has been released concerning the Medusa ransomware-as-a-service (RaaS) group, which currently claims over 300 victims in critical infrastructure industries such as healthcare, manufacturing, and education. The group started operations in June 2021 as [...]
$200,000 Penalty Paid by Oregon Health & Science University for HIPAA Right of Access Violation

March 14, 2025

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued the second financial penalty for 2025 to settle a HIPAA Rules violation. Oregon Health & Science University (OHSU) was [...]
Assessing the Usefulness of Insider Risk Management Programs

March 6, 2025

In 2024, the healthcare sector was shaken by the Change Healthcare ransomware attack causing significant disruption to medical services throughout the country. The protected health information (PHI) of over 190 million people. As per Kroll, [...]
Healthcare Data Breach Report for January 2025

March 1, 2025

In January, 66 big healthcare data breaches were reported by HIPAA-covered entities to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In the last 12 months, the average number of [...]
Berry, Dunn, McNeil & Parker to Pay $7.25 Million to Settle Data Breach

February 20, 2025

Berry, Dunn, McNeil & Parker, LLC (BerryDunn) opted to negotiate a class action lawsuit that claimed negligence for not stopping a data breach that impacted over 1.1 million people. BerryDunn has consented to set up [...]
DOGE Given Access to Key CMS Systems

February 13, 2025

The Department of Government Efficiency (DOGE) employees were given access to HHS Centers for Medicare and Medicaid Services (CMS) important payment and contracting systems to find options for enhancing productivity and to determine fraud and [...]
Contec Identifies Vulnerability in CMS8000 Patient Monitors That Transmits Patient Data

February 6, 2025

Contec Health discovered a remote code execution vulnerability along with a hidden backdoor in the software of its popular patient monitors, the Epsimed MN-120 patient monitors and Contec CMS8000 patient monitors. Cybersecurity and Infrastructure Security [...]
Healthcare Data Breach Report for December 2024

January 30, 2025

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) only received 46 reports of data breaches involving 500 and up healthcare records in December. The small December total showed that since [...]
Change Healthcare Substantially Completes Review of Data Stolen During Ransomware Attack

January 22, 2025

It’s about 11 months after Change Healthcare’s network breach that resulted in the theft of data of approximately 100 million people, and encryption of files using ransomware. On January 14, 2025, Change Healthcare released information [...]
OneBlood Notifies July 2024 Ransomware Attack Victims

January 15, 2025

OneBlood, a Florida nonprofit blood donation organization reported on July 31, 2024 that it suffered a ransomware attack. The cyberattack resulted in the shutdown of its IT systems. The organization continued to collect, test, and [...]
Change Healthcare Faces Lawsuit Filed by Nebraska Attorney General

January 9, 2025

Nebraska’s Attorney General Mike Hilgers filed a lawsuit against Change Healthcare in relation to the ransomware attack it experienced on February 11, 2024. Change Healthcare had been targeted by a BlackCat/ALPHV ransomware group affiliate, who [...]
Workplace Fatalities Decline But More is Needed to Enhance Workplace Safety

January 3, 2025

The U.S. Bureau of Labor Statistics has released its results of the 2023 National Census of Fatal Occupational Injuries. According to the census, workplace fatalities declined by 3.7% year-over-year. In 2023, 5,283 workplace fatalities occurred [...]
Healthcare Data Breach Report for November 2024

December 26, 2024

In November 2024, healthcare data breaches increased by 15.3% month-over-month. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) received 68 data breach reports involving 500 and up healthcare records. This [...]
RI Bridges System Breach Impacts Rhode Island Residents’ Data

December 18, 2024

The data of hundreds of thousands of residents in Rhode Island were stolen during a cyberattack on the Rhode Island Bridges system. State residents use this online portal to get social services and medical insurance. [...]
Puerto Rican Healthcare Clearinghouse Resolves Alleged HIPAA Violations

December 12, 2024

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) opted to resolve the alleged HIPAA Privacy and Security Law violations with Inmediata Health Group, a healthcare clearinghouse in Puerto Rico. [...]
October 2024 Healthcare Data Breach Report

December 6, 2024

In October, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights received 57 reports of healthcare data breaches involving 500 and up records. Data breaches increased by 62.9% month-over-month from 35 [...]
Signature Health Pays $16,131 to Settle OSHA Violation

November 27, 2024

In April 2024, Signature Health mental health treatment facility based in Maple Heights, Ohio had an incident where a patient attacked a nurse. The patient continuously stabbed the staff using a knife he carried into [...]
Organ Transplant Coordinator Convicted for Illegal Access of Medical Records

November 21, 2024

In July 2024, a federal jury found 34-year-old Trent James Russell guilty of unlawful access to the health data of Supreme Court Justice Ruth Bader Ginsburg when he was working as the coordinator of an [...]
Updated Security Risk Assessment Tool Announced by OCR

November 14, 2024

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) currently focuses its enforcement initiative on implementing the risk analysis requirements of the Security Management Standard under the HIPAA Security Law. OCR [...]
South Dakota Plastic Surgery Practice Pays $500,000 HIPAA Penalty

November 7, 2024

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) made a decision regarding its investigation of a South Dakota plastic surgery practice’s ransomware attack. This is the sixth ransomware investigation by [...]
September 2024 Healthcare Data Breach Report

November 1, 2024

The number of healthcare data breaches in September is the lowest since May 2020. Only 34 data breach reports involving 500 and up records were submitted to the Department of Health and Human Services (HHS) [...]
Online Data Breach Associated With U.S. Medical Devices and Data Systems

October 24, 2024

Censys, a company that provides an Internet intelligence platform for threat hunting and attack surface management, discovered thousands of IP addresses that leak medical devices and systems online, 49% of which are from the United [...]
Active Exploitation of Critical Vulnerabilities in Fortinet and Veeam Backup & Replication

October 16, 2024

Cybercriminals are taking advantage of a critical vulnerability with a CVSS severity score of 9.8 identified in Veeam Backup & Replication software. The software is designed for data backup and recovery across virtual, physical, and [...]
Mass Exploited Critical Vulnerability in Zimbra Email Servers

October 10, 2024

A critical vulnerability tracked as CVE-2024-45519 with a CVSS base score of 9.8, has been identified in Zimbra’s email servers, exposing the servers to remote code execution and full server compromise. Exploiting the vulnerability allows [...]
OSHA May Exempt Volunteer Fire Departments from the New Emergency Response Standard Requirements

October 2, 2024

The Occupational Safety and Health Administration (OSHA) has addressed growing concerns regarding its proposal on the Emergency Response Standard and the potential challenges it could present for volunteer fire departments. Because of terrorist incidents, major [...]
Healthcare Data Breach Report in August 2024

September 26, 2024

The number of large healthcare data breaches in August slightly increased. There were 49 data breaches involving 500 or more healthcare records reported to the U.S. Department of Health and Human Services (HHS) Office for [...]
Continuing Training of Nurses and HIPAA Compliance

September 19, 2024

A recent American Association of Colleges of Nursing (AACN) meeting discussed the growing number of citations and sanctions against nurses for their Health Insurance Portability and Accountability Act (HIPAA) violations while providing care. Discussions also [...]
Acadian Ambulance Cyberattack Notifies Almost 2.9 Million Affected Individuals

September 12, 2024

Acadian Ambulance Service based in Louisiana is sending notifications to individuals impacted by a cyberattack and data breach. According to the Daixin Team, they had stolen 10 million unique records from the private ambulance service. [...]
Is Outlook HIPAA compliant?

September 10, 2024

Yes, Outlook can be HIPAA compliant if used with Microsoft 365’s HIPAA-compliant plans, configured with proper security settings, and covered by a signed Business Associate Agreement (BAA). Outlook can be HIPAA compliant if configured properly and [...]
Healthcare Data Breach Report for July 2024

September 4, 2024

Large healthcare data breaches have reached an 18-month low after going down for the fourth consecutive month. In July 2024, 43 breach reports involving 500 and up records were submitted to the U.S. Department of [...]
OCR Highlights the Importance of Physical Security Controls for Protecting ePHI

August 28, 2024

In the cybersecurity newsletter published in August 2024, OCR emphasized that physical security measures like facility access controls, are important for HIPAA Security Rule compliance. HIPAA-regulated entities should not treat these measures as mere tasks [...]
IU Health Faces Privacy Lawsuit for HIPAA Violations

August 21, 2024

Indiana Attorney General Todd Rokita has filed a privacy lawsuit against IU Health and its Associates for alleged violations of the Indiana Deceptive Consumer Sales Act and the Health Insurance Portability and Accountability Act (HIPAA). [...]
Organ Transplant Coordinator Guilty of Unlawful Health Records Access

August 14, 2024

Supreme Court Justice Ruth Bader of Ginsburg found an organ transplant coordinator guilty of unlawfully accessing medical information and removing proof but was found not guilty on the charge of posting a copy of the [...]
Average Cost of a Data Breach Rises Yearly Report

August 7, 2024

A data breach’s average cost has increased to $4.88 million; critical infrastructure entities have the highest breach costs. The most expensive breaches involved healthcare companies. Healthcare data breach costs dropped by 10.6% year-over-year with 2023’s [...]
Change Healthcare Faces Lawsuit Filed by NCPA and 40 Healthcare Companies

July 31, 2024

The National Community Pharmacists Association (NCPA) and about 3 dozen healthcare companies in 22 U.S. states filed a lawsuit against Optum, Change Healthcare, and UnitedHealth Group related to its ransomware attack and data security breach [...]
Healthcare Data Breach Report for June 2024

July 25, 2024

In June 2024, 47 data breaches involving 500 and up healthcare records were reported to the HHS’ Office for Civil Rights (OCR). This is the lowest number of breaches from October 2023 to date. Data [...]
Debt Collection Agency Cyberattack Affects 4 Million Individuals

July 18, 2024

The debt collection company Financial Business and Consumer Solutions (FBCS) recently informed the Maine Attorney General that a February 2024 breach that was earlier reported as impacting 1,955,385 persons has more than doubled the number [...]
Social Media HIPAA Violation Examples

July 16, 2024

Social media HIPAA violation examples are most often attributable to healthcare workers impermissibly disclosing facts about patients on social media or posting images and videos without a patient’s authorization. Because these events can result in [...]
Human Technology Inc. Affected by Data Breach

July 11, 2024

The prosthetics and orthotics firm based in Jackson, TN known as Human Technology Inc., and its associates Murphy’s Orthopedic & Footcare, Greer Orthotics & Prosthetics, and Hi-Tech Prosthetics & Orthotics were impacted by a data [...]
Revised Breach Notification Law in Pennsylvania

July 10, 2024

Pennsylvania revised its data breach notification regulation, limiting the meaning of personal information, including the need to alert the state Attorney General, and the provision of credit monitoring services to victims of data breaches victims [...]

Recent HIPAA News