AI Analysis Identifies 38 Flaws in OpenEMR Platform – The HIPAA Journal
An automated, AI-driven analysis of the most widely used electronic medical records platform uncovered 38 previously unknown vulnerabilities, including two critical flaws with maximum CVSS severity scores of 10.0. The vulnerabilities were identified as part of a collaboration between AISLE, an autonomous, AI-native application security platform, and OpenEMR, an open source and U.S. government-certified platform, the purpose of which was to identify and remediate critical vulnerabilities in the platform before they could be exploited by malicious actors.
OpenEMR is used by more than 100,000 healthcare providers worldwide, and the platform serves more than 200 million patients globally. OpenEMR is free open source software with no licensing fees and relatively low operating costs, making it a popular choice for under-resourced healthcare providers. The platform is widely used in the United States.
The analysis by AISLE resulted in 39 GitHub Security Advisories (GHSAs) for OpenEMR in Q1 2026, spanning critical, high, and moderate severity, with 38 of the 39 receiving CVE identifiers. The two most serious vulnerabilities could have been exploited to read and rewrite patient and provider data, compromise the full database, and achieve remote code execution on the server, allowing ePHI to be exfiltrated at scale. One of the maximum-severity flaws was exploitable by a remote attacker with no authentication against any Internet-reachable OpenEMR instance.
The vulnerabilities identified by AISLE accounted for more than half of all OpenEMR security advisories published on GitHub in Q1 2026. “These disclosures reflect the growing threats that healthcare institutions face in the age of AI,” said Stanislav Fort, co-founder and chief scientist at AISLE. “Because human lives and identities are at stake, few issues are as critical as ensuring that medical codebases are secure. AISLE’s collaboration with OpenEMR shows that AI-driven analysis can help dedicated, lean teams defend vital systems and remain compliant.”
Threat actors are increasingly using AI to analyze code and find exploitable vulnerabilities, so defenders need to use AI to accelerate discovery and remediation as well. Through the partnership with AISLE, the OpenEMR maintainers were able to fix the vulnerabilities before they were exploited, and have now begun a longer-term partnership with AISLE to secure OpenEMR for years to come.
For each of the 38 CVEs, AISLE generated a repository-native fix proposal that used OpenEMR’s own abstractions, authorization patterns, and sanitization helpers. AISLE produced the final fix for one of the critical vulnerabilities, and for the other critical flaws the OpenEMR maintainers adopted AISLE’s proposed remediation into their fix. The OpenEMR maintainers now have access to AISLE’s AI-native AppSec platform, which lets them automatically detect, triage, and fix software vulnerabilities, so the project can keep hardening its defenses without hiring additional staff. In addition to scanning production code, OpenEMR is using the AISLE vulnerability analyzer on proposed changes to catch security issues before they reach production.
The post AI Analysis Identifies 38 Flaws in OpenEMR Platform appeared first on The HIPAA Journal.
Healthcare Organizations Struggling to Implement Primary Method of Blocking Lateral Movement
A study of security leaders from the healthcare and manufacturing industries found that while there is an almost universal intent to deploy modern microsegmentation, more than 90% of respondents had covered fewer than 80% of their critical systems, even though almost half admitted to suffering a lateral movement attack in the past year. In healthcare, fewer than 6% of respondents said that their organization had implemented microsegmentation across 80% or more of their critical systems.
Microsegmentation is a cybersecurity technique that divides a network into small, distinct, and isolated zones to secure individual workloads, applications, or devices. Traditional network segmentation, such as Virtual Local Area Networks (VLANs), creates broad zones in which any two members can talk freely, whereas microsegmentation applies security policy at the level of the individual workload or application. It gives organizations East-West traffic control inside the data center and clinical network, rather than only North-South controls at the perimeter for traffic entering or leaving the network. It also provides detailed visibility into traffic flows, including which applications are communicating with each other. Healthcare organizations can use it to strictly isolate and monitor systems that handle protected health information (PHI), which can simplify HIPAA Security Rule compliance.
Microsegmentation blocks access to internal workloads from any workload or application that is not explicitly authorized to reach them, and can be applied to on-premises and hybrid environments. It reduces the attack surface and greatly limits the potential for lateral movement. In the event of a compromise, the attacker is contained within a single microsegment, limiting the harm they can cause and the data they can reach.
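To make the East-West point concrete, the following policy evaluator is an added illustration and not code from Elisity, Omdia, or The HIPAA Journal. It models the same constructed hospital inventory under two enforcement styles: coarse VLAN segmentation, where peers in one VLAN talk freely and a VLAN-pair ACL permits cross-VLAN traffic, and identity-based microsegmentation, where every endpoint carries an identity group and traffic is denied unless a group-to-group rule allows that protocol and port. The host names, VLAN numbers, identity groups, ports, and rules are all assumptions constructed for the example; the blast_radius() helper shows what a compromised host can reach under each model.

```python
"""Identity-based microsegmentation vs VLAN segmentation: a policy evaluator.

Added illustration, not code from Elisity, Omdia, or The HIPAA Journal. The
inventory, identity groups, VLAN numbers, ports and rules are constructed
assumptions for the example.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Endpoint:
    name: str
    vlan: int
    group: str  # identity label that microsegmentation policy is written against


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


# Constructed inventory: ICU access VLAN 10 mixes clinical workstations, an
# infusion pump and a visiting clinician's unmanaged laptop; EHR tier is VLAN 20.
ENDPOINTS = {e.name: e for e in [
    Endpoint("ws-icu-01", 10, "clinical-workstation"),
    Endpoint("ws-icu-02", 10, "clinical-workstation"),
    Endpoint("pump-icu-07", 10, "iomt-infusion-pump"),
    Endpoint("byod-dr-lee", 10, "visiting-clinician"),
    Endpoint("ehr-web-01", 20, "ehr-app"),
    Endpoint("ehr-db-01", 20, "ehr-database"),
]}

# Coarse VLAN model: anything inside a VLAN talks freely, and cross-VLAN
# traffic is allowed wherever a VLAN-pair ACL entry exists (assumed to be
# a broad "permit ip any any" between the access and EHR VLANs).
VLAN_ACL = {(10, 20)}

# Identity-based model: (src_group, dst_group) -> allowed (proto, port) pairs.
# Anything not listed is denied, including traffic between peers in one VLAN.
MICROSEG_POLICY = {
    ("clinical-workstation", "ehr-app"): {("tcp", 443)},
    ("visiting-clinician", "ehr-app"): {("tcp", 443)},
    ("iomt-infusion-pump", "ehr-app"): {("tcp", 443)},
    ("ehr-app", "ehr-database"): {("tcp", 3306)},
}


def vlan_allows(flow: Flow) -> bool:
    """Coarse segmentation: same VLAN, or an inter-VLAN ACL entry, permits the flow."""
    src, dst = ENDPOINTS.get(flow.src), ENDPOINTS.get(flow.dst)
    if src is None or dst is None:
        return False
    return src.vlan == dst.vlan or (src.vlan, dst.vlan) in VLAN_ACL


def microseg_allows(flow: Flow) -> bool:
    """Identity-based segmentation: default deny, explicit group-to-group allow."""
    src, dst = ENDPOINTS.get(flow.src), ENDPOINTS.get(flow.dst)
    if src is None or dst is None:
        return False  # unknown identity: fail closed
    allowed = MICROSEG_POLICY.get((src.group, dst.group), set())
    return (flow.proto, flow.port) in allowed


# Ports an attacker on a compromised host typically tries when moving laterally.
LATERAL_MOVEMENT_PORTS = [("tcp", 22), ("tcp", 445), ("tcp", 3389), ("tcp", 3306), ("tcp", 443)]


def blast_radius(compromised: str, allows: Callable[[Flow], bool]) -> set[str]:
    """Endpoints reachable from a compromised host on any lateral-movement port."""
    return {
        dst
        for dst in ENDPOINTS
        if dst != compromised
        for proto, port in LATERAL_MOVEMENT_PORTS
        if allows(Flow(compromised, dst, proto, port))
    }


if __name__ == "__main__":
    for host in ("ws-icu-01", "byod-dr-lee", "ehr-web-01"):
        print(f"{host:12} VLAN reach:     {sorted(blast_radius(host, vlan_allows))}")
        print(f"{host:12} microseg reach: {sorted(blast_radius(host, microseg_allows))}")
```

Under the VLAN model a phished ICU workstation, or the visiting clinician's laptop sitting in the same access VLAN, can reach every other ICU device plus the EHR database over the inter-VLAN ACL; under the identity-based model both are limited to HTTPS to the EHR application, and a host with no known identity is denied outright. The same default-deny shape is what the switch-enforced policy described above applies, with the identity coming from device or user attributes rather than from the port the device happens to be plugged into.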
The study of 352 healthcare and manufacturing security leaders was conducted by Omdia on behalf of the network segmentation vendor Elisity. It found that 99% of respondents were implementing or planning to implement microsegmentation, and 57% ranked it as their main initiative for preventing lateral movement; however, full deployment was slow. Only 9% of respondents had implemented it across 80% or more of critical systems, and just 6% in healthcare. While microsegmentation ranked first among planned priorities, it ranked near the bottom, at 24%, among zero-trust controls already deployed.
There have been challenges implementing microsegmentation in the past; however, modern identity-based microsegmentation is a different beast, requiring no agents, no hardware changes, and no VLAN reconfiguration. Instead, policy is enforced directly on the existing network switches. “Microsegmentation has matured, but many organizations still carry the scars of earlier, complex approaches. What’s changed is the architecture. Identity-based microsegmentation lets teams enforce precise policy on the switches they already run, so security becomes an enabler rather than a gate,” James Winebrenner, CEO, Elisity, said.
Most organizations still rely on VLANs, ACLs, and agent-based tools, which require constant rework and leave East-West exposure wide open. First-generation tools built around network location rather than identity have slowed real progress to a crawl, as agent-based and firewall-centric designs could not uniformly cover IT, IoT, OT, and IoMT devices. According to Elisity, “These approaches had outdated or unsupported software (56%), high maintenance costs and hardware limitations (50%), and frequent failures or performance issues (43%).”
Healthcare respondents reported particular difficulty integrating microsegmentation with SIEM, EDR, and SOAR tooling. They said visiting clinicians (74%) and clinical staff (72%) require the most granular policy attention, given the mix of managed and unmanaged devices moving through clinical environments. Many respondents were unaware how quickly modern identity-based solutions can be deployed: only 22% had hands-on experience implementing microsegmentation, and most teams were still running legacy methods.
There is a clear desire to implement microsegmentation, and awareness of modern-identity-based microsegmentation is improving. “Our data shows the shift is on. Enterprises intend to deploy microsegmentation, and many now see modern solutions as easier and more effective,” said Hollie Hennessy, Principal Analyst, Omdia, who points out that with modern solutions, the timeline for implementation has shortened from years to weeks.
The post Healthcare Organizations Struggling to Implement Primary Method of Blocking Lateral Movement appeared first on The HIPAA Journal.
Medical Device Maker Medtronic Announces Data Breach – The HIPAA Journal
The medical device manufacturing giant Medtronic has confirmed that hackers breached its network and exfiltrated data. The company announced the cyberattack on Friday, April 24, 2026, and said the attack was quickly contained and its incident response protocols were activated.
Medtronic manufactures a range of medical products, including pacemakers, defibrillators, heart valves, coronary stents, insulin pumps, continuous glucose monitoring systems, neurosurgery products and imaging systems, surgical robotics, ventilators, and gastrointestinal products. The company is the world’s largest medical device company by revenue, which was $33.5 billion in fiscal year 2025. The company operates in more than 150 countries, employs around 95,000 people worldwide, and serves around 79 million patients annually.
According to Medtronic, the hackers accessed only a limited portion of its network. The company said that the networks supporting its corporate IT systems, products, manufacturing, and distribution operations are separate from one another, and that hospital customer networks are separate from Medtronic IT networks and are secured and managed by the customers’ own IT teams. A leading cybersecurity firm has been engaged to investigate the incident and support remediation. At present, no impact has been identified on its products, patient safety, customer connections, manufacturing and distribution operations, or financial reporting systems, and the company says it is continuing to meet patient needs.
What is not currently known is whether personal or protected health information was accessed or stolen. If it was, Medtronic said affected individuals will be identified and notified, and support services will be made available. While mitigating the incident, Medtronic said it is also identifying additional ways to strengthen system security to prevent similar incidents in the future.
Medtronic is a publicly traded company and is therefore required to notify the U.S. Securities and Exchange Commission (SEC) of material events that may affect shareholders. In its Form 8-K filing with the SEC, Medtronic states that the incident is not expected to have a material impact on its business or financial results. Before Medtronic’s announcement and SEC filing, the ShinyHunters data theft and extortion group had claimed responsibility for the attack on April 18, 2026, saying it had exfiltrated terabytes of Medtronic data, including personally identifiable information.
ShinyHunters claimed to have stolen more than 9 million records containing PII, although Medtronic has not verified that claim. The group said it would publish the stolen data if a ransom was not paid by April 21, 2026; the amount demanded has not been made public. Medtronic has since been removed from the ShinyHunters data leak site, which may indicate that a ransom was paid, although Medtronic has not confirmed whether that is the case.
“This incident highlights a recurring pattern where attackers prioritize corporate IT environments as an entry point, knowing they often contain high-value data but are less rigorously segmented than production or patient-facing systems. Even if Medtronic states there is no impact to products or patient safety, the theft of millions of records, if confirmed, still represents a significant risk, particularly for identity theft, targeted phishing, and supply chain exploitation. In healthcare, ‘no operational impact’ does not mean ‘no risk’; sensitive data exposure can have long-term downstream consequences,” said Ensar Seker, CISO at SOCRadar. “From a defender’s perspective, this reinforces the need to treat corporate IT systems with the same level of scrutiny as clinical or operational environments. Strong identity controls, strict network segmentation, and continuous monitoring of data exfiltration paths are critical. Additionally, organizations should assume that groups like ShinyHunters will attempt to monetize even partial or low-sensitivity datasets, so rapid validation, transparent communication, and proactive threat intelligence engagement are essential to reduce reputational and regulatory fallout.”
Medtronic is not the only medical device manufacturer to experience a data breach this year. In January 2026, Massachusetts-based UFP Technologies, a manufacturer of devices and components for wound care, implants, and orthopedic and surgical products, notified the SEC of a cyberattack and data breach. In March 2026, the California implantable orthopedic device manufacturer TriMed announced a cyberattack and data breach, and the medtech company Stryker experienced a wiper attack.
The post Medical Device Maker Medtronic Announces Data Breach appeared first on The HIPAA Journal.
SAG-AFTRA Health Plan Settles Lawsuit Over 2024 Phishing Incident
SAG-AFTRA Health Plan has settled a class action lawsuit over a September 2024 email data breach. Hackers gained access to the health plan’s email systems between September 17 and September 18, 2024, after employees responded to phishing emails. The attack exposed sensitive personal and protected health information, which was potentially copied by the hackers.
Data compromised in the incident included names and Social Security numbers and, for some individuals, health information, claims information, and plan participant identification numbers. The breach was reported to the HHS’ Office for Civil Rights initially as affecting 35,592 individuals, although that total was later increased to 98,474 individuals. The lawsuit states that approximately 94,546 notification letters were mailed.
The first class action lawsuit over the data breach was filed by plaintiffs Matthew Rouillard and Kristy Munden in December 2024, and a further three class action lawsuits were subsequently filed by other plaintiffs. The lawsuits had overlapping claims, so were consolidated into a single action – In re SAG Health Data Breach Litigation – in the U.S. District Court for the Central District of California.
The consolidated lawsuit asserted several claims, including negligence and violations of California laws. To avoid the expense, distraction, and uncertainty of a trial and related appeals, SAG-AFTRA Health Plan and the plaintiffs agreed to a settlement. SAG-AFTRA Health Plan has agreed to establish a $950,000 settlement fund to cover attorneys’ fees and expenses, claims administration costs, service awards for the class representatives, and benefits for the class members.
Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a pro rata cash payment, which will be paid from the remaining funds after claims and costs have been deducted. Individuals who were not California residents at the time of the data breach will receive one pro rata share of the remainder of the settlement fund, and California residents will receive two shares.
All class members will receive an 18-month membership to a credit monitoring and identity theft protection service, even if they do not submit a claim for reimbursement of losses or a cash payment. Claims must be submitted by July 23, 2026. The deadline for objection and exclusion is June 23, 2026, and the final fairness hearing has been scheduled for September 24, 2026.
December 13, 2024: SAG-AFTRA Members Sue Health Plan Over Email Breach
A class action lawsuit has been filed by members of the Screen Actors Guild – American Federation of Television and Radio Artists (SAG-AFTRA) health plan over a recent email phishing attack that exposed their protected health information. An unauthorized third party accessed an employee’s email account between September 17 and September 18, 2024, after the employee responded to a phishing email and potentially viewed or copied names, Social Security numbers, health insurance information, and claims information. The breach was reported to the HHS’ Office for Civil Rights as affecting 35,592 individuals, and individual notifications were mailed on December 2, 2024. The total was later increased to 98,474 individuals.
Three days after the notification letters were mailed, a lawsuit was filed by Clarkson Law Firm P.C. in the U.S. District Court in Los Angeles naming SAG-AFTRA members Matthew Rouillard and Kristy Munden as plaintiffs. The lawsuit alleges that SAG-AFTRA Health Plan failed to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to members’ sensitive data, which was exfiltrated in the attack, failed to adequately monitor its network and computer systems, and failed to issue timely notifications about the breach. Notification letters were sent more than two months after the email account breach was discovered.
The lawsuit alleges the plaintiffs and class members have suffered injuries such as out-of-pocket expenses associated with preventing, detecting, and remediating identity theft, social engineering, and fraud; lost opportunity costs while attempting to mitigate the consequences of the data breach; lost time; an invasion of privacy; diminution in value of their private information; and an increased risk of identity theft and fraud.
The lawsuit claims that in light of the data breach and lack of cybersecurity protections, members overpaid for their health plans. The lawsuit asserts claims of unjust enrichment, invasion of privacy, negligence, breach of express warranty, and violations of the California Civil Code (Deceit by concealment), California Unfair Competition Law (Business & Professions Code), and the California Confidentiality of Medical Information Act.
The lawsuit seeks class action status, a jury trial, monetary damages, restitution, and an order from the court requiring adequate security protocols to be implemented, proper notice to be provided to the affected individuals, and prohibiting the health plan from engaging in further wrongful acts.
The post SAG-AFTRA Health Plan Settles Lawsuit Over 2024 Phishing Incident appeared first on The HIPAA Journal.