HHS-OIG Report Highlights Key HHS Cybersecurity Challenges

The U.S. Department of Health and Human Services Office of Inspector General has published its annual report on the Top Management and Performance Challenges Facing HHS to help the department improve the effectiveness and efficiency of its programs. The report highlights some of the cybersecurity challenges faced by HHS, including a lack of standardized governance and controls, which complicates HHS’s preparedness efforts to prevent and respond to cybersecurity threats.

The HHS is a large department with disparate organizational approaches to cybersecurity across its various divisions and programs. While the department has taken steps to consolidate cybersecurity functions and improve cybersecurity, HHS-OIG says overall progress is often still dependent on each division and program. In addition, the HHS has an army of contractors, grantees, and other external entities that number in the thousands. Cybersecurity solutions must be implemented not only within the HHS, but also by each contractor, grantee, and external entity. That makes cybersecurity improvements especially challenging, and the ability of the HHS to mitigate cybersecurity threats is often dependent on those entities implementing cybersecurity solutions specific to their operations. “Protecting technology and data requires broader efforts beyond implementing technical fixes, such as establishing clear expectations; modernizing program rules; and conducting effective oversight of the Department’s contractors, grantees, and other external entities,” HHS-OIG said.

The healthcare sector remains a key target for cyber actors. Ransomware attacks continue in volume, as financially motivated threat actors encrypt and steal data to use as leverage to obtain ransom payments. Cyberattacks are growing in sophistication and are continually evolving, and the HHS must be able to respond quickly, alert the sector about vulnerabilities under exploitation, and help prepare the sector for evolving threats.

The HHS plays a key role in improving cybersecurity across the sector and responding to threats, yet the diffuse nature of HHS cybersecurity authorities and responsibilities is complicating HHS’s response efforts. The HHS also has limited resources for addressing sector-wide problems such as the healthcare and public health sector’s reliance on legacy technology and its workforce challenges. Further, privacy and security are governed by HIPAA, which is more than two decades old. HHS-OIG warned that the HIPAA Privacy Rule and the HIPAA Security Rule may not be sufficient to address contemporary privacy concerns and the increasing cybersecurity risks to electronic protected health information. As such, HHS-OIG said the HHS must adapt as privacy and security needs evolve.

Further regulation could help in this regard; however, the HHS has been slow to enact updates to the HIPAA Rules. A Privacy Rule update was proposed by HHS under the previous Trump administration in late 2020, yet a final rule has still not been published more than five years after the update was first proposed. The update is still on the HHS’s agenda, but there has been no indication when a final rule will be published. An extensive update to modernize the HIPAA Security Rule to strengthen cybersecurity across the sector was proposed in the final days of the Biden administration. While there is an urgent need to improve cybersecurity across the sector, it is currently unclear whether the HHS, under the Trump administration, plans to implement the proposed rule.

HHS-OIG said the HHS has taken action to address the challenges it highlights in the report, but there are considerable opportunities for further progress, and until the HIPAA Rules are updated, HHS must continue to work within the statutory authorities established by HIPAA in 1996, the HIPAA Privacy Rule in 2000, and the HIPAA Security Rule in 2003.

The post HHS-OIG Report Highlights Key HHS Cybersecurity Challenges appeared first on The HIPAA Journal.

Numotion Agrees to Pay $4 Million to Settle Litigation Stemming from 2024 Data Breaches

The mobility equipment provider United Seating and Mobility, doing business as Numotion, has agreed to settle class action litigation stemming from two data security incidents in 2024 that involved unauthorized access to the protected health information of hundreds of thousands of its customers.

The first incident was detected by Numotion on March 2, 2024. The forensic investigation confirmed that an unauthorized third party gained access to its systems, which, according to the lawsuit, contained the personal and protected health information of 685,264* current and former customers and employees. The ransomware group had access to its network between February 29, 2024, and March 2, 2024, and potentially obtained names, dates of birth, equipment order details, supporting medical documentation, medical insurance information, and, for certain individuals, Social Security numbers.

The second data security incident was a phishing incident, discovered on September 29, 2024, involving unauthorized access to email accounts. The data review confirmed that the personal and protected health information of 494,326 individuals* was present in the compromised accounts, including names, dates of birth, product information, payment and financial account information, health insurance information, medical information, and limited Social Security numbers.

Multiple class action lawsuits were filed in response to each data breach, and they were consolidated into two separate actions. In March 2025, the parties in each of the two consolidated actions explored the early resolution of both lawsuits in a single settlement. Following a full day of mediation and arm’s-length negotiations, the material terms of a settlement were agreed upon, and over the following weeks, a settlement was finalized with no admission of liability or wrongdoing by the defendant. That settlement has now received preliminary approval from the court.

Under the terms of the settlement, Numotion has agreed to establish a $4,000,000 settlement fund to cover attorneys’ fees and expenses (up to $1,333,333.33), settlement administration costs, service awards for the class representatives, and benefits for the class members. There are two possible cash payments. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $15,000 per class member, plus a pro rata cash payment. The cash payments will be paid pro rata if the costs and other benefits do not exhaust the settlement fund.

All class members will receive two years of complimentary credit monitoring services without submitting a claim, and the subclass of individuals who had their Social Security numbers exposed may submit a claim for two years of medical monitoring services. The deadline for opting out of or objecting to the settlement is March 3, 2026, and claims must be submitted by March 18, 2026. The final approval hearing was scheduled for April 2, 2026.

*The HHS’ Office for Civil Rights was informed that the first incident involved the protected health information of up to 602,265 individuals, and the second data breach involved the protected health information of up to 529,004 individuals.


58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price

A recent study exploring insider cybersecurity threats revealed that a majority of college students would be willing to violate the HIPAA Rules and steal and disclose patient data if they were paid to do so, provided the price was right. The amount of money required ranged from less than $10,000 to more than $10 million. The study was conducted by Lawrence Sanders, professor emeritus, University of Buffalo, Department of Management Science and Systems, and colleagues at the School of Management, and builds on a 2020 study that explored the price of healthcare privacy violations.

The 2020 study, published in JMIR Medical Informatics, was conducted on 523 students (average age of 21) who were about to enter the workforce. The respondents were asked to imagine that they had been employed by a hospital, and were given five scenarios in which they were asked if they would illegally obtain and disclose sensitive health information. 46% of respondents admitted that they would violate HIPAA and patient privacy if the price was right. In one of the scenarios, study participants were asked if they would obtain and disclose a politician’s medical records in exchange for $100,000, if the money was needed to pay for an experimental treatment for their mother that insurance wouldn’t cover. 79% of respondents said they would.

The follow-up study, which focused on cybersecurity insiders, was conducted on 500 undergraduate college students in technology-related programs, who represented future IT workers in the healthcare industry. They were asked to imagine they had been employed by a hospital, were being paid between $30,000 and $100,000, and were under financial stress and had been approached and asked to obtain and leak information about a famous patient at the hospital.

They were informed about HIPAA and how the federal law prohibits unauthorized access to and disclosure of protected health information, yet 58% said they would violate HIPAA in exchange for payment. The amount of money required was less than $10,000 in some cases, and whether they would be tempted – and the amount required – varied depending on the employee’s salary level and the perceived probability of being caught. The higher the employee’s salary, the more money was required to violate HIPAA and steal data. Individuals who had an interest in ethical hacking generally required less money to violate HIPAA, as was the case with individuals with an interest in unethical hacking, if they were assured that they would not be caught.

The study highlights the risk of insider data breaches and the importance of training on the HIPAA Privacy Rule requirements and the consequences of HIPAA violations, making it clear to all workers that the consequences can be severe if violations are discovered.

“As cyberattacks and data breaches continue to rise, particularly in health care and other data-intensive sectors, our findings underscore the need for organizations to address the human and economic dimensions of cybersecurity alongside traditional technical controls,” said Professor Sanders. “Promoting awareness and education can discourage people from engaging in cybercrime by highlighting the negative consequences and risks associated with it. Initiatives that promote economic opportunity, social inclusion, cybersecurity literacy and a more secure digital environment are part of the solution.”


Patients of Philadelphia’s Laurel Health Centers Affected by Data Breach

Patients of Laurel Health Centers have been notified that their protected health information was exposed in a July 2025 security incident, and Modern Health has identified unauthorized access to member profiles.

Laurel Health Centers

Laurel Health Centers, a Federally Qualified Health Center network in Northern Pennsylvania, has discovered unauthorized access to its email environment. An investigation was launched on July 14, 2025, to determine the cause of unusual email activity. The investigation determined that an unauthorized third party had access to certain email accounts between July 11, 2025, and July 25, 2025. During that time, emails and files may have been viewed or copied.

The affected email accounts were reviewed and found to contain patient information. The types of information vary from individual to individual and may include names in combination with one or more of the following: address, telephone number, email address, date of birth, Social Security number, medical record number, date(s) of service, medical provider, Medicare information, insurance information, diagnostic information, treatment and diagnosis data, insurance carrier, procedure codes, disability status, dental and denture information, immunization record, behavioral health information, Pennsylvania Account ID, account number, credit card information, checking account information, and claim information.

Laurel Health Centers said it took time to conclusively determine that the threat actor no longer had access to its systems, hence the delay between discovering the unauthorized activity and confirming that the threat actor had been eradicated from its email environment. The review of the email accounts concluded on December 30, 2025, and notification letters were mailed to the affected individuals shortly thereafter. Complimentary credit monitoring services have been offered to the affected individuals. The incident is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Modern Health

Modern Health, a management support organization that provides services to several affiliated entities, including Modern Health Arizona, Modern Health California, Modern Health New Jersey, Elevate Tele-Medicine Telehealth, and Modern Life, has recently notified the Massachusetts Attorney General about an incident involving unauthorized access to member profiles on its behavioral health platform.

In November 2025, Modern Health determined that an unauthorized individual had accessed a limited number of member profiles. Steps were immediately taken to disable those profiles, and an investigation was launched to determine the extent of the unauthorized activity. The affected profiles were reviewed and found to contain sensitive member data, although Social Security numbers and financial information were not exposed. The review of the affected profiles was completed on January 5, 2026, and the affected individuals were notified via email on January 12, 2026. It is currently unclear how many individuals were affected in total. The Massachusetts Attorney General was informed that two state residents were affected.
