Southern Illinois Ob-Gyn Associates Announces Data Breach Affecting 38,700 Individuals

A data breach at Southern Illinois Ob-Gyn Associates has affected 38,700 individuals. Data breaches have also been reported by Wellpoint Washington – involving Independent Clinics of Washington – and Dillon Family Medicine, part of McLeod Health.

Southern Illinois Ob-Gyn Associates

Southern Illinois Ob-Gyn Associates has notified 38,700 current and former patients about a breach of their personal and protected health information. The cybersecurity incident was identified on November 24, 2025. After its systems were secured, third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the incident. They confirmed that its systems had been subject to unauthorized access, and on January 28, 2026, it was confirmed that there was unauthorized access to patient data.

Data compromised in the incident included names, dates of birth, Social Security numbers, demographic information, health information, and health insurance information. Southern Illinois Ob-Gyn Associates said it has implemented additional technical safeguards and has enhanced its existing security measures to prevent similar incidents in the future. Southern Illinois Ob-Gyn Associates obtained the final list of individuals to notify on April 28, 2026. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Wellpoint Washington

Wellpoint Washington, Inc., has notified 12,020 individuals that some of their personal and protected health information was stored in an employee’s email account that was accessed by an unauthorized third party between June 24 and July 2, 2025. During that time, emails and files may have been exfiltrated.

The data breach affected Independent Clinics of Washington, a delegated provider of Elevance Health, and was detected on July 2, 2025. The incident exposed information such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance ID numbers, medical information, and pharmacy information. The affected individuals were notified directly by Wellpoint Washington Inc. Complimentary credit monitoring and identity theft protection services do not appear to have been made available.

Dillon Family Medicine

Dillon Family Medicine, a healthcare provider that’s part of McLeod Health and serves patients in and around Dillon, South Carolina, has identified unauthorized access to a network server containing patient information. According to the substitute breach notice on the McLeod Health website, the unauthorized access occurred between October 17, 2026, and October 18, 2026.

The breach was not detected until March 5, 2026, when a suspicious file was found on the server, which was about to be decommissioned. An investigation was launched, which determined on April 14, 2026, that there had been unauthorized access to the server. The server contained names, dates of birth, Social Security numbers, and health information, including diagnoses, medications, test results, medical images, treatment information, and health insurance information.

Additional safeguards have been implemented to prevent similar incidents in the future, and the affected server has now been fully decommissioned and is no longer in use. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so the number of affected individuals is currently unknown.

The post Southern Illinois Ob-Gyn Associates Announces Data Breach Affecting 38,700 Individuals appeared first on The HIPAA Journal.

Henderson & Walton Women’s Center Settles Class Action Data Breach Lawsuit

Henderson & Walton Women’s Center, a Birmingham, AL-based provider of women’s healthcare services, has agreed to settle a class action lawsuit stemming from a 2022 data breach that exposed the personal and protected health information of 34,306 individuals. The forensic investigation confirmed that an unauthorized third party had access to an employee’s email account between February 11, 2022, and February 14, 2022, and potentially obtained information such as names, dates of birth, driver’s license or state ID numbers, and medical and treatment information.

Plaintiff Kim Townsel filed a lawsuit – Townsel v. Henderson & Walton Women’s Center, P.C. – against Henderson & Walton Women’s Center in the Circuit Court for Jefferson County, Alabama, over the data breach, alleging a failure to properly secure and safeguard the sensitive and confidential information of patients through the use of encryption and other cybersecurity measures. The lawsuit alleged that the failure amounted to negligence. In addition to the negligence and negligence per se claims, the lawsuit asserted claims for breach of implied contract, unjust enrichment, and breach of fiduciary duty.

Henderson & Walton Women’s Center maintains that there was no wrongdoing and disagrees with the claims made in the lawsuit; however, it agreed to a settlement to avoid the costs, distractions, and disruptions to its business from continuing with the litigation. The plaintiff and class counsel believe the settlement is fair, and the settlement has received preliminary approval from the court.

Under the terms of the settlement, class members are entitled to claim compensation for ordinary losses incurred as a result of the data breach up to a maximum of $150 per class member, plus compensation for extraordinary losses up to a maximum of $2,500 per class member. Individuals who lost time dealing with the data breach may claim reimbursement of up to three hours of lost time at $30 per hour. Class members are also entitled to enroll in three years of medical and credit monitoring services.

The deadline for objections and comments on the settlement is June 29, 2026. Individuals wishing to exclude themselves must do so by July 13, 2026. The final fairness hearing has been scheduled for August 12, 2026.

The post Henderson & Walton Women’s Center Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

HSCC Issues Guidance on Cyber Governance Frameworks for Secure AI implementation

The Health Sector Coordinating Council (HSCC) AI cybersecurity governance task force has published new guidance for healthcare CISOs and other leaders to help them establish cybersecurity governance frameworks for secure AI implementation.

Adoption of AI-based technologies in healthcare is progressing at pace, with AI tools increasingly embedded into critical healthcare functions; however, these tools introduce new and often poorly understood cyber risks into already complex ecosystems. AI-specific cyber risks, such as data poisoning, model drift, and bias, can threaten successful implementation and HIPAA compliance, and the tools can create vulnerabilities that can be exploited by threat actors in attacks that impact patient privacy, safety, and care.

Healthcare organizations should implement a strong governance structure that integrates cybersecurity principles into the full AI product lifecycle, from assessment, design, development, and deployment through to decommissioning of AI systems. The guidance can be used to implement a cybersecurity governance framework for identifying and mitigating AI-specific cyber risks associated with all AI technologies, from traditional machine learning systems to generative AI and agentic AI systems capable of autonomous action.

The AI Cyber Governance Framework Implementation Guide establishes core AI cybersecurity governance objectives for enterprises, ecosystems, and third-party adoption scenarios, and includes AI cyber-specific industry best practices and protocols for secure data handling, model protection, continuous monitoring, and threat detection, including model evasion, model inversion, data leakage, and data poisoning. The guidance provides practical tools for organizing roles and responsibilities, inventory management, and contractual language for vendor relationships, and includes a five-level AI autonomy framework and an AI-specific incident response playbook.

The 87-page guidance document is focused on establishing a governance framework for addressing AI-specific cybersecurity risks. While the guidance covers clinical safety, ethics, and patient engagement when they intersect with cybersecurity risk, a broader AI governance program should be maintained for addressing the full spectrum of AI-related risks beyond cybersecurity, and the guidance should therefore be used in combination with existing organizational governance activities.

The playbook is part of a series of AI-specific documents for the healthcare industry, with previous publications including a guide for addressing supply chain risk. Further publications are expected in the coming months to address other healthcare-specific AI considerations.

The post HSCC Issues Guidance on Cyber Governance Frameworks for Secure AI implementation appeared first on The HIPAA Journal.