High Severity Vulnerability Identified in Grassroots DICOM

Posted by Steve Alder

A high-severity vulnerability has been identified in Grassroots DICOM that could be exploited by a remote threat actor to trigger a denial-of-service condition.  The vulnerability, tracked as CVE-2026-3650, is a memory leak issue that has been assigned a CVSS v3.1 severity score of 7.5.

Grassroots DICOM is a C++ library for DICOM medical images that comes with a scanner implementation capable of quickly scanning hundreds of DICOM files for attributes. Grassroots DICOM is used by healthcare and public health sector organizations worldwide, including in the United States.

The vulnerability affects Grassroots DICOM (GDCM) version 3.2.2 and occurs when parsing malformed DICOM files with non-standard VR types in file meta information. If an attacker sends a specially crafted file, when that file is parsed, it leads to vast memory allocations and resource depletion, triggering a denial of service condition. A maliciously crafted file could fill the heap in a single read operation without properly releasing it.

The vulnerability was identified by Volodymyr Bihunenko, Mykyta Mudryi, and Markiian Chaklosh of ARIMLABS, who reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which contacted the maintainer of Grassroots DICOM; however, the maintainer failed to respond to requests by CISA to mitigate the vulnerability.

While there is currently no fix to remediate the vulnerability, CISA has suggested recommended practices to reduce the potential for exploitation. They involve ensuring that the Grassroots DICOM is not exposed to the internet, that control system networks are located behind firewalls and are isolated from business networks, and if remote access is required, that secure methods are used to connect, such as Virtual Private Networks (VPNs), ensuring that the VPN is running the latest software version.

The post High Severity Vulnerability Identified in Grassroots DICOM appeared first on The HIPAA Journal.

Telehealth Platform Provider OpenLoop Health Disclosed Data Breach

Posted by Steve Alder

A major data breach has been reported by the telehealth platform provider OpenLoop Health Inc. While the total number of affected individuals has yet to be publicly disclosed, it could well be one of the largest healthcare data breaches of the year to date. According to the breach notice provided to the California Attorney General, OpenLoop Health learned on January 7, 2026, that an unauthorized third party had gained access to some of its systems and copied files containing sensitive data. Third-party cybersecurity specialists were engaged to investigate and determine the nature and scope of the incident and ensure that its systems were secured and could no longer be accessed.

The forensic investigation confirmed that the unauthorized third party had access to its network from January 7, 2026, to January 8, 2026, and the files exfiltrated from its systems included information such as names, addresses, email addresses, dates of birth, and medical information. OpenLoop Health said Social Security numbers were not accessed or stolen. Steps have since been taken to harden security, and the affected individuals are being notified by mail. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

A threat actor with the moniker Stuckin2019 claimed responsibility for the incident in a hacking forum listing and claims to have obtained the information of 1.6 million patients. Threat actor claims may be exaggerated, the records may not all be unique, and in some cases, the claims are entirely fabricated. In this case, Stuckin2019 published samples of patient data as proof of data theft. OpenLoop Health has yet to publicly confirm the scale of the data breach or the validity of Stuckin2019’s claims. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, although the website of the Office of the Texas Attorney General lists an OpenLoop Health data breach affecting 68,160 state residents. That incident was published by the Texas Attorney General on March 18, 2026.

Databreaches.net reports that the Stuckin2019 is male and an individual rather than a group, who seemingly has form attacking telehealth companies. He claimed earlier this year to have attacked the New York telehealth company Zealthy, although the company has yet to publicly disclose any data breach. Databreaches reports that the OpenLoop Health forum post was only live for two days before being taken down, and in conversation with the hacker on Tox, was informed that payment was received and the data had been deleted.

The post Telehealth Platform Provider OpenLoop Health Disclosed Data Breach appeared first on The HIPAA Journal.

National Association on Drug Abuse Problems Announces Data Breach Affecting 90,000 Individuals

Posted by Steve Alder

The National Association on Drug Abuse Problems has experienced a data breach affecting up to 90,000 individuals. An insider data breach has been discovered by Weill Cornell Medicine, and Commonwealth Care Alliance has identified a mis-mailing incident.

The National Association on Drug Abuse Problems Hacking Incident Affects 90K Individuals

The National Association on Drug Abuse Problems (NADAP), a New York-based nonprofit, has disclosed a cybersecurity incident that has affected up to 90,000 individuals. Suspicious activity was identified within its network on or around January 10, 2026. Immediate action was taken to secure its network, and an investigation was launched to determine the nature and scope of the activity. On or around January 27, 2026, NADAP determined that the protected health information of certain clients, employees, and related individuals was present in files that were subject to unauthorized access.

The files have been reviewed and found to contain names, Social Security numbers, dates of birth, medical or health information, health care treatment or diagnostic information, health insurance information, and tax or financial information. The types of data involved vary from individual to individual. NADAP has implemented additional measures to enhance network security, including strengthening password requirements and implementing conditional access policies, and the incident has been reported to regulators and law enforcement. No known threat group has claimed responsibility for the incident.

The substitute data breach notice makes no mention of complimentary credit monitoring services. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements for suspicious activity.

Weill Cornell Medicine Identifies Insider Data Breach

Weill Cornell Medicine, the medical school of Cornell University in New York, has identified an insider breach involving the electronic medical records of 516 patients. Following an internal investigation, Weill Cornell Medicine confirmed that a former employee had accessed patient records for reasons unrelated to their job duties.

The potential for misuse of patient data is limited due to the nature of the data accessed, which was limited to name, contact information, and reason for visit. No Social Security numbers, clinical information, or financial information were accessed. Weill Cornell Medicine did not state the reason for the access but confirmed that the employee is no longer with the organization. All affected individuals have been notified by mail, and additional security measures have been implemented to reduce the risk of similar incidents in the future.

Commonwealth Care Alliance Announces Mis-Mailing Incident

Commonwealth Care Alliance, a Massachusetts-based health plan and care delivery system, has notified 634 individuals about a recent mis-mailing incident. The incident was identified on December 29, 2025, and involved letters intended for one member being mailed to an incorrect member. The letters included a member’s name, CCA Member ID number, and their Medicare eligibility status only. An investigation was launched to identify the cause of the error, and additional safeguards have been implemented to reduce the risk of similar incidents in the future, including supplemental quality checks with its mailing process.

The post National Association on Drug Abuse Problems Announces Data Breach Affecting 90,000 Individuals appeared first on The HIPAA Journal.

CMS Releases Final Rule Implementing HIPAA Standards for Health Care Claims Attachments

Posted by Steve Alder

The U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) released a final rule on Friday establishing new standards for the electronic transfer of claims documentation, including a new standard for electronic signatures to ensure that claims attachment transactions are secure, authenticated, and compliant with federal regulations.

While electronic health records have been widely adopted by healthcare providers, the healthcare industry is still reliant on outdated methods for transferring attachments to support electronic health care claims. The exchange of health care claims remains a manual process, with the necessary documentation transferred by fax or physical mail. These outdated methods of data transfer result in delays to patient care, increased health care costs, and place a considerable administrative burden on clinicians. The final rule modernizes health care administration, resulting in cost savings, time savings, enhanced security, improved efficiency, and faster care delivery.

“The 1980s called, and they want their fax machines back,” CMS Administrator Dr. Mehmet Oz said. “The futuristic medical breakthroughs we’ve achieved, like augmented reality glasses that give surgeons X-ray vision, shouldn’t have to coexist with administrative systems that often lag decades behind. This new rule will modernize American healthcare by standardizing electronic claims attachments and enabling secure electronic signatures. Because every minute providers save on paperwork is another minute they can spend caring for patients.”

The CMS collaborated with industry stakeholders when developing its proposed rule and received considerable feedback from health plans, healthcare providers, healthcare clearinghouses, technology vendors, patients, and consumers, which shaped the final rule. The final rule was published in the Federal Register on March 24, 2026, and takes effect on May 26, 2026. The new standards apply to all HIPAA-covered entities – health plans, healthcare providers, and healthcare clearinghouses – and compliance with the new standards is required by May 26, 2028. While HIPAA-covered entities have two years to ensure compliance, they are encouraged to read and review the final rule and start implementing the new standards promptly.

The final rule – Administrative Simplification; Adoption of Standards for Health Care Claims Attachments Transactions and Electronic Signatures Final Rule – implements the requirements of the administrative simplification subtitle of HIPAA and the Patient Protection and Affordable Care Act, and establishes the first-ever standards for healthcare claims attachments under HIPAA. The final rule will enable the secure electronic exchange of healthcare claims-related supporting documentation, including medical records, medical images, clinical notes, telemedicine visit documentation, and laboratory results. The new standards are anticipated to save the healthcare sector up to $782 million each year, according to the CMS, and will allow clinicians to spend more time providing care for patients.

The final rule adopts definitions of “attachment information,” “electronic signature,” and “health care claims attachments transaction,” and adopts standards for health care claims transactions and digital signatures used in conjunction with health care claims attachments transactions.  The final rule also adopts X12N standards for data exchange and Health Level 7 (HL7) standards for sharing clinical data.

While the proposed rule included electronic transfer standards for prior authorizations, after considering the comments received, the CMS omitted the proposed electronic transfer standards for prior authorizations from the final rule due to conflicts with currently mandated standards for prior authorization. The CMS will continue evaluating other standards for prior authorizations.

The post CMS Releases Final Rule Implementing HIPAA Standards for Health Care Claims Attachments appeared first on The HIPAA Journal.

Business Associate HIPAA Checklist

Posted by HIPAA-Journal

As aBusiness Associate, it is important to be aware of which HIPAA compliance standards apply to your organization.

Do you have the correct procedures in place to avoid costly data breaches, HIPAA violations, and regulatory fines?

Find out now with our comprehensive HIPAA Checklist for Business Associates that has been compiled by leading compliance experts.

Use the form to download this checklist.

Non Compliance Is Not An Option

HIPAA compliance standards are enforced by HHS Office of Civil Rights, the Centres for Medicare and Medicaid, and the Federal Trade Commission.

The post Business Associate HIPAA Checklist appeared first on The HIPAA Journal.