HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital

Posted by Steve Alder

An audit of a large Southeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) identified security weaknesses in internet-facing applications, which could potentially be exploited by threat actors for initial access. Similar security weaknesses are likely to exist at many U.S. hospitals. The aim of the audit was to assess whether the hospital had implemented adequate cybersecurity controls to prevent and detect cyberattacks, if processes were in place to ensure the continuity of care in the event of a cyberattack, and whether sufficient measures had been implemented to protect Medicare enrollee data.

The audited hospital had more than 300 beds and was part of a network of providers who share patients’ protected health information for treatment, payment, and healthcare operations. The hospital had adopted the HITRUST Common Security Framework (CSF) version 9.4 as its main cybersecurity framework, used that framework for regulatory compliance and risk management, and had implemented physical, technical, and administrative safeguards as required by the HIPAA Rules.

HHS-OIG reviewed the hospital’s policies and procedures to assess its cybersecurity practices concerning data protection, data loss prevention, network management, and incident response, and interviewed appropriate staff members to gain further cybersecurity and risk mitigation insights. HHS-OIG conducted penetration tests and external vulnerability assessments on four of the hospital’s internet-facing applications.

The hospital had implemented cybersecurity controls to protect Medicare enrollee data and ensure the continuity of care in the event of a cyberattack, and the cybersecurity controls detected most of HHS-OIG’s simulated cyberattacks; however, weaknesses were found that allowed the HHS-OIG to capture login credentials and use them to access the account management web application, and a security weakness in its input validation controls allowed manipulation of the application.

HHS-OIG sent 2,171 phishing emails, but only the last 500 were blocked. A total of 108 users clicked the link in the email (6% click rate), and one user entered their login credentials in the HHS-OIG phishing website. The captured login credentials allowed HHS-OIG to access the account, although it did not appear to contain patient information. Once the web application was accessed, HHS-OIG was able to view the user’s devices associated with the account, as well as a list with options to deactivate multifactor authentication and add/remove devices from the account. If it were a real cyberattack, a threat actor could use the access for a more extensive compromise. HHS-OIG said strong user identification and authentication (UIA) controls for the account management web application had not been implemented; however, the click rate and login rate were relatively low, therefore, no recommendations were made regarding its anti-phishing controls.

Another internet-facing application was found to lack strong input validation controls, which made the application vulnerable to an injection attack. An attacker could inject malicious code into weak input fields, alter commands sent to the website, and access sensitive data or manipulate the system. While the hospital had conducted vulnerability scans and third-party penetration tests, the vulnerability failed to be identified. Further, the web application did not have a web application firewall for filtering, monitoring, and blocking malicious web traffic, such as injection attacks.

HHS-OIG made four recommendations: Implement strong user identification and authentication controls for the account management web application; periodically assess and update user identification and authentication controls across all systems; assess all web applications to determine if an automated technical solution, such as a web application firewall, is required; and utilize a wider array of testing tools for identifying vulnerabilities in applications, such as dynamic application testing tools, static application testing tools, and manual, interactive testing.

HHS-OIG did not name the audited hospital due to the risk that it could be targeted by threat actors. Further audits of this nature will be conducted on other healthcare providers to determine whether similar security issues exist and if there are any opportunities for the HHS to improve guidance and outreach to help hospitals improve their security controls.

“This report highlights the need for healthcare organizations to adapt their security programs to reflect a fundamental shift: sensitive data now resides not just in on-prem, internal apps, but also in web-based SaaS applications,” Russell Spitler, CEO of Nudge Security, told the HIPAA Journal. “Traditional network-focused security controls cannot adequately protect cloud applications where data flows across organizational boundaries. This makes identity security controls—particularly MFA and SSO—essential for protecting this dynamic attack surface.”

Spitler suggests “healthcare organizations should take a systematic approach that prioritizes comprehensive visibility and strong authentication controls across their entire application ecosystem.” Key steps recommended by Spitler include:

  • Conducting a comprehensive inventory of all SaaS and web applications to understand the full picture of the organization’s attack surface
  • Prioritizing MFA implementation for applications with privileged access or sensitive data, starting with internet-facing systems
  • Deploying SSO solutions that can enforce MFA centrally while improving user experience and reducing password-related security risks
  • Using conditional access policies that require MFA for any access from outside the corporate network or from unmanaged devices
  • Regularly testing authentication controls through penetration testing and phishing simulations, as HHS OIG did in this audit

The post HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital appeared first on The HIPAA Journal.

Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients

Posted by Steve Alder

Data breaches have recently been announced by Central Ozarks Medical Center in Missouri, AdventHealth Daytona Beach in Florida, and the Middlesex Sheriff’s Office in Massachusetts.

Central Ozarks Medical Center, Missouri

Central Ozarks Medical Center (COMC), a Federally Qualified Health Center (FQHC) in mid-Missouri, has notified 11,818 individuals that some of their personal and protected health information was compromised in a criminal cyberattack. The substitute breach notice on the COMC website does not state when the cyberattack was detected or for how long its network was compromised, only that it was determined on or around November 10, 2025, that personally identifiable information and protected health information may have been subject to unauthorized access or acquisition.

The types of information compromised in the incident included names, dates of birth, Social Security numbers, financial account information, medical treatment information, and health insurance information. COMC has provided the affected individuals with information on steps they can take to reduce the risk of identity theft and fraud, and at least 12 months of complementary credit monitoring and identity theft protection services have been offered. COMC has confirmed that it has implemented a series of cybersecurity enhancements and will continue to augment those measures to better protect patient information.

Middlesex Sheriff’s Office, Massachusetts

The Middlesex Sheriff’s Office in Massachusetts has announced a January 2025 security breach that involved unauthorized access to individuals’ protected health information.  The Sheriff’s Office launched an investigation to determine the extent and nature of the incident, and was assisted by the Federal Bureau of Investigation, the Massachusetts State Police, the Commonwealth Fusion Center, the Executive Office of Technology Services and Security, and two cybersecurity firms.

It took until November 19, 2025, to complete the review of the exposed files, when it was confirmed that they contained names, addresses, dates of birth, diagnoses, and/or other general health information. The Sheriff’s Office said it has not identified any misuse of the exposed information. The Middlesex Sheriff’s Office has implemented additional safeguards to prevent similar breaches in the future and has advised the affected individuals to review their bank statements and insurance records for signs of misuse. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals – a commonly used placeholder figure when the total number of affected individuals has not yet been confirmed.

AdventHealth Daytona Beach, Florida

AdventHealth Daytona Beach in Florida has notified 821 individuals about the loss of paperwork containing their protected health information. The loss of documentation was identified by its outpatient laboratory on November 25, 2025. Outpatient lab orders were determined to be missing for individuals who received outpatient services between September 1 and September 14, 2025.

AdventHealth Daytona Beach said the loss occurred during a departmental relocation from the first to the second floor. Construction activities were taking place to install a new tubing system, and the planned project location was changed by the construction workers, who accessed an area containing the lab orders without first notifying the laboratory team. The paperwork was discarded by the construction workers. AdventHealth Daytona Beach said no evidence was found to indicate the lab orders were or will be misused. The lab orders contained information such as names, addresses, dates of birth, telephone numbers, email addresses, diagnosis codes, health condition(s), and health insurance policy numbers.

The post Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients appeared first on The HIPAA Journal.

Is Wix HIPAA Compliant?

Posted by Steve Alder

When this article was first published in early 2025, Wix was not a HIPAA-compliant service; however, the company has since implemented comprehensive measures to allow its platform to be used by HIPAA-regulated entities, and the company is prepared to sign a business associate agreement with HIPAA-regulated entities.

HIPAA Compliant Email Services

Wix is a service that helps businesses in all industries easily design, build, and host websites. Depending on the type of subscription, customers’ websites can include appointment scheduling software, e-commerce platforms, and loyalty programs. The service scores highly for performance, reliability, and security, and is certified PCI DSS and ISO 27001 compliant.

With regard to collecting data from website visitors, Wix enables customers to comply with the California Consumer Privacy Act (CCPA) and other state privacy laws that require an affirmative opt-in before data can be used for marketing purposes.

When it comes to collecting Protected Health Information (PHI) from website visitors, HIPAA-regulated entities must ensure that they use a platform that incorporates all of the necessary safeguards to ensure the confidentiality, integrity, and availability of PHI, and a regulated entity must enter into a business associate agreement (BAA) with the platform provider.

Wix has now incorporated a comprehensive range of measures to allow its platform to be used by HIPAA-regulated entities and provides both the tools and contractual safeguards to support HIPAA compliance. Provided customers have the appropriate Wix plan, take certain steps to make their Wix website HIPAA-compliant, and only use Wix’s HIPAA-designated apps and services, then Wix websites can be HIPAA-compliant.

How Does Wix Comply with HIPAA?

Customers with certain Wix plans (supported Premium or Studio plans) can activate a PHI protection feature from the Compliance, Privacy & Cookies section of their site dashboard. Activating this feature provides enhanced administrative, physical, and technical safeguards. These include encryption of ePHI at rest and in transit, access controls, audit logging, and the automatic restriction of non-HIPAA-compliant features and applications.

After activating this feature, users can execute a formal BAA with Wix. The BAA establishes Wix’s obligations under the HIPAA Rules. Wix agrees to comply with the permitted and required uses and disclosures of PHI, maintain appropriate safeguards, comply with data access, amendment, and accounting requirements, and the breach reporting requirements of the HIPAA Breach Notification Rule.

A HIPAA-regulated entity may request a copy of all PHI data on the site and submit a request to have the information securely and permanently deleted. Wix has published resources on its website to help HIPAA-regulated entities ensure HIPAA compliance when using its services:  Wix Services and HIPAA and HIPAA Compliance for Your Wix Site.

In order to comply with HIPAA, users must ensure that they only use specific services and apps on their website that have been approved for HIPAA use. Wix has curated a collection of apps in the Wix App Market and explicitly designates which apps and services support HIPAA compliance, allowing regulated entities to clearly identify which apps and services may be used to create, receive, maintain, or transmit ePHI.

What this Means for HIPAA Covered Entities and Business Associates

HIPAA-covered entities and business associates can use a website built on Wix to collect non-health information such as names, phone numbers, and email addresses. This is because information of this type is not considered PHI when it is not maintained in the same designated record set as individually identifiable health information.

Provided that forms are limited in the information they collect, that the appointment scheduling software does not reveal the nature of treatment, and that payment systems are just used for payment processing, covered entities and business associates will not be in violation of HIPAA for creating, receiving, maintaining, or transmitting non-health information via the service.

Before a website built on Wix is used to collect PHI, users must configure the options correctly, enter into a BAA with Wix, and only use apps and services that support HIPAA compliance. If those steps are taken, Wix websites are HIPAA compliant. Further, Wix’s HIPAA compliance features align with the international healthcare information security standard ISO 27799, to support healthcare providers in meeting strict data protection and security requirements, such as the EU’s General Data Protection Regulation (GDPR).

It should be noted that while a company can implement all of the necessary measures to support HIPAA-compliance, including signing a business associate agreement, it is up to each regulated entity to ensure that the product or service is used correctly.

The post Is Wix HIPAA Compliant? appeared first on The HIPAA Journal.

Capital Health Data Breach Litigation Settled for $4.5M

Posted by Steve Alder

Capital Health has agreed to pay $4.5 million to settle a class action lawsuit stemming from a 2023 ransomware attack. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell Township – as well as many primary care clinics in New Jersey and Pennsylvania.

On or around November 26, 2023, Capital Health identified unauthorized activity within its computer systems. The forensic investigation confirmed that a criminal cyber actor had access to its network between November 11, 2023, and November 26, 2023, and used ransomware to encrypt files. The investigation determined that files containing patient data had been exposed and may have been stolen. The LockBit ransomware group claimed responsibility for the attack and said it exfiltrated 7 TB of data. LockBit threatened to publish the stolen data on January 9, 2024, if the ransom was not paid. It is unclear if any payment was made.

Capital Health’s investigation confirmed that the hackers potentially accessed patient data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and medical information. The data breach was reported to the HHS’ Office for Civil Rights as affecting 503,071 individuals. Capital Health announced the cyberattack in December 20223, and the first class action lawsuit over the attack was filed on December 19, 2023. Further class action lawsuits were filed by other affected patients, which were consolidated in May 2025 – Bruce Graycar, et al. v. Capital Health Systems, Inc. – in the United States District Court for the District of New Jersey, as the lawsuits had overlapping claims. The consolidated class action lawsuit alleged claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, declaratory judgment, and Violation of the New Jersey Consumer Fraud Act.

All parties discussed the option of settling the lawsuit, and a settlement was agreed upon by all parties, with no admission of liability, fault, or wrongdoing by Capital Health. Under the terms of the settlement, class members may submit claims for up to $5,000 per class member as reimbursement for documented, unreimbursed losses resulting from the data breach. Alternatively, class members may submit a claim for a cash payment, estimated to be $100 per class member. The cash payments may be increased or decreased, depending on the number of valid claims received. In addition to the cash payments, class members may also submit a claim for three years of credit monitoring services, valued at $90 per year.

Capital Health has also confirmed to class counsel that a range of additional security measures have been implemented and will be maintained to better protect patient data in the future. The deadline for objection to and opting out of the settlement is March 9, 2026. The deadline for submitting a claim is April 6, 2026, and the final fairness hearing has been scheduled for July 14, 2026.

The post Capital Health Data Breach Litigation Settled for $4.5M appeared first on The HIPAA Journal.