Author Archives: Steve Alder

University of Hawaii Cancer Center Confirms Patient Data Stolen in Ransomware Attack

University of Hawaii Cancer Center has recently disclosed an August 2025 ransomware attack involving the acquisition of the sensitive data of study participants. University of Hawaii Cancer Center, part of the University of Hawaii (UH) System, is located in the Kakaʻako district of Honolulu and is the only National Cancer Institute-designated center in the state. According to the cancer center’s press release and breach reports to state attorneys general, unauthorized access to its computer network was discovered on or around August 31, 2025.

The affected servers were isolated, and an investigation was launched to determine the nature and scope of the unauthorized activity. University of Hawaii Cancer Center confirmed that a ransomware group had breached its network, encrypted files, and exfiltrated research files containing patient information. University of Hawaii Cancer Center said its electronic medical record system was unaffected; however, files were obtained that contained patients’ protected health information.

The majority of the stolen files related to a single research project. The review of those files revealed that some contained the Social Security numbers of research participants dating back to the 1990s. The University of Hawaii Cancer Center said that in the 1990s, Social Security numbers were used as patient identifiers; however, that practice has since been halted, and alternative identifiers are now used.

Due to the highly sensitive nature of the stolen data, UH made the difficult decision to engage with the threat actor. University of Hawaii Cancer Center said it worked with third-party cybersecurity experts to obtain a decryption tool to recover the encrypted data, and paid a ransom to prevent the publication of the stolen data. Assurances have been received that all of the stolen data has been deleted.

Files unrelated to the research study are still being reviewed to determine if they contain any patient data. Notification letters have yet to be sent to the affected individuals, but they will be mailed once up-to-date contact information has been obtained. University of Hawaii Cancer Center said the affected individuals will be offered complimentary credit monitoring and identity theft protection services.

Even though the ransom was paid, due to the extent of file encryption, it has taken some time to recover the encrypted files and restore the affected systems. Additional security measures have been implemented to strengthen security, including replacing its existing firewall with a new firewall with additional security controls and installing new endpoint protection software with 24/7 monitoring. The University of Hawaii Cancer Center said third-party cybersecurity experts have assessed and validated the cancer center’s security controls.

The incident has been reported to regulators; however, since the file review has not yet concluded, the number of affected individuals has yet to be disclosed.

The post University of Hawaii Cancer Center Confirms Patient Data Stolen in Ransomware Attack appeared first on The HIPAA Journal.

TriZetto Provider Solutions Issues Data Breach Notifications to HIPAA Covered Entities (Update)

TriZetto Provider Solutions, a Cognizant-owned provider of revenue management services to physicians, hospitals, and health systems, has started notifying certain healthcare clients about a recently identified cybersecurity incident.

On October 2, 2025, suspicious activity was identified within a web portal used by some of its healthcare provider customers to access TriZetto systems. Immediate action was taken to secure the web portal and mitigate the incident, and the cybersecurity firm Mandiant was engaged to investigate the activity, review the security of the web portal application, and ensure that the incident is fully remediated. TriZetto is satisfied that the threat actor has been eradicated from its system. No further unauthorized web portal activity has been detected since October 2, 2025.

While the cybersecurity incident was only recently detected, the unauthorized access has been ongoing for a considerable period of time. The forensic investigation determined that an unauthorized third party first started accessing historical eligibility transaction reports within the TriZetto system in November 2024, almost a year before the unauthorized access was detected. The reports within its storage system contained the protected health information of patients of certain healthcare provider clients.

Between October 2, 2025, and the end of November 2025, TriZetto reviewed the data within the compromised system to determine the types of data involved and the individuals affected. Information compromised in the incident includes the names of patients and primary insureds, in combination with some or all of the following: address, date of birth, Social Security number, health insurance member number (in some cases, Medicare beneficiary number), health insurer name, information about the primary insured or beneficiary, and other demographic, health, and health insurance information. TriZetto said no financial information was involved.

Notifications have been issued to the affected healthcare clients, who have been provided with a list of the affected individuals and a copy of the affected data. The HIPAA Breach Notification Rule requires notifications to be issued to the affected individuals within 60 days of a HIPAA-covered entity being notified about a data breach at a business associate. Assuming the affected healthcare providers comply with that HIPAA requirement, individual notifications for the affected individuals should be mailed within 60 days.

TriZetto has offered to handle the breach notifications on behalf of the affected clients, should they determine that breach notifications are required under HIPAA. TriZetto has also offered to notify the HHS’ Office for Civil Rights, state regulators, and media outlets on behalf of its covered entity clients, and will also cover the cost of complimentary credit monitoring, fraud consultation, and identity theft restoration services.

It is currently unclear how many of its healthcare provider clients have been affected or the scale of the data breach. Given the fact that its system was compromised for 11 months, it could be a sizeable data breach. Healthcare providers known to have been affected include:

  • CE-Edinger Medical Group, California
  • Friends of Family Health Center, California
  • Gardner Health Services, California (6,197 individuals)
  • Harmony Health Medical Clinic and Family Resource Center, California
  • One Community Health, California
  • Mission Neighborhood Health Center in California (3,741 individuals)
  • Native American Health Center, California
  • Open Door Community Health Centers, California
  • Planned Parenthood Northern California – TriZetto was a subcontractor of its business associate OCHIN
  • Lynn Community Health, Massachusetts
  • Share Ourselves, California (2,864 individuals)
  • Santa Rosa Community Health Centers, California – TriZetto was a subcontractor of its business associate OCHIN

This post was first published on December 11, 2025, and it will continue to be updated as further information about the TriZetto data breach is released.


Mystic Valley Elder Services Agrees to Settle Class Action Data Breach Lawsuit for $520,000

The Malden, Massachusetts-based Mystic Valley Elder Services has agreed to pay $520,000 to settle a consolidated class action lawsuit stemming from an April 5, 2024, data breach. Unauthorized individuals gained access to the network of Mystic Valley Elder Services and potentially obtained the names, dates of birth, passport numbers, financial account numbers, payment card numbers, online credentials, taxpayer identification numbers, Social Security numbers, driver’s license numbers, health insurance information, and medical information of more than 89,600 individuals.

Five class action complaints were filed in response to the data breach, which were consolidated in the Middlesex County Superior Court in Massachusetts. The consolidated class action lawsuit – In re Mystic Valley Elder Services Inc. – alleged that the data breach occurred as a result of cybersecurity failures, that Mystic Valley Elder Services failed to detect the unauthorized activity in a timely manner, and that it did not send timely notifications to the affected individuals, who did not learn about the data breach until 6 months later.

The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violations of the Massachusetts Consumer Protection Act. The lawsuit sought injunctive relief, including an order from the court prohibiting the transmission of sensitive data via unencrypted email, storing protected health information in email accounts, and requiring a host of security measures to be implemented to ensure the privacy and security of patient data. Mystic Valley Elder Services denies all liability and wrongdoing.

The lawsuit sought a jury trial; however, following mediation, all parties agreed to a settlement to avoid the cost, time, and uncertainty of a trial and related appeals. The settlement fund will be used to cover attorneys’ fees and expenses, settlement administration and notice costs, and service awards for the class representatives. The remainder of the settlement will be used to pay benefits to the class members.

Class members may claim a pro rata cash payment, estimated to be approximately $75 per class member. A claim may also be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member. The settlement also includes two years of credit monitoring and identity theft protection services. The final fairness hearing has been scheduled for February 17, 2026. Claims must be submitted by February 9, 2026.


Vida Y Salud-Health Systems & Dublin Medical Center Confirm Data Breaches

Data breaches have recently been announced by Vida Y Salud-Health Systems in Crystal City, Texas, and Dublin Medical Center in Georgia.

Vida Y Salud-Health Systems, Texas

Vida Y Salud-Health Systems, a Crystal City, TX-based Federally Qualified Health Center, has recently reported a data breach to the Texas Attorney General involving unauthorized access to the protected health information of 34,504 Texas residents. On October 8, 2025, suspicious activity was identified within its network. The forensic investigation confirmed that an unauthorized third party gained access to its network on October 7, 2025, and exfiltrated data.

The investigation and data review have recently concluded, and it was confirmed that names, addresses, dates of birth, Social Security numbers, driver’s license numbers, account numbers, and claim numbers had been stolen. Vida Y Salud-Health Systems has notified the HHS’ Office for Civil Rights; however, the data breach is not currently shown on the OCR data breach portal, so it is unclear how many individuals in total have been affected. Vida Y Salud-Health Systems said steps have been taken to strengthen security to prevent similar breaches in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Dublin Medical Center, Georgia

Dublin Medical Center in Georgia has recently started notifying individuals affected by an October 2025 cybersecurity incident. Suspicious activity was identified within its computer network on October 17, 2025. The substitute data breach notice on Dublin Medical Center’s website does not state when the unauthorized access started.

The review of the files on the affected parts of its network confirmed that patient data was compromised in the incident. The data types varied from individual to individual and may have included names in combination with some or all of the following: contact information, date of birth, patient status, provider name, diagnosis and treatment information, prescriptions, medical history, radiology imaging and reports, medical consent forms, lab reports, patient identification number, dates of service, and health insurance information.

The investigation is continuing; however, notification letters started to be mailed to the affected individuals on December 17, 2025. The affected individuals have been advised to remain vigilant against misuse of their data by reviewing their account statements, free credit reports, and explanation of benefits statements. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


Consulting Radiologists Pays $2.2M to Settle Class Action Data Breach Litigation

A settlement has been approved to resolve class action data breach litigation against Consulting Radiologists Ltd., a physician-owned radiology practice that provides medical imaging services at more than 100 healthcare facilities in Minnesota and the surrounding areas.

The Consulting Radiologists data breach was reported to the HHS’ Office for Civil Rights on June 14, 2024, as involving the protected health information of up to 583,824 individuals. A network intrusion was identified on February 12, 2024, and the investigation confirmed that the network was accessed by an unauthorized third party who may have obtained patient data such as names, addresses, dates of birth, medical information, health insurance information, along with the Social Security numbers of 19,346 individuals.

The data breach was announced in April 2024, and notification letters were sent to the affected individuals. Shortly thereafter, a class action lawsuit was filed in response to the data breach, followed by a further 18 complaints. In August 2024, District Court Judge Thomas Conley issued an order to consolidate all complaints against Consulting Radiologists. The consolidated lawsuit – In re Consulting Radiologists Data Incident Litigation – was filed in the District Court of the 4th Judicial District, Hennepin County, Minnesota, on November 1, 2024.

The lawsuit claimed the data breach was the result of negligence and could have been prevented had reasonable and appropriate cybersecurity measures been implemented and maintained. The lawsuit alleged that Consulting Radiologists had violated the HIPAA Rules, including the HIPAA Security Rule, by failing to properly secure patient data and the HIPAA Breach Notification Rule due to the delay in issuing notifications to the affected individuals.

The lawsuit asserted claims of negligence, negligence per se, breach of contract, breach of implied contract, breach of third-party contract, breach of implied covenant of good faith and fair dealing, breach of fiduciary duty, breach of confidence, invasion of privacy/intrusion upon seclusion, unjust enrichment, and violations of the Minnesota Consumer Fraud Act and Minnesota Health Records Act.

Consulting Radiologists sought to have the lawsuit dismissed, and that attempt was partially successful; however, the court declined to dismiss the claims of negligence, negligence per se, unjust enrichment, injunctive/declaratory relief, and violations of the Minnesota Consumer Fraud Act and Minnesota Health Records Act. Following mediation and ongoing negotiations, a settlement was agreed to bring the litigation to an end, with no admission of liability or wrongdoing. Consulting Radiologists has agreed to pay $2,200,000 in aggregate to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the 19 class representatives, and benefits to the class members.

Class members may claim up to three benefits under the settlement: a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member; two years of single-bureau credit monitoring services may be claimed; and class members may also claim a cash payment. The cash payments depend on the types of data compromised in the incident, and are expected to be $125 for individuals whose Social Security numbers were involved, and $50 for all other class members. The cash payments are subject to a pro rata reduction to remain under the cap of $2,200,000.

The deadline for objection to and exclusion from the settlement is January 30, 2026. The deadline for submitting a claim is March 2, 2026, and the final fairness hearing has been scheduled for February 25, 2026. Further information can be found on the settlement website: https://www.crdatasettlement.com/


FREE WEBINAR NEXT WEEK: 2025 HIPAA Breaches & Fines. Avoid Being the Next Headline

The healthcare sector saw a surge in 2025 of HIPAA breach reports and enforcement activity, and smaller organizations were not immune. Many cases trace back to the same avoidable breakdowns, such as inconsistent training, weak or outdated policies, and blind spots in Business Associate vendor oversight.

Breaches. Fines. Audits. Do not be the next headline.

If you are a covered entity or a healthcare adjacent organization without a dedicated compliance team, those gaps add up fast. Regulators are paying closer attention, and the cost of getting it wrong can be steep in HIPAA violation fines and related remediation costs.

Webinar attendees will learn how to:

  • Spot the recurring breakdowns behind 2025 breach cases and enforcement actions
  • Connect those failures to HIPAA expectations and oversight from OCR, HHS, and the OIG
  • Prioritize the biggest risk areas that most often lead to investigations, penalties, and costly remediation
  • Put a simple, repeatable compliance routine in place for 2026 that holds up even without a dedicated team
  • Take away practical next steps to reduce exposure and close gaps before the next audit or incident

Why Attend?

You will gain a clearer insight into why breaches and fines keep happening, what regulators look for during investigations and audits, and a practical roadmap you can apply in 2026 to reduce risk and strengthen compliance.

Reserve your seat today and learn how to avoid the compliance mistakes that lead to costly breaches and enforcement actions in 2025.


WEBINAR DETAILS

2025 HIPAA Data Breaches and Fines: Costly Compliance Mistakes and How to Avoid Them in 2026

Date: Thursday, January 22, 2026
Time: 1:00 PM ET / 6:00 PM GMT
Format: Live webinar (with practical guidance)

Speaker: Liam Degnan, Director, Solutions Engineering, Compliancy Group

Liam Degnan brings more than eight years of experience in risk management, SaaS sales, and healthcare compliance. As Compliancy Group’s Senior Solutions Engineer, he advises healthcare decision-makers, healthcare providers, and medical vendors. He speaks on a variety of platforms and topics, with an emphasis on simplifying HIPAA, OSHA, SOC 2, and other healthcare compliance regulations.


CareOregon and Health Share of Oregon Warn of Potential Insurance Fraud After Data Breach

CareOregon and Health Share of Oregon have notified certain patients about a data breach and potential insurance fraud. Andover Eye Associates has identified a breach of its email environment.

CareOregon and Health Share of Oregon

CareOregon and Health Share of Oregon have notified certain patients about unauthorized access to some of their protected health information. It is unclear from the phrasing of the notice whether this was an insider breach or if data was accessed by an external actor. The data breach notice states that, “On October 27, 2025, we learned that one or more people looked at your information without permission.” Social Security numbers and financial information were not accessed. The data viewed and potentially obtained was limited to first and last names, dates of birth, health plan information, Medicaid/Medicare numbers, and primary care provider office.

The notice states that there may have been data misuse, warning that the information may have been used to create fake insurance claims. CareOregon and Health Share of Oregon said they were unable to determine if any specific patient’s information had been misused. The affected individuals have been reminded that CareOregon and Health Share of Oregon do not bill for covered health care services, and have been informed that they will not receive a bill even if their data has been misused to file a fake insurance claim. Individuals who receive a letter detailing the services that they should have received should check the letter carefully and report back if there are any listed services that have not been provided.

Law enforcement has been notified, an investigation has been conducted, and the identified issue has been fixed. Further, CareOregon and Health Share of Oregon have changed how individuals’ information can be viewed, and the staff have been retrained. There is currently no breach report on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Andover Eye Associates

Andover Eye Associates in Andover, Massachusetts, has experienced an email security incident that exposed the data of 1,638 patients. Suspicious activity was identified in two employee email accounts on June 10, 2025. An investigation was launched, which confirmed that an unauthorized third party gained access to the accounts on May 28, 2025. No other employee email accounts were affected.

The email accounts were reviewed, and on November 4, 2025, Andover Eye Associates confirmed that the accounts contained patient names and Social Security numbers. Additional training has been provided to the workforce, and additional safeguards are being implemented to improve email security. Notification letters have been mailed to the affected individuals, who have been offered complimentary credit monitoring services for 12 months.


HIPAA Refresher Training

HIPAA Refresher Training is an annual course designed for staff who have already completed full HIPAA training and need their knowledge reinforced and updated rather than retaught from scratch. It is one of the most important tools for keeping HIPAA awareness alive in day-to-day work instead of letting it fade after onboarding.

What is Annual HIPAA Refresher Training?

Annual HIPAA Refresher Training focuses on reinforcing and updating knowledge that employees already have. It assumes that staff have previously completed a comprehensive HIPAA onboarding course and already understand core concepts such as PHI, ePHI, the Minimum Necessary Standard, and basic incident reporting. The aim is to strengthen good habits, correct small misunderstandings, and bring everyone up to date with new risks, tools, or policy changes. Because it is built on an existing foundation, the training can concentrate on real scenarios and common pitfalls rather than spending time on basic definitions. For that reason, it is only recommended for staff who have already received a complete, initial HIPAA training program.

How Often Should HIPAA Refresher Training be Provided?

HIPAA itself requires that training be provided on a regular basis, but it does not set a specific schedule. In practice, best practice in the healthcare sector is to provide HIPAA training annually, and the annual course is usually delivered in the form of refresher training. This creates a simple, predictable rhythm that is easy to communicate and easy to document. When everyone knows they will receive HIPAA training every year, it is easier to keep expectations clear and to avoid long gaps where habits drift away from policies. An annual cycle also lines up well with other compliance activities such as risk assessments, policy reviews, and security updates.

When is HIPAA Refresher Training Appropriate? (And when is it Not?)

Refresher training is not a replacement for full onboarding. It is not recommended for new staff because HIPAA Covered Entities and HIPAA Business Associates do not know each person’s baseline knowledge and must establish a consistent standard through comprehensive initial training. The refresher course should build on that baseline, not guess at it. Refresher training is also not suitable after a HIPAA violation. Employees who commit a HIPAA violation should receive more extensive HIPAA Remediation Training that looks closely at what went wrong, why it happened, and what must change, rather than a general refresher. In addition, refresher training is not enough for certain groups such as healthcare students, who should receive full HIPAA training that includes student-specific content at the start of each placement. In short, refresher training works best for staff with solid prior training and a generally compliant track record.

HIPAA Refresher Training Content Recommendations

Even though HIPAA Refresher Training is shorter than onboarding, it still needs to cover specialist topics for the organization. For example, EMS staff should receive training on HIPAA in Emergency Situations every year, because their work regularly involves high-pressure decisions about disclosures in complex environments. Refresher training is also the ideal place to introduce new topics that were not covered in the original course. Recent examples include HIPAA and AI tools, new communication platforms, and updated workflows for remote work. As technology and practice evolve, refresher training ensures staff understand how HIPAA applies to new tools and situations. Alongside HIPAA content, annual cybersecurity training is very strongly recommended, so staff are reminded about phishing, passwords, device security, and other threats that can expose electronic PHI.

Benefits of HIPAA Refresher Training

Annual HIPAA Refresher Training delivers clear, practical benefits. It reduces the risk of accidental HIPAA violations by reminding people about common pitfalls such as talking about patients in public areas, mishandling emails and attachments, or viewing more information than they need in electronic records. It keeps HIPAA on people’s radar in a busy clinical and administrative environment where urgent tasks can easily crowd out long-term obligations. It also gives leadership a visible way to show their ongoing commitment to patient privacy and information security, rather than letting HIPAA compliance fade quietly into the background.

HIPAA Compliance Value of Annual Refresher Training

Annual refresher training also has significant compliance value. Completion records create a clear documentation trail that shows training is ongoing, not a one-time event at hire. In the case of a HIPAA violation or an external investigation, these records support client due diligence, internal audits, and regulatory reviews by proving that the organization invests in regular, structured HIPAA education for its workforce. Consistent annual training makes it easier to demonstrate that the organization is acting in good faith, responding to new risks, and taking reasonable steps to prevent violations. It also helps identify departments or locations that may be falling behind on training, so corrective action can be taken before gaps turn into findings. Over time, a well-documented pattern of annual refresher training strengthens the organization’s overall compliance posture and supports a more defensible response if something does go wrong.

What Features Should Be Included In HIPAA Refresher Training?

HIPAA Refresher Training should do more than repeat the onboarding course in a shorter format. It needs features that help staff update what they know, correct drifting habits, and stay aligned with current risks and expectations.

Training Created And Overseen By HIPAA Experts

Refresher training should be designed and maintained by HIPAA subject matter experts, including people who have experience as HIPAA Privacy Officers or Compliance Officers. Expert oversight helps ensure the content focuses on real world risks, common violation patterns, and practical behaviors rather than abstract legal language.

Current And Regularly Updated Content

Because refresher training is often taken annually, it must be reviewed and updated regularly. The material should reflect recent guidance, enforcement patterns, and changes in technology such as remote work tools, cloud platforms, and AI. Staff should come away knowing how HIPAA applies to current systems and workflows, not just how things used to work.

Employee Focused, Practical Curriculum

The curriculum needs to speak directly to employees. Refresher training should use simple language, clear explanations, and realistic scenarios that match clinical, administrative, and technical roles. It should highlight non-compliant behaviors that cause real incidents, such as unattended workstations, unapproved file sharing, or oversharing in electronic records, and show what staff should do instead.

Emphasis On Risk Reduction And Modern Threats

A strong refresher program is organized around risk reduction. It should revisit high-risk situations such as social media use, insecure messaging, and hurried communication in busy environments. The content should also reinforce how HIPAA applies in emergencies and unusual situations so staff can act quickly without guessing when pressure is high.

Flexible Overlays For Different Roles And Settings

HIPAA Refresher Training works best when it can be tailored to different roles and locations. The core course can be the same for everyone, while optional overlays add content for specific needs such as state medical privacy requirements, mental health or EMS practice, healthcare students, Business Associate staff, or small medical practices. This keeps the training relevant without having to build entirely separate programs.

Strong Documentation And Audit Readiness

Effective HIPAA refresher training includes solid documentation features. The system should record who completed which course, when they completed it, and what assessments they passed, with clear links to specific course versions. Reports should be easy to generate for leadership, clients, and auditors. This documentation shows that refresher training is ongoing, structured, and taken seriously across the organization.

Annual HIPAA Training is Healthcare Sector Best Practice

Annual HIPAA Refresher Training is most effective when it is treated as a focused annual update for staff who have already completed full onboarding, not as a shortcut or replacement for comprehensive training. Used correctly, it reinforces existing knowledge, addresses new risks such as changing technology and working practices, and keeps staff alert to common pitfalls that can lead to accidental violations. It is best reserved for employees with a solid baseline and a generally compliant track record, while new hires, healthcare students, and staff involved in violations should receive more extensive training that fits their circumstances.

The post HIPAA Refresher Training appeared first on The HIPAA Journal.

Staff are the Weakest Link in HIPAA Cybersecurity

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach portal shows that patients’ protected health information is being exposed and stolen at an unprecedented rate. From 2021 to 2024, more than 700 large healthcare data breaches (those affecting 500 or more individuals, the threshold for listing on the portal) were reported each year, with an average breach size of 203,892 individuals. In those four years alone, the protected health information of more than 595 million individuals was compromised.

Hackers have been targeting the healthcare and public health sector with increasing frequency, and hacking and other IT incidents now account for the bulk of the reported healthcare data breaches. Email accounts are accessed, networks are compromised, and in almost all cases, healthcare data is stolen by unauthorized individuals. While unauthorized third parties are the ones that access the data, when you delve into the root cause of the breach, it is often the actions of a healthcare employee or an employee of a business associate that caused the data breach.

Healthcare employees are the weakest link in cybersecurity and are targeted by cybercriminals directly, although in many cases it is the actions of employees that leave a digital door open for cybercriminals to walk straight through. Carelessness, employee errors, poor judgment, and a lack of knowledge or understanding of good cyber hygiene result in serious patient privacy violations and costly data breaches. The most common mistakes made by employees usually result in relatively small privacy breaches; however, even these small incidents can cause considerable damage to a healthcare organization’s reputation, and the HHS’ Office for Civil Rights has imposed many fines on HIPAA-regulated entities for data breaches resulting from employee mistakes.

Employee-Related Cyberattacks & Data Breaches

Various studies have confirmed the risk posed by employees. For example, Verizon found that 70% of healthcare data breaches are caused by insiders, a considerable increase from the 39% of breaches in 2021 that were attributed to healthcare employees. A HIMSS survey made it clear that employees are the biggest vulnerability in healthcare, and another survey revealed that 65% of healthcare employees are taking security shortcuts that put patient data at risk, with employees’ poor cyber hygiene a persistent threat.

Listed below is a selection of the many healthcare data breaches caused by employee mistakes, carelessness, and poor security practices over the past five years. These attacks have resulted in the theft of millions of patient records, lawsuits, and HIPAA violation penalties.

Responses to Phishing Emails and Social Engineering Attacks

Employees falling for phishing emails led to a $600K fine for a California health care network

Phishing campaign tricks 53 Los Angeles County employees into providing cybercriminals with access to their email accounts

Employee responds to malicious email and exposes 108K individuals’ PHI

Eleven Aveanna Healthcare employees divulge their credentials to cybercriminals in a phishing campaign

Illinois Department of Human Services employees fall for phishing emails, exposing the PHI of 1.1 million patients

Screen Actors Guild – American Federation of Television and Radio Artists sued after an employee responded to a phishing email

$200,000 penalty after a skilled nursing facility employee responds to a phishing email and exposes 14,500 individuals’ PHI

23 L.A. County employees duped by phishing emails and disclosed credentials

OCR imposes its first financial penalty in response to a phishing attack on healthcare employees

Henry Ford Health employees tricked by phishing emails, exposing 168,000 patient records

Office of the Attorney General of Massachusetts fines home health agency $425K for phishing attack, citing insufficient security awareness training

An EyeMed Vision Care employee’s response to a malicious email exposed 2.1 million individuals’ PHI and led to a $4.5 million fine

BJC Healthcare settles data breach lawsuit stemming from three employees responding to phishing emails

Salinas Valley Memorial Healthcare System employees respond to phishing emails and expose patients’ data – the healthcare provider was fined $340,000 over the breach

Employee Malware Downloads Provide Access to Hackers

“Honest mistake” by an Ascension Health employee led to a ransomware attack and a 5.6 million-record data breach. The employee downloaded a malicious file from the internet and opened it, inadvertently executing malware

Summit Pathology and Summit Pathology Laboratories employee opened a malware-infected email attachment

A Behavioral Health Network employee downloaded malware that prevented access to patient data

An employee’s accidental malware download allowed a ransomware group to encrypt files

Employees’ Poor Cyber Hygiene and Bad Cybersecurity Practices

Healthcare workers routinely expose patient data to ChatGPT and Google Gemini, and share it via Google Drive and Microsoft OneDrive

An email error by an employee of The Queen’s Health Systems in Hawaii results in the impermissible disclosure of thousands of patients’ PHI

A Bassett Healthcare Network physician was discovered to have transmitted patient data to unauthorized individuals and saved patient data on a personal storage device

An email error by an employee of Campbell County Health has resulted in the impermissible disclosure of the protected health information of patients

Misconfigurations and Carelessly Exposing Patient Data

Password protection was not added to a DM Clinical Research database containing 1.6 million clinical trial records

A New Jersey health technology company employee exposed 86,000 records online

A Gargle database containing approximately 2.7 million patient profiles and 8.8 million appointment records was exposed online due to an employee error

Employee error results in impermissible disclosure of Winter Haven Hospital patients’ data

Employee error results in the exposure of 12 million medical laboratory records

Employee misconfigures patient database, exposing 3.1 million patients’ records. The database was subsequently deleted by the destructive Meow bot

Business associate employee misconfigures server, exposing Fairchild Medical Center patients’ data

University of Washington Medicine sued after an employee misconfigures server, exposing 974,000 patients’ PHI

An Indiana Department of Health employee misconfigures COVID-19 contact tracing database, exposing the data of 750,000 individuals

Failure to configure authentication exposes 1 billion records of CVS website searches

Department of Veterans Affairs contractor misconfigures database, exposing sensitive records of 200,000 military veterans

An employee misconfigures a County of Kings Public Health Department web server, exposing 16,590 patient records

Employee fails to secure AWS S3 bucket, exposing breast cancer patients’ data and medical images

Misconfigured CorrectCare web server exposes PHI of hundreds of thousands of inmates

A Washington D.C. health insurance exchange’s 56K-record data breach was the result of human error

Failure to configure access controls results in the exposure of the COVID vaccination statuses of 500,000 VA employees
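Several of the incidents above come down to the same two settings being wrong on a cloud storage bucket: a bucket policy that grants access to anyone, and Block Public Access left partly or wholly off. The following is an added example, not code from The HIPAA Journal or from any of the organizations named above; it shows an offline checker for those two settings, with a constructed weak configuration beside a constructed hardened one. The bucket name, the IAM role ARN, and both policies are hypothetical samples, not taken from any real incident.

```python
"""Offline check for the 'unsecured S3 bucket' misconfiguration: a bucket
policy that grants access to anyone, and a Block Public Access setting that
leaves that possible. Added example, not code from The HIPAA Journal; the
bucket name, role ARN and both policies are constructed samples."""
import json

# The four flags returned by the S3 GetPublicAccessBlock API.
_PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for the two spellings of 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json):
    """Return (Sid, actions, severity) for every Allow statement whose
    Principal is a wildcard. Deny statements with Principal "*" are the normal
    way to enforce TLS and are not findings. A wildcard Allow that carries a
    Condition is reported as 'review' because the condition may (or may not)
    limit who can satisfy it."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        severity = "review" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action", [])), severity))
    return findings


def public_access_block_complete(config):
    """True only when all four Block Public Access flags are on."""
    return all(config.get(k) is True for k in _PAB_KEYS)


# Constructed sample: the weak configuration. A hypothetical imaging archive
# readable by anyone on the internet; Block Public Access partly switched off.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-imaging-archive",
                     "arn:aws:s3:::example-imaging-archive/*"],
    }],
})
WEAK_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Constructed sample: the corrected configuration. Access is limited to one
# IAM role (hypothetical ARN); the only wildcard principal is in a Deny that
# refuses plaintext HTTP, which a checker must not mistake for exposure.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RadiologyRoleOnly",
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/RadiologyETL"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-imaging-archive",
                      "arn:aws:s3:::example-imaging-archive/*"]},
        {"Sid": "DenyInsecureTransport",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-imaging-archive",
                      "arn:aws:s3:::example-imaging-archive/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
HARDENED_BLOCK = {k: True for k in _PAB_KEYS}


def audit(policy_json, block_config):
    """Combine both checks into one list of problems for a bucket."""
    problems = [f"{sid}: {severity} access to {', '.join(actions)}"
                for sid, actions, severity in find_public_statements(policy_json)]
    if not public_access_block_complete(block_config):
        problems.append("Block Public Access is not fully enabled")
    return problems


if __name__ == "__main__":
    for name, pol, blk in (("weak", WEAK_POLICY, WEAK_BLOCK),
                           ("hardened", HARDENED_POLICY, HARDENED_BLOCK)):
        print(name, audit(pol, blk) or ["no findings"])
```

Two design points matter when turning this into a real control. First, a wildcard principal in a Deny statement is correct practice (it is how a bucket refuses unencrypted connections), so the checker only flags Allow statements; a naive search for `"Principal": "*"` would raise false alarms on hardened buckets. Second, a bucket policy is not the only exposure path: legacy bucket and object ACLs can also grant public read, which is why the Block Public Access flags are checked as well and all four must be on, not just the two that deal with ACLs.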

The post Staff are the Weakest Link in HIPAA Cybersecurity appeared first on The HIPAA Journal.