Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches

Data security incidents have been announced by the Colorado Health Network and Kentucky Mountain Health Alliance. In both cases, only limited information has been released about the nature of the incidents.

Colorado Health Network

Colorado Health Network Inc., a nonprofit organization that provides health and support services to individuals with HIV/AIDS across Colorado, has recently disclosed a data security incident. The breach notification does not state when the breach was detected or for how long the threat actors had access to its network, only that an unauthorized third party accessed and removed files from its systems.

The files have been reviewed and found to contain patient names in combination with one or more of the following: Social Security number, driver’s license/state identification card number, passport number, financial account information, debit/credit card information, health insurance information (which may include Medicaid/Medicare information), and medical information. The medical information may include, but is not limited to, diagnosis, diagnosis code, mental/physical condition, prescription information, and provider/location.

Colorado Health Network started mailing notification letters to the affected individuals on June 18, 2026, and said it has received no reports to suggest that any of the exposed or copied information has been misused. The affected individuals have been advised to monitor their account statements, free credit reports, and explanation of benefits statements for suspicious activity, and to sign up for the complimentary credit monitoring and identity theft protection services that have been offered.

This appears to have been a ransomware attack by the Cephalus ransomware group. Cephalus claimed on its dark web data leak site on August 28, 2025, that it was behind the attack and obtained more than 900 GB of data. The group’s data leak site is not currently accessible, so it is unclear whether the data was leaked online.

The Texas attorney general was informed that 257 Texas residents were affected by the breach. Given that the primary location of business is Colorado, that would suggest that the incident affected more than 500 individuals and should have been reported to the HHS’ Office for Civil Rights (OCR) and added to the OCR data breach portal; however, it is not currently shown on the breach portal.

Kentucky Mountain Health Alliance

Kentucky Mountain Health Alliance, a Hazard, KY-based nonprofit organization that provides primary and specialty care to the homeless, has disclosed a data breach that involved unauthorized access to patient data, some of which was copied in the incident.

While HIPAA requires data breach notices to be placed in a prominent location on the home page of the provider’s website, users are required to click on the “more” section and then select the notice from the drop-down menu. The notice states that the information compromised in the incident includes names plus one or more of the following: Social Security numbers, driver’s license numbers/state identification numbers, passport numbers, financial account information, debit/credit card information, health insurance information, and medical information such as diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name and location. Notification letters were issued to the affected individuals on June 12, 2026.

As with the data breach at Colorado Health Network (above), the breach notifications do not elaborate further on the nature of the incident, such as who potentially accessed the data (internal/external), when the incident was detected, or for how long the data was exposed. The website notice makes no mention of credit monitoring services; however, the notice issued to the Massachusetts Office of Consumer Affairs and Business Regulation states that 24 months of complimentary credit monitoring and identity theft protection services are being provided through Epiq. The number of affected individuals has yet to be publicly disclosed.

The post Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches appeared first on The HIPAA Journal.

Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches

Data breaches have been announced by Minnesota Epilepsy Group, Campbell University, and the City of Middletown, Ohio.

Minnesota Epilepsy Group

Minnesota Epilepsy Group, the largest epilepsy center in the Midwest, has started notifying current and former patients about a recent cybersecurity incident that may have resulted in unauthorized access to their protected health information. Suspicious network activity was identified on April 7, 2026, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had accessed its network at various times between March 16, 2026, and April 10, 2026.

The parts of the network that were accessed contained files that included patient data. The file review concluded on May 18, 2026, and determined that the exposed information included names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance information. The types of information exposed varied from patient to patient.

Notification letters started to be mailed to the affected individuals on June 5, 2026, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were exposed. Minnesota Epilepsy Group confirmed that it has taken steps to enhance its technical security measures to prevent similar incidents in the future.

City of Middletown, Ohio

The City of Middletown in Ohio has started notifying individuals about a cybersecurity incident that occurred last year that resulted in unauthorized access to sensitive personal and protected health information. The incident was first identified on August 17, 2025, and the forensic investigation determined that its network was accessed by an unauthorized third party between July 29, 2025, and August 17, 2025, during which time files containing sensitive information may have been accessed or acquired.

The data review concluded on May 18, 2026, and determined that data compromised in the incident included names, addresses, Social Security numbers, driver’s license or government identification numbers, financial account information, medical information, and health insurance information. Notification letters were mailed on June 3, 2026, to the individuals with a complete address on file. City of Middletown officials have confirmed that steps are being taken to augment security. The HHS’ Office for Civil Rights was informed that the protected health information of 20,608 individuals was compromised in the incident.

This appears to have been a ransomware attack by the SafePay ransomware group, which added the City of Middletown to its dark web data leak site on September 12, 2025, then proceeded to leak the stolen data.

Campbell University, North Carolina

Campbell University in North Carolina is investigating a cybersecurity incident that was first identified on April 1, 2026. The incident involved unauthorized access to one of its cloud-based data storage platforms between March 31, 2026, and April 1, 2026. The university explained that due to its security protections, the incident was contained to a single platform.

The investigation and data review are ongoing, and as such, the total number of affected individuals has yet to be determined. The HHS’ Office for Civil Rights has been informed that the protected health information of at least 500 individuals was involved. The total will be updated when the data review is concluded. The specific type of information involved has not yet been determined, but general categories of data involved have been disclosed. In addition to their name, individuals may have had one or more of the following exposed or stolen in the incident:

Address, date of birth, admission/discharge/death date, medical record number, provider/facility name, medical condition, diagnosis and/or treatment information, lab results, prescriptions and/or medications, personal history, mental health information, insurance/payment amount history information, date of service, payment card information, and/or any information on an individual that was created, used, or disclosed in the course of providing health care services, and Social Security number, driver’s license or state identification number, passport number, student identification number, other government identification number, financial account information, debit/credit card information, health insurance information, medical information, individual taxpayer identification number, identity protection PIN issued by the IRS, parent’s legal surname prior to marriage, digital signature, geolocation, and/or user name and access information for a non-financial account.

Campbell University said it has reset passwords, set up a new instance of the affected platform, strengthened data access policies, and implemented additional technical safeguards.


HIPAA Security Rule Training for Business Associates

HIPAA Business Associates that create, receive, maintain, or transmit electronic Protected Health Information on behalf of HIPAA-covered entities are directly subject to the HIPAA Security Rule and must provide security awareness training to their entire workforce, not only to staff who work on healthcare-specific accounts or handle patient data as part of their primary function. The HIPAA Security Rule at 45 CFR 164.308(a)(5) requires covered entities and business associates to “implement a security awareness and training program for all members of its workforce (including management).” The direct applicability of the HIPAA Security Rule to business associates was established by the HITECH Act and confirmed in the 2013 Omnibus Rule, which means the training obligation runs to the business associate as an independently regulated entity rather than solely as a contractual requirement imposed through a HIPAA Business Associate Agreement. A business associate that relies on its covered entity client’s training program to satisfy its own workforce training requirement has misread the regulation.

The Training Scope Goes Beyond Healthcare-Facing Roles

Many business associates operate with workforces that include personnel who are not assigned to healthcare client accounts, do not access patient records, and may not consider themselves to be working in a healthcare context. The HIPAA Security Rule’s training requirement applies to those employees when their roles place them within the organization’s IT security environment. A software developer working on a platform that processes electronic Protected Health Information, an HR coordinator whose email account sits on the same network as systems containing patient data, a legal team member who reviews Business Associate Agreements, and an operations manager who approves the technology stack all fall within the training obligation’s scope. This broader reach distinguishes the Security Rule from the HIPAA Privacy Rule, which directs its training requirement at workforce members whose job functions involve Protected Health Information. The HIPAA Security Rule covers any workforce member whose conduct can affect the security of electronic Protected Health Information through system access, credential use, device handling, or network activity, regardless of whether they handle patient data directly.

Why Business Associate Environments Present Distinct Security Risks

Business associate workforces interact with electronic Protected Health Information in operational contexts that differ from the clinical and administrative settings most HIPAA training content addresses. A billing company processes claims data across hundreds of covered entity clients. A cloud service provider stores electronic Protected Health Information for multiple healthcare organizations on shared infrastructure. A health IT vendor’s support staff access production systems containing patient records to resolve technical issues. In each context, a single compromised credential, a successful phishing attack, or an employee’s unauthorized use of a personal device can expose electronic Protected Health Information belonging to multiple covered entity clients simultaneously. Security awareness training for business associate workforces must reflect those operational realities and address the specific threat patterns that target vendor and service provider environments, including supply chain phishing, business email compromise exploiting covered entity relationships, and credential attacks targeting third-party administrative access.

Building a Training Program Around the Annual Cycle

Annual HIPAA Security Rule training is industry best practice for business associates because the threat environment, the regulatory framework, and the organization’s own service scope all evolve throughout the year. A business associate that expands its services to include a new category of electronic Protected Health Information processing, adopts a new platform used to access covered entity systems, or onboards a new covered entity client may face security risks its current workforce training did not address. Annual training gives the organization a structured opportunity to update content, address changes to internal security policies, reinforce reporting obligations, and produce a new completion record for each workforce member. That annual record supports the six-year documentation retention requirement under 45 CFR 164.316(b) and demonstrates to covered entity clients, OCR auditors, and internal compliance reviewers that the organization maintains a functioning and current security awareness program rather than a one-time onboarding exercise.

Online Security Training Designed for Business Associate Staff

The HIPAA Journal’s Cybersecurity Training for Business Associate Employees is built for organizations that handle electronic Protected Health Information on behalf of covered entities and need a structured online course that reflects the Security Rule obligations, threat patterns, and operational contexts specific to business associate environments. The course covers the regulatory framework governing business associates, electronic Protected Health Information safeguards, healthcare cyber threats including phishing and ransomware, password and credential security, device and media controls, email and messaging risks, incident recognition, and the reporting obligations that run from the business associate to the covered entity. It supports onboarding training before system access is granted, annual refresher delivery across the full workforce, and targeted retraining when policy changes or security events require it, and produces completion records that satisfy the individual-level documentation requirements of the Security Rule’s training mandate.
