Navia Benefit Solutions Discloses Data Breach Affecting 2.7 Million Individuals
Over a three-week period between December 2025 and January 2026, hackers had access to the network of a Washington-based employee benefits administrator and potentially acquired the data of almost 2.7 million current and former participants and their dependents.
Renton, WA-based Navia Benefit Solutions, Inc., provides employee benefits administration services, including Health Care Flexible Spending Accounts and COBRA benefits. The company works with employers to manage tax-advantaged healthcare and dependent care accounts, and as such, maintains large amounts of employee data. The company has more than 10,000 clients nationwide and more than 1 million participants. The intrusion was identified on or around January 15, 2026, and the forensic investigation confirmed that its computer environment was subject to unauthorized access from December 22, 2025, to January 15, 2026. According to the breach notice provided to the Maine Attorney General, 2,697,540 individuals have been affected.
Navia Benefit Solutions uploaded a substitute breach notice to its website on March 13, 2026, and individual notification letters started to be mailed to the affected individuals on March 18, 2026. Data potentially compromised in the incident included names, email addresses, phone numbers, and Social Security numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.
Navia Benefit Solutions said it moved quickly to respond to the incident and secure its systems, and an investigation was launched to determine the nature and scope of the incident. Federal law enforcement was notified, and the company has been working to implement additional security measures and provide its employees with additional training to prevent similar incidents in the future. Navia Benefit Solutions did not disclose whether this was a ransomware attack or if it received a ransom demand. No ransomware group has claimed responsibility for the incident.
The data breach is a reportable incident under HIPAA. The Department of Health and Human Services has been notified, and a media notice has also been issued, in compliance with the HIPAA Breach Notification Rule. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal. While it is unclear how many clients have been affected, the Washington State Health Care Authority is one of the affected clients. Navia Benefit Solutions contracted with the Washington State Health Care Authority as the administrator of its Flexible Spending Arrangement (FSA) and Dependent Care Assistance Program (DCAP) for the PEBB and SEBB Programs.
Washington State Health Care Authority, which manages Medicaid in the state, has published its own substitute breach notice. The notice confirms that records going back seven years were compromised in the incident, which relate to approximately 27,000 current and former PEBB members, 5,600 current and former SEBB members, and 3,000 current and former Compacts of Free Association (COFA) islander members. In addition, 37 school districts that contracted with Navia before the SEBB Program was implemented in January 2020 have also been notified that some of their data was potentially compromised in the incident. The impacted data includes first and last names, Navia ID numbers, addresses, phone numbers, email addresses, enrollment start and end dates, employee IDs, Social Security numbers, and dates of birth.
The post Navia Benefit Solutions Discloses Data Breach Affecting 2.7 Million Individuals appeared first on The HIPAA Journal.
Essen Medical Associates Agree to $4 Million Settlement to Resolve Class Action Data Breach Lawsuit
Essen Medical Associates has agreed to pay $4,000,000 to resolve class action litigation over a March 2023 cyberattack and data breach that affected 904,672 current and former patients. Essen Medical, a New York-based healthcare provider, experienced a cyberattack that saw hackers access its network between March 14, 2023, and March 22, 2023.
Data exposed in the incident included personally identifiable information and protected health information such as names, driver’s license numbers/state identification numbers, U.S. alien registration numbers, non-U.S. identification numbers, passport numbers, financial account information, dates of birth, Social Security numbers, medical treatment information, and health insurance information.
The data breach sparked several class action lawsuits, which were consolidated as Rivera, et al. v. Essen Medical Associates, P.C., in the Supreme Court of the State of New York, County of Bronx. The consolidated lawsuit alleged that the cyberattack was preventable and was the result of the defendant’s failure to implement adequate and appropriate cybersecurity procedures and protocols. The lawsuit claimed that the defendants recklessly maintained data on systems vulnerable to cyberattacks.
The lawsuit asserted claims for negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violation of the New York Deceptive Trade Practices Act. Essen Medical denies all charges of wrongdoing or liability, and all claims or contentions alleged against it. All parties agreed that a settlement was the best outcome, and class counsel and the six class representatives believe that the settlement is fair. The settlement has recently received preliminary approval from the court and awaits final approval.
Under the terms of the settlement, Essen Medical will establish a $4,000,000 settlement fund to cover attorneys’ fees and expenses, service awards for the class representatives, and all costs related to the settlement. The attorneys’ fees will be no more than 33.33% of the settlement fund, and the service awards will be no more than $3,000 per class representative. The remainder of the fund will be used to pay for class member benefits.
Class members may submit a claim for documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. In addition, a claim may be submitted for a cash payment of up to $100 per class member. The deadline for objecting to or opting out of the settlement is May 4, 2026. Claims must be submitted by June 1, 2026, and the final fairness hearing has been scheduled for July 7, 2026.
FDA Issues Recall Notice for GE HealthCare Centricity Universal Viewer
A class 2 recall has been issued by the U.S. Food and Drug Administration (FDA) for certain GE HealthCare Centricity medical imaging products due to a vulnerability that could potentially be exploited by an unauthorized individual to manipulate data or impact system availability. Centricity Universal Viewer is a device that displays medical images such as mammograms and data from various imaging sources. The vulnerability affects the following Centricity Universal Viewer software versions:
- Versions 5.0 SP6 through UV 5.0 SP7.1
- Versions 6.0 through 6.0 Sp10.4.1
- Versions 7.0 through 7.0 Sp2.0.1
The recall is classified as class 2 because the vulnerability may cause temporary or medically reversible adverse health consequences, while the probability of serious adverse health consequences is remote. The vulnerability is due to user login credentials being exposed on the local client workstation. An unauthorized individual who obtained those credentials could potentially impact system availability and/or manipulate data; however, the potential for exploitation is limited, as direct physical access to the local workstation is required.
There have been no known cases of exploitation of the vulnerability nor any known unauthorized access to patient data, according to GE HealthCare. The vulnerability was discovered by GE HealthCare during routine testing, and the company is working on a permanent fix. GE HealthCare has issued instructions for customers to follow so that they can continue using their devices until the fix is released.
According to the FDA’s recall notice, in order to continue using the affected products, users must ensure that the appropriate security controls are implemented, as stated in the product manuals. Network account authentication should be implemented by using Active Directory/LDAP services for user management. If network authentication is not possible, users should contact GE HealthCare to request temporary steps to mitigate the issue.
Final Rule Implementing HIPAA Security Rule Updates Edges Closer
The HIPAA Security Rule update proposed by OCR in the final days of the Biden administration is only two months away from a final rule, should OCR stick to the proposed timescale for release. OCR has yet to confirm when a final rule will be released or if the proposed rule will actually progress to a final rule.
OCR issued its Notice of Proposed Rulemaking (NPRM) on December 27, 2024, to strengthen cybersecurity protections for electronic protected health information (ePHI). The proposed update, the first significant update to the HIPAA Security Rule in more than two decades, introduced significant new security requirements to ensure the confidentiality, integrity, and availability of ePHI, taking into account changes to business practices and technology since the original rule was enacted.
Several months earlier, in January 2024, OCR published its voluntary Health Care and Public Health Cybersecurity Performance Goals (HPH CPGs): two sets of voluntary goals (essential and enhanced) that HPH sector organizations were encouraged to adopt to improve resilience to cyber threats and ensure the fastest possible recovery in the event of a successful cyber incident. Both sets of goals consisted of high-impact measures for quickly improving resilience.
The HPH CPGs were the first step in the HHS’s Healthcare Sector Cybersecurity strategy concept paper, published in December 2023. The second step was the provision of incentives to encourage adoption of the HPH CPGs. HHS said at the time that it would work with Congress to establish an upfront investment program to help low-resource healthcare providers adopt the essential goals and an incentives program to encourage the adoption of the enhanced goals. Those programs are key to improving adoption of the HPH CPGs, especially at low-resource hospitals that simply do not have the necessary funds to make significant improvements to cybersecurity.
The voluntary goals were welcomed by HIPAA-regulated entities and industry groups, but they were only a starting point, and OCR explained that the goals would inform future rulemaking. Initially, the measures would be voluntary, but further rulemaking would make some of the cybersecurity requirements mandatory, which is what happened with the proposed HIPAA Security Rule update.
The HIPAA Security Rule update was poorly received by HIPAA-regulated entities and industry groups and attracted considerable criticism. A coalition of more than 100 hospital systems and provider associations called for the HHS to withdraw the proposed updates to the HIPAA Security Rule, which they said “runs counter to President Trump’s robust deregulatory agenda.”
In its proposed form, the Security Rule update was criticized for placing substantial new financial burdens on HIPAA-regulated entities and for setting an unreasonable timeline for implementation. Instead, the authoring healthcare providers and industry groups called for “a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”
During a session at the recent HIMSS conference in Las Vegas, OCR Director Paula M. Stannard said OCR had received more than 4,700 comments in response to the NPRM and is still parsing those comments. Stannard did not confirm whether the proposed Security Rule update will progress to a final rule on OCR’s schedule, or whether it will progress to a final rule at all. “After we review the comments, the Trump administration may have a different view on the burdens and benefits of some of the proposed changes,” Stannard said.
Stannard did state that the core requirements of the proposed rule are sound cybersecurity best practices for healthcare organizations. She also acknowledged the criticisms of the proposed rule. Rather than viewing the requirements of the proposed rule as inflexible and costly to implement, Stannard suggested looking at things differently, as “there is a high cost of doing nothing.” The proposed changes, if implemented correctly, will improve resilience to cyber threats and reduce the likelihood of costly breaches.
“A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals, and not to mention my investigators coming and knocking on your door and asking for information and talking about penalties,” Stannard said.
It remains to be seen whether the Trump administration will view the benefits of the proposed rule as worth the short-term financial and administrative pain of implementation. Based on the feedback received, the proposed rule could be slimmed down to reduce the compliance burden, although doing so would water down the protections. If the final rule is released, OCR could ease the burden on HIPAA-regulated entities by extending the compliance deadline beyond the standard 180 days following publication in the Federal Register.
Even if the proposed rule does not make it to a final rule, Stannard said there have already been benefits from the proposed rule. “The proposal to modify the Security Rule, I think, helped put a spotlight on information security in the healthcare system and drew attention to the need for better compliance and to take cybersecurity seriously. And that alone is an advantage.”