Top of the World Treatment Center Settles Alleged Risk Analysis HIPAA Violation

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve an alleged violation of the HIPAA Rules. Top of the World Treatment Center, a Milan, Illinois-based addiction treatment provider, has agreed to pay a $103,000 financial penalty to settle an allegation that it violated the risk analysis requirement of the HIPAA Security Rule.

The number of data breaches reported to OCR involving hacking increased by 239% between 2018 and 2023, and hacking incidents have continued to be reported in high numbers since. In an effort to improve healthcare cybersecurity and reduce the number of successful hacking incidents, OCR launched an enforcement initiative targeting noncompliance with a specific requirement of the HIPAA Security Rule – the risk analysis. The risk analysis is one of the most important HIPAA requirements for improving security.

The enforcement initiative is intended to make it harder for hackers to succeed by ensuring that the vulnerabilities they exploit to gain access to healthcare networks are identified and addressed in a timely manner. OCR’s HIPAA compliance audits and data breach investigations consistently uncovered risk analysis failures, including failures to conduct a risk analysis and incomplete risk analyses. If healthcare organizations do not conduct a comprehensive, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), risks and vulnerabilities will remain and can potentially be exploited by hackers.

Including the latest penalty, OCR has resolved 11 investigations of ePHI breaches with settlements or civil monetary penalties for alleged violations of the risk analysis provision of the HIPAA Security Rule. “In a time where health care providers and other HIPAA-regulated entities are facing unprecedented cybersecurity threats, compliance with the HIPAA Risk Analysis provision is more essential than ever,” said OCR Director Paula M. Stannard. “Covered entities and business associates cannot protect electronic protected health information if they haven’t identified potential risks and vulnerabilities to that health information.”

The incident that prompted OCR’s investigation of Top of the World Treatment Center was a phishing incident. An employee was tricked by a phishing email into disclosing their credentials, which allowed a hacker to access a single business email account for several hours on November 17, 2022. The email account was reviewed and found to contain the ePHI of 1,980 individuals, including their names, Social Security numbers, diagnosis information, treatment information, and health insurance information.

OCR investigated and could not be provided with evidence to confirm that a HIPAA-compliant risk analysis had been conducted prior to the data breach, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Under the current enforcement initiative, financial penalties will be imposed for risk analysis failures. OCR notified Top of the World Treatment Center of its intention to impose a financial penalty to address the alleged violation, and offered to settle the alleged violation informally. Settlements involve a reduced financial penalty, although the HIPAA-regulated entity must adopt a corrective action plan.

Top of the World Treatment Center is required to conduct a comprehensive, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Based on the risk analysis, a risk management plan must be developed and implemented to reduce all identified risks and vulnerabilities to a low and acceptable level. After the initial risk analysis, Top of the World Treatment Center must conduct an accurate and thorough risk analysis at least annually, and subject risks to a HIPAA-compliant risk management process.

Further, policies and procedures must be developed, implemented, and maintained to comply with the HIPAA Rules, specifically covering risk analyses, risk management, information system activity reviews, and breach notifications. The new policies must be distributed to the workforce, training materials must be developed (and approved by OCR), and HIPAA training must be provided to the workforce.

The post Top of the World Treatment Center Settles Alleged Risk Analysis HIPAA Violation appeared first on The HIPAA Journal.

Data Shows Elevenfold Increase in Data-only Extortion Attacks

Posted by Steve Alder

There has been a sharp increase in data-only extortion incidents, with ransomware gangs increasingly opting not to encrypt files, instead simply breaching networks, exfiltrating sensitive data, and demanding a ransom payment to prevent the data from being leaked or sold.

Ransomware started to become popular with threat actors in the early to mid-2010s. Attacks involved breaching networks and using robust encryption to prevent data access. The emergence of untraceable cryptocurrencies helped fuel an explosion in ransomware attacks. In the mid-2010s, encryption alone proved to be sufficient, with the majority of victims opting to pay to recover their data. By 2020, double extortionbecame more prevalent, where data is stolen prior to file encryption. A ransom payment is required to obtain the decryption keys and prevent the publication or sale of stolen data. Double extortion fast became the norm, with the majority of ransomware attacks involving data theft and extortion.

The rapid rise in ransomware attacks forced organizations to address their data backup policies. While attacks may involve deletion or encryption of backups, victims are now much more likely to have offline backup copies of critical data that they can use to recover from the encryption with minimal data loss. It is often the threat of sale or leaking of exfiltrated data that is the primary reason for paying a ransom, as organizations seek to limit reputational damage.

Data encryption increases the chances of detection, attacks take longer, and fewer victims are paying ransoms to recover encrypted data. Threat actors understand that the reputational harm caused by data leaks is often enough, and some groups have abandoned encryption altogether. For example, PEAR (Pure Extortion and Ransom), a newly formed threat group that emerged in 2025, has exclusively adopted data-only extortion, as has the Silent Ransom group.

The recently published Arctic Wolf 2026 Threat Report confirms that ransomware attacks continue to be lucrative for threat actors. Ransomware attacks accounted for 44% ofArctic Wolf’s incident response (IR) cases from November 2024 to November 2025, exactly the same percentage as the previous reporting period. While there have been significant law enforcement operations targeting the most prolific ransomware groups – LockBit, ALPHV/BlackCat, and BlackSuit – those actions have had little effect on reducing the volume of attacks, and have simply shifted the ransomware ecosystem. There has been a proliferation of smaller groups, and some groups have stepped up attack volume to fill the vacuum.

Arctic Wolf’s report highlights the growing trend of data extortion-only attacks, which increased elevenfold between November 2024 and November 2025.  Data extortion-only attacks increased from 2% of Arctic Wolf’s IR cases in the previous reporting period to 22% in the current reporting period. “We’re seeing a clear pivot in attacker behavior. As organizations improve their ability to recover from encryption events, some threat actors are skipping ransomware altogether and moving straight to data theft and extortion,” said Kerri Shafer-Page, VP of Incident Response, Arctic Wolf. “From an incident response perspective, this shift fundamentally changes how impact is assessed and managed.”

Arctic Wolf said the increase in data extortion-only attacks shows that threat groups are willing and able to evolve when needed, and attributes the rise in attacks to organizations being better prepared and able to recover quickly from traditional encryption events. Arctic Wolf reports that ransomware actors are maturing their affiliate ecosystems and are now operating very much like business enterprises, with structured affiliate programs, tiered revenue models, and operational support to attract and retain a broader pool of cybercriminals.

Arctic Wolf also reports a prominent trend of diversification of ransomware-as-a-service (RaaS) offerings, where, in addition to a percentage of any ransom payments, affiliates are offered data extortion and access monetization, allowing them to profit from stolen data and compromised credentials without having to encrypt files with ransomware. For the time being, at least, Arctic Wolf has not observed any significant increase in activity from groups with these offerings. What has had an immediate impact is groups absorbing affiliates from other RaaS programs, such as Qilin, which recruited affiliates from the RansomHub operation when it shut down, and rapidly accelerated attacks and became the most prolific threat group.

Aside from ransomware, Business Email Compromise (BEC) continues to be favored by hackers, accounting for 26% of Arctic Wolf’s IR cases, although the targets were primarily finance and legal firms, rather than healthcare organizations. While phishing is the leading initial access vector for BEC attacks, other hacking incidents mostly involved attacks on remote access tools, remote monitoring and management software, and VPNs. These access vectors were used in around two-thirds of non-BEC IR cases, up from 24% three years ago. The exploitation of vulnerabilities has fallen from 26% of IR cases in the previous reporting period to just 11% in the current reporting period.

The post Data Shows Elevenfold Increase in Data-only Extortion Attacks appeared first on The HIPAA Journal.