HIPAA Enforcement News

Gryphon Healthcare agreed to pay $2.87 million to settle a class action data breach lawsuit alleging exposed protected health information (PHI) following a July 2024 cyberattack. Data Breach Incident Details Gryphon Healthcare is a Houston, […]

Blue Cross Blue Shield of Montana (BCBSMT) is being investigated for potential non-compliance with Montana’s breach notification rules after a data breach resulted in the compromise of sensitive personal data and protected health information (PHI) […]

According to breach reports filed with the U.S. Department of Health and Human Services (HHS), November only had 32 healthcare data breaches. The average number of healthcare data breaches involving 500 or more individuals reported […]

The Mystic Valley Elder Services based in Malden, Massachusetts decided to pay $520,000 to resolve a combined class action litigation associated with a data breach in April 5, 2024. Unauthorized individuals accessed the system of […]

The October 2025 healthcare data breach report is late because of the government shutdown in October. The HHS’ Office for Civil Rights, did not publish any data breach reports. The shutdown concluded on November 12, […]

Insurance company Aflac based in Columbus, GA encountered a cyberattack in June 2025. The data breach report submitted on August 8, 2025 to the HHS’ Office for Civil Rights used a placeholder of 500 affected […]

Oklahoma Spine Hospital decided to pay $1,100,000 to resolve a class action lawsuit arising from a data breach in July 2024 that impacted approximately 39,000 present and past patients. The hospital discovered a potential email […]

Officials in Albemarle County, Virginia, reported the compromise of sensitive data, including protected health information (PHI), during a ransomware attack in June 2025. The cyberattack started on June 10, 2025, and was discovered the next […]

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released a “Dear Colleague” notice telling HIPAA-covered entities about their responsibilities under the HIPAA Privacy Law to give parents a complete […]

A judge of the California Superior Court gave preliminary approval to the settlement involving a lawsuit against Community Psychiatry Management, LLC. The mental healthcare provider, doing business as Mindpath Health, decided to settle the class […]

California-based Pomona Valley Hospital Medical Center decided to pay $600,000 to settle all claims in the Warren v. Pomona Valley Hospital Medical Center litigation. This class action lawsuit was associated with the medical center’s usage […]

The healthcare company Geisinger Health, based in Danville, Pennsylvania, and its past IT supplier Nuance Communications, Inc., decided to pay $5 million to resolve the class action litigation associated with a 2023 insider data breach […]

Wakefield & Associates based in Knoxville, Tennessee, provides healthcare providers with revenue cycle & collections services. Recently, the vendor reported a security incident that was discovered on or about January 17, 2025. Wakefield & Associates […]

Two U.S. citizens were recently accused of conducting cyberattacks in the United States using BlackCat ransomware. Another person is alleged to be involved, although they were not a part of the indictment. The three people […]

Conduent Business Solutions, a business associate of many HIPAA-regulated entities and government institutions, suffered a data breach that brought about the exposure and likely theft of the protected health information (PHI) of over 10.5 million […]

As of October 22, 2025, OCR listed 26 data breaches involving 500 or more people on its data breach website. This is the lowest number of data breaches per month from December 2018 up to […]

EyeMed Vision Care has decided to settle a class action lawsuit associated with a data breach in June 2020 for $5 million. The company discovered the data breach on July 1, 2025 after noticing suspicious […]

Hospital Sisters Health System, a HIPAA-covered entity, settled a class action lawsuit for $7.6 million. The litigation pertains to an August 2023 cyberattack that impacted around 883,000 people. The cyberattack prompted a shutdown of computer […]

The cybersecurity company Netwrix reported that from March 2024 to March 2025, nearly 50% of healthcare organizations encountered one or more data incidents, including hacking incidents, ransomware attacks, or phishing attacks. Netwrix 2025 Cybersecurity Trends […]

Central Valley Regional Center, based in Fresno, California, provides services to persons who have developmental handicaps. It informed patients concerning the recent leakage of paper documents that contain their personal data. There is no announcement […]

Nonprofit health system, Adena Health System, based in southern and south central Ohio, decided to pay $17.8 million to settle allegations that it illegally shared patient records with third parties when it installed tracking codes […]

The number of reported healthcare data breaches in the U.S. decreased by 34.1% month-over-month, and the number of individuals impacted decreased by 44.5%. In July, HIPAA-covered entities submitted 48 reports of data breaches affecting 500 […]

Cencora & The Lash Group decided to create a $40 million fund to resolve a class action data breach lawsuit over a data breach in February 2024 that affected about 1.43 million people. Cencora, Inc., […]

New York business associate BST & Co. CPAs, LLP decided to pay the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) a $175,000 financial penalty to settle an alleged Health Insurance […]

In April 2025, DaVita, a kidney dialysis facility, mentioned a security breach in its SEC filing, though during the time, it was uncertain how many people were affected by the theft of sensitive data. The […]

The cybersecurity company Semperis has published a new report indicating a slight decrease in ransomware attacks year-over-year. The ransomware risk report indicates that ransomware groups continue to target the healthcare industry, with 77% of organizations […]

Premier Health Partners based in Dayton, OH issued a press release on July 18, 2025, concerning a data breach first discovered about two years ago. The press release stated that Premier Health discovered suspicious activity […]

For June 2025, healthcare data breaches increased by 16.67% month-over-month, and the number of individuals who had their protected health information (PHI) exposed or impermissibly disclosed increased by 302.71% month-over-month. In June, the HHS’ Office […]

Ransomware groups have carried out many attacks on medical labs recently. These attacks can lead to considerable disruption to laboratory screening services, causing delays in diagnosis and treatment. The ransomware attack on Synnovis last June […]

Compumedics USA Inc., a company that provides sleep study clinics with its diagnostic and research technologies for sleep disorders. The company recently suffered a data security incident that impacted patients of a few healthcare company […]

Healthcare providers are reminded by OCR to follow the HIPAA patch management requirements, which make sure that ePHI privacy, integrity, and accessibility stays secure. Flaws in the software applications code could be exploited by hackers […]

OB/GYN Clinics Mid-Atlantic Women’s Care and Physicians to Women, Inc. agreed to settle a class action lawsuit associated with a data breach in April 2023. Hackers acquired access to protected health information (PHI) stored by […]

May saw 60 reports of healthcare data breaches involving 500 and up individuals submitted to the HHS’ Office for Civil Rights (OCR), a bit lower than the monthly 12-month average of 57 data breaches. This […]

The U.S. House Committee on Oversight and Government Reform is looking at the national security and privacy risks associated with the sale of genetic testing firm 23andMe. The committee hearing showed the lawmakers’ worries regarding […]

The HHS’ Office for Civil Rights (OCR) has reported reaching a settlement with Comstar, LLC regarding an alleged non-compliance with the HIPAA Security Rule’s risk analysis requirement. This is the OCR’s 9th enforcement action associated […]

Akeela Inc. offers mental health and substance use disorder treatment services in Anchorage, AK. This healthcare provider recently agreed to resolve a class action lawsuit associated with a 2023 data breach that exposed the protected […]

A big law enforcement operation has led to the shutdown of the system used for the DanaBot MaaS operation. This DanaBot banking Trojan and botnet malware is typically passed on through spam emails. It steals […]

April’s report of healthcare data breaches increased by 17.9% month-over-month, with 66 data breach reports involving 500 and up records submitted to the HHS’ Office for Civil Rights (OCR). This figure is higher than the […]

Integrated health system Robeson Health Care Corporation, based in Pembroke, North Carolina, has decided to resolve a class action lawsuit prompted by a cyberattack in February 2023. Allegedly, hackers breached the provider’s network, compromising the […]

According to breach reports submitted to the HHS’ Office for Civil Rights (OCR), healthcare data breaches is beginning to decrease. 2024 saw an average of 61 big healthcare data breaches per month. In the last […]

Yale New Haven Health System reported a data security incident that impacted over 5.5 million people. The data breach report submitted the HHS’ Office for Civil Rights shows that the protected health information (PHI) of […]

Retina Group of Washington agreed to resolve a class action lawsuit associated with a data breach in March 2023 that resulted in the unauthorized access of the protected health information (PHI) of 455,935 persons. Retina […]

On April 7, 2025, Oracle mailed notifications to clients concerning a security incident reported in the news, stating that Oracle Cloud was not compromised. Oracle mentioned in the email notification that Oracle Cloud, also called […]

Hi-School Pharmacy, a drug store chain in Vancouver, WA has decided to resolve a class action lawsuit associated with a data breach in November 2023. The company will create a $600,000 settlement fund for class […]

A growing number of cyber actors are targeting retailers, suppliers, and software companies, exploiting vulnerabilities to gain access to their systems. According to the latest SecurityScorecard report, about 35.5% of the 2024 data breaches were […]

February saw a 36% decline in healthcare data breaches, as the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received 46 big healthcare data breach reports. Big data breaches refer to […]

An alert has been released concerning the Medusa ransomware-as-a-service (RaaS) group, which currently claims over 300 victims in critical infrastructure industries such as healthcare, manufacturing, and education. The group started operations in June 2021 as […]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued the second financial penalty for 2025 to settle a HIPAA Rules violation. Oregon Health & Science University (OHSU) was […]

In 2024, the healthcare sector was shaken by the Change Healthcare ransomware attack causing significant disruption to medical services throughout the country. The protected health information (PHI) of over 190 million people. As per Kroll, […]

In January, 66 big healthcare data breaches were reported by HIPAA-covered entities to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In the last 12 months, the average number of […]

Berry, Dunn, McNeil & Parker, LLC (BerryDunn) opted to negotiate a class action lawsuit that claimed negligence for not stopping a data breach that impacted over 1.1 million people. BerryDunn has consented to set up […]

The Department of Government Efficiency (DOGE) employees were given access to HHS Centers for Medicare and Medicaid Services (CMS) important payment and contracting systems to find options for enhancing productivity and to determine fraud and […]

Contec Health discovered a remote code execution vulnerability along with a hidden backdoor in the software of its popular patient monitors, the Epsimed MN-120 patient monitors and Contec CMS8000 patient monitors. Cybersecurity and Infrastructure Security […]

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) only received 46 reports of data breaches involving 500 and up healthcare records in December. The small December total showed that since […]

It’s about 11 months after Change Healthcare’s network breach that resulted in the theft of data of approximately 100 million people, and encryption of files using ransomware. On January 14, 2025, Change Healthcare released information […]

OneBlood, a Florida nonprofit blood donation organization reported on July 31, 2024 that it suffered a ransomware attack. The cyberattack resulted in the shutdown of its IT systems. The organization continued to collect, test, and […]

Nebraska’s Attorney General Mike Hilgers filed a lawsuit against Change Healthcare in relation to the ransomware attack it experienced on February 11, 2024. Change Healthcare had been targeted by a BlackCat/ALPHV ransomware group affiliate, who […]

The U.S. Bureau of Labor Statistics has released its results of the 2023 National Census of Fatal Occupational Injuries. According to the census, workplace fatalities declined by 3.7% year-over-year. In 2023, 5,283 workplace fatalities occurred […]

In November 2024, healthcare data breaches increased by 15.3% month-over-month. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) received 68 data breach reports involving 500 and up healthcare records. This […]

The data of hundreds of thousands of residents in Rhode Island were stolen during a cyberattack on the Rhode Island Bridges system. State residents use this online portal to get social services and medical insurance. […]

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) opted to resolve the alleged HIPAA Privacy and Security Law violations with Inmediata Health Group, a healthcare clearinghouse in Puerto Rico. […]

In October, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights received 57 reports of healthcare data breaches involving 500 and up records. Data breaches increased by 62.9% month-over-month from 35 […]

In April 2024, Signature Health mental health treatment facility based in Maple Heights, Ohio had an incident where a patient attacked a nurse. The patient continuously stabbed the staff using a knife he carried into […]

In July 2024, a federal jury found 34-year-old Trent James Russell guilty of unlawful access to the health data of Supreme Court Justice Ruth Bader Ginsburg when he was working as the coordinator of an […]

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) currently focuses its enforcement initiative on implementing the risk analysis requirements of the Security Management Standard under the HIPAA Security Law. OCR […]

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) made a decision regarding its investigation of a South Dakota plastic surgery practice’s ransomware attack. This is the sixth ransomware investigation by […]

The number of healthcare data breaches in September is the lowest since May 2020. Only 34 data breach reports involving 500 and up records were submitted to the Department of Health and Human Services (HHS) […]

Censys, a company that provides an Internet intelligence platform for threat hunting and attack surface management, discovered thousands of IP addresses that leak medical devices and systems online, 49% of which are from the United […]

Cybercriminals are taking advantage of a critical vulnerability with a CVSS severity score of 9.8 identified in Veeam Backup & Replication software. The software is designed for data backup and recovery across virtual, physical, and […]

A critical vulnerability tracked as CVE-2024-45519 with a CVSS base score of 9.8, has been identified in Zimbra’s email servers, exposing the servers to remote code execution and full server compromise. Exploiting the vulnerability allows […]

The Occupational Safety and Health Administration (OSHA) has addressed growing concerns regarding its proposal on the Emergency Response Standard and the potential challenges it could present for volunteer fire departments. Because of terrorist incidents, major […]

The number of large healthcare data breaches in August slightly increased. There were 49 data breaches involving 500 or more healthcare records reported to the U.S. Department of Health and Human Services (HHS) Office for […]

Acadian Ambulance Service based in Louisiana is sending notifications to individuals impacted by a cyberattack and data breach. According to the Daixin Team, they had stolen 10 million unique records from the private ambulance service. […]

Large healthcare data breaches have reached an 18-month low after going down for the fourth consecutive month. In July 2024, 43 breach reports involving 500 and up records were submitted to the U.S. Department of […]

In the cybersecurity newsletter published in August 2024, OCR emphasized that physical security measures like facility access controls, are important for HIPAA Security Rule compliance. HIPAA-regulated entities should not treat these measures as mere tasks […]

Indiana Attorney General Todd Rokita has filed a privacy lawsuit against IU Health and its Associates for alleged violations of the Indiana Deceptive Consumer Sales Act and the Health Insurance Portability and Accountability Act (HIPAA). […]

Supreme Court Justice Ruth Bader of Ginsburg found an organ transplant coordinator guilty of unlawfully accessing medical information and removing proof but was found not guilty on the charge of posting a copy of the […]

A data breach’s average cost has increased to $4.88 million; critical infrastructure entities have the highest breach costs. The most expensive breaches involved healthcare companies. Healthcare data breach costs dropped by 10.6% year-over-year with 2023’s […]

The National Community Pharmacists Association (NCPA) and about 3 dozen healthcare companies in 22 U.S. states filed a lawsuit against Optum, Change Healthcare, and UnitedHealth Group related to its ransomware attack and data security breach […]

In June 2024, 47 data breaches involving 500 and up healthcare records were reported to the HHS’ Office for Civil Rights (OCR). This is the lowest number of breaches from October 2023 to date. Data […]

The debt collection company Financial Business and Consumer Solutions (FBCS) recently informed the Maine Attorney General that a February 2024 breach that was earlier reported as impacting 1,955,385 persons has more than doubled the number […]

The prosthetics and orthotics firm based in Jackson, TN known as Human Technology Inc., and its associates Murphy’s Orthopedic & Footcare, Greer Orthotics & Prosthetics, and Hi-Tech Prosthetics & Orthotics were impacted by a data […]

Pennsylvania revised its data breach notification regulation, limiting the meaning of personal information, including the need to alert the state Attorney General, and the provision of credit monitoring services to victims of data breaches victims […]

The U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) has recommended the first federal workplace heat standard to safeguard millions of people in America from the health threats connected with exposure to intense […]

The number of reported healthcare data breaches dropped to its lowest for the second month since October 2023. May had 51 data breaches with 500 and up breached healthcare records reported to OCR. This number […]

SecurityScorecard gave the U.S. healthcare industry a B+ rating for cybersecurity during the first 6 months of 2024. This indicates that the industry is doing better in spite of the reported major breaches, including the […]

Medication benefits management service provider A&A Services, also known as Sav-Rx, is facing a class action lawsuit because of a data breach that occurred in October 2023 affecting 2.8 million people. On or about October […]

In 2022, a hacker accessed Medibank’s system, stole the personal and health data of 9.7 million people, and exposed the stolen files on the dark web. This Australian health insurance company has confirmed the ransomware […]

Adventist Health has just reported that an unauthorized individual accessed the protected health information (PHI) of over 70,000 patients of Adventist Health Tulare in California. The security incident happened at its business associate, Signature Performance, […]

The Health Sector Cyber Initiative of the Biden administration has partnered with Microsoft and Google to give critical access and rural hospitals free and discounted cybersecurity services. In 2023, the healthcare industry experienced more ransomware […]

In July 2023, the LockBit ransomware group listed Panorama Eyecare on its data leak website and noted to have stolen 798 GB of files from the doctor-led management services provider based in Fort Collins, CO. […]

The Los Angeles County Department of Mental Health suffered a phishing attack that allowed unauthorized access to the email account of an employee resulting in the compromise of protected health information (PHI) for 1,598 individuals. […]

The Cybersecurity and Infrastructure Security Agency (CISA) included a critical vulnerability identified in the NextGen Healthcare Mirth Connect remote code execution to its Known Exploited Vulnerability (KEV) Catalog. Mirth Connect is a free software integration […]

The Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) issued an alert warning the healthcare and public health (HPH) sector against business email compromise (BEC) attacks. This kind of spear […]

Healthcare data breaches dropped by 43% month-over-month. There were 54 data breaches involving 500 and up records reported to the HHS’ Office for Civil Rights. The reported number of breaches this April is the lowest […]

PHI Compromised in Redwood Coast Regional Center Cyberattack Social services organization Redwood Coast Regional Center based in Ukiah, CA offers services and assistance to children and adults who have developmental handicaps. It recently submitted a […]

Federal Judge Dismisses CommonSpirit Health Data Breach Lawsuit Due to Not Enough Standing A federal court judge decided to dismiss a class action lawsuit versus CommonSpririt Health regarding its 2022 data breach because of the […]

March had 93 healthcare data breach reports involving 500 or more records submitted to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The number of breaches increased by 50% from […]

OctaPharma Plasma Donation Centers Closed While Investigating Ransomware Attack The Swiss pharmaceutical provider, Octapharma Plasma, experienced a cyberattack that impacted the systems at 190 plasma donation centers located in 35 U.S. states. Those donation centers […]

MedData Pays $7 Million to Resolve Class Action Data Breach Lawsuit Revenue cycle management company MedData based in Spring, TX consented to pay $7 million to resolve a class action lawsuit associated with the breach […]