Calibrated Healthcare Settles Class Action Data Breach Lawsuit
Calibrated Healthcare Systems, LLC, and Calibrated Healthcare, LLC, have agreed to settle a class action lawsuit stemming from a February 2024 security incident that exposed patient information.
Calibrated Healthcare identified a security incident on February 26, 2024, and its investigation determined that there had been unauthorized access to its network between February 25, 2024, and February 26, 2024. While data theft was not confirmed, Calibrated Healthcare said data theft was likely. Data compromised in the incident included names, dates of birth, medical diagnosis/treatment information, and health insurance information.
The data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 6,890 individuals, and the affected individuals were notified on or around August 2, 2024. Two putative class action lawsuits were filed in response to the data breach: Adams v. Calibrated Healthcare Systems, LLC, et al and Holden v. Calibrated Healthcare, LLC, which were consolidated in the District Court for the Central District of California, Southern Division – Adams, et al. v. Calibrated Healthcare Systems, LLC, et al.
The consolidated lawsuit alleged that the data breach was due to the defendants’ negligence and should have been prevented. The lawsuit asserted claims for negligence, invasion of privacy, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Unfair Competition Law Bus. & Prof. Code for unlawful, fraudulent, and unfair business practices, violation of the California Consumers Legal Remedies Act, and violation of the California Consumers Legal Remedies Act.
The defendants deny all claims and contentions in the lawsuit, including claims of fault, wrongdoing, and liability. The parties attended mediation, and while a settlement was not agreed during mediation, settlement negotiations continued, and a settlement acceptable to all parties has now been agreed. The settlement has received preliminary approval from the court.
While the OCR breach portal still lists the incident as involving the protected health information (PHI) of 6,890 individuals, there are 34,562 individuals in the settlement class. The settlement provides all class members with two years of medical monitoring and identity theft insurance services, and a monetary payment of between $21.44 and $28.68, depending on the number of valid claims received for reimbursement of out-of-pocket costs and lost time.
Class members may claim up to seven hours of documented lost time due to the data breach at $25 per hour (Maximum $175 per class member). A claim may also be submitted for reimbursement of documented losses fairly traceable to the data breach up to a maximum of $5,000 per class member. Claims must be submitted by July 9, 2026, and the final fairness hearing has been scheduled for August 13, 2026.
The post Calibrated Healthcare Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.
Lawsuits target healthcare firms for data breaches – Nashville Banner
Small Practice Owners Guide to HIPAA Compliance Programs
A small practice owner carries legal responsibility for HIPAA compliance regardless of who performs the day-to-day compliance tasks, which means the owner must confirm a current HIPAA Security Risk Analysis exists, written policies align with the HIPAA Privacy Rule and HIPAA Security Rule, staff training stays documented, and vendor agreements are in place, even when a Practice Administrator or Privacy Officer manages the details. Ownership of a HIPAA-covered practice creates direct financial and legal exposure to fines, corrective action plans, and civil litigation. An owner who delegates compliance tasks without maintaining oversight of the program still answers for gaps found during an investigation.
Why Ownership Carries HIPAA Responsibility Regardless of Delegation
The Office for Civil Rights holds the practice, not the individual staff member who made an error, accountable for a HIPAA violation in most circumstances. A small practice owner who assumes that hiring a compliance-minded office manager transfers legal responsibility misunderstands how enforcement works. The owner’s name is on the practice license, the Business Associate Agreements, and the corrective action plan that follows a settlement. Delegating tasks is appropriate and common in a small practice, but delegating tasks differs from delegating accountability.
Delegating Tasks While Retaining Accountability
An owner can assign the HIPAA Security Risk Analysis, policy drafting, and training tracking to a Practice Administrator, office manager, or outside consultant. What the owner cannot do is stop asking whether those tasks are actually complete. A short recurring check-in, where the owner asks for the date of the last risk analysis, the status of staff training, and any open items from a prior review, keeps the owner informed without requiring the owner to perform the compliance work directly.
Understanding the Practice’s Compliance Obligations
A small practice that qualifies as a HIPAA covered entity must comply with the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule regardless of its size or patient volume. Ownership size does not reduce the scope of these obligations, though it does affect how much internal staff capacity exists to manage them. A solo practitioner and a ten-provider group practice face the same regulatory requirements, applied to different scales of operation.
HIPAA Security Risk Analysis as the Starting Point
Every compliance program traces back to the HIPAA Security Risk Analysis, which identifies where patient data exists across the practice and what safeguards protect it. An owner reviewing this document, even without technical expertise to conduct it personally, should be able to confirm its completion date, who performed it, and what remediation items came out of it. A risk analysis older than a year, or one that has never accounted for a new system the practice adopted, represents an open gap an owner should ask about directly.
Business Associate Agreements as an Ownership Blind Spot
A practice’s list of vendors often grows over time without a corresponding update to its Business Associate Agreements. Billing services, scheduling platforms, cloud storage providers, and IT support contractors all typically require a signed agreement before they can access patient data. An owner who has not personally reviewed the full vendor list against the practice’s signed agreements may be unaware of a gap that has existed for years, since this area of compliance rarely surfaces in daily operations until an incident forces a review.
Financial Exposure from Noncompliance
Penalties for HIPAA violations scale according to the nature of the violation, the practice’s prior compliance history, and how quickly the practice corrects the issue once identified. A small practice’s fine exposure is not proportional to its size relative to a large hospital system. A missing risk analysis or an unsigned Business Associate Agreement produces the same underlying violation whether the practice has two providers or two hundred, and the resulting fine can affect a small practice’s finances more severely given its smaller revenue base.
Comparing Fine Exposure to Program Cost
An owner weighing whether to invest in a structured compliance program benefits from comparing the ongoing cost of maintaining that program against the potential cost of a single enforcement action. A documented, functioning program does not prevent every breach, since no security measure eliminates risk entirely. It does affect how an investigation resolves once a breach or complaint occurs, because a practice that can show good-faith compliance efforts is treated differently than one that cannot produce basic documentation.
Compliance Elements an Owner Should Confirm Are in Place
- A current HIPAA Security Risk Analysis with a documented completion date
- Written policies covering the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule
- Signed Business Associate Agreements for every vendor handling patient data
- Staff training records showing completion dates for all current employees
- A designated Privacy Officer and Security Officer, even if the same person holds both roles
Choosing How to Run the Program
A small practice owner generally chooses among three approaches to managing HIPAA compliance: handling it internally with existing staff and generic templates, engaging an outside consultant for periodic review, or adopting dedicated software built specifically to generate and maintain the program. Each approach carries different tradeoffs in cost, staff time, and how current the program stays between reviews.
Templates, Consultants, or Dedicated Software
Generic templates require the practice to interpret and apply generalized language to its own operations, a task that consumes staff time and introduces the risk of a mismatch between the template and the practice’s actual environment. A consultant provides expertise at a point in time, but the resulting program reflects conditions as they existed during that engagement and requires a new engagement to stay current. Software designed for HIPAA compliance management generates a program specific to the practice and updates it as regulatory requirements change, reducing the ongoing burden on the owner and staff to manually track changes.
Staying Current with Regulatory Change
HIPAA requirements change through new rules, updated guidance, and shifting enforcement priorities from the Office for Civil Rights. An owner does not need to track every regulatory development personally, but should confirm that whoever manages the practice’s compliance program has a process for identifying and applying relevant changes.
Monitoring Updates to the HIPAA Rules
Proposed and finalized changes to the HIPAA Privacy Rule, Security Rule, and related regulations occur on an ongoing basis, and a practice’s policies need to reflect the current version of each rule rather than the version in effect when the policies were first written. An owner asking how the practice tracks these changes, and confirming that a documented review occurs when a rule changes, closes a gap that a static, one-time policy library cannot address on its own.
Oversight Without Micromanagement
An owner does not need to review every training record or read every policy line by line to maintain effective oversight. A structured reporting cadence, where the person managing compliance provides the owner with a short status update on a fixed schedule, gives the owner visibility into the program’s health without requiring direct involvement in daily compliance tasks.
Reviewing the Program on a Set Schedule
A quarterly or semi-annual review meeting, where the owner asks about the status of the risk analysis, training completion rates, outstanding Business Associate Agreements, and any incidents logged since the last review, keeps the owner informed at a sustainable level of involvement. This cadence also creates a documented history showing the owner exercised active oversight of the program, which matters if the practice’s compliance efforts are later scrutinized.
Enforcing Consequences for Noncompliance
An owner’s oversight includes confirming that the practice’s sanctions policy is applied consistently when staff violate HIPAA policies, rather than existing only as a document in the policy library. A sanctions policy that has never been invoked, in a practice that has operated for years, may indicate either an unusually compliant workforce or a pattern of violations handled informally without documentation. An owner asking whether the sanctions policy has ever been applied, and reviewing the record if it has, gains insight into whether the policy functions as written.
Preparing for an Investigation or Breach
When a breach occurs or a patient files a complaint with the Office for Civil Rights, the resulting review of HIPAA violation cases shows that documentation, not intention, determines how the investigation resolves. An owner who has maintained oversight of a current, documented program enters that process with evidence the practice acted in good faith. An owner who cannot produce basic documentation, regardless of how the practice actually operated day to day, faces a more difficult path through the same investigation.
The Owner’s Role During an Active Investigation
During an active investigation, the owner typically serves as the practice’s primary point of contact and decision-maker, even when a Privacy Officer or outside counsel manages the technical response. An owner familiar with the practice’s own compliance documentation, rather than encountering it for the first time during the investigation, responds to the process more effectively and avoids delays caused by scrambling to locate records that should have been maintained on an ongoing basis.
The post Small Practice Owners Guide to HIPAA Compliance Programs appeared first on The HIPAA Journal.
North Los Angeles County Regional Center Notifies Individuals About November 2024 Ransomware Attack – The HIPAA Journal
North Los Angeles County Regional Center Notifies Individuals About November 2024 Ransomware Attack
North Los Angeles County Regional Center has started mailing notification letters to individuals affected by a November 2024 ransomware attack, and Midland Care Connection in Kansas has announced a March 2026 hacking incident.
North Los Angeles County Regional Center
North Los Angeles County Regional Center has started notifying individuals about a cybersecurity incident and data breach that was first identified 17 months ago on November 28, 2024. Suspicious activity was identified within its computer network, and the forensic investigation confirmed unauthorized access from November 20, 2024, to December 1, 2024.
North Los Angeles County Regional Center determined that sensitive data was exfiltrated from its systems before ransomware was used to encrypt files. The files exfiltrated from its systems included names, addresses, dates of birth, telephone numbers, Social Security numbers, passport numbers, driver’s license or other state-issued ID numbers, U.S. federal issued ID numbers, email addresses, usernames/passwords, financial account information, payment card information, health plan information, CI and patient ID numbers, medical record numbers, lab results, medications, physical and/or mental conditions, diagnosis and/or treatment information, prescription or medication information, treatment cost information, disability codes, certificate/license numbers, and certain other medical and health insurance-related information.
North Los Angeles County Regional Center said it first announced the incident on its website on January 6, 2025, to allow individuals to take steps to protect themselves against data misuse; however, it has taken time to review the affected data to allow notification letters to be issued. North Los Angeles County Regional Center said it implemented additional technical security measures shortly after the attack and is continuing to work with data security experts to further enhance the security of its systems. The Medusa ransomware group claimed responsibility for the attack, in which more than 600 gigabytes of data was allegedly stolen.
The incident is shown on the HHS’ Office for Civil Rights website as affecting 500 individuals. That is a placeholder figure, as the breach was reported to OCR on January 6, 2025, well before the investigation had concluded. The total should be updated in the coming days, now that the data review has concluded.
Midland Care Connection
Midland Care Connection Inc., a Topeka, Kansas-based non-profit provider of patient care, hospice, and community health support services, has experienced a cybersecurity incident that may have resulted in the theft of sensitive data. Suspicious network activity was identified on March 31, 2026, and legal counsel and third-party digital forensics experts were engaged to investigate the activity. They confirmed network access by an unauthorized third party starting on March 30, 2026, and initiated a data review to determine the individuals affected and the types of information. The data review was completed on June 12, 2026.
The affected information varied from individual to individual and may have included names, birth dates, medical treatment information, medical health information, health insurance information, financial account information, and, for certain individuals, Social Security numbers. Data privacy and security policies have been reviewed and enhanced to reduce the risk of similar incidents in the future, and the affected individuals have been notified by mail and offered 12 months of complimentary single-bureau credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
The post North Los Angeles County Regional Center Notifies Individuals About November 2024 Ransomware Attack appeared first on The HIPAA Journal.