HSCC Issues Guidance for Healthcare Organizations on Managing Third Party AI Risks
The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group has issued a guidance document for healthcare organizations on managing third-party AI and AI-related supply chain risks. Healthcare organizations are increasingly reliant on AI-powered third-party tools and services, such as natural language processing engines embedded in electronic health records and AI-powered remote monitoring devices. These products provide critical functions for healthcare organizations, yet they introduce complex cybersecurity challenges that traditional risk management tools and models struggle to address.
Managing this risk is difficult because the AI tools are supplied by third-party vendors whose security postures, governance practices, and model integrity are hard to verify. Further, healthcare organizations often lack visibility into the full scope of the AI components incorporated into third-party products and services, which are frequently sourced through layered supply chains that include subcontractors, offshore development, and open source assets, as HSCC co-leads Ed Gaudet of Censinet and Samantha Jacques of McLaren Health explain.
The HSCC Cybersecurity Working Group developed the 109-page guide – Health Industry Third Party AI Risk and Supply Chain Transparency Guide – to help healthcare organizations understand and manage third-party AI supply chain risks. The guide draws from established cybersecurity frameworks such as the NIST AI Risk Management Framework and the joint HSCC-HHS Health Industry Cybersecurity Practices (HICP), and adapts cybersecurity best practices to reflect the modern realities of AI supply chains in healthcare. It was developed to meet the needs of organizations of all sizes, regardless of their level of AI adoption, and can be followed in its entirety or adopted selectively, with organizations taking the parts that fit their needs. The guide will help them define accountability expectations and drive performance standards across their extended AI ecosystem.
The guide provides risk managers, compliance teams, and procurement officers with scalable tools to identify and manage AI-specific risks such as hidden dependencies and cascading failure points, and address the growing gaps in discovery and disclosure processes that make AI supply chain risk so challenging to manage. HSCC encourages healthcare organizations to distribute the guidance to senior business and technical leaders and their teams, recommending that they incorporate the best practices in the guide and evaluate their own third-party and supply chain risk management practices against the best practices outlined in the document. In addition to the guide, HSCC has published a living AI Cyber Glossary reference document for establishing consistent governance-ready definitions for artificial intelligence terminology for the healthcare sector. The AI Cyber Glossary is intended to serve as the terminological foundation for all current and future HSCC AI Task Group guidance materials.
The post HSCC Issues Guidance for Healthcare Organizations on Managing Third Party AI Risks appeared first on The HIPAA Journal.
Anne Arundel Dermatology Pays $2.4M to Settle Data Breach Lawsuit
Anne Arundel Dermatology has agreed to pay $2,400,000 to settle a consolidated class action lawsuit stemming from a cybersecurity incident involving unauthorized access to its network for three months in 2025. Anne Arundel Dermatology identified suspicious activity within its computer network on May 13, 2025. The forensic investigation confirmed that an unauthorized third party had access to its network between February 14, 2025, and May 13, 2025. It was not possible to determine if patient data was accessed or exfiltrated in the attack, so notification letters were sent to 1,905,000 current and former patients who may have been affected. Information potentially compromised included names, addresses, birth dates, medical information, health insurance information, and other personal information.
Many class action lawsuits were filed in response to the data breach. Due to the lawsuits having overlapping claims, the 21 lawsuits were consolidated into a single action – In Re Anne Arundel Data Breach Litigation – in the U.S. District Court for the District of Maryland. The consolidated lawsuit alleged that Anne Arundel Dermatology negligently maintained sensitive data and failed to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims for negligence, breach of contract, breach of fiduciary duty, unjust enrichment, and intentional invasion of privacy, all of which were denied by the defendant, along with claims of wrongdoing, fault, and liability.
Class counsel explored the opportunity for an early resolution of the litigation, and following mediation, the material terms of a settlement were agreed upon. The settlement has now been finalized and has received preliminary approval from the court. The final fairness hearing has been scheduled for July 16, 2026. Anne Arundel Dermatology has agreed to establish a $2.4 million settlement fund, from which attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives will be deducted. The remainder of the settlement fund will be used to pay for benefits for the class members.
Class members are entitled to claim a 3-year membership to the CyEx Medical Shield Complete product, which provides medical data monitoring, plus one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or an alternative pro rata cash payment may be claimed, which is estimated at $100 but may be higher or lower depending on the number of valid claims received. The deadline for opting out or objecting is June 9, 2026, and claims must be submitted by July 8, 2026.
Ransomware Attack on Cookeville Regional Medical Center Affected 338K Individuals
Cookeville Regional Medical Center in Cookeville, Tennessee, has recently confirmed that a 2025 ransomware attack exposed the personal and protected health information of 337,917 individuals. Cookeville Regional Medical Center identified the ransomware attack on July 14, 2025, and immediately took action to prevent further unauthorized access to its network. The forensic investigation determined that the ransomware group had access to its computer network between July 11, 2025, and July 14, 2025.
Cookeville Regional Medical Center announced the attack promptly, and within a couple of months, once it was confirmed that personal and protected health information had been exposed, it issued a further announcement warning patients about potential data theft. The data breach was reported to the HHS' Office for Civil Rights in August 2025 using a placeholder figure of 500 individuals, as the review of all of the exposed data took several months to complete.
On March 16, 2026, the file review was completed, and Cookeville Regional Medical Center obtained the full list of affected individuals. Up-to-date contact information was obtained, and notification letters are now being sent. The types of information exposed in the incident vary from individual to individual, and may include names in combination with some or all of the following: address, date of birth, Social Security number, driver's license number, financial account number, medical treatment information, medical record number, and/or health insurance policy information.
The affected individuals have been advised to remain vigilant against misuse of their information and should check their accounts and explanation of benefits statements carefully. While no evidence has been found to indicate misuse of the compromised data, Cookeville Regional Medical Center has offered the affected individuals complimentary credit monitoring and identity theft protection services for 12 months, and additional technical security measures have been implemented to prevent similar incidents in the future.
The Rhysida ransomware group claimed responsibility for the attack and added Cookeville Regional Medical Center to its dark web data leak site. Rhysida claims to have exfiltrated 538 gigabytes of data in the attack and has published the data that it has been unable to sell. The data leak site indicates 70% of the data has been leaked, which suggests that the group found a buyer for 30% of the data.