HIPAA Security Rule Update Delayed Until 2027 – Clark Hill
Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack – The HIPAA Journal
California Gay & Lesbian Services Center Data Breach Affects 75,500 Individuals – The HIPAA Journal
Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack
A settlement has been agreed to resolve a class action lawsuit against the Pinehurst, North Carolina-based molecular, cytology, and pathology service provider Marlboro-Chesterfield Pathology, P.C. The lawsuit was filed in response to a January 2025 ransomware attack by the SafePay ransomware group.
Unauthorized network access was identified on January 16, 2025, and the forensic investigation confirmed that 235,911 individuals had their data compromised in the attack, including their names, dates of birth, Social Security numbers, and protected health information. The affected individuals were notified about the incident on or around May 7, 2025.
A class action lawsuit – Cox v. Marlboro-Chesterfield Pathology, P.C – was filed in the County of Moor Superior Court by plaintiff Cox, individually and on behalf of similarly affected individuals. Plaintiff Cox alleged that her personal and protected health information was in the hands of cybercriminals as a result of the attack, and that the ransomware attack occurred as a result of the failure of Marlboro-Chesterfield Pathology to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network.
Marlboro-Chesterfield Pathology maintains there was no wrongdoing and disagrees with the claims and contentions in the lawsuit, including claims of fault and liability, and plaintiff Cox believes her claims are valid. After arms-length negotiations, and after the parties considered the costs and risks associated with continuing with the litigation, they entered into settlement discussions, and the material terms of a settlement were agreed on November 21, 2025.
The settlement has now been finalized and has received preliminary approval from the court. The defendant has agreed to pay attorneys’ fees and expenses, settlement administration and notice costs, and a service award for the class representative. Attorneys’ fees and costs have been capped at $100,000.
Class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member. Individuals who had their Social Security numbers compromised in the incident may submit a claim for an alternative cash payment of $10, should they choose not to submit a claim for reimbursement of losses.
All individuals, regardless of whether they submit a claim for reimbursement of losses or the cash payment, are entitled to a one-year membership to a credit monitoring and identity theft protection service, which includes a $1 million identity theft insurance policy. The deadline for objection, opting out, and submitting a claim is August 21, 2026. The final fairness hearing has been scheduled for October 12, 2026.
The post Marlboro-Chesterfield Pathology Agrees to Settle Lawsuit Over 2025 Ransomware Attack appeared first on The HIPAA Journal.
California Gay & Lesbian Services Center Data Breach Affects 75,500 Individuals
Gay & Lesbian Community Services Center of Orange County, California, a provider of mental health, HIV testing, education and outreach, has identified unauthorized access to its network and the exposure of the personal and protected health information of up to 75,532 individuals.
Suspicious network activity was identified on or around December 26, 2025, and third-party cybersecurity experts were engaged to investigate the incident. They confirmed that there had been unauthorized access to the network from December 25 to December 26, 2025, and files containing sensitive information may have been viewed or acquired.
The review of the impacted data was completed on May 6, 2026, when it was confirmed that the following types of information were stored on the compromised parts of the network: full names, dates of birth, Social Security numbers, diagnosis information, prescription information, medical histories and treatment information, medical record numbers, health insurance information, driver’s license numbers, government identification numbers, state identification numbers, passport numbers, taxpayer identification numbers, financial account information, biometric identifiers, financial account information, and payment card information. The types of information involved varied from individual to individual.
Gay & Lesbian Community Services Center of Orange County said it is committed to maintaining the privacy of personal information in its possession and continually evaluates and modifies its security practices to enhance data privacy and security. The affected individuals have been advised to remain vigilant and monitor their account statements and free credit reports for suspicious activity. The website breach notice makes no mention of free credit monitoring or identity theft protection services.
Alta Orthopaedics
Alta Orthopaedics, a Santa Barbara, CA-based orthopedics practice with six locations in Santa Barbara, Santa Maria, Solvang, and Oxnard, has started mailing notification letters to patients affected by a recent security incident.
On March 10, 2026, the practice identified suspicious activity within its computer network. The forensic investigation determined that there had been unauthorized access to certain information on its network between February 3, 2026, and February 6, 2026. The review of the exposed files confirmed that they contained personal and protected health information such as names, addresses, phone numbers, Social Security numbers, driver’s license/state ID numbers, birth dates, billing codes, dates of service, reasons for visits, treatment costs, provider names, diagnoses, treatment information, clinical information, treatment location, medical record numbers, patient account numbers, and health insurance information.
The incident was reported to law enforcement, policies and procedures related to data privacy and security have been reviewed, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Regulators have been notified; however, the number of affected individuals has yet to be publicly disclosed.
Lake Region Healthcare
Lake Region Healthcare, a nonprofit rural health system based in Fergus Falls, Minnesota, has notified individuals affected by a recent cybersecurity incident. Unauthorized access to its network was first identified on May 19, 2025. Law enforcement was notified, and an investigation was launched to determine the nature and scope of the unauthorized activity.
No evidence was found to indicate any unauthorized access to electronic medical records; however, files containing patient information may have been viewed or acquired on or around May 19, 2025. It has taken more than a year to review the affected data. That process was completed on June 5, 2026, when it was confirmed that names were exposed, along with one or more of the following: date of birth, Social Security number, medical record number, patient account number, health insurance information, contact information, medical and/or treatment information, government-issued identification, and/or financial information.
Lake Region Healthcare said it is unaware of any actual or attempted misuse of that data; however, as a precaution, the affected individuals have been offered complimentary identity theft protection services. The scale of the breach has yet to be publicly disclosed, although according to notifications to state attorneys general, 294 Texas residents and 20 Massachusetts residents are among the affected individuals.
The post California Gay & Lesbian Services Center Data Breach Affects 75,500 Individuals appeared first on The HIPAA Journal.
Feds push back HIPAA security rule overhaul to July 2027 – Fierce Healthcare
Study of Healthcare Websites Shows Widespread and Risky Use of Tracking and Analytics Tools – The HIPAA Journal
Study of Healthcare Websites Shows Widespread and Risky Use of Tracking and Analytics Tools
A recent analysis of healthcare websites has revealed that the majority use marketing and analytics tools that could potentially disclose sensitive data to third parties. The study was jointly conducted by Piwik PRO, a privacy-first web analytics platform provider, and Verified Data, an automated audit platform that helps organizations verify analytics accuracy, data quality, and privacy compliance.
Healthcare organizations have faced increased scrutiny of their use of website tracking and analytics tools in recent years, after studies revealed these tools were being routinely used on healthcare websites, in some cases on authenticated pages, and were disclosing sensitive data to third parties. These tools collect and transmit information to third parties about website use, which may include protected health information – personally identifiable health information that HIPAA requires regulated entities to protect. Major HIPAA breaches have been reported to the HHS’ Office for Civil Rights (OCR) related to these tools, including by Advocate Aurora Health, Kaiser Permanente, Novant Health, and Atrium Health.
Patients are increasingly taking legal action over the use of these tools by healthcare providers. Over the past two years, dozens of lawsuits have resulted in settlements to resolve alleged privacy violations. Piwik PRO reports that more than $100 million was paid out in settlements between 2023 and 2025 to resolve healthcare privacy violations due to tracking and analytics tools such as Meta Pixel, Google Analytics, and Microsoft Advertising code.
The Piwik PRO/Verified Data study findings are published in the healthcare website tracking report, Are healthcare companies one audit away from a compliance crisis? The study involved scans of 59 websites of major U.S. hospitals and clinics to assess tracking, consent, and data compliance. The study did not investigate whether protected health information was being disclosed to third parties; rather, it looked for the presence of and behavior of tracking scripts, cookies, advertising pixels, and consent systems.
Concerningly, almost three-quarters (73%) of scanned healthcare websites had active advertising or marketing trackers, even when the Global Privacy Control (GPC) opt-out signal was running. GPC is a browser-based signal that communicates the user’s preference to opt out of the sale or sharing of their personal data to website operators. More than two-thirds of sites (69%) used marketing or advertising cookies, which strongly suggests that data is routed to third-party platforms. The narrow spread between the tracking figure and cookie figure suggests some trackers are likely operating without cookies, which means cookie blocking would not fully prevent exposure. The researchers identified 75 unique tracking tools across the 59 scanned sites, including Google Analytics, Meta Pixel, Microsoft Advertising and session replay technologies.
Over the years, The HIPAA Journal has observed improved education about HIPAA, with patients now having a much better understanding of what HIPAA protects, what it does not, and the rights HIPAA gives them. Patients expect privacy when they visit their healthcare providers, and those expectations extend to their providers’ digital presence. When they visit a healthcare website and search for information about sensitive health matters, book appointments, or disclose their information in forms, they expect that information to be kept private and not be disclosed to third parties such as social media companies and advertising networks, yet these tools have been doing that for years.
“This isn’t a story about reckless marketers or bad intentions. Healthcare organizations often inherit their analytics setup rather than actively choose it. Google Analytics became the default for many because it was free, established, and widely understood. The challenge today is scope creep. What began as website analytics has evolved into broader behavioral ad targeting platforms,” explained Magdalena Pawlitko, Head of Global Sales at Piwik PRO. “In regulated sectors such as healthcare, that creates greater compliance risk and requires much closer scrutiny of how data gathering tools are configured and governed.”
The problem for healthcare providers is that these tools provide important and useful features. While there are regulations governing the use of these tools, healthcare providers do not have to call a halt to their digital marketing campaigns, but they do need to assess their strategy and ensure that they have the right infrastructure in place to ensure compliance and protect patient privacy.
“Patients expect that their health-related behavior stays private when they visit a hospital website. “Meeting that expectation is entirely possible with the right setup – and organizations that get there aren’t just reducing their legal risk. They’re building something more valuable: a digital presence their patients can actually trust. said Brian Clifton, founder of Verified Data and digital analytics and privacy expert.
If not done so already, the researchers recommend that healthcare organizations conduct an audit of their current tracking setup, ensure that advertising pixels on web pages that are PHI-adjacent are removed, that they enforce opt-out signals at the tag management layer, replace non-compliant analytics with a purpose-built platform, and ensure they have compliant infrastructure in place. In addition, the researchers recommend making compliance a standing requirement, rather than a one-off review, ensuring that all compliance-related decisions are fully documented.
The post Study of Healthcare Websites Shows Widespread and Risky Use of Tracking and Analytics Tools appeared first on The HIPAA Journal.