Author Archives: Steve Alder

California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers

Posted by Steve Alder

California Governor Gavin Newsom has added his signature to a bill that strengthens privacy protections for individuals seeking or receiving healthcare services from a family planning center. Prior to the update, California law prohibited a person or business from collecting, using, disclosing, or retaining the personal information of a person located at or within the geolocation of a family planning center, other than as necessary to provide the goods or services requested by that person.

Assembly Bill 45 (AB-45) strengthens privacy protections by prohibiting the collection, use, disclosure, sale, sharing, or retention of personal information of a natural person located at or within the precise geolocation of a family planning center, other than to provide goods and services to an individual, as requested. The requirements do not apply to HIPAA-regulated entities or their business associates, provided that the business associate is contractually obliged to comply with all state and federal laws.

The new law extends the scope of existing law to cover any person, including a natural person, association, proprietorship, corporation, trust, foundation, partnership, or any other organization or group of people acting in concert. The new law uses the same definitions for sale, personal information, and precise geolocation as the California Consumer Protection Act (CCPA), although the definitions apply to all persons. A family planning center is defined as a facility categorized as a family planning center by the North American Industry Classification System adopted by the United States Census Bureau, which includes, but is not limited to, clinics that provide reproductive healthcare services.

The new law makes it unlawful to geofence an entity that provides in-person healthcare services for certain purposes and prohibits the selling or sharing of information with a third party to geofence an entity that provides healthcare services. Healthcare services are defined as “any service provided to a natural person of a medical, surgical, psychiatric, therapeutic, diagnostic, mental health, behavioral health, preventative, rehabilitative, supportive, consultative, referral, or prescribing nature.”

Geofencing is specifically prohibited for the purpose of identifying or tracking an individual seeking or receiving healthcare services, collecting personal information from a person seeking, receiving, or providing healthcare services, sending notifications to a person related to their personal information or healthcare services, and sending advertisements to an individual related to their personal information or healthcare services. There are exceptions to the geofencing restrictions. The owner of the facility is permitted to geofence its own location, geofencing is permitted for research purposes that comply with federal regulations, and geofencing is permitted by labor organizations, although consent must be obtained from individuals if the geofencing results in the collection of names or personal information. Personally identifiable research records of individuals seeking healthcare services are protected and may not be released in response to a subpoena or request made pursuant to other states’ laws that interfere with a person’s rights under the California Reproductive Privacy Act.

There is a limited private cause of action in AB-45, which allows individuals and entities aggrieved by a violation of the provisions of AB-45 to sue for damages, up to a maximum of three times the actual damages, in addition to expenses, costs, and reasonable attorneys’ fees. The California Attorney General will enforce the new law and can impose penalties of up to $25,000 per violation and injunctive relief. Any collected penalties will be used to fund the California Reproductive Justice and Freedom Fund. The new law takes effect on January 1, 2026.

The post California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers appeared first on The HIPAA Journal.

Orthopedics Rhode Island Agrees to Pay $2.9 Million to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

Orthopedics Rhode Island (Ortho RI) has agreed to pay $2.9 million to settle a class action lawsuit stemming from a 2024 ransomware attack. The ransomware attack was detected by Ortho RI on September 7, 2025, with the forensic investigation confirming unauthorized network access from September 4 to September 8, 2024. Information compromised in the incident included names, addresses, dates of birth, billing and claims information, health insurance claims information, diagnoses, medications, test results, x-ray images, and other treatment information. The data breach was reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 377,731 individuals. The affected individuals were notified about the incident via a November 6, 2024, website notice and individual notifications, which were mailed on December 6, 2024.

Seven class action lawsuits were filed against Ortho RI over the data breach, one of which was dismissed. The remaining actions were consolidated in Lavoie-Soria et al. v Orthopedics Rhode Island, Inc. in Kent County Superior Court of the State of Rhode Island, as the lawsuits had overlapping claims and were based on the same facts. The plaintiffs claim to have suffered injuries due to the attack, including lost or diminished value of their private information, lost opportunity costs associated with mitigating the consequences of the data breach, and out-of-pocket losses associated with the prevention, detection, and recovery from identity theft and fraud. The lawsuit asserted claims of negligence and negligence per se due to the failure to implement reasonable and appropriate cybersecurity measures, breach of implied contract, unjust enrichment, and breach of fiduciary duty.

Ortho RI maintains there was no wrongdoing; however, it chose to settle the lawsuit to avoid the costs, risks, and uncertainty of continuing with the litigation. The class representatives believe the settlement is best for all individuals in the settlement class for the same reasons. Under the terms of the settlement, all class members are entitled to claim two years of medical record monitoring services plus one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses related to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may claim an alternative cash payment, which is anticipated to be around $100. Attorneys’ fees, settlement administration costs, service awards for class representatives, and medical record monitoring costs will be deducted from the settlement fund, after which claims will be paid from the remaining funds.

The deadline for objection to and exclusion from the settlement is December 29, 2025. The deadline for submitting a claim is January 13, 2026, and the final approval hearing has been scheduled for January 28, 2026.

The post Orthopedics Rhode Island Agrees to Pay $2.9 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

72% of Healthcare Orgs Report Disruption to Patient Care Due to Cyberattacks

Posted by Steve Alder

A recent survey of U.S. healthcare IT and cybersecurity professionals found that 93% of the surveyed organizations had experienced at least one cyberattack in the past 12 months, and 72% of those reported that the attacks caused disruption to patient care. The negative impacts were typically delayed intake, increased hospital stays, and increased complications from medical procedures, with 29% of respondents reporting an increase in mortality rate. The problem is getting worse, as last year, 69% of healthcare organizations said cyberattacks had negatively impacted patient care.

The survey was conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint on 677 healthcare IT and cybersecurity professionals in the United States. The findings are published in Proofpoint’s report: The 2025 Study on Cyber Insecurity in Healthcare, which looks specifically at the effectiveness of reducing human-targeted cybersecurity risks in the healthcare industry and the cost and impact of cyberattacks on patient safety and care.

Out of the 93% of organizations that experienced a cyberattack, 43 attacks were experienced on average, up from 40 last year. The survey showed that 96% of healthcare organizations experienced at least two incidents involving data loss or exfiltration of patient data, with the majority of respondents reporting that those incidents had a negative impact on patient care.

“Patient safety is inseparable from cyber safety,” said Ryan Witt, vice president of industry solutions at Proofpoint. “This year’s report highlights a stark reality: Cyber threats aren’t just IT issues, they’re clinical risks. When care is delayed, disrupted, or compromised due to a cyberattack, patient outcomes are impacted, and lives are potentially put at risk.”

The report is based on four categories of cyberattacks: cloud/account compromises, supply chain attacks, ransomware attacks, and business email compromise (BEC)/spoofing/impersonation incidents. Supply chain attacks had the biggest impact on patient care, with 87% of victims of supply chain attacks reporting negative impacts such as delayed procedures, poorer outcomes, and increased complications.

When asked about the cost of the single most expensive cyberattack, the answers ranged from $10,000 to more than $25 million, with an average cost of $3.9 million, down from the 2024 average of $4.7 million. The biggest cost was operational disruption, which cost an average of $1,210,172, down 17.6% from last year. Idle time and lost productivity fell by 13.7% year-over-year to an average of $858,832. The average cost of correcting the impact on patient care fell by 21.5% to $853,272, the cost of damage to IT assets and infrastructure fell by 13.8% to $711,060, and the cost of remediation and technical support activities fell by 28.6% to $507,491.

There has been a significant increase in ransomware incidents, which rose from 60% in 2024. While costs are down overall, the cost of ransomware attacks increased from an average of $1.1 million in 2024 to $1.2 million in 2025. The percentage of victims paying the ransom has continued to fall, with 33% of victims choosing to pay compared to 36% last year.

The adoption of AI for security and migration of data to the cloud were the most common protective strategies adopted by healthcare organizations. The survey revealed that 75% of healthcare organizations have or plan to move clinical applications to the cloud, and 30% of respondents use AI for security. The respondents who have adopted AI for security claim the tools are very effective, although 60% said they struggle to protect sensitive data used by AI systems, and the adoption of AI tools is being hampered by interoperability issues and data accuracy problems.

Human error was a key factor in data loss/data exfiltration incidents, with 35% of respondents reporting that data loss was caused by employees not following policies. One-quarter reported data due to privilege access abuse, and one-quarter said it was due to an employee sending PHI to an incorrect recipient. The human factor in cyberattacks is an area being addressed by 76% of organizations. Out of those, 63% said they have regular training and security awareness programs, 51% are monitoring the actions of employees, and 47% are conducting phishing simulations.

“This report underscores the urgent need for healthcare organizations to adopt a human-centric cybersecurity approach—one that not only protects systems and data but also preserves the continuity and quality of care,” said Witt. You can view/download the report here.

The post 72% of Healthcare Orgs Report Disruption to Patient Care Due to Cyberattacks appeared first on The HIPAA Journal.

Five Healthcare Providers Warn Patients About Cyberattacks & Data Breaches

Posted by Steve Alder

Cyberattacks and data breaches have been announced by Crenshaw Community Hospital in Alabama, Waveny LifeCare in Connecticut, Aunt Martha’s Health and Wellness in Illinois, Pulse Urgent Care Center in California, and MyCardiologist in Florida.

Crenshaw Community Hospital

Crenshaw Community Hospital in Luverne, Alabama, has recently announced a security incident. Crenshaw Community Hospital said the incident was detected on June 16, 2025, and involved “network disruption that impacted the functionality and access of certain computer systems.” Third-party cybersecurity experts were engaged to investigate the incident and provide help with securing its environment. The investigation into the attack is ongoing, but it has been determined that certain files were copied from its systems.

The ransomware group, Payouts King, has claimed responsibility for the attack. The group is known to engage in double extortion, stealing data and demanding payment to prevent its publication and for the decryption keys to unlock files. The group claims to have exfiltrated 53 GB of data, and has listed Crenshaw Community Hospital on its dark web data leak site, and claims to have published the entire dataset as the ransom was not paid.

Crenshaw Community Hospital is still reviewing the affected data to determine the individuals affected and the types of data involved. Individual notification letters will be mailed when the file review is concluded. In the meantime, all patients have been advised to remain vigilant against identity theft and fraud by monitoring their account statements, explanation of benefits statements, and free credit reports.

Waveny LifeCare

Waveny LifeCare Network, a New Canaan, Connecticut-based provider of senior living and healthcare services, has experienced a cyberattack that disrupted its network systems. The attack was detected on or around May 28, 2025, and immediate action was taken to contain the incident and secure its systems. Waveny LifeCare engaged third-party cybersecurity experts to assist with the investigation, who confirmed that the attackers accessed certain data on its network.

The investigation and file review are ongoing, but it has been confirmed that the following types of information were involved: name, address, date of birth, admission/discharge date, date of death, telephone number, email address, Social Security number, medical record number, patient account number, facial photographic images, laboratory test results, medical imaging results, driver’s license number, electronic health records, health insurance account or policy number, payment information, Medicare or Medicaid information, and/or financial account number. While sensitive data was accessed, no evidence has been found to date to indicate that any of that information has been misused. Notification letters will be sent to the affected individuals when the file review is concluded.

Aunt Martha’s Health and Wellness

Aunt Martha’s Health and Wellness, a provider of community health, wellness, and support services in Illinois, has fallen victim to a ransomware attack. The attack was detected on August 13, 2025, when suspicious network activity was observed. The forensic investigation confirmed that a threat actor gained access to its computer network on August 12, 2025, exfiltrated sensitive data, and deployed malware that encrypted files. The attack was rapidly contained, and systems and data were restored from backups, without paying the ransom. No evidence has been found to indicate that any of the compromised data has been misused; however, the affected individuals have been advised to remain vigilant against identity theft and fraud.

While the file review is ongoing, Aunt Martha’s Health and Wellness has identified the general categories of information exposed in the incident as name, address, birth date, provider/facility name, medical condition, diagnosis information, treatment information, lab results, prescriptions/medications, personal history, mental health information, insurance/payment amount history information, date(s) of service, Social Security number, medical information, health insurance information, and driver’s license or state identification number. Other information created, used, or disclosed in the course of providing health care services may also have been compromised.

Pulse Urgent Care Center

Pulse Urgent Care Center, which has locations in Redding and Red Bluff in California, is alerting patients about a network security breach that was identified on March 24, 2025.  The incident was investigated and determined to involve network access by an unauthorized third party who deployed malicious software. The attack caused temporary disruption to its IT systems; however, network access and data were rapidly restored from backups, and normal operations were quickly resumed.

The investigation confirmed on May 1, 2025, that some patient data had been exposed and many have been viewed or acquired. The types of data involved vary from individual to individual, and may include names, dates of birth, home addresses, phone numbers, diagnoses, service dates, and treatment information. Pulse Urgent Care Center has strengthened its web server infrastructure and has implemented enhanced safeguards to prevent similar incidents in the future. Individual notification letters state the specific information involved for each individual. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

MyCardiologist

Cardiovascular Medicine Associates, PA, which does business as MyCardiologist, a cardiology practice with nine locations in South Florida, is alerting patients about a cyberattack involving the theft of data from its network. The attack was detected on June 12, 2025, when suspicious activity was observed within its email system. Third-party investigators determined that its email system was compromised on May 30, 2025, and an unauthorized third party had access to its environment until June 12, 2025, when the security breach was identified and blocked. The forensic investigation confirmed that the threat actor copied data from its environment.

Notification letters started to be mailed to the affected individuals on October 7, 2025, following a comprehensive and time-consuming review of the affected data. The review confirmed that names, addresses, dates of birth, clinical information, diagnoses, provider names/locations, and Medicare numbers were compromised in the incident. No evidence has been found to indicate that any of the impacted data has been misused; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Five Healthcare Providers Warn Patients About Cyberattacks & Data Breaches appeared first on The HIPAA Journal.

Almost 26,000 Individuals Affected by Data Breach at Methodist Homes of Alabama & Northwest Florida

Posted by Steve Alder

Data breaches have recently been announced by Methodist Homes of Alabama & Northwest Florida, Rockhill Women’s Care, and Sierra Vista Hospital & Clinics.

Methodist Homes of Alabama & Northwest Florida

Methodist Homes of Alabama & Northwest Florida, a provider of affordable homes, senior living, and healthcare services, disclosed a data breach on October 8, 2025, involving unauthorized access to the personal and protected health information of almost 26,000 residents, employees, and other individuals. The breach occurred almost one year previously, having first been detected on October 14, 2024.

An investigation was launched to determine the cause of suspicious network activity, which confirmed that an unauthorized actor had access to its network between October 2, 2024, and October 14, 2024. During that time, sensitive data may have been accessed or acquired. All exposed files were reviewed, and that process was completed on September 2, 2025. Notification letters have now been mailed to all individuals with valid contact information, and regulators have been notified, including the HHS’ Office for Civil Rights.

The incident is not yet shown on the HHS’ Office for Civil Rights breach portal; however, the Maine Attorney General was informed that 25,579 individuals have been affected in total. The information involved varies from individual to individual and may include names in combination with one or more of the following: Social Security number, driver license or state ID number, health insurance number, and clinical information, including medical record number, medical history, diagnosis and treatment information, patient number, Medicaid/Medicaid number, date of discharge, and date of birth.

Individuals who were neither patient nor resident had their first and last name exposed, plus one or more of the following: Social Security number, driver’s license number, state ID, health insurance number, and medical history information. Credit monitoring services have been offered free of charge to individuals whose Social Security numbers were involved.

Rockhill Women’s Care

The OB-GYN medical practice, Rockhill Women’s Care, which has locations in Overland Park, Kansas, and Lee’s Summit, Missouri, has started notifying patients about a security incident that affected its IT systems and exposed patient information. Suspicious network activity was identified on or around February 26, 2025, and third-party cybersecurity experts were engaged to investigate the activity and assist with remediation. The substitute breach notice does not state when its network was first accessed or for how long hackers had access to the network.

The file review concluded on August 13, 2025, when it was confirmed that the information compromised in the incident included names, addresses, dates of birth, Social Security numbers, treatment information, and, for some patients, also health insurance information. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Sierra Vista Hospital & Clinics

Sierra Vista Hospital & Clinics in Truth or Consequences, New Mexico, has identified unauthorized access to its computer network and the exposure of patient information. The unauthorized access was identified on January 29, 2025, and working with third-party digital forensics specialists, it was determined that a threat actor had access to its network from January 14, 2025, to January 31, 2025.

A comprehensive review was conducted to determine whether patient data had been exposed, and on August 13, 2025, it was confirmed that sensitive patient data may have been accessed or acquired, including first and last names, addresses, state identification numbers/driver’s license numbers, medical information, and health insurance information. Network security has been strengthened, and additional cybersecurity measures have been implemented to prevent similar breaches in the future. Those measures include strengthened email filtering and malware monitoring, and additional cybersecurity awareness training is being provided to the workforce.

The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected. The Texas Attorney General was notified that 481 Texas residents were affected.

The post Almost 26,000 Individuals Affected by Data Breach at Methodist Homes of Alabama & Northwest Florida appeared first on The HIPAA Journal.

Fort Wayne Medical Education Program Data Breach Affects Almost 30,000 Individuals

Posted by Steve Alder

A data breach at the Fort Wayne Medical Education Program has affected almost 30,000 individuals. Data breaches have also been announced by Space Coast Vascular in Florida and Partners in Pediatrics in Colorado.

Fort Wayne Medical Education Program

Fort Wayne Medical Education Program, a family medicine residency in Northeastern Indiana, has recently announced a security incident that potentially involved unauthorized access to the personal and protected health information of up to 29,485 individuals, including patients, employees, and employees’ dependents.

Suspicious activity was identified within its computer network on December 17, 2024, and after securing its systems, the activity was investigated. The forensic investigation confirmed that an unauthorized actor had access to its computer network from December 12, 2024, to December 17, 2024, during which time files containing sensitive data may have been viewed or acquired. The file review was completed on September 9, 2025, when it was confirmed that personal and protected health information had been exposed.

The types of data involved vary from individual to individual. For employees and their dependents, the exposed data included first and last names, in combination with a Social Security number, driver’s license number, state ID number, or passport number. For patients, the exposed information includes names in combination with some or all of the following: Social Security number, government ID number such as driver’s license or passport number, date of birth, medical information, health insurance information, and medical billing information, which may have included bank account number and payment or credit card number (but not CVC). Notification letters were mailed to the affected individuals on October 2, 2025, and complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security number was involved.

Space Coast Vascular

Space Coast Vascular, a vascular and venous health diagnostic laboratory and treatment center in Melbourne, Florida, has announced that it was the subject of a criminal cyberattack on or around January 13, 2025, that impacted its computer systems. Assisted by third-party cybersecurity experts, Space Coast Vascular learned on August 7, 2025, that patients’ protected health information had been exposed and may have been viewed or acquired by the threat actor.

The types of data involved vary from individual to individual and may include name, date of birth, Social Security number, driver’s license/state ID number, medical treatment information, health insurance information, and/or financial account information. At the time of issuing notifications, Space Coast Vascular was unaware of any misuse of patient data as a result of the incident.

The affected individuals are now being notified by mail, and at least 12 months of complimentary credit monitoring and related services are being offered.  Space Coast Vascular has also confirmed that a series of cybersecurity improvements have been made to reduce the risk of similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Partners in Pediatrics

Partners in Pediatrics, an integrative pediatric healthcare practice with offices in Denver and Englewood in Colorado, has recently notified patients about a recent email account breach. Suspicious activity was identified in an employee’s email account on March 5, 2025. The email account was secured, and digital forensics experts were engaged to investigate the activity. They determined that the threat actor had access to emails containing patient information; however, no other systems were affected. The emails were reviewed, and that process was completed on September 23, 2025. Information potentially compromised in the incident includes names, dates of birth, Social Security numbers, driver’s license numbers, clinical information, treatment information, lab test results, prescription information, provider information, and health insurance information.

Data privacy and security policies and procedures have been reviewed, and security measures have been enhanced to prevent similar incidents in the future. On October 3, 2025, individual notification letters started to be mailed to the affected individuals. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Fort Wayne Medical Education Program Data Breach Affects Almost 30,000 Individuals appeared first on The HIPAA Journal.

ALN Medical Management to Pay $4 Million to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

ALN Medical Management, a Nebraska-based revenue cycle management company, has agreed to pay $4 million to settle class action litigation over a March 2024 cybersecurity incident. As reported below, this was a hacking incident that occurred in March 2024, which was initially reported to the HHS’ Office for Civil Rights (OCR) using a placeholder figure of at least 501 affected individuals. The breach total was then revised to more than 1.8 million individuals, and subsequently revised downwards to 1,323,720 individuals. The incident is now archived on the OCR breach portal, indicating that OCR has closed the investigation.

ALN Medical Management and its healthcare clients, Allied Physicians Group, PLLC, Bethany Medical Clinic of New York, PLLC, Hoag Clinic, and National Spine and Pain Centers, LLC, were named in class action lawsuits over the data breach, which were consolidated in a single suit, In Re: ALN Medical Management Data Incident Litigation, in the U.S. District Court for the District of Nebraska.

The lawsuit alleged that ALN Medical Management used the information technology company Long View to host, manage, and secure its IT environment against unauthorized access, and that ALN stored its healthcare clients’ data within an environment hosted, supported, and managed by Long View, which was also named as a defendant in the litigation. Between March 18, 2024, and March 24, 2024, an unauthorized third party gained access to that environment and either accessed or acquired the sensitive data of approximately 1.8 million individuals. The consolidated class action lawsuit asserted claims of negligence, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and violations of the California Consumer Privacy Act.

The defendants deny any wrongdoing, and the plaintiffs believe they have made valid claims; however, all parties quickly moved to settle the litigation, and on August 4, 2025, a settlement in principle was agreed upon. The terms of the settlement have now been finalised and await preliminary approval from the court. Under the terms of the proposed settlement, a $4 million settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the named plaintiffs. After all costs have been deducted, the remaining funds will be used to pay for benefits for the class members.

Class members may choose one of two cash payments: They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member or, alternatively, they can submit a claim for a cash payment. The cash payments are expected to be approximately $50.00 per class member, but may be adjusted upwards or downwards based on the number of valid claims received. The dates for objection, exclusion, and submitting a claim have yet to be set.

May 29, 2025: More Than 1.8 Million Individuals Affected by 2024 ALN Medical Management Data Breach

ALN Medical Management, a Lincoln, Nebraska-based provider of revenue cycle and billing services to the healthcare industry, has recently confirmed the scale of a data breach that occurred more than a year ago in March 2024. The protected health information of more than 1.8 million individuals was compromised in the incident.

On May 23, 2024, ALN Medical Management filed a breach report with the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. At the time, the investigation into the cyberattack and the review of the compromised files were ongoing. In March 2025, ALN Medical Management provided an update on the data breach, confirming that the hackers obtained files from systems hosted by a third-party service provider. The files included individuals’ names, Social Security numbers, driver’s license numbers, government-issued ID numbers, financial information (account number, credit/debit card number), medical information, and health insurance information.

ALN Medical Management started mailing notification letters to the affected individuals on March 21, 2025, and is offering them complimentary credit monitoring and identity theft protection services. The notification process has been ongoing, as there have been reports of notification letters only recently being received. The HHS’ Office for Civil Rights has been provided with an updated total, with the OCR breach portal now showing that the protected health information of 1,823,844 individuals was compromised in the incident. (Update October 2025: That total has since been revised downwards to 1,323,720 individuals.)

State attorneys general have also been provided with updated breach notices, including in Texas, California, and Massachusetts. The notification letter to the Massachusetts Attorney General lists four affected clients: National Spine and Pain in Frederick, Maryland; Inpatient Physician Associates in Lincoln, Nebraska; Hoag Clinic in Costa Mesa, California; and Allied Physicians Group of Melville, New York. It is currently unclear how many other healthcare organizations have been affected.

ALN Medical Management and its Maryland-based parent company, Health Prime International, are facing multiple class action lawsuits over the data breach, with many law firms having opened investigations into potential litigation. The lawsuits already filed allege negligence due to the failure to implement reasonable and appropriate security measures and adhere to industry standard best practices, breach of contract, and other claims. The lawsuits seek financial damages, reimbursement of out-of-pocket expenses, and injunctive relief, requiring ALN Medical Management to implement additional security measures to prevent further data breaches.

The post ALN Medical Management to Pay $4 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

SimonMed Imaging: 1.27M Individuals Affected by January 2025 Cyberattack

Posted by Steve Alder

On October 10, 2025, SimonMed Imaging started mailing notification letters to the individuals affected by its January 2025 cyberattack. SimonMed Imaging is one of the largest medical imaging providers in the country, operating more than 170 medical imaging facilities in 10 U.S. states. In a breach notice to the Maine Attorney General, the Scottsdale, AZ-based company confirmed that the protected health information of 1,275,669 individuals was compromised in the incident, including 22 Maine residents. The HHS’ Office for Civil Rights breach portal still lists the incident with a 500-individual placeholder figure.

The notification letters provide little extra information beyond that provided in its previous announcement, other than the fact that data theft has now been confirmed. While patient data was stolen in the attack, SimonMed Imaging said it is unaware of any misuse of the stolen data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

As previously reported, the Medusa ransomware group claimed responsibility for the attack; however, SimonMed Imaging is not currently listed on the group’s data leak site, which suggests that the ransom was paid. Regardless, the affected individuals should take advantage of the free services being offered.

Apr 2, 2025: SimonMed Imaging Confirms January 2025 Cyberattack

SimonMed Imaging has recently confirmed that it was affected by a cybersecurity incident earlier this year that involved unauthorized access to patient data via one of its vendors. The Scottsdale, Arizona-based radiology practice said that on January 27, 2025, it was alerted by one of its vendors that they were experiencing a security incident. A review was initiated of its own systems, and the following day, January 28, 2025, suspicious activity was identified within the SimonMed network. Immediate action was taken to contain the situation, and a forensic investigation was initiated to determine the extent to which systems had been compromised and the nature of the unauthorized activity.

The investigation confirmed that an unauthorized actor had direct access to its systems between January 21, 2025, and February 5, 2025. The review of the affected files is ongoing to identify the individuals who had their data exposed, but the initial findings of the investigation suggest that the following data has been exposed and potentially stolen: names, addresses, birth dates, dates of service, provider names, medical record numbers, patient numbers, medical condition information, diagnosis/ treatment information, medications, health insurance information, and driver’s license numbers. The data exposed in the incident varies from individual to individual.

SimonMed said several steps have been taken to improve security as a result of the incident, including enhancing multifactor authentication, resetting passwords, implementing endpoint detection and response monitoring, and removing all third-party vendor direct access to systems within SimonMed’s environment and all associated tools. As the investigation progresses, further technical safeguards will be implemented to bolster existing protections.

SimonMed did not state the name of the threat group behind the attack, nor was any confirmation provided on whether ransomware was used.  The Medusa ransomware group had previously claimed responsibility for the attack and said more than 212 GB of data had been infiltrated, and proof of the breach was posted on its data leak site. Medusa claimed to have demanded a $1 million ransom payment and gave a deadline of February 21, 2025, for payment to be made. At least one class action lawsuit has already been filed against SimonMed over the incident.

The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 500 affected individuals.  The total will be updated when the investigation and file review have concluded.

The post SimonMed Imaging: 1.27M Individuals Affected by January 2025 Cyberattack appeared first on The HIPAA Journal.

Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member

Posted by Steve Alder

An Iowa nurse has been terminated for a HIPAA violation and has lost her unemployment benefits after disclosing the pregnancy status of a 17-year-old patient to a family member without the patient’s consent. Erica Hulsing was a registered nurse at Waverly Health Center in Waverly, Iowa, where she had been employed since September 2016. On April 17, 2025, Hulsing received a call from a family member of a 17-year-old patient inquiring about the patient’s recent stay at the hospital.

The patient had made an explicit request for her pregnancy status to be kept confidential; however, Hulsing informed the family member that the patient had been pregnant. Following the disclosure, the patient and family members filed complaints with the hospital over the disclosure, prompting an internal investigation. The hospital determined that Hulsing had disclosed highly sensitive information about a patient to an individual who was not authorized to receive that information, as the family member was not listed on her consent form. The hospital determined that the disclosure was a violation of the HIPAA Privacy Rule, which prohibits disclosures of protected health information to unauthorized individuals. The disclosure also violated hospital policies on professional conduct, resulting in termination for gross misconduct.

HIPAA gives patients the right to request that disclosures of their health information be restricted, including disclosures of their health information to family members. While individuals under 18 years of age are considered minors, if a 17-year-old consents to treatment under state law, the Privacy Rule generally allows the minor to exercise their own privacy rights.

Hulsing maintained that she was unaware that disclosing the patient’s pregnancy status to a family member violated the HIPAA Rules. Hulsing applied for unemployment benefits while her case was under review, and she was paid $4,214 in benefits; however, last month, Administrative Law Judge Duane Golden ruled that Hulsing was not eligible to receive unemployment benefits as her actions constituted job-related misconduct, and Hulsing was ordered to repay the $4,214 she received.

Disclosing patient information to any unauthorized individual can have serious consequences for both the healthcare professional and the patient. As this case clearly demonstrates, a lack of knowledge about the requirements of HIPAA is not a valid defense against a HIPAA violation. In this case, the patient’s request for confidentiality should have been respected, and the disclosure should only have been made if the patient had consented to the disclosure and that consent had been documented.

Healthcare professionals must ensure that they are aware of the requirements of HIPAA, and should ensure that they stay up to date with state and federal laws. Healthcare providers should ensure that they provide comprehensive HIPAA training to all employees to ensure they are aware of their responsibilities under HIPAA, and should reinforce training through annual refresher training sessions to help prevent HIPAA violations in the workplace.

The post Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member appeared first on The HIPAA Journal.