Author Archives: Steve Alder

$6.5 Million Settlement Resolves Omni Family Health Class Action Data Breach Lawsuit

Posted by Steve Alder

Omni Family Health, a network of 39 community health centers in Kern, Kings, Tulare, and Fresno counties in California, experienced a cyberattack in 2024. A $6.5 million settlement has recently been agreed to resolve the resultant class action litigation.

Omni Family Health experienced a cyberattack in February 2024 that caused a 5-day outage of its IT systems. The cyberattack was investigated at the time; however, no evidence was found to indicate that any patient data had been compromised in the incident. On August 7, 2024, Omni Family Health was made aware that a threat actor (Hunters International) had claimed to have compromised its network and had posted data allegedly stolen in the attack on the dark web.

Omni Family Health investigated and concluded that the data was real and issued notifications to the 468,344 affected individuals, who included current and former patients and employees. Data potentially stolen in the attack included names, addresses, Social Security numbers, dates of birth, health insurance information, and medical information. The affected individuals were notified about the data breach on October 10, 2024.

The first three class action lawsuits were filed in the Eastern District of California on October 20, 2024, and subsequently, 19 separate actions were filed in the Superior Court of the State of California, Kern County. All 21 actions were consolidated into a single action first in the Eastern District of California, and were then remanded to the Superior Court on January 14, 2025, with the case Pace v. Omni Family Health designated as the lead case.

Omni Family Health denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. Despite believing that it had good defenses to all of the claims, Omni Family Health moved to settle the litigation to avoid the time, expense, risk, exposure, inconvenience, and uncertainty of a trial and related appeals. Class counsel evaluated the costs, risks, and uncertainty of continuing with the litigation, and based on an analysis of comparable settlements, determined that the settlement was in the best interests of all class members. The settlement has recently been granted preliminary approval by the court, and the final fairness hearing has been scheduled for February 26, 2026.

Omni Family Health has agreed to establish a $6,500,000 settlement fund, from which attorneys’ fees and expenses (approximately $2.2 million), class representative awards ($1,500 per named plaintiff, totaling $30,000), and settlement notification and administration costs will be deducted. The remainder of the settlement will be used to pay benefits to the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a pro rata cash payment, which has been calculated to be $105.56 per class member based on a 4% claim rate. All class members are also entitled to claim two years of single-bureau credit monitoring and identity theft protection services, and members of the California resident subclass may claim an additional pro rata cash payment of $100. The cash payments may be adjusted based on the number of valid claims received, and will be calculated after credit monitoring costs have been deducted from the settlement fund.

Omni Family Health has also agreed to implement changes to its business practices and make several security enhancements to prevent similar incidents in the future. The cost of those security enhancements will not be paid from the settlement fund. Individuals wishing to object to the settlement or exclude themselves have until December 5, 2025, to do so, and claims must be submitted by January 5, 2026.

The post $6.5 Million Settlement Resolves Omni Family Health Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

CarePro to Pay $1.3 Million to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

The Iowa-based healthcare company, CarePro Health Services, has agreed to pay $1.3 million to settle class action litigation stemming from a November 2023 cyberattack and data breach affecting up to 151,499 individuals.

The cyberattack that triggered the lawsuit was first identified by CarePro on November 16, 2023. Unauthorized individuals remotely accessed a system where unencrypted patient data was stored. Files containing patients’ protected health information were exfiltrated from the network before the intrusion was detected and blocked. Data compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial account information, and medical/health information. The affected individuals were offered complimentary credit monitoring and identity theft protection services.

A lawsuit was filed shortly after notifications were mailed to the affected individuals by CarePro patient Brandi Bell, individually and on behalf of similarly situated individuals. The lawsuit was soon followed by another complaint filed by Brandie Keegan, individually and on behalf of her minor child, and similarly situated individuals. The lawsuits were consolidated into a single complaint, Bell et al. v. C.R. Pharmacy Services, Inc. d/b/a CarePro Health Services – in the Iowa District Court for Linn County.

The lawsuit claimed that the plaintiffs suffered concrete injuries as a direct result of the data breach, including invasion of privacy, lost or diminished value of private information, lost time and opportunity costs, and loss of benefit of the bargain. The plaintiffs’ and class members’ personal and protected health information remain in the hands of cybercriminals, placing them at an increased risk of identity theft and fraud for years to come.

The plaintiffs claim that the data breach could have and should have been prevented, as the defendant failed to implement adequate and reasonable cybersecurity measures to protect patient data, recklessly maintaining patient information. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, breach of fiduciary duty, breach of confidence, unjust enrichment, invasion of privacy-intrusion upon seclusion, and violations of the Iowa Consumer Fraud Act and Iowa Personal Information Security Breach Protection Act.

CarePro denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. All parties agreed that further litigation, a trial, and any related appeals would likely be protracted and expensive and involve risks and uncertainties for all parties, so the decision was taken to settle the litigation. It took several months of negotiations; however, a settlement has been agreed upon that is acceptable to all parties.

The settlement includes three benefits for class members, which will be paid for from a $1,300,000 settlement fund after attorneys’ fees and expenses, class representative service awards, and settlement administration costs have been deducted.

A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. In addition to or instead of a claim for reimbursement of losses, class members may claim a pro rata cash payment, which is expected to be $100 per class member. The cash payment will be adjusted upwards or downwards depending on the number of valid claims received.

All class members are also entitled to claim two years of three-bureau credit monitoring, dark web monitoring, and identity theft protection services. The cost of the credit monitoring services will be deducted from the settlement fund before the cash payments are calculated. The deadline for exclusion from and opting out of the settlement is December 3, 2025. Claims must be submitted by December 3, 2025, and the final fairness hearing has been scheduled for January 23, 2025.

The post CarePro to Pay $1.3 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Audit Uncovers Security Weaknesses in the NIH All of Us Security Program

Posted by Steve Alder

An audit of the National Institutes of Health (NIH) All of Us Research Program has uncovered privacy and security weaknesses that put the health information of more than 1 million individuals at risk of compromise.

The All of Us Research Program was launched in 2015 as part of the NIH Precision Medicine Initiative to advance disease prevention and treatment by making the personal health and genomics data of more than 1 million individuals available for research purposes. Unlike research studies that focus on a specific disease or cohort of people, the All of Us Research database can be used to study a wide range of health conditions and diseases. The data is housed by the Data and Research Center (DRC) and is managed by an NIH award recipient, Vanderbilt University Medical Center. The All of Us database is one of the largest health research databases of its kind.

While general data about the entire group of participants can be viewed by anyone, only researchers approved by the All of Us Research Program are allowed to view data from individual participants. Such a large database of health information is extremely valuable; therefore, robust privacy and security measures must be implemented to protect research participants’ data from cybersecurity and national security threats.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has recently published the findings of a 2024 audit that sought to determine whether appropriate access controls had been implemented by the DRC award recipient, if appropriate privacy and security controls were in place, and if information security and privacy weaknesses had been addressed in accordance with federal standards.

HHS-OIG determined that the DRC award recipient had implemented some cybersecurity controls, including vulnerability scanning, penetration testing, flaw remediation, system monitoring, incident response, contingency planning, disaster recovery, and security awareness training; however, controls were inadequate in some areas, which put research participants’ data at an increased risk of compromise.

HHS-OIG identified access control weaknesses. For instance, while authorized users were permitted to remotely access the information systems from foreign countries with prior approval, there were no controls in place to restrict access to only the individuals who had received approval. As such, any authorized user could access the information systems from a foreign country. While downloads of detailed participants’ data are prohibited, there were no access controls in place to prevent data downloads.

HHS-OIG also found that the DRC award recipient failed to communicate national security concerns associated with the maintenance of genomic data to NIH and did not resolve identified weaknesses and vulnerabilities within the timeframe stipulated by NIH in its award agreement. As such, there was an increased risk of research participants’ data, including genomic data, being accessed, downloaded, and misused by bad actors, including foreign adversaries.

HHS-OIG made five recommendations to NIH to improve oversight of the All of Us Research Program and address the identified privacy and security issues. NIH concurred with all five recommendations and is implementing measures to address the privacy and security weaknesses. NIH has confirmed that measures already fully implemented include controls to resolve the remote access security issues, and access from certain countries of concern has been blocked, including China, Cuba, Iran, Russia, and North Korea.

The post Audit Uncovers Security Weaknesses in the NIH All of Us Security Program appeared first on The HIPAA Journal.

Fortinet Patches Actively Exploited FortiWeb Zero Day Flaw

Posted by Steve Alder

Patches have been released to fix a critical OS command injection vulnerability affecting Fortinet web application firewalls. The FortiWeb zero-day vulnerability is rated medium-severity with a CVSS score of 6.7 out of 10; however, the vulnerability is being actively exploited in the wild.

The vulnerability, tracked as CVE-2025-58034, can only be exploited by an authenticated attacker, hence the relatively low CVSS score, but the vulnerability can be exploited in a low-complexity attack and will allow the attacker to execute unauthorized code on the underlying system. The vulnerability can be exploited via specially crafted HTTP requests or CLI commands. The vulnerability was identified by Jason McFadyen of Trend Micro’s Trend Research team and is due to improper neutralization of special elements in an OS command.

The vulnerability affects multiple FortWeb versions:

Vulnerable Versions Fixed Versions
FortiWeb 8.0.0 through 8.0.1 FortiWeb 8.0.2 and above
FortiWeb 7.6.0 through 7.6.5 FortiWeb 7.6.6 and above
FortiWeb 7.4.0 through 7.4.10 FortiWeb 7.4.11 and above
FortiWeb 7.2.0 through 7.2.11 FortiWeb 7.2.12 and above
FortiWeb 7.0.0 through 7.0.11 FortiWeb 7.0.12 and above

This is the second vulnerability in FortiWeb to be identified and patched recently. Last week, Fortinet announced that a critical path traversal vulnerability in FortiWeb, tracked as CVE-2025-64446 (CVSS v3.1 9.4), received a silent patch on October 28, 2025. The vulnerability can be exploited by an unauthenticated attacker to execute administrative commands on the system via specially crafted HTTP or HTTPS requests.

The vulnerability affects versions 8.0.2 through 8.0.1 and versions 7.6.0 through 7.6.4. The vulnerability was fixed in version 8.0.2 and above, and version 7.6.5 and above. Defused reports that there has been active exploitation of the vulnerability, although that has yet to be confirmed by Fortinet. It is unclear why a security advisory about the flaw was not released at the time the patch was released.

The post Fortinet Patches Actively Exploited FortiWeb Zero Day Flaw appeared first on The HIPAA Journal.

St. Anthony Hospital in Chicago Notifies Patients About February Data Breach

Posted by Steve Alder

Data breaches have recently been announced by St. Anthony Hospital in Chicago, Intercommunity Action in Pennsylvania, and Munson Healthcare in Michigan.

St. Anthony Hospital

St. Anthony Hospital in Chicago, IL, has recently discovered unauthorized access to certain employees’ email accounts. The unauthorized access was identified on February 6, 2025, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity and the extent of any data exposure or theft.

The investigation confirmed that the compromised email accounts contained the personal and protected health information of patients and staff members. The HHS’ Office for Civil Rights breach portal shows that the protected health information of 6,679 was exposed. Information potentially compromised in the incident included names, addresses, telephone numbers, birth dates, Social Security numbers, dates of service, medical record numbers, patient account numbers, medical histories, diagnoses/conditions, treatment information, and prescription information. While sensitive information has been exposed, St. Anthony Hospital has not detected any misuse of the exposed data.

Intercommunity Action Inc.

Intercommunity Action, a Philadelphia, PA-based provider of resources for aging, behavioral health, and individuals with intellectual and developmental disabilities, has notified 2,680 individuals about a recent data security incident involving unauthorized access to its computer network. The security breach was identified on May 29, 2025, and the forensic investigation confirmed that unauthorized connections had been made to its network from May 28, 2025, to May 29, 2025. During that time, files were exfiltrated from its network, and Intercommunity Action warned that the stolen data had potentially been made available online. Intercommunity Action is unaware of any instances of data misuse as a result of the incident.

A review of the affected files revealed that they contained patient information such as first and last names, dates of birth, addresses, Social Security Numbers, driver’s license numbers, state identification numbers, bank account information, credit card numbers, other financial information, claims information, diagnosis/conditions, medications, or other treatment information. The types of information involved varied from individual to individual.

As a precaution against misuse of the affected data, individuals whose Social Security numbers, driver’s license numbers, state ID numbers, and/or bank account information were involved have been offered complimentary identity theft protection services. Steps have also been implemented to prevent similar incidents in the future, including changing passwords, blocking the unauthorized users’ IP addresses, and implementing additional safeguards to strengthen security.

Munson Healthcare

Munson Healthcare, the largest health system in Northern Michigan, has notified 1,186 patients about a mis-mailing incident caused by an error when migrating patient information to a new computer system. The error occurred on January 25, 2025, and resulted in the individual responsible for paying bills being accidentally changed to someone who was previously responsible. The issue was not detected until June 2, 2025.

As a result of the error, some patients’ bills were sent to the wrong individuals. An investigation was launched to determine the root cause of the error and the patients affected. The errors in the data were changed and updated to the correct bill payer, and a technical fix was implemented on June 24, 2025, to prevent further bills from being sent to incorrect individuals. Data impermissibly disclosed was limited to a patient’s name, location of services, balance owed, insurance type, and the type of service. The affected individuals have been advised to review the bills issued after January 25, 2025, to ensure that the billing information is correct.

The post St. Anthony Hospital in Chicago Notifies Patients About February Data Breach appeared first on The HIPAA Journal.

Discovery Practice Management Settle Lawsuit Over 2020 Data Breach

Posted by Steve Alder

Discovery Practice Management, a California-based healthcare provider, has agreed to settle a class action lawsuit stemming from a June 2020 breach of its email environment. An unauthorized third party accessed employee email accounts between June 22, 2020, and June 26, 2020, and obtained sensitive information relating to patients of the Authentic Recovery Center and Cliffside Malibu facilities in California. The data breach was reported to the HHS’ Office for Civil Rights as affecting up to 12,859 individuals.

Data potentially compromised in the incident included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license numbers, and clinical information, such as diagnosis, treatment information, and prescription information. It took almost a year for the emails to be reviewed and notification letters to be issued to the affected individuals.

In February 2021, a class action lawsuit – JeanPaul Magallanes, et al v. Discovery Practice Management, Inc. – was filed in response to the data breach by JeanPaul Magallanes that alleged that Discovery Practice Management failed to implement appropriate measures to safeguard sensitive data stored on its network, then failed to issue adequate and timely notification letters when its email environment was compromised.

The alleged cybersecurity failures included insufficient monitoring of inbound emails, insufficient training of its workforce on email-based threats, and the failure to encrypt a data server that became accessible to unauthorized individuals who compromised two employee email accounts. Despite the significant risk to the affected patients, it took 335 days from the date of discovery to issue notification letters, which the lawsuit claims violated HIPAA and the California Consumer Records Act.

The lawsuit claims the actions of the defendant violated the California Confidentiality of Medical Information Act, California Unfair Competition Law, and the California Consumer Records Act. All parties agreed to engage in settlement discussions to avoid the cost and risk of a trial, and a settlement has been agreed upon with no admission of wrongdoing by Discovery Practice Management. The settlement has recently been granted preliminary approval by Judge Glenda Sanders of the Superior Court of the State of California, for the County of Orange.

Under the terms of the settlement, all class members are entitled to claim a three-year membership to CyEx’s Identity Defense Total Service, and must enroll by December 9, 2025. In addition, claims may be submitted for reimbursement of documented, unreimbursed ordinary and extraordinary losses caused by the data breach. Claims for reimbursement of ordinary losses are capped at $250 per class member, and claims for reimbursement of extraordinary losses are capped at $1,000 per class member.

The deadline for objection to the settlement, exclusion from the settlement, and submitting a claim is November 24, 2025. The final fairness hearing has been scheduled for February 5, 2026.

The post Discovery Practice Management Settle Lawsuit Over 2020 Data Breach appeared first on The HIPAA Journal.

Cyberattack Volume Increases Fueled by 48% YOY Increase in Ransomware Attacks

Posted by Steve Alder

Cyber threat actors had a busy October, with attack volume up 2% month-over-month and 5% year-over-year. In October, organizations experienced an average of 1,938 cyberattacks per week, according to the latest data from cybersecurity firm Check Point.

While attacks are up across all sectors, there was a 15% year-over-year fall in attacks on the health and medical sector, with 2,094 reported attacks in October. The biggest increases were seen in the agriculture (+71%) and information technology sectors (+48%). Education was the most targeted sector with 4,470 attacks, up 5% from October 2024. Latin America experienced the highest number of attacks, with attacks up 16% from October 2024, but the biggest increase was seen in North America, with an average of 1,464 attacks per week, up 18% from October 2024.

Check Point reports that the rise in attacks was fueled by the growing sophistication of ransomware, with attacks dramatically increasing in October. Check Point tracked 801 reported attacks in October, which is a 48% increase compared to September. While Latin America experiences more attacks than any other region, North America was the main target of ransomware groups, accounting for 62% of incidents, ahead of Europe with 19% of attack volume. In October, 57% of reported victims were in the United States, and there was a 56.8% increase in attacks compared to September.

Qilin was the most active ransomware group, accounting for 22.7% of attacks in October. The group has evolved into a sophisticated ransomware-as-a-service organization, attracting new affiliates due to its extensive affiliate support. Akira took second spot with 8.7% of attacks, and the recently emerged Sinobi ransomware group took third spot with 7.8% of attacks.

While all three groups attack healthcare organizations, the healthcare sector appears to be a key focus of the Sinobi group. Sinobi is a ransomware-as-a-service group with a professional structure, highly skilled internal operators, and a team of carefully vetted affiliates. Sinobi primarily targets mid- to large-sized organizations, primarily in the United States and allied countries.

Sinobi claims on its dark web data leak site to have attacked East Jefferson General Hospital, Greater Mental Health of New York, Johnson Regional Medical Center, Judson Center, Middlesex Endodontics, Newmark Healthcare Services, Phoenix Village Dental, Queens Counseling for Change, South Atlanta Medical Clinic, and Watsonville Community Hospital since the group emerged in mid-2025.

Check Point also cautioned about the expanding risks associated with generative AI (GenAI) as enterprise use of GenAI tools continues to grow. One of the biggest threats is the exposure of sensitive data. Check Point reports that in October, 1 out of every 44 GenAI prompts submitted through business networks posed a high risk of sensitive data leakage, something that is especially concerning in healthcare due to the risk of exposure of protected health information.

Check Point reports that 87% of organizations that use GenAI tools regularly experience this type of sensitive data exposure, and many organizations are unaware of the risk. While workers use authorized and managed GenAI tools, on average, 11 different GenAI tools are used by organizations each month, most of which are likely to be unsupervised.

“As ransomware groups evolve and GenAI risks proliferate, organizations must strengthen their threat prevention, data security, and AI governance strategies to stay ahead of adversaries,” suggests Check Point.

The post Cyberattack Volume Increases Fueled by 48% YOY Increase in Ransomware Attacks appeared first on The HIPAA Journal.

HSCC Publishes Preview of Health Sector AI Cybersecurity Risk Guidance

Posted by Steve Alder

In Q1, 2026, the Health Sector Coordinating Council (HSCC) plans to publish AI cybersecurity guidelines for the healthcare sector. Last week, the HSCC Cybersecurity Working Group (CWG) published previews of the cybersecurity guidance ahead of the full release next year.

Artificial intelligence has tremendous potential in healthcare; however, it introduces cybersecurity risks that must be managed and reduced to a reasonable level. To better prepare the health sector, the HSCC CWG established an AI Cybersecurity Task Force in October 2024, consisting of individuals from 115 healthcare organizations across the spectrum. The Cybersecurity Task Group has considered the complexity and the associated risks of AI technology in clinical, administrative, and financial health sector applications, and divided the identified AI issues into five manageable workstreams of discrete functional risk areas:

  • Education and enablement
  • Cyber operations & defense
  • Governance
  • Secure by design
  • Third-party AI risk and supply chain transparency

Significant progress has been made across all workstreams, and in January, guidance will be published covering each of these areas. The guidelines will include best practices for healthcare organizations to adopt, and while not legally binding, they will help the sector effectively manage and reduce AI cybersecurity risks.

Ahead of the release, HSCC CWG published one-page summaries for each of these workstreams detailing the objectives, key focus areas, and deliverables in each area. HSCC CWG has also published a foundational document that describes the most important AI terms that healthcare organizations need to be aware of.

The education and enablement workstream covers the common terms and language used throughout the guidance to familiarize users with the use of AI in their functional environments and help them better understand risk and apply control activities.

The cyber operations and defense workstream provides practical playbooks for preparing for, detecting, responding to, and recovering from AI cyber incidents. That includes identifying requirements for conducting optimized AI-specific cybersecurity operations, defining AI-driven threat intelligence processes with appropriate safeguards to support clinical workflows, establishing operational guardrails for AI technologies beyond LLMs, including predictive machine learning systems and embedded device AI, and establishing clear governance and accountability.

The governance workstream provides a comprehensive framework that can be used by healthcare organizations of all sizes to manage the cybersecurity risks in their own clinical environments and ensure that AI is used securely and responsibly. The objective of the secure by design workstream is to define and develop secure-by-design principles specifically for AI-enabled medical devices, including practical guidance and tools to empower manufacturers and stakeholders to ensure the cybersecurity of AI-enabled medical devices throughout the entire product lifecycle.

Third-party AI risks and supply chain transparency aims to strengthen security, trust, and resilience through the enhancement of visibility and transparency of third-party tools, establishing oversight and governance polices, and standardizing processes for procurement, vetting, and lifecycle management.

The guidance will help to improve awareness and understanding of critical risk areas and provides a roadmap for implementing new AI technologies while ensuring safety and responsible use.

The post HSCC Publishes Preview of Health Sector AI Cybersecurity Risk Guidance appeared first on The HIPAA Journal.

Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies

Posted by Steve Alder

Data breaches have recently been identified by Sun Valley Surgery Center in Nevada and American Associated Pharmacies in Alabama.

Sun Valley Surgery Center

Sun Valley Surgery Center in North Las Vegas, Nevada, has identified unauthorized access to its computer network. Anomalous activity was identified within its information systems on September 3, 2025. The forensic investigation confirmed that an unauthorized third party accessed parts of its network where sensitive patient information was stored.

Data potentially compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license/state-issued identification numbers, passport/other government identification numbers, and health information such as health histories, diagnosis/treatment information, explanation of benefits, health insurance information, and/or MRN numbers/patient identification numbers. Sun Valley Surgery Center has implemented additional safeguards and technical security measures to prevent similar incidents in the future. Approximately 27,000 individuals were potentially affected.

American Associated Pharmacies

One of the largest independent pharmacy organizations in the United States has recently fallen victim to a ransomware attack that resulted in the encryption of data on its systems. Scottsboro, AL-based American Associated Pharmacies (AAP) identified suspicious activity, including file encryption, within its computer network on October 23, 2024. Immediate action was taken to contain and mitigate the incident, including shutting down all affected systems and changing passwords to prevent further unauthorized access. The forensic investigation confirmed that initial access occurred ten days prior to the attack on October 13, 2024.

Assisted by third-party cybersecurity professionals, AAP determined that before file encryption, the attackers exfiltrated files from its network. The review of those files has recently been completed, and individual notifications are now being mailed to the affected individuals. Data compromised in the incident varies from individual to individual and may include names, addresses, birth dates, Social Security numbers, passport numbers, driver’s license number/other government-issued identification numbers, bank/financial account numbers/routing numbers, clinical/treatment information, medical information, provider names, medical record numbers, health insurance information, prescription information and/or usernames and passwords.

Several steps have been taken to augment security to prevent similar incidents in the future, including implementing further monitoring tools and expanding the use of multifactor authentication. The affected individuals have been advised to monitor their free credit reports, account statements, and explanation of benefits statements for suspicious activity. Credit monitoring and identity theft protection services have been offered to certain individuals, according to the notification sent to the Maine Attorney General. That notification indicates 8,032 individuals have been affected, including 25 Maine residents.

The post Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies appeared first on The HIPAA Journal.