Business Associate Data Breaches Affect Florida Healthcare Providers

Posted by Steve Alder

PhyNet Dermatology, a business associate of Premier Dermatology Partners, has identified unauthorized access to an email account containing patient information. Baptist Health South Florida has recently confirmed that it was affected by a breach at Oracle Health (Cerner).

PhyNet Dermatology – Premier Dermatology Partners

PhyNet Dermatology, a provider of managed administrative services to dermatology practices, has announced a breach that has affected one of its affiliates, Boca Raton, FL-based Total Vein & Skin, LLC, which does business as Premier Dermatology Partners.

Suspicious activity was identified in an employee’s email account on November 7, 2024. Immediate action was taken to secure the account, and an investigation was launched to determine the nature and scope of the activity. The investigation determined that the breach was more extensive, and further employee email accounts had also been compromised.

The review was completed on June 6, 2025, and confirmed that Premier Dermatiology Partners’ data was present in the compromised accounts. The types of information involved vary from individual to individual and may include names in addition to one or more of the following: address, Social Security number, financial account information, date of birth, medical history information, treatment information, diagnosis information, treating physician, medical record number, and health insurance information.

PhyNet Dermatology has reviewed its policies and procedures and enhanced certain administrative and technical controls. Additional security awareness training has also been provided to the workforce to reduce the risk of similar incidents in the future.

Baptist Health South Florida

Baptist Health South Florida has recently confirmed that it has been affected by the Oracle Health hacking incident, which involved unauthorized access to legacy Cerner servers that were awaiting migration to Oracle Cloud. No Baptist Health South Florida systems were compromised.

Data compromised in the incident includes names, Social Security numbers, medical record numbers, physician names, diagnoses, medical images, test results, and treatment information. Many of the healthcare providers affected by the Oracle Health incident issued notifications shortly after being notified about the January 22, 2025, hacking incident.

Baptist Health South Florida said its notifications were delayed at the request of law enforcement while the incident was investigated. The affected individuals are now being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. Baptist Health South Florida has not publicly disclosed the number of individuals affected, and the breach is not currently listed on the HHS’ Office for Civil Rights breach portal.

The post Business Associate Data Breaches Affect Florida Healthcare Providers appeared first on The HIPAA Journal.

What is HIPAA Certification For Healthcare Vendors?

Posted by Ian

This post still to be written: HIPAA certification is the process in which an independent third party organization audits a vendor to certify and confirm that the physical, technical, and administrative safeguards required for HIPAA compliance have been met, with the award of a formal document that signals the completion of a HIPAA compliance process.

Certifying that an organization’s workforce is HIPAA compliant can have similar benefits to those discussed above inasmuch as a compliant workforce is less likely to violate HIPAA or make mistakes that could result in data breaches. Similarly achieving workforce HIPAA certification demonstrates a reasonable amount of care to abide by the HIPAA Rules in the event of an OCR investigation or audit.

For individual members of the workforce, HIPAA certification can help foster patient trust, support applications for promotion, and increase prospects in the job market. However, it is what workforce members learn during a certification program that can have the biggest impact on their professional lives, as this can help prevent unintentional violations that can have significant consequences.

Unintentional violations of HIPAA can be attributable to a lack of knowledge, shortcuts being taken “to get the job done”, or because a cultural norm of noncompliance has been allowed to develop. Whatever the reason, violations of HIPAA can result in sanctions ranging from written warnings to loss of professional accreditation – sanctions that can be avoided by applying the information learned during a certification program.

HIPAA training is not optional and “a covered entity must train all members of its workforce on policies and procedures […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” as stated in §164.530(b)(1) of the HIPAA Privacy Rule. All HIPAA covered entities must  “implement a security awareness and training program for all members of its workforce including management” as stated in §164.308(a)(5) of the HIPAA Security Rule.

Why Organizations Get Certified As Being HIPAA Compliant?

The first reason for getting certified is that, in order to achieve an accreditation, organizations will have to adopt best privacy practices and implement the administrative, technical, and physical safeguards of the HIPAA Security Rule. This in itself will reduce the likelihood of HIPAA violations and data breaches – leading to a reduction in patient complaints and OCR investigations.

If – despite achieving an accreditation – a violation still occurs that results in an OCR investigation, a certificate of HIPAA compliance demonstrates “a reasonable amount of care to abide by the HIPAA Rules”. This can be the difference between a HIPAA violation being classified as a Tier 1 violation (minimum penalty per violation $141) and a Tier 2 violation (minimum penalty per violation $1.424).

For business associates, and covered entities that act as business associates for other covered entities, HIPAA certification demonstrates an intention to operate compliantly – making an organization’s services more attractive and reducing the amount of due diligence required before a covered entity and business associate enter into a Business Associate Agreement.

HIPAA Certification Requirements for Covered Entities

In order for a covered entity to be certified as HIPAA compliant, third-party compliance experts will review seven areas of compliance:

  • Compliance with the administrative, technical, and physical safeguards of the HIPAA Security Rule. This includes (but is not limited to), an asset and device audit, an IT risk analysis questionnaire, a physical site audit, a security standards audit, a privacy standards audit, and HITECH Subtitle D privacy audit.
  • Remediation plans to address gaps identified in the above audits.
  • Policies and procedures to address HIPAA regulatory compliance and document a “good faith” effort towards compliance.
  • An employee training program that includes employee understanding of the above policies and procedures.
  • A documentation audit to ensure the documentation required by HIPAA is maintained and accessible.
  • Business Associate Agreement management and due diligence procedures.
  • Incident management procedures in the event of a data breach or reportable violation of HIPAA.

Because of the processes involved in auditing compliance with the HIPAA Security Rule, the HIPAA certification requirements cannot be fulfilled overnight. It is also impossible to put a timeframe on how long it may take to achieve HIPAA certification without knowing what gaps might be identified during the audit processes and the nature of the remediation plans required to address them.

HIPAA Certification Requirements for Business Associates

The HIPAA certification requirements for business associates are much the same as above but tailored to the nature of services provided for covered entities. One important point to note is that 45 CFR § 164.308 stipulates a security and awareness training program must be implemented for all members of the workforce – not just those involved in the provision of a service to a covered entity. It is common for potential business associates of HIPAA covered entities to undergo audits by third party HIPAA compliance companies in order to confirm that their products, services, policies, and procedures meet HIPAA standards. The audits are useful for covered entities’ peace of mind as they confirm HIPAA compliance at the time the audit was conducted.

However, for business associates unfamiliar with the far-reaching complexities of HIPAA, it is likely they will require help to become compliant. For this reason, it can be important to select a third-party HIPAA compliance company that not only offers HIPAA certification services, but also helps business associates implement effective HIPAA compliance programs.

HIPAA Certification FAQs

Why is HIPAA certification described as a “point in time” accreditation?

HIPAA certification is described as a “point in time” accreditation because HIPAA compliance is an on-going progress. A HIPAA certified organization may have passed a third-party company’s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the organization will remain compliant in the future. HIPAA certification should be considered an initial objective and then an ongoing task.

Can software be certified as HIPAA compliant?

Software cannot be certified as HIPAA compliant because, while it is possible for software to have HIPAA compliant capabilities, the way the capabilities are used determines compliance with the HIPAA Rules. It is also important to note the distinction between HIPAA compliant software and HIPAA compliance software.

What does HHS say about HIPAA certification?

What HHS says about HIPAA certification is that there is no requirement in HIPAA for a covered entity or business associate or healthcare worker to be certified as compliant. The Department warns organizations to be aware of misleading marketing claims suggesting compliance programs or material is endorsed by HHS or the Office for Civil Rights (OCR).

What is the difference between a third party audit and an HHS audit?

The difference between a third party audit and an HHS audit is that a third party audit checks a covered entity´s HIPAA compliance and, if lapses in compliance are found, the covered entity has an opportunity to address them. If lapses in compliance are found during an HHS audit, the covered entity may be fined – even if there has been no unauthorized use or disclosure of PHI. Because of the risk of a financial penalty for non-compliance, the cost of a third party audit can be a sound investment.

What is the cost of a third party compliance audit?

The cost of a third party compliance audit depends on the size of the covered entity or business associate and the nature of activities. For example, the cost of a third party audit for a major healthcare group is going to be significantly more than the cost to a sole-trader insurance broker who handles a limited number of healthcare claims each year.

How long does HIPAA certification for covered entities and business associates last?

HIPAA certification for covered entities and business associates does not “last”. A HIPAA certification indicates that a covered entity or business associate has passed a third-party company´s HIPAA compliance program and “at that point in time” was HIPAA compliant. As soon as that point in time has passed, a HIPAA certification is no guarantee of compliance. As a result, HIPAA certification has no lifespan and it is a best practice is to conduct regular compliance audits.

How long does HIPAA certification for healthcare workers last?

How long HIPAA certification for healthcare workers lasts depends on whether the certification has been achieved independently or as part of an employer’s training program. If the former, the “point in time” principle applies. If the latter, the certification should be retained for six years in compliance with the HIPAA documentation requirements. It is also recommended refresher training is provided at least annually.

How does HIPAA certification help foster patient trust?

HIPAA certification helps foster patient trust because one of the most important elements of a patient/healthcare professional relationship is trust. When patients are confident their privacy is being respected, this will help foster trust – which contributes to the delivery of better care in order to achieve optimal health outcomes. Better patient outcomes raise the morale of healthcare professionals and result in more rewarding work experience.

Why might a healthcare professional lack knowledge of HIPAA?

A healthcare professional might lack knowledge of HIPAA because covered entities are only required to provide training relevant to a healthcare professional’s role. When a healthcare professional transfers to a new role – or is asked to substitute for a colleague in a different role – they may not immediately have the level of HIPAA knowledge relevant to the role they are performing, potentially resulting in unintentional HIPAA violations.

How are cultural norms of noncompliance allowed to develop?

Cultural norms of non-compliance are allowed to develop in the workplace because many covered entities lack the resources to monitor HIPAA compliance 24/7. It is not unusual for busy healthcare workers to take shortcuts with HIPAA compliance “to get the job done”; and, if the shortcuts become a regular occurrence, they develop into a cultural norm of noncompliance. This is why it is important for covered entities to provide refresher HIPAA training at least annually.

What does HIPAA certification signify?

HIPAA certification signifies that an organization has passed a HIPAA compliance audit. Although this may only be a point in time accreditation, the certification demonstrates the organization has effectively implemented HIPAA’s privacy provisions and security standards. Alternatively, a HIPAA certification for an individual can signify that a member of the workforce has achieved the level of HIPAA knowledge required to comply with the organization’s policies and procedures.

Is certification a requirement of HIPAA?

Certification is not a requirement of HIPAA. It is a voluntary process that organizations can undertake to validate their understanding and implementation of HIPAA’s regulations. Indeed, preparing for certification can help organizations fine-tune risk analyses to better identify gaps in compliance and make better informed decisions about how to fill the gaps.

What are the benefits of becoming HIPAA certified?

The benefits of becoming HIPAA certified include that the process of certification can help organizations adopt best privacy practices and implement the safeguards required by the HIPAA Security Rule. This can reduce the likelihood of HIPAA violations and data breaches. Also, if a violation does occur, certification may demonstrate “a reasonable amount of care” to abide by the rules, which could impact the severity of penalties.

How can HIPAA certification affect the penalties for HIPAA violations?

HIPAA certification can impact the penalties for HIPAA violations significantly if – for example – an organization that is certified experiences a HIPAA violation, and HHS’ Office for Civil Rights investigates the violation. A HIPAA certification demonstrates a good faith effort to comply with HIPAA. This could influence the decision about whether a violation is classified as a Tier 1 or Tier 2 violation, affecting the minimum penalty per violation – if a penalty is imposed at all.

Why might business associates find it beneficial to obtain HIPAA certification?

Business associates might find it beneficial to obtain HIPAA certification to demonstrate the intention to operate compliantly, making their services more appealing to prospective covered entities in a crowded marketplace. Also, if a business associate has achieved HIPAA certification, it may reduce the amount of due diligence required before a covered entity will enter into a Business Associate Agreement.

What are the key areas of compliance that are reviewed for a covered entity to be certified as HIPAA compliant?

The key areas of compliance that are reviewed for a covered entity to be certified as HIPAA compliant include adherence to the HIPAA Security Rule’s administrative, technical, and physical safeguards; remediation plans for gaps identified in audits; policies and procedures for regulatory compliance; employee training; documentation management; Business Associate Agreement management; and incident management procedures for data breaches or violations.

How do HIPAA certification requirements differ for business associates compared to covered entities?

HIPAA certification requirements differ for business associates compared to covered entities by being tailored to the services being offered to or on behalf of covered entities. A key point is that business associates must implement a security and awareness training program for all members of the workforce, not just those involved in services being offered to or on behalf of covered entities.

What are the benefits of HIPAA certification for healthcare workers?

The benefits of HIPAA certification for healthcare workers are that healthcare workers achieve a deeper understanding of HIPAA beyond the basic “policy and procedure” training provided by employers. This comprehensive education covers frequently violated standards like patients’ rights, the minimum necessary standard, and allowable uses and disclosures – helping to prevent unintentional violations due to lack of knowledge.

How long does it take to achieve HIPAA certification?

The length of time it takes to achieve HIPAA certification can vary widely and is difficult to predict without knowing the level of knowledge that each organization or individual is starting from, the gaps that might be identified during audit processes and the nature of the remediation plans required to address them. The process involves thorough several audits and tests, and cannot be completed overnight.

The post What is HIPAA Certification For Healthcare Vendors? appeared first on The HIPAA Journal.

Warning Issued About High-severity Flaw Affecting Microsoft Exchange Hybrid Deployments

Posted by Steve Alder

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have issued warnings about a high-severity flaw affecting Exchange hybrid deployments that could allow an attacker to escalate privileges in Exchange Online cloud environments undetected, potentially impacting the identity integrity of an organization’s Exchange Online service.

The vulnerability is tracked as CVE-2025-53786 and affects hybrid-joined configurations of Exchange Server 2016, Exchange Server 2019, and Microsoft Exchange Server Subscription Edition. The vulnerability has a CVSS v3.1 severity score of 8.0 and is due to improper authentication. The vulnerability can be exploited by an attacker with administrative access to an on-premise Microsoft Exchange server.

In hybrid Exchange deployments, the on-premise Exchange Server and Exchange Online share the same service principal, which is used for authentication between the on-premise and cloud environments. If an attacker controls the on-premise Exchange server, they can potentially manipulate trusted tokens or API calls. Exchange Online will accept these as legitimate since the on-premise Exchange Server is implicitly trusted. Since actions originating from the on-premise Exchange Server do not always generate logs of malicious activity, audits of Exchange Online may not identify security breaches that originated in the on-premise Exchange Server.

At the time of the alert, no exploitation of the flaw has been observed in the wild; however, exploitation is considered “more likely”, so organizations with vulnerable hybrid Microsoft Exchange environments should ensure they follow Microsoft’s mitigation guidance:

Exchange hybrid users should review the Exchange Server Security Changes for Hybrid Deployments guidance to determine if their deployments are potentially affected and if there is a Cumulative Update available.

Microsoft April 2025 Exchange Server Hotfix Updates should be applied to the on-premise Exchange server, and Microsoft’s guidance on deploying a dedicated Exchange hybrid app should be followed.

Any organization using Exchange hybrid, or that has previously configured Exchange hybrid but no longer uses it, should review Microsoft’s Service Principal Clean-Up Mode, which includes guidance for resetting the service principal’s keyCredentials. When these steps have been completed, Microsoft Exchange Health Checker should be run to determine if any further actions are required.

Organizations with public-facing versions of Exchange Server or SharePoint Server that have reached end-of-life or end-of-service should be disconnected from the public Internet, and use should be discontinued.

Microsoft is encouraging customers to migrate to its Exchange Hybrid app as soon as possible to enhance the security of their hybrid environments, and said, “Starting in August 2025, we will begin temporarily blocking Exchange Web Services traffic using the Exchange Online shared service principal” to accelerate adoption of the dedicated Exchange hybrid app.

The post Warning Issued About High-severity Flaw Affecting Microsoft Exchange Hybrid Deployments appeared first on The HIPAA Journal.

Family Health Center; NorthCare Settle Data Breach Lawsuits

Posted by Steve Alder

Settlements have received preliminary approval from the courts to resolve class action data breach litigation against Family Health Center in Michigan and NorthCare in Oklahoma.

Family Health Center Class Action Data Breach Settlement

Family Health Center, a Michigan healthcare provider with three locations in Kalamazoo, has agreed to settle class action data breach litigation stemming from a January 25, 2024, cyberattack that exposed the personal and protected health information of up to 34,926 individuals. The ransomware attack prevented access to certain systems, and the forensic investigation confirmed unauthorized access to names, addresses, health insurance information, Social Security numbers, and medical information. The affected individuals were notified about the data breach on March 24, 2024.

Two lawsuits were filed in response to the data breach – Donald Vickery, et al. v. Family Health Center, Inc., and Janet Walker v. Family Health Center, Inc. – in the Ninth Judicial Circuit in and for Kalamazoo County, Michigan. The two lawsuits had overlapping claims and were consolidated on October 16, 2024. The consolidated lawsuit alleged negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, invasion of privacy, and violations of the Michigan Data Breach Notification Act and the Michigan Consumer Protection Act.

The parties mediated on January 15, 2024, and reached an agreement in principle to settle the litigation, with no admission of wrongdoing or liability. All parties agreed to the settlement to avoid the litigation costs and expenses, distractions, burden, expense, and disruption to business operations associated with further litigation. Under the terms of the settlement, the defendants will establish a settlement fund of up to $850,000 to cover attorneys’ fees (up to $283,305), attorneys’ expenses (yet to be determined), service awards to the class representatives ($1,500 for each of the six named plaintiffs), settlement administration costs (up to $75,000), credit monitoring costs (yet to be determined) and payments to class members.

Class members may claim one of two cash payments. Cash Payment A can be claimed as reimbursement for documented, unreimbursed out-of-pocket losses incurred as a result of the data breach up to a maximum of $5,000 per class member. Alternatively, a claim can be submitted for Cash Payment B, which is a flat cash payment of $50.00. In addition to either of the cash payments, class members may claim two years of credit monitoring, dark web monitoring, and managed identity recovery services, which include a $1 million identity theft insurance policy.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for October 17, 2025. Class members wishing to object to or exclude themselves from the settlement must do so by September 8, 2025, and claims must be submitted by October 8, 2025. Further information is available on the settlement website: https://www.fhcdatasettlement.com/

NorthCare Class Action Data Breach Settlement

NorthCare, an Oklahoma City-based mental health clinic, has agreed to settle a class action lawsuit stemming from a June 1, 2021, ransomware attack that involved unauthorized access to the protected health information of up to 128,556 individuals. A ransomware group first gained access to its network on or around May 29, 2021, and potentially viewed or obtained information such as names, addresses, dates of birth, medical diagnoses, and Social Security numbers.

A lawsuit – Ana Chavez Maendele, et al. v. North Oklahoma County Mental Health Center, d/b/a NorthCare – was filed in the District Court of Oklahoma County, Oklahoma, alleging NorthCare was negligent by failing to implement reasonable and appropriate safeguards to prevent unauthorized access to its network. NorthCare maintains there was no wrongdoing and no liability, and said it was prepared to vigorously defend the lawsuit; however, a settlement has been agreed to avoid the burden, expense, risk, and uncertainty of continuing to litigate.

Under the terms of the settlement, NorthCare has agreed to provide benefits to class members. Claims may be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses and financial losses fairly traceable to the data breach up to a maximum of $2,000 per class member. In addition, a claim may be submitted for reimbursement of time spent remedying the effects of the data breach up to a maximum of $100 (5 x hours at $20 per hour).

Alternatively, a cash payment of $125 can be claimed by individuals who do not claim reimbursement of losses and/or reimbursement of lost time. All class members can claim three years of single-bureau credit monitoring services. Claims and cash payments will be paid after all costs and expenses have been deducted from the settlement fund. Attorneys’ fees will be up to $250,000, and class representative awards will be $2,000 per named plaintiff.

The deadline for exclusion from and objection to the settlement is September 12, 2025. Claims must be submitted by October 11, 2025, and the final fairness hearing has been scheduled for December 15, 2025.

The post Family Health Center; NorthCare Settle Data Breach Lawsuits appeared first on The HIPAA Journal.