Author Archives: Steve Alder

Healthcare Organizations Take 3.7 Months To Announce Ransomware Data Breaches

Posted by Steve Alder

A recent data analysis by Comparitech has revealed that the average time for a U.S. healthcare organization to report a ransomware attack is 3.7 months, the shortest time out of all industries represented in the study. Across all industries, the average time to report a ransomware attack in 2023 was 5.1 months, a considerable increase from the average of 2.1 months in 2018.

In 2024, ransomware-related data breaches took an average of 3.7 months to report, although it is too early to obtain reliable reporting data, as ransomware victims are still reporting ransomware-related data breaches from last year.

Comparitech’s researchers analyzed data from 2,600 U.S. ransomware attacks since 2018. Over the entire period of study, the average time to report a data breach following a ransomware attack was 4.1 months. The legal sector delayed reporting data breaches for the longest time, taking an average of 6.4 months to report the data breach.

While healthcare had the shortest breach reporting times, one healthcare entity had an exceptionally long delay between the date of the attack and the issuing of notifications. Ventura Orthopedics experienced a ransomware attack in July 2020, yet it took 38 months for notification letters to be issued, which were not sent until September 2023.  Another healthcare entity had an exceptionally long delay before notifications were issued. It took two years from the date of the attack for Westend Dental to issue notification letters, earning the company a $350,000 financial penalty.

The reporting time is no doubt influenced by federal and state laws. In healthcare, the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires regulated entities to report a data breach within 60 days of the date of discovery, and if the total number of affected individuals is not yet known, the regulated entity must report the breach using an estimated total for the number of affected individuals, with the estimated figure typically being 500 or 501. A figure of 500 affected individuals is the threshold for media announcements and public listing of the data breach on the HHS’ Office for Civil Rights breach portal.

Looking at the business sector only, healthcare also had one of the shortest delays, taking an average of 3.4 months to report the data breach, slightly ahead of utilities at 3.3 months. Healthcare businesses in this sector were not direct healthcare providers.

Comparitech also identified shorter breach reporting times in states that have implemented data breach notification laws, with an average time of 3.9 months to report a breach in those states compared to 4.2 months in other states. The states with the longest breach reporting times were Wyoming (7.3 months), the District of Columbia (6.6 months), and North Dakota (6.3 months), whereas the states with the shortest reporting periods were Montana (1.9 months), South Dakota (2.2 months), and Alaska (2.3 months).

While it may not be possible to issue notification letters quickly, it is important to announce ransomware attacks to allow potentially affected individuals to take steps to protect themselves. If it takes 4.1 months on average to report a ransomware-related data breach, that gives ample time for stolen data to be misused.

Ransomware groups that engage in double extortion list the stolen data on their data leak sites if the ransom is not paid, and the data can be downloaded by anyone. That means the data could be misused for several months before the affected individuals are notified. If a notice is added to the breached organization’s website, even if data theft has not been confirmed, consumers would be aware that they could potentially be at risk and could take steps to protect themselves.

The post Healthcare Organizations Take 3.7 Months To Announce Ransomware Data Breaches appeared first on The HIPAA Journal.

Medical Imaging Service Provider Settles HIPAA Risk Analysis & Breach Notification Failures

Posted by Steve Alder

The HHS’ Office for Civil Rights has announced its 8th financial penalty under the Trump administration, with the latest financial penalty resolving an alleged violation of the risk analysis provision of the HIPAA Security Rule and a violation of the HIPAA Breach Notification Rule.  The California magnetic resonance imaging (MRI) service provider, Vision Upright MRI LLC, has agreed to settle the alleged violations and will pay a $5,000 financial penalty.

OCR currently has a risk analysis enforcement initiative and has imposed 9 penalties under this initiative. OCR is focusing on risk analysis compliance as the risk analysis is a foundational Security Rule requirement that is essential for risk management and implementing safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The failure to conduct a comprehensive and accurate risk analysis is also one of the most commonly identified HIPAA violations.

OCR also appears to be looking closely at Breach Notification Rule compliance. The HIPAA Breach Notification Rule requires notifications to be issued to the HHS Secretary (via the OCR breach portal) and the affected individuals within 60 days of the discovery of a data breach. A media notice is also required for breaches affecting 500 or more individuals. This is the second HIPAA compliance case this year to include a penalty for late breach notifications.

Vision Upright MRI is a small healthcare provider with one location in San Jose, California. OCR notified Vision Upright MRI on December 1, 2020, that OCR had initiated an investigation into compliance with the HIPAA Rules. It is unclear from the settlement agreement how OCR discovered the data breach, as the data breach was not reported to OCR, and the affected individuals were not notified. The breach also does not appear to have been reported to the California Attorney General. The only breach notice on the OCR breach portal from Vision Upright MRI is a March 10, 2025, breach with 23,031 affected individuals.

OCR’s investigation revealed Vision Upright MRI had never conducted a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI, and also failed to notify the affected individuals within 60 days of the discovery of a data breach. OCR said the ePHI of 21,778 individuals, including medical images and associated ePHI, was stored on an unsecured Picture Archiving and Communication System (PACS) server. The server and PACS were used for storing, retrieving, managing, and accessing radiology images, and the server had been accessed by an unauthorized third party. It is unclear whether the access was by a hacker, a security researcher, or another individual.

Under the terms of the settlement, Vision Upright MRI will pay a $5,000 financial penalty and adopt a corrective action plan (CAP) to ensure HIPAA compliance. Compliance with the CAP will be monitored by OCR for 2 years. The CAP requires Vision Upright MRI to conduct a comprehensive and accurate risk analysis to identify risk and vulnerabilities to ePHI; develop, implement, and maintain a risk management plan to reduce any risks and vulnerabilities identified through the risk analysis to a low and acceptable level; develop, implement, and maintain policies and procedures to comply with the HIPAA Rules; distribute the policies and procedures to the workforce and provide HIPAA training; and issue breach notifications to the HHS, the media, and the affected individuals.

“Cybersecurity threats affect large and small covered health care providers,” OCR Acting Director Anthony Archeval said. “Small providers also must conduct accurate and thorough risk analyses to identify potential risks and vulnerabilities to protected health information and secure them.”

OCR HIPAA Fines and settlements 2017 to 2025

The post Medical Imaging Service Provider Settles HIPAA Risk Analysis & Breach Notification Failures appeared first on The HIPAA Journal.

Weiser Memorial Hospital Data Breach Affects 34,200 Patients

Posted by Steve Alder

Cyberattacks and data breaches have recently been announced by Weiser Memorial Hospital in Idaho and Minnesota Orthodontics and Dentofacial Orthopedics.

Weiser Memorial Hospital

Weiser Memorial Hospital in Idaho has recently informed the Maine Attorney General about a data breach that involved unauthorized access to the personal and protected health information of 34,249 individuals, including 14 Maine residents. Unusual network activity was identified on September 4, 2024, and after securing its network, Weiser Memorial Hospital engaged third-party cybersecurity experts to investigate and determine the nature and scope of the unauthorized activity.

The investigation confirmed that an unauthorized third party accessed its network and exfiltrated files containing sensitive data on or around September 4, 2024. The impacted files were reviewed to determine the patients affected and the types of data involved, and that process concluded on April 21, 2025. Weiser Memorial Hospital has confirmed that current and former patients had some or all of the following information stolen in the incident: name, date of birth, Social Security number, other government ID numbers, diagnoses, treatment/procedure information, Medicare/Medicaid numbers, and/or health insurance information.

Weiser Memorial Hospital said steps have been taken to improve security to prevent similar incidents in the future, and the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services.

Minnesota Orthodontics and Dentofacial Orthopedics

Minnesota Orthodontics and Dentofacial Orthopedics (MN Ortho) has alerted patients about a recent data security incident involving unauthorized access to sensitive patient data. On February 26, 2025, MN Ortho discovered unauthorized access to its network. Steps were taken to secure its systems and prevent further unauthorized access, and third-party cybersecurity specialists were engaged to investigate the activity.

On April 18, 2025, MN Ortho confirmed that an unauthorized third party copied files from its network that contained patient data such as names, dates of birth, financial information, health forms, insurance information, treatment information, and employment information. The investigation and data review are ongoing, and notification letters will be mailed to the affected individuals when the process is completed. MN Ortho said it is unaware of any misuse of the affected data. The security incident has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. The total will be updated when the file review is concluded.

The post Weiser Memorial Hospital Data Breach Affects 34,200 Patients appeared first on The HIPAA Journal.

Microsoft, Fortinet & Ivanti Warn About Actively Exploited Zero Day Vulnerabilities

Posted by Steve Alder

Microsoft, Fortinet & Ivanti have all notified customers about vulnerabilities in their products that are known to have been exploited by threat actors. Prompt patching is strongly recommended, and workaround/mitigations should be implemented if patching must be delayed.

Microsoft

On Patch Tuesday, Microsoft issued patches for five vulnerabilities known to have been exploited in the wild, plus two publicly disclosed zero-day vulnerabilities. The actively exploited  vulnerabilities are:

Product CVE Severity Type Outcome
Microsoft DWM Core Library CVE-2025-30400 Important Elevation of Privilege Local elevation of privilege to SYSTEM
Windows Common Log File System CVE-2025-32701 Important Elevation of Privilege Local elevation of privilege to SYSTEM
Windows Common Log File System CVE-2025-32706 Important Elevation of Privilege Local elevation of privilege to SYSTEM
Windows Ancillary Function Driver CVE-2025-32709 Important Elevation of Privilege Local elevation of privilege to SYSTEM
Microsoft Scripting Engine CVE-2025-30397 Important Memory Corruption Code execution

The following vulnerabilities have been publicly disclosed:

Product CVE Severity Type Outcome
Microsoft Defender CVE-2025-26685 Important Identity Spoofing Spoofing of another account over an adjacent network
Visual Studio CVE-2025-32702 Important Remote Code Execution Local code execution by an unauthenticated attacker

Microsoft also released patches for six critical vulnerabilities that are not known to have been exploited but should be prioritized. They affect Microsoft Office (CVE-2025-30377 and CVE-2025-30386), Microsoft Power Apps (CVE-2025-47733), Remote Desktop Gateway Service (CVE-2025-29967), and Windows Remote Desktop (CVE-2025-29966).

Fortinet

Fortinet has issued a security advisory about a critical vulnerability affecting its FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera products. The stack-based buffer overflow vulnerability has been assigned a CVSS v4 severity score of 9.6 (CVSS v3.1: 9.8) and can be exploited by a remote unauthenticated hacker by sending HTTP requests with a specially crafted hash cookie. Successful exploitation of the vulnerability can allow arbitrary code execution.

Fortinet said it has observed exploitation of the vulnerability on FortiVoice. The threat actor scanned the device network, erased system crashlogs, and enabled fcgi debugging to log credentials from the system or SSH login attempts. The vulnerability is tracked as CVE-2025-32756 and affects the following product versions:

Affected Product Affected Versions Fixed Versions
FortiVoice 7.2.0 Upgrade to 7.2.1 or above
7.0.0 through 7.0.6 Upgrade to 7.0.7 or above
6.4.0 through 6.4.10 Upgrade to 6.4.11 or above
FortiRecorder 7.2.0 through 7.2.3 Upgrade to 7.2.4 or above
7.0.0 through 7.0.5 Upgrade to 7.0.6 or above
6.4.0 through 6.4.5 Upgrade to 6.4.6 or above
FortiMail 7.6.0 through 7.6.2 Upgrade to 7.6.3 or above
7.4.0 through 7.4.4 Upgrade to 7.4.5 or above
7.2.0 through 7.2.7 Upgrade to 7.2.8 or above
7.0.0 through 7.0.8 Upgrade to 7.0.9 or above
FortiNDR 7.6.0 Upgrade to 7.6.1 or above
7.4.0 through 7.4.7 Upgrade to 7.4.8 or above
7.2.0 through 7.2.4 Upgrade to 7.2.5 or above
7.1 all versions Migrate to a fixed release
7.0.0 through 7.0.6 Upgrade to 7.0.7 or above
1.1 through 1.5 Migrate to a fixed release
FortiCamera 2.1.0 through 2.1.3 Upgrade to 2.1.4 or above
2.0 all versions Migrate to a fixed release
1.1 all versions Migrate to a fixed release

Fortinet has issued indicators of Compromise in its security alert. If immediate patching is not possible, Fortinet recommends disabling the HTTP/HTTPS administrative interface

Ivanti

Ivanti has issued a security advisory about two vulnerabilities affecting the Ivanti Endpoint Manager Mobile (EPMM) solution, one is a medium severity flaw and the other is high severity flaw. The two vulnerabilities can be chained together and can allow unauthenticated remote code execution. Ivanti explained that the two vulnerabilities are associated with open-source code used in the EPMM, and not within Ivanti’s code.

The medium severity flaw is tracked as CVE-2025-4427 and is an authentication bypass flaw with a CVSS v3.1 severity score of 5.3. The second vulnerability is a remote code execution vulnerability with a CVSS v3.1 severity score of 7.2

Affected Product Affected Versions Fixed Versions
Ivanti Endpoint Mobile Manager 11.12.0.4 and prior 11.12.0.5 and later
12.3.0.1 and prior 12.3.0.2 and later
12.4.0.1 and prior 12.4.0.2 and later
12.5.0.0 and prior 12.5.0.1 and later

Ivanti said users should upgrade to the latest version as soon as possible; however, risk can be greatly reduced if the user filters access to the API using the built-in Portal ACLs or an external WAF.

The post Microsoft, Fortinet & Ivanti Warn About Actively Exploited Zero Day Vulnerabilities appeared first on The HIPAA Journal.

Robeson Health Care Corp. Agrees to $750K Data Breach Settlement

Posted by Steve Alder

Robeson Health Care Corporation, a Pembroke, North Carolina-based integrated health system, has agreed to settle a class action lawsuit that alleged hackers compromised its network in a February 2023 cyberattack, exposing the protected health information of 62,627 individuals.

Hackers gained access to its network on or around February 21, 2023, and potentially accessed or acquired protected health information such as names, dates of birth, Social Security numbers, diagnosis and treatment information, medical record numbers, Medicare/Medicaid numbers, prescription information, health insurance information, and other sensitive data. The affected individuals started to be notified about the data breach on April 21, 2023.

In early to mid-May 2023, three lawsuits were filed against Robeson Health Care Corp. over the data breach by plaintiffs Julianna McKenzie, Judith Hammonds, and Ronnie McGriff in the United States District Court for the Eastern District of North Carolina. The plaintiffs asserted several claims, including negligence for failing to implement reasonable and appropriate safeguards to secure its network and protect patient data from unauthorized access. Robeson Health Care Corp. denies all claims and contentions in the lawsuit, including charges of wrongdoing and liability. Since continuing with the action would likely be expensive and protracted, all parties agreed to negotiate an appropriate settlement. That settlement has been determined to be fair by all parties and has received preliminary approval from the Superior Court of the State of North Carolina for the County of Robeson.

Under the terms of the settlement, Robeson Health Care Corp. has agreed to pay for benefits for class members, which will be capped at $750,000. Class members may submit a claim for up to $2,500 for reimbursement of documented, unreimbursed out-of-pocket losses that resulted from the data breach. Attorneys’ fees and costs have been capped at $250,000, and each of the three plaintiffs will receive a service award of $1,500.

Alternatively, class members may choose to receive a cash payment of $50, which will be paid pro rata after claims have been paid. The cash payments may be higher or lower depending on the number of claims received. In addition, class members can claim two years of single-bureau credit monitoring services. The deadline for exclusion from and objection to the settlement is June 23, 2025. The final approval hearing has been scheduled for July 21, 2025, and the deadline for submitting claims is August 6, 2025. Further information on the settlement can be found on the settlement website:  https://www.rhccdataincidentsettlement.com/

The post Robeson Health Care Corp. Agrees to $750K Data Breach Settlement appeared first on The HIPAA Journal.

Ransomware Attacks Increase 123% in 2 Years with 52 New Groups Emerging in 2024

Posted by Steve Alder

New research from Black Kite has shed light on the changing ransomware ecosystem. Over the past year, there has been a marked shift from large ransomware syndicates conducting the bulk of attacks to an increasingly fragmented ransomware ecosystem with a growing number of smaller groups and lone actors.

The report is based on data collected by the Black Kite Research & Intelligence Team (BRITE) between April 2024 and March 2025, including victim analysis, dark web intelligence gathering, and continuous monitoring of ransomware operations. Out of the 150 ransomware groups tracked by BRITE, 96 were considered active, having conducted at least one attack in the past 12 months, a sizeable increase from the 61 active ransomware groups in April 2023. Out of the 96 active ransomware groups, 52 are entirely new groups that emerged in the past 12 months. Over that period, there was a 24% year-over-year increase in the number of publicly disclosed ransomware victims (6,046), which follows an 81% increase over the preceding year, amounting to a 123% increase in disclosed ransomware victims in the past two years.

When the ransomware ecosystem was dominated by large ransomware syndicates such as LockBit and ALPHV/BlackCat, there was a degree of predictability to the attacks, but the power vacuum left by the law enforcement operations against LockBit and the shutdown of ALPHV has led to the creation of many smaller groups, with some of the more experienced actors branching out on their own. With so many new groups, the ransomware ecosystem has become more chaotic, with less sophisticated attacks being conducted in greater volume. BRITE reports that these smaller groups tend to lack the infrastructure, discipline, and credibility of their predecessors, and this shift has resulted in an increase in attack volume, a fall in coordination, and growing unpredictability in how, where, and why attacks unfold.

One trend that has emerged is a shift from attacks on larger companies with deeper pockets to attacks on small to medium-sized businesses (SMBs), which tend to have poorer defenses, smaller cybersecurity teams, and carry a lower risk of retaliation from law enforcement. The potential rewards from conducting the attacks are lower, with BRITE reporting a 35% reduction in ransom payment values in the past 12 months; however, the overall impact of ransomware attacks has widened. In 2024, the average ransom demand was $4,24 million, the median ransom payment was $2 million, and the average ransom payment was $553,959. SMBs with between $4 and $8 million appear to be the sweet spot in terms of ease of conducting attacks and ransom payment value.

In terms of targets, ransomware groups tend to conduct strategic attacks with the top three targets unchanged year-over-year. Manufacturing was the most targeted sector with 1,315 victims over the past 12 months. Attacks on the sector tend to result in massive disruption to business operations, with the costs of downtime increasing the probability of ransoms being paid. Professional and technical services were the second-most targeted sector with 1,040 attacks, followed by healthcare and social assistance with 434 known attacks.

In terms of the growth of attacks on different sectors, excluding the mass exploitation of vulnerabilities by the Clop group as an outlier, wholesale trade saw the biggest growth with a 2.27% increase in attacks, with healthcare and social assistance in second with 1.44% growth. Physicians and health practitioners overtook hospitals in terms of victim count, as they tend to have far weaker security, lack dedicated security teams, and handle reasonable volumes of sensitive patient data, making them low-hanging fruit with significant extortion potential.  These smaller healthcare providers accounted for 38% of attacks, with hospitals in second spot (20%), social assistance in third (11%), and nursing and residential facilities in fourth (9%).

BRITE also reports deeper entanglement in supply chains, with ransomware groups increasingly targeting third-party vendors, as an attack on a vendor can easily allow the ransomware actor to attack and attempt extortion on dozens of downstream organizations. BRITE reports that ransomware was behind 67% of all known third-party breaches. “Incidents involving Change Healthcare, Blue Yonder, and CDK Global made clear that ransomware’s impact is no longer contained within the four walls of the initially affected organization,” explained Black Kite in the report. “When threat actors compromise a widely used vendor, the effects ripple outward, paralyzing downstream businesses in multiple sectors. In this way, ransomware is increasingly a supply chain problem, not just a cybersecurity one.”

Black Kite predicts a deepening fragmentation of the ransomware ecosystem over the coming year, an increase in double targeting of victims with different ransomware variants deployed in a short space of time, speedier attacks with reduced dwell time between initial access and ransomware deployment, and increased automation and AI-assisted reconnaissance.

The post Ransomware Attacks Increase 123% in 2 Years with 52 New Groups Emerging in 2024 appeared first on The HIPAA Journal.

Healthcare Workers Violating Patient Privacy by Uploading Sensitive Data to GenAI and Cloud Accounts

Posted by Steve Alder

Research conducted by the cybersecurity company Netskope indicates healthcare workers routinely expose sensitive data such as protected health information (PHI) by using generative AI tools such as ChatGPT and Google Gemini and by uploading data to personal cloud storage services such as Google Drive and OneDrive.

The healthcare industry has fully embraced AI tools, with almost all organizations using AI tools to some degree to improve efficiency. According to data collected by Netskope Threat Labs, 88% of healthcare organizations have integrated cloud-based genAI apps into their operations, 98% use apps that incorporate genAI features, 96% use apps that leverage user data for training, and 43% are experimenting with running genAI infrastructure locally.

As more healthcare organizations incorporate AI tools into their operations and make them available to their workforces, fewer healthcare workers are using personal AI accounts for work purposes; however, 71% of healthcare workers still use personal AI accounts, down from 87% the previous year. If genAI tools are not HIPAA-compliant and the developers will not sign business associate agreements, using those tools with PHI violates HIPAA and puts organizations at risk of regulatory penalties. Further, uploading patient data to genAI tools and cloud storage services without robust safeguards in place can erode patient trust.

“Beyond financial consequences, breaches erode patient trust and damage organizational credibility with vendors and partners,” Ray Canzanese of Netskope said. It is clear that there needs to be greater oversight of the use of AI tools, and a pressing need for authorized tools to be provided to reduce “shadow AI” risks.

According to Netskope, the mishandling of HIPAA-regulated data is the leading security concern in the healthcare sector, and PHI is the most common type of sensitive data uploaded to personal cloud apps, genAI apps, and other unapproved locations. Netskope reports that 81% of all data policy violations were for regulated healthcare data, with the remainder including source code, secrets, and intellectual property.

“Healthcare organizations must balance the benefits of genAI with the implementation of strict data governance policies to mitigate associated risks,” warns Netskope. Netskope recommends the adoption of enterprise-grade genAI applications with robust security features to ensure that sensitive and regulated data is properly protected, along with data loss prevention (DLP) tools for monitoring and controlling access to genAI tools to prevent privacy violations. Netskope says 54% of healthcare organizations now have DLP policies, up from 31% the previous year. The most commonly blocked genAI apps in healthcare are DeepAI, Tactiq, and Scite, with 44%, 40%, and 36% of healthcare organizations blocking these apps with their DLP tools due to privacy risks and there being more secure alternatives.

While genAI tools certainly have a place in healthcare and can help improve efficiency, there are significant security challenges. Netskope warns that healthcare organizations must remain vigilant, implement comprehensive security measures, and enforce data protection policies, as well as incorporate the risks into their cybersecurity awareness training.

The report also warns of the risk of malware infections via cloud apps. Threat actors are increasingly using cloud apps to deploy information stealers and ransomware, with GitHub, OneDrive, Amazon S3, and Google Drive being the most common. Rather than trying to breach networks themselves, threat actors use social engineering to trick healthcare employees into compromising their own systems with first-stage malware payloads, which give threat actors initial access to networks. Netskope recommends inspecting all HTTP and HTTPS traffic for phishing and malware, blocking apps that serve no business purpose or pose a disproportionate risk to the organization, and using remote browser isolation technology when categories of websites need to be visited that pose a higher risk, such as newly registered domains.

The post Healthcare Workers Violating Patient Privacy by Uploading Sensitive Data to GenAI and Cloud Accounts appeared first on The HIPAA Journal.

Union Health System: Almost 263,000 Individuals Affected by Oracle Health/Cerner Hack

Posted by Steve Alder

Union Health System, a Terre Haute, Indiana-based integrated health system that operates two hospitals and a medical group, has been affected by a security incident at Oracle Health/Cerner. Oracle Health recently notified healthcare providers about a security incident involving legacy Cerner servers, which had yet to be migrated to Oracle Cloud. Oracle acquired Cerner in 2022. A hacker was able to access and obtain data hosted in the Oracle Health/Cerner data migration environment, and then tried to extort the affected companies.

Oracle Health has released little information about the incident and maintains it is the responsibility of its HIPAA-covered entity clients to determine if there has been a breach that warrants notifications under the HIPAA Breach Notification Rule. Union Health said it received confirmation of the data breach from Oracle Health/Cerner on March 15, 2024. Oracle Health explained that it detected a cybersecurity incident on February 20, 2025, and its forensic investigation confirmed that the unauthorized third party’s initial access occurred on or after January 22, 2025. Union Health received a list of the affected individuals from Oracle Health/Cerner on March 22, 2025.

The compromised data included names plus Social Security numbers, dates of birth, driver’s license numbers, treating physicians’ names, dates of service, medication information, health insurance information, and diagnostic and treatment information. The breach was recently reported to the HHS’ Office for Civil Rights by Union Health as affecting 262,831 individuals.

While the data breach was confirmed by Oracle Health/Cerner in March, that was not the first time that Union Health was made aware of the data breach. An “unknown party” contacted Union Health claiming to be in possession of patient data. Union Health verified the individual’s claims on February 24, 2025, and identified the information as likely having been obtained from Oracle Health/Cerner. Union Health then proactively reached out to Oracle Health about the incident for confirmation, which was obtained on March 15, 2025. Union Health made it clear in the notification letters that the breach occurred at Oracle Health/Cerner and no Union Health systems were accessed. Union Health said it is offering the affected individuals complimentary credit monitoring services.

A lawsuit has already been filed against Union Health and Oracle Health/Cerner over the data breach. The lawsuit, Cerner Corporation d/b/a Oracle Health, Inc. and Union Health System, Inc. – was filed in the U.S. District Court for the Western District of Missouri by plaintiff Shannon Smith, who is represented by John F. Garvey of Stranch, Jennings & Garvey, PLLC.

The lawsuit claims that the defendants’ inadequate security practices violated HIPAA and allowed cybercriminals to gain access to sensitive personally identifiable information (PII) and protected health information (PHI), and that the failure amounts to negligence. The lawsuit cites eight causes of action – negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of fiduciary duty, breach of confidence, and declaratory judgment.

The lawsuit also takes issue with the time taken to issue notification letters, which were not sent until 89 days after the breach occurred, keeping the affected individuals in the dark and depriving them of the opportunity to try to mitigate their injuries in a timely manner.  The lawsuit claims the data breach has placed the plaintiff and class members at a present, continuing, and significant risk of suffering identity theft. The lawsuit seeks a jury trial, compensatory, exemplary, punitive, and statutory damages, injunctive relief, attorneys’ fees, and legal costs and expenses.

This is one of two security incidents to be confirmed by Oracle in 2025. In a separate incident, a hacker obtained usernames, passkeys, and encrypted passwords of an undisclosed number of Oracle customers. “Oracle would like to state unequivocally that the Oracle Cloud – also known as Oracle Cloud Infrastructure or OCI – has not experienced a security breach. No OCI customer environment has been penetrated,” explained Oracle. “No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.” Oracle confirmed that a hacker gained access to two obsolete servers but did not obtain any usable passwords, as the passwords were either encrypted or hashed.

The post Union Health System: Almost 263,000 Individuals Affected by Oracle Health/Cerner Hack appeared first on The HIPAA Journal.

Netgain Technology Agrees to $1.9 Million Settlement to Resolve Data Breach Litigation

Posted by Steve Alder

Netgain Technology has agreed to settle consumer data breach litigation filed in response to a 2020 ransomware attack and data breach. Netgain will establish a $1.9 million settlement fund to cover claims from class members.

Netgain is a Minnesota-based cloud hosting and managed IT service provider with many clients in the healthcare industry. A ransomware group gained access to Netgain’s environment between September and December 2020 and deployed ransomware on November 24, 2020. The attack affected thousands of Netgain’s servers and forced it to take some of its data servers offline. The ransomware group was able to exfiltrate data in the attack, including the data of patients of its healthcare provider clients.  Data stolen in the attack included names, contact information, dates of birth, Social Security numbers, medical information, and financial information.

On May 13, 2021, plaintiffs Misty Meier and Jane Doe filed a class action complaint against Netgain, alleging their personally identifiable information (PII) and protected health information (PHI) were stolen in the attack. Further lawsuits were filed by plaintiffs Susan Reichert, Mark Kalling, Sherman Moore, Robert Smithburg, Thomas Lindsay, and Robert Guertin. On August 24, 2021, a federal judge consolidated the lawsuits into a single class action complaint – In Re: Netgain Technology, LLC, Consumer Data Breach Litigation – in the United States District Court for the District of Minnesota.

The lawsuit asserted several causes of action, some of which were dismissed; however, the causes of action for negligence and declaratory judgment were allowed to proceed, and a settlement has been negotiated that has received preliminary approval from the court.  Under the terms of the settlement, class members may submit claims for documented losses and lost time up to a maximum of $5,000 per class member, and after all payments have been made, any remaining funds in the settlement fund will be distributed pro rata among the class members.

Netgain has also agreed to injunctive relief for three years from the effective date of the settlement. Netgain has agreed to adopt, continue, or implement firewall upgrades, geo-blocking, routing through secured gateways, virus prevention technology across its data environment, multi-factor authentication in its hosting environments, backup data protection, and configure its network in a secure and scalable manner.

The post Netgain Technology Agrees to $1.9 Million Settlement to Resolve Data Breach Litigation appeared first on The HIPAA Journal.