DoL OIG to Audit OSHA to Assess Agency’s Efforts to Prevent Workplace Violence

The Department of Labor Office of Inspector General will be conducting a federal audit to determine how well the Occupational Safety and Health Administration (OSHA) is addressing the growing problem of workplace violence.

Workplace violence is a significant occupational safety concern, especially in the healthcare industry, where healthcare employees are regularly subjected to physical assaults, verbal threats, and other attacks. According to the U.S. Bureau of Labor Statistics, healthcare workers are five times as likely to suffer nonfatal workplace injuries as professionals in other sectors, and across all sectors, acts of violence and related injuries are the third leading cause of fatal occupational injuries in the United States.

Data from 2022 shows that out of the 5,486 fatal injuries that occurred in the workplace, 849 involved intentional injury caused by another person. A Medscape survey published earlier this year found that almost 70% of physicians believe that physical security at work is a more pressing issue than it was three years ago, and a 2024 poll of members of the American College of Emergency Physicians (ACEP) found that 91% said they had experienced workplace violence or were aware of a colleague who was a victim of workplace violence in the past year. According to the World Health Organization, up to 38% of healthcare workers experience physical violence at some point in their careers, and the problem is getting worse.

A report produced by the Department of Labor’s Office of Inspector General in 2001 found that OSHA could do more to address workplace violence and recommended a reassessment of its training and outreach programs, and better recordkeeping systems for incidents involving workplace violence. The OIG audit, due to take place this year, will evaluate the steps that OSHA has taken to address workplace violence since that report was published, and how effectively OSHA is working to prevent violence in workplaces. OSHA has yet to implement a standard for workplace violence, although a potential standard on workplace violence for healthcare and social assistance is one of its long-term actions.

The post DoL OIG to Audit OSHA to Assess Agency’s Efforts to Prevent Workplace Violence appeared first on The HIPAA Journal.

Data Breach Reported by Orthopedic Implant Manufacturer TriMed

TriMed, a Santa Clarita, California-based manufacturer of upper and lower orthopedic implants, has announced a data security incident involving unauthorized access to parts of its network where order forms and invoices were stored. While for the most part the exposed data only contained information related to the company’s hardware and the individuals who received it, in some cases, the documentation included personal information.

TriMed identified suspicious activity within certain systems in September 2025, prompting an investigation to determine the nature and scope of the activity. The forensic investigation determined that an unauthorized third party had access to parts of its environment between September 13, 2025, and September 21, 2025, during which time files were potentially accessed and acquired by the unauthorized third party.

TriMed manufactures hardware that is surgically implanted to repair or replace damaged joints. A programmatic and manual review of the exposed files confirmed that they contained information related to that hardware, which would have been ordered on a patient’s behalf, including part type, associated installation components such as screws, or the ordering surgeon’s name. While the affected documents do not typically include personal information, in certain cases, the documents contained names, dates of birth, and medical record numbers. The exposed documents did not contain Social Security numbers or financial information such as bank account or credit/debit card numbers.

TriMed has taken steps to augment security to prevent similar incidents in the future, including strengthening its existing security controls and threat detection practices. Further, TriMed has integrated a global security operations center and will continue to update its security measures, as appropriate, in the future. TriMed reported the incident to law enforcement, but there was no request to delay notifications to the affected individuals. The notification letters were sent as soon as possible once the affected individuals and data categories were identified. While Social Security numbers were not involved, credit monitoring and identity theft protection services have been offered for 24 months, according to the notification letter sent to the Maine Attorney General.

The Maine Attorney General was informed that two Maine residents were affected, but the data breach listing does not state how many individuals were affected in total, and the incident has yet to be added to the HHS’ Office for Civil Rights website. No known threat group appears to have claimed responsibility for the attack.


Data Breaches Announced by Corewell Health & Rocky Mountain Care

Rocky Mountain Care in Utah has announced a January 2026 data breach, and Corewell Health in Michigan has confirmed that more than 19,000 patients have been affected by a data breach at business associate Pinnacle Holdings.

Corewell Health, Michigan

Corewell Health, a non-profit Michigan health system, has recently confirmed that the protected health information of more than 19,000 of its patients has been exposed in a data breach at one of its business associates, Colorado-based Pinnacle Holdings, LTD. Pinnacle Holdings, a provider of consulting services, experienced a network disruption on November 25, 2024, that affected some of its IT systems, including systems containing the protected health information of patients of its clients.

Pinnacle Holdings said immediate action was taken to secure its systems; however, the detailed data review has taken many months to complete due to the complexity of the impacted data. The company has now confirmed that patient names, phone numbers, birth dates, Social Security numbers, driver’s license numbers, health insurance information, prescription information, and dates of service were compromised. The affected Corewell Health patients have been offered complimentary credit monitoring and identity theft protection services, and Pinnacle Holdings has implemented additional safeguards to prevent similar incidents in the future.

The data breach at Pinnacle Holdings affected several of the company’s clients, including the Chicago-based Catholic health system, CommonSpirit Health, as previously reported by The HIPAA Journal. It is currently unclear how many clients were affected in total or the number of individuals whose data was compromised in the incident.

Rocky Mountain Care, Utah

Rocky Mountain Care, a Woods Cross, Utah-based provider of skilled nursing care and home health services to seniors in Utah and Wyoming, has announced a January 2026 cybersecurity incident that involved unauthorized access to parts of its network that contained patient information. The forensic investigation determined that a hacker gained access to files on its network between January 30, 2026, and February 2, 2026. The review of the impacted data is ongoing, so the full impact of the incident has yet to be determined. Rocky Mountain Care said notification letters will be mailed to the affected individuals when the review is concluded.

While further details about the attack have not been disclosed, a threat actor has claimed responsibility for the incident. The Qilin threat group added Rocky Mountain Care to its dark web data leak site on February 23, 2026, and issued a ransom demand along with a threat to publish the stolen data if the ransom was not paid. Samples of data allegedly stolen in the attack were also added to the listing. Qilin claimed to have exfiltrated 33 GB of data in the attack and later published the stolen data, indicating the ransom was not paid.
