Healthcare Organizations Struggling to Implement Primary Method of Blocking Lateral Movement

A study of security leaders from the healthcare and manufacturing industries found that while there is an almost universal desire to deploy modern microsegmentation, more than 90% of respondents said they had protected fewer than 80% of critical systems, despite almost half admitting to falling victim to lateral movement attacks in the past year. In healthcare, fewer than 6% of respondents said that their organization had implemented microsegmentation across 80% or more of their critical systems.

Microsegmentation is a cybersecurity technique that divides networks into small, distinct, and isolated zones to secure workloads, applications, or devices. Traditional network segmentation, such as Virtual Local Area Networks (VLANs), creates broad segmented zones, whereas microsegmentation applies security policies at the individual workload or application level. Microsegmentation allows organizations to implement East-West traffic control within their data center, rather than only North-South traffic controls for identifying traffic leaving the network. It provides deep visibility into network traffic flows, including which applications are communicating with each other. Healthcare organizations can enable strict isolation and monitoring of systems that handle sensitive data such as protected health information (PHI), which can simplify HIPAA Security Rule compliance.

Microsegmentation protects internal workloads from applications without authorized access, and can be applied to on-premises and hybrid environments. It reduces the attack surface and greatly limits the potential for lateral movement. In the event of compromise, attackers are contained within a microsegment, limiting the harm they can cause and the data they can access.

The study was conducted by Omdia on 352 healthcare and manufacturing security leaders, on behalf of the network segmentation specialists Elisity. The survey revealed that 99% of respondents were implementing or planning to implement microsegmentation, with 57% of respondents ranking microsegmentation as their main initiative to prevent lateral movement; however, they were slow to fully implement it. Only 9% of respondents had implemented it across 80% or more of critical systems, and just 6% in healthcare. While microsegmentation ranked first among planned priorities, it ranked close to the bottom 24% among currently deployed zero-trust architectures.

There have been challenges with implementing microsegmentation in the past; however, modern identity-based microsegmentation is a different beast, as it requires no agents, no hardware changes, and no VLAN recognition. Instead, the policy is enforced directly on network switches. “Microsegmentation has matured, but many organizations still carry the scars of earlier, complex approaches. What’s changed is the architecture. Identity-based microsegmentation lets teams enforce precise policy on the switches they already run, so security becomes an enabler rather than a gate,” James Winebrenner, CEO, Elisity, said.

Most organizations still rely on VLANs, ACLs, and agent-based tools, which require constant rework and leave East-West exposure wide open, and progress with implementation has been slow. First-generation tools built around network location rather than identity have slowed real progress to a crawl, as agent-based and firewall-centric designs couldn’t uniformly cover IT, IoT, OT, or IoMT. According to Elisity, “These approaches had outdated or unsupported software (56%), high maintenance costs and hardware limitations (50%), and frequent failures or performance issues (43%).”

There have been challenges implementing microsegmentation in healthcare, especially with integrating SIEM, EDR, and SOAR. Respondents said visiting clinicians (74%) and clinical staff (72%) require the most granular policy attention, given the mix of managed and unmanaged devices moving through clinical environments. Many respondents lacked awareness of the ease and speed at which modern identity-based solutions can be deployed. Only 22% of respondents had hands-on experience of implementing microsegmentation, and most teams were still running legacy methods.

There is a clear desire to implement microsegmentation, and awareness of modern identity-based microsegmentation is improving. “Our data shows the shift is on. Enterprises intend to deploy microsegmentation, and many now see modern solutions as easier and more effective,” said Hollie Hennessy, Principal Analyst, Omdia, who points out that with modern solutions, the timeline for implementation has shortened from years to weeks.

The post Healthcare Organizations Struggling to Implement Primary Method of Blocking Lateral Movement appeared first on The HIPAA Journal.

Medical Device Maker Medtronic Announces Data Breach

The medical device manufacturing giant Medtronic has confirmed that hackers breached its network and exfiltrated data. The company announced the cyberattack on Friday, April 24, 2026, and said the attack was quickly contained and its incident response protocols were activated.

Medtronic manufactures a range of medical products, including pacemakers, defibrillators, heart valves, coronary stents, insulin pumps, continuous glucose monitoring systems, neurosurgery products and imaging systems, surgical robotics, ventilators, and gastrointestinal products. The company is the world’s largest medical device company by revenue, which was $33.5 billion in fiscal year 2025. The company operates in more than 150 countries, employs around 95,000 people worldwide, and serves around 79 million patients annually.

The hackers accessed only a limited portion of its network. Medtronic confirmed that the networks that support its corporate IT systems, products, manufacturing, and distribution operations are separate. Further, hospital customer networks are separate from Medtronic IT networks and are secured and managed by customers’ IT teams. A leading cybersecurity firm has been engaged to investigate the incident and support remediation efforts. At present, there has been no identified impact on its products, patient safety, customer connections, manufacturing and distribution operations, or financial reporting systems, and the company is continuing to meet patient needs.

What is not currently known is whether personal or protected health information was accessed or stolen in the incident. If such information has been accessed or stolen, the affected individuals will be identified, notifications will be issued, and support services will be made available. While mitigating the incident, Medtronic said it is simultaneously working on identifying additional ways that it can optimize system security to prevent similar incidents in the future.

Medtronic is a publicly traded company and is therefore required to notify the U.S. Securities and Exchange Commission (SEC) about material events that may affect shareholders. In its Form 8-K filing with the SEC, Medtronic states that the incident is not expected to have a material impact on its business or financial results. Prior to the announcement and SEC filing, on April 18, 2026, the ShinyHunters data theft and extortion group claimed responsibility for the attack. The group claimed to have exfiltrated terabytes of Medtronic data, including personally identifiable information.

ShinyHunters claimed to have stolen more than 9 million records containing PII, although that claim has not been verified by Medtronic. ShinyHunters said it would publish the stolen data if the ransom was not paid by April 21, 2026. The amount of money demanded has not been made public. Medtronic has been removed from the ShinyHunters data leak site, which suggests that the ransom has been paid, although Medtronic has not confirmed whether that is the case.

“This incident highlights a recurring pattern where attackers prioritize corporate IT environments as an entry point, knowing they often contain high-value data but are less rigorously segmented than production or patient-facing systems. Even if Medtronic states there is no impact to products or patient safety, the theft of millions of records, if confirmed, still represents a significant risk, particularly for identity theft, targeted phishing, and supply chain exploitation. In healthcare, ‘no operational impact’ does not mean ‘no risk’; sensitive data exposure can have long-term downstream consequences,” said Ensar Seker, CISO at SOCRadar. “From a defender’s perspective, this reinforces the need to treat corporate IT systems with the same level of scrutiny as clinical or operational environments. Strong identity controls, strict network segmentation, and continuous monitoring of data exfiltration paths are critical. Additionally, organizations should assume that groups like ShinyHunters will attempt to monetize even partial or low-sensitivity datasets, so rapid validation, transparent communication, and proactive threat intelligence engagement are essential to reduce reputational and regulatory fallout.”

Medtronic is not the only medical device manufacturer to experience a data breach this year. In January 2026, Massachusetts-based UFP Technologies, a manufacturer of devices and components for wound care, implants, and orthopedic and surgical products, notified the SEC about a cyberattack and data breach. In March 2026, the California implantable orthopedic device manufacturer TriMed announced a cyberattack and data breach, and the medtech company Stryker experienced a wiper attack.


SAG-AFTRA Health Plan Settles Lawsuit Over 2024 Phishing Incident

SAG-AFTRA Health Plan has settled a class action lawsuit over a September 2024 email data breach. Hackers gained access to the health plan’s email systems between September 17 and September 18, 2024, after employees responded to phishing emails. The attack exposed sensitive personal and protected health information, which was potentially copied by the hackers.

Data compromised in the incident included names and Social Security numbers and, for some individuals, health information, claims information, and plan participant identification numbers. The breach was reported to the HHS’ Office for Civil Rights initially as affecting 35,592 individuals, although that total was later increased to 98,474 individuals. The lawsuit states that approximately 94,546 notification letters were mailed.

The first class action lawsuit over the data breach was filed by plaintiffs Matthew Rouillard and Kristy Munden in December 2024, and a further three class action lawsuits were subsequently filed by other plaintiffs. The lawsuits had overlapping claims, so were consolidated into a single action – In re SAG Health Data Breach Litigation – in the U.S. District Court for the Central District of California.

The consolidated lawsuit asserted several claims, including negligence and violations of California laws. To avoid the expense, distraction, and uncertainty of a trial and related appeals, SAG-AFTRA Health Plan and the plaintiffs agreed to a settlement. SAG-AFTRA Health Plan has agreed to establish a $950,000 settlement fund to cover attorneys’ fees and expenses, claims administration costs, service awards for the class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a pro rata cash payment, which will be paid from the remaining funds after claims and costs have been deducted. Individuals who were not California residents at the time of the data breach will receive one pro rata share of the remainder of the settlement fund, and California residents will receive two shares.

All class members will receive an 18-month membership to a credit monitoring and identity theft protection service, even if they do not submit a claim for reimbursement of losses or a cash payment. Claims must be submitted by July 23, 2026. The deadline for objection and exclusion is June 23, 2026, and the final fairness hearing has been scheduled for September 24, 2026.

December 13, 2024: SAG-AFTRA Members Sue Health Plan Over Email Breach

A class action lawsuit has been filed by members of the Screen Actors Guild – American Federation of Television and Radio Artists (SAG-AFTRA) health plan over a recent email phishing attack that exposed their protected health information. An unauthorized third party accessed an employee’s email account between September 17 and September 18, 2024, after the employee responded to a phishing email and potentially viewed or copied names, Social Security numbers, health insurance information, and claims information. The breach was reported to the HHS’ Office for Civil Rights as affecting 35,592 individuals, and individual notifications were mailed on December 2, 2024. The total was later increased to 98,474 individuals.

Three days after notification letters were mailed, a lawsuit was filed by Clarkson Law Firm P.C. in the U.S. District Court in Los Angeles that names SAG-AFTRA members Matthew Rouillard and Kristy Munden as plaintiffs. The lawsuit alleges SAG-AFTRA failed to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to members’ sensitive data, which was exfiltrated in the attack, failed to adequately monitor its network and computer systems, and failed to issue timely notifications about the breach. Notification letters were sent more than 2 months after the email account breach was discovered.

The lawsuit alleges the plaintiffs and class members have suffered injuries such as out-of-pocket expenses associated with preventing, detecting, and remediating identity theft, social engineering, and fraud; lost opportunity costs while attempting to mitigate the consequences of the data breach; lost time; an invasion of privacy; diminution in value of their private information; and an increased risk of identity theft and fraud.

The lawsuit claims that in light of the data breach and lack of cybersecurity protections, members overpaid for their health plans. The lawsuit asserts claims of unjust enrichment, invasion of privacy, negligence, breach of express warranty, and violations of the California Civil Code (Deceit by concealment), California Unfair Competition Law (Business & Professions Code), and the California Confidentiality of Medical Information Act.

The lawsuit seeks class action status, a jury trial, monetary damages, restitution, and an order from the court requiring adequate security protocols to be implemented, proper notice to be provided to the affected individuals, and prohibiting the health plan from engaging in further wrongful acts.


Cyberattacks Announced by Florida Physician Specialists & Mile Bluff Medical Center

Florida Physician Specialists has started notifying patients affected by a November 2025 hacking incident. Mile Bluff Medical Center in Wisconsin has announced that it is working under downtime procedures as it recovers from an April 2026 ransomware attack.

Florida Physician Specialists

Florida Physician Specialists, a Jacksonville, FL-based multi-specialty private physician practice serving patients in Northeast Florida, started notifying patients on April 24, 2026, about a November 2025 hacking incident that exposed some of their personal and protected health information.

An investigation was launched into a security incident in late November, which confirmed that an unauthorized third party accessed its network between November 27, 2025, and November 29, 2025. The review of the exposed data was completed on April 6, 2026, when it was confirmed that a limited amount of patient data may have been exfiltrated from its network. Data potentially compromised in the incident included names in combination with one or more of the following: Social Security numbers, driver’s license numbers or state identification numbers, other government identification numbers, financial account information, credit or debit card information, medical information, and/or health insurance policy information.

While data may have been stolen, Florida Physician Specialists is unaware of any actual or attempted misuse of the data; however, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring services. The data breach was reported to the Maine Attorney General as affecting 47 Maine residents, but it is currently unclear how many individuals have been affected in total. There is currently no listing on the HHS Office for Civil Rights website.

Mile Bluff Medical Center

Mile Bluff Medical Center in Mauston, Wisconsin, is dealing with a cyberattack that resulted in the encryption of files on its network. Security protocols were immediately implemented when the attack was discovered, and an investigation has been launched with assistance provided by third-party partners.

The medical center has confirmed that the cyberattack caused limited and temporary interruptions to certain computer systems, and its phone system has also been impacted. Clinical teams have been working under downtime procedures while the attack is mitigated and until systems can be safely restored. The priority has been to ensure that care continues to be provided to patients. The medical center is working to fully resolve the issues as soon as possible. At this stage of the recovery process, it is too early to tell to what extent, if any, patient data has been affected. No threat group appears to have claimed responsibility for the attack at the time of writing.


South Texas Oncology and Hematology Pays $1.1M to Settle Data Breach Lawsuit

South Texas Oncology and Hematology, a San Antonio, TX-based provider of leading-edge cancer treatment and other medical services, has settled a class action lawsuit stemming from a February 2024 cyberattack and data breach that involved unauthorized access to the personal information of 176,303 individuals, including the protected health information of 175,195 individuals.

Suspicious network activity was identified on February 15, 2024, and the forensic investigation confirmed that an unauthorized individual accessed its network and potentially obtained employee and patient information. Data exposed in the incident included names, contact information, dates of birth, health information, and Social Security numbers. The affected individuals were notified about the incident in June 2024.

The first class action lawsuit over the data breach was filed by plaintiff Doris Flores on June 24, 2024, in the U.S. District Court for Bexar County, Texas, 438th Judicial District. Several other lawsuits were subsequently filed, and since they made similar claims and had overlapping classes, the plaintiffs’ counsel agreed to work cooperatively and litigate in a single action – Flores v. South Texas Oncology and Hematology, PLLC.

The consolidated lawsuit alleged that the defendant failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network, and that the data breach should have been prevented. South Texas Oncology and Hematology maintains that there was no wrongdoing, there is no liability, and denies all claims and contentions in the lawsuit. The defendant and the plaintiffs agreed to a settlement to avoid the costs and risk associated with a trial, with no admission of fault or liability.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for July 21, 2026. Under the terms of the settlement, South Texas Oncology and Hematology has agreed to pay $1,075,000 to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members.

Class members may submit a claim for reimbursement of up to $5,000 in documented, unreimbursed losses due to the data breach, or they may claim an alternative pro rata cash payment. The cash payments are estimated to be $100 per class member, but may be higher or lower depending on the number of valid claims received. In addition to one of those benefits, class members may also claim two years of free medical data monitoring services. Claims must be submitted by July 6, 2026, and individuals wishing to object to the settlement or exclude themselves must do so by June 22, 2026.
