Carespring Health Care Management & LifeBridge Health Settle Class Action Data Breach Lawsuits

Carespring Health Care Management in Ohio and LifeBridge Health in Maryland have agreed to settle class action lawsuits stemming from data breaches.

Carespring Health Care Management

Carespring Health Care Management has agreed to settle a class action lawsuit stemming from an October 2023 cyberattack and data breach. Hackers gained access to the protected health information of 64,609 individuals, including names, dates of birth, Social Security numbers, financial information, health insurance information, and medical information.

The first class action lawsuit over the data breach was filed by plaintiff Phyllis Rice on August 29, 2024. Four related actions were subsequently filed by other affected individuals. Because the lawsuits had overlapping claims, the five cases were consolidated as Rice, et al., v. Carespring Health Care Management, LLC, in the Court of Common Pleas for Clermont County, Ohio.

The consolidated lawsuit asserted several claims, including negligence/negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, fraud, misrepresentation, unjust enrichment, bailment, wantonness, and the failure to provide adequate notice about the data breach. Carespring Health Care Management denies all claims asserted in the lawsuit.

To avoid the expense, delay, and uncertainties of litigation, all parties agreed to a settlement, with no admission of liability or wrongdoing. Carespring Health Care Management will pay up to $305,000 to cover attorneys’ fees and expenses, service awards of $2,500 for each of the five class representatives, and benefits for the class members. Class members may submit a claim for two years of single-bureau credit monitoring services, and a claim for up to $4,500 as compensation for documented, unreimbursed losses resulting from the data breach. Class members who do not submit a claim for reimbursement of losses may instead claim an alternative $50 cash payment.

The deadline for objection to and exclusion from the settlement is March 17, 2026. Claims must be submitted by April 16, 2026, and the final fairness hearing has been scheduled for April 28, 2026.

LifeBridge Health

LifeBridge Health Inc., a Maryland-based holding company for four Maryland hospitals and other affiliated entities, has agreed to pay $575,000 to settle class action litigation stemming from a cybersecurity incident detected in November 2024. LifeBridge Health determined that a hacker intermittently accessed its computer systems between August 27, 2024, and September 21, 2024, and potentially obtained patients’ protected health information. The affected individuals were notified about the data breach on April 1, 2025.

A lawsuit was filed in the Circuit Court for Baltimore County, Maryland, in response to the data breach, alleging it could have been prevented had LifeBridge Health implemented reasonable and appropriate cybersecurity measures. The lawsuit – Ragin v. LifeBridge Health, Inc. – asserted claims of negligence, breach of implied contract, and breach of the implied covenant of good faith and fair dealing. LifeBridge Health denies all allegations in the lawsuit and maintains there was no wrongdoing. While LifeBridge Health believes it would have prevailed at trial, it decided to settle the litigation to avoid the cost, distraction, and uncertainty of trial and related appeals.

A $575,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. The remainder of the fund will be used to pay for benefits for the class members. LifeBridge Health has also agreed to make data security enhancements to better protect patient data.

A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a flat cash payment, which will be paid pro rata after all valid claims have been paid. The cash payment is estimated to be $100 per class member, but may be higher or lower depending on the number of valid claims received. The deadline for objection to and exclusion from the settlement is February 28, 2026. The deadline for submitting a claim is February 28, 2026, and the final fairness hearing has been scheduled for March 20, 2026.

The post Carespring Health Care Management & LifeBridge Health Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.

Do your Staff need Training on HIPAA in Emergency Situations?

Emergencies in healthcare are not limited to extreme weather, wildfires, or other natural disasters. Today’s most disruptive incidents are just as likely to be cyberattacks, EHR downtime, system outages, and infrastructure failures. On a more localized level, organizations also face disruptive, aggressive, or violent patients and visitors that create immediate safety risks and require rapid, compliant decision‑making. Across all these scenarios, HIPAA continues to apply and staff must know how to act quickly while protecting patient privacy.

Effective HIPAA training equips staff to make permitted disclosures for treatment and care coordination during urgent situations without guessing. It helps staff understand when information may be shared with family or friends involved in a patient’s care, how to communicate with public health authorities, and when disaster relief organizations may receive limited information to help locate or notify individuals. It also clarifies that the minimum necessary standard does not limit disclosures for treatment, while guiding staff to limit other disclosures to what is reasonably needed.

HIPAA in Emergency Situations

HIPAA compliance officers must navigate a wide spectrum of emergencies that challenge normal operations and require staff to apply HIPAA under pressure. These events fall into two broad categories. The first involves system‑wide operational disruptions, which can halt access to ePHI, interrupt clinical workflows, or compromise critical infrastructure.

Natural disasters, cyberattacks, EHR downtime, system outages, and infrastructure failures can all force organizations into contingency mode. These situations often require coordinated action across clinical, IT, and compliance teams and activate HIPAA’s contingency planning requirements.

The second category involves localized safety emergencies, which occur far more frequently and demand immediate, on‑the‑ground decision‑making. Disruptive, aggressive, or violent patients, threatening or unstable visitors, and behavioral health crises that escalate into safety risks can all create urgent situations where staff must balance safety with privacy obligations.

Although incidents in this second category rarely trigger organization‑wide emergency preparedness plans, they do require personnel to make rapid HIPAA decisions, particularly around the imminent danger standard, the minimum necessary requirement, and appropriate communication boundaries.

Across both categories, whether the disruption affects the entire organization or a single unit, staff must understand how HIPAA applies when normal operations are disrupted and quick judgment is essential.

HIPAA Training for System‑Wide Disruptions

During natural disasters, cyberattacks, outages, and infrastructure failures, staff must know how to:

  • Access essential information during downtime
  • Permissibly disclose PHI to emergency services personnel
  • Document care using approved paper or downtime workflows
  • Secure temporary records and re‑enter data safely once systems are restored
  • Avoid insecure workarounds such as using personal or unapproved tools and services
  • Verify patient identity when electronic tools are unavailable

Training should reinforce that HIPAA’s Privacy and Security Rules remain fully in effect, even when systems are compromised.

HIPAA Training for Localized Safety Emergencies

Disruptive or violent behavior creates immediate risks to staff, patients, and visitors. HIPAA training should prepare personnel to:

  • Recognize when the imminent danger standard permits disclosure of limited PHI
  • Share only the information necessary to protect individuals on site
  • Document what was disclosed, to whom, and why
  • Avoid unnecessary post‑incident discussion or over‑disclosure
  • Understand when behavioral information is PHI and when it is not
  • Coordinate with security teams without violating privacy boundaries

These scenarios are among the most common sources of privacy lapses because staff act quickly, often without clear guidance. Training must close that gap.

Contingency Planning, Emergency Preparedness, and HIPAA Expectations

Effective emergency readiness requires strong HIPAA contingency planning supported by clear HIPAA Privacy Rule guidance. HIPAA Security Officers must ensure that the confidentiality, integrity, and availability of ePHI can be maintained during any disruption, and staff should understand how backup and recovery processes work, what emergency mode operations look like in practice, and their specific responsibilities during downtime.

HIPAA Training must also clarify how permissible uses and disclosures function in emergencies. Staff must understand that disclosures for treatment may proceed without delay, the minimum necessary standard still applies to most non‑treatment disclosures, and that patient authorization is still required for uses and disclosures not otherwise permitted by the Privacy Rule, even during emergencies. Staff should also know how to escalate suspected breaches or unusual system behavior and how these expectations apply during both system‑wide and localized incidents.

For Medicare and Medicaid participants, integrating HIPAA contingency planning with CMS Emergency Preparedness requirements creates a unified response framework. This alignment reduces confusion during incident command activation, clarifies communication channels and decision‑making authority, and ensures staff understand how HIPAA’s Privacy and Security Rules operate within broader emergency operations, particularly during incidents where coordinated action is essential.

HIPAA Flexibilities and Expectations in Emergencies

HIPAA provides important flexibilities that support emergency response, but these flexibilities operate within clear boundaries that staff must understand. During widespread events such as major natural disasters, the HHS Office for Civil Rights may announce temporary enforcement discretion for specific provisions of the HIPAA Privacy Rule, but this discretion is always limited, temporary, and formally communicated. Staff must continue following HIPAA as usual unless leadership explicitly advises otherwise.

Key Takeaways for HIPAA Compliance Officers

  • HIPAA continues to apply during system-wide or localized emergencies.
  • Staff must be trained to make rapid, lawful disclosures for treatment and safety.
  • Cyberattacks and outages now trigger HIPAA contingency plans more often than natural disasters.
  • Disruptive patients and visitors create high‑frequency safety emergencies that require clear HIPAA guidance.
  • Training must address downtime workflows, secure communication, and re‑entry procedures.
  • Aligning HIPAA contingency plans with CMS Emergency Preparedness strengthens organizational readiness.
  • HIPAA flexibilities support emergency response but require clear understanding. Enforcement discretion must never be assumed.

A well‑trained workforce is your strongest asset during emergencies. When staff understand how HIPAA operates under pressure, they protect patients, support continuity of care, and reduce organizational risk.

The post Do your Staff need Training on HIPAA in Emergency Situations? appeared first on The HIPAA Journal.

HHS Office for Civil Rights Establishes Part 2 Enforcement Program

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has established a civil enforcement program for the 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations.

The Coronavirus Aid, Relief, and Economic Security (CARES) Act, an economic stimulus bill signed into law on March 27, 2020, included a section (Section 3221) related to the confidentiality and disclosure of substance use disorder (SUD) records. The CARES Act directed the HHS to implement changes to align the Part 2 regulations more closely with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, to enhance protections and improve patient rights, while allowing a more flexible approach to the sharing of SUD records with patient consent to improve care coordination.

In February 2024, the HHS issued a final rule that modified the Part 2 regulations by implementing the changes mandated by Section 3221 of the CARES Act. The final rule improves coordination among providers treating patients for SUD, aligns certain Part 2 requirements with the HIPAA Privacy Rule and HIPAA Breach Notification Rule, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.

The final rule also implemented a new penalty structure, mirroring that of HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. OCR has been granted authority to enforce compliance, and if violations are identified, they will be subject to the same range of enforcement mechanisms as HIPAA. Violations of the Part 2 regulations can be resolved with civil monetary penalties, resolution agreements, monetary settlements, and corrective action plans to address areas of noncompliance.

The enforcement program uses newly established mechanisms of civil enforcement to protect the confidentiality of SUD records by covered SUD programs. “At President Trump’s direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative,” said HHS Secretary Robert F. Kennedy, Jr. “Americans seeking treatment for substance use disorder deserve comprehensive care without sacrificing their privacy or legal protections.”

This is the first time that mechanisms have been established and will help to ensure that the privacy of Americans seeking treatment for substance use disorder is protected. “OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens,” said OCR Director Paula M. Stannard. “OCR is uniquely positioned to enforce patient rights and the regulated community’s obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA.”

OCR must be notified about any breach of SUD records, and the agency will investigate breaches to determine if they were the result of noncompliance. On February 16, 2026, OCR started accepting complaints about potential violations of the Part 2 regulations, including civil rights and breach notifications related to SUD records.

Complaints about potential Part 2 violations should be submitted via the OCR breach portal. Individuals are encouraged to file a complaint if they believe that their civil rights or health information privacy have been violated, but also if they suspect that the civil rights or health information privacy of other individuals have been violated. Complaints will be investigated, and if substantiated, violations will be resolved through the newly established enforcement mechanisms.

The OCR breach portal has been updated to show entities and individuals that have experienced breaches of Part 2 records. As with the section of the OCR breach portal for HIPAA breach reports, a summary of each breach of Part 2-covered records is listed. The listings include basic information about the breach: the name of the Part 2 program, state, number of individuals affected, breach submission date, type of breach, and the location of the breached information. When OCR has completed its investigation of a breach, the listing will be moved to the archive, with brief notes added from OCR’s investigation. The breach portal only includes large breaches of SUD records – those affecting 500 or more individuals. Smaller breaches are not made public, although the breach reporting requirements are the same, irrespective of the size of the breach.

The post HHS Office for Civil Rights Establishes Part 2 Enforcement Program appeared first on The HIPAA Journal.