Monroe University: 320,000 Individuals Affected by December 2024 Cyberattack

Monroe University, a for-profit university with campuses in the Bronx and New Rochelle in New York and in Saint Lucia in the Caribbean, has confirmed that a cyberattack resulted in unauthorized access to the personal and health information of 320,973 individuals.

The cyberattack was detected more than a year ago, on December 23, 2024. When the intrusion was detected, the university took immediate action to secure its systems and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed that an unauthorized third party had access to the network from December 9, 2024, to December 23, 2024, and exfiltrated files containing sensitive data.

It has taken nine months to review the affected files to determine the individuals affected and the types of data involved. On September 30, 2025, Monroe University confirmed that the data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, government identification numbers, medical information, health insurance information, electronic account or email usernames and passwords, financial account information, and/or student data.

The university started issuing notification letters to the affected individuals on January 2, 2026, and advised all individuals to remain vigilant against potential fraud and identity theft by monitoring their credit reports, accounts, and explanation of benefits statements for suspicious activity. At the time the notification letters were issued, the university had not identified any misuse of the stolen data. Based on the notification letter seen by The HIPAA Journal, credit monitoring services do not appear to have been offered.

Universities, like healthcare organizations, are an attractive target for hackers, who can gain access to vast amounts of sensitive data, which in this case included student data and health information. Other universities that have recently experienced cyberattacks include Harvard and Columbia.

The post Monroe University: 320,000 Individuals Affected by December 2024 Cyberattack appeared first on The HIPAA Journal.

Tens of Thousands of Patients Affected by Two Business Associate Data Breaches

Mid Michigan Medical Billing Service, a Flint, MI-based revenue cycle management company that provides billing support services to HIPAA-covered entities, has fallen victim to a cyberattack that exposed the sensitive data of patients of its healthcare clients.

Suspicious network activity was identified on March 27, 2025, and the forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The affected data was reviewed to determine the types of information involved and the affected individuals. Mid Michigan Medical Billing Service then notified the affected covered entity clients and worked with them to provide notice to the affected individuals.

The file review confirmed that the protected health information of 28,185 individuals had been exposed in the cyberattack. The compromised data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, driver’s license/government-issued identification number, Medicare/Medicaid identification number, diagnosis/treatment information, medical record number/patient account number, health insurance information, payment card number, employer identification number, passport number, treating/referring provider name, and biometric data. For a limited number of individuals, Social Security numbers were involved.

VillageCareMAX, New York

VillageCareMAX, a New York, NY-based provider of health plans and community healthcare services to seniors and individuals with chronic diseases, has announced a data breach involving one of its business associates, TMG Health.

VillageCareMAX uses the Cognizant-owned TMG Health to assist with the administration of its members’ health plans. TMG Health identified unauthorized activity within its information system on September 19, 2025. The unauthorized access was immediately terminated, and an investigation was launched to determine the nature and scope of the unauthorized activity. TMG Health determined that an unauthorized third party had access to its network for 10 months from November 20, 2024, to September 19, 2025. During that time, VillageCareMAX members’ protected health information may have been accessed and acquired.

The affected data included names, member identification numbers, health information, and Social Security numbers. While no misuse of that data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft recovery services. VillageCareMAX has received assurances that TMG Health has implemented technological and procedural enhancements to prevent similar incidents in the future.

VillageCareMAX provides services to more than 35,000 individuals each year. It is currently unclear how many of those individuals have been affected.

The post Tens of Thousands of Patients Affected by Two Business Associate Data Breaches appeared first on The HIPAA Journal.

Is your Cybersecurity Training Good Enough to Give You HIPAA Safe Harbor Law Protection?

Your HIPAA Safe Harbor protection is only as strong as your ability to prove through documentation and consistent practice that your organization has implemented recognized security practices for at least 12 months, and cybersecurity training is one of the most visible ways regulators can see those practices operating in real life.

Healthcare organizations often ask a deceptively simple question after a breach, a complaint, or an OCR investigation begins: “Will our training help us?” Under the HIPAA Safe Harbor Law, the more precise question is: “Can we demonstrate that our security program, including workforce training, reflects recognized security practices, and that we’ve run it consistently for at least a year?”

That distinction matters because HIPAA Safe Harbor is not a “get out of jail free” card. It’s a legal instruction to the U.S. Department of Health and Human Services (HHS) to consider what you were already doing before an incident when deciding how hard to come down on you, especially when it comes to penalties, corrective action plans, and audits.

In other words: Safe Harbor doesn’t require perfection. It rewards proof of discipline and best practices.

What the HIPAA Safe Harbor Law Actually Does (and Doesn’t Do)

The HIPAA Safe Harbor Law is commonly referenced as HR 7898, an amendment to the HITECH Act passed by Congress in 2021. In plain terms, it gives HHS room to be more reasonable with organizations that can show they implemented and maintained recognized security practices before a security-related HIPAA incident.

What HIPAA Safe Harbor may influence includes:

  • Civil monetary penalties (the size and severity of fines)

  • Corrective action plans (how disruptive and extensive remediation requirements become)

  • Audit burden (length and extent, including how invasive the process is)

What Safe Harbor does not do:

  • It does not eliminate HIPAA obligations.

  • It does not guarantee you won’t be fined.

  • It does not excuse weak safeguards or missing documentation.

  • It does not retroactively “fix” a program you can’t prove existed and functioned.

The entire premise is straightforward: if you’ve been taking recognized security seriously, and can demonstrate that, HHS can factor it into how they respond when something still goes wrong.

HR 7898 and the “Recognized Security Practices” Language You Must Understand

HIPAA Safe Harbor is anchored in the concept of recognized security practices, and HR 7898 points directly to well-known cybersecurity references. The law includes the following text (emphasis added here only for readability):

“Standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act, the approaches promulgated under section 405(d) of the 2015 Cybersecurity Act, and other programs that address cybersecurity and that are developed, recognized, or promulgated through regulations […] consistent with the HIPAA Security Rule.”

What that means in practice

This language is doing two things at once:

  1. It recognizes established cybersecurity “programs” and frameworks (for example, NIST-related guidance and the 405(d) Health Industry Cybersecurity Practices approach).

  2. It draws a boundary: whatever you adopt must be consistent with the HIPAA Security Rule and not a generic IT checklist that ignores how ePHI is created, accessed, transmitted, and stored in healthcare environments.

So if you want HIPAA Safe Harbor to matter, your story has to be coherent:

  • Your security framework (the “recognized practices”)

  • Your policies and controls (how those practices are implemented)

  • Your training program (how your workforce is taught to execute those practices)

  • Your records (how you prove it happened consistently over time)

Why Cybersecurity Training is a Safe Harbor Pressure Point

Training is not the whole Safe Harbor equation, but it’s one of the easiest places for regulators to test whether your security program is real.

Policies can be beautifully written and still meaningless. Controls can exist and still be bypassed. But training forces you to answer uncomfortable questions, such as:

  • Did staff understand how to recognize common attacks (like phishing and social engineering)?

  • Were they taught how to handle passwords, devices, email, and messaging safely?

  • Did they know how to report a suspected security incident—immediately?

  • Did you reinforce and update training as threats and workflows changed?

  • Can you produce documentation that shows training was delivered, completed, tested, and refreshed?

If your organization can produce training materials, completion records, quiz results, and updated modules that align with your program, it becomes concrete evidence that recognized practices were not just “adopted on paper,” but implemented across your workforce.

The Real Question: Is Your Training “Good Enough” for HIPAA Safe Harbor?

To be “good enough” in a Safe Harbor sense, training must do more than satisfy a checkbox. It needs to be:

1) Healthcare-specific, not generic

Safe Harbor is about practices consistent with the HIPAA Security Rule. Generic corporate security training often misses the realities of healthcare workflows—shared workstations, high-urgency communication, patient-facing operations, and the constant movement of sensitive data across systems and people.

2) Outcome-driven and behavior-focused

The goal isn’t to make employees recite definitions. It’s to reduce risk by changing day-to-day behavior: how people click, reply, forward, store, share, verify, escalate, and report.

3) Mapped to your recognized security practices

If you claim alignment with recognized practices, your training should visibly reinforce them. A regulator should be able to see the connection between what your program says and what your workforce is taught to do.

4) Consistent for at least 12 months (and provable)

Safe Harbor looks backward. If you can’t show continuity—onboarding, refreshers, updates, and participation evidence—you lose the main benefit the law offers.

5) Documented like you expect to be investigated

A “good” training program can still fail the Safe Harbor test if you can’t produce records quickly and cleanly. In enforcement, absence of documentation is often treated as absence of action.

What Healthcare Cybersecurity Should Encompass to Provide HIPAA Safe Harbor

This section is based exclusively on the training content referenced and describes what a healthcare-focused cybersecurity program for employees should include if you want training to meaningfully support HIPAA Safe Harbor. Healthcare cybersecurity training should be designed to teach staff to recognize threats and handle health records securely, and it should be grounded in HIPAA and real healthcare workflows. The objective is to reduce the likelihood of data breaches caused by employees by building practical habits, personal responsibility, and repeatable behaviors.

Practical, risk-reducing behaviors employees must learn

Training should cover practical behaviors that directly reduce cyber risk, including:

  • Passwords

  • Email and messaging security

  • Resisting social engineering

  • Careful use of USB devices and removable media

It should also teach employees how attackers actually get in and how to stop them, focusing on the real causes of breaches such as phishing, weak credentials, unsafe device use, and slow reporting.

Early incident recognition and first-response actions

A healthcare cybersecurity program must help staff recognize when “something looks wrong” and understand what to do immediately. This includes:

  • Early attack incident recognition

  • How to respond to suspected attacks

  • Clear guidance on recognizing and reporting security incidents

Case-based learning that motivates real behavior change

Effective training should include real-world, relatable healthcare examples and case-based consequences that explain:

  • Why security best practices matter for healthcare records

  • The difference between a HIPAA violation and a data breach

  • The negative consequences of healthcare cybersecurity failures for patients, healthcare organizations, and employees

Clear emphasis on employee responsibility

The training should emphasize that security responsibilities are personal and that every employee plays a direct role in protecting medical data by:

  • Following proper procedures

  • Securing physical devices

  • Remaining alert to suspicious activity

It should also explain the consequences of HIPAA violations and data breaches.

Physical safeguards that protect medical records

Healthcare cybersecurity should explicitly include physical safeguards, teaching how medical records can be exposed through physical technology and how to prevent that, including:

  • Securing workstations

  • Properly managing personal devices

  • Safely handling removable media

The objective is to protect patient information when using physical technology and maintain the confidentiality and integrity of medical records.

The core healthcare cyberthreats your workforce must be trained on

Training should teach the most common ways medical records can be hacked and how to prevent breaches, including:

  • Phishing

  • Password security

  • Social engineering

  • Email and messaging security

  • Social media security

A HIPAA Safe Harbor Readiness Checklist for Your Healthcare Cybersecurity Training

If you want an honest answer to “Is our cybersecurity training good enough for HIPAA Safe Harbor protection?”, pressure-test it with questions like these:

  • Can we show 12+ months of consistent cybersecurity training activity?

  • Do we have clean documentation: materials, completion records, quiz/test evidence, certificates, and updates?

  • Is training healthcare-specific and clearly connected to protecting medical records and ePHI?

  • Does it teach practical behaviors (not just rules) across cyber and physical safeguards?

  • Does it teach recognition and response for suspected attacks, along with reporting expectations?

  • Can we demonstrate that training reflects our policies and technical controls, not generic advice?

  • If OCR asked for evidence tomorrow, could we produce it quickly, completely, and confidently?

If any of those answers are shaky, the issue isn’t just training quality; it’s Safe Harbor credibility.

HIPAA Safe Harbor Protection

HIPAA Safe Harbor protection is less about claiming you followed a framework and more about proving your organization operationalized recognized security practices over time, and workforce cybersecurity training is one of the clearest ways to demonstrate that operational reality. If your training is generic, sporadic, poorly tracked, or disconnected from how your organization actually protects ePHI, it’s unlikely to carry meaningful Safe Harbor weight when it matters most.

The post Is your Cybersecurity Training Good Enough to Give You HIPAA Safe Harbor Law Protection? appeared first on The HIPAA Journal.

HIPAA Awareness Training

HIPAA awareness training is a practical, organization-wide program that helps every workforce member recognize Protected Health Information, avoid common privacy and security mistakes, and report concerns early, while supporting the deeper role-based HIPAA training required for both HIPAA Covered Entities and HIPAA Business Associates.

What is HIPAA Awareness Training?

HIPAA awareness training is the baseline layer of HIPAA education that builds shared expectations across the workforce. It focuses on everyday behaviors and decision points rather than turning every employee into a HIPAA specialist. Awareness training works best as the common foundation that is supplemented with additional modules for higher-risk roles, departments, and systems.

Awareness training should be written in clear, employee-friendly language and designed to be easy to apply during real work. It should also include short knowledge checks that confirm understanding, rather than relying only on acknowledgement statements.

Who Should Receive HIPAA Awareness Training?

HIPAA awareness training should be delivered to all workforce members, including management, employees, temporary staff, and contractors. Organizations often make the mistake of limiting training to clinical teams or staff who regularly handle medical records, but privacy and security risk also comes from support roles, shared systems, and basic workplace behavior.

Even staff who rarely interact with PHI should still understand the basics of confidentiality, security awareness, and incident reporting, because they may encounter PHI unexpectedly through emails, phone calls, misdirected documents, or shared work areas.

What HIPAA Awareness Training Should Cover

A strong awareness program explains core terms and responsibilities in practical language. Staff should understand what PHI and ePHI are, why the minimum necessary mindset matters, and how to follow internal policies for handling information. Training should explain common permitted and non-permitted behaviors in a way that fits everyday work, such as what to do when someone asks for information, how to verify identity, and how to avoid sharing details in public spaces.

Awareness training should also introduce patient rights concepts at a high level so staff know when to escalate requests rather than guessing. It should reinforce that HIPAA compliance is part of the job, not a one-time event or a once-a-year exercise.

HIPAA Security Awareness Training and Cybersecurity

Security awareness should be included for all workforce members because human error is a leading contributor to security incidents. HIPAA awareness training should cover phishing and social engineering, safe password practices, account security, device protection, and secure remote work. It should also address safe use of email, messaging, and texting, since these channels are common sources of accidental disclosures.

Modern awareness training should also address emerging risks such as the unsafe use of generic AI tools with PHI. Staff need clear rules about what information can and cannot be entered into general-purpose AI systems and what approved tools exist inside the organization.

HIPAA Privacy Awareness in Everyday Work

Privacy awareness training should focus on practical mistakes that occur in normal workflows. This includes conversations in hallways, waiting rooms, and public areas, screen visibility in shared spaces, printed documents left on printers, and casual sharing of patient information in internal chats. It should also cover social media risks, including the fact that “no name” stories can still identify a patient when enough context is shared.

Awareness training should connect these risks to simple habits, such as checking recipient addresses before sending, using approved communication tools, limiting what is displayed on screens, and avoiding unnecessary details in notes and messages.

Incident Reporting and Escalation

A core goal of HIPAA awareness training is to help staff recognize issues early and report them quickly. Training should define what counts as a potential incident, what to do if something seems wrong, and who to contact. It should reinforce that reporting is encouraged and expected, and that raising concerns early is safer than trying to fix issues quietly.

This reporting section should also introduce the organization’s HIPAA officers and escalation channels, so staff know exactly where to go when they suspect a privacy or security problem.

How Often Should HIPAA Awareness Training Be Delivered?

HIPAA training should be provided to new workforce members within a reasonable period after they join, and additional training should be delivered when policies, procedures, or technology change in a relevant way. Risk assessments and incident patterns should also drive additional training when gaps are identified.

Best practice in the healthcare sector is annual HIPAA training, and awareness training should be part of that annual cycle. Annual refreshers reinforce expectations, incorporate new risks, and help prevent slow drift in daily habits.

HIPAA Awareness Training Documentation and Audit Readiness

HIPAA awareness training should generate strong documentation. Organizations should maintain records of training content, dates, attendees, completion status, and frequency so they can demonstrate ongoing education. A training platform that supports completion tracking, certificates, and easy reporting makes it far simpler to respond to audits and client due diligence requests.

Documentation should show that training is not a one-time event, that content is updated, and that the organization tests understanding rather than relying only on attestations.

HIPAA Awareness Training for a HIPAA-Covered Entity

For a HIPAA Covered Entity, awareness training should provide a clear baseline for all workforce members and connect HIPAA requirements to patient trust and the organization’s mission. It should explain the Privacy, Security, and Breach Notification Rules in plain language and show how they apply to common workflows in clinical and administrative settings.

Covered Entities should ensure awareness training is consistent across departments while adding role-specific overlays for higher-risk groups. Training should be practical and scenario-based, include knowledge checks, and be supported by clear documentation.

HIPAA Awareness Training for a HIPAA Business Associate

For a HIPAA Business Associate, awareness training must include the same practical privacy and security foundations, plus additional emphasis on Business Associate obligations. Staff need to understand that Business Associate Agreement terms govern permitted uses and disclosures, that PHI can only be used for contracted purposes, and that incident escalation must be fast so Covered Entity clients can meet notification timelines.

Business Associate awareness training should also use examples that match the services provided, such as billing, IT support, analytics, document handling, or call center workflows. It should reinforce secure handling of client data, careful use of communication tools, and the need to follow client-specific procedures where required.

How to Make HIPAA Awareness Training Effective

Awareness training works best when it is written and maintained by HIPAA experts, updated regularly, and delivered in employee-friendly language. It should use realistic scenarios, focus on the decisions employees actually make, and test understanding rather than relying on acknowledgement alone. It should also explain the consequences of noncompliance with realistic examples so staff understand why details matter.

Programs should include role-based options for special groups, support clear reporting and audit-ready documentation, and integrate cybersecurity awareness that reflects real threats to ePHI. When HIPAA awareness training is delivered to all staff and refreshed annually, it becomes a practical, defensible way to reduce risk and build a consistent culture of privacy and security across both HIPAA Covered Entities and HIPAA Business Associates.

The post HIPAA Awareness Training appeared first on The HIPAA Journal.