Allina Health System to Pay $12.5 Million to Settle Pixel Litigation

Allina Health System, a nonprofit health system based in Minneapolis, Minnesota, that serves patients in Minnesota and Western Wisconsin, has agreed to pay $12,500,000 to resolve litigation over its use of website tracking technologies such as pixels. Those tools were alleged to have resulted in the disclosure of personally identifiable information (PII) and protected health information (PHI) to third parties such as Facebook (Meta) and Google, in violation of federal and state laws.

Those tools are extensively used on websites for marketing and advertising purposes. The tools collect information about website usage, and that information can be used to improve web services. It can also be used to serve targeted advertisements to individuals, based on their interactions on a website. Depending on how they are configured, these tools can collect individually identifiable health information when installed on healthcare providers’ websites, and if they are used on authenticated pages such as a patient portal, that information may include HIPAA-protected data.
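The configuration point above (tags are acceptable on public marketing pages but must not run on authenticated pages) can be enforced in the browser rather than left to a tag-manager setting, by serving a route-scoped Content-Security-Policy. The following is an added example in Python, not code from the original article or from Allina Health; the authenticated route prefixes (/portal, /billpay, /schedule) are assumptions standing in for a provider's patient portal, bill-pay and scheduling areas, and the tag hosts are the public Meta Pixel and Google tag/analytics hosts.

```python
"""Route-scoped Content-Security-Policy for pages that carry tracking tags.

Added example; not code from the original article or from Allina Health.
The tag hosts are the public Meta Pixel and Google Tag Manager/Analytics
hosts; the authenticated route prefixes are assumptions standing in for a
provider's patient portal, bill-pay and scheduling areas.
"""
from urllib.parse import urlsplit

# Hosts a tag manager loads tags from (script-src) and hosts the tags report
# to (img-src / connect-src). The Meta pixel beacon, for instance, is a
# request to www.facebook.com/tr that carries the current page URL.
TAG_SCRIPT_HOSTS = ("https://connect.facebook.net", "https://www.googletagmanager.com")
TAG_BEACON_HOSTS = ("https://www.facebook.com", "https://www.google-analytics.com")

# Assumed authenticated route prefixes: portal, bill pay, scheduling.
AUTHENTICATED_PREFIXES = ("/portal", "/billpay", "/schedule")


def is_authenticated_route(url_or_path: str) -> bool:
    """True when the path falls under a route that requires a patient login."""
    path = urlsplit(url_or_path).path  # drop query string and fragment
    return any(path == p or path.startswith(p + "/") for p in AUTHENTICATED_PREFIXES)


def build_csp(url_or_path: str) -> str:
    """CSP header value for a request: tag hosts on public pages only.

    Without the tag hosts in script-src, img-src and connect-src, the browser
    refuses both the tag load and its beacon, whatever a tag manager injects.
    """
    if is_authenticated_route(url_or_path):
        sources = {"script-src": "'self'", "img-src": "'self' data:", "connect-src": "'self'"}
    else:
        scripts = " ".join(("'self'",) + TAG_SCRIPT_HOSTS)
        beacons = " ".join(("'self'",) + TAG_BEACON_HOSTS)
        sources = {"script-src": scripts, "img-src": beacons + " data:", "connect-src": beacons}
    directives = ["default-src 'self'"] + [f"{k} {v}" for k, v in sources.items()]
    return "; ".join(directives + ["frame-ancestors 'none'"])


def third_party_hosts_on_authenticated_route(url_or_path: str, csp: str) -> list:
    """Audit check: tag hosts that the CSP actually served on an authenticated
    route still permits. An empty list means no listed tag can load or report
    from that page; a non-empty list is the misconfiguration the lawsuits
    describe (a site-wide policy reused on the portal)."""
    if not is_authenticated_route(url_or_path):
        return []
    allowed = set()
    for directive in csp.split(";"):
        name, _, sources = directive.strip().partition(" ")
        if name in ("script-src", "img-src", "connect-src", "default-src"):
            allowed.update(sources.split())
    return sorted(h for h in TAG_SCRIPT_HOSTS + TAG_BEACON_HOSTS if h in allowed)


if __name__ == "__main__":
    print(build_csp("/about"))
    print(build_csp("/portal/messages?id=123"))
    # Weak setup: the public policy served everywhere, including the portal.
    print(third_party_hosts_on_authenticated_route("/portal/messages", build_csp("/")))
```

Run the audit function against the header your portal actually returns (for example from a curl of a logged-in page); the policy builder shows the target state, the audit shows the gap.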

The first lawsuit over the use of these tracking tools was filed by Plaintiff Jacqueline Ahlers on September 16, 2024, in the U.S. District Court for the District of Minnesota. An amended complaint was filed on February 12, 2025, adding a further two plaintiffs who had filed similar complaints. The consolidated lawsuit – Ahlers, et al. v. Allina Health System – asserted claims for invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, negligence, and violations of the Electronic Communication Privacy Act, Minnesota Health Records Act, and Minnesota Unfair and Deceptive Trade Practices Act.

Allina Health System denies wrongdoing and liability; however, after considering the cost, distraction, burden, and risks associated with continuing with the litigation, Allina Health System agreed to a settlement. Under the terms of the settlement, Allina Health System has agreed to pay $12,500,000 to resolve the complaint. From that amount, attorneys’ fees and expenses will be deducted, along with settlement administration and notification costs, and service awards for the class representatives.

The $12,500,000 will be split into two settlement funds: A Group 1 settlement fund of $10,303,098 and a Group 2 settlement fund of $2,196,902. The attorneys’ fees/expenses, settlement administration/notification costs, and service awards will be deducted from those settlement funds with an 82.42% (Group 1) and 17.58% (Group 2) split. The remaining funds will be paid pro rata to individuals submitting a claim.

The Group 1 settlement class consists of individuals who were patient portal users, non-portal bill pay users, and non-portal scheduling users between September 16, 2018, and May 11, 2026. The Group 2 settlement class consists of individuals who were non-portal, non-bill pay, and non-scheduling patients between September 16, 2018, and May 11, 2026.

The deadline for opting out of or objecting to the settlement is August 10, 2026. Claims must be submitted by September 8, 2026, and the final approval hearing has been scheduled for September 24, 2026.

The post Allina Health System to Pay $12.5 Million to Settle Pixel Litigation appeared first on The HIPAA Journal.

Data Breaches Reported by Amicus Solutions; Huntsville Hospital Health System

Amicus Solutions (Fedora Solutions) has been affected by a cybersecurity incident, and Huntsville Hospital has confirmed it was affected by a January 2025 breach at Cerner (Oracle Health).

Amicus Solutions

Amicus Solutions, Inc., doing business as Fedora Solutions, a provider of managed IT and revenue cycle management services, has experienced a cybersecurity incident involving the protected health information of 1,137 individuals. According to the breach notification to the Massachusetts Office of Consumer Affairs and Business Regulation, the breach affected patients of medical practices managed by OneOncology, LLC, including New York Cancer and Blood Specialists.

Suspicious activity was identified within the Amicus Solutions network on April 2, 2026, with the unauthorized access believed to have occurred between February 2, 2026, and February 18, 2026. During that time, a threat actor exfiltrated data from its systems, and some of that data was posted to the threat actor’s website, including personally identifiable information and protected health information.

The data review confirmed that the threat actor obtained patient data such as first and last names, phone numbers, email addresses, birth dates, gender information, Social Security numbers, medical information, and health insurance information. Amicus Solutions confirmed that there was no unauthorized access to its clients’ networks. No misuse of that data had been identified at the time of issuing notifications. Amicus Solutions said additional safeguards have been implemented to harden security, and 24 months of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Huntsville Hospital

Huntsville Hospital Health System in Alabama has recently announced that it has been affected by the January 2025 data breach at electronic health record vendor Cerner, now Oracle Health. The data breach affected approximately 90 healthcare providers, and many of those providers announced the data breach last year. Hackers gained access to two legacy Cerner servers as early as January 22, 2025, and Huntsville Hospital was informed that it was affected on August 12, 2025. The hospital said law enforcement requested delaying notifying the affected individuals and additional providers so as not to impede the investigation.

According to the hospital, the breach was confined to Cerner systems, which contained names, Social Security numbers, and details from medical records, including medical record numbers, doctors’ names, diagnoses, medications, test results, images, and treatment information. The affected individuals have been offered complimentary credit monitoring services for 24 months. It is currently unclear how many Huntsville Hospital patients have been affected.


Washington Dept. Social & Health Services Insider Breach Affects 8,600 Individuals

The Washington Department of Social and Health Services (DSHS) has identified an insider data breach involving unauthorized access to the protected health information of approximately 8,600 individuals.

Insider threats are a bigger problem in healthcare than in other sectors. Most insider incidents are unintentional, but snooping on medical records is a common cause of healthcare data breaches, and patient records may also be obtained for financial gain. Regular workforce HIPAA training reminds employees of their responsibilities with respect to patient privacy, and employee access logs should be routinely monitored: without active monitoring, these privacy violations can persist for long periods before unauthorized access is identified.

In this case, a DSHS employee was discovered to have accessed a DSHS internal client data system without authorization and viewed records containing full names, dates of birth, Social Security numbers, DSHS client numbers, and information about DSHS program enrollment.

The DSHS investigation found no evidence that health information was accessed, such as diagnoses, test results, treatments, claims, or chart notes. The DSHS said the employee was found to have accessed records for “reasons unrelated to their job duties,” but did not elaborate further on the individual’s reasons for access. It is also unclear when the unauthorized access was detected, or for how long the employee had been accessing records for non-work purposes.

DSHS confirmed that action was immediately taken when the privacy violations were identified, preventing further unauthorized access. DSHS has confirmed that the individual is no longer working for the department. It is unclear whether the employee was terminated over the HIPAA violation or if they left voluntarily.

DSHS said it is issuing notification letters by mail to all affected individuals and encourages them to monitor their account statements and credit reports for unauthorized activity. DSHS is cooperating with state and local law enforcement in their ongoing investigation. DSHS said steps are being taken to implement additional safeguards, and internal policies and procedures related to data privacy and security are being reviewed.


South Florida Injury Centers; Chickasaw Nation Department of Health Report Data Breaches

A hacking incident has been reported by South Florida Injury Centers, and Chickasaw Nation Department of Health has discovered that an employee accessed patient data without authorization.

South Florida Injury Centers

South Florida Injury Centers, Inc., a medical practice with locations in Tamarac and Port Saint Lucie that specializes in treating patients injured in automobile accidents, has recently reported a hacking-related data breach to the HHS’ Office for Civil Rights that has affected up to 1,525 patients.

While few details have been released about the incident, this appears to have been a cyberattack by the threat actor Kairos. Kairos is a financially motivated threat group that engages in data theft and extortion, breaching networks, exfiltrating data, and demanding payment to prevent the data from being leaked online. The group has conducted attacks on several healthcare organizations and claims to have exfiltrated 45 GB of data from South Florida Injury Centers.

South Florida Injury Centers was added to its dark web data leak site on April 7, 2026, along with samples of the stolen data, which appear to contain redacted patient information such as names, contact information, driver’s license numbers, Social Security numbers, and medical histories. Kairos proceeded to leak the stolen data, indicating that the ransom was not paid.

Chickasaw Nation Department of Health, Oklahoma

Chickasaw Nation Department of Health in Oklahoma has reported an insider patient privacy incident that was first identified on April 22, 2026. An investigation was promptly initiated, and immediate steps were taken to prevent further unauthorized access.

The review of access logs confirmed that the privacy breach was due to the actions of a single employee, who had accessed patient records without authorization between December 1, 2025, and April 22, 2026. During that time, the records of 1,607 patients may have been accessed without authorization.

The information viewed included patient names, ages, dates of service, tribal affiliations, reasons for visits, and clinical information such as lab and radiology orders. No evidence was found to indicate that full Social Security numbers were viewed. The website notification about the privacy incident does not state the actions that have been taken against the employee over the privacy breach.
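Both insider cases on this page (the DSHS employee viewing client records for reasons unrelated to their duties, and the Chickasaw Nation employee whose five months of unauthorized access were confirmed from access logs) come down to the same control: routine review of who viewed which record, and when. The following is an added example, not code from DSHS, Chickasaw Nation Department of Health or the original posts. The CSV audit export, the patient-to-unit roster, the business-hours window and the thresholds are all constructed assumptions; a real EHR audit log would be mapped into the same fields.

```python
"""Access-log review for record snooping.

Added example, not code from DSHS, Chickasaw Nation Department of Health or
the original page. The log format (CSV: timestamp,user,role,unit,patient_id,
action), the patient-to-unit roster, the business-hours window and the
thresholds are constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed roster: the care unit each patient is currently admitted to.
PATIENT_UNIT = {"P100": "ONC", "P101": "ONC", "P200": "ED", "P201": "ED", "P300": "ORTHO"}

# Constructed audit export. dlee (oncology nurse) views her unit's patients
# on shift; jroe (ED clerk) views patients from other units late at night.
AUDIT_LOG = """\
timestamp,user,role,unit,patient_id,action
2026-04-20T09:12:00,dlee,nurse,ONC,P100,view
2026-04-20T09:40:00,dlee,nurse,ONC,P101,view
2026-04-20T10:05:00,jroe,clerk,ED,P200,view
2026-04-20T23:10:00,jroe,clerk,ED,P100,view
2026-04-20T23:12:00,jroe,clerk,ED,P300,view
2026-04-21T02:30:00,jroe,clerk,ED,P101,view
2026-04-21T08:15:00,jroe,clerk,ED,P201,view
"""

BUSINESS_HOURS = range(7, 20)  # assumed: 07:00 to 19:59 local time


def parse_log(text: str) -> list:
    """Parse the CSV export and attach a datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return rows


def summarize(rows: list) -> dict:
    """Per-user counters: total views, distinct patients, views of patients
    admitted to another unit, and views outside business hours."""
    summary = defaultdict(lambda: {"events": 0, "patients": set(), "cross_unit": 0, "after_hours": 0})
    for r in rows:
        s = summary[r["user"]]
        s["events"] += 1
        s["patients"].add(r["patient_id"])
        home_unit = PATIENT_UNIT.get(r["patient_id"])
        if home_unit is not None and home_unit != r["unit"]:
            s["cross_unit"] += 1
        if r["ts"].hour not in BUSINESS_HOURS:
            s["after_hours"] += 1
    return {u: {**v, "distinct_patients": len(v.pop("patients"))} for u, v in summary.items()}


def flag_users(rows: list, min_cross_unit: int = 2, min_after_hours: int = 2) -> list:
    """Users whose pattern, not a single event, warrants a privacy-office
    review. Thresholds are assumptions; a legitimate float nurse or an
    on-call clinician will show cross-unit views, so tune them per role and
    treat the output as a triage list, not a verdict."""
    flagged = []
    for user, s in summarize(rows).items():
        reasons = []
        if s["cross_unit"] >= min_cross_unit:
            reasons.append(f"{s['cross_unit']} views of patients outside own unit")
        if s["after_hours"] >= min_after_hours:
            reasons.append(f"{s['after_hours']} views outside business hours")
        if reasons:
            flagged.append((user, reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for user, reasons in flag_users(parse_log(AUDIT_LOG)):
        print(user, "->", "; ".join(reasons))
```

Run this daily over the previous day's export rather than quarterly: the Chickasaw Nation case ran from December 1, 2025, to April 22, 2026, and the DSHS post notes it is unclear how long that employee's access went undetected. Volume of distinct patients per day against a role baseline is a useful third signal once you have enough history to set one.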


Remote Desktop Tools are the Front Door in Healthcare, and Hackers are Walking Through

There is some positive news from the data collected by cybersecurity firm SonicWall, as cyberattacks have declined by up to 57% in some sectors; however, the healthcare industry has seen the smallest decline out of all tracked verticals, registering just a 17% year-over-year decline, compared to -23% for professional services, -42% for education, -46% for retail and -57% for manufacturing. Healthcare is still persistently targeted by cyber actors, and the gap between healthcare and other sectors is growing, according to the SonicWall 2026 Healthcare Protect Brief.

There are more active ransomware groups (10) attacking healthcare organizations than any other sector, indicating the industry is being actively targeted rather than falling victim to spray-and-pray attacks, and in H1 2026, there were four times as many malware hits per firewall in healthcare as the next most attacked sector. UltraVNC buffer overflow attacks generated 13.3 million hits in just 5 months, as hackers primarily targeted remote desktop tools to attack healthcare organizations – no other vertical experienced remote desktop exploitation at that scale.

Healthcare organizations rely on remote desktop tools to support their distributed clinical environments, telemedicine platforms, and third-party vendor access. If remote access credentials are compromised, they give threat actors a path to clinical systems and patient data, which can be exfiltrated and held to ransom. While network-level controls can limit data access, and multifactor authentication (MFA) can prevent compromised credentials from providing access, MFA is often not implemented, and a single set of credentials does not just unlock one application; it often grants access to the full network.

SonicWall also identified 243 unique attack methods targeting connected medical devices, with the Internet of Things (IoT) the fastest-growing and hardest-to-patch exposure. Healthcare organizations have a huge range of deployed connected devices, including infusion pumps, patient monitors, imaging systems and more, which means a huge attack surface to defend. Unfortunately, the attack surface is growing faster than security teams can govern it. IoT devices are often not routinely patched, cannot run endpoint agents, and often share network segments with clinical systems that contain protected health information.

“Healthcare does not have a cybersecurity problem. It has three of them,” explained Michael Crean, SonicWall SVP of Managed Services: remote desktop tools without layered controls and MFA, a huge IoT footprint containing vulnerable devices, and targeted ransomware attacks. “Attackers have figured out how to use all of them at the same time.”

Hackers continue to target the sector as the returns are too reliable and the defenses too predictable. “What our research makes clear is that attackers have done the math. Hospitals cannot go dark, downtime is measured in patient outcomes, and the pressure to pay is unlike anything in any other sector. None of that changes until healthcare stops relying on security architectures built for a world that no longer exists, and starts treating Zero Trust not as a future initiative, but as the baseline they needed yesterday.”

The immediate steps recommended by SonicWall are to restrict UltraVNC and RDP to internal VLANs and ensure that MFA is implemented for all remote access, with no exceptions for vendors and no break-glass credentials. Connected medical IoT devices must be placed on isolated networks, away from clinical systems. Healthcare organizations need to implement application-level Zero Trust and ensure that legacy vulnerability exposure is addressed. SonicWall recommends conducting a comprehensive inventory of clinical middleware and IoT firmware and then ensuring that vulnerabilities are patched or devices isolated on a defined schedule.
