Trinity Health; Precision Imaging Centers Settle Class Action Data Breach Lawsuits

Trinity Health in Michigan and Precision Imaging Centers in Florida have agreed to settle class action lawsuits that alleged negligence and violations of state laws related to breaches of patients’ electronic protected health information.

Trinity Health Settles Litigation Stemming from Accellion FTA Data Breach

The Livonia, Michigan-based Catholic Health System, Trinity Health Corporation, and co-defendants Valley Surgical Specialists Medical Group, Inc., Daniel Evan Swartz, MD, and Rame Deme Iberdemaj, have agreed to settle class action litigation stemming from a 2021 data breach involving its secure file transfer platform, Accellion FTA.

On or around January 29, 2021, Accellion notified Trinity Health that hackers had gained access to the Accellion FTA by exploiting a zero-day vulnerability. Trinity Health used the Accellion FTA for sending secure email, and determined that the files on the Accellion FTA had likely been downloaded by an unauthorized third party. The files contained names, addresses, email addresses, dates of birth, medical record numbers, lab results, medications, claims information, Social Security numbers, and credit card information. Notification letters were sent to 18,153 California residents, who were offered one year of complimentary credit monitoring, identity theft protection, and fraud resolution services.

A class action lawsuit – Jane Doe v. Trinity Health Corporation – was filed on May 20, 2021, in the Fresno County Superior Court over the data breach, seeking damages, restitution, and injunctive relief. The lawsuit alleged that Trinity Health had failed to adequately secure patient data by failing to encrypt the data on the Accellion FTA. The lawsuit asserted claims of violations of the California Confidentiality of Medical Information Act, California Security Notification Laws, and claimed the defendants had engaged in unlawful and unfair business acts and practices, in violation of Cal. Bus. & Prof. Code §§ 17200 et seq.

Trinity Health and the other defendants deny any wrongdoing; however, they chose to settle the lawsuit rather than incur additional costs continuing with the litigation and face the uncertainty of trial and any related appeals. Class counsel and the class representative believe the settlement is fair and is in the best interests of the class members.

Trinity Health has agreed to establish a $450,000 settlement fund to pay attorneys’ fees (maximum $150,000), attorneys’ expenses (maximum $25,000), service awards (maximum $5,000), and settlement administration costs. The remainder of the fund will be used to pay benefits to the class members. Class members may submit a claim for reimbursement of documented out-of-pocket expenses due to the data breach and can claim a one-off cash payment.

Claims for reimbursement of losses are capped at $1,000 per class member, and the cash payments are anticipated to be $231 if 5% of class members submit a claim, $115 if 10% of class members submit a claim, and $11 if all class members submit a claim. The deadline for filing a claim is January 19, 2026, and the final fairness hearing has been scheduled for April 29, 2026. Individuals wishing to object to or opt out of the settlement have until December 19, 2025, to do so.

Precision Imaging Centers to Pay Up to $200,000 to Settle Data Breach Litigation

Precision Imaging Centers, a Jacksonville, Florida-based provider of MRI, PET, CT, ultrasound, and X-ray imaging services, has agreed to settle class action litigation stemming from a cybersecurity incident that was identified on November 2, 2022. Hackers breached its network and gained access to files containing the personally identifiable information (PII) and protected health information (PHI) of current and former patients, including names, dates of birth, contact information, Social Security numbers, driver’s license numbers, diagnoses, and other medical and health information. Individual notification letters were mailed to the affected individuals on or around June 27, 2023, and the data breach was reported to the Maine Attorney General as affecting 31,010 individuals.

The first class action lawsuit in response to the data breach was filed by plaintiff Lauren Boyle, which was followed by complaints by four other individuals: Philipp Groebe, Natalie Luttrell, Bijoy Shroff, Cheryl Wearing, and Paige Demaio. The lawsuits asserted overlapping claims and were consolidated in a single complaint, In Re Precision Imaging Centers Data Breach Litigation, in the Circuit Court for the Fourth Judicial Circuit in and for Duval County, Florida.

The consolidated lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and violation of the Florida Deceptive and Unfair Trade Practices Act, all of which were denied by the defendant, who maintains there was no wrongdoing or liability. The plaintiffs believe all claims are legitimate and that the data breach could have and should have been prevented had reasonable and appropriate cybersecurity measures been implemented.

Precision Imaging Centers sought to have the complaint dismissed; however, the court denied the motion with prejudice, with the plaintiffs voluntarily dropping the Florida Deceptive and Unfair Trade Practices Act violation claim. On April 17, 2025, all parties attended mediation, and an agreement in principle was reached to settle the litigation with no admission of wrongdoing. The terms of the settlement have now been finalized and given preliminary approval by the court.

Under the terms of the settlement, Precision Imaging Centers has agreed to pay up to $200,000 to settle the litigation. Class members may submit a claim for reimbursement of documented out-of-pocket ordinary expenses and attested lost time (up to 4 hours at $20 per hour) up to a maximum of $500 per class member. Class members may also submit a claim for reimbursement of extraordinary losses, including up to 8 hours of lost time at $20 per hour, capped at $5,000 per class member.

Class members who submit a valid claim are also entitled to receive two years of credit monitoring services. The settlement has been capped at $200,000, and if that total is reached, claims will be paid pro rata. Precision Imaging Centers has also agreed to implement a range of cybersecurity measures to address the causes of the cyberattack, which will be maintained for at least three years. Further, any patient who has not received services from the company for five years or more will have their Social Security numbers purged from its systems or encrypted.

The final fairness hearing has been scheduled for January 8, 2026, and the deadline for submitting a claim is January 31, 2026. Individuals who wish to object to the settlement or exclude themselves have until January 1, 2026, to do so.

The post Trinity Health; Precision Imaging Centers Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.

Who develops and maintains The HIPAA Journal’s HIPAA training content?

The HIPAA Journal’s HIPAA training content is created and maintained by The HIPAA Journal editorial team, a group of in-house HIPAA experts each with more than a decade of experience in HIPAA and healthcare regulation. They designed the courses using insights from over ten years of HIPAA breach reporting and analysis, then refined the content using input from hundreds of external contributors such as privacy officers, compliance officers, IT security managers, and practice managers who responded to surveys and reviewed the material.

The training is actively maintained by The HIPAA Journal’s editorial and compliance team, who continuously monitor HIPAA rules, HHS/OCR guidance, and enforcement trends and update the lessons whenever there are meaningful regulatory or practical changes, including new issues such as the use of generative AI, messaging platforms, and social media.

Why is The HIPAA Journal training the best on the market?

Yes, the HIPAA training from The HIPAA Journal is the best available on the market. The HIPAA Journal’s employee training is the best on the market because it was built to correct real weaknesses in existing courses, developed over a long period by highly experienced HIPAA specialists with extensive field feedback, provides comprehensive and accurate coverage including key state laws, focuses on practical real world scenarios and everyday behavior, emphasizes personal responsibility and consequences, addresses modern technologies and evolving risks, offers tailored tracks for different environments and roles, uses an accessible online format with strong assessment and management tools, and is continuously updated and improved based on expert and user input.

Here are the main reasons why the training from The HIPAA Journal is the best available on the market:

  1. Created to fix real problems in existing training
    The team analyzed actual HIPAA violations and concluded that many were caused by preventable staff mistakes. They then reviewed other training products and found that a lot of what is on the market is inaccurate, incomplete, or out of date. Their program was built specifically to correct those weaknesses and reduce common staff errors.

  2. Developed by experienced HIPAA specialists over a long period
    The course took more than a year to build. It involved a team where everyone working on the content has more than ten years of HIPAA experience. They also gathered input from hundreds of privacy officers, compliance officers, IT security managers, and practice managers through surveys and feedback rounds.

  3. Comprehensive, accurate coverage for employees
    The core training covers the full HIPAA rule set from the perspective of everyday staff, not just policy writers. It includes additional modules on specialist topics and addresses key state privacy laws that add extra obligations, such as in Texas and California. The goal is to give employees a complete and correct understanding of what applies to them.

  4. Practical and scenario focused rather than just reciting rules
    Instead of simply repeating regulation text, the course emphasizes what workers must actually do in daily tasks. It explains how to apply HIPAA in real situations, so employees know how to act when faced with common scenarios that could lead to violations.

  5. Strong focus on behavior and personal responsibility
    The training stresses that every individual has a direct role in protecting protected health information. It explains how to spot and report security incidents and describes the possible consequences of noncompliance for both organizations and individuals, including internal sanctions, termination, fines, loss of license, and in serious cases criminal charges.

  6. Covers modern risk areas that older courses often ignore like AI and social media
    The program includes dedicated content on email, messaging apps, social media, artificial intelligence tools, and other modern technologies that HIPAA did not originally anticipate. The material is designed to be updated as technology and threats evolve, so the course does not become stale.

  7. Tailored training for different environments like Small Medical Practices or Universities or Business Associates
    There are specific modules for staff in small medical practices and for employees of business associates. These address the particular pressures and misconceptions in those settings and focus on why HIPAA still applies and why their own actions matter.

  8. Accessible online format with robust assessment features
    The training is offered as an online subscription. Staff can log back in for refreshers throughout the year rather than losing access. Quizzes draw from a large bank of questions, with randomization and unlimited retakes until all answers are correct, after which a certificate is issued. There are distinct courses for different audiences and tools for training managers to view records and track completion.

  9. Built with a continuous improvement and feedback loop
    The content was not written once and left alone. It has been reviewed by privacy and compliance officers, and their feedback led to additional modules being added. The program is designed to keep evolving based on user experience and ongoing regulatory and technological changes.

  10. Aligned with broader security and compliance efforts
    Because a large part of the HIPAA Journal readership is IT and security professionals, the training is designed to fit alongside security awareness and cybersecurity content, helping organizations connect privacy rules with practical security behavior.

The HIPAA Journal’s employee training program sets a new benchmark by combining expert developed, up to date content with practical, role specific guidance that helps organizations strengthen HIPAA compliance in everyday practice.

AccuCare Home Health Services Pays $20,000 Fine for Employing Excluded Individual

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has agreed to a $20,000 settlement with AccuCare Home Health Services to resolve allegations that the home healthcare provider employed an individual on the HHS-OIG exclusions list and billed services provided by that individual to federally funded healthcare programs.

AccuCare Home Health Services is a Mesa, Arizona-based provider of home health care services, specializing in skilled nursing, physical therapy, occupational therapy, speech therapy, and medical social services. According to HHS-OIG, AccuCare Home Health Services was discovered to have employed a home healthcare aide who was not permitted to participate in any federally funded healthcare program, and billed products or services provided by that individual to federal health care programs. The alleged violation was settled with a $20,000 financial penalty.

Healthcare organizations must ensure that a check is conducted of the HHS-OIG List of Excluded Individuals and Entities (LEIE) prior to onboarding a new employee. Regular checks must also be conducted on all employees, since individuals may be added to the LEIE after their employment commences. The HHS’ Office for Civil Rights imposes relatively few financial penalties for HIPAA violations; however, when it comes to HHS-OIG compliance, there is a much greater risk of a financial penalty if violations are identified. HHS-OIG regularly imposes significant financial penalties for claiming for items and services provided by excluded individuals and companies, submitting false claims, and violations of the Stark Law and the Anti-Kickback Statute. In addition to a financial penalty, there is a risk of being added to the HHS exclusion list, which will prohibit an individual or company from participating in federally funded health care programs.

On November 12, 2025, HHS-OIG announced that William Mangan, DO (Dr. Mangan) of Okemos, Michigan, had agreed to be excluded from participating in federally funded healthcare programs for a period of 10 years in connection with False Claims Act violations. Dr. Mangan was investigated by HHS-OIG in connection with allegations that he ordered genetic tests, durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) that were not reasonable or medically necessary and submitted claims to federally funded health care programs. Dr. Mangan claimed that he had evaluated patients and falsely certified that the ordered products were medically necessary when he failed to perform an adequate review.

Individuals can face severe penalties for knowingly causing products or services to be billed to federally funded healthcare programs when they are on the HHS-OIG exclusion list. Erik X. Alonso, 55, of Miami, Florida, had been convicted of conspiracy to commit health care fraud in 2015 for offenses in the Southern District of Florida. As a result of the conviction, Alonso was placed on the exclusion list and was fully aware that he was prohibited from participating in work that was billed to federally funded healthcare programs. In March 2022, Alonso started working for a telehealth mental health provider in New Hampshire and provided services to patients in the state that he knew would be billed to Medicaid. Alonso caused New Hampshire Medicaid to pay approximately $173,998.83 based on false and fraudulent claims. The healthcare fraud was discovered, and Alonso entered a guilty plea to one count of healthcare fraud and is awaiting sentencing. He now faces up to 10 years in jail.

Bill Introduced to Repeal Proposed OSHA Heat Standard for Indoor and Outdoor Workplaces

Rep. Mark Messmer (R-IN) has introduced a bill that seeks to repeal safety and health legislation introduced by the Biden administration to protect Americans against heat injury and illness in both indoor and outdoor work settings. Rep. Messmer introduced the Heat Workforce Standards Act of 2025 on November 20, 2025, to repeal the Occupational Safety and Health Administration’s (OSHA) Heat Injury and Illness Prevention in Outdoor and Indoor Work Settings proposed rule. The bill is co-sponsored by 23 Republican representatives in 16 U.S. states and is supported by more than two dozen industry organizations.

OSHA’s proposed standard applies to most employers in the general industry, construction, maritime, and agriculture sectors where OSHA has jurisdiction, and requires them to implement a plan to evaluate and control heat hazards in the workplace and protect their workers from hazardous heat. Rep. Messmer claims that OSHA’s proposed rule would impose impracticable and unnecessary requirements on residential construction employers, noncompliance with which would attract excessive financial penalties.

Rep. Messmer said the sweeping and unworkable heat standards were fast-tracked by the Biden administration, and these heavy-handed regulations are likely to crush innovation, increase costs, and undermine productivity. The proposed rule would require almost all American businesses and institutions to follow rigid, one-size-fits-all, federal workplace standards based on predetermined temperature thresholds, regardless of industry, climate, or existing safety protocols.

“The Biden Heat Rule was never about safety, but was rather, unsurprisingly, focused upon expanding federal bureaucratic control over hard-working Americans,” said Rep. Messmer in a press release announcing the bill. “My Heat Workforce Standards Act empowers employers to maintain safe and realistic workplace standard parameters which allow for both their workers and the business to thrive.”

Rep. Messmer maintains that if OSHA’s proposed rule is implemented, there would be redundant and egregious regulation requirements in all 50 states, with little variance considered for industry-specific outdoor and indoor heat variables and differences in climate. Employers who already had heat injury prevention measures in place would not be recognized, and it would remove state governments’ ability to create targeted heat rules specific to their climate and local industries.

“Needless to say, California, Florida, and Michigan are miles apart when it comes to heat, and heat hazards in construction are very different from the hazards in manufacturing or agriculture. That is why any standard intended to prevent and reduce heat-related injuries must be flexible and keep workers safe in ways that best address their unique environments and challenges,” Tim Walberg, House Education and Workforce Committee Chairman, said. “The Biden-Harris proposed heat rule does not have that much-needed flexibility, which is why this bill is a necessary step in protecting workers and preventing federal overreach so we can help workers earn a living and get home safe.”
