Author Archives: Steve Alder

Vendor Breaches Announced by Illinois and Virginia Healthcare Providers

Personic Management Company (Personic Health) and Innovative Physical Therapy have recently confirmed that patient information was compromised in vendor security incidents. Anchorage Neighborhood Health Center has recently disclosed an August cyberattack that exposed patient data.

Personic Management Company (Personic Health)

Vienna, VA-based Personic Management Company LLC, doing business as Personic Health, a wound care specialist, has recently disclosed a data breach involving a third-party software platform used to process patient data. Personic Health was informed on September 1, 2025, that there had been unauthorized access to the platform. Assisted by third-party digital forensics experts, Personic Health launched a comprehensive investigation to determine how the breach occurred and the types of information potentially compromised in the incident.

The investigation confirmed that an unauthorized actor accessed the platform on August 29, 2025, and acquired certain data. The data review was completed on October 13, 2025, and confirmed that the protected health information had been stolen. The breach was reported to the Maine Attorney General as involving the personal and protected health information of up to 10,929 individuals; however, the types of information involved were redacted. The individual notification letters state the exact types of information involved.

Personic Health has taken steps to strengthen security to prevent similar breaches in the future and has offered the affected individuals 24 months of complimentary credit monitoring and identity protection services.

Innovative Physical Therapy

Innovative Physical Therapy (IPT), a network of outpatient physical therapy and rehabilitation centers, has recently disclosed a security incident involving its third-party practice management software provider. The vendor assisted IPT with administrative services, which required access to patients’ protected health information.

On August 25, 2025, IPT’s software vendor notified IPT about a phishing incident that involved unauthorized access to two employee email accounts. The phishing incident was identified on June 26, 2025, and the accounts were immediately secured. The vendor engaged a third-party digital forensics firm to investigate the incident, which confirmed that an unauthorized third party accessed the accounts between June 25 and June 26, 2025.

The vendor reviewed the emails and associated files and identified names in combination with one or more of the following types of information: address, date of birth, diagnosis, lab results, medications, treatment information, health insurance information, provider name, and dates of service. A limited number of individuals also had their Social Security numbers exposed.

In total, 2,023 patients were affected by the breach and were notified by mail by the practice management vendor on October 3, 2025. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. IPT said it has received assurances that its vendor is taking steps to prevent similar incidents in the future, including providing additional cybersecurity awareness training for its workforce.

Anchorage Neighborhood Health Center

Anchorage Neighborhood Health Center in Alaska has started notifying patients about a criminal cyberattack that involved unauthorized access to or acquisition of some of their protected health information. The cyberattack was detected on August 25, 2025, and the investigation confirmed unauthorized access to its network from August 24 to August 25, 2025.

The review of the exposed files was completed on October 10, 2025, when it was confirmed that the data exposed in the incident included names, dates of birth, Social Security numbers, driver’s license/state identification numbers, medical treatment information, and/or health insurance information. Anchorage Neighborhood Health Center said it has already implemented a series of cybersecurity enhancements and plans to take other steps to strengthen security. While data misuse has not been detected, as a precaution, the affected individuals have been offered up to 24 months of complimentary credit monitoring services.

The post Vendor Breaches Announced by Illinois and Virginia Healthcare Providers appeared first on The HIPAA Journal.

Watson Clinic Agrees to $10 Million Data Breach Settlement

Florida’s Watson Clinic has agreed to pay $10,000,000 to settle class action litigation over a January 2024 data breach that affected 280,278 individuals. The hackers stole sensitive data, including digital images, and posted them on the dark web.

The Lakeland-based medical group serves approximately one million patients annually and employs around 1,600 team members and 350 physicians. Watson Clinic identified unauthorized access to its computer network on February 6, 2024, and the forensic investigation confirmed that hackers first gained access to its network on January 26.

The review of the exposed files confirmed that they contained the protected health information of current and former patients, including names, addresses, dates of birth, Social Security numbers, government identifiers, driver’s license numbers, financial account information, and medical information, including diagnoses, treatments, medical record numbers, and pre- and/or post-operative medically necessary images.

Watson Clinic received the results of the third-party file review in July 2024, announced the data breach in August 2024, and issued notifications to the affected individuals. Shortly thereafter, the first class action lawsuit was filed by plaintiff Charles Viviani in the U.S. District Court for the Middle District of Florida. A second class action lawsuit was filed by plaintiff David Thorpe in the same court, and the two complaints were consolidated in a single action – Viviani v. Watson Clinic, LLP. Additional notifications were mailed in February 2025 following a further investigation into the extent of the data breach.

The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and violation of the Florida Deceptive and Unfair Trade Practices Act. Watson Clinic denies all material claims and contentions in the lawsuit and charges of wrongdoing or liability. While Watson Clinic believes it has a solid defense against all claims, the litigation would likely be protracted and expensive, and any litigation has inherent risks. Therefore, the decision was made to settle the lawsuit. Class counsel believes the settlement is in the best interests of all class members.

Watson Clinic has agreed to establish a $10,000,000 settlement fund, from which attorneys’ fees and expenses, service awards for the named plaintiffs, and settlement administration and notification costs will be deducted. The benefits for class members are considerable compared to many class action settlements, including cash payments of up to $75,000 for certain class members, based on the types of digital images posted on the dark web.

Class members who had one or more digital images published on the dark web will be sent a check without having to submit a claim. The compensation amounts are detailed in the table below. Class members are only eligible to receive one of the payments below, whichever is greater.

| Type of Published Digital Image | Compensation Amount |
|---|---|
| Full face and exposed sensitive areas | $75,000 |
| Partial face and exposed sensitive areas | $40,000 |
| No face and exposed sensitive areas | $10,000 |
| Full face and partial clothing of sensitive areas | $10,000 |
| Partial face and partial clothing of sensitive areas | $7,500 |
| No face and partial clothing of sensitive areas | $5,000 |
| Non-sensitive | $100 |

In addition to the one-off cash payments, class members may also submit a claim for the following benefits:

| Additional Benefits (Claim Required) | Maximum Amount |
|---|---|
| Reimbursement of documented, unreimbursed ordinary losses | $500 |
| Reimbursement of documented, unreimbursed extraordinary losses and attested lost time | $6,500, including up to 5 hours of lost time at $25 per hour |
| Residual cash payment | $50* |

*The residual cash payments will be paid pro rata from the settlement fund once costs and expenses have been deducted, and digital image exposure cash payments and claims for reimbursement of losses have been paid. The funds will be divided equally between the class members electing to receive a residual cash payment. The cash payment will be a maximum of $50, but may be less, depending on the number of valid claims.

The deadline for objection to and exclusion from the settlement is January 6, 2025. The deadline for submitting a claim is February 5, 2025, and the final fairness hearing has been scheduled for March 9, 2025. Further information can be found on the settlement website: https://watsondatasettlement.com/


HIPAA Training Requirements

The HIPAA training requirements are that “a covered entity must train all members of its workforce on policies and procedures […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” (§164.530(b)(1) of the HIPAA Privacy Rule). In addition, a covered entity or business associate must “implement a security awareness and training program for all members of its workforce including management”. (§164.308(a)(5) of the HIPAA Security Rule).

What are the HIPAA Training Requirements?

The first thing to be aware of with respect to the HIPAA training requirements is that not only HIPAA-Covered Entities are required to comply with the HIPAA Privacy Rule training standard. The Applicability standard at the beginning of the HIPAA Administrative Simplification Regulations (§160.102) states “Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate”.

This means that if a HIPAA Business Associate provides a service for or on behalf of a covered entity that requires compliance with a HIPAA Privacy Rule standard, the business associate must also comply with the HIPAA Privacy Rule training standard. Both covered entities and business associates are required to comply with the HIPAA Security Rule training standard, which applies to all members of the workforce regardless of whether they have access to PHI or not.

The HIPAA Privacy Rule Training Standard

To best explain the HIPAA Privacy Rule training standard, it is necessary to start with the “Policies and Procedures” standard of the HIPAA Privacy Rule’s Administrative Requirements. This standard states:

“A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart [the HIPAA Privacy Rule] and subpart D of this part [the Breach Notification Rule]. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance.”

This standard requires HIPAA-Covered Entities (and HIPAA Business Associates “where provided”) to develop and implement policies and procedures for every area of their operations which may involve uses and disclosures of PHI – including how to react to unauthorized uses and disclosures. Thereafter, with the above standard in mind, the Training standard of Administrative Requirements states:

“A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”

The HIPAA Security Rule Training Standard

Compared to the HIPAA Privacy Rule training standards, the HIPAA Security Rule training standard appears straightforward. It states:

“Implement a security awareness and training program for all members of its workforce (including management).”

To guide covered entities and business associates with what should be included in HIPAA security awareness training, the standard has four addressable implementation specifications:

  1. Periodic security updates.
  2. Procedures for guarding against, detecting, and reporting malware.
  3. Procedures for monitoring login attempts and reporting discrepancies.
  4. Procedures for creating, changing, and safeguarding passwords.

However, the section of the HIPAA Security Rule in which the training standard appears (the Administrative Safeguards, §164.308) commences with the line “A covered entity or business associate must, in accordance with §164.306”. Section §164.306 contains the General Requirements for the HIPAA Security Rule, which state that covered entities and business associates must protect against any reasonably anticipated uses or disclosures not permitted under the HIPAA Privacy Rule. This implies organizations should incorporate HIPAA Privacy Rule training into HIPAA security awareness training, but it is left to organizations to make this connection themselves. Many don’t.

Therefore, although the HIPAA Security Rule training standard appears more straightforward, it potentially has more issues than the HIPAA Privacy Rule training standard, inasmuch as there are many more opportunities for gaps in HIPAA knowledge and avoidable HIPAA violations. For example, training business associate workforces on detecting malware, reporting discrepancies, and safeguarding passwords does not explain why it is a violation of HIPAA to copy and paste PHI databases and email them to yourself. HIPAA Security Rule training that only focuses on the cybersecurity aspects of HIPAA security will therefore have the wrong focus. The focus of HIPAA security awareness training should be the use and protection of PHI, with any technical aspects of cybersecurity taught in the context of PHI.

Organizations that do incorporate HIPAA Privacy Rule training into HIPAA security awareness training can benefit from delivering HIPAA Security Rule training in the correct context. But, to combine training in this way, organizations have to develop multiple training courses to accommodate (for example) members of a covered entity’s workforce with different functions, and members of a business associate’s workforce with no access to PHI who have to undergo security training to “tick the box”.

How Often is HIPAA Training Required?

According to the HIPAA Administrative Requirements, HIPAA training is required for “each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce” and also when “functions are affected by a material change in policies or procedures”, again within a reasonable period of time. As well as providing HIPAA training to new staff as soon as possible, the best practice in the healthcare sector is to provide healthcare staff with annual HIPAA training.

The HIPAA Security Rule training standard implies that security and awareness training programs should be ongoing. HIPAA training should also be provided whenever there is a change in working practices or technology, whenever a risk assessment identifies a need for further training, or whenever new rules or guidelines are issued by the Department of Health and Human Services (HHS). In order to assess whether HIPAA training is required, HIPAA Privacy and HIPAA Security Officers should:

  • Monitor HHS and state publications for advance notice of rule changes. Ideally, this should involve subscribing to a news feed or other official communication channel.
  • When new rules or guidelines are issued, conduct a risk assessment to determine how they will affect the organization’s operations and if HIPAA training is required.
  • Liaise with HR and Practice Managers to receive advance notice of proposed changes in order to determine their impact on compliance with the HIPAA Privacy Rule.
  • Liaise with IT managers to receive advance notice of hardware or software upgrades that may have an impact on compliance with the HIPAA Security Rule.
  • Conduct regular risk assessments to identify how material changes in policies or procedures may increase or decrease the risk of HIPAA violations.
  • Compile a training program that addresses how any changes will affect employees’ compliance with HIPAA – not only the changes themselves.
  • Develop a HIPAA refresher training program that can be conducted at least annually if training is not provided for any other purpose.

Naturally, in the event of changes in working practices and technology, HIPAA training only needs to be provided to workforce members whose roles will be affected by the changes. As mentioned in our “Best Practices” section below, it is also advisable to include at least one member of senior management in the training sessions, even if they are not affected by the new policies or procedures – as it shows the whole organization is taking its HIPAA training requirements seriously.

A potential issue with the frequency of training is that, if there are no material changes to policies and procedures, working practices, or technology, if no new rules or guidelines are issued by HHS, or if HIPAA security awareness training is only provided “periodically”, it can be a long time between training sessions, during which time members of the workforce may take shortcuts with compliance to “get the job done”. This is why the best practice in the healthcare sector is to provide healthcare staff with annual HIPAA training.

What Should be Included in a HIPAA Training Course?

The basic elements that should be included in a HIPAA training course are suitable as an introduction to HIPAA or can be used as the basis for an annual refresher course.

Recommended Content for HIPAA Compliance Training

The Role of the HIPAA Officers
This training should cover the roles of HIPAA Compliance Officer, HIPAA Privacy Officer, and HIPAA Security Officers, when to contact them, and how to use official reporting channels.

Definitions and Lexicons
This training should include clear definitions of PHI, ePHI, Minimum Necessary, Covered Entity, Business Associate, and Designated Record Set, with role-based examples.

The Main HIPAA Regulatory Rules
This training should cover the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule and how each maps to day-to-day tasks.

HIPAA Compliance for Staff
This training should include core obligations for handling PHI/ePHI, documentation standards, and step-by-step incident reporting.

Why HIPAA Compliance is Important
This training should cover benefits to patients, the organization, and employees, emphasizing confidentiality as part of care quality.

The Consequences of HIPAA Violations and Breaches
This training should include personal and organizational impacts, the difference between violations and breaches, and why prompt reporting matters.

Preventing HIPAA Violations
This training should cover common error patterns and practical habits to avoid them, including mindful, permitted disclosures.

PHI Disclosure Guidelines
This training should include required vs. permitted disclosures, exceptions, professional discretion, identity verification, and escalation triggers.

HIPAA Rights for Patients
This training should cover patient rights (access, amendments, restrictions, confidential communications, accounting of disclosures) and routing requests correctly.

HIPAA Security Rule: Threats to Patient Data
This training should cover accidental, internal, external, and environmental threats—and the importance of quick reporting.

HIPAA Security Rule: Protecting Electronic PHI
This training should include shared responsibilities for ePHI safeguards (devices, credentials, email) and when to alert Security about insider risks.

HIPAA and Emergency Situations
This training should cover permitted disclosures during medical, manmade, and physical emergencies and conditions for OCR enforcement discretion.

Recent HIPAA Updates
This training should include summaries of recent and proposed changes, workflow impacts, and practical cautions to avoid impermissible or missed disclosures.

Additional HIPAA Training Required for New Technologies

Several important technologies emerged after the passing of the HIPAA law and the subsequent introduction of the HIPAA rules.

HIPAA Training for Email, Messaging, and Texting
This training for staff must cover using only approved, secure channels for PHI; applying the Minimum Necessary standard; verifying identity before sending; and documenting disclosures per policy. It must teach employees how to craft message content (no diagnoses in subject lines, limited details in voicemails/texts), handle misdirected messages (immediate recall/notification and escalation), and use safeguards such as encryption, access controls, and auto-lock on mobile devices.

HIPAA Training for Social Media
This training for employees must explain how casual posts, photos, or “anonymous” case descriptions can disclose PHI and trigger sanctions. It must teach employees that once content is online they lose control of further disclosure or manipulation, and that work stories, images from clinical areas, and patient details—even without names—are risky. It should reinforce a culture of caution: follow organizational policy, avoid posting about patients or workplaces, and ask questions to the HIPAA Privacy and HIPAA Compliance Officers.

HIPAA Training for Artificial Intelligence (AI) Tools
This training must teach employees which AI tools are used in healthcare, when they are approved, and how unapproved or untrained AI can cause impermissible disclosures or exceed the HIPAA Minimum Necessary Rule. It must cover best practices: never paste PHI into non-approved AI tools, validate AI outputs before use, log interactions as required, and report anomalies or inaccurate results. It must also explain that employees should not use AI to answer HIPAA compliance questions because these tools are often inaccurate or out of date.

Best Practices for HIPAA Compliance Training

Because no detailed HIPAA training requirements are listed in the legislation, we have put together a short series of best practices that HIPAA compliance managers may want to consider when compiling “necessary and appropriate” security awareness training, HIPAA training for employees at onboarding, and HIPAA refresher training programs. Our best practices for HIPAA compliance training are not set in stone and can be selected from as best suits each training program.

  • Do test trainees during the training. Self-attestation does not work; staff will only pay attention if they know they are going to be tested.
  • Do cover everything required. While it might be tempting to omit some elements of HIPAA to reduce the number of work hours required for an organization, it is a false economy that will almost certainly cost more in the longer term with regard to HIPAA violations or HIPAA breaches.
  • Do include the consequences of a HIPAA breach in the training, not just the financial implications for the organization, but also the personal career implications for trainees and their colleagues, and of course the person(s) whose PHI has been exposed.
  • Do provide Continuing Education Units (CEUs) during HIPAA training because they provide motivation for staff to complete the training. Only use HIPAA training that provides CEUs.
  • Don’t quote long passages of text from the HIPAA guidebooks or the regulations. HIPAA compliance training not only has to be absorbed, but it also has to be understood and followed in day-to-day life.
  • Do include senior management in the training. Even if senior managers have no contact with PHI, it is essential they are seen to be involved with HIPAA compliance training. Knowing that the training is being taken seriously at the top will encourage others to take it seriously.
  • Don’t forget to document your training. In the event of an OCR investigation or audit, it is important to be able to produce the content of the training as well as when it was conducted, to whom, and how frequently. Trainees should sign attestations to confirm they have received training if progress is not monitored by a learning management system.
  • Do provide comprehensive security awareness training that combines HIPAA compliance training and general online security training to cover best practices such as using a password manager, reducing phishing susceptibility, and backing up data. This will help to build a security culture in your organization and reduce the risk of data breaches. The HIPAA security training must be targeted at PHI and medical records, not generic IT security training.

Additional State Medical Privacy Law Training

State medical privacy laws often supplement and sometimes preempt HIPAA by imposing stricter or additional obligations on workforce members, which require additional training in those states. Staff must follow HIPAA plus any stricter state rule, for example, tighter consent, shorter response timelines, expanded breach notice content, or added safeguards for automated tools. It is therefore important that, in some states, HIPAA training also includes the related and relevant additional state privacy training.

Texas Medical Privacy and Data Security Laws

In Texas, requirements can exceed HIPAA under the Texas Medical Records Privacy Act (as amended by HB 300), with further duties shaped by the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, and AI-related measures such as the Texas Responsible AI Governance Act and SB 1188 on AI and electronic health records.

California Medical and Data Privacy Laws

California likewise layers additional protections above HIPAA through the Confidentiality of Medical Information Act, the Patient Access to Health Records Act, Medi-Cal rules, and the California Consumer Privacy Act/Privacy Rights Act (including automated decision-making provisions), along with new Health and Safety Code provisions added by SB 81 (Patient Access and Protection).

Additional Federal Laws

HIPAA is a federal statute that applies to covered entities and business associates, but it is not the only legislation covering the privacy and security of healthcare data. HIPAA sets minimum standards for health information privacy and security, but there are circumstances in which other federal and state health information privacy laws preempt HIPAA. For example, federal agencies also have to comply with the Privacy Act, while teaching institutions have to comply with FERPA.

States may also implement more stringent privacy requirements that preempt HIPAA. When more stringent requirements exist, in addition to providing HIPAA training, training must also be provided to comply with state laws where the state laws – or areas of the state laws – preempt HIPAA. For instance, organizations in Texas and those serving Texas residents are required to provide training on Texas HB 300 and the requirements of the Texas Medical Records Privacy Act, which go further than the minimum standards of HIPAA.


HIPAA Training Requirements for Employers

In most cases, the HIPAA training requirements for employers only apply to employers that are HIPAA-Covered Entities or business associates. Qualifying employers must provide HIPAA training to all members of the workforce regardless of their role within the organization as per the Administrative Safeguards of the HIPAA Security Rule.

If an employer is not a covered entity or a business associate but engages in HIPAA-covered transactions (for example, the employer administers a self-insured health plan), HIPAA training only needs to be provided to employees with access to PHI or ePHI. Further information about HIPAA training requirements for employers in these circumstances can be found in this article.

HIPAA Training for Employees

In addition to providing “necessary and appropriate” HIPAA training for employees, it is advisable to provide additional training that gives context to the training each employee receives. For example, when training employees on the HIPAA rules for PHI disclosures, it is recommended to also discuss the consequences of HIPAA violations.

Documenting the training provided to employees is a requirement of HIPAA. However, this has advantages inasmuch as, if material changes to policies or procedures occur and they impact only a specific area of HIPAA compliance, a record exists of who has been trained in that specific area of HIPAA compliance and who now needs refresher training.

HIPAA Training for Business Associate Staff

The HIPAA training requirements for business associates are often misunderstood because – notwithstanding the Applicability standard §160.102 – nowhere in the HIPAA Privacy Rule does it state HIPAA training for Business Associates is mandatory. However, the Administrative Safeguards of the HIPAA Security Rule (45 CFR § 164.308) state:

“A covered entity or business associate must … implement a security awareness and training program for all members of its workforce (including management).”

While this could be interpreted as a general security awareness and training program rather than HIPAA awareness training for business associates, it makes sense for training to be HIPAA-related because if a violation of HIPAA occurs, and there is no evidence of appropriate HIPAA Business Associate training being provided, it will likely result in heavier sanctions for willful neglect.

Consequently, while Business Associates must comply with the HIPAA security standards relating to a security and awareness training program, it is advisable to train workforces on whichever elements of the Administrative Requirements, HIPAA Privacy Rule, and/or Breach Notification Rule are appropriate to individuals’ roles or which are stipulated in a Business Associate Agreement.

Business associate staff need HIPAA training because the Privacy Rule can apply to their roles in addition to standard security awareness. This training explains who is who (covered entities, business associates, subcontractors) and how PHI moves along the chain of custody, so employees understand their part of the workflow. It clarifies responsibilities under the HIPAA Security Rule, why safeguards exist, what a Business Associate Agreement (BAA) permits, and when to alert Security or Privacy if confidentiality, integrity, or availability could be at risk. Employees learn the limits on uses and disclosures tied to the BAA and the service provided, the Minimum Necessary principle for access, and the exact steps to take if a mistake exposes PHI. The program also sets expectations about consequences, sanctions, patient harm, and organizational costs, using case studies to keep compliance top of mind.

HIPAA Compliance Training for Students

The HIPAA Privacy Rule states that HIPAA compliance training should be provided to new employees “within a reasonable period of time of a new employee joining a covered entity’s workforce”; and while there may be justifiable reasons not to provide training before a new employee accesses PHI (for example, they have transferred from another healthcare facility and already have an understanding of HIPAA), that is not the case for healthcare students. HIPAA training for healthcare students is different from regular HIPAA training because students require extra training on some topics that are not relevant to regular healthcare professionals, such as using PHI in student assignments.

Healthcare students should be provided with HIPAA compliance training before they access PHI so they are aware of PHI disclosure guidelines when they start working with patients or when they use healthcare data to support reports and projects. With this in mind, an appropriate HIPAA compliance training course for healthcare students would consist of the elements listed above, plus further elements relevant to their education.

Electronic Health Record Access by Healthcare Students

During their training, healthcare students may be permitted to access EHRs under supervision. It is important that students know what they can and cannot do with patient PHI under HIPAA, and also that it is a violation of HIPAA to use another person’s EHR login credentials to access patient PHI.

PHI & Student Reports and Projects

Students need to be aware that, when writing reports, preparing case studies, or giving presentations, they may not use PHI unless the patient has given their informed consent, or unless the PHI is de-identified by removing any identifiers that make the health information “protected”.

Being a HIPAA Compliant Student

It is a student’s responsibility to understand the covered entity’s HIPAA policies and procedures and comply with them just as if they were a healthcare professional. They also need to know how to identify a violation of HIPAA and who to report the violation to.

HIPAA Training for Small Medical Practice Employees

Small medical practices have some unique circumstances that differ from those of, for example, hospitals. HIPAA training for small medical practice staff should prepare employees for real-world constraints: tight spaces, multitasking at a busy front desk, unfamiliar software, and working in close-knit communities where people ask about neighbors’ health. This training must teach employees to control the physical environment (screen privacy, clean desks, locked bins), manage interruptions without over-sharing, and use only approved systems for PHI (no personal email, texting, or ad hoc tools). It should explain why copying shortcuts from others is risky, provide simple technical steps (strong passwords, MFA, logging out), and offer scripts for resisting community pressure (“I can’t discuss patient information”). Employees must learn the difference between a violation and a breach, how to report incidents quickly, and what sanctions or external penalties can follow.

HIPAA Training for IT Professionals

While it is natural to assume HIPAA training for IT professionals should focus on IT security and protecting networks against unauthorized access, it is also important IT professionals receive training about the challenges experienced by frontline healthcare professionals operating in compliance with HIPAA.

This is so that IT professionals design systems and develop procedures that align with healthcare professionals’ needs. If systems and procedures are too complicated or appear irrelevant to individuals’ roles, ways will be found to circumvent them – potentially placing ePHI at risk of exposure, loss, or theft.

HIPAA Training for Medical Office Staff

Depending on the size of a medical office and the variety of roles filled by staff, HIPAA training for medical office staff is likely to be more comprehensive than for any other category of healthcare employee. This is because medical office teams can often deal with patients, their families, inquiries from third parties, suppliers, payment processors, and health care plans.

The range of scenarios medical office staff are likely to experience is one of the reasons HIPAA training needs to be memorable so it is applied in day-to-day life. With regards to HIPAA training for medical office staff, the more contextual it is the better, as it will help employees better understand the significance of HIPAA and why safeguarding ePHI is important.


HIPAA Refresher Training

In addition to being provided regularly to prevent non-compliant habits from becoming cultural norms, HIPAA refresher training should be provided to staff whenever new threats to patient data are discovered. It is important that employees know how to identify and respond to these threats; delaying training of this nature until an annual refresher training day could result in an avoidable data breach.

As well as covering changes to policies and procedures, HIPAA refresher training also needs to go over old ground periodically in order to remind employees why HIPAA is important and what patients’ rights are – especially as changes to the HIPAA Privacy Rule have recently been proposed that will improve data sharing and interoperability, and prohibit information blocking.


HIPAA Training Requirements FAQ

What is HIPAA training?

HIPAA training is part of the training new members of a covered entity’s workforce receive when they start working for a covered health plan, healthcare clearinghouse, healthcare provider, or pharmacy. The training should include an explanation of terms such as Protected Health Information and why it is necessary to protect the privacy of individually identifiable health information.

Additionally, HIPAA training should include security awareness training such as password management and phishing awareness. This element of training should be provided not only to members of a covered entity’s workforce, but also to members of a business associate’s workforce, regardless of their level of access to electronic Protected Health Information.

How long is HIPAA training good for?

HIPAA training is good for one year because best practice in the healthcare sector is to provide annual HIPAA training.

There are circumstances where additional HIPAA training is required, such as when HHS issues new guidelines, when members of the workforce are required to undergo HIPAA refresher training due to an internal company policy, when an employee receives a sanction for a non-compliant event, or when a Corrective Action Plan is imposed by HHS.

As well as policy and procedure training, the HIPAA Security Rule stipulates that all members of the workforce are required to participate in a security awareness and training program. As the use of the term “program” implies that security and awareness training is ongoing, HIPAA training of this nature has no specific expiry date. It is necessary to continue improving the workforce’s resilience against online threats.

How can you get HIPAA training?

In most cases, you get HIPAA training from your employer when you start working for a business required to comply with the HIPAA Privacy, Security, and/or Breach Notification Rules. However, if you have no previous knowledge of HIPAA, it can be beneficial to invest in an online HIPAA training course to better understand the basics of HIPAA before moving onto policy and procedure training.

When must new employees complete their HIPAA training?

New employees must complete their HIPAA training “within a reasonable period of time” according to the HIPAA Privacy Rule. However, some states and some organizations have fixed time limits. For example, new employees in Texas must complete their HIPAA training within 90 days, while personnel attached to the Defense Health Agency must complete their training within 30 days.

How often should HIPAA training be completed?

HIPAA training should be completed as often as is necessary to mitigate the risk of a HIPAA violation or data breach. For some members of the workforce, this may mean completing HIPAA training monthly or quarterly, while for other members of the workforce, annual refresher training is often sufficient to maintain a compliant organization.

Is there a difference between HIPAA compliance training and other types of HIPAA training?

Although there is no official difference between HIPAA compliance training and other types of HIPAA training, some organizations refer to policy and procedure training as HIPAA compliance training while HIPAA rules and regulations training (i.e., security and awareness training) is referred to as HIPAA training. The HIPAA Journal has designed its HIPAA training to provide comprehensive training on HIPAA rules and regulations.

How often do healthcare workers need to have HIPAA training?

Healthcare workers need to have HIPAA training as often as required to perform their roles in compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Many healthcare workers only have HIPAA training when they start working for a new employer and when there is a material change to policies and procedures – and this is often not enough to ensure compliance.

How long must HIPAA security awareness training documents be maintained?

HIPAA security awareness training documents must be maintained for as long as the policies or procedures related to the training (including sanctions policies) are in force, plus six years. This is because documentation relating to policies and procedures has to be maintained for six years from the date it is last in force; if training is based on those policies and procedures, the documents relating to the training must also be maintained for the same period.

How often does CMS require HIPAA training?

Although the Centers for Medicare and Medicaid Services (CMS) regulates compliance with Part 162 of HIPAA (relating to the operating rules for transactions, code sets, identifiers, etc.), CMS does not require HIPAA training. However, the agency does provide a series of web-based training courses on the Medicare Learning Network which cover a broad range of topics related to Part 162 compliance.

Who is in charge of HIPAA training?

The individual in charge of HIPAA training is the Privacy Officer or the Security Officer depending on whether the training relates to HIPAA policies and procedures or security and awareness training. Although in charge of training, neither Officer has to be present during a training session if – for example – a member of the IT team is demonstrating how a software solution works.

HIPAA requires specific training on what?

HIPAA requires specific training on the policies and procedures developed by the organization to protect the privacy of individually identifiable health information. Members of the workforce do not have to receive training on every policy and procedure – just those that are relevant to their roles (although it is also a good idea to provide general HIPAA training to all members of the workforce).

Where do I take HIPAA training for the army?

HIPAA training for the army is required for all Defense Health Agency military, civilian, and contractor personnel within 30 days of onboarding and annually thereafter. HIPAA training and Privacy Act training (also a requirement for Defense Health Agency personnel) are accessible via the Joint Training System on the Joint Chiefs of Staff website.

Are the training requirements under HB 300 any different from the HIPAA training requirements?

The training requirements under HB 300 are different from the HIPAA training requirements inasmuch as new members of a workforce subject to the Texas Medical Records Privacy Act must be trained on policies and procedures within 90 days. The HIPAA training requirements are that new members of the workforce are trained “within a reasonable period of time”, so the difference is that HIPAA does not stipulate a timeframe whereas HB 300 does.

It is worth noting that HIPAA-covered entities are exempted from complying with the Texas Medical Records Privacy Act, but business associates are not. As a result, HB 300 applies to more types of organizations than HIPAA; and, while the training “requirements” do not differ a great deal, the number of organizations required to provide training is much higher.

Can Covered Entities be fined for not providing HIPAA training?

Covered entities can be fined for not providing HIPAA training if it transpires that a violation investigated by HHS’ Office for Civil Rights is attributable to a lack of training. Most often, rather than fine a covered entity, HHS’ Office for Civil Rights will require the covered entity to follow a Corrective Action Plan which includes monitored and documented training.

Is it necessary to have HIPAA refresher training whenever new technology is implemented?

It is necessary to have HIPAA refresher training whenever new technology is implemented if the new technology is being implemented to address a vulnerability or threat to the privacy and security of Protected Health Information. In most cases, the HIPAA element of the training will be incorporated into the technology element of the training to make both elements more understandable.

If a material change to a policy occurs, but it only affects a few people, is it necessary for everyone to undergo refresher training?

If a material change to a policy occurs, but it only affects a few people, it is not necessary for everyone to undergo refresher training unless the material change has a knock-on effect for other members of the workforce. For example, if a covered entity changes its policy for responding to PHI access requests, only those who respond to PHI access requests need to undergo refresher training, but public-facing members of the workforce will also need to know the policy has changed.

How much is the fine for failing to comply with the HIPAA training requirements?

The fine for failing to comply with the HIPAA training requirements – if a fine is imposed – varies according to the nature of a subsequent violation attributable to the training failure. Fines for failing to comply with the HIPAA training requirements can also be imposed when no subsequent violation has occurred if the training failure is identified during a compliance audit.

How does HHS’ Office for Civil Rights find out about HIPAA training violations?

HHS’ Office for Civil Rights can find out about HIPAA training violations in a number of ways. The agency can discover a training violation when investigating a complaint from a patient, when investigating a data breach, when investigating a tip-off from a member of the workforce, or when conducting a compliance audit.

Is it a requirement to provide HIPAA refresher training to the entire workforce when there is a material change to a policy or procedure?

It is not a requirement to provide HIPAA refresher training to the entire workforce when there is a material change to a policy or procedure unless the material change affects the entire workforce. For example, if there is a change to the content of Business Associate Agreements, only those members of the workforce that handle Business Associate Agreements will have to undergo HIPAA refresher training. However, if there is a material change to the organization’s HIPAA sanctions policy, all members of the workforce need to be trained on the implications of the change.

Why do all members of the workforce have to have HIPAA security and awareness training?

All members of the workforce have to have HIPAA security and awareness training because it is important that all members of the workforce are aware of cyber risks. Cybercriminals do not necessarily know who has access to PHI stored on a network, so will target every member of the workforce to try to infiltrate the network and move laterally until they find unprotected PHI.

Is there a benefit of HIPAA training packages offered by third-party compliance companies?

There is a benefit of HIPAA training packages offered by third-party compliance companies inasmuch as the packages provide a foundation of HIPAA knowledge. Trainees learn about the basics of HIPAA, why it exists, and what it protects to better prepare them for when they undergo policy and procedure training – which is subsequently more understandable.

For covered entities and business associates, the benefit of HIPAA training packages offered by third-party compliance companies is three-fold. The packages prepare new members of the workforce for more advanced policy and procedure training, put security and awareness training into context, and can also be used as the basis for periodic refresher training.

Who is responsible for organizing HIPAA training?

HIPAA compliance officers should be responsible for organizing HIPAA training for members of the workforce – although they don’t necessarily have to conduct the training themselves. If, for example, HIPAA security and awareness training involves how to compliantly use a new piece of software, it may be better for a member of the IT team to present the training – although the compliance officer should be in attendance at the presentation.

Should a Privacy Officer provide privacy training and a Security Officer provide security training?

While it would appear to make sense that a Privacy Officer provides privacy training and a Security Officer provides security training – as each Officer should be a specialist in their own field to answer questions – it is not necessary to divide training responsibilities. A lot of crossover exists between privacy and security in HIPAA, so both topics can often be covered together in a training session unless the session is about a specific privacy or security topic.

What is an example of a “material change to policies”?

An example of a material change to policies is when hospitals had to amend policies and procedures to accommodate the change from CMS’ Meaningful Use program to the Promoting Interoperability program. If the policy changes affect the way in which ePHI is managed, the personnel involved in managing data for the Promoting Interoperability program should undergo training to avoid there being gaps in their knowledge.

Which senior managers should be involved in HIPAA training?

All senior managers must be involved in HIPAA training – particularly security and awareness training. Additionally, while it is important all senior managers are aware of the impact HIPAA compliance has on operations, it is more practical to involve (for example) CIOs and CISOs in technology training, and CFOs in training that concerns interactions between healthcare organizations and health insurance companies.

What is the most important element of HIPAA training?

The most important element of HIPAA training should be determined by a risk assessment. Thereafter, the “most important element” of HIPAA training will vary on a case-by-case basis and likely vary according to workforce roles. However, it is important for personnel to understand why HIPAA is important and why they are undergoing training in a particular aspect of HIPAA compliance.

How long does HIPAA training take?

How long HIPAA training takes is subject to the amount of content included in the session, the number of people attending the session, and the volume of questions asked during and after the session. Online training modules generally take around five minutes each, so it would take around two hours to complete an online training course, but probably longer in a classroom environment.

How often do you have to do HIPAA training?

How often you have to do HIPAA training depends on factors such as material changes to policies and procedures, risk assessments, and OCR corrective action plans. In addition, as well as maintaining an ongoing security and awareness training program, it is recommended covered entities and business associates provide HIPAA Privacy Rule refresher training at least annually.

Why is HIPAA training important?

HIPAA training is important because – beyond the legal requirement to provide/undergo HIPAA training – it demonstrates to members of the workforce how covered entities and business associates protect patient privacy and ensure the confidentiality, integrity, and availability of PHI so members of the workforce can perform their duties without violating HIPAA regulations.

Who needs HIPAA training?

Everybody needs HIPAA training if they are a member of a covered entity’s or business associate’s workforce. This not only means employees have to be trained on HIPAA policies, but also volunteers, students, and contractors who may encounter Protected Health Information in visual, verbal, written, or electronic form. It is also a requirement of the HIPAA Security Rule that all members of the workforce – including senior managers – participate in a security and awareness training program.

When does HIPAA training expire?

HIPAA training does not expire – even though some training organizations issue time-limited certificates of compliance. No training provided in compliance with the HIPAA Privacy and Security Rules has an expiry date unless changes are made to policies and procedures, a risk analysis identifies a need for further training, or an individual moves from one covered entity to another where different policies and procedures apply (in which case the new employer has a legal obligation to provide HIPAA training on the different policies and procedures).

What kind of HIPAA training do I need to provide to new hires for HIPAA and HITECH?

The kind of HIPAA training you need to provide to new hires for HIPAA and HITECH depends on whether your organization is a covered entity or business associate.

If your organization is a HIPAA covered entity, you must train new hires on policies and procedures with respect to Protected Health Information and the Breach Notification Rule, and provide security and awareness training.

If your organization is a business associate for a covered entity, the training you need to provide for new hires varies according to the service provided to the covered entity. Breach notification training and security and awareness training are mandatory. However, it may be a condition of a Business Associate Agreement that your organization also provides HIPAA Privacy Rule training to new hires.

Why is documentation of HIPAA training necessary?

The documentation of HIPAA training is necessary for two reasons. First, it demonstrates that a covered entity or business associate is complying with the HIPAA training requirements in the event of an audit, inspection, or investigation. Second, it records what training individuals have received, so it can be determined whether additional training is required as a consequence of a risk analysis, a policy change, or a promotion.

What do you learn during HIPAA training?

What you learn during HIPAA training depends on the reason for the training being provided. HIPAA training for new employees will likely focus on the basics of HIPAA, policies, and procedures relating to PHI in the workplace, and how to respond to a breach of PHI. Security and awareness training will likely be more focused on best practices for accessing, using, and sharing ePHI online. There may also be occasions when HIPAA training focuses on specific issues identified in a risk assessment or prompted by a patient complaint.

What is a HIPAA training certificate?

A HIPAA training certificate is a third-party accreditation awarded to individuals who pass a HIPAA training course. Often the courses are designed to provide individuals with a basic knowledge of HIPAA so that subsequent training on (for example) policies and procedures or security and awareness is more understandable. HIPAA training certificates can also demonstrate to potential employers that a job candidate has an understanding of the HIPAA rules and regulations.

Who is responsible for training students about HIPAA?

The organization responsible for training students about HIPAA is the covered entity they are under the control of when first exposed to Protected Health Information. However, teaching institutions that do not provide medical services to the general public are not considered to be covered entities. Because of this, it may be the case that a student does not receive any HIPAA training until after they have graduated and started working as an employee of a healthcare organization.

What HIPAA training is required?

What HIPAA training is required depends on the reason for the training. The basic HIPAA training requirements are that covered entities train members of the workforce on HIPAA-related policies and procedures relevant to their roles and that both covered entities and business associates provide a security awareness and training program. These requirements are not sufficient to prevent the most common types of HIPAA violations, and it is recommended all businesses supplement the minimum requirements with frequent refresher training.

The post HIPAA Training Requirements appeared first on The HIPAA Journal.

$6.5 Million Settlement Resolves Omni Family Health Class Action Data Breach Lawsuit

Omni Family Health, a network of 39 community health centers in Kern, Kings, Tulare, and Fresno counties in California, experienced a cyberattack in 2024. A $6.5 million settlement has recently been agreed to resolve the resultant class action litigation.

Omni Family Health experienced a cyberattack in February 2024 that caused a 5-day outage of its IT systems. The cyberattack was investigated at the time; however, no evidence was found to indicate that any patient data had been compromised in the incident. On August 7, 2024, Omni Family Health was made aware that a threat actor (Hunters International) had claimed to have compromised its network and had posted data allegedly stolen in the attack on the dark web.

Omni Family Health investigated and concluded that the data was real and issued notifications to the 468,344 affected individuals, who included current and former patients and employees. Data potentially stolen in the attack included names, addresses, Social Security numbers, dates of birth, health insurance information, and medical information. The affected individuals were notified about the data breach on October 10, 2024.

The first three class action lawsuits were filed in the Eastern District of California on October 20, 2024, and subsequently, 19 separate actions were filed in the Superior Court of the State of California, Kern County. All 21 actions were consolidated into a single action first in the Eastern District of California, and were then remanded to the Superior Court on January 14, 2025, with the case Pace v. Omni Family Health designated as the lead case.

Omni Family Health denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. Despite believing that it had good defenses to all of the claims, Omni Family Health moved to settle the litigation to avoid the time, expense, risk, exposure, inconvenience, and uncertainty of a trial and related appeals. Class counsel evaluated the costs, risks, and uncertainty of continuing with the litigation, and based on an analysis of comparable settlements, determined that the settlement was in the best interests of all class members. The settlement has recently been granted preliminary approval by the court, and the final fairness hearing has been scheduled for February 26, 2026.

Omni Family Health has agreed to establish a $6,500,000 settlement fund, from which attorneys’ fees and expenses (approximately $2.2 million), class representative awards ($1,500 per named plaintiff, totaling $30,000), and settlement notification and administration costs will be deducted. The remainder of the settlement will be used to pay benefits to the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a pro rata cash payment, which has been calculated to be $105.56 per class member based on a 4% claim rate. All class members are also entitled to claim two years of single-bureau credit monitoring and identity theft protection services, and members of the California resident subclass may claim an additional pro rata cash payment of $100. The cash payments may be adjusted based on the number of valid claims received, and will be calculated after credit monitoring costs have been deducted from the settlement fund.

Omni Family Health has also agreed to implement changes to its business practices and make several security enhancements to prevent similar incidents in the future. The cost of those security enhancements will not be paid from the settlement fund. Individuals wishing to object to the settlement or exclude themselves have until December 5, 2025, to do so, and claims must be submitted by January 5, 2026.


CarePro to Pay $1.3 Million to Settle Class Action Data Breach Lawsuit

The Iowa-based healthcare company CarePro Health Services has agreed to pay $1.3 million to settle class action litigation stemming from a November 2023 cyberattack and data breach affecting up to 151,499 individuals.

The cyberattack that triggered the lawsuit was first identified by CarePro on November 16, 2023. Unauthorized individuals remotely accessed a system where unencrypted patient data was stored. Files containing patients’ protected health information were exfiltrated from the network before the intrusion was detected and blocked. Data compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial account information, and medical/health information. The affected individuals were offered complimentary credit monitoring and identity theft protection services.

A lawsuit was filed shortly after notifications were mailed to the affected individuals by CarePro patient Brandi Bell, individually and on behalf of similarly situated individuals. The lawsuit was soon followed by another complaint filed by Brandie Keegan, individually and on behalf of her minor child and similarly situated individuals. The lawsuits were consolidated into a single complaint, Bell et al. v. C.R. Pharmacy Services, Inc. d/b/a CarePro Health Services, in the Iowa District Court for Linn County.

The lawsuit claimed that the plaintiffs suffered concrete injuries as a direct result of the data breach, including invasion of privacy, lost or diminished value of private information, lost time and opportunity costs, and loss of benefit of the bargain. According to the complaint, the plaintiffs’ and class members’ personal and protected health information remains in the hands of cybercriminals, placing them at an increased risk of identity theft and fraud for years to come.

The plaintiffs claim that the data breach could have and should have been prevented, as the defendant failed to implement adequate and reasonable cybersecurity measures to protect patient data, recklessly maintaining patient information. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, breach of fiduciary duty, breach of confidence, unjust enrichment, invasion of privacy-intrusion upon seclusion, and violations of the Iowa Consumer Fraud Act and Iowa Personal Information Security Breach Protection Act.

CarePro denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. All parties agreed that further litigation, a trial, and any related appeals would likely be protracted and expensive and involve risks and uncertainties for all parties, so the decision was taken to settle the litigation. It took several months of negotiations; however, a settlement has been agreed upon that is acceptable to all parties.

The settlement includes three benefits for class members, which will be paid for from a $1,300,000 settlement fund after attorneys’ fees and expenses, class representative service awards, and settlement administration costs have been deducted.

A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. In addition to or instead of a claim for reimbursement of losses, class members may claim a pro rata cash payment, which is expected to be $100 per class member. The cash payment will be adjusted upwards or downwards depending on the number of valid claims received.

All class members are also entitled to claim two years of three-bureau credit monitoring, dark web monitoring, and identity theft protection services. The cost of the credit monitoring services will be deducted from the settlement fund before the cash payments are calculated. The deadline for exclusion from and opting out of the settlement is December 3, 2025. Claims must be submitted by December 3, 2025, and the final fairness hearing has been scheduled for January 23, 2025.

The post CarePro to Pay $1.3 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Audit Uncovers Security Weaknesses in the NIH All of Us Security Program

An audit of the National Institutes of Health (NIH) All of Us Research Program has uncovered privacy and security weaknesses that put the health information of more than 1 million individuals at risk of compromise.

The All of Us Research Program was launched in 2015 as part of the NIH Precision Medicine Initiative to advance disease prevention and treatment by making the personal health and genomics data of more than 1 million individuals available for research purposes. Unlike research studies that focus on a specific disease or cohort of people, the All of Us Research database can be used to study a wide range of health conditions and diseases. The data is housed by the Data and Research Center (DRC) and is managed by an NIH award recipient, Vanderbilt University Medical Center. The All of Us database is one of the largest health research databases of its kind.

While general data about the entire group of participants can be viewed by anyone, only researchers approved by the All of Us Research Program are allowed to view data from individual participants. Such a large database of health information is extremely valuable; therefore, robust privacy and security measures must be implemented to protect research participants’ data from cybersecurity and national security threats.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has recently published the findings of a 2024 audit that sought to determine whether appropriate access controls had been implemented by the DRC award recipient, if appropriate privacy and security controls were in place, and if information security and privacy weaknesses had been addressed in accordance with federal standards.

HHS-OIG determined that the DRC award recipient had implemented some cybersecurity controls, including vulnerability scanning, penetration testing, flaw remediation, system monitoring, incident response, contingency planning, disaster recovery, and security awareness training; however, controls were inadequate in some areas, which put research participants’ data at an increased risk of compromise.

HHS-OIG identified access control weaknesses. For instance, while authorized users were permitted to remotely access the information systems from foreign countries with prior approval, there were no controls in place to restrict access to only the individuals who had received approval. As such, any authorized user could access the information systems from a foreign country. While downloads of detailed participants’ data are prohibited, there were no access controls in place to prevent data downloads.

HHS-OIG also found that the DRC award recipient failed to communicate national security concerns associated with the maintenance of genomic data to NIH and did not resolve identified weaknesses and vulnerabilities within the timeframe stipulated by NIH in its award agreement. As such, there was an increased risk of research participants’ data, including genomic data, being accessed, downloaded, and misused by bad actors, including foreign adversaries.

HHS-OIG made five recommendations to NIH to improve oversight of the All of Us Research Program and address the identified privacy and security issues. NIH concurred with all five recommendations and is implementing measures to address the privacy and security weaknesses. NIH has confirmed that measures already fully implemented include controls to resolve the remote access security issues, and access from certain countries of concern has been blocked, including China, Cuba, Iran, Russia, and North Korea.

Fortinet Patches Actively Exploited FortiWeb Zero Day Flaw

Patches have been released to fix a critical OS command injection vulnerability affecting Fortinet web application firewalls. The FortiWeb zero-day vulnerability is rated medium-severity with a CVSS score of 6.7 out of 10; however, the vulnerability is being actively exploited in the wild.

The vulnerability, tracked as CVE-2025-58034, can only be exploited by an authenticated attacker, hence the relatively low CVSS score, but the vulnerability can be exploited in a low-complexity attack and will allow the attacker to execute unauthorized code on the underlying system. The vulnerability can be exploited via specially crafted HTTP requests or CLI commands. The vulnerability was identified by Jason McFadyen of Trend Micro’s Trend Research team and is due to improper neutralization of special elements in an OS command.
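The advisory classifies the flaw as improper neutralization of special elements in an OS command, the general weakness in which attacker-controlled text is concatenated into a shell command line. The following Python is an added, generic illustration of that weakness and its two standard mitigations; it is not FortiWeb code and says nothing about how FortiWeb is built. The diagnostic "ping a host" handler, the hostname allowlist and the sample inputs are all constructed for the example, and the helpers only build the command line so that the example runs offline without executing anything.

```python
"""Added example: OS command construction, unsafe vs. neutralized (not FortiWeb code)."""
from __future__ import annotations

import re
import shlex

# Characters a POSIX shell interprets as command separators, pipes, substitutions
# or redirections. Any of these arriving inside a "hostname" is a red flag.
SHELL_METACHARACTERS = set(";&|`$()<>\n")

# Conservative hostname allowlist (assumption for this example): letters, digits,
# dots and hyphens, no leading/trailing punctuation, at most 254 characters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_command_unsafe(host: str) -> str:
    """Legacy pattern: user input pasted straight into a shell command line.
    Whatever the shell treats specially inside `host` becomes part of the command."""
    return f"ping -c 1 {host}"


def build_command_quoted(host: str) -> str:
    """Mitigation 1 (when a shell is unavoidable): quote the value so the shell
    sees it as a single literal word, neutralizing metacharacters."""
    return f"ping -c 1 {shlex.quote(host)}"


def build_command_safe(host: str) -> list[str]:
    """Mitigation 2 (preferred): validate against a strict allowlist, then return an
    argv list meant for subprocess.run(argv) with shell=False, so no shell ever
    parses the value at all."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("host contains characters outside the hostname allowlist")
    return ["ping", "-c", "1", host]


def contains_shell_metacharacters(value: str) -> bool:
    """Detection-style check usable in request logging or a WAF rule: does the
    supplied value carry any shell control character?"""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def argv_after_quoting(host: str) -> list[str]:
    """Show how a shell would tokenize the quoted command line: the hostile value
    stays one argument instead of becoming a second command."""
    return shlex.split(build_command_quoted(host))


if __name__ == "__main__":
    hostile = "waf.example.net; echo injected"   # constructed sample input
    print("unsafe line :", build_command_unsafe(hostile))
    print("quoted argv :", argv_after_quoting(hostile))
    print("metachars?  :", contains_shell_metacharacters(hostile))
    try:
        build_command_safe(hostile)
    except ValueError as exc:
        print("allowlist   :", exc)
```

The unsafe builder yields a line in which the text after the semicolon would run as a separate command; the quoted builder keeps the whole value as one argument, and the allowlisted builder rejects it outright before any command is assembled. In production the argv list form with `shell=False` is the one to reach for, with quoting reserved for code paths that genuinely must go through a shell.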

The vulnerability affects multiple FortiWeb versions:

Vulnerable Versions               Fixed Versions
FortiWeb 8.0.0 through 8.0.1      FortiWeb 8.0.2 and above
FortiWeb 7.6.0 through 7.6.5      FortiWeb 7.6.6 and above
FortiWeb 7.4.0 through 7.4.10     FortiWeb 7.4.11 and above
FortiWeb 7.2.0 through 7.2.11     FortiWeb 7.2.12 and above
FortiWeb 7.0.0 through 7.0.11     FortiWeb 7.0.12 and above

This is the second vulnerability in FortiWeb to be identified and patched recently. Last week, Fortinet announced that a critical path traversal vulnerability in FortiWeb, tracked as CVE-2025-64446 (CVSS v3.1 9.4), received a silent patch on October 28, 2025. The vulnerability can be exploited by an unauthenticated attacker to execute administrative commands on the system via specially crafted HTTP or HTTPS requests.

The vulnerability affects versions 8.0.2 through 8.0.1 and versions 7.6.0 through 7.6.4. The vulnerability was fixed in version 8.0.2 and above, and version 7.6.5 and above. Defused reports that there has been active exploitation of the vulnerability, although that has yet to be confirmed by Fortinet. It is unclear why a security advisory about the flaw was not released at the time the patch was released.
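With two FortiWeb advisories landing in quick succession, the practical question for a defender is which appliances in inventory are exposed to which CVE and what the minimum upgrade target is. The following Python is an added example, not Fortinet tooling, that encodes the affected and fixed versions stated above and triages a constructed inventory. The 8.0 range for CVE-2025-64446 is written in the text as "8.0.2 through 8.0.1", which cannot be a range; the code reads it as 8.0.0 through 8.0.1 (an assumption, consistent with the stated fix in 8.0.2). Host names and versions in the sample inventory are constructed.

```python
"""Added example: FortiWeb patch triage against the advisory ranges quoted above."""
from __future__ import annotations

# (first vulnerable, last vulnerable, first fixed) per release branch, from the table.
CVE_2025_58034 = [
    ("8.0.0", "8.0.1", "8.0.2"),
    ("7.6.0", "7.6.5", "7.6.6"),
    ("7.4.0", "7.4.10", "7.4.11"),
    ("7.2.0", "7.2.11", "7.2.12"),
    ("7.0.0", "7.0.11", "7.0.12"),
]

# Assumption: the text's "8.0.2 through 8.0.1" is read as 8.0.0 through 8.0.1,
# which matches the stated fix in 8.0.2. The 7.6 range is as written.
CVE_2025_64446 = [
    ("8.0.0", "8.0.1", "8.0.2"),
    ("7.6.0", "7.6.4", "7.6.5"),
]

ADVISORIES = {
    "CVE-2025-58034": CVE_2025_58034,
    "CVE-2025-64446": CVE_2025_64446,
}

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "waf-01": "7.6.5",
    "waf-02": "8.0.1",
    "waf-03": "7.4.11",
    "waf-04": "7.2.3",
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn 'major.minor.patch' into an integer tuple so 7.6.10 sorts after 7.6.5."""
    return tuple(int(p) for p in v.strip().split("."))


def affected_by(version: str, ranges) -> str | None:
    """Return the first fixed version if `version` sits inside a vulnerable range
    of the given advisory, otherwise None (unaffected branch or already patched)."""
    ver = parse_version(version)
    for low, high, fixed in ranges:
        if parse_version(low) <= ver <= parse_version(high):
            return fixed
    return None


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each device to the CVE ids its running version is exposed to."""
    return {
        host: [cve for cve, ranges in ADVISORIES.items() if affected_by(version, ranges)]
        for host, version in inventory.items()
    }


def upgrade_target(version: str) -> str | None:
    """Smallest version that clears every advisory for this branch, or None if none apply."""
    fixes = [f for r in ADVISORIES.values() if (f := affected_by(version, r))]
    return max(fixes, key=parse_version) if fixes else None


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        target = upgrade_target(SAMPLE_INVENTORY[host])
        status = f"exposed to {', '.join(cves)}; upgrade to {target}" if cves else "not affected"
        print(f"{host} ({SAMPLE_INVENTORY[host]}): {status}")
```

A device on 7.6.5 is already past the CVE-2025-64446 fix but still inside the CVE-2025-58034 range, so the triage reports it as exposed to one CVE with 7.6.6 as the target; a device on 8.0.1 is exposed to both and needs 8.0.2. Because the comparison is numeric per component, the check also handles two-digit patch levels such as 7.4.10 correctly.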

St. Anthony Hospital in Chicago Notifies Patients About February Data Breach

Data breaches have recently been announced by St. Anthony Hospital in Chicago, Intercommunity Action in Pennsylvania, and Munson Healthcare in Michigan.

St. Anthony Hospital

St. Anthony Hospital in Chicago, IL, has recently discovered unauthorized access to certain employees’ email accounts. The unauthorized access was identified on February 6, 2025, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity and the extent of any data exposure or theft.

The investigation confirmed that the compromised email accounts contained the personal and protected health information of patients and staff members. The HHS’ Office for Civil Rights breach portal shows that the protected health information of 6,679 individuals was exposed. Information potentially compromised in the incident included names, addresses, telephone numbers, birth dates, Social Security numbers, dates of service, medical record numbers, patient account numbers, medical histories, diagnoses/conditions, treatment information, and prescription information. While sensitive information has been exposed, St. Anthony Hospital has not detected any misuse of the exposed data.

Intercommunity Action Inc.

Intercommunity Action, a Philadelphia, PA-based provider of resources for aging, behavioral health, and individuals with intellectual and developmental disabilities, has notified 2,680 individuals about a recent data security incident involving unauthorized access to its computer network. The security breach was identified on May 29, 2025, and the forensic investigation confirmed that unauthorized connections had been made to its network from May 28, 2025, to May 29, 2025. During that time, files were exfiltrated from its network, and Intercommunity Action warned that the stolen data had potentially been made available online. Intercommunity Action is unaware of any instances of data misuse as a result of the incident.

A review of the affected files revealed that they contained patient information such as first and last names, dates of birth, addresses, Social Security Numbers, driver’s license numbers, state identification numbers, bank account information, credit card numbers, other financial information, claims information, diagnosis/conditions, medications, or other treatment information. The types of information involved varied from individual to individual.

As a precaution against misuse of the affected data, individuals whose Social Security numbers, driver’s license numbers, state ID numbers, and/or bank account information were involved have been offered complimentary identity theft protection services. Steps have also been implemented to prevent similar incidents in the future, including changing passwords, blocking the unauthorized users’ IP addresses, and implementing additional safeguards to strengthen security.

Munson Healthcare

Munson Healthcare, the largest health system in Northern Michigan, has notified 1,186 patients about a mis-mailing incident caused by an error when migrating patient information to a new computer system. The error occurred on January 25, 2025, and resulted in the individual responsible for paying bills being accidentally changed to someone who was previously responsible. The issue was not detected until June 2, 2025.

As a result of the error, some patients’ bills were sent to the wrong individuals. An investigation was launched to determine the root cause of the error and the patients affected. The errors in the data were changed and updated to the correct bill payer, and a technical fix was implemented on June 24, 2025, to prevent further bills from being sent to incorrect individuals. Data impermissibly disclosed was limited to a patient’s name, location of services, balance owed, insurance type, and the type of service. The affected individuals have been advised to review the bills issued after January 25, 2025, to ensure that the billing information is correct.

Discovery Practice Management Settles Lawsuit Over 2020 Data Breach

Discovery Practice Management, a California-based healthcare provider, has agreed to settle a class action lawsuit stemming from a June 2020 breach of its email environment. An unauthorized third party accessed employee email accounts between June 22, 2020, and June 26, 2020, and obtained sensitive information relating to patients of the Authentic Recovery Center and Cliffside Malibu facilities in California. The data breach was reported to the HHS’ Office for Civil Rights as affecting up to 12,859 individuals.

Data potentially compromised in the incident included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license numbers, and clinical information, such as diagnosis, treatment information, and prescription information. It took almost a year for the emails to be reviewed and notification letters to be issued to the affected individuals.

In February 2021, a class action lawsuit – JeanPaul Magallanes, et al v. Discovery Practice Management, Inc. – was filed by JeanPaul Magallanes in response to the data breach. The lawsuit alleged that Discovery Practice Management failed to implement appropriate measures to safeguard sensitive data stored on its network, then failed to issue adequate and timely notification letters when its email environment was compromised.

The alleged cybersecurity failures included insufficient monitoring of inbound emails, insufficient training of its workforce on email-based threats, and the failure to encrypt a data server that became accessible to unauthorized individuals who compromised two employee email accounts. Despite the significant risk to the affected patients, it took 335 days from the date of discovery to issue notification letters, which the lawsuit claims violated HIPAA and the California Consumer Records Act.

The lawsuit claims the actions of the defendant violated the California Confidentiality of Medical Information Act, California Unfair Competition Law, and the California Consumer Records Act. All parties agreed to engage in settlement discussions to avoid the cost and risk of a trial, and a settlement has been agreed upon with no admission of wrongdoing by Discovery Practice Management. The settlement has recently been granted preliminary approval by Judge Glenda Sanders of the Superior Court of the State of California, for the County of Orange.

Under the terms of the settlement, all class members are entitled to claim a three-year membership to CyEx’s Identity Defense Total Service, and must enroll by December 9, 2025. In addition, claims may be submitted for reimbursement of documented, unreimbursed ordinary and extraordinary losses caused by the data breach. Claims for reimbursement of ordinary losses are capped at $250 per class member, and claims for reimbursement of extraordinary losses are capped at $1,000 per class member.

The deadline for objection to the settlement, exclusion from the settlement, and submitting a claim is November 24, 2025. The final fairness hearing has been scheduled for February 5, 2026.
