Why Medical Couriers Are Always Classified as HIPAA Business Associates

Posted by Ian

Other than when they are directly employed by a covered entity, medical couriers are always classified as a HIPAA business associate due to the nature of the work they are contracted to do and their “operational access” to Protected Health Information (PHI), even when access only consists of a visible name, reference number, or address.
Medical couriers play an important role in the healthcare system by transporting specimens, medications, lab results, and other items that support patient care. Because deliveries often involve sealed packages, it could be assumed that medical couriers do not qualify as business associates under the HIPAA conduit exception.
This exception applies to entities that transmit PHI on behalf of a covered entity or business associate without storing it and without having anything more than transient, incidental access to PHI. Examples include the US Postal Service, UPS, FedEx, and Internet Service Providers who simply act as channels through which information flows.

Why the Conduit Exception Does Not Apply to Medical Couriers

Medical couriers, by contrast, are contracted specifically to transport PHI. To fulfil the service they are contracted to provide, medical couriers routinely handle paperwork connected with specimens, read names on labels, sign or verify chain‑of‑custody forms, and confirm pickup and delivery details tied to specific patients.
Their access is not incidental, accidental, or transient, it is operational. Because of this, healthcare organizations, pharmacies, and labs must treat them as HIPAA business associates. That means medical couriers must sign Business Associate Agreements (BAAs) and comply with all applicable HIPAA standards. The same applies when an independent contractor is engaged by a business associate as a subcontractor.

When Access Only Consists of a Visible Name, Number, or Address

When access only consists of a visible name, reference number, or address, the visible information is still classified as PHI because these elements are references to individually identifiable health information being transported within the package. This means a visible name, reference number, or address on the outside of the package is part of the same designated record set as the information inside the package.
This distinction is important because information visible on the outside of the package must be protected with the same care as the information inside the package. It is for this reason that, other than when they are directly employed by a covered entity, medical couriers are always classified as HIPAA business associates, and must train their drivers, dispatchers, and customer service teams on all applicable HIPAA standards.

The post Why Medical Couriers Are Always Classified as HIPAA Business Associates appeared first on The HIPAA Journal.

New Cyber Resilience Readiness Program Developed by Joint Commission; AHA

Posted by Steve Alder

Joint Commission and the American Hospital Association (AHA) have partnered to create a new Cyber Resilience Readiness program for hospitals and health systems to help them sustain safe clinical operations during cyber-related technology outages.

Hacking and ransomware attacks have skyrocketed in recent years. According to the Federal Bureau of Investigation (FBI), healthcare and public health was the most targeted sector in 2025, experiencing 642 hacking incidents, including 460 ransomware attacks and 182 data breaches. Currently, the HHS’ Office for Civil Rights breach portal shows 765 data breaches affecting 500 or more individuals were reported in 2025, the highest number ever reported in a single year. These incidents often result in prolonged periods of digital darkness, where systems are offline, and healthcare organizations are forced to resort to manual processes for recording patient information. During those periods, hospitals and health systems must ensure continuity of care and maintain patient safety, even without access to critical technologies.

To counter the threat to patient safety and care from cyber incidents, extreme weather events, and other natural disasters, Joint Commission and AHA partnered to create a new Cyber Resilience Readiness (CRR) Program for healthcare organizations. The program was developed in partnership with several healthcare organizations and is a first-of-its-kind program to help hospitals and health systems strengthen their ability to sustain safe clinical operations during technology outages caused by cyber events and natural disasters.

While many cybersecurity approaches are focused on rapidly restoring IT systems, the CRR emphasizes real-world operational readiness and patient safety impacts. The CRR was informed by the lessons learned from actual ransomware attacks and other cyber events that have affected hospitals across the United States. “The goal is to help hospitals and health systems move from awareness to readiness, and from readiness to resilience, ultimately enabling organizations to move beyond assessment to practical, operational improvement,” according to Joint Commission and the AHA.

The CRR program is centered on a structured, free-to-complete self-assessment tool for evaluating the current ability to maintain safe care during technology outages, with a focus on maintaining clinical workflows, operational response, leadership coordination, and staff preparedness. The self-assessment tool familiarizes hospitals and health systems with the questions they need to ask and what they need to prepare for. Should they so wish, their assessments can be submitted for expert review for a fee, and they will receive a set of top-line recommendations on how any identified vulnerabilities can be addressed. Joint Commission also plans to develop a new certification pathway to allow organizations to demonstrate strong clinical continuity and cyber resilience capabilities.

“Digital disruption poses a direct and growing threat to patient safety and clinical care,” said Jonathan B. Perlin, MD, PhD, president and CEO of Joint Commission. “As cyber criminals become increasingly sophisticated, advanced, and creative, so too must our efforts to thwart the risks – but we are not talking about cyberattacks alone. It is about how to continue operations under any scenario where technology systems might be down for any period of time. Hospitals and healthcare organizations need practical tools to evaluate and strengthen their approach to withstanding these incidents. The new Cyber Resilience Readiness program is designed to help healthcare organizations focus on what matters most: maintaining safe, quality patient care and clinical operations at all times.”

The post New Cyber Resilience Readiness Program Developed by Joint Commission; AHA appeared first on The HIPAA Journal.

Oglethorpe Settles Data Breach Lawsuit

Posted by Steve Alder

Oglethorpe, a Tampa, FL-based network of mental health and addiction recovery treatment facilities, was sued in response to a June 2025 hacking incident in which the personal and protected health information of 92,000 current and former patients and employees was stolen. The lawsuit has recently been settled and a cash fund of $350,000 will be created to cover benefits for class members.

The hacking incident was discovered in June 2025. The forensic investigation determined that the hacker exfiltrated information such as names, Social Security numbers, driver’s license or state identification numbers, and medical information. The affected individuals started to be notified about the incident on October 31, 2025. Multiple class action lawsuits were filed in response to the data breach, alleging that it could have been prevented had reasonable and appropriate cybersecurity measures been implemented.

The lawsuits were consolidated – Scott, et al. v. Oglethorpe, Inc.– in the Circuit Court for Broward County, Florida, since they had overlapping claims and were based on the same facts. The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, and unjust enrichment, as well as requesting declaratory and injunctive relief. Oglethorpe denies wrongdoing, fault, and liability.

All parties explored the opportunity for early resolution of the lawsuit to avoid unnecessary legal costs and the uncertainty of a trial and related appeals. Following several weeks of arms-length negotiations, a settlement was agreed upon that was acceptable to all parties. Under the terms of the settlement, Oglethorpe has agreed to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. A fund of $350,000 will be created to cover benefits for the class members.

All class members may enroll in one year of medical data monitoring services, which include a $1 million medical identity theft insurance policy. They may also claim one of two cash benefits: A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member, or a claim may be submitted for an alternative one-time cash payment of $75. That cash payment is subject to a pro rata reduction should the claim total exceed $350,000.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for June 22, 2026. Claims must be submitted by August 8, 2026, and individuals wishing to object to the settlement or exclude themselves must do so by June 8, 2026.

The post Oglethorpe Settles Data Breach Lawsuit appeared first on The HIPAA Journal.

Data Breaches Announced by Four Healthcare Providers

Posted by Steve Alder

Data breaches have recently been announced by Western Orthopaedics in Colorado, Community Health Systems in California, Tri-Cities Gastroenterology in Tennessee, and Integrated Pain Associates in Texas.

Western Orthopaedics

Western Orthopaedics, an Englewood, Colorado-based healthcare provider with locations throughout Colorado, has disclosed a security incident that was first identified on October 2, 2025. Assisted by third-party cybersecurity experts, Western Orthopaedics confirmed unauthorized access to its network between September 17, 2025, and September 25, 2025, during which time files containing personal and protected health information may have been viewed or acquired.

The analysis of those files was completed on March 3, 2026, when it was confirmed that the following data elements were potentially compromised: full name, address, phone number, Social Security number, date of birth, password, and/or financial account information, which may include credit/debit card number with or without security or access code, and protected health information such as health insurance information, health insurance plan or subscriber identification number, medical provider name, medical dates of service, and medical cost or billing information.

Additional measures have been taken to improve security, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. At present, it is unclear how many individuals have been affected. The PEAR cyber extortion group claimed responsibility for the attack and proceeded to leak the stolen data when the ransom was not paid.

Community Health Systems

Community Health Systems Inc., a California healthcare provider serving patients in San Bernardino, Riverside, and San Diego Counties, has recently disclosed a data security incident. According to its April 28, 2026, media notice, suspicious activity was identified within its computer network on or around February 28, 2026. Assisted by third-party security experts, Community Health Systems confirmed unauthorized access to parts of the network where patient data was stored.

The review of the exposed files confirmed that they contained information such as names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, treatment/diagnosis information, prescription information, dates of service, provider names, medical record numbers, patient ID numbers, Medicare/Medicaid ID numbers, health insurance information, and/or medical billing/claims information. Community Health Systems said it is reviewing its policies and procedures related to data protection. At present, it is unclear how many individuals have been affected.

Tri-Cities Gastroenterology

Tri-Cities Gastroenterology, a gastroenterology practice with five locations in Tennessee, has announced a data security incident that occurred on or around December 11, 2025. External cybersecurity professionals assisted with the investigation and confirmed that files were exfiltrated from its network on or around December 11, 2026. The file review confirmed on or around April 22, 2026, that the files contained information such as full names, Social Security numbers, dates of birth, addresses, email addresses, telephone numbers, gender, and medical record numbers.

Notification letters started to be mailed to the affected individuals on April 29, 2026. At that time, no misuse of the stolen data had been identified. Tri-Cities Gastroenterology said it will continue to evaluate and modify its cybersecurity practices and is taking steps to strengthen security. The Insomnia threat group claimed responsibility for the attack and added Tri-Cities Gastroenterology to its dark web data leak site in December. The group proceeded to leak the stolen data, indicating the ransom was not paid.

Integrated Pain Associates

On April 30, 2026, Integrated Pain Associates, a Killeen, Texas-based team of spine and pain specialists, announced a data security incident that was identified in February 2026. The forensic review confirmed unauthorized network access on or around February 24, 2026, and that patient data may have been accessed or acquired.

The review of the affected files is ongoing; however, Integrated Pain Associates has confirmed that the types of data involved include names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnosis/condition information, medication information, health insurance information, provider names, other treatment information, and/or financial account information. Integrated Pain Associates has confirmed that it is offering complimentary credit monitoring and identity theft protection services to the affected individuals. Additional security measures have been implemented to reduce the risk of similar incidents in the future. At present, the breach is not shown on the website of the Office of the Texas Attorney General nor the HHS’ Office for Civil Rights breach portal.

The post Data Breaches Announced by Four Healthcare Providers appeared first on The HIPAA Journal.