CISA Advises U.S. Organizations to Harden Microsoft Intune Following Stryker Data Wiping Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging U.S. organizations to strengthen administrative controls for the Intune endpoint management tool, following the Iran-linked cyberattack on the medical technology company Stryker. The Stryker cyberattack was conducted by a threat actor called Handala – a hacktivist group with links to Iran’s Ministry of Intelligence and Security.
Handala claimed to have exfiltrated 50 terabytes of data in the attack before wiping data, and has claimed that it managed to delete 12 petabytes of data from 200,000 devices. Wiper malware was not required, as Handala used the built-in wipe command in the Intune cloud-based endpoint management tool to wipe Windows devices, including mobile phones and laptops. According to Bleeping Computer, a source familiar with the incident claimed that Handala compromised an administrator account and created a new Global Administrator account, which was used to wipe the data.
At the time of writing, the military action against Iran is continuing, and Iran has issued threats of retaliation. In addition to a military response, retaliation is also likely to include further cyberattacks on U.S. companies. “CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026, cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment,” explained CISA in its March 18, 2026, alert. Consequently, CISA is recommending that organizations take steps to harden their endpoint management system configurations by following Microsoft’s recommendations.
There are three main actions to take to harden Intune. The first is to adopt a least-privilege approach for admin roles, assigning only the permissions necessary for day-to-day operations through Microsoft’s Intune role-based access control (RBAC). The second is to enforce phishing-resistant multifactor authentication and privileged access hygiene, including using Microsoft Entra ID capabilities to block unauthorized access to privileged actions in Microsoft Intune. The third, also recommended by Microsoft, is to configure access policies to require multiple admin approvals. Policies should be set up that require approval from a second administrative account before changes can be made to sensitive or high-impact actions, such as wiping devices, applications, scripts, RBAC, and configurations.
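Detection logic for the attack path described above (a newly created Global Administrator account that then issues a burst of wipe commands), added here as an example and not taken from CISA, Microsoft, or The HIPAA Journal. The event schema, account and device names, thresholds, and sample events are constructed assumptions, not the real Entra ID or Intune audit log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ROLE = "Global Administrator"
def ts(e):
    return datetime.fromisoformat(e["time"])

def new_privileged_accounts(events, max_age=timedelta(hours=24)):
    """Accounts granted ROLE within max_age of their creation."""
    created, flagged = {}, set()
    for e in sorted(events, key=ts):
        if e["action"] == "user_created":
            created[e["target"]] = ts(e)
        elif e["action"] == "role_assigned" and e["role"] == ROLE:
            born = created.get(e["target"])
            if born is not None and ts(e) - born <= max_age:
                flagged.add(e["target"])
    return flagged

def wipe_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Actors issuing >= threshold wipes inside any sliding window."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=ts):
        if e["action"] == "device_wipe":
            by_actor[e["actor"]].append(ts(e))
    flagged = set()
    for actor, times in by_actor.items():
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(actor)
    return flagged

def correlate(events):
    """High severity: a freshly created privileged account that mass-wipes."""
    return new_privileged_accounts(events) & wipe_bursts(events)

def ev(clock, actor, action, target, role=None):
    # Constructed, simplified schema; not the Entra ID or Intune audit format.
    return {"time": f"2026-01-01T{clock}", "actor": actor,
            "action": action, "target": target, "role": role}

EVENTS = [  # constructed sample data
    ev("09:00:00", "helpdesk1", "device_wipe", "PHONE-17"),  # routine wipe
    ev("10:00:00", "admin-a", "user_created", "admin-new"),
    ev("10:02:00", "admin-a", "role_assigned", "admin-new", ROLE),
    ev("10:05:00", "admin-new", "device_wipe", "LAPTOP-001"),
    ev("10:05:20", "admin-new", "device_wipe", "LAPTOP-002"),
    ev("10:05:40", "admin-new", "device_wipe", "PHONE-003"),
]
```

The single helpdesk wipe stays below the burst threshold, so only the account that was created, elevated, and then used for repeated wipes is returned by `correlate(EVENTS)`.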
According to the Palo Alto Networks Unit 42 team, there has been an increase in cyberattacks related to the war with Iran, including data wiping attacks and data theft. While the attack on Stryker involved misuse of Intune to wipe data, Iran-linked threat groups commonly use wiper malware in their offensive cyber operations. The Unit 42 team has observed Iran-nexus hacking groups and hacktivist groups increasing wiper attacks and spear phishing attacks. In addition to hardening Intune security, organizations should ensure that they patch promptly, have robust data backup systems in place, and have a tested disaster recovery and business continuity plan for data wiping attacks.
The post CISA Advises U.S. Organizations to Harden Microsoft Intune Following Stryker Data Wiping Attack appeared first on The HIPAA Journal.
Free Webinar: HIPAA Email Security 101: PHI, Encryption, and What’s Required

According to the Paubox 2026 Healthcare Email Security Report, in 2025, 170 email-related data breaches were reported to the HHS’ Office for Civil Rights (OCR). While healthcare organizations are getting better at preventing email-related data breaches, an analysis of email security configurations found that in 2025, 41% of healthcare organizations fell into the high-risk category, an increase from the previous year.
On top of those large healthcare data breaches are the thousands of smaller breaches that affect fewer than 500 individuals, a large percentage of which are due to poor email security configurations and errors by healthcare employees. Each email incident erodes trust, can be costly to resolve, and potentially puts the organization at risk of a HIPAA penalty, yet email compliance failures are easily avoided.
On March 31, 2026, the leading healthcare email security company, Paubox, is hosting a webinar to explain HIPAA email security 101. The webinar consists of a practical session covering the fundamentals of HIPAA-compliant email, what constitutes PHI and how to identify the indicators of PHI, as well as the key email security requirements that HIPAA-regulated entities must have in place to ensure that sensitive information is protected and patient privacy is assured. Attendees will also learn about the common compliance errors made by organizations and healthcare employees when communicating via email, and how to avoid them.
Webinar attendees will learn about:
Reserve your spot today to learn how HIPAA applies to email and the requirements for HIPAA-compliant email communications.
Why Attend?
- Attendees will learn the fundamentals of HIPAA-compliant email communications, what constitutes PHI, and the common compliance mistakes made by healthcare organizations and how to avoid them. This webinar is eligible for 1 self-reported CPE. Attendees will receive a certificate of attendance that may be used as supporting documentation when submitting credits to applicable certifying bodies.
WEBINAR DETAILS
HIPAA Email Security 101: PHI, Encryption, and What’s Required
Date: Tuesday, March 31, 2026
Time: 2:00 p.m. ET | 11:00 a.m. PT | 6:00 p.m. GMT
Format: Live webinar (Zoom)
Speaker: Dawn Halpin, Demand Generation Manager, Paubox

Dawn Halpin, a Marquette University and University of Wisconsin-Milwaukee graduate, is the Demand Generation Manager at the email security firm Paubox. Paubox is a leader in HIPAA-compliant email security for the healthcare industry and is trusted by more than 8,000 organizations, including Cost Plus Drugs, Rippling, and Covenant Health.
Trinity Health & UPMC Notify Patients About Potential Unauthorized Data Access via HIE
Trinity Health and the University of Pittsburgh Medical Center are notifying patients about potential unauthorized access to patient data by third parties via a Health Information Exchange (HIE).
Trinity Health, a not-for-profit Michigan-based Catholic health system that operates more than 92 hospitals in 22 states, has informed state attorneys general that some of its patients may have had their protected health information accessed without authorization. Trinity Health participates in automated electronic data exchanges with Health Information Exchanges (HIEs), which ensure that patient data can be easily accessed by other healthcare providers for treatment purposes, regardless of where the provider is located.
On January 13, 2026, Trinity Health was informed by its HIE partner that there had potentially been unauthorized access to the protected health information of certain Trinity Health patients. The incident involves an HIE member called Health Gorilla, which provides an interoperability platform and manages data access requests for client companies. Health Gorilla grants access to its network to companies that require access to patient data for treatment purposes. The HIE partner warned Trinity Health that Health Gorilla claimed that health information was required for treatment purposes; however, the HIE partner said it was unable to verify whether the statements made by Health Gorilla were accurate, and whether the recipient companies had authorizations for the information they obtained via the HIE.
Data potentially accessed without authorization included clinical care details, demographic information, insurance information, and potentially driver’s license numbers. Health Gorilla has suspended access to the HIE for the companies concerned. Trinity Health is providing the affected individuals with complimentary credit monitoring and identity theft protection services for 24 months. The number of affected individuals has not yet been disclosed.
University of Pittsburgh Medical Center (UPMC) patients have also been affected and are in the process of being notified about the potential unauthorized access. Data potentially accessed without a valid authorization included names, ages, diagnoses, and other information from patients’ medical histories. UPMC said it was informed about the potential unauthorized access by its electronic medical record vendor (Epic), and similarly, the unauthorized access occurred through an HIE via Health Gorilla. The incident has been reported to the HHS’ Office for Civil Rights, although it is not yet shown on the breach portal, so it is unclear how many patients have been affected.
Further healthcare providers are expected to issue similar notices in the coming days and weeks.
Legal Action Taken Over Alleged Unauthorized Access and Disclosures
Legal action is being taken over the alleged impermissible disclosures by Epic, OCHIN, and several healthcare providers who allege that Health Gorilla and others enabled “sham” companies to access their platforms to obtain patient data from national HIEs. While not stated in the breach notice, the information accessed by the sham companies may have been disclosed to third parties, such as law firms. One of the companies named as a defendant has admitted to making fraudulent claims that data was required for treatment purposes, when the data was disclosed to law firms. The lawsuit is proceeding against the other named defendants. Health Gorilla, a Qualified Health Information Network (QHIN), denies any wrongdoing, and so far, only one of the defendants has admitted wrongdoing. You can read more about the lawsuit in this post.
GuardDog Telehealth Admits Improper Access to Medical Records
A telehealth company has admitted to improperly accessing patients’ medical records. GuardDog Telehealth purported to require access to patients’ medical records for treatment purposes; however, the records were accessed in order to provide data to law firms for potential lawsuits.
GuardDog Telehealth obtained access to patients’ medical records through a Health Information Exchange (HIE) network, using Health Gorilla’s interoperability platform to access the records. Health Gorilla is a Qualified Health Information Network (QHIN) under the Trusted Exchange Framework and Common Agreement (TEFCA), through which many companies access patients’ medical records. The network supports patient care and ensures efficient care coordination between healthcare providers.
Epic Systems, the health IT consultancy firm OCHIN, and three healthcare providers filed a lawsuit against Health Gorilla and others, alleging they were allowing “sham” medical practices to access health information exchanges through their interoperability platforms. After gaining access, the sham companies are alleged to have marketed their access to patient data to law firms, offering to help them find plaintiffs for class action lawsuits. In addition to GuardDog Telehealth, other companies accused of improper access included Mammoth Path Solution, RavillaMed, and Llamalab. According to the lawsuit, the sham companies were given connections to Carequality, TEFCA, and other HIEs, which allowed them to access patient records.
The lawsuit seeks immediate relief for fraud, aiding and abetting fraud, violations of the California Business and Professions Code, and the Federal Computer Fraud and Abuse Act. According to the lawsuit, almost 300,000 patient records were improperly accessed by the sham companies under the guise of treatment. Only GuardDog Telehealth has admitted to any wrongdoing.
Companies such as Health Gorilla are the gatekeepers and control who can access their frameworks and sensitive patient data through HIEs. They must therefore ensure that any participants are vetted before they are onboarded, and are accessing the framework for legitimate purposes. Health Gorilla vehemently denies the allegations and claims that Epic, a rival, is attempting to squash competition.
In a legal filing – stipulated judgment and permanent injunction – on Friday, Epic said it has obtained an admission from Health Gorilla client GuardDog Telehealth that patient records were accessed under the guise of providing chronic care management and remote patient monitoring, when those services were not provided. Instead, records were reviewed, summarized, and the data provided to law firms.
GuardDog Telehealth and Epic have reached an agreement and are seeking a court order permanently barring GuardDog Telehealth from requesting health records via the Carequality and TEFCA interoperability frameworks. GuardDog Telehealth has agreed to delete all patient records obtained from those frameworks within one week and will not use or disclose any patient information obtained from the HIEs. The agreement now awaits approval from the court.
Epic said the legal action against Health Gorilla and the other defendants will continue and that it would welcome discussions with other defendants regarding stipulated judgments and permanent injunctions. Health Gorilla maintains that GuardDog Telehealth did not inform it of any non-treatment uses of patient data and maintains that there has been no wrongdoing by Health Gorilla.
“GuardDog’s consent judgment has no legal impact on Health Gorilla, and is incomplete at best and misleading at worst. If you read carefully, GuardDog does not state it ever informed Health Gorilla of any non-treatment use of patient information, and we are prepared to demonstrate it did not,” explained Health Gorilla in a statement. “In addition, when Health Gorilla sought to investigate GuardDog along with the interoperability networks and several major health providers, GuardDog failed to respond and refused to cooperate. Epic’s lawsuit remains an attack on interoperability that threatens patient safety and efficient healthcare nationwide, made worse by misleading submissions like its agreement with GuardDog. Health Gorilla continues to fully comply with all applicable data-sharing frameworks, and we remain confident as we address these claims through the legal processes.”
Epic is also facing legal action of its own, with multiple class action lawsuits filed against it and other companies for failing to prevent Health Gorilla and its clients from connecting to the Epic Care Everywhere health information exchange. The lawsuits allege that Epic and others were negligent, as they either knew or should have known about the misuse of Care Everywhere to obtain patient information for non-treatment purposes, and that they failed to take timely corrective action.
