OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism

A proposal to allow the Office of Personnel Management (OPM) to collect the personally identifiable health information of federal employees and their family members has attracted strong criticism due to privacy and security risks, and the potential for HIPAA violations and data misuse.

Per the December 12, 2025, notice about the information collection request (ICR) – Federal Employees Health Benefits (FEHB) and Postal Service Health Benefits (PSHB) Programs Service Use and Cost Data – OPM requires insurance carriers to submit FEHB and PSHB program claims data to OPM. Under the proposal, insurance carriers are required to make monthly submissions of claims-level data, including the protected health information of current and former federal workers and their family members, including personal identifiers. According to OPM, the data will “enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans.” While there are clear benefits to be gained from collecting and analyzing the data, such as lowering costs and improving care quality, the proposal has raised significant privacy and security concerns.

The Trump administration is seeking unprecedented access to workers’ medical information – information protected under the Health Insurance Portability and Accountability Act (HIPAA). The data being sought is not government data; it is protected health information maintained by HIPAA-regulated entities. Information submitted to OPM under the proposal would populate a government database, but OPM has failed to fully explain exactly how that information will be used, maintained, and protected. As such, there are legitimate concerns that the requested data may be used for reasons other than the stated purpose, especially given the Trump administration’s attempts over the past 12 months to obtain personal information from the Social Security Administration and the Internal Revenue Service.

“OPM is collecting service use and cost data from FEHB and PSHB Carriers, including medical claims, pharmacy claims, encounter data, and provider data. This data will enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans,” explained OPM in the notice. “OPM requires Carriers to report necessary information and permit audits and examinations to manage the FEHB Program effectively.”

In the notice, OPM explains that under HIPAA, covered entities such as health plans are permitted to disclose protected health information – including service use and cost data – to health oversight agencies, including OPM, for oversight activities authorized under 45 CFR 165.512(d)(1). The notice calls for 65 carriers to make ongoing, monthly submissions of claims-level data and quarterly manufacturer rebate data for federal employees and retirees. The carriers hold data for more than 8 million Americans, including federal workers, mail carriers, retired members of Congress, and their immediate family members.

The use of such broad terms for data categories has set alarm bells ringing. OPM will potentially be provided with a huge volume of sensitive, personally identifiable information, including information about treatments sought and received. Encounter data, for instance, could potentially encompass full medical records and doctors’ notes, information over and above what is necessary for the stated health oversight activities.

De-identified data could potentially be used to achieve the stated purpose, but OPM makes no mention of stripping out personal identifiers. As such, there are legitimate concerns from privacy groups that OPM could create a huge database of highly sensitive information that could easily be misused: for instance, to target specific employees based on the healthcare services they sought and received, or to assist the administration with its DEI, gender-affirming care, and reproductive health care initiatives, or with any other healthcare services being targeted.

Aside from the potential for data misuse, the proposal will create significant compliance and legal risks for the carriers. OPM states in the notice that the HIPAA Privacy Rule permits disclosures of protected health information for health oversight activities, but requests a broad swathe of protected health information, the provision of which will likely violate the minimum necessary standard. The minimum necessary standard – 45 CFR 164.502(b), 164.514(d) – applies to data disclosed for health oversight activities. “When using or disclosing protected health information or when requesting protected health information… a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

In its current form, the proposal lacks detailed information about the purpose for the disclosure, and the broad categories of data requested will require carriers to walk a HIPAA compliance tightrope. While the Trump administration may have no intention of enforcing HIPAA compliance regarding the OPM data disclosures, future administrations may take an entirely different view, and the data disclosures will expose carriers to significant legal risk. It is currently unclear how carriers intend to comply with the proposal.

While HIPAA permits disclosures of protected health information for health oversight activities, they are not required disclosures under HIPAA. Carriers may choose to only disclose information that they deem appropriate and necessary, although, without further detail about the exact purposes for the disclosures, it will be difficult to determine what information is appropriate and necessary, and the compliance and administrative burden would be significant.

In addition to concerns about protected health information being provided to the government and how that information will be used, concerns have been raised about OPM’s ability to protect a database of highly sensitive protected health information, given the extent to which government entities are targeted by threat actors, and OPM’s and the Trump administration’s history of safeguarding sensitive data. OPM experienced two massive data breaches in 2015, one involving the personal information of 4.2 million current and former federal employees and another involving the theft of the personal records of more than 22 million Americans. The Chinese government is alleged to have been behind the attacks.

The proposal has attracted significant criticism. The Association of Federal Health Organizations (AFHO) points out that this is not the first time that OPM has sought to establish a healthcare claims data warehouse, having made a similar proposal in 2010. The same HIPAA compliance concerns that were voiced 16 years ago still apply to the latest proposal. AFHO had argued that only de-identified data should be shared; however, today, the sharing of de-identified data with OPM carries significant compliance risks. AFHO is concerned that, given the detailed information OPM already has on enrollees and their family members, there is a risk that de-identified data could be re-identified, and the HIPAA Privacy Rule does not permit the sharing of de-identified data when there is a risk of re-identification. AFHO suggests an agreement between OPM and the CMS to use the CMS edge server system to query data, thereby eliminating the risk of re-identification, or to enter into a contract with the Health Care Cost Institute, which could translate raw data into actionable insights.

Robert H. Shriver, III, Managing Director of Civil Service Strong, a project of Democracy Forward Foundation, voiced strong opposition to the ICR, citing OPM’s failure to justify the proposed data collection and clearly state exactly how the data will be used, its failure to explain how the data will be safeguarded, and the risk of data abuse. “OPM’s ICR is especially concerning given the Trump-Vance Administration’s explicit contempt for federal workers and its pattern of recklessness with highly sensitive data,” wrote Shriver in comments in response to the ICR notice. He said the Trump administration has demonstrated that it cannot be trusted with sensitive data, citing the recent admission by the Trump administration that sensitive Social Security Administration data was sent to unauthorized individuals and shared on nongovernmental servers, and that, through DOGE activities in particular, it is “playing fast and loose with government data.”

Jonathan Foley, a former OPM employee who advised on the FEHB program under the Obama and Biden administrations, believes there are valuable benefits to be gained from collecting and analyzing personally identifiable data, but warned of the considerable potential for data misuse and the privacy risks. In his comments in response to the notice, Foley said the Trump administration has a poor record of properly handling sensitive information and has attempted to link identifiable data across federal programs and use it for reasons unrelated to the original purpose for which the data was collected. Foley suggests that de-identified data could be collected and maintained by a trusted entity other than OPM, with guardrails preventing federal authorities from demanding direct access to the data from that trusted entity. CVS Health suggests that OPM should convene a stakeholder working group to determine the specific data elements required to support the requested goals and to establish a consistent reporting framework.

Most recently, on April 17, 2026, a group of 16 Democratic members of the House Oversight Committee wrote to OPM Director Scott Kupor and Office of Management and Budget Director Russell Vought, calling for the withdrawal of the proposed plan due to the potential for data misuse, HIPAA violations, and concern that OPM lacks the necessary safeguards to responsibly protect sensitive data. “More than 8 million Americans receive health insurance under the FEHB and PSHB programs, including federal workers, mail carriers, and their immediate family members. They should be able to make medical decisions in consultation with their doctors—not the federal government,” wrote the lawmakers. “We therefore demand that OPM halt all plans to collect private health insurance data and provide a briefing on the decision to enact this policy.” The lawmakers have asked the Directors to explain the decision to obtain such an expansive dataset without any guardrails or protections for employee privacy.

The post OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism appeared first on The HIPAA Journal.

Minidoka Memorial Hospital Recovering from Easter Cyberattack

Minidoka Memorial Hospital was the victim of a cyberattack on Easter morning, and two further healthcare providers have confirmed they have been affected by the data breach at business associate Doctor Alliance: A Path of Care Home Health and Hospice and Team Select Holdings.

Minidoka Memorial Hospital, Idaho

Minidoka Memorial Hospital in Rupert, Idaho, has confirmed media reports of a cybersecurity incident. On April 17, 2026, Minidoka Memorial Hospital issued a statement on its Facebook page confirming that it experienced a cyber incident on Easter morning that temporarily impacted some of its computer systems.

While the incident did not prevent the hospital from providing care to patients, certain emergency patients were transferred to Intermountain Health Cassia Regional Hospital due to the inability to access certain medical imaging systems. Full access to those systems was restored on April 19, 2026. Minidoka Memorial Hospital said it was not necessary to postpone scheduled appointments, and patients with new health concerns continued to be treated, with the hospital operating under established downtime procedures until its systems were restored.

The investigation into the incident is ongoing, and the extent of unauthorized access to patient data has yet to be determined. According to Databreaches.net, a new threat group called Blackwater has claimed responsibility for the attack and has threatened to release the stolen data on April 24, 2026, if the ransom is not paid. Minidoka Memorial Hospital is one of three victims currently listed on the dark web data leak site.

A Path of Care Home Health and Hospice, Oklahoma

A Path of Care Home Health and Hospice in Oklahoma has notified 3,849 individuals about a data breach at its business associate, Doctor Alliance. Doctor Alliance notified A Path of Care Home Health and Hospice on January 12, 2026, that it had been affected by the incident. A Path of Care Home Health and Hospice confirmed that the breach was limited to Doctor Alliance systems and that its own IT systems were unaffected.

The incident involved unauthorized access to documents containing patient information via a Doctor Alliance web portal between October 31, 2025, and November 17, 2025. The data compromised in the incident was limited to names, addresses, dates of birth, medical record numbers, dates of care, and diagnosis and treatment information. Doctor Alliance confirmed to A Path of Care Home Health and Hospice that several steps have been taken to improve security, including enhancing access controls, expanding monitoring capabilities, and strengthening detection, logging, and alerting measures. A Path of Care Home Health and Hospice has also taken steps to reduce the risk of similar incidents in the future, including conducting additional checks to ensure that medical record requests are coming from a verified source.

A Path of Care Home Health and Hospice is aware of claims that some of the information accessed by the unauthorized third party was further disclosed to other unauthorized individuals, although Doctor Alliance denied any knowledge of any further disclosures.

Team Select, Arizona

Team Select Holdings in Arizona and its affiliated entities were also affected by the data security incident at Doctor Alliance, although the breach was more limited, affecting 949 individuals. Team Select used the Doctor Alliance document management platform to facilitate physicians’ signatures on physician orders and notes. On January 11, 2026, Team Select was informed that it had been affected and that there had been unauthorized access to the platform between November 4, 2025, and November 6, 2025, and between November 14, 2025, and November 17, 2025.

Data compromised in the incident included names, Social Security numbers, dates of birth, addresses, phone numbers, gender information, medical record numbers, dates of care, Medicare or Medicaid IDs, diagnoses, medications, treatment information, physician information, and/or home health provider information. Team Select said it is reviewing its existing policies and procedures with its third-party vendors and working to evaluate additional measures that can be implemented to reduce the risk of similar incidents in the future.

Ransomware Attack on Hospital Caribbean Medical Center Affects 92,000 Individuals

A ransomware attack on Hospital Caribbean Medical Center in Puerto Rico has affected up to 92,000 individuals. Data breaches have also been announced by Murray County Medical Center in Minnesota and Aligned Orthopedic Partners in Maryland.

Hospital Caribbean Medical Center, Puerto Rico

A major data breach has been announced by Hospital Caribbean Medical Center in Fajardo, Puerto Rico. While it is unclear when the attack occurred, the hospital issued a press release on February 8, 2026, about a cyberattack that targeted its information systems. The intrusion was detected by its monitoring systems, and steps were immediately taken to contain the incident and prevent further unauthorized access to its IT systems.

The types of information exposed in the incident were not detailed in the press release, nor was the number of affected individuals; however, the incident is now shown on the HHS’ Office for Civil Rights breach portal as affecting up to 92,000 individuals. Hospital Caribbean Medical Center said it has reinforced its monitoring systems, implemented additional updates to its technological infrastructure, and strengthened its internal security protocols.

While not described as a ransomware attack, a ransomware group claimed responsibility for the incident. A group known as The Gentlemen added Hospital Caribbean Medical Center to its dark web data leak site on February 17, 2026, claiming to have exfiltrated sensitive data, including patient information, and threatened to release the stolen data if the ransom was not paid.

Murray County Medical Center, Minnesota

The County of Murray has announced a data security incident that affected current and former patients of Murray County Medical Center in Slayton, Minnesota. The data breach was first announced in early March 2026, although the incident was first detected on August 21, 2025, when suspicious activity was observed in its IT systems.

A leading IT security firm was engaged to assist with the investigation, secure its network, and determine whether any sensitive data had been exposed or stolen in the incident. Unauthorized access to computer systems was confirmed; however, it took until January 27, 2026, to determine that patient and employee data had been compromised in the incident. Information exposed or stolen included patient names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health insurance information, medical treatment information, and medical history information.

The data breach has recently been added to the HHS’ Office for Civil Rights breach portal as affecting 5,073 individuals. Murray County Medical Center has implemented additional safeguards to prevent similar incidents in the future and is offering the affected individuals complimentary credit monitoring and identity theft protection services.

Aligned Orthopedic Partners, Maryland

ASC Ortho Management Company, LLC, which does business as Aligned Orthopedic Partners, has announced a data security incident involving its email platform. Suspicious activity was identified on December 8, 2025, and the investigation confirmed that an unknown actor accessed the platform between November 16, 2026, and December 16, 2026, during which time, personal and protected health information may have been viewed or acquired.

The email system was reviewed, and on February 17, 2026, Aligned Orthopedic Partners confirmed that the exposed data included names, dates of birth, Social Security numbers, driver’s license or state identification numbers, Medicaid or Medicare numbers, financial account numbers, medical dates of service, medical provider names, mental or physical condition, medical treatment information, diagnosis or clinical information, prescription information, health insurance information, patient account numbers, and medical record numbers.

Notification letters were mailed to the affected individuals on April 17, 2026, and complimentary identity protection services have been offered. Steps have been taken to augment security to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.