OSHA Launches Initiatives to Help Employers Develop and Implement Effective Health & Safety Programs

Posted by Steve Alder

The U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) has announced new initiatives to help employers develop and implement effective health and safety programs and meet federal workplace safety requirements.

The Safety Champions Program

The Safety Champions Program has been launched to help employers develop and implement effective workplace safety and health programs to improve safety and health and prevent workplace injuries, illnesses, and deaths. While any employer can sign up to become a safety champion, the program is especially beneficial for small businesses seeking to develop a more effective safety and health program. The program provides a comprehensive framework of policies, guidance, and requirements to help employees enhance their safety and health management program.

The program incorporates the seven core elements of OSHA’s Safety and Health Program Recommended Practices – management leadership, worker participation, hazard identification & assessment, hazard prevention & control, education & training, program evaluation & improvement, and communication and coordination for host employers, contractors & staffing agencies – and provides employers with the tools they need to create an effective safety and health program.

There are three steps to the Safety Champions Program – Introductory, Intermediate, and Advanced – each of which is self-guided and self-paced. Participants may request a Safety Champion Special Government Employee (SGE) to assess their progress through the steps and their safety and health program. “The Department of Labor’s new Safety Champions Program exemplifies the Trump Administration’s commitment to supporting and empowering job creators,” U.S. Secretary of Labor Lori Chavez-DeRemer said. “By providing employers with these resources, we are putting American workers first and keeping them healthy and safe on the job.”

OSHA Cares Initiative

OSHA has also launched a new OSHA Cares Initiative, an agency-wide effort to help businesses meet federal workplace safety requirements and build strong and successful safety and health programs. The initiative is intended to show businesses that OSHA is here to help ensure their workplaces are safe and healthful, and to encourage them to reach out to OSHA for assistance and collaborate with the agency.

The program aims to empower employers to improve safety in the workplace, especially small to medium-sized businesses with unique safety and health challenges. This will be achieved by increasing access to OSHA’s experts and compliance assistance specialists, providing access to educational and training materials, and providing consistent workplace assistance during enforcement visits and meetings. OSHA’s Directorate of Enforcement Programs is also launching a training program to standardize how its Compliance Safety and Health Officers will offer real-time assistance during inspections and enforcement activities.

“We want to provide practical, real-time insight, equipping employers with the tools needed to improve safety and health,” said David Keeling, Assistant Secretary of Labor for Occupational Safety and Health. “Through open dialogue, responsive support, and trusted resources, we can help workplaces move beyond compliance toward making sure workers go home safe.”

The post OSHA Launches Initiatives to Help Employers Develop and Implement Effective Health & Safety Programs appeared first on The HIPAA Journal.

Balance Autism Settles Class Action Data Breach Lawsuit

Posted by Steve Alder

Balance Autism has agreed to settle a class action lawsuit stemming from a security incident that exposed patient information. Altoona, Iowa-based Balance Autism identified a cybersecurity incident on or around March 17, 2025, that resulted in a data breach. Hackers had access to its network from March 11, 2025, to March 17, 2025, and obtained access to data such as names, dates of birth, Social Security numbers, health insurance information, and Medicaid numbers. The data breach was reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 1,281 individuals.

A class action lawsuit – Bennett v. Balance Autism – was filed in the Iowa District Court for Polk County by plaintiff Andrea Bennett, individually and on behalf of other similarly affected individuals. The lawsuit alleged that the cybersecurity incident resulted from the defendant’s negligence in failing to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network. The lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, breach of fiduciary duty, and invasion of privacy. The defendant denies all claims and contentions in the lawsuit, including allegations of fault, wrongdoing, and liability; however, following mediation, a settlement was agreed that was acceptable to all parties to bring the litigation to an end.

Under the terms of the settlement, Balance Autism has agreed to pay for two years of credit monitoring and identity theft protection services and will accept claims from the affected individuals for up to $400 as reimbursement for out-of-pocket losses due to the data breach, and up to four hours of lost time at $20 per hour. Alternatively, instead of submitting a claim for reimbursement of losses and lost time, class members may submit a claim for a cash payment, which is estimated to be $50, but may be lower, depending on the number of claims received.

The deadline for exclusion and objection is May 1, 2026; the claims deadline is June 1, 2026; and the final approval hearing has been scheduled for June 12, 2026.

The post Balance Autism Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Akeela Data Breach Settlement Gets First Nod from the Court

Posted by Steve Alder

In June of last year, we reported that a settlement had been agreed to resolve a class action lawsuit against Akeela, Inc., over a June 2023 cybersecurity incident and data breach. The case was stayed until July 18, 2025, and ahead of that date, the plaintiff was required to move for preliminary approval of class certification. Ahead of that date, the plaintiff, Jessica McRorie, dismissed her complaint without prejudice and immediately joined a separate complaint, Batin et al. v. Akeela, Inc., which made substantially similar allegations. The Batin case, filed in the Superior Court for Anchorage, Alaska, has recently been settled, and the settlement has received preliminary approval from the court.

The Batin case lists Jessica McRorie, Elynnie Batin, Jane Doe, Rocky Hawley, Andrew Metcalf, Thomas Maxim, and Kathleet Yarr (Personal Representative for the Estate of Ian Christiansen) as plaintiffs, who allege that their names, Social Security numbers, dates of birth, and medical diagnosis and treatment information were exposed to cybercriminals as a result of the negligence of Akeela. Akeela is alleged to have failed to adequately secure its network, which allowed cybercriminals to access patients’ sensitive data.

The defendant denies the claims and contentions in the lawsuit and disputes the facts, including that any damages have been suffered as a result of the data breach or that the action satisfies the requirements to be certified or tried as a class action. To avoid continuing with the litigation, which would likely be protracted and expensive, and to avoid the uncertainty of a trial, a settlement was agreed.

Compared to most settlement agreements to resolve class action data breach lawsuits, the benefits are limited. Class members may submit a claim for two years of credit monitoring and identity theft protection services, and a pro rata cash payment may be claimed. The cash payments will be paid from the remainder of a $50,000 settlement fund after credit monitoring costs have been deducted.  Attorneys’ fees and other costs and expenses will be paid separately by Akeela. The deadline for objection and exclusion is April 13, 2026; the claims deadline is May 25, 2026, and the final approval hearing has been scheduled for April 13, 2026.

June 4, 2025: Akeela Inc. Agrees to Settlement to Resolve Class Action Data Breach Litigation

Akeela Inc., an Anchorage, AK-based provider of mental health and substance use disorder treatment services, has agreed to settle a class action lawsuit filed in response to a 2023 data breach that exposed the protected health information of more than 284,000 individuals.

On or around June 22, 2023, Akeela experienced a disruption to its IT network. The forensic investigation confirmed there had been unauthorized network access and the exfiltration of administrative files containing patients’ protected health information. The stolen information included names, dates of birth, diagnosis and treatment information, and Social Security numbers.

In August 2024, a class lawsuit – Jessica McRorie v. Akeela Inc. – was filed in the United States District Court for the District of Alaska over the data breach. The lawsuit alleged Akeela was negligent by failing to secure and safeguard patients’ personally identifiable and protected health information and did not comply with industry-standard data security practices, even though there was a known risk that cybercriminals actively target healthcare providers. The lawsuit claims Akeela maintained sensitive data in a reckless manner, and as a direct consequence of its negligence, sensitive patient data is now in the hands of cybercriminals.

Further, when the breach was detected, Akeela delayed issuing notification letters to the affected individuals, who were informed that their sensitive data had been stolen more than a year after the data breach was identified. The lawsuit claims that the delay diminished the plaintiff and class members’ ability to timely and thoroughly mitigate and address the harms resulting from the data breach.

The lawsuit claims the plaintiff and class members have suffered concrete injuries as a result of the data breach, including financial costs from mitigating the risk and imminent threat of identity theft and fraud, lost of time and productivity, actual identity theft and fraud, deprivation of the value of their private information, loss of privacy, and emotional distress, anxiety, and stress. In addition to claims for negligence and negligence per se, the lawsuit asserted claims of breach of implied contract, breach of fiduciary duty, invasion of privacy, and unjust enrichment.

Akeela maintains there was no wrongdoing and denies all of the claims and contentions in the lawsuit; however, the healthcare provider agreed to settle the litigation to avoid further legal costs and the uncertainty of trial. Details of the settlement agreement have yet to be made public; however, the plaintiff and Akeela have reached an agreement in principle on an appropriate settlement. Notices for class members and the motion for preliminary approval from the court are now being prepared.

This post will be updated when the settlement receives preliminary approval from the court.

The post Akeela Data Breach Settlement Gets First Nod from the Court appeared first on The HIPAA Journal.

Navia Benefit Solutions Discloses Data Breach Affecting 2.7 Million Individuals

Posted by Steve Alder

Over a three-week period between December 2025 and January 2026, hackers had access to the network of a Washington-based employee benefits administrator and potentially acquired the data of almost 2.7 million current and former participants and their dependents.

Renton, WA-based Navia Benefit Solutions, Inc., provides employee benefits administration services, including Health Care Flexible Spending Accounts and COBRA benefits. The company works with employers to manage tax-advantaged healthcare and dependent care accounts, and as such, maintains large amounts of employee data. The company has more than 10,000 clients nationwide and more than 1 million participants. The intrusion was identified on or around January 15, 2026, and the forensic investigation confirmed that its computer environment was subject to unauthorized access from December 22, 2025, to January 15, 2026. According to the breach notice provided to the Maine Attorney General, 2,697,540 individuals have been affected.

Navia Benefit Solutions uploaded a substitute breach notice to its website on March 13, 2026, and individual notification letters started to be mailed to the affected individuals on March 18, 2026. Data potentially compromised in the incident included names, email addresses, phone numbers, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Navia Benefit Solutions said it moved quickly to respond to the incident and secure its systems, and an investigation was launched to determine the nature and scope of the incident. Federal law enforcement was notified, and the company has been working to implement additional security measures and provide its employees with additional training to prevent similar incidents in the future. Navia Benefit Solutions did not disclose whether this was a ransomware attack or if it received a ransom demand. No ransomware group has claimed responsibility for the incident.

The data breach is a reportable incident under HIPAA. The Department of Health and Human Services has been notified, and a media notice has also been issued, in compliance with the HIPAA Breach Notification Rule. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal. While it is unclear how many clients have been affected, the Washington State Health Care Authority is one of the affected clients. Navia Benefit Solutions contracted with the Washington State Health Care Authority as the administrator of its Flexible Spending Arrangement (FSA) and Dependent Care Assistance Program (DCAP) for the PEBB and SEBB Programs.

Washington State Health Care Authority, which manages Medicaid in the state, has published its own substitute breach notice. The notice confirms that records going back seven years were compromised in the incident, which relate to approximately 27,000 current and former PEBB members, 5,600 current and former SEBB members, and 3,000 current and former Compacts of Free Association (COFA) islander members. In addition, 37 school districts that contracted with Navia before the SEBB Program was implemented in January 2020 have also been notified that some of their data was potentially compromised in the incident. The impacted data includes first and last names, Navia ID numbers, addresses, phone numbers, email addresses, enrollment start and end dates, employee IDs, Social Security numbers, and dates of birth.

The post Navia Benefit Solutions Discloses Data Breach Affecting 2.7 Million Individuals appeared first on The HIPAA Journal.