Author Archives: Steve Alder

Cybersecurity Should Be Viewed as a Strategic Enabler of the Business

Posted by Steve Alder

The US Healthcare Cyber Resilience Survey from EY and KLAS Research has revealed that more than 7 out of 10 healthcare organizations have experienced significant business disruption due to cyberattacks in the past two years.

The survey was conducted on 100 healthcare executives responsible for cybersecurity decisions within their organization. On average, organizations experienced an average of five different cyber threats in the past year, the most common of which was phishing, experienced by 77% of organizations. The next most commonly encountered threats were third-party breaches (74%), malware (62%), data breaches (47%), and ransomware (45%). Only 3% of respondents reported not experiencing any cyber threats in the past year.

These cyber incidents are having a considerable impact on patient care and business operations. 72% of respondents reported that their organization experienced a moderate to severe financial impact due to cyberattacks in the past two years, 60% reported a moderate to severe operational impact, and 59% reported a moderate to severe clinical impact.

In healthcare, cybersecurity is often viewed as a set of defensive measures to protect against cyber threats and ensure compliance, but cybersecurity should be elevated to an organizational priority. Cyberattacks have a significant impact on patient care and business operations, damaging the organization’s reputation and affecting its bottom line. Healthcare organizations that make cybersecurity an organizational priority find that it creates value and helps them deliver better outcomes.

Cybersecurity investment should be aligned with outcomes such as reduced downtime, improved patient safety, and financial stability, and the survey suggests that CISOs are getting better at communicating this to the C-suite. When the cost of cybersecurity investment is compared to the cost of an outage on patient care and revenue, funds are often provided. The survey suggests that the main challenge is not getting the company to invest in cybersecurity, but to sustain the financial commitment over time, especially when budgets tighten or priorities shift. It can be especially hard to maintain that commitment when, after investing in cybersecurity, the organization continues to experience moderate to severe cyber events.

“Cyber needs to be a shared responsibility across the organization and the health ecosystem,” explained EY and KLAS in the report. “In a time of tight budgets, cutting cyber investments can leave health organizations more vulnerable and ultimately lead to higher costs. Health executives must pivot from viewing cyber as a cost center to a strategic enabler of the business.”

The problem faced by many organizations is competing organizational priorities and tight budgets, which were cited as a problem by two-thirds of respondents. Other challenges affecting healthcare organizations include a rapidly changing threat landscape, AI-driven threats, third-party risk management, and the difficulty of recruiting and retaining cybersecurity talent.

One of the main takeaways from the report is the importance of viewing cybersecurity as more than a set of technical and administrative safeguards to achieve compliance. Cybersecurity needs to be viewed as a value creator that is as critical to the success of other business needs, be that improved patient outcomes, geographical expansion, or smart care models. “When cyber is integrated into care delivery and operational and business strategy, it becomes more than compliance. It serves as a catalyst for trust, transformation, long-term resilience, and care delivery that is future-proof,” suggest EY and KLAS.

The post Cybersecurity Should Be Viewed as a Strategic Enabler of the Business appeared first on The HIPAA Journal.

Willis-Knighton Medical Center Settles Website Tracking Technology Lawsuit

Posted by Steve Alder

A settlement has been agreed to resolve a class action lawsuit against the Louisiana health system, Willis-Knighton Medical Center. The litigation stems from the use of tracking technologies on its public-facing website.

Several lawsuits were filed against Willis-Knighton Medical Center over the use of tracking tools on its website and patient portal, which are alleged to have caused unauthorized transmissions of personally identifiable, non-public information to third parties such as Google and Facebook. The lawsuits were consolidated in a single action – Jacqueline Horton, et al. v. Willis-Knighton Medical Center – which was heard in the 10th Judicial District Court for Natchitoches Parish in Louisiana.

Tracking technologies such as pixels are extensively used on the Internet, including by many healthcare providers. The problem is that these tools may collect sensitive data from website visitors, including information classed as protected health information under HIPAA. That information may be transmitted to third parties unauthorized to receive the information. One study found that more than 99% of hospitals had added these tools to their websites.

Willis-Knighton Medical Center denies the allegation and specifically denies that any medical information from its website or patient portal was shared with Facebook or Google; however, to avoid the cost and distraction of continuing with the litigation, and the uncertain outcome of a trial, the decision was taken to settle the litigation.

Under the terms of the settlement, class members are entitled to one year of CyEx Privacy Shield Pro, a privacy protection product, and may also claim a cash payment. The cash payments differ depending on the subclass. Individuals who used the “request an appointment” feature may claim a cash payment of $25, members of the InteliChart settlement class may claim a cash payment of $38, and members of the Medtech settlement class may claim a cash payment of $15.

Willis-Knighton Medical Center has also agreed not to use 16 specified digital analytics tools on its website and patient portal for a period of two years from the date of final approval of the settlement. The list includes Google DoubleClick, Google Ads, Meta, Amazon, TikTok, Pinterest, and TheTradeDesk.

The deadline for objection to and exclusion from the settlement is November 18, 2025. Claims must be submitted by December 18, 2025, and the final approval hearing has been scheduled for January 22, 2026.

The post Willis-Knighton Medical Center Settles Website Tracking Technology Lawsuit appeared first on The HIPAA Journal.

Tri Century Eye Care & Pittsburgh Gastroenterology Associates Announce Data Breaches

Posted by Steve Alder

Data breaches have recently been announced by Tri Century Eye Care in Pennsylvania, Pittsburgh Gastroenterology Associates, NAHGA Claims Services, and the Texas revenue cycle management company, Legacy Health.

Tri Century Eye Care

Tri Century Eye Care, P.C., in Pennsylvania, has recently started notifying patients about a September 2025 data security incident involving the theft of files containing sensitive data. Suspicious network activity was identified on September 3, 2025, and immediate steps were taken to secure its network. Third-party cybersecurity specialists were engaged to investigate and determine the nature and scope of the activity, and on September 19, 2025, Tri Century Eye Care learned that an unknown actor had accessed its network and acquired files. There was no unauthorized access to its electronic medical record system.

The files were reviewed and found to contain personal and protected health information of patients and employees. The types of information involved varied from individual to individual and may have included names in combination with one or more of the following: Social Security number, date of birth, medical or health information, diagnostic and treatment information, health insurance information, billing or payment information, and/or tax/financial information.

Tri Century Eye Care has implemented additional security measures to reduce the risk of similar incidents in the future, including enforcing stronger password requirements, requiring more frequent password changes, reducing access permissions, and ensuring older data is stored offline. The HHS’ Office for Civil Rights has been notified about the incident, as has the FBI. The OCR breach portal is not currently showing the data breach, so it is unclear how many individuals have been affected.

The Pear threat group claimed responsibility for the incident. Pear (Pure Extraction And Ransom) is a private hacking group that does not engage in data encryption. While no specific industry is targeted, the group has claimed several healthcare victims. Pear claims to have exfiltrated 3.3 GB of data, and appears to have leaked the full dataset.

Pittsburgh Gastroenterology Associates

Pittsburgh Gastroenterology Associates has notified patients about an August 2025 cyberattack that involved unauthorized access to patient information. This appears to have been a ransomware attack, based on the description in its breach notification letters. Network disruption was experienced on August 12, 2025, and after taking steps to secure its IT systems, an investigation was launched to determine the nature and scope of the activity. Assisted by digital forensics specialists, Pittsburgh Gastroenterology Associates determined on August 28, 2025, that a threat actor had accessed its network and may have exfiltrated files containing patient information.

The exposed files were reviewed and found to contain first and last names, birth dates, treatment and procedure information, and health insurance information. Social Security numbers and financial information were not involved, and there was no unauthorized access to its electronic medical record system. Third-party experts have been engaged to conduct a full review of its security practices, and enhancements have been made to improve network and data security.

The Sinobi ransomware group claimed responsibility for the attack and added Pittsburgh Gastroenterology Associates to its dark web data leak site. The dark web leak site appears to list the full 198 Gb of data stolen in the attack.

NAHGA Claims Services

The National Accident Health General Agency (NAHGA) Claims Servicers, a Bridgton, Maine-based third-party administrator specializing in accident and health insurance claims, has recently notified state attorneys general about a recent security incident involving unauthorized access to its computer network. Suspicious network activity was identified on April 13, 2025, and third-party cybersecurity experts were engaged to investigate the activity.

The investigation revealed that its computer network had been accessed by an unauthorized third party between April 8, 2025, and April 10, 2025, during which time certain files on its network may have been acquired. A review was conducted to determine the types of information compromised in the incident, and that process was completed in October. NAHGA has been working with the affected clients to issue notifications to the affected individuals.

At present, it is unclear how many individuals have been affected; however, given that NAHGA provides services nationally, the data breach has the potential to be significant. NAHGA is offering the affected individuals complimentary credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy. NAHGA has also taken steps to improve network and data security to prevent similar data breaches in the future.

Legacy Health

Legacy Health, a Texas revenue cycle management company that works with more than 12,000 healthcare providers, has recently disclosed a security incident that has exposed patient data.  Little is currently known about the data breach, other than it potentially involves unauthorized access to individuals’ names, medical information, and health insurance information. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected in total, although the Texas Attorney General was informed that 4,031 Texas residents have been affected.

The post Tri Century Eye Care & Pittsburgh Gastroenterology Associates Announce Data Breaches appeared first on The HIPAA Journal.

Pomona Valley Hospital Medical Center Pays $600K to Settle Meta Pixel Lawsuit

Posted by Steve Alder

Pomona Valley Hospital Medical Center in California has agreed to pay $600,000 to resolve all claims in class action litigation over its use of Meta Pixel and similar tracking technologies on its public website. According to the lawsuit, the tracking tools resulted in an impermissible disclosure of personally identifiable information to third parties such as Meta (Facebook).

The lawsuit – Warren v. Pomona Valley Hospital Medical Center – was filed in the Superior Court of the State of California, County of Los Angeles, and alleged the use of these tools violated wiretapping and other statutes. Pomona Valley Hospital Medical Center denies all material allegations in the lawsuit and maintains there was no wrongdoing or liability; however, the decision was made to settle the litigation to avoid the costs and risks associated with a trial and related appeals.

Following extensive arm’s-length negotiations, a settlement in principle was reached, and the full terms of the settlement have now been finalized and approved by the court. Under the terms of the settlement, Pomona Valley Hospital Medical Center has agreed to establish a $600,000 settlement fund to cover attorneys’ fees, administrative expenses, service awards, and benefits to the class members.

After all fees and expenses have been deducted from the settlement fund, the remainder will be paid to class members as a pro rata cash payment. Class members are California residents who visited the Pomona Valley Hospital Medical Center website and logged into the patient portal between January 1, 2019, and December 31, 2022.

The deadline for objection to and exclusion from the settlement is December 9, 2025, and the final fairness hearing has been scheduled for January 5, 2026. Class members will be contacted directly about the settlement and may choose how they receive their cash payment (check, PayPal, Venmo, etc.), or may do so via the settlement website: https://pvhmcsettlement.com/

The post Pomona Valley Hospital Medical Center Pays $600K to Settle Meta Pixel Lawsuit appeared first on The HIPAA Journal.

Neuromusculoskeletal Center of The Cascades Settlement Provides Cash Benefits for Breach Victims

Posted by Steve Alder

Neuromusculoskeletal Center of The Cascades, PC, and Cascade Surgicenter LLC in Oregon have agreed to settle class action litigation stemming from an October 2023 data incident. An unauthorized third party gained access to employee email accounts between October 2, 2023, and October 3, 2023. While the unauthorized access was detected and remediated promptly, the hackers had access to sensitive data such as names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial information, medical information, health insurance information, and digital signatures.

Notification letters were mailed to the affected individuals on December 1, 2023. The Oregon Attorney General was informed that the breach affected 22,796 individuals, and the HHS’ Office for Civil Rights was notified that the protected health information of 19,373 individuals was potentially compromised in the attack.

A class action lawsuit was filed by plaintiff Krysta Hakkila individually and on behalf of similarly situated individuals, which was followed by a second lawsuit filed by plaintiff Ida Vetter. The two lawsuits were consolidated in the Circuit Court of Deschutes County, Oregon – Hakkila et al. v. Neuromusculoskeletal Center of The Cascades, PC.

The lawsuit claimed that the Neuromusculoskeletal Center of The Cascades failed to implement appropriate security measures and could have prevented the data breach, asserting claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, invasion of privacy, and violations of the Oregon Unlawful Trade Practices Act. Neuromusculoskeletal Center of The Cascades disagrees with the claims and maintains there was no wrongdoing and is no liability.

The defendants and the plaintiffs agreed to settle the lawsuit with no admission of wrongdoing or liability to avoid the cost and risks of a trial. The settlement has recently received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for two years of medical data monitoring (CyEx Medical Shield Total), reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to a maximum of $500 per class member, reimbursement for documented lost time dealing with the effects of the data breach (up to four hours at $25 per hour), and reimbursement of losses to identity theft and fraud, up to a maximum of $2,500 per class member. Class members who do not wish to claim any of the above benefits may submit a claim for an alternative one-time cash payment of $80.

The deadline for submitting a claim is December 26, 2025. The final approval hearing has been scheduled for January 9, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by November 25, 2025.

The post Neuromusculoskeletal Center of The Cascades Settlement Provides Cash Benefits for Breach Victims appeared first on The HIPAA Journal.

New Jersey Medical Center Suffers Ransomware Attack

Posted by Steve Alder

Central Jersey Medical Center in New Jersey has experienced a ransomware attack. David A. Nover, M.D, is notifying patients about a hacking incident, and Goglia Nutrition (FuturHealth) has announced an October 2024 data breach.

Central Jersey Medical Center, New Jersey

Central Jersey Medical Center, Inc., a Federally Qualified Health Center with locations in Perth Amboy, Newark, and Carteret, New Jersey, has started notifying dental patients about a recent security incident. On August 25, 2025, a cybercriminal actor gained access to its dental server’s network and used ransomware to encrypt files.

An investigation was launched to determine the nature and scope of the activity, and a review was conducted to identify the patients affected and the types of information that were exposed. The electronic medical record system was unaffected; however, files containing patient information were potentially accessed or obtained. At the time of issuing notification letters, Central Jersey Medical Center had not found any evidence to indicate any misuse of the exposed data. The Sinobi ransomware group claimed responsibility for the attack and added the healthcare provider to its data leak site. Sinobi claims to have exfiltrated 930 GB of data.

The types of information involved varied from patient to patient and may have included names in combination with one or more of the following: address, telephone number, email address, date of birth, race/ethnicity, Social Security number, dental record number, health insurance information, dental diagnosis, treatment history, and/or billing information.

Third-party cybersecurity experts were engaged to investigate the incident and review and enhance security, and internal procedures have been strengthened to prevent similar incidents in the future. The data breach has been reported to regulators; however, it is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

David A. Nover, M.D., P.C., Pennsylvania

David A. Nover, M.D., P.C., a psychiatry and psychotherapy practice in Warrington, Pennsylvania, is notifying patients about a recent security incident that exposed patient information. On or around June 3, 2025, unusual activity was identified within the practice’s computer network. An investigation was launched, with assistance provided by legal counsel and third-party digital forensics specialists. The investigation confirmed unauthorized access to the network on June 3, 2025, and some files containing patient information were copied from the network. The exposed files have been reviewed, and that process was completed on October 29, 2025.

Information potentially compromised in the incident included names, dates of birth, Social Security numbers, payment card information (number, expiration date, access information), medical record numbers, patient IDs or account numbers, Medicare numbers, health insurance ID numbers, health insurance group numbers, medical diagnosis information, medical treatment information, medical treatment location, doctors’ names, treatment dates, and medical lab or test results. Credit monitoring and identity protection services have been offered to the affected individuals. The data breach is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

FuturHealth, California

Goglia Nutrition, doing business as FuturHealth, Inc., a California-based health and wellness company specializing in nutrition plans and weight management, has experienced a data security incident. According to the notification letters mailed on October 17, 2025, the data breach occurred in October 2024.

According to the notification letters, on October 16, 2024, an unknown actor gained access to a data storage environment containing G-Plan data. The review of the affected storage environment has recently concluded and confirmed that the data compromised in the incident included names and information provided by customers as part of their subscription. Highly sensitive information such as Social Security numbers, driver’s license numbers, and financial information was not involved. The number of affected individuals has yet to be publicly disclosed.

The post New Jersey Medical Center Suffers Ransomware Attack appeared first on The HIPAA Journal.

U.S. Nationals Indicted for BlackCat Ransomware Attacks on Healthcare Organizations

Posted by Steve Alder

Two U.S. nationals have recently been indicted for using BlackCat ransomware to attack targets in the United States. A third individual is suspected of involvement but was not included in the indictment. All three individuals worked at cybersecurity companies and conducted the attacks while they were employed there.

Ryan Clifford Goldberg was employed by the cybersecurity firm Sygnia as an incident response professional, and Kevin Tyler Martin and an unnamed co-conspirator were both employed by the Chicago-based cyber threat intelligence and incident response firm DigitalMint as ransomware threat negotiators.

The two indicted individuals are alleged to have engaged in a conspiracy to enrich themselves by breaching company networks, stealing their data, using ransomware to encrypt files, and extorting the companies to obtain cryptocurrency payments. A medical device company was attacked on or around May 13, 2023, resulting in a $10 million ransom demand.  The medical device company negotiated and paid a $1,274,000 ransom payment.

A pharmaceutical company was also attacked in May 2023, but the ransom demand was not disclosed. Then came a July 2023 attack on a doctor’s office in California, which included a $5,000,000 ransom demand. In October 2023, an engineering company was attacked and told to pay $1 million, then in November 2023, a drone manufacturer in Virginia was attacked, and the defendants allegedly demanded a $300,000 ransom payment. Only the medical device company paid the ransom.

Kevin Tyler Martin, who resides in Texas, was employed as a ransomware negotiator by DigitalMint between May 2023 and April 2025, where the unnamed Florida-based co-conspirator also worked. Both individuals are thought to have been rogue employees and have been fired by DigitalMint, which has been cooperating with the law enforcement operation. Ryan Clifford Goldberg was employed as an incident response manager at Sygnia Cybersecurity Services at the time of the attacks, but no longer works for the company.

There are no indications that either company was aware of the attacks, which were conducted outside of their infrastructure and systems. DigitalMint said client data was not compromised in the incident, and no one alleged to have been involved in the scheme has worked for the company in over four months.

The FBI raided the home of the unnamed co-conspirator in April 2025, and Goldberg was interviewed by the FBI the following month, initially denying involvement in the scheme. Goldberg later claimed to have been recruited by the unnamed co-conspirator and said he conducted the attacks to get out of debt. He claims that, along with the other two members of the scheme, he received payment of $200,000 for the attack. Martin denies any involvement in the scheme.

Martin and Goldberg were indicted on October 2, 2025, on charges of conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce, and intentional damage to a protected computer. Martin has been released on a $400,000 bond and is prohibited from working in cybersecurity before the trial.

Goldberg is being held pending trial as he is considered a flight risk. Goldberg booked a one-way flight from Atlanta to Paris in June and traveled with his wife. He remained in France until September 21. Goldberg flew from Amsterdam to Mexico City and was arrested when he landed and deported to the United States. If found guilty, Martin and Goldberg face up to 50 years in jail.

The post U.S. Nationals Indicted for BlackCat Ransomware Attacks on Healthcare Organizations appeared first on The HIPAA Journal.

Oglethorpe Hacking Incident Affects More Than 92,000 Patients

Posted by Steve Alder

A Tampa, FL-based network of mental health and addiction recovery treatment facilities has recently disclosed a security incident that involved unauthorized access to patient data. Oglethorpe offers management solutions for health centers, wellness clinics, and hospitals that specialize in psychiatric services, substance abuse treatment programs, and behavioral health counseling, and has facilities in Florida, Louisiana, and Ohio.

In June 2025, Oglethorpe experienced a hacking incident that rendered its systems inoperable for a limited time.  Third-party cybersecurity experts were engaged to help contain, investigate, and remediate the incident. The investigation revealed that the hackers first gained access to its network on May 15, 2025, and maintained access until June 6, 2025. The investigation concluded on September 16, 2025, when it was confirmed that files containing patient information had been exfiltrated from its network. Those files were reviewed, and that process was completed on October 23, 2025, when Oglethorpe learned that first and last names, birth dates, Social Security numbers, driver’s license numbers, and medical information were involved.

Oglethorpe said no evidence has been found to indicate any misuse of the impacted information; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months.

In response to the breach, all systems were wiped and rebuilt, and data was restored from backups. Steps have also been taken to improve network security to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights website; however, the Maine Attorney General was informed that the breach affected 92,332 individuals, including 85 Maine residents.

Northern Montana Health Care Affected by Business Associate Hacking Incident

Havre, MT-based Northern Montana Health Care (NMHC) has been affected by a data breach at one of its business associates. NMHC contracted with Wakefield & Associates, LLC, which provides debt collection services. On October 29, 2025, NMHC published a notice warning patients about a security incident at Wakefield & Associates, which involved unauthorized access to certain files. The incident was confined to the Wakefield & Associates network. No NMHC systems were affected.

Wakefield & Associates is notifying the affected individuals directly, and the individual letters state the types of information involved. NMHC has confirmed that Wakefield & Associates is offering the affected individuals complimentary credit monitoring and identity theft protection services. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post Oglethorpe Hacking Incident Affects More Than 92,000 Patients appeared first on The HIPAA Journal.

Therapeutic Health Services Pays $790K to Resolve Class Action Data Breach Litigation

Posted by Steve Alder

Therapeutic Health Services, a Seattle, WA-based provider of opioid addiction treatment, mental health counseling, and rehabilitation for alcohol and drug addiction recovery, has agreed to settle class action litigation over a February 2024 hacking incident that exposed the protected health information of more than 14,000 patients.

The incident was detected on February 26, 2024, and the investigation confirmed that patients’ names, dates of birth, Social Security numbers, and health information were compromised in the incident. The Hunters International threat group claimed responsibility for the cyberattack. Four class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Kersey, et al., v. Therapeutic Health Services – in the Superior Court of the State of Washington, King County.

The lawsuit alleged that Therapeutic Health Services failed to implement appropriate safeguards to protect sensitive data on its network, resulting in the exposure and theft of the sensitive information of current and former patients and employees. Therapeutic Health Services maintains that there was no wrongdoing and denies all allegations and all liability, does not believe that the class members suffered any damage, nor that the action satisfies the requirements to be certified or tried as a class action lawsuit. After determining that the litigation would likely be protracted and expensive, the decision was taken to settle the litigation. The plaintiffs believe that the settlement that has been negotiated is fair and in the best interests of all class members.

Under the terms of the settlement, Therapeutic Health Services has agreed to establish a $790,000 settlement fund to cover attorneys’ fees and expenses, service awards, settlement administration costs, and class members’ claims. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may be submitted for a cash payment of up to $100, which may be adjusted pro rata depending on the number of valid claims received. All class members may also claim three years of three-bureau credit monitoring services.

Claims must be submitted by January 13, 2026, and the final fairness hearing has been scheduled for January 23, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by December 15, 2025.  Further information can be found on the settlement website, https://www.thsdatasettlement.com/

The post Therapeutic Health Services Pays $790K to Resolve Class Action Data Breach Litigation appeared first on The HIPAA Journal.