National Association on Drug Abuse Problems Announces Data Breach Affecting 90,000 Individuals

The National Association on Drug Abuse Problems has experienced a data breach affecting up to 90,000 individuals. An insider data breach has been discovered by Weill Cornell Medicine, and Commonwealth Care Alliance has identified a mis-mailing incident.

The National Association on Drug Abuse Problems Hacking Incident Affects 90K Individuals

The National Association on Drug Abuse Problems (NADAP), a New York-based nonprofit, has disclosed a cybersecurity incident that has affected up to 90,000 individuals. Suspicious activity was identified within its network on or around January 10, 2026. Immediate action was taken to secure its network, and an investigation was launched to determine the nature and scope of the activity. On or around January 27, 2026, NADAP determined that the protected health information of certain clients, employees, and related individuals was present in files that were subject to unauthorized access.

The files have been reviewed and found to contain names, Social Security numbers, dates of birth, medical or health information, health care treatment or diagnostic information, health insurance information, and tax or financial information. The types of data involved vary from individual to individual. NADAP has implemented additional measures to enhance network security, including strengthening password requirements and implementing conditional access policies, and the incident has been reported to regulators and law enforcement. No known threat group has claimed responsibility for the incident.

The substitute data breach notice makes no mention of complimentary credit monitoring services. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements for suspicious activity.

Weill Cornell Medicine Identifies Insider Data Breach

Weill Cornell Medicine, the medical school of Cornell University in New York, has identified an insider breach involving the electronic medical records of 516 patients. Following an internal investigation, Weill Cornell Medicine confirmed that a former employee had accessed patient records for reasons unrelated to their job duties.

The potential for misuse of patient data is limited because the data accessed comprised only name, contact information, and reason for visit. No Social Security numbers, clinical information, or financial information were accessed. Weill Cornell Medicine did not state the reason for the access but confirmed that the employee is no longer with the organization. All affected individuals have been notified by mail, and additional security measures have been implemented to reduce the risk of similar incidents in the future.

Commonwealth Care Alliance Announces Mis-Mailing Incident

Commonwealth Care Alliance, a Massachusetts-based health plan and care delivery system, has notified 634 individuals about a recent mis-mailing incident. The incident was identified on December 29, 2025, and involved letters intended for one member being mailed to an incorrect member. The letters included only a member’s name, CCA Member ID number, and Medicare eligibility status. An investigation was launched to identify the cause of the error, and additional safeguards have been implemented to reduce the risk of similar incidents in the future, including supplemental quality checks in its mailing process.

The post National Association on Drug Abuse Problems Announces Data Breach Affecting 90,000 Individuals appeared first on The HIPAA Journal.

CMS Releases Final Rule Implementing HIPAA Standards for Health Care Claims Attachments

The U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) released a final rule on Friday establishing new standards for the electronic transfer of claims documentation, including a new standard for electronic signatures to ensure that claims attachment transactions are secure, authenticated, and compliant with federal regulations.

While electronic health records have been widely adopted by healthcare providers, the healthcare industry is still reliant on outdated methods for transferring attachments to support electronic health care claims. The exchange of health care claims remains a manual process, with the necessary documentation transferred by fax or physical mail. These outdated methods of data transfer delay patient care, increase health care costs, and place a considerable administrative burden on clinicians. The final rule modernizes health care administration, resulting in cost savings, time savings, enhanced security, improved efficiency, and faster care delivery.

“The 1980s called, and they want their fax machines back,” CMS Administrator Dr. Mehmet Oz said. “The futuristic medical breakthroughs we’ve achieved, like augmented reality glasses that give surgeons X-ray vision, shouldn’t have to coexist with administrative systems that often lag decades behind. This new rule will modernize American healthcare by standardizing electronic claims attachments and enabling secure electronic signatures. Because every minute providers save on paperwork is another minute they can spend caring for patients.”

The CMS collaborated with industry stakeholders when developing its proposed rule and received considerable feedback from health plans, healthcare providers, healthcare clearinghouses, technology vendors, patients, and consumers, which shaped the final rule. The final rule was published in the Federal Register on March 24, 2026, and takes effect on May 26, 2026. The new standards apply to all HIPAA-covered entities – health plans, healthcare providers, and healthcare clearinghouses – and compliance with the new standards is required by May 26, 2028. While HIPAA-covered entities have two years to ensure compliance, they are encouraged to read and review the final rule and start implementing the new standards promptly.

The final rule – Administrative Simplification; Adoption of Standards for Health Care Claims Attachments Transactions and Electronic Signatures Final Rule – implements the requirements of the administrative simplification subtitle of HIPAA and the Patient Protection and Affordable Care Act, and establishes the first-ever standards for healthcare claims attachments under HIPAA. The final rule will enable the secure electronic exchange of healthcare claims-related supporting documentation, including medical records, medical images, clinical notes, telemedicine visit documentation, and laboratory results. The new standards are anticipated to save the healthcare sector up to $782 million each year, according to the CMS, and will allow clinicians to spend more time providing care for patients.

The final rule adopts definitions of “attachment information,” “electronic signature,” and “health care claims attachments transaction,” and adopts standards for health care claims transactions and digital signatures used in conjunction with health care claims attachments transactions. The final rule also adopts X12N standards for data exchange and Health Level 7 (HL7) standards for sharing clinical data.

While the proposed rule included electronic transfer standards for prior authorizations, after considering the comments received, the CMS omitted the proposed electronic transfer standards for prior authorizations from the final rule due to conflicts with currently mandated standards for prior authorization. The CMS will continue evaluating other standards for prior authorizations.


Business Associate HIPAA Checklist

As a Business Associate, it is important to be aware of which HIPAA compliance standards apply to your organization.

Do you have the correct procedures in place to avoid costly data breaches, HIPAA violations, and regulatory fines?

Find out now with our comprehensive HIPAA Checklist for Business Associates that has been compiled by leading compliance experts.


Non-Compliance Is Not an Option

HIPAA compliance standards are enforced by the HHS Office of Civil Rights, the Centers for Medicare and Medicaid, and the Federal Trade Commission.
