Vikor Scientific Affected by Ransomware Attack on Revenue Cycle Management Vendor

Posted by Steve Alder

Vikor Scientific (now rebranded as Vanta Diagnostics), a molecular diagnostics company based in Charleston, South Carolina, has been affected by a security incident at one of its vendors – the revenue cycle management company, Catalyst RCM. The breach also affected the Vikor Scientific-owned molecular testing laboratory KorGene,  and KorPath, a Tampa, Florida-based anatomical pathology lab, which partners with Vanta Diagnostics. Vikor Scientific has reported the data breach to the HHS’ Office for Civil Rights as involving the electronic protected health information (ePHI) of 139,964 individuals.

Catalyst RCM has published a substitute breach notice on its website and is issuing notification letters to the affected individuals on behalf of its affected HIPAA-covered entity clients. While it is ultimately the responsibility of each affected HIPAA-covered entity to issue notification letters when there has been a data breach at a vendor, the notification responsibilities are often delegated to the vendor.

In the breach notice, Catalyst RCM explains that suspicious activity was identified within its secure file management system on or around November 13, 2025. An investigation was launched, which identified an unauthorized login to a system used to access one of its servers. The server was accessed without authorization between November 8, 2025, and November 9, 2025. The affected system was reviewed to determine whether any protected health information had been exposed or stolen, and the review concluded on December 12, 2025. Catalyst RCM confirmed that the threat actor exfiltrated data in the attack.

Data potentially compromised in the incident varies from individual to individual and may include names plus one or more of the following: date of birth, diagnosis information, medical treatment information, history, health insurance information, and/or payment card information with access code.

Catalyst RCM has updated its security policies, procedures, and protocols to reduce the likelihood of similar incidents in the future, and has advised the affected individuals to remain vigilant against identity theft and fraud by monitoring their free credit reports. While no misuse of the affected data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

While the incident was not described as a ransomware attack, the Everest ransomware group claimed responsibility for the attack and added Vikor Scientific to its dark web data leak site, along with samples of data allegedly stolen in the attack. Everest threatened to leak the stolen data if contact was not made. Everest claims to have leaked all data exfiltrated in the attack, indicating the ransom was not paid.

The post Vikor Scientific Affected by Ransomware Attack on Revenue Cycle Management Vendor appeared first on The HIPAA Journal.

HHS-OIG Identifies Security Deficiencies in Audit of VA Spokane Healthcare System

Posted by Steve Alder

An audit of the Department of Veterans’ Affairs Spokane Healthcare System in Washington state by the Department of Health and Human Services Office of Inspector General (HHS-OIG) identified deficiencies in all three control areas inspected: configuration management, security management, and access controls. The audit was conducted on the Mann-Grandstaff VA Medical Center between January 29 and February 6, 2025, which has approximately 1,300 employees and provided care to 27,000 patients in fiscal year 2024.

There were several instances where staff failed to remediate critical and high-severity vulnerabilities within the 60-day time frame stipulated by the VA, and in some cases had failed to develop the required action plans to remediate those vulnerabilities within that time frame. HHS-OIG also identified systems that were running unsupported software, and several devices were identified that had not been configured to VA-approved security baselines. These deficiencies increased the risk of unauthorized access and operational disruption, especially the failure to meet the security baselines on databases and core network devices.

One deficiency was identified in security management regarding the protection of personally identifiable information (PII). A screen with unredacted PII in the federal electronic health record (EHR) could be viewed by volunteers and scheduling clerks, who did not require access to that information. The failure to restrict access puts PII at risk, which could potentially be misused to cause harm to veterans.

Four access control deficiencies were identified related to physical and logical access to IT resources. There was a lack of proper segregation of duties for key distribution, unsecured network equipment was identified in two locations, eleven communications sockets did not have proper electrical grounding, and perimeter protection measures for fuel storage did not meet VA guidelines.

HHS-OIG made 7 recommendations in the areas of configuration management, security management, and access controls, which HHS-OIG said are also applicable to other VA facilities. The VA has already implemented some of the recommendations and has planned to address the remaining issues.

The post HHS-OIG Identifies Security Deficiencies in Audit of VA Spokane Healthcare System appeared first on The HIPAA Journal.

Senators Demand Answers from Labor Secretary on Decline in OSHA Safety & Health Enforcement

Posted by Steve Alder

Six Democratic Senators have written to the United States Secretary of Labor, Lori Chavez-DeReme, demanding answers about an apparent rollback of safety rules and reduced oversight of workplace safety and health. Senators Elizabeth Warren (D-MA), Angela Alsobrooks (D-MD), Tammy Baldwin (D-IL), Richard Blumenthal (D-CT), Alex Padilla (D-CA), and Ron Wyden (OR) questioned whether the Trump administration is discouraging the enforcement of workplace safety laws, and whether the sharp reduction in inspections and penalties is a precursor to the elimination of key safety regulations that were established to keep American workers safe.

Sen. Warren was confidentially provided with data that shows a 20% reduction in workplace inspections by the Department of Labor’s Occupational Safety and Health Administration (OSHA) between April 2025 and September 2025, compared to the corresponding period the previous year. The data also show a 42% reduction in inspections with citations for willful violations.

While there may have been improvements to workplace safety, resulting in fewer citations for willful violations, such a high percentage reduction in a single year suggests something else may be at play.  “This reduction in findings of willful violations indicates that OSHA inspectors may be being encouraged to issue citations for lesser violations, allowing employers who commit serious safety violations to avoid facing proportional consequences,” wrote the senators in the letter. “If employers know that they are unlikely to face hefty fines, they may be less likely to adhere to safety standards that keep American workers safe in their places of employment,” the senators wrote.

The senators cite a December 2025 report – Worker Protections in Freefall: The Collapse of Federal Labor Enforcement under the Second Trump Administration – by the advocacy group Good Jobs First that highlights a precipitous decline in OSHA penalty assessments. Between 2009 and 2024, OSHA penalty assessments have remained fairly steady, only fluctuating by 4% over that period. Good Jobs First reports that “Wage and hour penalties have decreased 94% during Trump’s second term, and workplace health and safety penalties have dropped 45%.”

Based on the findings of workplace safety and health inspections since 2009, an increase in inspections would appear to be the logical response to get employees to create safer and more healthful workplaces, yet the Trump administration has proposed massive cuts to OSHA’s funding, while the Department of Labor has rolled out a deregulatory agenda to eliminate key health and safety regulations. “Your agency has tried to cloak your deregulatory agenda in the language of ‘putting workers first,’ but the reality is that the Labor Department is prioritizing the interests of unscrupulous employers over Americans who work hard in dangerous environments to provide for their families,” wrote the senators.

According to the senators, some of the regulations that have been rolled back include the elimination of the authority of the Mine Safety and Health Administration (MSHA) to require mine operators to ensure proper ventilation to protect miners from hazards such as black lung disease, and loosened respirator requirements for workers exposed to carcinogens, lead, asbestos, and formaldehyde. The senators also warn that the Department of Labor plans to eliminate the requirements for adequate lighting on construction sites, despite one in 20 construction worker deaths being due to inadequate lighting, and plans to limit the ability of OSHA to hold employers accountable for unsafe working conditions in inherently unsafe professions.

In the letter, the senators demanded answers to their questions by March 4, 2026. They include questions related to the Department of Labor’s deregulatory agenda, whether the termination of leases of 11 OSHA regional offices by the Department of Government Efficiency (DOGE) means they have been permanently closed, whether there are plans to close other OSHA regional offices, and several questions about OSHA inspections, hazard letters, violations, and citations in 2025.

The post Senators Demand Answers from Labor Secretary on Decline in OSHA Safety & Health Enforcement appeared first on The HIPAA Journal.

Why Healthcare Staff Need HIPAA Training for Social Media

Posted by PJ Murray

Healthcare staff need HIPAA training for social media because a single post, photo, or comment can expose Protected Health Information (PHI), trigger a reportable breach, damage the organization’s reputation, and create personal legal risk for the employee. Social media feels informal and personal, but the HIPAA Privacy Rule and HIPAA Security Rule still apply every time a staff member talks about patients, work cases, or the workplace online.

How social media turns everyday moments into HIPAA risk

HIPAA does not only protect obvious identifiers like a name or medical record number. Any detail that can reasonably identify a person or connect them to a health condition, diagnosis, or treatment can qualify as Protected Health Information. A photo of a recognizable tattoo, a description of “the only serious car wreck in town last night,” or a story about a local public figure receiving care can all reveal who the patient is, even if no name appears.

Social media amplifies this risk. Once something is posted, the author loses control over where it goes, who screenshots it, or how it is edited and reused. Deleted posts can live on in private messages and group chats. Staff may believe that limiting a post to friends or using privacy settings keeps it safe, but friends and followers can still recognize patients, locations, or events and share that information with others. Without specific training, many employees underestimate how easy it is for patients, families, co-workers, and regulators to connect the dots.

Misunderstandings that drive HIPAA violations online

Most staff who get into trouble on social media did not wake up intending to violate HIPAA. They often misunderstand what the law covers or how easy it is to identify a patient. A common belief is that removing a name or blurring a face is enough. Staff may think that talking about “a patient I had today” or “a wild case in the ICU” is acceptable as long as they avoid names or use casual language.

Another problem is emotional pressure. Healthcare work is stressful, sad, and sometimes dramatic. Staff feel a real need to vent, seek support, or share meaningful experiences. In a moment of frustration, pride, or grief, it can feel natural to post a story, image, or video. That impulse to be heard and validated can override training or policy, especially if the person never truly understood how HIPAA applies online.

Some individuals also use social media as a form of self-promotion or branding, highlighting cases or patient interactions to showcase their skill or compassion. When those posts include any identifying details, they become impermissible disclosures. A good training program needs to address not just rules, but these emotional and social drivers of behavior.

Why organizational policies are strict about social media

Most healthcare organizations now have broad social media policies that cover both official and personal use. These policies usually extend beyond the major platforms and include blogs, online forums, messaging apps, and even personal email used from work devices. They often apply not only to original posts but also to actions such as liking a patient’s post, commenting on someone else’s content about a patient, or resharing material that mentions the organization.

Policies may restrict personal social media activity on workplace devices or during work hours. They may authorize the organization to monitor certain activity or block specific sites. Sanctions for violations can include mandatory retraining, written warnings, suspension, or termination. The stakes are high because a single post can harm a patient, damage community trust, attract media attention, and trigger an investigation. Intentional PHI disclosure on social media can create individual criminal exposure.

Staff need training to understand what the policy says in practical terms. They need concrete examples of forbidden behavior, clear explanations of permitted uses, and transparency about how monitoring and sanctions operate.

Personal legal consequences for staff who misuse social media

The risks are not only professional. Impermissible disclosures of PHI on social media for personal gain can be treated as wrongful disclosures under federal law. That can lead to civil fines and, in serious cases, criminal penalties. Liability is possible even if the employee did not personally press the publish button. A person who shares confidential details with a colleague, knowing that the colleague is likely to post about it, can share responsibility for the disclosure.

Personal gain does not have to be financial. Posts that highlight a shocking case to gain followers, sympathy, or status can still be viewed as motivated by gain. Families or individuals whose privacy was breached can pursue civil lawsuits, adding another layer of risk for both the organization and the individual staff member. Effective training should make these consequences real through scenarios and case examples, while still keeping the focus on prevention rather than fear.

Appropriate, compliant uses of social media in healthcare

Staff also need to see that social media is not entirely off limits. Many organizations use official accounts to share public health information, educational content, research updates, and general service announcements. These activities can support community engagement and patient education when they avoid individual patient information and follow internal approval workflows.

Training should distinguish clearly between official, controlled communication and personal accounts. Staff must understand that personal accounts are not appropriate channels for discussing care, answering clinical questions, or coordinating treatment. Even when patients reach out first, staff should redirect them to secure, approved communication methods. Clear boundaries make it easier for employees to participate safely in the organization’s online presence.

Staff HIPAA Training for Social Media

HIPAA social media training should first explain what counts as Protected Health Information in an online context, including any detail or image that could reasonably identify a patient or link someone to a diagnosis, condition, or treatment. Staff need to understand that posting this information on personal accounts is almost always an impermissible disclosure unless there is a valid, informed HIPAA authorization, and that once something is posted it can be copied, manipulated, and shared beyond their control.

The training should then walk through the organization’s social media policy and give clear examples of prohibited behavior and acceptable use. That includes explaining that policies often apply to blogs, forums, messaging apps, and even likes or comments, not just obvious posts on major platforms. Staff should see how real cases have led to discipline, fines, loss of employment, and even criminal charges, and they should know how to report a concern to the HIPAA Privacy Officer or other designated contact.

Training should close by reinforcing simple rules for staying safe on social media, emphasizing that work experiences and patient information belong in secure, approved channels, not on public or semi-public platforms.

The post Why Healthcare Staff Need HIPAA Training for Social Media appeared first on The HIPAA Journal.