HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital
An audit of a large Southeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) identified security weaknesses in internet-facing applications, which could potentially be exploited by threat actors for initial access. Similar security weaknesses are likely to exist at many U.S. hospitals. The aim of the audit was to assess whether the hospital had implemented adequate cybersecurity controls to prevent and detect cyberattacks, if processes were in place to ensure the continuity of care in the event of a cyberattack, and whether sufficient measures had been implemented to protect Medicare enrollee data.
The audited hospital had more than 300 beds and was part of a network of providers who share patients’ protected health information for treatment, payment, and healthcare operations. The hospital had adopted the HITRUST Common Security Framework (CSF) version 9.4 as its main cybersecurity framework, used that framework for regulatory compliance and risk management, and had implemented physical, technical, and administrative safeguards as required by the HIPAA Rules.
HHS-OIG reviewed the hospital’s policies and procedures to assess its cybersecurity practices concerning data protection, data loss prevention, network management, and incident response, and interviewed appropriate staff members to gain further cybersecurity and risk mitigation insights. HHS-OIG conducted penetration tests and external vulnerability assessments on four of the hospital’s internet-facing applications.
The hospital had implemented cybersecurity controls to protect Medicare enrollee data and ensure the continuity of care in the event of a cyberattack, and the cybersecurity controls detected most of HHS-OIG’s simulated cyberattacks; however, weaknesses were found that allowed the HHS-OIG to capture login credentials and use them to access the account management web application, and a security weakness in its input validation controls allowed manipulation of the application.
HHS-OIG sent 2,171 phishing emails, but only the last 500 were blocked. A total of 108 users clicked the link in the email (6% click rate), and one user entered their login credentials in the HHS-OIG phishing website. The captured login credentials allowed HHS-OIG to access the account, although it did not appear to contain patient information. Once the web application was accessed, HHS-OIG was able to view the user’s devices associated with the account, as well as a list with options to deactivate multifactor authentication and add/remove devices from the account. If it were a real cyberattack, a threat actor could use the access for a more extensive compromise. HHS-OIG said strong user identification and authentication (UIA) controls for the account management web application had not been implemented; however, the click rate and login rate were relatively low, therefore, no recommendations were made regarding its anti-phishing controls.
Another internet-facing application was found to lack strong input validation controls, which made the application vulnerable to an injection attack. An attacker could inject malicious code into weak input fields, alter commands sent to the website, and access sensitive data or manipulate the system. While the hospital had conducted vulnerability scans and third-party penetration tests, the vulnerability failed to be identified. Further, the web application did not have a web application firewall for filtering, monitoring, and blocking malicious web traffic, such as injection attacks.
HHS-OIG made four recommendations: Implement strong user identification and authentication controls for the account management web application; periodically assess and update user identification and authentication controls across all systems; assess all web applications to determine if an automated technical solution, such as a web application firewall, is required; and utilize a wider array of testing tools for identifying vulnerabilities in applications, such as dynamic application testing tools, static application testing tools, and manual, interactive testing.
HHS-OIG did not name the audited hospital due to the risk that it could be targeted by threat actors. Further audits of this nature will be conducted on other healthcare providers to determine whether similar security issues exist and if there are any opportunities for the HHS to improve guidance and outreach to help hospitals improve their security controls.
“This report highlights the need for healthcare organizations to adapt their security programs to reflect a fundamental shift: sensitive data now resides not just in on-prem, internal apps, but also in web-based SaaS applications,” Russell Spitler, CEO of Nudge Security, told the HIPAA Journal. “Traditional network-focused security controls cannot adequately protect cloud applications where data flows across organizational boundaries. This makes identity security controls—particularly MFA and SSO—essential for protecting this dynamic attack surface.”
Spitler suggests “healthcare organizations should take a systematic approach that prioritizes comprehensive visibility and strong authentication controls across their entire application ecosystem.” Key steps recommended by Spitler include:
- Conducting a comprehensive inventory of all SaaS and web applications to understand the full picture of the organization’s attack surface
- Prioritizing MFA implementation for applications with privileged access or sensitive data, starting with internet-facing systems
- Deploying SSO solutions that can enforce MFA centrally while improving user experience and reducing password-related security risks
- Using conditional access policies that require MFA for any access from outside the corporate network or from unmanaged devices
- Regularly testing authentication controls through penetration testing and phishing simulations, as HHS OIG did in this audit
The post HHS-OIG Identifies Web Application Security Weaknesses at Large U.S. Hospital appeared first on The HIPAA Journal.
Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients – The HIPAA Journal
Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients
Data breaches have recently been announced by Central Ozarks Medical Center in Missouri, AdventHealth Daytona Beach in Florida, and the Middlesex Sheriff’s Office in Massachusetts.
Central Ozarks Medical Center, Missouri
Central Ozarks Medical Center (COMC), a Federally Qualified Health Center (FQHC) in mid-Missouri, has notified 11,818 individuals that some of their personal and protected health information was compromised in a criminal cyberattack. The substitute breach notice on the COMC website does not state when the cyberattack was detected or for how long its network was compromised, only that it was determined on or around November 10, 2025, that personally identifiable information and protected health information may have been subject to unauthorized access or acquisition.
The types of information compromised in the incident included names, dates of birth, Social Security numbers, financial account information, medical treatment information, and health insurance information. COMC has provided the affected individuals with information on steps they can take to reduce the risk of identity theft and fraud, and at least 12 months of complementary credit monitoring and identity theft protection services have been offered. COMC has confirmed that it has implemented a series of cybersecurity enhancements and will continue to augment those measures to better protect patient information.
Middlesex Sheriff’s Office, Massachusetts
The Middlesex Sheriff’s Office in Massachusetts has announced a January 2025 security breach that involved unauthorized access to individuals’ protected health information. The Sheriff’s Office launched an investigation to determine the extent and nature of the incident, and was assisted by the Federal Bureau of Investigation, the Massachusetts State Police, the Commonwealth Fusion Center, the Executive Office of Technology Services and Security, and two cybersecurity firms.
It took until November 19, 2025, to complete the review of the exposed files, when it was confirmed that they contained names, addresses, dates of birth, diagnoses, and/or other general health information. The Sheriff’s Office said it has not identified any misuse of the exposed information. The Middlesex Sheriff’s Office has implemented additional safeguards to prevent similar breaches in the future and has advised the affected individuals to review their bank statements and insurance records for signs of misuse. The data breach has been reported to the HHS’ Office for Civil Rights as affecting 501 individuals – a commonly used placeholder figure when the total number of affected individuals has not yet been confirmed.
AdventHealth Daytona Beach, Florida
AdventHealth Daytona Beach in Florida has notified 821 individuals about the loss of paperwork containing their protected health information. The loss of documentation was identified by its outpatient laboratory on November 25, 2025. Outpatient lab orders were determined to be missing for individuals who received outpatient services between September 1 and September 14, 2025.
AdventHealth Daytona Beach said the loss occurred during a departmental relocation from the first to the second floor. Construction activities were taking place to install a new tubing system, and the planned project location was changed by the construction workers, who accessed an area containing the lab orders without first notifying the laboratory team. The paperwork was discarded by the construction workers. AdventHealth Daytona Beach said no evidence was found to indicate the lab orders were or will be misused. The lab orders contained information such as names, addresses, dates of birth, telephone numbers, email addresses, diagnosis codes, health condition(s), and health insurance policy numbers.
The post Central Ozarks Medical Center Discloses Data Breach Affecting Almost 12,000 Patients appeared first on The HIPAA Journal.
Capital Health Data Breach Litigation Settled for $4.5M – The HIPAA Journal
Capital Health Data Breach Litigation Settled for $4.5M The HIPAA Journal
Capital Health Data Breach Litigation Settled for $4.5M
Capital Health has agreed to pay $4.5 million to settle a class action lawsuit stemming from a 2023 ransomware attack. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell Township – as well as many primary care clinics in New Jersey and Pennsylvania.
On or around November 26, 2023, Capital Health identified unauthorized activity within its computer systems. The forensic investigation confirmed that a criminal cyber actor had access to its network between November 11, 2023, and November 26, 2023, and used ransomware to encrypt files. The investigation determined that files containing patient data had been exposed and may have been stolen. The LockBit ransomware group claimed responsibility for the attack and said it exfiltrated 7 TB of data. LockBit threatened to publish the stolen data on January 9, 2024, if the ransom was not paid. It is unclear if any payment was made.
Capital Health’s investigation confirmed that the hackers potentially accessed patient data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and medical information. The data breach was reported to the HHS’ Office for Civil Rights as affecting 503,071 individuals. Capital Health announced the cyberattack in December 20223, and the first class action lawsuit over the attack was filed on December 19, 2023. Further class action lawsuits were filed by other affected patients, which were consolidated in May 2025 – Bruce Graycar, et al. v. Capital Health Systems, Inc. – in the United States District Court for the District of New Jersey, as the lawsuits had overlapping claims. The consolidated class action lawsuit alleged claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, declaratory judgment, and Violation of the New Jersey Consumer Fraud Act.
All parties discussed the option of settling the lawsuit, and a settlement was agreed upon by all parties, with no admission of liability, fault, or wrongdoing by Capital Health. Under the terms of the settlement, class members may submit claims for up to $5,000 per class member as reimbursement for documented, unreimbursed losses resulting from the data breach. Alternatively, class members may submit a claim for a cash payment, estimated to be $100 per class member. The cash payments may be increased or decreased, depending on the number of valid claims received. In addition to the cash payments, class members may also submit a claim for three years of credit monitoring services, valued at $90 per year.
Capital Health has also confirmed to class counsel that a range of additional security measures have been implemented and will be maintained to better protect patient data in the future. The deadline for objection to and opting out of the settlement is March 9, 2026. The deadline for submitting a claim is April 6, 2026, and the final fairness hearing has been scheduled for July 14, 2026.
The post Capital Health Data Breach Litigation Settled for $4.5M appeared first on The HIPAA Journal.
Gryphon Healthcare Agrees to Pay $2.87M to Settle Class Action Data Breach Lawsuit
Gryphon Healthcare, a Houston, TX-based revenue cycle, coding, compliance, consultancy, and management services vendor, faced multiple class action lawsuits over a July 2024 cyberattack involving a partner for which it provides billing services. Gryphon Healthcare learned about the incident in August 2024, and its investigation found that files may have been viewed or obtained. Those files contained the protected health information of 393,358 patients, including names, dates of birth, addresses, Social Security numbers, dates of service, diagnoses, medical treatment information, prescriptions, medical record numbers, and health insurance information.
On or around October 11, 2024, Gryphon Healthcare started sending notification letters to the affected individuals, and shortly thereafter, the first class action lawsuit was filed. A further eight lawsuits were subsequently filed, which were consolidated into a single complaint – Morris et al., v. Gryphon Healthcare, LLC – in the District Court for Harris County, Texas. The lawsuit asserted claims of negligence/negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, unjust enrichment, bailment, a failure to provide adequate notice pursuant to any breach notification statute or common law duty, and violations of state consumer protection laws.
While Gryphon Healthcare denies wrongdoing, fault, and liability for the cyberattack and data breach, after considering the cost and distraction of continuing the litigation and the uncertainty of trial, the decision was taken to settle. Under the terms of the settlement, Gryphon Healthcare will establish a $2,800,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the nine named plaintiffs. After those costs have been deducted, the remainder of the fund will be used to pay benefits to the class members.
Class members may choose one of two cash payments. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, they may choose to receive a cash payment, which is estimated to be $100, but may increase or decrease depending on the number of valid claims received. All class members who submit a valid claim are entitled to a two-year membership to an identity theft protection and medical data monitoring service, which includes a $1 million identity theft insurance policy. The deadline for objecting to the settlement and opting out is March 17, 2026. Claims must be submitted by April 16, 2026, and the final fairness hearing has been scheduled for August 31, 2026.
Nov 4, 2024: Gryphon Healthcare Facing Multiple Lawsuits Over 400,000-Record Data Breach
Gryphon Healthcare, a Houston, TX-based provider of revenue cycle management and medical billing services to healthcare providers, is facing multiple class action lawsuits over an August 2024 data breach that involved unauthorized access to the protected health information of almost 400,000 individuals. The compromised information included names, contact information, Social Security numbers, diagnosis and treatment information, health insurance information, and medical record numbers. The intrusion occurred via an unnamed IT service provider.
At least seven lawsuits have now been filed by individuals who were recently notified about the exposure of their protected health information. The plaintiffs allege that Gryphon Healthcare failed to implement reasonable and appropriate cybersecurity measures to protect the sensitive information it stored and also failed to monitor its network for unauthorized activity. The lawsuits assert that if appropriate defenses had been implemented and if industry standards had been adhered to, the data breach could have been prevented. Proper monitoring would have allowed the intrusion to be detected much more promptly.
The lawsuits make similar claims, including a violation of duties under common law, contract law, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Trade Commission (FTC) Act. The plaintiffs allege that the theft of their personal and protected health information has resulted in them suffering and continuing to suffer injuries, including financial harm due to the misuse of their information, lost time due to the detection and prevention of identity theft and fraud, and the loss or diminished value of their private information.
The plaintiffs make claims of negligence, negligence per se, invasion of privacy, breach of confidence, breach of fiduciary duty, breach of implied contract, breach of third-party beneficiary contract, and unjust enrichment. The lawsuits were filed in Texas federal court and seek class action certification for a nationwide class of individuals affected by the data breach, a jury trial, actual, compensatory, statutory, and punitive damages, and injunctive relief, including an order from the court requiring Gryphon Healthcare to implement a host of security measures to safeguard the personal and protected health information stored by the company.
The post Gryphon Healthcare Agrees to Pay $2.87M to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.