Author Archives: Steve Alder

FTC Imposes $1.9 Million Penalty on Evoke Wellness for Deceptive Marketing Campaign

Posted by Steve Alder

The Federal Trade Commission (FTC) has proposed a $1.9 million settlement to resolve claims that Evoke Wellness, a Florida-based substance use disorder treatment clinic, engaged in deceptive business practices and deliberately misled consumers who were seeking substance use disorder treatment by pretending to be other clinics.

According to the January 2025 complaint, Evoke Wellness, LLC, Evoke Health Care Management, and their officers, Jonathan Mosley and James Hull, conducted a deceptive Google Ads campaign targeting consumers conducting online searches for substance use disorder treatment clinics. According to the FTC, the campaign used the specific names of other clinics as keywords to ensure Evoke’s ads appeared when searches were made for those clinics. The ads prominently displayed the names of the impersonated clinics, misleading consumers into calling the telephone number for Evoke’s telemarketing call center.

When the number was called, the Evoke telemarketers would explain that they had reached a centralized admissions office or an addiction treatment hotline, rather than an Evoke call center. Even when the caller maintained that they wanted to deal with the specific clinic they were trying to reach, the telemarketers continued with the deception, falsely claiming they had a relationship with that clinic.

In the complaint, the FTC alleged that the campaign ran over 2 years from 2021 through 2023 and involved at least 68,510 misleading Google search ads. The campaign is alleged to have generated at least 3,500 calls from individuals seeking treatment for substance use disorder. The FTC alleges that Evoke’s conduct violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018.

The consent order imposes a $7 million civil monetary penalty on the defendants to resolve the FTC’s claims; however, only $1.9 million is payable due to the defendants’ financial position. The consent order prohibits Evoke from impersonating other businesses and substance use disorder clinics, and engaging in deceptive advertising practices such as using competitors’ names in search engine advertisements and making misrepresentations related to their substance use disorder services. Evoke is also required to establish a compliance program that must include monitoring its call centers for misrepresentations and taking corrective action against any agent who violates the consent order.

Should Evoke be later found to have violated the terms of the consent order, the suspended portion of the civil monetary penalty will become immediately payable. The proposed consent order was filed in the U.S. District Court for the Southern District of Florida and now awaits approval from the District Court Judge. “Opioids have ravaged American communities, killing well over one hundred Americans per day and ruining the lives of countless others,” said FTC Chairman Andrew N. Ferguson. “Today’s settlement helps consumers affected by opioid addiction navigate their path to recovery by preventing fraudsters from leading them astray.”

The post FTC Imposes $1.9 Million Penalty on Evoke Wellness for Deceptive Marketing Campaign appeared first on The HIPAA Journal.

PHI Stolen in Sensata Technologies Ransomware Attack

Posted by Steve Alder

A ransomware attack on Sensata Technologies involved the theft of health and wellness plan data. A former Evoke Wellness employee has been accused of stealing patient data for identity theft, and limited PHI has been impermissibly disclosed due to mailing errors at Blue Shield of California and AffirmedRx PBC.

Sensata Technologies Hit with Ransomware Attack

Sensata Technologies, Inc., a leading industrial technology firm that makes sensor and control solutions, has been hit with a ransomware attack. The attack was identified on April 6, 2025, when files were encrypted on its network. Sensata implemented its response protocols to contain the incident, and an investigation was launched with assistance provided by a third-party cybersecurity firm. Law enforcement was also notified about the attack.

The forensic investigation confirmed that the ransomware group had access to its network between March 28, 2025, and April 6, 2025, during which time files were accessed and copied from its network. Over the past two months, Sensata reviewed the affected files and has confirmed that they contained the personal and protected health information of 15,630 members of the company’s Health and Welfare Benefit Plan.

In addition to names and addresses, one or more of the following data types were involved: date of birth, Social Security number, tax identification number, driver’s license number or state-issued identification card number, passport number, other government-issued identification number, financial account information, payment card information, medical information, and/or health insurance information. Individual notification letters have been mailed, and complimentary credit and identity monitoring have been offered to the affected individuals. Sensata has confirmed that it is taking steps to enhance security.

Former Evoke Wellness Employee Accused of PHI Theft, Identity Theft, And Fraud

A former employee of an Evoke Wellness addiction treatment center in Hilliard, Ohio, has been accused of stealing patients’ protected health information for identity theft and fraud. A police investigation was launched after police conducted a vehicle stop and found four fraudulent IDs and twenty-four pre-paid cards in the man’s possession. The man was employed by Evoke Wellness between November 2021 and July 2024, and allegedly accessed patient data and obtained names, contact information, dates of birth, and Social Security numbers without authorization. Evoke Wellness was unaware of the data theft until notified by law enforcement, and launched an internal investigation and confirmed the unauthorized access.

So far, the police investigation has identified 240 victims, although the actual number could be much higher. The man has also been accused of selling stolen data on the dark web to individuals who used the information to fraudulently obtain funds and rack up credit card charges in the victims’ names. Evoke Wellness has not yet listed the breach on its website, and there is no breach report on the HHS’ Office for Civil Rights breach portal. That said, media notices are only required for breaches affecting 500 or more individuals, and OCR does not list data breaches affecting fewer than 500 individuals on its data breach portal.

Blue Shield of California Data Merge Error Results in Impermissible PHI Disclosure

The health plan provider, Blue Shield of California (BSC), has notified 1,543 individuals about an impermissible disclosure of their protected health information. On April 4, 2025, BSC discovered that an incorrect data merge resulted in certain BSC members’ data being added to other members’ data, which could be viewed in the Member Health Record feature on its member portal.

An investigation was launched, which confirmed that the error involved an identifying key being assigned to two or more different individuals, even though they had different names, dates of birth, and Social Security numbers. The mail merge occurred on June 27, 2024, and was identified on April 4, 2025, when the data was immediately suppressed.

The data potentially viewed by other members was limited to member visit information, visit dates, medications, immunization records, lab results, diagnoses, and health conditions. The merged information did not involve another member’s name, date of birth, Subscriber identification number, address, phone number, email address, or highly sensitive information such as their Social Security number, driver’s license number, or financial information. Out of an abundance of caution, BSC has offered the affected individuals complimentary access to the Experian IdentityWorks identity theft protection service for 12 months.

AffirmedRx PBC Mailing Error Results in PHI Disclosure

AffirmedRx PBC, a Louisville, Kentucky-based pharmacy benefits management company, has notified 1,089 members about an impermissible disclosure of some of their protected health information. On May 16, 2025, AffirmedRx PBC identified an error with a mailing involving letters sent on May 14, 2025. The letters advised the recipient about a change in medication information.

The error resulted in a mismatch of names and addresses on the envelopes. The letters included an individual’s name and medication information only, and in each instance, were sent to the address of one other member. AffirmedRx PBC has advised anyone receiving a letter from AffirmedRx PBC dated May 14, 2025, to disregard the information in the letter and to destroy that letter, and if not yet opened, to mail the letter after clearly adding “return to sender” to the envelope.

AffirmedRx PBC has implemented additional safeguards to prevent similar incidents in the future and has provided additional training to appropriate personnel to reinforce its privacy protocols.

The post PHI Stolen in Sensata Technologies Ransomware Attack appeared first on The HIPAA Journal.

Legislation Introduced to Make Violence Against Healthcare Workers a Federal Crime

Posted by Steve Alder

Companion bills have recently been introduced in the House of Representatives and the Senate that seek to make violent attacks on employees of hospitals and healthcare organizations a federal crime. Data released by the U.S. Bureau of Labor Statistics in 2018 revealed that healthcare workers are five times more likely to experience violence in the workplace than workers in other industries. In 2018, healthcare workers accounted for 73% of all nonfatal workplace injuries and illnesses due to violence, and there was an increase in violent incidents during the COVID-19 pandemic.

In January 2024, a poll conducted by the American College of Emergency Physicians revealed that 91% of respondents had either personally experienced violence in the workplace or were aware of a colleague who was a victim of violence in the past year. 40% of respondents said they knew of an attack on a healthcare worker in a trauma center that resulted in moderate to severe disability or death. Last year, the American College of Surgeons reported an increase in violence against surgeons. Jay J. Doucet, MD, MSc, FRCSC, FACS, director of the trauma division at the University of California (UC) San Diego Health, said, “We’ve had six surgeons killed in the last few years.”

While many incidents are perpetrated by patients in emergency rooms and psychiatric units, healthcare workers are also assaulted in other settings, including home health, doctor’s surgeries, maternity units, and elsewhere, and not just by patients. There have been reports of violent behavior from visitors, intimate partners, outsiders, and coworkers.

Violence in the workplace is contributing to an increase in work-related stress, burnout, and job dissatisfaction, and has led many workers to quit the profession. The risk of violence is also making recruitment more difficult. A 2024 National Nurses United Report warned that high and rising rates of workplace violence and employer failure to implement effective prevention strategies are contributing to the current staffing crisis. A 2023 survey revealed that almost half of nurses (45.5%) reported an increase in workplace violence in the past year, and six in 10 nurses reported having either changed or left their job or profession or considered doing so due to workplace violence.

The increase in violence against healthcare workers has prompted bipartisan legislation to make attacks on healthcare workers a federal crime. The bipartisan Save Healthcare Workers Act was introduced last month in the Senate (S.1600) by Sens. Cindy Hyde-Smith (R-MI) and Angus King (I-ME), and the companion House bill (H.R. 3178) by Reps. Mariannette Miller-Meeks (R-IA) and Madeleine Dean (D-PA).  The proposed legislation would give healthcare workers similar protections as workers in the airline industry.

There have been previous attempts to introduce similar legislation, such as the Safety from Violence for Healthcare Employees (SAVE) Act in 2023, but none have been successful. While around thirty states have introduced laws that make attacks on healthcare workers a felony, federal legislation is required to discourage attacks and ensure the perpetrators face appropriate justice.

“State and local authorities are now and will continue to be responsible for prosecuting the overwhelming majority of violent crimes in the United States, including assault and intimidation against hospital employees,” according to the bill. “These authorities can address the problem of assault and intimidation against hospital employees more effectively with greater Federal law enforcement involvement… existing Federal law is inadequate to address the problem.”

The legislation calls for federal prison sentences of up to 10 years for attacks on healthcare workers, and enhanced penalties for acts of violence against healthcare workers involving a deadly or dangerous weapon or inflicting bodily injury. Those more serious attacks, as well as violent acts committed during emergency declarations, would be punishable with a jail term of up to 20 years. The legislation has exemptions from prosecution for individuals with intellectual or physical disabilities.

“I believe the federal government can help deter violence and keep our healthcare workers safe by establishing stronger penalties for those who assault hospital employees,” Hyde-Smith said. “Our legislation will protect these workers and, importantly, the people who rely on their care.”

The post Legislation Introduced to Make Violence Against Healthcare Workers a Federal Crime appeared first on The HIPAA Journal.

Optical Software Solution Provider Ocuco Reports 241K-Record Data Breach

Posted by Steve Alder

Ocuco Inc., a Dublin, Ireland-based provider of optical software solutions for eyecare businesses, has recently notified the HHS’ Office for Civil Rights about a data breach involving the protected health information of 240,961 individuals.

Ocuco claims to be the world’s largest provider of retail optical software solutions, with its US operations based in Florida. Ocuco’s software includes the Acuitas practice management and electronic health record system, which is used by thousands of eye care practices, clinics, and lens manufacturing labs.

Relatively little information has been released by Ocuco about the data breach at the time of writing, other than the information disclosed in the May 30, 2025, OCR breach report, which lists the incident as a network server hacking incident. This appears to have been a ransomware attack by a ransomware group known as Killsec, aka Kill Security.

Killsec claims to be a hacktivist group, but it is a financially motivated ransomware-as-a-service organization that targets government agencies and private sector businesses. On April 1, 2025, Killsec added Ocuco to its dark web data leak site, and the stolen data has since been listed for download, which suggests the ransom was not paid.

While the HIPAA Journal has not verified whether protected health information is available for download, the fact that the data breach has been reported to the HHS’ Office for Civil Rights shows that protected health information has been exposed and most likely stolen in the attack.

The dark web data leak site listing includes screenshots of the stolen data, including business files, appointment information, and several folders related to U.S. and Canadian eyecare clients, including Costco, HoustonEye, Kaiser, Mayo Clinic, Optos, Specsavers, and more. Several law firms have already opened investigations into potential class action lawsuits in response to the data breach.

This post will be updated when further information becomes available.

The post Optical Software Solution Provider Ocuco Reports 241K-Record Data Breach appeared first on The HIPAA Journal.

ComplianceJunction Introduces API Integration to Streamline HIPAA Training for Healthcare Staffing Platforms

Posted by Steve Alder

ComplianceJunction has announced a new API-based integration designed to simplify HIPAA compliance training for healthcare staffing platforms. This program aims to assist staffing agencies and healthcare organizations with automating the delivery and tracking of mandatory HIPAA training for temporary and contract workers. ComplianceJunction has built a reputation as the top provider of HIPAA training.

The integration enables healthcare staffing platforms to incorporate ComplianceJunction’s training modules directly into their existing systems. This allows for automated assignment of training to new hires, real-time monitoring of course completion, and centralized reporting to ensure compliance with HIPAA regulations. By embedding training into the onboarding process, the integration seeks to reduce administrative tasks and ensure that all staff members receive necessary compliance education promptly. This approach aligns with industry trends emphasizing the importance of continuous education and streamlined compliance processes in healthcare staffing.

ComplianceJunction’s training courses have previously received accreditation from organizations such as the American Health Information Management Association (AHIMA), allowing healthcare professionals to earn Continuing Education Units (CEUs) upon completion. This accreditation underscores the quality and relevance of the training content provided and motivates staff.

The API integration is part of ComplianceJunction’s broader efforts to enhance HIPAA compliance training through technology, aiming to support healthcare organizations in maintaining high standards of data privacy and security.

Further details and demonstration access are available at:
https://www.compliancejunction.com/partner-program-hrplatform-integration/

The post ComplianceJunction Introduces API Integration to Streamline HIPAA Training for Healthcare Staffing Platforms appeared first on The HIPAA Journal.

Episource Ransomware Attack Affects Multiple Healthcare Customers

Posted by Steve Alder

Episource LLC, a provider of medical coding, risk adjustment services, and software solutions for healthcare providers and health plans, has experienced a cyberattack involving the theft of customer data. A network intrusion was detected on February 6, 2025, after suspicious activity had been identified within its network. All computer systems were powered down to prevent further unauthorized access, law enforcement was notified, and third-party cybersecurity experts were engaged to assist with the investigation and determine the nature and scope of the unauthorized activity.

The forensic investigation confirmed there had been unauthorized access to its computer systems between January 27, 2025, and February 6, 2025. The California Attorney General was notified about the breach on June 6, 2025, and at that time, Episource said it was unaware of any misuse of the compromised data. Individual notification letters have been issued on a rolling basis since April 23, 2025.

The review of the compromised files confirmed that they contained a range of data, which varied from individual to individual. Potentially compromised data included names and contact information (address, phone number, and email address), together with one or more of the following:

  • Health information: diagnosis information, treatment information, prescriptions, test results, medical images, medical record numbers, and doctors’ names.
  • Health plan information: health plan policies, company names, member/group ID numbers, and Medicaid/Medicare payor ID numbers
  • Other personal information, such as date of birth

Episource said it is strengthening system security to prevent similar breaches in the future, and that the affected individuals are being offered two years of complimentary credit monitoring and identity theft protection services. Episource did not disclose the nature of the attack in its notification letters; however, this appears to be a ransomware attack. The group responsible is currently unknown.

Sharp Community Medical Group and Sharp HealthCare have confirmed that they have been affected by the incident, but it is currently unclear how many other clients have been impacted. The number of affected individuals is also currently unknown, as the data breach is not yet displayed on the OCR breach portal.

The post Episource Ransomware Attack Affects Multiple Healthcare Customers appeared first on The HIPAA Journal.

Bipartisan Healthcare Cybersecurity Act Introduced in House and Senate

Posted by Steve Alder

Last week, a pair of bipartisan bills were introduced in the House of Representatives and Senate that seek to enhance the cybersecurity of the healthcare and public health (HPH) sector by improving coordination at the federal level to ensure that government agencies can respond quickly and efficiently to cyberattacks on HPH sector entities.

Healthcare cyberattacks have increased significantly in recent years, with more than 700 data breaches affecting 500 or more individuals reported to the HHS’ Office for Civil Rights in each of the past four years. In the past couple of years, a huge volume of healthcare records has been breached. In 2023, the protected health information of more than 172 million individuals was exposed or impermissibly disclosed in healthcare data breaches, and 278 million individuals were affected by healthcare data breaches in 2024.

In 2024, a ransomware group breached the systems of Change Healthcare, stole the records of an estimated 190 million individuals, and used ransomware to encrypt files. The attack caused massive disruption to the revenue cycles of healthcare providers across the country due to the prolonged outage of Change Healthcare’s systems, considerable disruption to patient care across the country, and the stolen data was leaked on the dark web.

The Healthcare Cybersecurity Act of 2025 was introduced by Congressman Jason Crow (D-CO), who was joined in introducing the legislation by Congressman Brian Fitzpatrick (R-PA). A companion bill was introduced in the Senate by Senators Jacky Rosen (D-NV) and Todd Young (R-IN). Congressman Crow previously introduced the Healthcare Cybersecurity Act in the 117th and 118th Congresses. “As technology advances, we must do more to protect Americans’ sensitive data,” said Congressman Crow. “That’s why I’m leading bipartisan legislation to strengthen our defenses and protect families from cyberattackers.”

If passed, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) would be required to collaborate on improving HPH sector cybersecurity. A liaison would be created between the two agencies to coordinate the responses to cyberattacks, and the act would authorize cybersecurity training for all relevant personnel. The bill also requires CISA and the HHS to conduct a study to identify the specific risks faced by the HPH sector.

“Cyberattacks on our healthcare system endanger more than data—they put lives at risk. I’ve long worked to strengthen our nation’s cyber defenses where Americans are most exposed, from small businesses to hospitals. This bipartisan bill takes direct, strategic action: empowering CISA and HHS to coordinate real-time threat sharing, expanding cybersecurity training for providers, and establishing a dedicated liaison to bolster response. We’re not just responding to attacks—we’re building the infrastructure to prevent them, protect patient privacy, and defend a vital pillar of our national security,” said Congressman Fitzpatrick.

The post Bipartisan Healthcare Cybersecurity Act Introduced in House and Senate appeared first on The HIPAA Journal.

High Severity Vulnerability Identified in MicroDicom DICOM Viewer

Posted by Steve Alder

A high-severity vulnerability has been identified in the MicroDicom DICOM Viewer, a popular free-to-use software for viewing and manipulating DICOM medical images.

The vulnerability can be exploited remotely in a low complexity attack, and successful exploitation can allow the execution of arbitrary code on vulnerable installations of DICOM Viewer; however, user interaction is required to exploit the vulnerability. A threat actor would need to convince a user to open a malicious DICOM file locally or visit a specially crafted malicious web page, for example, through social engineering or phishing.

The vulnerability affects DICOM Viewer version 2025.2 (Build 8154) and prior versions and is tracked as CVE-2025-5943.  The vulnerability is an out-of-bounds write issue, where it is possible to write to memory outside the bounds of the intended buffer and execute arbitrary code. The vulnerability has been assigned a CVSS v4 base score of 8.6 out of 10 and a CVSS v3.1 base score of 8.8 out of 10. While there have been no known cases of the vulnerability being exploited in the wild at the time of disclosure, prompt patching is recommended. The vulnerability has been fixed in version 2025.3 and later versions.

The vulnerability was identified by independent security researcher Michael Heinzl, who reported the vulnerability to the U.S. Cybersecurity and Infrastructure Agency (CISA). The latest announcement follows a May 2025 disclosure of two high-severity vulnerabilities, a February 2025 disclosure of a medium-severity vulnerability that can be exploited in a machine-in-the-middle (MitM) attack, and four high-severity vulnerabilities identified in 2024 and disclosed in March and June last year.

Since vulnerabilities are frequently discovered, it is advisable to locate DICOM Viewer behind a firewall, to isolate it from business networks, and if remote access is required, to use a secure method of connection such as a Virtual Private Network (VPN) and ensure that the VPN is kept up to date.

The post High Severity Vulnerability Identified in MicroDicom DICOM Viewer appeared first on The HIPAA Journal.

Trump Administration Appoints Deputy HHS Secretary & National Coordinator for Health IT

Posted by Steve Alder

There have been a further two appointments to leadership positions at the U.S. Department of Health and Human Services (HHS). Robert F. Kennedy, Jr., has sworn in Jim O’Neill as Deputy HHS Secretary, and Thomas Keane, MD, MBA, has been named as the new Assistant Secretary for Technology Policy/National Coordinator for Health Information Technology. Last week, the HHS appointed Paula M Stannard as the new Director of the HHS’ Office for Civil Rights (OCR).

Deputy HHS Secretary, Jim O'Neill

Jim O’Neill, Deputy Secretary, Department of Health and Human Services.

Jim O’Neill is a HHS veteran, having served in the department for almost six years between 2002 and 2008, first as Director of the Speech and Editorial Division, then Associate Deputy Secretary and Senior Advisor to the Deputy Secretary, and as Principal Associate Deputy Secretary between 2007 and 2008. In the latter role, O’Neill led reforms at the U.S. Food and Drug Administration (FDA) to overhaul food safety regulations and implemented the FDA Amendments Act to improve the safety of drugs and medical devices.

After leaving the HHS, O’Neill oversaw the development of tools and techniques for enhancing background checks as a member of the Suitability and Security Clearance Performance Accountability Council, served as Managing Director at the global macro hedge fund Clarium Captial Management, Acting CEO of the Thiel Foundation supporting nonprofits promoting technology and freedom, and co-founded the Thiel Fellowship, which has helped many young entrepreneurs found science and tech firms.

O’Neill has also served on the Board of Directors at Advantage Therapeutics Inc., as Board Observer at Oisin Biotechnologies, and was on the Board of Directors at the SENS Research Foundation, where as CEO he led efforts to research and develop regenerative medicine solutions for age-related diseases such as Alzheimer’s, heart disease, and cancer.

“Jim O’Neill’s extensive experience in Silicon Valley and government makes him ideally suited to transition HHS into a technological innovation powerhouse. He will help us harness cutting-edge AI, telemedicine, and other breakthrough technologies to deliver the highest quality medical care for Americans,” said Secretary Kennedy. “As my deputy, he will lead innovation and help us reimagine how we serve the public. Together, we will promote outcome-centric medical care, champion radical transparency, uphold gold-standard science, and empower Americans to take charge of their own health.”

“I am deeply honored to return to HHS,” said Deputy Secretary O’Neill. “All Americans deserve to be healthy, happy, and prosperous, and President Trump and Secretary Kennedy have the right vision and leadership to get us there.”

Assistant Secretary for Technology Policy/National Coordinator for Health Information Technology, Thomas Keane, MD.

Thomas Keane, MD. Assistant Secretary for Technology Policy/National Coordinator for Health Information Technology.

Thomas Keane, MD, MBA, has also rejoined the HHS, becoming the second Assistant Secretary for Technology Policy and the ninth National Coordinator for Health Information Technology (ASTP/ONC). Dr. Keane, a physician, engineer, and interventionalist radiologist, previously served at the HHS as Senior Advisor to the Deputy Secretary of Health and Human Services.

Keane was an administrator of the COVID-19 Provider Relief Fund and led the development of the AHRQ National Nursing Home COVID Action Network, which helped improve infection control and safety practices in nursing facilities. Dr. Keane has also served as CEO of Radiology Associates of Southeastern Ohio, an interventional radiology fellow at Johns Hopkins Hospital, and a radiology resident at New York Presbyterian Hospital. In the new role, DR. Keane will play a key role in shaping the future of Health IT and the HHS technology strategy.

The post Trump Administration Appoints Deputy HHS Secretary & National Coordinator for Health IT appeared first on The HIPAA Journal.