Author Archives: Steve Alder

Catholic Health System & Northwell Health Settle Pixel Lawsuits

The New York-based health systems, Catholic Health System & Northwell Health, have agreed to settle class action lawsuits stemming from their use of pixels and other website tracking and analytics tools, which are alleged to have disclosed sensitive personal and protected health information to third parties such as Meta and Google without consent.

Website tracking and analytics tools are used extensively across the internet for tracking website visitors. While these tools can collect valuable information to help website owners improve their websites, they can also collect and transmit sensitive data to the third-party providers of the tools. That disclosed information may then be used for advertising purposes.

Depending on how these tools are implemented, they may violate the HIPAA Privacy Rule, such as if they are added to web pages or apps that require authentication. Over the past three years, many lawsuits have been filed over the use of these tools by healthcare providers. HIPAA has no private cause of action, so individuals cannot sue for HIPAA violations. The lawsuits were filed for alleged violations of federal wiretapping laws and state consumer protection laws.

Catholic Health System Pixel Settlement

Catholic Health System, a non-profit integrated health system based in Buffalo, New York, was sued for implementing these tools, which resulted in impermissible disclosures of protected health information to Meta and other third parties. The defendant filed a motion to dismiss, which was partially successful; however, the lawsuit was allowed to proceed, and an amended complaint – J.C. v. Catholic Health System, Inc. – was filed in the Supreme Court of the State of New York, County of Erie.

Catholic Health System denies any wrongdoing whatsoever and also denies that tracking technologies were added to its patient portal or electronic medical record system; however, following mediation, a settlement was agreed upon by all parties. The settlement provides benefits to all patients who logged into the Catholic Health System MyChart patient portal from January 1, 2020, through December 11, 2025 (Subclass 1), and any current or former patient who sought and received treatment from Catholic Health System between the same dates, not including individuals in Subclass 1 (Subclass 2).

The defendant has agreed to pay all attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. Class members in Subclass 1 may submit a claim for a one-time cash payment of $20, and members of Subclass 2 may submit a claim for a 12-month membership to a Dashlane privacy monitoring service. Class members have until March 11, 2026, to object to the settlement or exclude themselves. Claims must be submitted by April 10, 2026, and the final fairness hearing has been scheduled for April 23, 2026.

Northwell Health Pixel Settlement

Northwell Health, a New York-based nonprofit integrated healthcare system serving patients in New York and Connecticut, faced similar class action litigation over the use of website tracking tools that were alleged to have disclosed sensitive personal and protected health information to third parties such as Meta and Google without patients’ knowledge or consent. Through these tools, the defendant is alleged to have disclosed information related to past, present, or future health conditions, which would allow third parties to determine that an individual was a patient or seeking treatment, together with the type of medical care being sought.

The lawsuit, Kaplan v. Northwell Health, Inc., was filed in the Supreme Court of the State of New York, County of Kings, and asserted claims of breach of fiduciary duty/confidentiality, breach of implied contract, unjust enrichment, negligence, invasion of privacy under New York Civil Rights Law, violations of the New York Consumer Law for Deceptive Acts and Practices, and violations of the Electronic Communications Privacy Act.

The defendant denies all claims of fault, wrongdoing, and liability and disagrees with all contentions in the lawsuit; however, to avoid the expense of ongoing litigation and the uncertainty of a trial and related appeals, the decision was taken to settle the litigation. There are two settlement classes, with different benefits. Individuals who used Northwell Health’s FollowMyHealth patient portal between January 1, 2020, and December 31, 2023, are in Settlement Subclass 1 and may submit a claim for monetary relief of $15 per class member. All other patients of Northwell Health between January 1, 2020, and July 25, 2024, not including those in Settlement Subclass 1, are in Settlement Subclass 2 and may claim a 12-month membership to a privacy monitoring service.

The deadline for objection and opting out is March 23, 2026. The deadline for submitting a claim is April 20, 2026, and the final fairness hearing has been scheduled for April 21, 2026.

The post Catholic Health System & Northwell Health Settle Pixel Lawsuits appeared first on The HIPAA Journal.

Greater Pittsburgh Orthopedic Associates Data Breach Affects Almost 57,000 Individuals

Greater Pittsburgh Orthopedic Associates has experienced a ransomware attack that has affected almost 57,000 individuals. Data breaches have also been announced by Triad Radiology Associates in North Carolina and North East Medical Services in California.

Greater Pittsburgh Orthopedic Associates, Pennsylvania

Greater Pittsburgh Orthopedic Associates in Pennsylvania has recently reported a data breach to the Maine Attorney General involving unauthorized access to the personal and protected health information of up to 56,954 individuals, including 3 Maine residents.

According to the notice, anomalous network activity was identified on August 10, 2025. Incident response protocols were initiated, and third-party cybersecurity experts were engaged to assist with the investigation, help secure its IT environment, and harden security. The investigation confirmed that patient data was exposed in the incident, and the review of that data has recently been completed. The exposed data elements vary from individual to individual and may include names in combination with one or more of the following: mailing address, Social Security number, and provider name.

Notification letters started to be mailed to the affected individuals on or around February 5, 2026, and at the time of issuing those notifications, no evidence had been found to indicate any patient data had been misused; however, as a precaution, the affected individuals have been offered complimentary single-bureau credit score, credit report, and credit monitoring services. The Ransomhouse ransomware group claimed responsibility for the breach and said it encrypted files and exfiltrated data from its network. While the group claims that it will publish the stolen data, its dark web data leak site only includes an “evidence pack,” which currently cannot be downloaded.

Triad Radiology Associates, North Carolina

Triad Radiology Associates, a North Carolina-based physician practice providing medical imaging and radiology services, has notified 11,011 individuals about unauthorized access to an employee’s email account containing electronic protected health information. Suspicious activity was identified within the email account on or around July 30, 2025. After securing the account, an investigation was launched to determine the nature and scope of the activity, with assistance provided by third-party cybersecurity experts.

According to its data breach notice, “Our investigation determined that a limited amount of information may have been accessed between July 11, 2025, and September 8, 2025.” That suggests that despite securing the account, unauthorized access continued for almost 40 days after the incident was first identified. Triad Radiology said its file review confirmed that the information exposed in the incident included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, bank account information, medical information, and health insurance information. Triad Radiology has reviewed its data security policies and procedures and is taking steps to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

North East Medical Services, California

North East Medical Services, a San Francisco, California-based network of community health centers in the San Francisco Bay Area and Las Vegas, has recently disclosed a data breach to the California Attorney General. On October 19, 2025, suspicious activity was identified within its computer systems. Third-party cybersecurity experts have been engaged to investigate the incident, and unauthorized network access was confirmed.

The exposed data is currently being reviewed, and North East Medical Services has yet to determine how many individuals have been affected or the types of data involved. Notification letters will be mailed to the affected individuals when the data review is concluded. In the meantime, all patients have been advised to remain vigilant against incidents of identity theft and fraud by monitoring their accounts and explanation of benefits statements for suspicious activity.


Vikor Scientific Affected by Ransomware Attack on Revenue Cycle Management Vendor

Vikor Scientific (now rebranded as Vanta Diagnostics), a molecular diagnostics company based in Charleston, South Carolina, has been affected by a security incident at one of its vendors – the revenue cycle management company, Catalyst RCM. The breach also affected the Vikor Scientific-owned molecular testing laboratory KorGene, and KorPath, a Tampa, Florida-based anatomical pathology lab, which partners with Vanta Diagnostics. Vikor Scientific has reported the data breach to the HHS’ Office for Civil Rights as involving the electronic protected health information (ePHI) of 139,964 individuals.

Catalyst RCM has published a substitute breach notice on its website and is issuing notification letters to the affected individuals on behalf of its affected HIPAA-covered entity clients. While it is ultimately the responsibility of each affected HIPAA-covered entity to issue notification letters when there has been a data breach at a vendor, the notification responsibilities are often delegated to the vendor.

In the breach notice, Catalyst RCM explains that suspicious activity was identified within its secure file management system on or around November 13, 2025. An investigation was launched, which identified an unauthorized login to a system used to access one of its servers. The server was accessed without authorization between November 8, 2025, and November 9, 2025. The affected system was reviewed to determine whether any protected health information had been exposed or stolen, and the review concluded on December 12, 2025. Catalyst RCM confirmed that the threat actor exfiltrated data in the attack.

Data potentially compromised in the incident varies from individual to individual and may include names plus one or more of the following: date of birth, diagnosis information, medical treatment information, history, health insurance information, and/or payment card information with access code.

Catalyst RCM has updated its security policies, procedures, and protocols to reduce the likelihood of similar incidents in the future, and has advised the affected individuals to remain vigilant against identity theft and fraud by monitoring their free credit reports. While no misuse of the affected data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

While the incident was not described as a ransomware attack, the Everest ransomware group claimed responsibility for the attack and added Vikor Scientific to its dark web data leak site, along with samples of data allegedly stolen in the attack. Everest threatened to leak the stolen data if contact was not made. Everest claims to have leaked all data exfiltrated in the attack, indicating the ransom was not paid.


HHS-OIG Identifies Security Deficiencies in Audit of VA Spokane Healthcare System

An audit of the Department of Veterans Affairs Spokane Healthcare System in Washington state by the Department of Health and Human Services Office of Inspector General (HHS-OIG) identified deficiencies in all three control areas inspected: configuration management, security management, and access controls. The audit of the Mann-Grandstaff VA Medical Center, which has approximately 1,300 employees and provided care to 27,000 patients in fiscal year 2024, was conducted between January 29 and February 6, 2025.

There were several instances where staff failed to remediate critical and high-severity vulnerabilities within the 60-day time frame stipulated by the VA, and in some cases had failed to develop the required action plans to remediate those vulnerabilities within that time frame. HHS-OIG also identified systems that were running unsupported software, and several devices were identified that had not been configured to VA-approved security baselines. These deficiencies increased the risk of unauthorized access and operational disruption, especially the failure to meet the security baselines on databases and core network devices.
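The remediation finding above rests on a simple rule: a critical or high-severity vulnerability is either fixed within 60 days of detection or has a documented action plan on file. The script below is an added example, not part of the audit report or any VA tooling, that applies that rule to a constructed list of scanner findings and separates the three outcomes an auditor would distinguish: remediated late, open with a plan, and open with no plan. The record fields, hostnames, and dates are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SLA_DAYS = 60                        # remediation window the audit summary attributes to VA policy
SLA_SEVERITIES = {"critical", "high"}  # severities the window applies to


@dataclass
class Vuln:
    host: str
    finding_id: str                   # scanner/plugin identifier (constructed)
    severity: str
    detected: date
    remediated: Optional[date] = None
    action_plan: bool = False         # True if a documented remediation plan exists


def overdue_findings(vulns, as_of):
    """Return (vuln, days_open, status) for critical/high findings that breached the SLA.

    A finding that was remediated, even late, is still reported so the audit
    trail shows the miss; an open finding is classed by whether a plan exists.
    """
    results = []
    for v in vulns:
        if v.severity.lower() not in SLA_SEVERITIES:
            continue                                   # medium/low have no 60-day rule here
        end = v.remediated or as_of
        days_open = (end - v.detected).days
        if days_open <= SLA_DAYS:
            continue                                   # within the window
        if v.remediated:
            status = "remediated late"
        elif v.action_plan:
            status = "open, plan on file"
        else:
            status = "open, no action plan"
        results.append((v, days_open, status))
    return results


# Constructed sample scan results; as_of mirrors the last day of the audit window.
SAMPLE_VULNS = [
    Vuln("db-01", "F-1001", "critical", date(2024, 10, 1), remediated=date(2024, 11, 15)),
    Vuln("db-02", "F-1002", "critical", date(2024, 10, 1), remediated=date(2025, 1, 10)),
    Vuln("core-sw-1", "F-2001", "high", date(2024, 11, 20), action_plan=True),
    Vuln("core-sw-2", "F-2002", "high", date(2024, 11, 1)),
    Vuln("ws-17", "F-3001", "medium", date(2024, 6, 1)),
    Vuln("db-03", "F-1003", "critical", date(2025, 1, 20)),
]
AS_OF = date(2025, 2, 6)

if __name__ == "__main__":
    for v, days, status in overdue_findings(SAMPLE_VULNS, AS_OF):
        print(f"{v.host:10} {v.finding_id} {v.severity:8} {days:3d} days  {status}")
```

Run against the sample, the report lists only the three findings that breached the window; the medium-severity item and the two compliant critical items are excluded. Feeding this from a real scanner export turns the audit finding into a recurring check rather than a point-in-time observation.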

One deficiency was identified in security management regarding the protection of personally identifiable information (PII). A screen with unredacted PII in the federal electronic health record (EHR) could be viewed by volunteers and scheduling clerks, who did not require access to that information. The failure to restrict access puts PII at risk, which could potentially be misused to cause harm to veterans.

Four access control deficiencies were identified related to physical and logical access to IT resources. There was a lack of proper segregation of duties for key distribution, unsecured network equipment was identified in two locations, eleven communications sockets did not have proper electrical grounding, and perimeter protection measures for fuel storage did not meet VA guidelines.

HHS-OIG made 7 recommendations in the areas of configuration management, security management, and access controls, which HHS-OIG said are also applicable to other VA facilities. The VA has already implemented some of the recommendations and has planned to address the remaining issues.


Senators Demand Answers from Labor Secretary on Decline in OSHA Safety & Health Enforcement

Six Democratic Senators have written to the United States Secretary of Labor, Lori Chavez-DeRemer, demanding answers about an apparent rollback of safety rules and reduced oversight of workplace safety and health. Senators Elizabeth Warren (D-MA), Angela Alsobrooks (D-MD), Tammy Baldwin (D-IL), Richard Blumenthal (D-CT), Alex Padilla (D-CA), and Ron Wyden (D-OR) questioned whether the Trump administration is discouraging the enforcement of workplace safety laws, and whether the sharp reduction in inspections and penalties is a precursor to the elimination of key safety regulations that were established to keep American workers safe.

Sen. Warren was confidentially provided with data that shows a 20% reduction in workplace inspections by the Department of Labor’s Occupational Safety and Health Administration (OSHA) between April 2025 and September 2025, compared to the corresponding period the previous year. The data also show a 42% reduction in inspections with citations for willful violations.

While there may have been improvements to workplace safety, resulting in fewer citations for willful violations, such a high percentage reduction in a single year suggests something else may be at play. “This reduction in findings of willful violations indicates that OSHA inspectors may be being encouraged to issue citations for lesser violations, allowing employers who commit serious safety violations to avoid facing proportional consequences,” wrote the senators in the letter. “If employers know that they are unlikely to face hefty fines, they may be less likely to adhere to safety standards that keep American workers safe in their places of employment,” the senators wrote.

The senators cite a December 2025 report – Worker Protections in Freefall: The Collapse of Federal Labor Enforcement under the Second Trump Administration – by the advocacy group Good Jobs First that highlights a precipitous decline in OSHA penalty assessments. Between 2009 and 2024, OSHA penalty assessments remained fairly steady, fluctuating by only 4% over that period. Good Jobs First reports that “Wage and hour penalties have decreased 94% during Trump’s second term, and workplace health and safety penalties have dropped 45%.”

Based on the findings of workplace safety and health inspections since 2009, an increase in inspections would appear to be the logical response to get employers to create safer and more healthful workplaces, yet the Trump administration has proposed massive cuts to OSHA’s funding, while the Department of Labor has rolled out a deregulatory agenda to eliminate key health and safety regulations. “Your agency has tried to cloak your deregulatory agenda in the language of ‘putting workers first,’ but the reality is that the Labor Department is prioritizing the interests of unscrupulous employers over Americans who work hard in dangerous environments to provide for their families,” wrote the senators.

According to the senators, some of the regulations that have been rolled back include the elimination of the authority of the Mine Safety and Health Administration (MSHA) to require mine operators to ensure proper ventilation to protect miners from hazards such as black lung disease, and loosened respirator requirements for workers exposed to carcinogens, lead, asbestos, and formaldehyde. The senators also warn that the Department of Labor plans to eliminate the requirements for adequate lighting on construction sites, despite one in 20 construction worker deaths being due to inadequate lighting, and plans to limit the ability of OSHA to hold employers accountable for unsafe working conditions in inherently unsafe professions.

In the letter, the senators demanded answers to their questions by March 4, 2026. They include questions related to the Department of Labor’s deregulatory agenda, whether the termination of leases of 11 OSHA regional offices by the Department of Government Efficiency (DOGE) means they have been permanently closed, whether there are plans to close other OSHA regional offices, and several questions about OSHA inspections, hazard letters, violations, and citations in 2025.


Interview: Hoala Greevy, Founder & CEO, Paubox

The HIPAA Journal has spoken with Paubox founder and CEO, Hoala Greevy, to find out more about his work and experiences with HIPAA.


Tell the readers about your career in the healthcare industry

My journey in healthcare began in 2014, following a lunch meeting with Siana Austin Hunt, who was CEO of the Make-A-Wish Foundation of Hawaii at the time.

She explained a business problem to me and after some thought, I decided to do something about it. From there we built a seamless email encryption solution that became Paubox.

What was your first position?

My first job out of college was working for an email company in San Francisco in 1999. I’ve been doing email ever since.

What is your current position?

I’m the Founder and CEO of Paubox.

What are the main challenges in your position?

Communicating the mission, vision, and future direction of Paubox to staff, investors, and customers. I’ve found in my role, there is no such thing as over-communicating.

Tell the readers about any significant event in your career.

During my first semester taking computer science courses at Portland State University, I noticed a “help wanted” sign on the job bulletin board in the CS building. The scope of work for the contract was nearly identical to the homework we had the prior week. Although I was certain someone had already beaten me to it, I called the number anyway.

As luck would have it, I was the only person to call; I specifically recall how motivated the guy was. There was a bug in his company’s payroll file and without it fixed, he couldn’t run payroll.

A few days later, I met him in a Safeway parking lot near campus, floppy disk in hand. He popped it into his laptop, ran the executable, and voilà—it worked. He then begrudgingly gave me a check, I think it was for $1,000. I split it with my buddy who had access to a C++ compiler, which I needed. All told, I made $500 for 30 minutes of work.

I immediately knew that was exactly what I wanted to do as a career: develop, market, and sell software.

What products/services do you provide for the healthcare industry and what is unique about them?

Our mission is to become the market leader for HIPAA-compliant communication. To that end, we specialize in three areas: email, forms, and text.

  • Paubox inbound email security protects healthcare organizations from advanced, healthcare-targeted threats with a combination of AI analysis and proven email security defenses. Every email is secured before it reaches users, eliminating the risk of interaction with malicious messages.
  • Paubox Email Suite is compatible with Microsoft 365, Google Workspace, and Microsoft Exchange. By default, it encrypts every email, for all users, and all devices.
  • Paubox Email API is a HIPAA-compliant REST API for transactional email.
  • Paubox Marketing is for digital marketers in healthcare. Paubox Marketing can be used to build personalized email campaigns that include protected health information (PHI). This is unique in that it’s common knowledge outside of healthcare that personalized email increases engagement and conversions. In healthcare however, personalization information can easily become PHI, which is protected by HIPAA. The ability to personalize with PHI and thereby increase patient engagement, is a new horizon in healthcare.
  • Paubox Forms is included for free for all paid customers. We released it in January.
  • Paubox Texting, our newest solution, is designed to further increase patient engagement.
  • Paubox Email Suite, Paubox Email API, and Paubox Marketing are HITRUST CSF certified. The HITRUST certification is the gold standard for HIPAA compliance in U.S. healthcare.

When did you first get involved with HIPAA compliance?

I first dove into the world of HIPAA compliance in 2014. After writing more than 700 blog posts generally around HIPAA-compliant email, it remains a topic I’m still learning about.

What are your main challenges regarding HIPAA?

HIPAA can mean many things to people. Effectively communicating and understanding HIPAA compliance is a constant challenge.

What do you think needs to be improved in the HIPAA regulations?

The deprecation of the fax machine as a HIPAA-compliant form of communication.

Do you have any predictions for the future of HIPAA?

More HIPAA breaches. More HIPAA fines. More HIPAA regulations.

Do you have any predictions for the future of healthcare regulation?

I believe more privacy rights will be added to healthcare regulations. While the HIPAA Privacy Act is a good start, I think more privacy provisions will be added.

For example, the California Consumer Privacy Act (CCPA) gives consumers the right to know about the personal information a business collects about them and how it is used and shared. It also gives them the right to delete personal information collected.

I think it’s a natural step for the HIPAA Privacy Act to be extended to adopt guidance similar to this.

Do you have any predictions for the future of healthcare technology?

Until we vanquish the fax machine, it remains a mystery to me how effective Generative AI will be in healthcare.

Do you have anything else interesting to share with readers?

I hold the IGFA world record for the finescale triggerfish, which is perhaps the ugliest fish ever caught!

You can reach Hoala Greevy via LinkedIn https://www.linkedin.com/in/hoalagreevy/



Audit of Utah Department of Health and Human Services Identifies Critical Privacy & Security Weaknesses

An audit of the Utah Department of Health and Human Services (DHHS) by the Office of the Utah State Auditor has identified privacy and security weaknesses that are putting the health information privacy of state residents at risk, especially children.

The audit was conducted in response to a complaint by a DHHS whistleblower employee who alleged that the DHHS had not implemented adequate incident response procedures and had insufficient monitoring mechanisms for detecting and managing privacy incidents. According to the complainant, the deficiencies have resulted in under-reporting of incidents and unmitigated exposure of sensitive data, especially the data of children.

The audit was led by Tina M. Cannon, State Auditor; Nora Kurzova, State Privacy Auditor; and Mark Meyer, Assistant State Privacy Auditor, and involved a review of applicable laws related to incident response and data protection, a privacy risk assessment of the most significant data processing activities as they relate to children, an evaluation of incident response documentation and internal privacy and cybersecurity monitoring controls, and interviews with certain DHHS employees, including members of its Information Privacy and Security (IPS) team.

The audit was limited in scope and focused on two systems: SAFE and eChart. SAFE is the Comprehensive Child Welfare Information System (CCWIS) for the State of Utah, Division of Child and Family Services (DCFS), which is used to support child welfare case management, including child abuse and neglect cases. Currently, the system contains around 6 million records relating to more than 2 million individuals. eChart is the central repository of records related to patients with mental health needs. The system is maintained by the Utah State Hospital (USH) and currently includes records relating to more than 10,500 individuals.

The audit uncovered several privacy and security weaknesses, including weaknesses in oversight, awareness, and internal controls, which allow privacy violations to go undetected and unaddressed for extended periods. The auditors identified systemic issues in both the SAFE and eChart systems related to access controls, records dissemination, and monitoring across systems and teams handling sensitive records, including mental health and child welfare.

Inadequate access controls meant sensitive records in both systems could be accessed without enforcing or adequately monitoring role-based and least-privilege access. Records could be accessed for individuals outside a user’s workload, without requiring any justification for the access. Broad access to records had been given to individuals other than DHHS social workers, including the Utah Office of Guardian ad Litem, Utah Psychotropic Oversight Panel (UPOP), and the office of the Attorney General. In the eChart system, there were similar access control issues. For instance, users of the eChart system are expected to determine for themselves what range of viewing access is appropriate, and there were no restrictions on accessing the records of individuals outside a user’s caseload. The lack of protection was given a critical risk rating.

While logs are created of user access, there was no automated system for monitoring those logs. Each month, the division’s privacy officer reviewed access logs through a manual sampling process. There was no system in place for providing real-time alerts about suspicious medical record access. Data retention periods were unnecessarily long, creating an accumulating long-term exposure risk. For instance, some records in the SAFE system had a retention period of 100 years, when the typical retention period is only 7-10 years.
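The two findings above, access outside a user's caseload with no justification required and access logs reviewed only by manual monthly sampling, are exactly what an automated log review is meant to catch. The script below is an added example, not code from the audit or from the SAFE or eChart systems: it parses a constructed access log, compares each record access against a constructed caseload roster, and raises an alert for unjustified out-of-caseload access, for accounts missing from the roster, and for a user touching many records outside their caseload in one window (the bulk pattern that a few sampled lines per month would rarely surface). The log format, field names, user names, and record IDs are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed caseload roster: record IDs each user is assigned to (hypothetical).
CASELOAD = {
    "sw_alice": {"R100", "R101", "R102"},
    "sw_bob": {"R200", "R201"},
    "clerk_dan": set(),            # support role with no assigned cases
}

# Constructed access log lines: timestamp|user|record_id|action|justification
SAMPLE_LOG = """\
2025-03-01T09:02:11|sw_alice|R100|view|
2025-03-01T09:05:40|sw_alice|R201|view|
2025-03-01T09:06:02|sw_bob|R201|view|
2025-03-01T09:07:15|sw_bob|R102|view|court order 25-117
2025-03-01T10:11:09|clerk_dan|R100|view|
2025-03-01T10:11:12|clerk_dan|R101|view|
2025-03-01T10:11:14|clerk_dan|R200|view|
2025-03-01T10:11:16|clerk_dan|R201|view|
2025-03-01T10:11:18|clerk_dan|R300|view|
2025-03-01T11:30:00|unknown_user|R100|view|
"""


@dataclass(frozen=True)
class Finding:
    severity: str      # "alert" (page someone now) or "review" (queue for a human)
    user: str
    record_id: str
    timestamp: str
    reason: str


def parse_log(text):
    """Yield (timestamp, user, record_id, action, justification) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 4)
        if len(fields) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        yield tuple(fields)


def review_access(text, caseload, bulk_threshold=3):
    """Flag every access to a record outside the accessing user's caseload."""
    findings = []
    out_of_caseload = defaultdict(set)
    for ts, user, rec, _action, just in parse_log(text):
        if user not in caseload:
            # Account with no roster entry at all: cannot be evaluated, so alert.
            findings.append(Finding("alert", user, rec, ts, "account not in caseload roster"))
            continue
        if rec in caseload[user]:
            continue                                   # in-caseload access is expected
        out_of_caseload[user].add(rec)
        if just.strip():
            findings.append(Finding("review", user, rec, ts,
                                    f"out-of-caseload access, justification: {just.strip()}"))
        else:
            findings.append(Finding("alert", user, rec, ts,
                                    "out-of-caseload access, no justification"))
    # Bulk pattern: one user reaching many records outside their caseload in the window.
    for user, recs in out_of_caseload.items():
        if len(recs) > bulk_threshold:
            findings.append(Finding("alert", user, "*", "-",
                                    f"bulk access: {len(recs)} records outside caseload"))
    return findings


def alert_count(findings):
    """Number of findings that warrant immediate attention."""
    return sum(1 for f in findings if f.severity == "alert")


if __name__ == "__main__":
    for f in review_access(SAMPLE_LOG, CASELOAD):
        print(f"[{f.severity}] {f.timestamp} {f.user} {f.record_id}: {f.reason}")
```

On the sample log the single justified cross-caseload read (sw_bob under a court order) lands in the review queue, while the unjustified read by sw_alice, every read by the clerk, the clerk's bulk pattern, and the unrostered account all produce alerts. Running something of this shape on every log batch, rather than sampling by hand once a month, is the difference between the real-time alerting the auditors asked for and the under-detection they found.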

There have been documented cases of intentional breaches occurring, as well as staff members accessing and disclosing records to the wrong person. There were reports of individuals posting sensitive data online, and staff members capturing unauthorized photos of patients or facilities. From the interviews, the auditors discovered that there was no well-known or secure mechanism to support anonymous reports of inappropriate access to medical records. As a result, staff and stakeholders could not raise concerns about potential wrongdoing or privacy and security issues without fear of retaliation from agency leadership or coworkers.

The auditors pointed out that a single compromised account could expose an entire data repository, putting individuals at risk of identity theft and fraud. Since children’s data is highly valuable to cybercriminals, and identity theft using children’s data can go undetected for years, robust access controls are vital. The privacy of minors, patients, and other vulnerable groups was put at risk due to the lack of authentication and access controls; there was under-detection of privacy incidents and breaches due to inadequate monitoring; overretention of data created an unnecessary risk; and broad, unchecked access heightens the threat of identity theft.

While privacy and security weaknesses were identified, no evidence was found to suggest any successful hacking incidents involving either the SAFE or eChart systems. The Office of the State Auditor made several recommendations for improving privacy and security, and the DHHS is in various stages of implementing those recommendations.


UMMC Shuts Clinics While it Grapples with Ransomware Attack

University of Mississippi Medical Center (UMMC) has temporarily closed most of its clinics following a ransomware attack, and scheduled appointments and surgeries have been cancelled and will be rebooked once the attack has been remediated. Mississippi MED-COM, the network that coordinates hospital transfers across the state, has also been affected by the ransomware attack, but had redundancies in place, and patients continue to be routed to hospitals in the state without disruption.

The attack was detected in the early hours of Thursday, February 19, 2026, and has impacted the UMMC network and many of its IT systems, including its Epic electronic medical record system. According to LouAnn Woodward, vice chancellor for health affairs and dean of the School of Medicine, all clinics will remain closed on Friday, February 20, 2026, as a result of the attack, with the exception of its kidney dialysis clinic at Jackson Medical Mall, which remains open with appointments proceeding as scheduled. Without access to key systems, including its electronic medical record system, information is being recorded with pen and paper for patients in its care. In-person classes for students are continuing as scheduled.

Woodward confirmed that care continues to be provided to hospital patients, and all clinical equipment and operations remain functional. While there have been temporary clinic closures, the emergency department remains open and is accepting patients. Law enforcement has been alerted, and UMMC is coordinating with the Department of Homeland Security and the U.S. Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation is providing assistance.

Since the attack was only detected yesterday, it is too early to tell to what extent, if any, patient data has been compromised, or how long the recovery will take. “At this point in the incident it’s too early for us to communicate what we do and don’t know, but we are in the process of surging resources, both locally and nationally, into this incident to make sure that we are standing alongside with UMMC and their vendors,” said FBI Special Agent in Charge Robert A. Eikhoff, who was present at the UMMC press conference announcing the attack. UMMC has confirmed it has made contact with the group behind the attack, but the name of the group has not been disclosed, and UMMC has not stated whether it is considering paying the ransom.


Granite Wellness Centers & Pediatric Home Service Settle Class Action Data Breach Lawsuits

Granite Wellness Centers in California and Pediatric Home Service in Minnesota have both settled lawsuits stemming from cyberattacks that exposed sensitive patient data.

Granite Wellness Centers Data Breach Settlement

Granite Wellness Centers, a network of drug addiction treatment centers in Northern California, has agreed to settle class action litigation over a January 2021 ransomware attack and data breach that affected up to 15,600 individuals. The attack was detected on or around January 5, 2021, and the forensic investigation confirmed that the ransomware actor acquired files containing sensitive patient data, including names, dates of birth, home addresses, dates of care, treatment information, treatment providers, health information, health insurance information, driver’s license numbers, medical histories, Social Security numbers, and bank account numbers.

The affected individuals were notified on or around March 5, 2021, and the first class action lawsuit was filed on June 14, 2023. An amended complaint was filed in September 2023 – Bente, et al. v. Granite Wellness Centers – in the Superior Court of the State of California, County of Placer. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and declaratory judgment. Granite Wellness Centers maintains that there was no wrongdoing and denies claims that the exposure of data caused any harm to individuals. Following mediation, all parties agreed to settle the litigation to avoid the cost and risk of a trial, with no admission of wrongdoing or liability by the defendant.

Granite Wellness Centers has agreed to establish a $725,000 settlement fund to cover all costs associated with the litigation, including attorneys’ fees (up to 33.33% of the fund), litigation expenses (up to $20,000), service awards for the class representatives (up to $2,000 per class representative), and class member benefits. There are three types of payments available to class members. A claim may be submitted for a pro rata cash payment, estimated to be approximately $750 per class member, which may be higher or lower depending on the number of claims submitted. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member, and California residents at the time of the data breach may submit a claim for an additional statutory $100 cash payment.

The deadline for opting out and objecting is March 28, 2026. The deadline for submitting a claim is April 27, 2026, and the final fairness hearing has been scheduled for April 28, 2026.

Pediatric Home Service Data Breach Settlement

Pediatric Home Respiratory Services (Pediatric Home Service), a Roseville, MN-based independent children’s home healthcare provider, has agreed to settle litigation stemming from a November 2024 cyberattack and data breach. The lawsuit claims that 43,634 individuals were affected by the data breach. The HHS’ Office for Civil Rights was informed that the protected health information of 41,792 patients was exposed in the incident. The Pediatric Home Service cyberattack was detected on November 7, 2024, and the forensic investigation confirmed that an unauthorized third party accessed its network between November 1, 2024, and November 7, 2024. The affected individuals were notified on January 8, 2025.

Two class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – In re Pediatric Home Respiratory Services, LLC d/b/a Pediatric Home Service Litigation – in the District Court for Ramsey County, Minnesota. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, violation of the Minnesota Health Records Act, breach of fiduciary duty, declaratory judgment, and unjust enrichment. Pediatric Home Service denies all claims and contentions in the lawsuit and maintains there was no wrongdoing. Pediatric Home Service sought to have the lawsuit dismissed for lack of standing and failure to state a claim. The plaintiffs opposed the motion, and following mediation, a settlement was agreed to resolve the litigation.

There are two cash payment options, and every class member may select one of them. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $1,500 per class member. Alternatively, a one-time cash payment of $50 may be claimed. In addition, a claim may be submitted for a 12-month membership to one of three credit monitoring options: CyEx Medical Shield Complete, CyEx Identity Defense Total, or CyEx Minor Defense Pro (for minors). The deadline for objecting to the settlement or requesting exclusion is April 8, 2026. The claims deadline is April 23, 2026, and the final fairness hearing has been scheduled for May 8, 2026.
