Check Point VPN and Google Chrome Vulnerabilities Under Active Exploitation

Posted by Steve Alder

Patches have been issued to fix a critical vulnerability affecting Check Point Mobile Access, SSL VPN, Remote Access VPN, and Spark Firewalls, and a high-severity vulnerability in Google Chrome, both of which are being actively exploited in the wild.

Check Point Remote Access VPN Vulnerability

On June 8, 2026, the cybersecurity firm Check Point issued a security advisory about a critical authentication bypass vulnerability tracked as CVE-2026-50751 (CVSS 9.3), which has been actively exploited in zero-day attacks since May 7, 2026. Exploitation of the vulnerability accelerated over the weekend, with a few dozen organizations falling victim to attacks. In one attack, Check Point associated the post-exploit activity with a Qilin ransomware affiliate that has previously targeted vulnerabilities in other VPNs.

The vulnerability affects Check Point Mobile Access, SSL VPN, Remote Access VPN, and Spark Firewalls; however, only if deployments are configured to use the deprecated IKEv1 key exchange protocol. In vulnerable deployments, unauthenticated remote attackers can exploit a logic flaw in certificate validation, which allows them to establish a VPN connection without a valid password, bypassing authentication requirements.

Check Point also identified a second vulnerability while investigating the actively exploited zero day. The vulnerability is also associated with the deprecated IKEv1 key exchange, which can allow a man-in-the-middle attack on VPN site-to-site connections. The vulnerability is tracked as CVE-2026-50752, has a CVSS score of 7.4, and affects Security Gateways and Spark Firewalls. At the time of issuing the patch, there had been no known exploitation of the flaw.

Customers using the IKEv1 key exchange protocol have been advised to apply the security updates as soon as possible. If the hotfixes cannot be immediately applied, users should follow Check Point’s mitigation guidance detailed in the security alert. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerability (KEV) Catalog and ordered all government agencies to secure their deployments by applying the security updates or mitigations within 3 days. or to discontinue use of the product.

Google Chrome Zero-day

Google has released an emergency patch to fix an actively exploited high-severity zero-day vulnerability in Google Chrome. The vulnerability, tracked as CVE-2026-11645, is due to an out-of-bounds read and write flaw in the Chrome V8 JavaScript engine. The vulnerability can be exploited by a remote attacker via specially crafted HTML pages. Successful exploitation allows the attacker to execute arbitrary code inside the web browser sandbox, exposing sensitive information or crashing Chrome.

Google is aware of an exploit for the vulnerability in the wild, and has rolled out updates for users in the Stable Desktop channel for Windows, Mac, and Linux Systems. Further information about the bug is being withheld until the majority of users have updated Chrome.

The post Check Point VPN and Google Chrome Vulnerabilities Under Active Exploitation appeared first on The HIPAA Journal.

Senator Seeks Answers from NYC Health & Hospitals About 1.8M Record Breach

Posted by Steve Alder

The Senate Health, Education, Labor, and Pensions (HELP) Committee Chair Senator Bill Cassidy, M.D. (R-LA), is seeking answers from NYC Health + Hospitals about the steps that have been taken since its recent data breach to improve its security protocols to prevent further cybersecurity incidents and breaches of patient data.

NYC Health + Hospitals discovered suspicious activity within its computer systems on February 2, 2026, with its investigation determining that its systems were accessed by an unauthorized third party for almost three months before the intrusion was detected. The threat actor first accessed its system on February 25, 2026, and retained access until February 11, 2026. The investigation suggests access was gained via a third-party vendor. Data compromised in the incident included names, Social Security numbers, medical information, health insurance information, billing and claims information, payment information, and precise geolocation data. The data breach was reported to the HHS’ Office for Civil Rights as affecting 1.8 million individuals.

In the letter to NYC Health + Hospitals CEO Mitchell Katz and CC’d to NYC Mayor Zohran Mamdani, Sen. Cassidy pointed out that healthcare data breaches are being reported in high numbers. Currently, 772 large healthcare data breaches are listed on the OCR data breach portal, making 2025 a record year for healthcare data breaches. These incidents result in delayed care, and data theft puts patients at risk of identity theft and fraud. NYC Health + Hospitals is the largest public health system in the United States, providing care to 1 million patients a year, and its data breach has created a substantial risk to the population it serves.

Sen. Cassidy seeks answers on both the cybersecurity controls in place prior to the cybersecurity incident and the measures implemented post-incident to protect against further cyberattacks. Specifically, Sen. Cassidy wants answers about the cyber and physical security protocols in place to protect against cyberattacks, how cybersecurity best practices implemented by other critical infrastructure sectors have been incorporated into its security policies and protocols, exactly when it became aware of an intrusion, when and which federal agencies were notified about the incident, and the remedial steps taken to improve security protocols.

Sen Cassidy also wants more detail about the steps taken to identify any additional information that may have been accessed in the attack, how it is proactively communicating with potentially impacted individuals and entities, and what additional reporting it will commit to doing for the affected individuals, beyond the reporting requirements of HIPAA. Sen. Cassidy is seeking a response to the questions no later than June 18, 2026.

Sen. Cassidy is taking a keen interest in cybersecurity incidents at healthcare organizations. He sent a similar letter to Aflac following its massive data breach in 2025 – the second-largest healthcare data breach of the year, affecting almost 14 million individuals – and UnitedHealth Group following the Change Healthcare cyberattack in 2024.

Sen Cassidy, along with Sens. Maggie Hassan (D-NH), Mark Warner (D-VA), and John Cornyn (R-TX) reintroduced the Health Care Cybersecurity and Resiliency Act last year, which was advanced by the HELP committee this Spring, in an attempt to strengthen healthcare cybersecurity and improve resiliency against ever-increasing healthcare cyberattacks and data breaches.

The post Senator Seeks Answers from NYC Health & Hospitals About 1.8M Record Breach appeared first on The HIPAA Journal.

Southern Illinois Ob-Gyn Associates Announces Data Breach Affecting 38,700 Individuals

Posted by Steve Alder

A data breach at Southern Illinois Ob-Gyn Associates has affected 38,700 individuals. Data breaches have also been reported by Wellpoint Washington – involving Independent Clinics of Washington – and Dillon Family Medicine, part of McLeod Health.

Southern Illinois Ob-Gyn Associates

Southern Illinois Ob-Gyn Associates has notified 38,700 current and former patients about a breach of their personal and protected health information. The cybersecurity incident was identified on November 24, 2025, and after securing its systems, third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the incident. They confirmed that its systems had been subject to unauthorized access, and on January 28, 2026, it was confirmed that there was unauthorized access to patient data.

Data compromised in the incident included names, dates of birth, Social Security numbers, demographic information, health information, and health insurance information. Southern Illinois Ob-Gyn Associates said it has implemented additional technical safeguards and has enhanced its existing security measures to prevent similar incidents in the future. Southern Illinois Ob-Gyn Associates obtained the final list of individuals to notify on April 28, 2026. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Wellpoint Washington

Wellpoint Washington, Inc., has notified 12,020 individuals that some of their personal and protected health information was stored in an employee’s email account that was accessed by an unauthorized third party between June 24 and July 2, 2025. During that time, emails and files may have been exfiltrated.

The data breach affected Independent Clinics of Washington, a delegated provider of Elevance Health, and was detected on July 2, 2025. The incident exposed information such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance ID numbers, medical information, and pharmacy information. The affected individuals were notified directly by Wellpoint Washington Inc. Complimentary credit monitoring and identity theft protection services do not appear to have been made available.

Dillon Family Medicine

Dillon Family Medicine, a healthcare provider that’s part of McLeod Health and serves patients in and around Dillon, South Carolina, has identified unauthorized access to a network server containing patient information. According to the substitute breach notice on the McLeod Health website, the unauthorized access occurred between October 17, 2026, and October 18, 2026.

The breach was not detected until March 5, 2026, when a suspicious file was found on the server, which was about to be decommissioned. An investigation was launched, which determined on April 14, 2026, that there had been unauthorized access to the server. The server contained names, dates of birth, Social Security numbers, and health information, including diagnoses, medications, test results, medical images, treatment information, and health insurance information.

Additional safeguards have been implemented to prevent similar incidents in the future, and the affected server has now been fully decommissioned and is no longer in use. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so the number of affected individuals is currently unknown.

The post Southern Illinois Ob-Gyn Associates Announces Data Breach Affecting 38,700 Individuals appeared first on The HIPAA Journal.

Henderson & Walton Women’s Center Settles Class Action Data Breach Lawsuit

Posted by Steve Alder

Henderson & Walton Women’s Center, a Birmingham, AL-based provider of women’s healthcare services, has agreed to settle a class action lawsuit stemming from a 2022 data breach that exposed the personal and protected health information of 34,306 individuals. The forensic investigation confirmed that an unauthorized third party had access to an employee’s email account between February 11, 2022, and February 14, 2022, and potentially obtained information such as names, dates of birth, driver’s license or state ID numbers, and medical and treatment information.

Plaintiff Kim Townsel filed a lawsuit – Townsel v. Henderson & Walton Women’s Center, P.C. – against Henderson & Walton Women’s Center in the Circuit Court for Jefferson County, Alabama, over the data breach, alleging a failure to properly secure and safeguard the sensitive and confidential information of patients through the use of encryption and other cybersecurity measures. The lawsuit alleged that the failure amounted to negligence. In addition to the negligence and negligence per se claims, the lawsuit asserted claims for breach of implied contract, unjust enrichment, and breach of fiduciary duty.

Henderson & Walton Women’s Center maintains that there was no wrongdoing and disagrees with the claims made in the lawsuit; however, it agreed to a settlement to avoid the costs, distractions, and disruptions to its business from continuing with the litigation. The plaintiff and class counsel believe the settlement is fair, and the settlement has received preliminary approval from the court.

Under the terms of the settlement, class members are entitled to claim compensation for ordinary losses incurred as a result of the data breach up to a maximum of $150 per class member, plus compensation for extraordinary losses up to a maximum of $2,500 per class member. Individuals who lost time dealing with the data breach may claim reimbursement of up to three hours of lost time at $30 per hour. Class members are also entitled to enroll in three years of medical and credit monitoring services.

The deadline for objection and comments on the settlement is June 29, 2026. Individuals wishing to exclude themselves must do so by July 13, 2026. The final fairness hearing has been scheduled for August 12, 2026.

The post Henderson & Walton Women’s Center Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.