Why Medical Device Compliance Is Growing More Important Every Year – The HIPAA Journal
Community Health Center of Buffalo & Greenbaum Rowe Smith & Davis Confirm Data Breaches
Data breaches have been announced by Community Health Center of Buffalo in New York and the New Jersey law firm Greenbaum Rowe Smith & Davis.
Community Health Center of Buffalo, New York
Community Health Center of Buffalo (CHCB) in New York has identified a cybersecurity incident in which sensitive data was potentially accessed or acquired. Suspicious activity was identified within its computer network on April 21, 2026. Assisted by digital forensics experts, unauthorized network access was confirmed between April 20 and April 21, 2026.
The files are currently being reviewed to determine the types of data involved and the affected individuals. That process is ongoing; however, CHCB reports that the types of data likely involved includes names in combination with one or more of the following: address, date of birth, Social Security number, driver’s license, medical information such as diagnoses, treatment information, prescriptions/medications, treatment locations, lab results, medical record numbers, provider names, patient medical histories, and health insurance information
Data privacy and security practices are being reviewed, and steps are being taken to improve security. Credit monitoring and identity theft protection services will be made available. The data breach has been reported to the HHS’ Office for Civil Rights using an interim total of at least 501 affected individuals. The total will be updated when the investigation and file review are concluded.
Greenbaum Rowe Smith & Davis, New Jersey
Greenbaum Rowe Smith & Davis LLP, a New Jersey-based law firm, has started notifying 12,801 individuals about a breach of their protected health information. The practice provides legal services to healthcare practices in the state of New Jersey, which require access to certain patient data. The practice has confirmed that it experienced a cybersecurity incident involving unauthorized access to systems containing the data of patients of Atlantic Health System, Hackensack Meridian Health, and Trinitas Regional Medical Center.
Data exposed in the incident included names, Social Security numbers, medical information, health insurance information, and other personal data. At the time of issuing notifications, the practice was unaware of any public release of the impacted data. The practice is offering the affected individuals complimentary credit monitoring and identity theft protection services and has taken steps to improve security to prevent similar incidents in the future.
The post Community Health Center of Buffalo & Greenbaum Rowe Smith & Davis Confirm Data Breaches appeared first on The HIPAA Journal.
Physicians Primary Care of Southwest Florida Agrees to Data Breach Settlement – The HIPAA Journal
Physicians Primary Care of Southwest Florida Agrees to Data Breach Settlement
Physicians Primary Care of Southwest Florida was the victim of a targeted cyberattack in September 2024 that exposed patient data. The data breach sparked a class action lawsuit alleging the breach could have been prevented, as Physicians Primary Care of Southwest Florida failed to implement reasonable and appropriate security measures to prevent unauthorized access to patient data in its possession.
Physicians Primary Care of Southwest Florida is a medical facility with offices in Fort Myers, Cape Coral, Estero, and Lehigh Acres, Florida, that specializes in internal medicine, obstetrics, gynecology, family practice, and pediatrics. On or around September 17, 2024, unauthorized access to its network was identified. The hackers behind the attack had access to the network from September 15, 2024, to September 17, 2024, and potentially viewed or obtained patient data such as names, health information, and Social Security numbers. The data breach was reported to the HHS’ Office for Civil Rights as affecting 170,653 individuals.
The first lawsuit over the data breach was filed on December 3, 2024, in the Circuit Court of the Twentieth Judicial Circuit. An amended complaint was filed on March 7, 2025, in the Circuit Court for Lee County, Florida, naming two alternative plaintiffs, as the plaintiff who filed the initial complaint was determined not to be a putative class member.
The lawsuit – Cirillo et al. v. Physicians Primary Care of Southwest Florida, P.L. – asserted claims for negligence, breach of implied contract, breach of fiduciary duty, violation of the Florida Deceptive and Unfair Trade Practices Act, and declaratory judgment. Physicians Primary Care of Southwest Florida denies wrongdoing and liability and disagrees with the claims and contentions asserted by the lawsuit.
Shortly after the amended complaint was filed, the parties began exploring the possibility of an early resolution. A settlement was not agreed upon during mediation, but after several months of negotiations, terms were agreed that were acceptable to all parties. The settlement class consists of all living adults in the United States who received a notification that the data breach involved their information.
Under the terms of the settlement, class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $5,000 per class member. There is no alternative cash payment; however, all individuals are eligible to enroll in two years of medical monitoring services, which include a $1 million identity theft insurance policy.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for September 14, 2026. Individuals wishing to object to the settlement or opt out must do so by August 30, 2026. Claims must be submitted by September 29, 2026
The post Physicians Primary Care of Southwest Florida Agrees to Data Breach Settlement appeared first on The HIPAA Journal.
Why Medical Device Compliance Is Growing More Important Every Year
You don’t have to look very far to see the everyday applications of the medical device industry. They’re in the new technology and equipment in doctors’ offices, hospitals, and medical clinics. They surface in the expanding repertoire of devices that patients can use at home, expanding healthcare access and convenience. And they’re in the medical implants that often address serious health problems, including everything from pacemakers to stents to hip replacements to spinal fusion.
All these products are considered part of the medical device industry, which academic database ScienceDirect defines as a sector focused on the development, manufacturing, and distribution of devices that provide medical support and improve health outcomes, leveraging advances in biotechnology and bioengineering. A rapidly growing segment of the global economy, the medical device industry was valued at around $570 billion in 2025. It is expected to surpass $600 billion in 2026, before touching one trillion dollars sometime over the next decade.
Medical Device Compliance Defined
Like many large, lucrative industries, medical device manufacturers must adhere to a range of regulations imposed by the markets in which they operate. These regulations are developed and implemented to ensure that the industry’s products are safe, effective, and regularly monitored over the course of their lifetimes in the marketplace.
Due to the inherent risks involved, medical device manufacturing is an extensively regulated industry. Patients’ health, physical capabilities, and even lives are at stake when it comes to these technologies, and because of this, manufacturers have considerable legal responsibilities in countries like the U.S., the U.K., and Canada, as well as economic blocs like the European Union. Violating these regulations can trigger serious consequences, too, including penalties of $100,000 or more and imprisonment in cases of criminal negligence.
The World’s Major Medical Device Regulations
While the medical device sector spans the entire globe, industry regulations, and the legal obligations they impose, differ from one country to the next.
The U.S.: FDA and QSMR
The U.S. regulates medical devices through the Food and Drug Administration (FDA), which determines legal obligations based on three different risk categories. In addition to these classifications, medical device manufacturers must obtain FDA clearance to sell and market their devices, adhere to a Quality Management System Regulation (QSMR) harmonized to ISO 13485, and carry out post-market surveillance by monitoring defects, malfunctions, and other adverse events.
The EU: the MDR
In 2021, the EU replaced its Medical Device Directive (MDD) with the Medical Device Regulation (MDR), a change many describe as the largest shift in medical device compliance in years. The MDR imposes stricter requirements than its predecessor, with a higher threshold for clinical evidence and an expectation that manufacturers carry out post-market clinical follow-up to confirm that devices are working as intended and marketed.
In addition, the EU strengthened its requirements for the notifying bodies that certify devices for CE markings, reducing the number of organizations authorized to issue certifications.
The U.K. and the MHRA
To sell medical devices in the United Kingdom, manufacturers and importers must obtain a UKCA marking. Prior to 2021, products were classified into three different categories, with specific directives regulating each of them:
- Directive 90/385/EEC applies to active implantable medical devices.
- Directive 93/42/EEC applies to medical devices.
- Directive 98/79/EC applies to in vitro diagnostic medical devices.
Today, businesses must get their devices registered and certified through the Medicines and Healthcare products Regulatory Agency (MHRA), the government body responsible for post-market surveillance.
Canada’s CMDR
Canada regulates medical devices through the nation’s Medical Devices Directorate (MDD), a government agency responsible for evaluating the safety and effectiveness of medical technology. Devices are classified into four different risk categories, and products that are categorized in Class II, Class III, or Class IV must all obtain licenses to sell their products.
Products in these three classes must undergo a rigorous review process. During this process, the manufacturer submits a completed application for a license; the MDD reviews the application; and the MDD then issues a license where applicable. In addition to issuing licenses, the directorate also conducts post-market surveillance. According to the Canadian government, if a medical device is found to no longer meet safety and effectiveness requirements, the MDD may suspend its license or ask the manufacturer to recall or refit the medical device.
An Evolving Compliance Landscape
In recent years, medical device compliance has grown more demanding all over the world. In many countries, manufacturers are now responsible for a range of regulatory responsibilities, including but not limited to:
- Ensuring the safety of their devices.
- Adhering to material regulations, including substance bans, maximum thresholds, and other restrictions.
- Communicating and disclosing information to the public.
- Carrying out post-market surveillance in accordance with regulatory requirements.
According to scientific publisher Elsevier, the number of regulations for medical device manufacturers increased 64% between 2015 and 2022, and the landscape has continued expanding since. One statistic that puts the sector’s regulatory obligations in perspective: U.S. manufacturers spend, on average, around $24 million on FDA-related requirements when bringing a single medical device from initial concept to market. For devices classified in the highest-risk Class III by the FDA, that figure rises to $75 million. In the EU, research suggests that the recent transition from the MDD to the MDR has increased regulatory costs on manufacturers up to tenfold.
Medical device compliance is not only becoming more costly. It is also becoming more time-intensive. Manufacturers operating in the U.S. can expect to spend anywhere between a few weeks and eight months working through the FDA’s regulatory approval process, with significant variance depending on the complexity and potential risks of the device. In other countries and regions, this path takes longer. Companies operating in the EU should prepare to commit a year or longer to the compliance process, while businesses in Japan spend between one and three years working to gain regulatory approval for new medical devices, placing Japan among the countries with the longest medical device approval timelines.
Given the time and financial resources required for regulatory adherence, manufacturers need to fully understand and meet their legal obligations to access the large, expanding global marketplace for medical devices.
How Medical Device Manufacturers Can Achieve Regulatory Compliance
Given the stakes associated with products that impact individual health and well-being, medical device manufacturers need to treat regulatory compliance as a major priority. Violations of the MDD, the QSMR, or the MHRA, among other directives, carry substantial financial and legal consequences.
Understand All Regulations That Apply To Your Business
In order to practice effective compliance, manufacturers first need to understand the scope of their responsibilities. The first step in doing that is identifying what specific regulations apply to them and their products. Organizations should review all the countries where their product is manufactured, imported, or sold, and what those nations’ legal obligations are for medical devices.
Medical device regulations remain in an early stage of development. The landscape remains fragmented and heterogeneous, with little harmonization between nations. Businesses must remember that achieving adherence with one directive does not prevent them from violating another.
Carry Out Necessary Steps for Certification
After establishing the scope of their obligations, manufacturers must then begin the process of gathering all the information required to achieve certification with the applicable regulatory bodies. For the more demanding national directives, this may include a number of individual steps:
- Confirm product classification.
- Reach out to a notified body or other accredited third-party organization.
- Work with the notified body to compile all necessary documentation, including device descriptions, bills of materials (BOMs), general safety and performance requirements (GSPR), and risk management standards set by the International Organization for Standardization (ISO 14971).
- Prepare a clinical evaluation report that pulls together clinical data, risks and benefits, and the intended purpose of the device.
- Establish a plan for carrying out post-market clinical follow-up and implementing a post-market surveillance system.
While these steps vary from one regulation to the next, companies operating in multiple national markets should be prepared to fulfill most or all of them.
Foster Expertise and Develop Resources for Post-Market Surveillance
The post-market responsibilities imposed by directives like the MDD cannot be haphazard or ad-hoc. Organizations should have an established framework in place, with dedicated compliance professionals and a clear process for reviewing market data, issuing safety reports, and summarizing clinical performance. Post-market clinical follow-up (PMCF) and post-market surveillance (PMS) are strict obligations that can derail a product’s rollout or longevity when neglected, even after a device has reached the marketplace.
Leverage Third-Party Compliance Tools
The medical device and technology industry is comprised of many small and midsized businesses (SMBs), plenty of whom do not have the internal resources or bandwidth to effectively manage all the compliance obligations the sector imposes. In these cases, manufacturers can utilize a compliance tool that helps them understand their legal responsibilities, collects all the necessary compliance data, and submits technical documentation and clinical evaluations to the appropriate regulatory body. These software tools can support organizations through a regulatory process that is otherwise complex, lengthy, and difficult for smaller companies with limited bandwidth.
The post Why Medical Device Compliance Is Growing More Important Every Year appeared first on The HIPAA Journal.
ScienceSoft’s HIPAA-compliant AI voice scheduler built on AWS – Amazon Web Services (AWS)
May 2026 Healthcare Data Breach Report – The HIPAA Journal
May 2026 Healthcare Data Breach Report
Based on the current data on the HHS’ Office for Civil Rights (OCR) breach portal, 61 healthcare data breaches affecting 500 or more individuals were reported in May 2026. May’s current total represents a 27.1% month-over-month increase in data breaches. Over the past 12 months, an average of 64 large healthcare data breaches were reported each month.

From January 1, 2026, to May 31, 2026, 319 data breaches affecting 500 or more individuals have been reported to OCR. This time last year, the total stood at 342 large data breaches.
While data breaches increased from April, the number of affected individuals fell by 34.8% to 879,447 individuals. In May, an average of 14,417 individuals were affected by healthcare data breaches, down from an average of 28,116 individuals in April. Over the past 12 months, an average of 10.6 million individuals have been affected by healthcare data breaches each month.

Data breaches are down slightly year-over-year, but there has been a massive reduction in the number of affected individuals. Very large data breaches have not been reported to OCR in the numbers seen in previous years. From January 1, 2026, to May 31, 2026, across the 319 data breaches, at least 21,085,405 individuals have been affected. The OCR breach portal shows that from January 2025 to May 2025, 33,116,809 individuals were affected by data breaches.
Biggest Healthcare Data Breaches of May 2026
In May 2026, 17 data breaches affecting 10,000 or more individuals were reported to OCR, all of which were hacking incidents. The biggest data breach of the month was reported by Radiology Associates of Richmond, affecting more than 266,000 individuals, followed by a hacking incident at Western Orthopaedics which affected more than 113,000 individuals.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| Radiology Associates of Richmond | VA | Healthcare Provider | 266,183 | Hacking incident |
| Western Orthopaedics, P.C. | CO | Healthcare Provider | 113,330 | Hacking incident |
| ERMI LLC | GA | Healthcare Provider | 74,074 | Hacking incident |
| Singing River Health System | MS | Healthcare Provider | 53,888 | Hacking incident |
| Southern Illinois Ob-Gyn Associates, S.C. | IL | Healthcare Provider | 38,700 | Hacking incident |
| Gastro Health | FL | Healthcare Provider | 35,632 | Unauthorized access to email accounts |
| Eyemart Express, LLC | TX | Healthcare Provider | 25,000 | Hacking incident |
| Connecticut Department of Social Services | CT | Health Plan | 22,500 | Unauthorized access to provider portal website |
| Bridle Trails Family Dentistry | WA | Healthcare Provider | 20,976 | Unauthorized access to email account |
| Community Connections | DC | Healthcare Provider | 18,943 | Ransomware attack (INCRansom) |
| Virta Medical PC | CO | Healthcare Provider | 14,636 | Hacking incident (Lapsus$) |
| Saurabh N. Patel, M.D – Florida Retina Center | LA | Healthcare Provider | 13,652 | Hacking incident |
| Greenbaum Rowe Smith & Davis LLP | NJ | Business Associate | 12,801 | Hacking incident |
| Wellpoint Washington, Inc. | IN | Health Plan | 12,020 | Unauthorized access to email account |
| Defense Health Agency (TriWest) | VA | Health Plan | 11,848 | Hacking incident |
| IKRON Corporation | OH | Healthcare Provider | 11,845 | Hacking incident |
| Elara Caring | TX | Healthcare Provider | 10,490 | Hacking incident at third-party vendor |
May’s total number of affected individuals may increase considerably over the coming weeks and months, as healthcare organizations complete their data breach investigations. HIPAA-regulated entities have 60 days from the date of discovery of a data breach to issue notifications to the HHS’ Office for Civil Rights and the affected individuals. HIPAA requires OCR to be notified even if the total number of individuals has yet to be determined by the 60-day deadline. In such cases, an estimate should be provided. Many regulated entities use a placeholder estimate of 500 or 501 individuals in such cases, and in May, 7 regulated entities appear to have used these placeholder figures.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| United Medical Doctors | CA | Healthcare Provider | 501 | Hacking/IT Incident |
| NJ Pain Care Specialists, LLC | NJ | Healthcare Provider | 501 | Hacking/IT Incident |
| Palomar Health Medical Group | CA | Healthcare Provider | 501 | Hacking/IT Incident |
| Aroostook Mental Health Center | ME | Healthcare Provider | 501 | Hacking/IT Incident |
| Campbell University | NC | Healthcare Provider | 500 | Hacking/IT Incident |
| BAYADA Home Health Care, Inc. | NJ | Healthcare Provider | 500 | Hacking/IT Incident |
| Integrated Pain Associates | TX | Healthcare Provider | 500 | Hacking/IT Incident |
Causes of May 2026 Healthcare Data Breaches
Hacking and other IT incidents dominated the breach reports in May, as has been the case each month for several years. Out of the month’s 61 large healthcare data breaches, 54 were classed as hacking/IT incidents – 88.5% of the month’s data breaches. Across those incidents, the protected health information of 853,532 individuals was compromised- 88.5% of the month’s total affected individuals. On average, hacking/IT incidents affected 15,806 individuals in May, with a median breach size of 3,619 individuals.
There were 7 data breaches classed as unauthorized access/disclosure incidents, representing 11.5% of the month’s breaches. Across those incidents, the protected health information of 25,915 individuals was unlawfully accessed or disclosed. On average, 3,702 individuals were affected by each incident in May. The median breach size was 3,086 individuals. There were no reported theft, loss, or improper disposal incidents in May.
Given the large number of hacking incidents, it is no surprise that the most common location of breached protected health information was network servers. Email incidents were also reported in high numbers.
States Affected by May 2026 Healthcare Data Breaches
Large healthcare data breaches were reported by HIPAA-regulated entities in 26 U.S. states and the District of Columbia. California was the worst affected state with 6 breaches.
| State | Breaches |
| California | 6 |
| Florida, New Jersey, New York, North Carolina, Ohio, Texas & Virginia | 4 |
| Colorado | 3 |
| Indiana, Maine, Michigan, Pennsylvania, South Carolina & the District of Columbia | 2 |
| Arizona, Connecticut, Georgia, Illinois, Iowa, Louisiana, Massachusetts, Mississippi, Oregon, Tennessee, Washington & Wisconsin | 1 |
In terms of affected individuals, Virginia topped the list with almost 300,000 state residents affected.
| State | Individuals Affected | State | Individuals Affected |
| Virginia | 290,254 | Louisiana | 13,652 |
| Colorado | 128,661 | Pennsylvania | 7,095 |
| Georgia | 74,074 | South Carolina | 6,946 |
| Mississippi | 53,888 | Iowa | 6,666 |
| Florida | 44,649 | Michigan | 6,456 |
| Texas | 40,045 | California | 5,303 |
| Illinois | 38,700 | North Carolina | 4,949 |
| Ohio | 28,540 | Massachusetts | 3,086 |
| Connecticut | 22,500 | Maine | 3,024 |
| Washington | 20,976 | Oregon | 2,856 |
| District of Columbia | 20,014 | Arizona | 2,316 |
| New York | 19,674 | Tennessee | 1,807 |
| Indiana | 17,325 | Wisconsin | 1,080 |
| New Jersey | 14,911 | ||
Data Breaches at HIPAA -Regulated Entities
In May 2026, 42 data breaches were reported by healthcare providers, 9 breaches were reported by health plans, and 10 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.
The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 22 of the 61 breaches (rather than 10) occurred at business associates in May.
HIPAA Enforcement Activity in May 2026
No enforcement actions were announced by OCR or state attorneys general in May.
The post May 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.





