Free Webinar: Making Sense of HIPAA Compliance for Your Small Practice

For most small practices, your team is already wearing a lot of hats, and compliance is one that can feel like an impossible task to even know where to start.
But the risks keep growing. Breaches are rising fast, with hackers targeting small medical practices’ sensitive patient data. With major new HIPAA requirements potentially on the horizon as soon as 2027, it’s never been a better time to ensure your practice has built and maintains a HIPAA compliance program with a strong, compliant foundation.

Join Bradley King, Senior Compliance Consultant, as he provides a clear explanation for small medical practices on what they actually need to do when it comes to becoming HIPAA compliant.

You’ll Discover:
The timeline of HIPAA – how we got here and why it matters now
What actually triggers a HIPAA investigation
Current HIPAA enforcement initiatives to watch
What your practice needs to do to become (and stay) compliant
Real examples of investigation letters

WEBINAR DETAILS

Making Sense of HIPAA Compliance for Your Small Practice

Live Webinar | Wednesday, July 22 | 12:00–12:30 PM ET

Click Here Register for the Free Webinar

 

Speaker: Bradley King, Senior Compliance Consultant, Abyde

Dawn Halpin, Paubox

Bradley King is a Senior Compliance Consultant at Abyde with several years of experience in HIPAA and OSHA compliance consulting. He has spoken at national conferences and delivered continuing education webinars on HIPAA and OSHA compliance best practices, and has worked directly with thousands of practices, from solo, owner-operator practices to multi-location, multistate healthcare organizations, on building and maintaining compliance programs. Abyde is a leader in the compliance software industry, streamlining HIPAA & OSHA requirements for thousands of practices across the United States.

 

 

The post Free Webinar: Making Sense of HIPAA Compliance for Your Small Practice appeared first on The HIPAA Journal.

Vision Care Providers Settle Data Breach Class Actions

Settlements have been agreed to resolve class action lawsuits against two vision care providers: Total Vision in California and Naper Grove Vision Care in Illinois. Both providers fell victim to hacking incidents that exposed patient data.

Total Vision Settlement

A settlement has been agreed to resolve class action litigation against Total Vision LLC, which owns and operates a network of optometry centers throughout California. Total Vision experienced a hacking incident on or around October 30, 2020, in which hackers accessed a database server. The server contained sensitive patient information such as names, addresses, dates of birth, Social Security numbers, and prescription information. The data breach was reported to the HHS’ Office for Civil Rights as affecting 138,402 current and former patients.

Total Vision faced two class action lawsuits over the data breach, which were consolidated into a single complaint – Ramey, et al. v. Total Vision, LLC, et al. – in the Superior Court of California, County of San Diego, naming Anjanette Ramey and Jane Doe as class representatives. In addition to Total Vision, John C. Pack, O.D., and Beverly Bianes, O.D., Inc., and John C. Pack, O.D., and Beverly Bianes, O.D., were named as defendants.

The lawsuit alleged the data breach occurred as a result of the negligence of the defendants, who failed to properly secure the server and protect patient information, then failed to issue adequate breach notices. The plaintiffs allege that they experienced numerous instances of attempted data misuse and identity theft as a result of the security incident. The lawsuit asserted claims for negligence, breach of implied contract, and violations of California’s unfair competition law, the Confidentiality of Medical Information Act, and California security notification laws, all of which were denied by the defendants, along with the allegations of wrongdoing and liability.

During mediation on November 21, 2023, the terms of a settlement were agreed by all parties, and the settlement has now been finalized and has received preliminary approval from the court. The defendants have agreed to establish a $475,000 settlement fund, from which attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives will be deducted. The remaining funds will be used to pay for class member benefits.

Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $1,000 per class member, and/or a claim may be submitted for a pro rata cash payment, the value of which will depend on the number of valid claims received. The defendants have also agreed to implement improved data security measures, valued at $224,000. The exclusion/objection deadline is September 4, 2026. Claims must be submitted by October 5, 2026, and the final fairness hearing has been scheduled for December 18, 2026.

Naper Grove Vision Care Settlement

Naper Grove Vision Care in Naperville, Illinois, has settled class action litigation stemming from a May 2025 security incident that involved unauthorized access to the protected health information of 20,093 individuals. On May 24, 2025, Naper Grove Vision Care identified unauthorized network access. The Interlock ransomware group claimed responsibility for the attack and obtained patient information such as names, addresses, birth dates, driver’s license numbers, patient numbers, health insurance information, explanation of benefits documents, and medical condition and treatment information. Some Social Security numbers were also among the accessed data.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated – In re Naper Grove Data Breach Litigation – in the Circuit Court of the Eighteenth Judicial Circuit, Dupage County, Illinois. The consolidated lawsuit names Ashley Fett and Paul Mifsud as class representatives. The lawsuit alleged that the data breach occurred due to the failure to implement reasonable and appropriate cybersecurity measures, and asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act. All claims and contentions continue to be denied by Naper Grove Vision Care.

All parties have agreed to settle the litigation, with no admission of fault, liability, or wrongdoing. The defendant will cover the cost of attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives.  Claims may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $1,000 per class member.

If a claim for reimbursement of losses is not submitted, class members may submit a claim for an alternative cash payment. The cash payments will be paid pro rata from a $50,000 settlement fund. Regardless of which option is chosen, class members qualify for a one-year membership to a credit and medical data monitoring service. The deadline for objection/exclusion is September 18, 2026. Claims must be submitted by September 18, 2026, and the final approval hearing has been scheduled for October 20, 2026.

The post Vision Care Providers Settle Data Breach Class Actions appeared first on The HIPAA Journal.

Ohio Living; Erlanger; Heart of America Eye Care Announce Data Breaches

Data breaches have recently been announced by the senior living company Ohio Living, Erlinger Health System in Tennessee, and Heart of America Eye Care in Missouri.

Ohio Living

The Westerville, Ohio-based nonprofit senior living company Ohio Living has identified unauthorized access to its network. Suspicious activity was identified within its computer network on April 17, 2026. Its network was secured, and an investigation was launched to determine the nature and scope of the activity, with assistance provided by third-party cybersecurity experts.

The forensic investigation confirmed unauthorized network access between April 16, 2026, and April 17, 2026, and the exfiltration of files containing patient information. While the specific types of information involved for each individual have yet to be determined, Ohio Living states that the categories of data likely involved include names, addresses, birth dates, Social Security numbers, medical histories, disability information, diagnostic and treatment information, prescription information, physician information, medical record numbers, health insurance information, and financial account/payment card information.

Ohio Living is reviewing its security policies and procedures and is implementing enhanced cybersecurity safeguards to prevent similar incidents in the future. The data review is ongoing, so the total number of affected individuals has yet to be determined. The HHS’ Office for Civil Rights has been informed that the data breach affected at least 500 individuals. The total will be updated when the data review is concluded.

Erlanger Health System

Erlanger Health System, a Chattanooga, Tennessee-based health system and operator of six hospitals and multiple healthcare facilities, has announced a security incident affecting a limited number of patients. The incident was detected on May 13, 2026, and affected 4,237 Erlanger Western California patients.

The investigation revealed that patient information was inadvertently sent to a billing partner that provides services for its Erlanger Tennessee campuses. The information was disclosed between July 1, 2025, and May 27, 2026, and related to individuals who had received anesthesia care. Those patients of Erlanger Western California received anesthesia care from a different anesthesia group.

The billing partner was a business associate and was therefore aware of its responsibilities with respect to HIPAA; however, it was an impermissible disclosure warranting breach notifications. The data transmitted included names, birth dates, medical record numbers, mailing addresses, email addresses, telephone numbers, internal hospital account numbers, insurance information, guarantor names, guarantor addresses, guarantor telephone numbers, dates of service, and limited medical information associated with surgical care, including operative notes.

Heart of America Eye Care

MVP VIP Holdco, doing business as Heart of America Eye Care, an ophthalmology and optometry services provider at its locations in Overland Park, Prairie Village and Shawnee Mission, KS, and Belton, MO, has notified regulators and patients about a hacking incident that exposed patient data.

The website breach notice does not state when the hacking incident was detected; however, the forensic investigation determined that patient information was viewed or copied from its systems between April 1, 2026, and April 6, 2026. The notice states that the investigation is underway to determine the extent to which protected health information was involved. The HHS’ Office for Civil Rights has been informed that the data breach affected at least 500 individuals. The total will be updated when the data review is concluded.

The post Ohio Living; Erlanger; Heart of America Eye Care Announce Data Breaches appeared first on The HIPAA Journal.