Author Archives: Steve Alder

Somnia’s $2.4 Million Data Breach Settlement Receives Final Approval

Posted by Steve Alder

A $2.4 million settlement has received final approval from the court to resolve a class action lawsuit against Somnia Inc. and others over a 2022 cyberattack and data breach.

Somnia manages anesthesiology services at more than a hundred surgery centers across the country. In the summer of 2022, Somnia experienced a cyberattack that saw hackers access parts of its network where patient information was stored. The forensic investigation confirmed that names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, medical record numbers, Medicaid/Medicare IDs, and health information were potentially compromised. More than 450,000 individuals had their information exposed in the incident.

Several lawsuits were filed in response to the breach against Somnia, Anesthesia Services of San Joaquin, Palm Springs Anesthesia Services, Resource Anesthesiology Associates of IL, Resource Anesthesiology Association of NM, and Anesthesia Associates of El Paso. The lawsuits were consolidated into a single lawsuit as they all asserted similar claims and were based on the same facts.  The plaintiffs claimed that Somnia was negligent by failing to implement appropriate cybersecurity safeguards to ensure the privacy and confidentiality of the data stored on its network, did not follow industry security standards, and was not fully compliant with the HIPAA Rules.

The plaintiffs claimed they had suffered harm as a result of the data breach, including being placed at an elevated risk of identity theft and fraud. They also alleged that data breach notification letters were delayed and did not contain adequate information about the data breach, including the exact types of information that were stolen. The defendants denied and continue to deny any wrongdoing, and maintain the plaintiffs’ claims have no merit; however, the decision was taken to settle the litigation to prevent further legal costs and to avoid the risks and uncertainties associated with continuing to fight the litigation.

Under the terms of the settlement, a $2,425,000 settlement fund has been established to cover claims from class members for unreimbursed, documented out-of-pocket losses that are plausibly traceable to the data breach. $1 million of the settlement will be paid to the plaintiffs’ lawyers, $50,295 will be deducted to cover litigation expenses, and each of the 9 named plaintiffs will receive a $1,000 service award. The remainder of the settlement will cover class members’ claims, which were capped at $2,500 per class member. Any remaining funds in the settlement fund after claims and expenses have been paid will be paid pro rata to the class members.

The post Somnia’s $2.4 Million Data Breach Settlement Receives Final Approval appeared first on The HIPAA Journal.

HIPAA Compliance for Business Associates

Posted by Steve Alder

HIPAA compliance for business associates has acquired greater significance since the publication of proposals to align the HIPAA Security Rule more closely with HHS’ Healthcare Sector Cybersecurity Strategy – among which is a requirement for covered entities to obtain verifications from business associates that they have implemented measures to protect electronic Protected Health Information.

The implication of this requirement – if finalized – is that covered entities will only be permitted to contract services from business associates that can demonstrate compliance with HIPAA. However, demonstrating compliance with HIPAA is not straightforward for many business associates because what HIPAA compliance for business associates consists of can vary considerably depending on the type of service provided to or on behalf of a covered entity.

Despite the variety of compliance requirements, some areas of HIPAA compliance are common to all business associates. Business associates that can demonstrate compliance with these common areas via independent certification are likely to have a competitive advantage against other service providers to the healthcare industry. This article explains what these common areas of compliance are and what business associates need to do to comply with HIPAA.

What is a HIPAA Business Associate?

A HIPAA business associate is an organization, or a person who is not a member of a covered entity’s workforce, that provides services to or on behalf of a covered entity which enable the business associate to have “persistent access” to Protected Health Information (PHI). Examples of HIPAA business associates include medical billing service providers, software providers (including Managed Service Providers), and accreditation organizations with access to PHI.

There are exceptions to this definition of a HIPAA business associate. Some providers of healthcare and payment services, and organizations or persons for whom access to PHI is incidental or transient, do not qualify as HIPAA business associates. Researchers also do not qualify as HIPAA business associates when PHI is disclosed for research because the purpose of the disclosure is not regulated by the HIPAA Administrative Simplification Regulations.

When an organization or person qualifies as a HIPAA business associate, they are required to comply with all applicable standards, requirements, and implementation specifications of the HIPAA Administrative Simplification Regulations. Each HIPAA business associate must determine which standards, requirements, and implement specifications are applicable to the service being provided, and implement policies, procedures, and other measures as necessary.

Why HIPAA Compliance for Business Associates is Important

When the HIPAA Privacy Rule was published in 2002, covered entities were required to obtain “satisfactory assurances” HIPAA business associates would only use PHI disclosed to them for the purposes of the service being provided, would safeguard the information from misuse, and would help the covered entity comply with some of their HIPAA Privacy Rule obligations by providing a service that enabled the covered entity to carry out its functions compliantly.

However, until the passage of the HITECH Act in 2009, HIPAA business associates could not be held accountable for the failure to uphold their satisfactory assurances. The HITECH Act made HIPAA business associates and their downstream subcontractors directly liable for compliance with certain requirements of the HIPAA Rules. The direct liability of HIPAA business associates and downstream subcontractors was codified in the HIPAA Omnibus Final Rule in 2013.

“Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.” (§160.102(b))

More recently, The Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking in January 2025 which, when finalized, will require covered entities to obtain written verifications from their HIPAA business associates that each HIPAA business associate has deployed and is operating technical safeguards that protect the confidentiality, integrity, and availability of PHI maintained on electronic information systems.

As the Notice of Proposed Rulemaking has the objective of aligning the HIPAA Security Rule with HHS’ Cybersecurity Performance Goals, and as compliance with HHS’ Cybersecurity Performance Goals may also become a condition of participation in Medicare and Medicaid, verifiable HIPAA compliance for business associates may soon become a condition for providing services to or on behalf of covered entities in the healthcare industry.

The Responsibilities of HIPAA Business Associates

The responsibilities of HIPAA business associates are much the same as they were in 2002 – only use PHI for the purposes of the service being provided, safeguard the information from misuse, and support the covered entity’s functions by providing a HIPAA compliant service. HIPAA business associates may use PHI for internal management and administration purposes, but there must be a documented chain of custody if PHI is disclosed to downstream subcontractors.

How HIPAA business associates fulfil their responsibilities depends on their existing status. For example, a software provider that wants to break into the healthcare market may only now be starting their journey to HIPAA compliance, while a Managed Service Provider with existing healthcare clients may already be fulfilling some responsibilities of HIPAA business associates – but not all – and may need to review and revise its operations to achieve full HIPAA compliance.

For the benefit of organizations and persons starting their journeys to HIPAA compliance, this article focuses on the common areas of HIPAA compliance for business associates from start to finish. Existing HIPAA business associates can use this article to identify gaps in compliance activities, while those with additional or uncommon HIPAA compliance responsibilities should seek advice from an independent compliance professional.

The Basics

Do You Qualify as a HIPAA Business Associate?

The first thing to determine is whether the service being provided qualifies you as a HIPAA business associate or subcontractor. If the service does not involve disclosures of PHI by a covered entity or upstream business associate, if disclosures of PHI are incidental or transient, or if the service is exempted under the HIPAA definition of a business associate, it is not necessary to comply with HIPAA (although other privacy and security regulations may apply).

Are disclosures of PHI involved?

Examples of when a service does not involve disclosures of PHI by a covered entity to a third party include when an organization provides email services to a healthcare provider, but the healthcare provider does not use email service to send, receive, or store PHI. Alternatively, an organization could provide software for an on-premises email server, but the organization does not have access to PHI sent, received, stored, or transmitted by the on-premises email server.

Are disclosures of PHI incidental?

Incidental disclosures of PHI are usually considered to be disclosures secondary to permitted disclosures of PHI that cannot reasonably be prevented. In the context of HIPAA compliance for business associates, incidental disclosures are when a third party whose services do not ordinarily involve uses and disclosures of PHI has unintended access to PHI. Examples could include a landscape gardener who recognizes a patient in the garden of a nursing home.

Is access to PHI transient?

Transient disclosures of PHI are disclosures to transmission-only services that do not have repeated or routine access to PHI. Example of third parties that do not qualify as a HIPAA business associate because their access to PHI is transient include the US Postal Service and other private couriers such as Fed-Ex, UPS, and DHL. Internet Service Providers also do not qualify as HIPAA business associates when they are used for transmission purposes only.

Is the service exempted?

Several types of services are exempted from qualifying as HIPAA business associates when the service being provided on behalf of a covered entity is for the treatment of a patient (i.e., medical specialists, laboratories, etc.) or for payment processing. However, the exemption for payment processing only applies to financial institutions providing their “normal” services for customers – not to developers and vendors of payment processing applications.

If You Qualify as a HIPAA Business Associate … …

If you qualify as a HIPAA business associate, there are several activities you must undertake before providing a service for or on behalf of a covered entity. The first is to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. The HIPAA Privacy Officer is responsible for ensuring compliance with all applicable HIPAA Administrative Simplification Requirements, while the HIPAA Security Officer is responsible for implementing the HIPAA Security Rule Safeguards.

Both roles can be outsourced, designated to existing employees, or – in smaller organizations – designated to the same employee. However, other than in exceptional circumstances, it is important to appoint both roles. It is rare that HIPAA compliance for business associates can be accomplished complying solely with the requirements of the HIPAA Security Rule. In most cases a more holistic approach to HIPAA compliance for business associates is necessary.

Business Associate Agreements

Before any PHI is disclosed to a HIPAA business associate, upstream covered entities must enter into a HIPAA Business Associate Agreement with the business associate. The Agreement establishes the permissible uses and disclosures of PHI by the business associate, how the business associate will respond to patients exercising their HIPAA rights, and responsibility for reporting disclosures of PHI not permitted by the Agreement, security incidents, and data breaches.

If your organization (as a HIPAA business associate) is using a service provided by a third party subcontractor (i.e., Microsoft 365) in the provision of the service to the covered entity, and PHI will be disclosed to the downstream subcontractor, your organization must also enter into a Business Associate Agreement with the downstream subcontractor. Some subcontractors (i.e., Microsoft) have a standard Business Associate Agreement that your organization must agree to.

Why Business Associate Agreements are Important

Determine which standards apply

Determining which standards of HIPAA apply to a service is one of the most complicated areas of HIPAA compliance for business associates. This is because, while most business associates are aware the service has to comply with the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule, many overlook the Security Rule’s General Requirements – including the requirement to:

“Protect against any reasonably anticipated uses or disclosures [of PHI] that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).” (§164.306(a))

In addition to being aware of which uses and disclosures of PHI are permitted by the HIPAA Privacy Rule – and in what circumstances – and implementing policies and procedures to prevent violations of the HIPAA Privacy Rule, business associates may also have to prepare for individuals exercising their HIPAA rights and security incident notifications – the responsibility for which may be subject to the terms of upstream and downstream Business Associate Agreements.

Map the flow of PHI in all formats

One of the factors that can affect which standards of HIPAA apply is how PHI is created, received, maintained, or transmitted by the organization. For example, if PHI is received verbally, written down, and then transferred to an electronic system for storage, it will be necessary to have procedures in place to compliantly dispose of the media on which the PHI was written down as well as the final disposition of PHI stored on the electronic system.

Mapping the flow of PHI in all formats will also enable HIPAA business associates to determine when an individual’s consent or authorization is required prior to further disclosing PHI (for example, Substance Use Disorder records), or when an attestation is required from the recipient of PHI that the information will not be used to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.

Conduct Risk Analyses

Determining which HIPAA standards apply and mapping how PHI flows through the organization will help HIPAA business associates better prepare for a risk analysis – a process required by the HIPAA Security Rule, but also potentially necessary for PHI in all formats depending on the nature of the service(s) being provided to a covered entity. HIPAA risk analyses should be based on guidance published by HHS and adjusted as necessary to accommodate uncommon circumstances.

Identify and document potential vulnerabilities and threats to PHI

Business associates are required to identify and document vulnerabilities which, if triggered by a reasonably anticipated threat, would create a risk of unauthorized access to – or disclosure of – PHI. All vulnerabilities and reasonably anticipated threats from both internal and external sources must be documented.

Assess the capabilities of existing policies and security measures

Most organizations will already have some policies and security measures in place to support HIPAA compliance for business associates. However, business associates should assess whether the existing policies and security measures are sufficient to reduce identified vulnerabilities and risks to a reasonable and appropriate level.

Determine the likelihood and impact of a threat occurrence

It is not possible to eliminate all risks to the confidentiality, integrity, and availability of PHI, but by determining the likelihood and impact of a threat occurrence, HIPAA business associates should be able to prioritize which vulnerabilities should be addressed either by implementing additional technical safeguards or the provision of workforce training.

Determine the level of risk and potential consequences

Determining the level of risk to PHI and the potential consequences of a data breach will help HIPAA business associates with the development of contingency plans, data backup plans, and emergency mode operation plans (as required by the Administrative Safeguards) to ensure the availability of covered entities’ PHI during a HIPAA security incident

Implement additional policies and security measures as required

If existing policies and security measures are not sufficient to reduce identified vulnerabilities and risks to a reasonable and appropriate level, business associates are required to implement additional policies and security measures as required, and document the reasons for them based on the previous steps in the risk analysis process.

Reassess periodically and in response to a regulatory or operational change

A risk analysis is required every time there is a change in regulations or work practices, and when new technology is implemented. If none of these events occur, HIPAA business associates must still perform a periodic technical and non-technical evaluation to ensure policies and security measures remain effective and in compliance with HIPAA.

Common Safeguards

Because business associates must implement administrative, physical, and technical safeguards based on the outcome of a risk analysis, there is no one-size-fits-all guidance for what safeguards must be implemented in order to accomplish HIPAA compliance for business associates. Nonetheless, there are several common safeguards that must be implemented in order for HIPAA business associates to comply with HIPAA.

Physical security

Secure locations in which PHI in all formats is stored and restrict physical access to systems on which PHI is maintained. It may also be necessary to secure workstations and other devices or media which can access PHI depending on whether PHI is stored locally on the workstations, devices, and media, and what other technical safeguards exist to prevent unauthorized access.

Unique user IDs

Although HIPAA does not stipulate password requirements, business associates are required to assign unique user IDs for all members of the workforce. If user IDs consist of a username and password, it is important to enforce the use of strong passwords and be conscious that the mandatory use of MFA is included in the proposed update to the HIPAA Security Rule.

Minimum Necessary

Other than in exempted circumstances, uses and disclosures of PHI must be limited to the minimum necessary to fulfil the purpose of a use or disclosure. This means assigning different access permissions to systems depending on their functions, and different access permissions to workforce members depending on their roles.

Maintain audit logs

One of the purposes of assigning unique user IDs is to create audit logs and monitor access to PHI by workforce members. For this reason, it is important workforce members are instructed not to share login credentials with other members of the workforce. The audit logs should also monitor access to PHI by applications and be configured to flag anomalies that could indicate unauthorized access.

Workforce training

A common issue with HIPAA compliance for business associates is that the security awareness training provided by business associates is generic. According to the General Requirements of the HIPAA Security Rule, workforce training must be designed to protect against reasonably anticipated uses or disclosures of PHI not required or permitted by the HIPAA Privacy Rule.

Sanctions Policy

Business associates are required to apply sanctions against workforce members for any violation of the HIPAA Privacy Rule or for any violation of a policy implemented by the business associate to comply with the HIPAA Security Rule. Business associates that do not have, do not explain, or do not enforce a sanctions policy are themselves in violation of HIPAA.

Incident Management Preparation

According to §164.304 of the HIPAA Security Rule, the definition of a HIPAA security incident is any “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” The reason that unsuccessful security incidents must be monitored is to identify trends in failed access attempts in order to identify future potential risks to the security of PHI.

System configurations

In order to monitor unsuccessful security incidents, systems should be configured where it is possible to automatically detect and log events such as unsuccessful brute force attacks on log-in credentials, pings, and scans looking for undefended network ports. Anti-virus software and email systems should also be monitored for increasing volumes of detected malware and spam emails.

Reporting procedures

Procedures should also be developed for members of the workforce to report incidents that have evaded detection by security software or that have resulted from their own actions. In some cases, it can be beneficial to implement a system that facilitates anonymous reports to ensure that workforce members report an incident before it develops into a more serious event.

Incident management plan

Business associates must develop an incident management plan that includes incident monitoring, tracking, handling, and response for each type of incident. The plan must be documented and include the procedures for determining whether an incident is notifiable to an upstream covered entity. This can depend on the content of the Business Associate Agreement.

Incident preparedness testing

The incident management plan must be tested periodically for each type of incident and revised as necessary if vulnerabilities are discovered or if an analysis of detected unsuccessful security incidents identifies an increasing incident type. It may also be necessary to test workforce members on their abilities to identify and report incidents using a safe or sandboxed environment.

Procedures for receiving notifications

If a HIPAA business associate uses services provided by a downstream subcontractor, and the Business Associate Agreement with the downstream subcontractor specifies the business associate must be notified of security incidents and data breaches, the business associate must have procedures in place for receiving notifications (i.e., a point of contact, the method of notification, etc.).

Procedures for making notifications

Procedures must also be in place for notifying upstream covered entities when a HIPAA security incident or data breach occurs. Depending on the content of the Business Associate Agreement with the upstream covered entity, it may also be necessary to have procedures in place to notify affected individuals and HHS’ Office for Civil Rights in the event of a data breach.

Documentation and Reviews

One of the most important elements of HIPAA compliance for business associates is documentation. The accurate documentation of how PHI flows through the organization, risk analyses, and policies and procedures to support HIPAA compliance are essential. It is also important that all HIPAA training is documented as well as any sanctions imposed for violations of HIPAA. Business Associate Agreements and breach notifications must also be documented.

Organized documentation implies operational efficiency, which can help build trust in upstream covered entities. Organized documentation also makes it easier to keep on top of periodic reviews and evaluations. In addition, although documentation alone will not absolve a business associate from liability in the event of an avoidable HIPAA violation, organized documentation provides visible evidence of a business associate’s good faith effort to be HIPAA compliant.

It is important for certain documents to be reviewed periodically (risk analyses, incident management plans, etc.). However, HIPAA documentation is not the only regulatory requirements business associates may have to comply with and it is advisable to implement a policy management platform that not only manages HIPAA documentation and reviews, but also other documentation required by other federal and state agencies (i.e., OSHA, CMS, etc.).

The Strategic Advantage of HIPAA Compliance for Business Associates

HIPAA compliance is often seen as a legal obligation, but for business associates, it can also serve as a strategic advantage. By embracing HIPAA standards, demonstrating a commitment to safeguarding PHI via independent certification, and aligning HIPAA compliance activities with broader privacy and security frameworks, business associates not only fulfill their HIPAA compliance responsibilities but can also enhance their reputation and unlock growth opportunities.

Demonstrating compliance with applicable HIPAA Administrative Simplification Regulations via white papers, case studies, and independent certifications positions HIPAA business associates as reliable and attractive partners. This can serve as a differentiator in the healthcare industry when a compliance-certified HIPAA business associate is compared to other vendors and service providers  – opening doors to business opportunities, contracts, and collaborations.

Business associates that invest in HIPAA compliance are better positioned to adapt to new laws and industry standards. The processes and systems established for HIPAA compliance often lay the groundwork for meeting future regulatory requirements, ensuring long-term sustainability and success. For those willing to embrace the challenges and opportunities of HIPAA compliance for business associates, the rewards extend far beyond meeting regulatory requirements – they lead to lasting business growth and innovation.

The post HIPAA Compliance for Business Associates appeared first on The HIPAA Journal.

City of Long Beach Notifies Individuals Affected by November 2023 Cyberattack

Posted by Steve Alder

It has taken more than a year for current and former residents of the City of Long Beach in California to learn that some of their personally identifiable and protected health information was compromised in a cyberattack. Notifications have been sent to multiple U.S. states confirming that the information of 470,060 individuals was exposed and potentially stolen in the attack. That figure includes 258,191 individuals whose protected health information was compromised. No ransomware group is known to have claimed responsibility for the attack.

The cyberattack was detected on or around November 14, 2023, and the forensic investigation confirmed on March 18, 2024, that sensitive data had been accessed or acquired by the threat actor. It then took a further 13 months before notification letters were mailed to the affected individuals. City officials confirmed that notification letters started to be mailed on April 14, 2025.

City officials explained that most of the affected systems were restored and brought back online within a matter of weeks after the attack was detected, and while confirmation of unauthorized access to data was confirmed in March 2024, in an October 7, 2024, update, the city explained that third party cybersecurity professionals were still trying to determine the nature and scope of the data stolen in the attack. The city explained in the notice that complimentary credit monitoring and identity theft protection services would be offered to individuals whose Social Security numbers were involved. “This process of identifying specific individuals’ sensitive information is incredibly detailed, time-intensive, can be lengthy, and has been ongoing to date,” explained city officials in the October 2024 notice. “Progress is being made, and the process may be close to completion in the upcoming months.”

In the latest notification, city officials explained that between the attack and April 14, 2025, there have been no indications that any of the impacted information has been misused for the purpose of committing identity theft or fraud, and said the notification letters were being issued as required by law and out of an abundance of caution. Long Beach Mayor Rex Richardson said, “This has proven to be an unprecedented event for our organization, and we continue to take this investigation and its findings seriously.” The individual notifications confirm that credit monitoring and identity theft protection services are being provided for 12 months to individuals whose Social Security numbers were compromised.

The post City of Long Beach Notifies Individuals Affected by November 2023 Cyberattack appeared first on The HIPAA Journal.

Healthcare Orgs Fined for Employing Nurses on the HHS-OIG Exclusion List

Posted by Steve Alder

This month, the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) agreed to settlements with two healthcare providers who employed nurses on the HHS-OIG exclusion list, who provided items or services that were billed to federally funded healthcare programs.

The exclusion list, formally known as the List of Excluded Individuals and Entities (LEIE), contains entities and individuals excluded from participating in federally funded healthcare programs. The exclusion list was established to prevent fraud, waste, and abuse in federally funded healthcare programs. If an individual or entity has been added to the list, they are not permitted to participate in federally funded healthcare programs in any capacity.

There are many different reasons for exclusion, including fraud convictions, patient abuse and neglect, felony drug convictions, submission of false claims, and participation in illegal kickback schemes. Certain violations carry a mandatory minimum exclusion period, with HHS-OIG having discretion over how long an entity or individual remains on the list. While it is possible to be removed from the list after the minimum term has expired, the excluded company/individual must complete a formal reinstatement process, which can take some time.

Prior to hiring any individual or onboarding a new supplier, healthcare organizations need to review the exclusion list to make sure the company or individual has not been excluded. The responsibilities do not end there, as if an individual or company is added to the exclusion list after hiring/onboarding, penalties can be imposed for continuing to employ that individual or the continued use of a company’s services. Regular screenings of the workforce should be conducted, along with monthly checks of vendors to ensure OIG compliance. Many companies choose to ease this compliance headache by using automated screening and other third-party compliance services.

In April 2025, two companies were discovered to have failed to conduct exclusion list checks, resulting in the employment of excluded individuals. Advancare Healthcare Services in Lombard, Illinois, was discovered to have employed a registered nurse who was on the exclusion list and had been barred from participating in federally funded healthcare programs. The nurse had provided items or services that were billed to Medicare or Medicaid. Advancare Healthcare Services agreed to settle the alleged exclusion list violation, paid a $41,596.68 penalty, and was required to terminate the nurse’s employment.

Associated Clinicians of East Texas, PLLC, which does business as Diagnostic Clinic of Longview, was discovered to have employed a licensed vocational nurse who had been added to the exclusion list. The nurse provided items or services billed to federally funded healthcare programs. Diagnostic Clinic of Longview agreed to settle the alleged violation, paid a $77,877.45 financial penalty, and was required to terminate the nurse’s employment.

The post Healthcare Orgs Fined for Employing Nurses on the HHS-OIG Exclusion List appeared first on The HIPAA Journal.

Ascension Notifying Patients About Data Breach at Former Business Partner

Posted by Steve Alder

Ascension in St. Louis, Missouri, has started notifying certain patients about a security incident at one of its former business partners. Ascension learned on December 5, 2024, that the business partner had experienced a hacking incident. An investigation was launched, and it was determined on January 21, 2025, that Ascension had inadvertently disclosed patient data to the former business partner, and that data had likely been stolen in the hacking incident. Ascension confirmed that its own systems were unaffected.

A hacker was able to exploit a vulnerability in third-party software to gain access to data held by the former business partner. The data review confirmed that the information likely stolen in the incident included names, addresses, phone numbers, dates of birth, email addresses, race/gender, Social Security numbers, medical record numbers, insurance company names, and clinical information related to inpatient visits, which may have included, service locations, physicians’ names, discharge dates, and diagnosis and billing codes.

Ascension said it has reviewed its policies, procedures, and processes and will implement enhanced safeguards to prevent similar incidents in the future. The affected individuals had previously received services at Ascension facilities in Alabama, Michigan, Indiana, Tennessee, and Texas. Individual notifications are being mailed, and the affected individuals have been offered two years of complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Carolina Anesthesiology Database Containing 21,344 Records Exposed Online

A database containing the personally identifiable and protected health information of 21,344 patients has been exposed online. The database was found by security researcher Jeremiah Fowler, who analyzed a sample of the data and confirmed it contained information such as names, addresses, phone numbers, health insurance information, emergency contact information, diagnoses, case summaries, medications, vital statistics, family and patient medical histories, antitheology summaries, and physicians’ notes. The database also contained software billing and compliance reports belonging to a medical software company.

Fowler notified the medical software company about the exposed database, which identified the database owner, and notified them. The database was secured the same day. It is unclear for how long the database was exposed and if it was accessed by any other individuals. Fowler also identified files related to Atrium Health and contacted them about the data breach. Atrium Health confirmed that an investigation had been initiated and, via databreaches.net, that the database belonged to Carolina Anesthesiology. Atrium Health said it immediately shut down its data feeds to Carolina Anesthesiology while the database was secured and the incident was investigated. Carolina Anesthesiology is located in High Point, North Carolina, and provides anesthesiology services to High Point Regional Health System and Atrium Health.

The post Ascension Notifying Patients About Data Breach at Former Business Partner appeared first on The HIPAA Journal.

AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit

Posted by Steve Alder

A settlement has been agreed to resolve litigation stemming from a 2022 data breach at AllCare Plus Pharmacy. The Northborough, MA-based pharmacy detected the security incident on June 21, 2022, when suspicious activity was identified in an employee’s email account.

The investigation confirmed that hackers gained access to the email account after the employee responded to a phishing email. The review of the account confirmed it contained names, addresses, birth dates, Social Security numbers, driver’s license and other ID numbers, financial information, and limited health and health insurance information related to treatment and prescriptions. The breach was reported to the Maine Attorney General as affecting 5,971 individuals.

A lawsuit – Celeste Brown, et al. v. AllCare Plus Pharmacy LLC – was filed in the Suffolk County Superior Court of the Commonwealth of Massachusetts over the data breach, claiming the data breach occurred due to the failure to implement appropriate cybersecurity measures and follow industry standard security best practices.

According to the lawsuit, had those measures been implemented, the data breach could have been prevented. AllCare Plus Pharmacy maintains that there was no wrongdoing and that it had meritorious defenses in place; however, the pharmacy chose to settle the litigation to prevent further legal costs and to avoid the risks and uncertainty associated with continuing to fight the litigation.

Under the terms of the settlement, individuals who were notified that their data was compromised may submit claims for reimbursement of documented out-of-pocket losses. Claims may be submitted for ordinary losses up to a maximum of $750 per class member, which can include communication costs, credit monitoring costs, attorneys’ fees, accountants’ fees, and miscellaneous expenses.

Claims may also be submitted for extraordinary losses, such as losses due to identity theft and fraud, up to a maximum of $5,000 per class member. Class members may also claim up to five hours of lost time dealing with the consequences of the data breach at $20 per hour. Class members have been offered two years of complimentary credit monitoring and identity theft protection services. Class members who do not wish to submit a claim or receive credit monitoring services may choose to receive a cash payment of $50.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 27, 2025. The deadline for exclusion from the settlement, objection to the settlement, and submitting claims is July 3, 2025. AllCare Plus Pharmacy said it has made security changes since the incident and will continue to review and update those security measures.

The post AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Verisource Services Increases Data Breach Victim Count to 4 Million

Posted by Steve Alder

Verisource Services, an employee benefits administration service provider, has determined that a previously announced data breach was far worse than initially thought and has affected up to 4 million individuals. The Houston, Texas-based company detected a hacking incident on February 28, 2024, that disrupted access to some of its systems. Third-party cybersecurity and incident response experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity.

The forensic investigation confirmed hackers had access to its network and exfiltrated files on February 27, 2024. At the time of the initial announcement, Verisource Services said names, dates of birth, genders, and Social Security numbers had been stolen. The affected individuals included employees and dependents of clients who used its services, which include HR outsourcing, benefits enrollment, billing, and administrative services.

The data breach was initially reported as affecting 1,382 individuals, but as the investigation progressed, it became clear that the breach was worse than initially thought. In August 2024, the data breach was reported to the HHS’ Office for Civil Rights (OCR) as involving the protected health information of 112,726 individuals. The most recent notification to the Maine Attorney General indicates up to 4 million individuals have been affected, a sizeable increase from previous estimates. The OCR breach portal still lists the incident as affecting 112,726 patients and plan members of its HIPAA-regulated entity clients, although that total may well be updated in the coming days.

Verisource Services explained in the breach notice that the data review was not completed until April 17, 2025, almost 14 months after the security incident was detected. Verisource Services reported the security incident to the Federal Bureau of Investigation, and several additional security measures have been implemented to improve its security posture. Notification letters had previously been sent to some affected individuals; however, the bulk of the notification letters have only recently been mailed. Verisource Services said complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, who will also be protected with a $1,000,000 identity theft insurance policy.

Since sensitive data was stolen many months ago, data may already have been misused. In addition to signing up for the credit monitoring and identity theft protection services, affected individuals should also check their account statements for signs of data misuse going back to February 2024. Verisource Services was already facing several class action lawsuits over the data breach. Now that the breach total has been substantially increased, further lawsuits are expected to be filed. The lawsuits already filed alleged that Verisource Services was negligent due to the failure to implement reasonable and appropriate cybersecurity measures and follow industry-standard cybersecurity best practices. The lawsuits seek a jury trial, attorneys’ fees, and compensatory and punitive damages.

The post Verisource Services Increases Data Breach Victim Count to 4 Million appeared first on The HIPAA Journal.

Endue Software Confirms Data Breach Affecting Multiple Providers

Posted by Steve Alder

Cybersecurity incidents have been announced by Endue Software, Whitman County Public Hospital District No. 3, Palo Verde Hospital, and Northern California Children’s Therapy Center.

Endue Software

Endue Software, an infusion management platform provider, has recently confirmed it has been affected by a cyberattack that involved unauthorized access to patient data. In its April 11, 2025, substitute breach notice, Endue Software explained that unauthorized access to some of its systems was identified on February 17, 2025. The forensic investigation confirmed that an unauthorized actor gained access to some of its systems for a brief period on February 16, 2025. While the window of opportunity was short, files were copied from its systems during that time. Since February, Endue Software has been reviewing the compromised data to determine which clients and patients have been affected. It has now been confirmed that the compromised data included patients’ full names, addresses, dates of birth, Social Security numbers, and medical record numbers.

It is unclear how many of Endue Software’s clients have been affected in total. Endue Software has reported the breach to the HHS’ Office for Civil Rights as a data breach affecting 118,028 individuals; however, some of its customers may be reporting the data breach separately, as was the case with Rheumatology Associates of Baltimore (RAB), which recently reported the breach to OCR as affecting 28,968 of its patients.

Whitman County Public Hospital District No. 3

Whitman County Public Hospital District No. 3 in Washington State has recently announced a data breach that has affected 63,453 individuals, including patients and members of its Group Health Plan. Suspicious activity was identified within its IT network on February 28, 2025. Its IT environment was immediately secured, law enforcement was notified, and an investigation was launched to determine the cause of the activity.

The investigation confirmed that an unauthorized third party had access to its IT environment between December 26, 2024, and February 28, 2025, during which time, files containing patient and health plan member data may have been viewed or acquired.  The file review confirmed that the exposed data included names plus some or all of the following: date of birth, address, Social Security number, financial account information, diagnosis, lab results, medications, other treatment information, health insurance information, provider names, and/or dates of treatment.

Notification letters started to be sent to the affected individuals on April 11, 2025. Complimentary credit monitoring and identity theft protection services have been offered to eligible individuals. Whitman County Public Hospital District No. 3 said additional safeguards and technical security measures have been implemented to prevent similar incidents in the future.

Palo Verde Hospital

Palo Verde Hospital, a 51-bed hospital in Blythe, California, has recently notified the California Attorney General about a security incident “that disrupted the operations of some of its IT systems,” which suggests it was the victim of a ransomware attack. The incident was detected on March 6, 2025, and action was immediately taken to contain the threat. Assisted by third-party cybersecurity experts, the hospital determined there had been unauthorized access to its network between March 3, 2025, and March 6, 2025.  During that time, files containing patient data were accessed and acquired by the threat actor.

The file review confirmed that patient data was involved such as names, contact information, demographic information, Social Security numbers, dates of birth, medical record numbers, patient account numbers, diagnosis/treatment information, prescription information, provider name(s), date(s) of service, and health insurance information. A subset of individuals also had financial account information and routing numbers exposed.

Steps have been taken to improve security to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Northern California Children’s Therapy Center

Northern California Children’s Therapy Center in Woodland, California, has confirmed that patient data has been compromised in a recent security incident. On March 16, 2025, an unauthorized individual exploited a vulnerability in a cloud-based system used to collect and manage information to facilitate developmental screenings and connect families with appropriate resources.

The screenings were provided through the Help Me Grow Yolo County Program, through which community programs such as early childhood services are provided. When the breach was detected, action was immediately taken to secure the system, and the incident was fully resolved by March 19, 2025. An internal review has been completed, and the compromised data has been confirmed as:

  • Referring provider information: agency name, address, phone number; provider name and email address
  • Child’s information: name, gender, date of birth, language(s), and developmental skills
  • Parent/caregiver information: name, relationship to the child, preferred method of contact, phone number, email address, and broad health-related issues
  • Other information: Broad questions or concerns of the family or provider

It was not possible to determine whether any specific child’s data was accessed or acquired. As a precaution, all individuals who had screenings have been notified. Northern California Children’s Therapy Center is working with cybersecurity experts to ensure the ongoing security of systems and records, has reconfigured the impacted storage system, and is looking to implement additional measures to strengthen security.

The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Endue Software Confirms Data Breach Affecting Multiple Providers appeared first on The HIPAA Journal.

Alternate Solutions Health Network Notifies Patients About May 2024 Email Breach

Posted by Steve Alder

Email accounts have been compromised at four HIPAA-regulated organizations: Alternate Solutions Health Network in Ohio; Park Royal Hospital in Florida; 90 Degree Benefits in Minnesota; and the Charleston Fire Department in West Virginia. Almost 107,000 individuals have been affected.

Alternate Solutions Health Network, Ohio

Alternate Solutions Health Network, LLC, a Kettering, Ohio-based provider of home healthcare services, has identified unauthorized access to an employee’s email account that contained patient data. It is unclear for how long the threat actor had access to the account or when the breach was detected; however, it has taken almost a year for the affected individuals to be notified.

Alternate Solutions Health Network explained in its substitute breach notice that the forensic investigation confirmed that the account was breached on or around May 30, 2024. When the breach was detected, the account was secured, and third-party cybersecurity professionals were engaged to investigate the incident. “After an extensive investigation and manual document review, we discovered on February 14, 2025, that some personal and/or protected health information of individuals was contained in the compromised email account that was subject to unauthorized access and acquisition,” explained Alternate Solutions Health Network in the notification letters.

The types of information involved vary from individual to individual and may include first and last names, dates of birth, addresses, driver’s license numbers, physician/clinician names, clinical information, diagnostic information, and treatment information. A subset of the affected individuals also had their Social Security numbers stolen. Alternate Solutions Health Network said it will implement additional cybersecurity safeguards, enhance its employee cybersecurity training, and improve its cybersecurity policies, procedures, and protocols. The data breach was reported to the HHS’ Office for Civil Rights on April 14, 2025, as a breach affecting 93,589 individuals. Individual notification letters also started to be mailed on April 14, 2025.

Park Royal Hospital, Florida

The Pavilion at HealthPark, LLC, has announced a data breach affecting patients of Park Royal Hospital in Fort Myers, Florida. The private psychiatric hospital provides inpatient and outpatient behavioral health services, including treatment for mental health and substance use disorders. On January 14, 2025, an employee responded to a phishing email and disclosed their credentials, allowing a threat actor to access the employee’s email account and associated SharePoint account between January 14 and January 15, 2025. The breach was detected on January 17, 2025, and the email account was immediately secured.

The forensic investigation confirmed that the breach was limited to a single email account and the associated SharePoint account. No other systems or accounts were affected. The account review confirmed that the sensitive data of 9,349 patients was present in the account, including personally identifiable and protected health information such as names, admission dates, provider information, and patient status information. Individual notification letters started to be mailed to the affected individuals on March 18, 2025. Since Social Security numbers and financial information were not compromised, credit monitoring services are not being offered. Patients have been advised to monitor the statements they receive from their providers and health plans and should report any services listed that have not been received.

90 Degree Benefits, Inc., Minnesota

90 Degree Benefits, St. Paul, a third-party administrator that processes claims for companies that operate self-funded health plans, has identified an email account breach. Suspicious activity was identified in an employee’s email account in October 2024. The forensic investigation confirmed that a threat actor gained access to the account on October 18, 2024, and on or around December 17, 2024, it was confirmed that the threat actor had accessed emails and attachments in the account that contained sensitive data.

The emails and attachments were reviewed and found to contain information such as names, Social Security numbers, and/or member identification numbers. The breach was reported to the HHS’ Office for Civil Rights on April 18, 2025, as a data breach affecting 1,268 individuals. Individual notification letters were mailed to the affected individuals on April 18, 2025, and complimentary credit monitoring services have been made available. 90 Degree Benefits, St. Paul said several steps have already been taken to improve the security of its IT environment, including a review of security policies and processes and the provision of additional training to employees.

Charleston Fire Department, West Virginia

The Charleston Fire Department in West Virginia has identified unauthorized access to an employee’s email account. An account breach was suspected when the email account was used to send spam emails. The account was immediately secured, and third-party cybersecurity experts were engaged to conduct a forensic investigation. They confirmed that the breach was limited to a single email account, which was accessible between February 18, 2025, and February 21, 2025. The review of emails and attachments revealed the protected health information of 2,583 individuals had been exposed.

The exposed information was related to ambulance trips and EMS billing and included names, addresses, dates of birth, Social Security numbers, other demographic identifiers, clinical information (diagnoses/conditions, medications, dates of services), and/or insurance information. The majority of affected individuals only had their names, date of services, insurance carriers, and billing amounts exposed. Steps are being taken to strengthen email security, and complimentary credit monitoring services have been offered to the affected individuals. Individual notification letters were mailed to the affected individuals on April 22, 2025.

The post Alternate Solutions Health Network Notifies Patients About May 2024 Email Breach appeared first on The HIPAA Journal.