Author Archives: Steve Alder

St. Anthony Hospital in Chicago Notifies Patients About February Data Breach

Posted by Steve Alder

Data breaches have recently been announced by St. Anthony Hospital in Chicago, Intercommunity Action in Pennsylvania, and Munson Healthcare in Michigan.

St. Anthony Hospital

St. Anthony Hospital in Chicago, IL, has recently discovered unauthorized access to certain employees’ email accounts. The unauthorized access was identified on February 6, 2025, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity and the extent of any data exposure or theft.

The investigation confirmed that the compromised email accounts contained the personal and protected health information of patients and staff members. The HHS’ Office for Civil Rights breach portal shows that the protected health information of 6,679 was exposed. Information potentially compromised in the incident included names, addresses, telephone numbers, birth dates, Social Security numbers, dates of service, medical record numbers, patient account numbers, medical histories, diagnoses/conditions, treatment information, and prescription information. While sensitive information has been exposed, St. Anthony Hospital has not detected any misuse of the exposed data.

Intercommunity Action Inc.

Intercommunity Action, a Philadelphia, PA-based provider of resources for aging, behavioral health, and individuals with intellectual and developmental disabilities, has notified 2,680 individuals about a recent data security incident involving unauthorized access to its computer network. The security breach was identified on May 29, 2025, and the forensic investigation confirmed that unauthorized connections had been made to its network from May 28, 2025, to May 29, 2025. During that time, files were exfiltrated from its network, and Intercommunity Action warned that the stolen data had potentially been made available online. Intercommunity Action is unaware of any instances of data misuse as a result of the incident.

A review of the affected files revealed that they contained patient information such as first and last names, dates of birth, addresses, Social Security Numbers, driver’s license numbers, state identification numbers, bank account information, credit card numbers, other financial information, claims information, diagnosis/conditions, medications, or other treatment information. The types of information involved varied from individual to individual.

As a precaution against misuse of the affected data, individuals whose Social Security numbers, driver’s license numbers, state ID numbers, and/or bank account information were involved have been offered complimentary identity theft protection services. Steps have also been implemented to prevent similar incidents in the future, including changing passwords, blocking the unauthorized users’ IP addresses, and implementing additional safeguards to strengthen security.

Munson Healthcare

Munson Healthcare, the largest health system in Northern Michigan, has notified 1,186 patients about a mis-mailing incident caused by an error when migrating patient information to a new computer system. The error occurred on January 25, 2025, and resulted in the individual responsible for paying bills being accidentally changed to someone who was previously responsible. The issue was not detected until June 2, 2025.

As a result of the error, some patients’ bills were sent to the wrong individuals. An investigation was launched to determine the root cause of the error and the patients affected. The errors in the data were changed and updated to the correct bill payer, and a technical fix was implemented on June 24, 2025, to prevent further bills from being sent to incorrect individuals. Data impermissibly disclosed was limited to a patient’s name, location of services, balance owed, insurance type, and the type of service. The affected individuals have been advised to review the bills issued after January 25, 2025, to ensure that the billing information is correct.

The post St. Anthony Hospital in Chicago Notifies Patients About February Data Breach appeared first on The HIPAA Journal.

Discovery Practice Management Settle Lawsuit Over 2020 Data Breach

Posted by Steve Alder

Discovery Practice Management, a California-based healthcare provider, has agreed to settle a class action lawsuit stemming from a June 2020 breach of its email environment. An unauthorized third party accessed employee email accounts between June 22, 2020, and June 26, 2020, and obtained sensitive information relating to patients of the Authentic Recovery Center and Cliffside Malibu facilities in California. The data breach was reported to the HHS’ Office for Civil Rights as affecting up to 12,859 individuals.

Data potentially compromised in the incident included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license numbers, and clinical information, such as diagnosis, treatment information, and prescription information. It took almost a year for the emails to be reviewed and notification letters to be issued to the affected individuals.

In February 2021, a class action lawsuit – JeanPaul Magallanes, et al v. Discovery Practice Management, Inc. – was filed in response to the data breach by JeanPaul Magallanes that alleged that Discovery Practice Management failed to implement appropriate measures to safeguard sensitive data stored on its network, then failed to issue adequate and timely notification letters when its email environment was compromised.

The alleged cybersecurity failures included insufficient monitoring of inbound emails, insufficient training of its workforce on email-based threats, and the failure to encrypt a data server that became accessible to unauthorized individuals who compromised two employee email accounts. Despite the significant risk to the affected patients, it took 335 days from the date of discovery to issue notification letters, which the lawsuit claims violated HIPAA and the California Consumer Records Act.

The lawsuit claims the actions of the defendant violated the California Confidentiality of Medical Information Act, California Unfair Competition Law, and the California Consumer Records Act. All parties agreed to engage in settlement discussions to avoid the cost and risk of a trial, and a settlement has been agreed upon with no admission of wrongdoing by Discovery Practice Management. The settlement has recently been granted preliminary approval by Judge Glenda Sanders of the Superior Court of the State of California, for the County of Orange.

Under the terms of the settlement, all class members are entitled to claim a three-year membership to CyEx’s Identity Defense Total Service, and must enroll by December 9, 2025. In addition, claims may be submitted for reimbursement of documented, unreimbursed ordinary and extraordinary losses caused by the data breach. Claims for reimbursement of ordinary losses are capped at $250 per class member, and claims for reimbursement of extraordinary losses are capped at $1,000 per class member.

The deadline for objection to the settlement, exclusion from the settlement, and submitting a claim is November 24, 2025. The final fairness hearing has been scheduled for February 5, 2026.

The post Discovery Practice Management Settle Lawsuit Over 2020 Data Breach appeared first on The HIPAA Journal.

Cyberattack Volume Increases Fueled by 48% YOY Increase in Ransomware Attacks

Posted by Steve Alder

Cyber threat actors had a busy October, with attack volume up 2% month-over-month and 5% year-over-year. In October, organizations experienced an average of 1,938 cyberattacks per week, according to the latest data from cybersecurity firm Check Point.

While attacks are up across all sectors, there was a 15% year-over-year fall in attacks on the health and medical sector, with 2,094 reported attacks in October. The biggest increases were seen in the agriculture (+71%) and information technology sectors (+48%). Education was the most targeted sector with 4,470 attacks, up 5% from October 2024. Latin America experienced the highest number of attacks, with attacks up 16% from October 2024, but the biggest increase was seen in North America, with an average of 1,464 attacks per week, up 18% from October 2024.

Check Point reports that the rise in attacks was fueled by the growing sophistication of ransomware, with attacks dramatically increasing in October. Check Point tracked 801 reported attacks in October, which is a 48% increase compared to September. While Latin America experiences more attacks than any other region, North America was the main target of ransomware groups, accounting for 62% of incidents, ahead of Europe with 19% of attack volume. In October, 57% of reported victims were in the United States, and there was a 56.8% increase in attacks compared to September.

Qilin was the most active ransomware group, accounting for 22.7% of attacks in October. The group has evolved into a sophisticated ransomware-as-a-service organization, attracting new affiliates due to its extensive affiliate support. Akira took second spot with 8.7% of attacks, and the recently emerged Sinobi ransomware group took third spot with 7.8% of attacks.

While all three groups attack healthcare organizations, the healthcare sector appears to be a key focus of the Sinobi group. Sinobi is a ransomware-as-a-service group with a professional structure, highly skilled internal operators, and a team of carefully vetted affiliates. Sinobi primarily targets mid- to large-sized organizations, primarily in the United States and allied countries.

Sinobi claims on its dark web data leak site to have attacked East Jefferson General Hospital, Greater Mental Health of New York, Johnson Regional Medical Center, Judson Center, Middlesex Endodontics, Newmark Healthcare Services, Phoenix Village Dental, Queens Counseling for Change, South Atlanta Medical Clinic, and Watsonville Community Hospital since the group emerged in mid-2025.

Check Point also cautioned about the expanding risks associated with generative AI (GenAI) as enterprise use of GenAI tools continues to grow. One of the biggest threats is the exposure of sensitive data. Check Point reports that in October, 1 out of every 44 GenAI prompts submitted through business networks posed a high risk of sensitive data leakage, something that is especially concerning in healthcare due to the risk of exposure of protected health information.

Check Point reports that 87% of organizations that use GenAI tools regularly experience this type of sensitive data exposure, and many organizations are unaware of the risk. While workers use authorized and managed GenAI tools, on average, 11 different GenAI tools are used by organizations each month, most of which are likely to be unsupervised.

“As ransomware groups evolve and GenAI risks proliferate, organizations must strengthen their threat prevention, data security, and AI governance strategies to stay ahead of adversaries,” suggests Check Point.

The post Cyberattack Volume Increases Fueled by 48% YOY Increase in Ransomware Attacks appeared first on The HIPAA Journal.

HSCC Publishes Preview of Health Sector AI Cybersecurity Risk Guidance

Posted by Steve Alder

In Q1, 2026, the Health Sector Coordinating Council (HSCC) plans to publish AI cybersecurity guidelines for the healthcare sector. Last week, the HSCC Cybersecurity Working Group (CWG) published previews of the cybersecurity guidance ahead of the full release next year.

Artificial intelligence has tremendous potential in healthcare; however, it introduces cybersecurity risks that must be managed and reduced to a reasonable level. To better prepare the health sector, the HSCC CWG established an AI Cybersecurity Task Force in October 2024, consisting of individuals from 115 healthcare organizations across the spectrum. The Cybersecurity Task Group has considered the complexity and the associated risks of AI technology in clinical, administrative, and financial health sector applications, and divided the identified AI issues into five manageable workstreams of discrete functional risk areas:

  • Education and enablement
  • Cyber operations & defense
  • Governance
  • Secure by design
  • Third-party AI risk and supply chain transparency

Significant progress has been made across all workstreams, and in January, guidance will be published covering each of these areas. The guidelines will include best practices for healthcare organizations to adopt, and while not legally binding, they will help the sector effectively manage and reduce AI cybersecurity risks.

Ahead of the release, HSCC CWG published one-page summaries for each of these workstreams detailing the objectives, key focus areas, and deliverables in each area. HSCC CWG has also published a foundational document that describes the most important AI terms that healthcare organizations need to be aware of.

The education and enablement workstream covers the common terms and language used throughout the guidance to familiarize users with the use of AI in their functional environments and help them better understand risk and apply control activities.

The cyber operations and defense workstream provides practical playbooks for preparing for, detecting, responding to, and recovering from AI cyber incidents. That includes identifying requirements for conducting optimized AI-specific cybersecurity operations, defining AI-driven threat intelligence processes with appropriate safeguards to support clinical workflows, establishing operational guardrails for AI technologies beyond LLMs, including predictive machine learning systems and embedded device AI, and establishing clear governance and accountability.

The governance workstream provides a comprehensive framework that can be used by healthcare organizations of all sizes to manage the cybersecurity risks in their own clinical environments and ensure that AI is used securely and responsibly. The objective of the secure by design workstream is to define and develop secure-by-design principles specifically for AI-enabled medical devices, including practical guidance and tools to empower manufacturers and stakeholders to ensure the cybersecurity of AI-enabled medical devices throughout the entire product lifecycle.

Third-party AI risks and supply chain transparency aims to strengthen security, trust, and resilience through the enhancement of visibility and transparency of third-party tools, establishing oversight and governance polices, and standardizing processes for procurement, vetting, and lifecycle management.

The guidance will help to improve awareness and understanding of critical risk areas and provides a roadmap for implementing new AI technologies while ensuring safety and responsible use.

The post HSCC Publishes Preview of Health Sector AI Cybersecurity Risk Guidance appeared first on The HIPAA Journal.

Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies

Posted by Steve Alder

Data breaches have recently been identified by Sun Valley Surgery Center in Nevada and American Associated Pharmacies in Alabama.

Sun Valley Surgery Center

Sun Valley Surgery Center in North Las Vegas, Nevada, has identified unauthorized access to its computer network. Anomalous activity was identified within its information systems on September 3, 2025. The forensic investigation confirmed that an unauthorized third party accessed parts of its network where sensitive patient information was stored.

Data potentially compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license/state-issued identification numbers, passport/other government identification numbers, and health information such as health histories, diagnosis/treatment information, explanation of benefits, health insurance information, and/or MRN numbers/patient identification numbers. Sun Valley Surgery Center has implemented additional safeguards and technical security measures to prevent similar incidents in the future. Approximately 27,000 individuals were potentially affected.

American Associated Pharmacies

One of the largest independent pharmacy organizations in the United States has recently fallen victim to a ransomware attack that resulted in the encryption of data on its systems. Scottsboro, AL-based American Associated Pharmacies (AAP) identified suspicious activity, including file encryption, within its computer network on October 23, 2024. Immediate action was taken to contain and mitigate the incident, including shutting down all affected systems and changing passwords to prevent further unauthorized access. The forensic investigation confirmed that initial access occurred ten days prior to the attack on October 13, 2024.

Assisted by third-party cybersecurity professionals, AAP determined that before file encryption, the attackers exfiltrated files from its network. The review of those files has recently been completed, and individual notifications are now being mailed to the affected individuals. Data compromised in the incident varies from individual to individual and may include names, addresses, birth dates, Social Security numbers, passport numbers, driver’s license number/other government-issued identification numbers, bank/financial account numbers/routing numbers, clinical/treatment information, medical information, provider names, medical record numbers, health insurance information, prescription information and/or usernames and passwords.

Several steps have been taken to augment security to prevent similar incidents in the future, including implementing further monitoring tools and expanding the use of multifactor authentication. The affected individuals have been advised to monitor their free credit reports, account statements, and explanation of benefits statements for suspicious activity. Credit monitoring and identity theft protection services have been offered to certain individuals, according to the notification sent to the Maine Attorney General. That notification indicates 8,032 individuals have been affected, including 25 Maine residents.

The post Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies appeared first on The HIPAA Journal.

EHR Vendor Identifies Business Associate Data Breach

Posted by Steve Alder

Data breaches have recently been announced by the EHR vendor CareTracker (Amazing Charts) and the Wisconsin health system, Marshfield Clinic.

CareTracker (Amazing Charts)

CareTracker Inc., doing business as Amazing Charts, an electronic health record and practice management platform provider, has been affected by a security incident at one of its vendors. On June 19, 2025, Amazing Charts identified unusual activity within a system managed by a third-party vendor. Immediate action was taken to secure the vendor’s environment, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed unauthorized access to the service provider’s network between June 15, 2025, and June 19, 2025. Files were then reviewed to determine the individuals affected and the types of data involved. Due to the complexity of the data review, that process has only recently been completed.

Data potentially compromised in the incident included names in combination with one or more of the following: diagnoses, treatment information, physician names, medical record numbers, and health insurance information. Notification letters have recently been mailed to the affected individuals, and complimentary credit monitoring services have been offered for 12 months. At the time of notification, no misuse of the affected information had been identified.

Marshfield Clinic Health System

Marshfield Clinic Health System, an integrated health system serving Wisconsin and Michigan’s Upper Peninsula, identified unauthorized access to certain employee email accounts on or around August 27, 2025. The forensic investigation confirmed that an unauthorized third party had access to the accounts from August 26 to August 27, 2025, and potentially accessed or copied emails containing patient information. The types of information compromised in the incident varied from individual to individual and may have included names, medical record numbers, health insurance information, diagnosis, and treatment information.

The affected individuals are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post EHR Vendor Identifies Business Associate Data Breach appeared first on The HIPAA Journal.

Doctor Alliance Investigating 353 GB Data Theft Claim

Posted by Steve Alder

Dallas, TX-based Doctor Alliance, a HIPAA business associate that provides document management and billing services to HIPAA-covered entities, is investigating a claim that a hacker exfiltrated 353 GB of data in a November cyberattack.

On or around November 7, 2025, a hacker using the moniker Kazu, added a post to an underground hacking forum claiming to have stolen 1.24 million files from Doctor Alliance. The hacker has demanded a $200,000 ransom, payment of which is required to ensure that the stolen data is deleted. The hacker has threatened to sell the data if the ransom is not paid.

A 200 MB sample was added to the listing that was analyzed and found to contain what appears to be patient names, addresses, phone numbers, email addresses, medical record numbers, Medicare numbers, diagnoses, treatment information, medications, and provider information. According to the leak site, Doctor Alliance has until November 21, 2025, to pay the ransom.

While the sample appears to include patient data, it has yet to be confirmed whether the data came from Doctor Alliance. It is possible that the data came from a previous data breach at an unrelated entity. Doctor Alliance has issued a statement confirming it is aware of the claim, has engaged cybersecurity experts to determine whether its network was compromised, and is analyzing the data sample to determine if the claim is valid. Doctor Alliance has confirmed that a single client account has been accessed by an unauthorized individual, and that immediate action was taken to contain the incident. The vulnerability that was exploited was remediated on the day of discovery, but Doctor Alliance has not confirmed if data was stolen in that incident.

It is unclear whether Kazu is an individual or a member of a hacking group. The Kazu data leak site currently lists more than 30 victims from spring 2025. Other victims on the leak site include government entities, the military, and other healthcare organizations. Kazu does not appear to have previously targeted entities in the United States, appearing to favor entities in South America, Asia, and the Middle East. The dark web data leak site includes victims from Argentina, Bolivia, Colombia, Costa Rica, Iran, Mauritania, Mexico, Nepal, Saudi Arabia, Sri Lanka, Thailand, and Venezuela. Doctor Alliance is currently the only listed U.S. victim.

The lack of confirmation of data theft has not prevented legal action from being taken. Multiple class action lawsuits have already been filed in the United States District Court for the Northern District of Texas, Dallas Division, by individuals who claim to have been affected. One of those lawsuits was filed by Barbara Catabia, individually and on behalf of similarly situated individuals. According to the lawsuit, “There is no question Plaintiff’s and Class Members’ Private Information is in the hands of cybercriminals who will continue to use the stolen Private Information for nefarious purposes for the rest of their lives.”

The lawsuit claims Doctor Alliance provides services to healthcare organizations such as Intrepid, AccentCare, Interim, and Prima Care. Prima Care is also named as a defendant in the lawsuit. The lawsuit asserts claims of negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and breach of third-party beneficiary contract. The lawsuit seeks class action certification, a jury trial, compensatory damages, punitive damages, nominal damages, restitution, injunctive and declaratory relief, reasonable attorneys’ fees and costs, and other remedies deemed appropriate by the court.

The post Doctor Alliance Investigating 353 GB Data Theft Claim appeared first on The HIPAA Journal.

Warning Issued About Akira Ransomware as Attacks on Critical Infrastructure Accelerate

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense Cyber Crime Center (DC3), Department of Health and Human Services (HHS), and international law enforcement partners about the Akira ransomware group, which has accelerated its attacks on critical infrastructure in recent months.

According to the FBI, Akira has been paid more than $244 million in ransoms since the group was first identified in March 2023. While Akira primarily targets small- to medium-sized organizations, the group has also attacked larger organizations, favoring sectors such as manufacturing, education, information technology, healthcare, financial services, and food and agriculture.

The group’s tactics are constantly evolving. While the group initially targeted Windows systems, a Linux version of its encryptor has been developed that is used to target VMware Elastic Sky X Integrated (ESXi) virtual machines (VMs), and recently the group has been observed encrypting Nutanix AHV VM disk files.

Akira typically uses stolen credentials for initial access, often obtained in spear phishing campaigns or through brute force attempts to guess weak passwords. Akira may also purchase access to compromised networks from initial access brokers. The group typically targets virtual private network (VPN) services that do not have multifactor authentication enabled, although vulnerabilities are also exploited. Akira has been observed exploiting vulnerabilities in Cisco devices (CVE-2020-3259; CVE-2023-70766) and has recently been observed exploiting a vulnerability in SonicWall Firewall devices (CVE-2024-40766). Once access has been gained, the group maintains persistence by using legitimate remote access tools such as LogMeIn and AnyDesk.

Like many other ransomware groups, Akira engages in double extortion tactics, stealing data and encrypting files, then demanding payment to prevent the publication of the stolen data on its leak site and to obtain the decryptrion keys.

“The threat of ransomware from groups like Akira is real and organizations need to take it seriously, with swift implementation of mitigation measures,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA. The joint advisory about Akira ransomware was first issued in April 2024, but has now been updated with new tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) from recent attacks, including new recommended mitigations. The most important mitigations are to ensure that vulnerabilities are patched promptly, especially the vulnerabilities detailed in the advisory; to implement and enforce phishing-resistant multifactor authentication; and to ensure that backups are made of all critical data, storing backups securely offline.

The post Warning Issued About Akira Ransomware as Attacks on Critical Infrastructure Accelerate appeared first on The HIPAA Journal.

Urgent Patching Required to Fix Actively Exploited Cisco Flaws

Posted by Steve Alder

Threat actors are actively exploiting multiple Cisco vulnerabilities for which patches were previously issued in August; however, attacks are ongoing, including attacks on devices that have been improperly patched.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a cybersecurity alert this week about two critical Cisco vulnerabilities – CVE-2025-30333 and CVE-2025-20362 – affecting Cisco Adaptive Security Appliances (ASA) and Firepower devices. The vulnerabilities affect devices running Cisco Secure ASA Software or Cisco Secure FTD Software and have CVSS v3.1 base scores of 9.9 and 9.8. The vulnerabilities can be exploited by sending specially crafted HTTP requests to a vulnerable web server on a device.

Cisco issued patches to fix the vulnerabilities in August this year, warning that hackers could exploit the flaws to execute commands at a high privilege level. The flaws allow threat actors to access restricted URL endpoints that should be inaccessible without authentication. By exploiting the flaws, attackers can execute code on vulnerable devices. If the vulnerabilities are chained, an attacker can gain full control of the devices. At the time the patches were issued, Cisco warned that the vulnerabilities had already been exploited as zero-days in the ArcaneDoor campaign, which exploited two other flaws.

While many organizations applied the patches and believed they were protected against exploitation, in some cases, the patches were applied without updating the minimum software version, leaving the organizations vulnerable to exploitation. “In CISA’s analysis of agency-reported data, CISA has identified devices marked as ‘patched’ in the reporting template, but which were updated to a version of the software that is still vulnerable to the threat activity outlined in the [Emergency Directive], explained CISA in the alert. “CISA recommends all organizations verify the correct updates are applied.” CISA has published guidance on patching the two vulnerabilities and warned that immediate patching is required, including on devices that are not exposed to the Internet.

The post Urgent Patching Required to Fix Actively Exploited Cisco Flaws appeared first on The HIPAA Journal.