Okanogan Behavioral Healthcare Settles Class Action Data Breach Lawsuit – The HIPAA Journal
Okanogan Behavioral Healthcare, a provider of holistic behavioral health services in Okanogan County, Washington, has agreed to settle a class action lawsuit stemming from a May 2024 data breach that affected 26,429 individuals.
A network intrusion was identified on May 15, 2024, and the forensic investigation determined that an unauthorized third party had access to its network from May 13, 2024, to May 15, 2024. Data exposed in the incident included client names, contact information, dates of birth, Social Security numbers, driver’s license numbers, other identification numbers, and medical information, including diagnosis and treatment information, and health insurance information. The affected individuals started to be notified on August 23, 2024.
A lawsuit – Doe v. Okanogan Behavioral Healthcare – was filed in the Superior Court of the State of Washington for the County of Okanogan in response to the data breach. The complaint alleged that the breach resulted from the defendant’s failure to implement reasonable and appropriate cybersecurity measures, and that the breach could have been prevented had those measures been in place. Okanogan Behavioral Healthcare denies wrongdoing and liability and disagrees with all claims and contentions in the lawsuit; however, it agreed to a settlement to avoid further litigation costs and the uncertainty of a trial and associated appeals.
Okanogan Behavioral Healthcare has agreed to cover attorneys’ fees and expenses, settlement notification and administration costs, and a service award for the class representative. Under the terms of the settlement, class members may submit a claim for reimbursement of losses due to the data breach and/or an alternative cash payment or credit monitoring services.
Claims may be submitted for reimbursement of documented, unreimbursed ordinary losses, up to a maximum of $300 per class member, and extraordinary losses up to a maximum of $5,000 per class member. A claim may also be submitted for an alternative cash payment, anticipated to be $50 per class member, or two years of credit monitoring services. The maximum claim is therefore $5,300 plus $50, or $5,300 plus credit monitoring services.
The deadline for objection to the settlement and exclusion is August 4, 2026. The deadline for submitting a claim is September 3, 2026, and the final approval hearing has been scheduled for September 3, 2026.
The post Okanogan Behavioral Healthcare Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.
High-Severity Vulnerability Identified in OHIF Viewers DICOM
A high-severity vulnerability has been identified in OHIF Viewers, the Open Health Imaging Foundation’s web-based DICOM viewer, which could be exploited to steal an authenticated clinician’s token via a crafted link.
The Server-Side Request Forgery (SSRF) vulnerability is tracked as CVE-2026-12473 and has a CVSS base score of 8.2 (v3.1) and 8.3 (v4.0). It exists because two data sources shipped in the default configuration, DICOMWebProxy and DICOMJSON, fetch whatever URL is supplied in a query parameter without validating it.
A global authentication service in OHIF then injects the authenticated user’s OIDC Bearer token into the resulting request. If the URL in a crafted link points at an attacker-controlled server, that request carries the token to the attacker. Standard DICOMweb data sources are not affected.
The vulnerability affects the OHIF DICOM Web Viewer Framework prior to v3.12.0. The maintainer fixed the issue in version 3.12.2, released on May 18, 2026; the fix is in OHIF/Viewers#5985 (master) and OHIF/Viewers#5978 (release/3.12).
Users are advised to update to the fixed version as soon as possible. Deployments that run OHIF with authentication, and in particular those that still need dicomwebproxy or dicomjson in an authenticated deployment, have additional steps to take, as detailed in the CISA security advisory.
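The pattern described above, as an added illustration that is not OHIF’s own code: a user-supplied URL reaches the request layer unchecked, and a global auth layer attaches the bearer token to whatever request results. The hardened version parses the URL, requires https, rejects embedded credentials, and only attaches the token when the origin is on an explicit allowlist. The query parameter, the sample token, the allowlist, and the crafted inputs are all constructed for the demo.

```javascript
// Added example (not OHIF project code): the request-building pattern
// behind an SSRF that leaks a bearer token, beside a hardened version.
// The parameter name, token, allowlist and crafted inputs are assumptions.

// Constructed sample session; the token value is made up.
const SESSION = { accessToken: 'eyJhbGciOiJSUzI1NiJ9.constructed.token' };

// Vulnerable pattern: the target URL is taken straight from the page's
// query string (e.g. ?url=...) and a global auth layer attaches the
// user's bearer token to whatever request results, so a crafted link
// pointing at an attacker's host receives the token.
function buildRequestUnsafe(rawUrl, session) {
  return {
    url: rawUrl,
    headers: { Authorization: `Bearer ${session.accessToken}` },
  };
}

// Hardened pattern: parse the URL, require https, reject embedded
// credentials, and only attach the token when the origin is on the
// deployment's explicit allowlist of trusted DICOM endpoints.
function buildRequestSafe(rawUrl, session, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(rawUrl); // throws on malformed or relative input
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:') return null;
  // "https://trusted.host@attacker.example/" parses with trusted.host as
  // the username and attacker.example as the host; reject it outright.
  if (parsed.username !== '' || parsed.password !== '') return null;
  if (!allowedOrigins.has(parsed.origin)) return null;
  return {
    url: parsed.toString(),
    headers: { Authorization: `Bearer ${session.accessToken}` },
  };
}

// Runs a set of constructed crafted-link inputs through both paths and
// reports which URLs would receive the token under each.
function compare(inputs, session, allowedOrigins) {
  const leaksUnsafe = [];
  const sentSafe = [];
  for (const rawUrl of inputs) {
    const u = buildRequestUnsafe(rawUrl, session);
    if (u.headers.Authorization) leaksUnsafe.push(u.url);
    const s = buildRequestSafe(rawUrl, session, allowedOrigins);
    if (s) sentSafe.push(s.url);
  }
  return { leaksUnsafe, sentSafe };
}

// Constructed allowlist and crafted inputs for the demo.
const ALLOWED = new Set(['https://pacs.example.org']);
const CRAFTED = [
  'https://pacs.example.org/dicomweb/studies',          // legitimate
  'https://attacker.example/collect',                   // plain SSRF target
  'https://pacs.example.org@attacker.example/collect',  // userinfo trick
  'https://pacs.example.org.attacker.example/collect',  // lookalike host
  'http://pacs.example.org/dicomweb/studies',           // scheme downgrade
  'not a url',
];

console.log(JSON.stringify(compare(CRAFTED, SESSION, ALLOWED), null, 2));
```

The unsafe path sends the token to all six inputs; the safe path sends it only to the allowlisted origin. The general lesson is that a credential-injecting interceptor must never be allowed to fire on a request whose destination is user-controlled: bind the token to the origins the deployment actually trusts, not to "any request the viewer happens to make".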
Why You Don’t Need to Understand HIPAA to Make Your Small Practice HIPAA Compliant
A small practice owner who cannot define a Security Risk Analysis, has never read the HIPAA Security Rule, and does not know what a Business Associate Agreement must contain can still operate a practice with a complete, documented, provable HIPAA compliance program. The expertise does not have to live in the practitioner’s head. It has to live in the program. A purpose-built compliance program encodes what HIPAA requires and translates a practice owner’s knowledge of their own practice into a complete compliance record. The practitioner does not need to become a compliance expert. They need a structured program built specifically for them.
What HIPAA Actually Requires a Small Practice to Have
HIPAA’s requirements for a small independent practice are extensive, but they are not open-ended. The HIPAA compliance obligations for a covered entity resolve into four documented outputs that the HHS Office for Civil Rights will look for in any investigation or audit.
The first is a current Security Risk Analysis. The Security Rule requires covered entities to conduct an accurate and thorough assessment of the risks and vulnerabilities to electronic Protected Health Information across every system, device, and workflow the practice uses. The SRA must be current. A practice that completed one two years ago and has since changed its EHR system, added a telehealth platform, or hired new staff has an outdated assessment and a documented gap.
The second is a set of written policies and procedures tailored to the practice. The HIPAA Privacy Rule and Security Rule both require written policies that address each applicable standard. Generic templates do not satisfy this requirement. The HHS Office for Civil Rights treats policies that do not reflect how the practice actually operates as evidence that a compliance program exists on paper only, not in practice.
The third is documented workforce training. The HIPAA training requirement applies to every member of the workforce, including staff who do not directly handle patient records. Training records must show who completed training, what was covered, and when. The record of completion is the compliance artifact. An investigator will ask for documentation, not recollections.
The fourth is a signed Business Associate Agreement with every vendor that creates, receives, maintains, or transmits Protected Health Information on behalf of the practice. This includes EHR vendors, billing services, cloud storage providers, transcription services, and any other third party with access to PHI. A breach involving a vendor without a current agreement exposes the practice to enforcement action regardless of where the fault lies.
These are not judgment calls or matters of interpretation. A practice either has all four, documented and current, or it does not. An OCR investigator will request each of them.
Why Most Small Practices Have Gaps They Cannot See
Most small practices are not non-compliant on purpose. They completed a training session, filed some policies, and reasonably concluded they were covered. The gap between that conclusion and actual compliance is where enforcement actions originate.
Three specific failure patterns appear consistently in OCR investigations of small practices.
The first is the generic template problem. A policy downloaded from a template library describes a hypothetical organization with hypothetical workflows. It does not describe the practice’s actual intake process, its specific EHR configuration, or how its staff handles verbal disclosures in shared clinical spaces. When an investigator asks a staff member to describe their workflow and the answer does not match the written policy, the program is treated as non-implemented. The document existed. The compliance program did not.
The second is the one-time SRA problem. Many practices completed a Security Risk Analysis once, often at the recommendation of their EHR vendor or an IT provider, and have not revisited it since. An SRA is not a one-time obligation. Every material change to the practice’s technology, physical environment, or service delivery model requires a reassessment. A practice that added telehealth after a prior SRA has a gap that the original assessment does not cover. OCR currently maintains an active enforcement initiative targeting incomplete and outdated risk analyses, and the SRA is the first document requested when an investigation opens.
The third is the partial completion problem. Training without a current SRA is partial compliance. Policies without documented training are partial compliance. A signed BAA for the EHR vendor but not the billing service is partial compliance. HIPAA penalties do not recognize partial effort. OCR does not award credit for the components a practice completed. The program must be complete to function as a defense, and partial compliance is treated the same as no compliance when an investigation surfaces a gap.
What Compliance Expertise Actually Consists Of, and Why a Program Can Carry It
A compliance expert knows which safeguards apply to a two-provider dental practice versus a multi-location behavioral health group. They know which questions a Security Risk Analysis must answer for a practice that uses a cloud-based EHR versus one with on-premises servers. They know when a vendor arrangement creates PHI storage exposure the practice has not assessed, and they know how the HIPAA Breach Notification Rule applies to a misdirected fax versus a ransomware incident.
That knowledge is not trivial. It takes years to develop and requires ongoing attention as the regulations change. The argument here is not that it is unimportant. The argument is that a practice owner should not have to carry it personally to operate a compliant practice.
A purpose-built compliance program encodes that expertise into a guided workflow. The practitioner answers questions about their practice: how many locations, which systems, what types of staff, which vendors. The program translates those answers into a practice-specific Security Risk Analysis, practice-specific policies, role-based training assignments, and a managed vendor agreement inventory. The practitioner brings knowledge of the practice. The program brings knowledge of HIPAA.
This is not a theoretical model. Practices with no prior compliance background and no dedicated compliance staff have built and maintained complete, audit-ready programs this way. The expertise is in the platform, not in the practitioner.
What a Complete, Practice-Specific Compliance Program Produces
A complete compliance program generates four outputs that correspond directly to what an OCR investigation will request.
The Security Risk Analysis produced by a purpose-built program is tailored to the practice’s actual systems, locations, workflows, and vendor relationships. It routes around questions that do not apply to a single-location practice and focuses on the vulnerabilities that do. It produces a documented risk register that identifies each vulnerability, assigns a risk level, and records the remediation action and timeline. An SRA without a corresponding risk management plan tells an investigator that risks were identified and ignored. A complete program produces both.
The policies and procedures generated by the program reflect how the practice actually operates, because they are built from the practice’s own SRA responses. They are not generic. They describe real workflows, real staff responsibilities, and real system configurations. When an investigator asks a staff member to describe their role and then compares the answer to the written policy, the two should match. A purpose-built program makes that alignment the default rather than an administrative aspiration.
The training records maintained by the program document completion at the individual level, with timestamps and role-specific assignments. Staff turnover, multiple start dates, and varying training schedules are tracked automatically. The program generates the documentation an investigator will request, not a spreadsheet assembled after the fact.
The Business Associate Agreement inventory tracks every vendor relationship, the date each agreement was executed, and when renewal review is due. Agreements that lapse because no one was tracking the renewal date are one of the most common findings in OCR investigations. A managed inventory with automated reminders eliminates that specific gap.
A practice that can produce all four on demand has a program it can prove. That is the only standard an OCR investigation applies.
The Difference Between Doing Some of It and Having All of It
The cost argument for a complete program is direct. Once a breach occurs, the costs that follow are largely fixed. Patient notification, breach response, reputational damage, and civil liability attach at the moment the breach is confirmed. The one cost that documentation and good-faith compliance can prevent is the government fine.
HIPAA civil penalties are tiered by culpability. A violation attributable to reasonable cause carries a substantially lower maximum penalty than one attributable to willful neglect. A complete, documented compliance program is the evidence of reasonable cause that determines which tier applies. For a small practice, the difference between those tiers can represent tens or hundreds of thousands of dollars. The fine is the cost that prior documentation prevents.
The time investment required to stand up a complete program through purpose-built software is measured in hours, not weeks. Maintenance thereafter requires a few minutes a month to keep the program current as the practice changes. That investment is small relative to the regulatory risk it removes.
Partial completion does not reduce the fine. A practice that completed training but has no current SRA is exposed to the same willful neglect finding as a practice that did nothing, if the SRA gap surfaces during an investigation triggered by a breach. Every component of the program must be in place, documented, and current.
What to Look for in a Compliance Program
Not all HIPAA compliance software produces a complete, provable program. Three criteria distinguish a program that protects a practice during an investigation from one that generates paperwork without building a defense.
The first is practice-specific generation rather than templates. The program must produce documentation that reflects the actual practice, built from the practice’s own responses to guided questions. A policy library or downloadable template set requires the practice to implement, maintain, and update documents that were not written for them. A purpose-built program generates policies from the SRA and keeps them current as the practice changes.
The second is a complete program in a single plan. Partial compliance is not compliance, and a program that places the SRA, policies, training management, or BAA tracking behind separate service tiers or paid add-ons creates the same internal gap the practice is trying to close. Everything HIPAA requires should be included without requiring the practice to choose between cost and completeness.
The third is access to compliance experts. A software workflow handles the structured outputs: the SRA, the policies, the training records, the vendor agreements. It cannot handle the judgment calls that arise when a situation falls outside the structured workflow. How should the practice respond to a patient complaint that may or may not involve an impermissible disclosure? Does a specific cloud storage arrangement create PHI exposure that the SRA must address? Does a particular incident qualify as a notifiable breach under the Breach Notification Rule’s four-factor risk assessment? Direct access to compliance experts, included in the program rather than billed separately, is what covers those situations. A practice that can call a compliance expert at the moment an unusual situation arises is not navigating HIPAA alone. A practice that cannot is.
The Standard an Investigation Applies
An OCR investigation does not assess how much the practice owner understands about HIPAA. It assesses what the practice can produce: a current Security Risk Analysis, written policies that match actual workflows, training records for every workforce member, and signed Business Associate Agreements with every covered vendor. Those are documents. They are generated by a program, not by regulatory expertise.
A practice owner who cannot define an SRA but runs their compliance program through purpose-built software will produce better documentation than a practice owner who has read the regulations in full but manages compliance manually through binders and spreadsheets. OCR does not see the effort. It sees the record.
The program does not replace the practitioner’s knowledge of their practice. It replaces the requirement that the practitioner also carry expertise in federal health information law. That expertise is already built in. The practice owner’s job is to answer the questions accurately and follow the guidance the program provides. The program does the rest.
Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches
Data security incidents have been announced by the Colorado Health Network and Kentucky Mountain Health Alliance. In both cases, only limited information has been released about the nature of the incidents.
Colorado Health Network
Colorado Health Network Inc., a nonprofit organization that provides health and support services to individuals with HIV/AIDS across Colorado, has recently disclosed a data security incident. The breach notification does not state when the breach was detected or for how long the threat actors had access to its network, only that an unauthorized third party accessed and removed files from its systems.
The files have been reviewed and found to contain patient names in combination with one or more of the following: Social Security number, driver’s license/state identification card number, passport number, financial account information, debit/credit card information, health insurance information (which may include Medicaid/Medicare information), and medical information. The medical information may include, but is not limited to, diagnosis, diagnosis code, mental/physical condition, prescription information, and provider name/location.
Colorado Health Network started mailing notification letters to the affected individuals on June 18, 2026, and said it has received no reports to suggest that any of the exposed or copied information has been misused. The affected individuals have been advised to monitor their account statements, free credit reports, and explanation of benefits statements for suspicious activity, and to sign up for the complimentary credit monitoring and identity theft protection services that have been offered.
This appears to have been a ransomware attack by the Cephalus ransomware group. Cephalus claimed on its dark web data leak site on August 28, 2025, that it was behind the attack and obtained more than 900 GB of data. The group’s data leak site is not currently accessible, so it is unclear whether the data was leaked online.
The Texas attorney general was informed that 257 Texas residents were affected by the breach. Given that the primary location of business is Colorado, that would suggest that the incident affected more than 500 individuals and should have been reported to the HHS’ Office for Civil Rights (OCR) and added to the OCR data breach portal; however, it is not currently shown on the breach portal.
Kentucky Mountain Health Alliance
Kentucky Mountain Health Alliance, a Hazard, KY-based nonprofit organization that provides primary and specialty care to the homeless, has disclosed a data breach that involved unauthorized access to patient data, some of which was copied in the incident.
While HIPAA requires a substitute breach notice to be posted conspicuously on the home page of the provider’s website, users must click on the “more” section and then select the notice from the drop-down menu. The notice states that the information compromised in the incident includes names plus one or more of the following: Social Security numbers, driver’s license numbers/state identification numbers, passport numbers, financial account information, debit/credit card information, health insurance information, and medical information such as diagnosis, diagnosis code, mental/physical condition, prescription information, and provider name and location. Notification letters were issued to the affected individuals on June 12, 2026.
As with the data breach at Colorado Health Network (above), the breach notifications do not elaborate further on the nature of the incident, such as who potentially accessed the data (internal/external), when the incident was detected, or for how long the data was exposed. The website notice makes no mention of credit monitoring services; however, the notice issued to the Massachusetts Office of Consumer Affairs and Business Regulation states that 24 months of complimentary credit monitoring and identity theft protection services are being provided through Epiq. The number of affected individuals has yet to be publicly disclosed.
Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches – The HIPAA Journal
Data breaches have been announced by Minnesota Epilepsy Group, Campbell University, and the City of Middletown, Ohio.
Minnesota Epilepsy Group
Minnesota Epilepsy Group, the largest epilepsy center in the Midwest, has started notifying current and former patients about a recent cybersecurity incident that may have resulted in unauthorized access to their protected health information. Suspicious network activity was identified on April 7, 2026, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had accessed its network at various times between March 16, 2026, and April 10, 2026.
The parts of the network that were accessed contained files that included patient data. The file review concluded on May 18, 2026, and determined that the exposed information included names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance information. The types of information exposed varied from patient to patient.
Notification letters started to be mailed to the affected individuals on June 5, 2026, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were exposed. Minnesota Epilepsy Group confirmed that it has taken steps to enhance its technical security measures to prevent similar incidents in the future.
City of Middletown, Ohio
The City of Middletown in Ohio has started notifying individuals about a cybersecurity incident that occurred last year that resulted in unauthorized access to sensitive personal and protected health information. The incident was first identified on August 17, 2025, and the forensic investigation determined that its network was accessed by an unauthorized third party between July 29, 2025, and August 17, 2025, during which time files containing sensitive information may have been accessed or acquired.
The data review concluded on May 18, 2026, and determined that data compromised in the incident included names, addresses, Social Security numbers, driver’s license or government identification numbers, financial account information, medical information, and health insurance information. Notification letters were mailed on June 3, 2026, to the individuals with a complete address on file. City of Middletown officials have confirmed that steps are being taken to augment security. The HHS’ Office for Civil Rights was informed that the protected health information of 20,608 individuals was compromised in the incident.
This appears to have been a ransomware attack by the SafePay ransomware group, which added the City of Middletown to its dark web data leak site on September 12, 2025, then proceeded to leak the stolen data.
Campbell University, North Carolina
Campbell University in North Carolina is investigating a cybersecurity incident that was first identified on April 1, 2026. The incident involved unauthorized access to one of its cloud-based data storage platforms between March 31, 2026, and April 1, 2026. The university explained that due to its security protections, the incident was contained to a single platform.
The investigation and data review are ongoing, and as such, the total number of affected individuals has yet to be determined. The HHS’ Office for Civil Rights has been informed that the protected health information of at least 500 individuals was involved. The total will be updated when the data review is concluded. The specific type of information involved has not yet been determined, but general categories of data involved have been disclosed. In addition to their name, individuals may have had one or more of the following exposed or stolen in the incident:
Address, date of birth, admission/discharge/death date, medical record number, provider/facility name, medical condition, diagnosis and/or treatment information, lab results, prescriptions and/or medications, personal history, mental health information, insurance/payment amount history information, date of service, payment card information, and/or any information on an individual that was created, used, or disclosed in the course of providing health care services, and Social Security number, driver’s license or state identification number, passport number, student identification number, other government identification number, financial account information, debit/credit card information, health insurance information, medical information, individual taxpayer identification number, identity protection PIN issued by the IRS, parent’s legal surname prior to marriage, digital signature, geolocation, and/or user name and access information for a non-financial account.
Campbell University said it has reset passwords, set up a new instance of the affected platform, strengthened data access policies, and implemented additional technical safeguards.