HHS-OIG Announces 10-Year Exclusions for Companies and Individuals

Posted by Steve Alder

The Department of Health and Human Services Office of Inspector General (HHS-OIG) maintains an exclusion list of companies and individuals who are not permitted to participate in federal healthcare programs, including indirectly participating by providing goods or services to entities that are billed to federal healthcare programs.

Exclusion is the most severe civil sanction that can be imposed by HHS-OIG and is most commonly due to conviction of a felony or misdemeanor related to a federally funded healthcare program, although individuals and entities can be added to the exclusion list for a variety of reasons. The duration of the exclusion depends on several factors and can range from months to permanent exclusion.

For permissive exclusions, HHS-OIG has discretion over how long the exclusion period lasts. That could be until an individual who has defaulted on a repayment addresses the default, although most permissive exclusions fall in the range of 1 to 3 years. Mandatory exclusions, such as those for misdemeanor and felony convictions, have minimum exclusion periods of 5 or 10 years, although three convictions will result in permanent exclusion.

If an individual is excluded, they are not permitted to work within the healthcare industry for any company that accepts federal funds, which can severely limit work opportunities. Since excluded individuals may still seek employment in the healthcare field, it is vital for employers to regularly check the exclusion list to ensure that new hires can be employed, and also to conduct regular checks of all employed individuals to ensure they can continue to be employed. Employing or continuing to employ an excluded individual risks civil monetary penalties.

HHS-OIG has recently announced new additions to its exclusion list, all of which see the individuals and entities excluded from federally funded healthcare programs for 10 years. In August, HHS-OIG entered into a settlement agreement with Ideal Health Diagnostics, Inc. (Ideal Health) and Svetlana Dizik (Dizik), of Glenview, Illinois, that requires a payment of $227,193.28 in addition to the 10-year exclusion. HHS-OIG alleged that Ideal Health and Dizik solicited and received improper remuneration from Perry Rudich, MD, in exchange for referrals for radiological interpretative services. Ideal Health and Dizik also caused claims to be submitted to Medicare that falsely identified Dr. Rudich as the rendering provider of items and services that he did not perform. Ideal Health and Dizik were not enrolled in Medicare, so they could not bill Medicare for those services themselves or receive payment for those services from Medicare.

In September, HHS-OIG announced 10-year exclusions for Optimum Faith Lab Corp. and its owner, Opal Mullings. Opal Mullings and Optimum had submitted claims for mileage under HCPCS Code P9603 that were improperly inflated, in excess of the actual mileage driven by phlebotomists, not properly prorated, or both. Further, claims were submitted for travel allowance, when only a fingerstick blood draw was performed, when Medicare rules do not permit travel allowance to be claimed for that purpose, and travel allowance was also claimed for laboratory services that were never rendered.

The post HHS-OIG Announces 10-Year Exclusions for Companies and Individuals appeared first on The HIPAA Journal.

Skagit Regional Health Settles Meta Pixel Class Action Litigation

Posted by Steve Alder

Skagit County Public Hospital District No. 1, doing business as Skagit Regional Health, the operator of Skagit Regional Hospital in Mount Vernon, Washington, has agreed to settle class action litigation stemming from its use of Meta Pixel and other tracking tools on its website, which may have disclosed patient information to third parties.

Like many hospital operators, Skagit Regional Health added tracking technologies such as Meta Pixel to its website. These tools track user activity on websites, such as the pages visited and time spent on each page; however, they can collect a range of information that can be tied to individuals via various identifiers, including IP addresses. The data collected by these tools is typically transmitted to the providers of these tools, and in the case of Meta Pixel, the data can be used to serve targeted advertisements.

On November 8, 2024, a lawsuit was filed in Skagit County Superior Court in Washington by Dave Suther – Dave Suther v. Skagit County Public Hospital District No. 1, d/b/a Skagit Regional Hospital – alleging the defendant had used tracking tools on the hospital website which collected and transmitted protected health information to Meta and other third parties without the knowledge or consent of website users. The lawsuit asserted claims of negligence, negligence per se, invasion of privacy-intrusion upon seclusion, invasion of privacy-disclosure of private facts, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of both the Washington Consumer Protection Act and the Washington Privacy Act.

The defendant denies any wrongdoing or liability and believes it would prevail at summary judgment; however, after taking into account the costs, time, and distraction of continuing with the litigation and the uncertainty and risks associated with any litigation, it agreed to engage in settlement discussions. A settlement has now been agreed that is acceptable to all parties, and the settlement has received preliminary approval from the court. Under the terms of the settlement, Skagit Regional Health has agreed to cover the cost of attorneys’ fees and expenses, settlement administration costs, class representative awards, and a cash payment of $20 for all class members.

The class consists of individuals who were patients of Skagit Regional Hospital who navigated to, signed up for, logged in, or used its patient portal between May 1, 2021, and September 5, 2025. Individuals wishing to object to the settlement or exclude themselves must do so by November 3, 2025. Claims for cash payments must be submitted by November 3, 2025, and the final fairness hearing has been scheduled for November 21, 2025. Further information can be found on the settlement website: https://www.sutherpixelsettlement.com/

The post Skagit Regional Health Settles Meta Pixel Class Action Litigation appeared first on The HIPAA Journal.

Florida Radiology Practice Announces 171K-record Data Breach

Posted by Steve Alder

Data breaches have been announced by Doctors Imaging Group in Florida, Rectangle Health in New York, and Care N’ Care in Texas.

Doctors Imaging Group, Florida

Doctors Imaging Group, a Gainesville, Florida-based physician-owned radiology practice, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 171,862 current and former patients. Suspicious activity was identified within its computer network on or around November 11, 2024, and the forensic investigation confirmed that unknown actors accessed its network between November 5, 2024, and November 11, 2024. During that time, files were copied from its systems, some of which contained the protected health information of patients. The substitute breach notice does not say if this was an extortion attempt, such as a ransomware attack, and the HIPAA Journal has not identified any posts by ransomware groups claiming responsibility for the attack.

Doctors Imaging Group conducted a file review to identify the types of information exposed in the incident, which was completed on August 29, 2025. Data potentially compromised in the attack includes names, addresses, birth dates, admission dates, medical treatment information, claims information, Social Security numbers, patient account numbers, medical record numbers, financial account numbers, and account types. The affected individuals have been advised to monitor their account statements, explanation of benefits statements, and free credit reports for suspicious activity. Doctors Imaging Group has reviewed its data security policies and procedures and is evaluating additional cybersecurity tools to reduce the risk of similar incidents in the future.

Rectangle Health, New York

Rectangle Health, a Valhalla, NY-based software company that provides practice management software to healthcare providers, has recently notified the Maine Attorney General about a breach affecting 2,095 individuals, including 11 Maine residents. The incident involved unauthorized access to its Salesforce platform on August 14, 2025. The platform was used to store customer information. Rectangle Health did not state which cybercriminal group was involved. The file review was completed on September 4, 2025, and confirmed that the stolen data includes names, dates of birth, and Social Security numbers. Notification letters were mailed to the affected individuals on October 8, 2025. Complimentary credit monitoring services are being offered to the affected individuals.

There has been a spate of attacks on Salesforce environments over the past few months, prompting the Federal Bureau of Investigation (FBI) to issue a Flash Alert in September. The alert warned that two cybercriminal groups – UNC6040 (ShinyHunters) and UNC6395 – were targeting Salesforce environments. In September, a hacking group called Scattered Lapsus$ Hunters started leaking stolen Salesforce data. Some members are believed to also be part of the ShinyHunters group. The group has attempted to extort Salesforce and has threatened to extort companies directly if Salesforce refuses to pay the ransom.

Care N’ Care, Texas

Care N’ Care, a Medicare Advantage health plan provider serving Medicare beneficiaries in North Texas, has recently notified the Texas Attorney General about a data breach affecting 32,452 Texas residents. While little is currently known about the data breach, this was a hacking incident that involved unauthorized access to protected health information, which may also have been stolen in the attack. The date of the cyberattack has not been publicly disclosed. The file review has confirmed that the exposed data includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information.

The post Florida Radiology Practice Announces 171K-record Data Breach appeared first on The HIPAA Journal.