Author Archives: Steve Alder

California Dental Care Provider Announces Data Breach

A data breach has been announced by Tieu Dental Corporation in California. The Children’s Council of San Francisco has determined that more than 12,650 individuals have been affected by a ransomware attack.

Tieu Dental Corporation

Tieu Dental Corporation, a California-based provider of oral and maxillofacial surgery services, has started notifying patients about unauthorized access to its computer network last summer. The intrusion was identified on or around July 29, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network between July 28 and July 29, 2025.

The compromised parts of its network were reviewed, and on January 11, 2026, Tieu Dental confirmed that the compromised files included patient data such as names, dates of birth, Social Security numbers, medical records, treatment plans, prescription information, and health insurance information. Tieu Dental has not identified any misuse of patient data as a result of the incident; however, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. No known threat group has publicly claimed responsibility for the incident.

While regulators have been notified, the incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Children’s Council of San Francisco

Children’s Council of San Francisco (CCSF), a nonprofit childcare resource and referral agency, has notified regulators about a data breach impacting 12,655 individuals. CCSF identified a security breach on August 3, 2025, that caused network disruption. Assisted by third-party cybersecurity experts, CCSF secured its network, investigated the incident, and determined that an unknown hacker gained access to its network on August 1, 2025, and acquired certain data. The SafePay ransomware group claimed responsibility for the attack.

The file review was completed on or around February 23, 2026, when it was confirmed that names and Social Security numbers were present in the acquired files. Notification letters were mailed to the affected individuals on March 2, 2026, and complimentary single-bureau credit monitoring and identity theft protection services have been offered. CCSF notified the Federal Bureau of Investigation about the incident and has implemented measures to harden security and reduce the risk of similar incidents in the future.

The post California Dental Care Provider Announces Data Breach appeared first on The HIPAA Journal.

EMR Practice Management Software Buyer’s Guide

Selecting EMR practice management software requires evaluating scheduling, specialty support, charting flexibility, billing, patient engagement tools, support, integrations, future product development, and HIPAA compliance so the platform can support clinical operations, administrative workflows, and long-term practice growth without creating avoidable operational or regulatory risk. An EMR practice management platform affects how a practice books appointments, documents care, collects payment, communicates with patients, coordinates prescriptions and lab work, and protects electronic protected health information. A poor fit creates friction across the entire organization. A strong fit supports daily workflows, reduces administrative burden, and gives the practice room to expand services without replacing core systems.
This buyer’s guide is built around the questions that matter during product evaluation. It focuses on workflow fit, support access, integration depth, product maturity, and compliance controls so practices can assess whether a platform meets current operational needs and can continue to support the business as it grows.

Part 1 – The Essential Features of EMR Practice Management Software

Is there appointment scheduling?

When selecting EMR practice management software, you want to make sure that it supports your appointment-setting workflow. Some EMRs offer scheduling modules that allow appointments to be booked either in-office or by patients themselves through a booking link embedded on your website.

Having multiple ways for patients to schedule appointments helps to facilitate the sign-up process for patients while cutting down on time needed for providers to manually input all appointments.

What specialties does the EMR support?

Not all EMRs are designed to support every specialty equally. Some platforms are built for a single use case, while others offer flexibility across modalities.
When asking questions on a demo, you should confirm:

  • Whether the EMR supports your current specialty
  • Whether it can support additional services in the future
  • How charting, workflows, and templates differ by modality

How flexible is the charting and documentation?

When comparing EMRs, evaluate the flexibility of their charting as well as any templates provided. You should ask whether SOAP and non-SOAP formats are supported, whether the provided templates can be customized, and whether intake forms and documents can be easily integrated into the chart.
Flexible charting reduces provider burden and improves documentation quality.

What billing and payment options are available?

An EMR should support a variety of revenue models, including:

  • Insurance billing
  • Cash-pay
  • Subscriptions
  • Installment plans
  • Superbills
  • Integrated payment gateways

This way you are not limited in the ways you can accept payment, which is better for your business and your patients.

Does it include tools for patient engagement?

An EMR should make all interactions between patient and practitioner as seamless as possible. Your EMR should offer online appointment scheduling along with automated appointment reminders to help limit no-shows. A patient portal is a necessity: it lets patients check in with digital intake forms, access medical records, treatment plans, and invoices, and message the provider securely through HIPAA-compliant messaging.

An EMR focused on patient engagement should also include automated, personalized follow-up to maintain client retention.

Are you locked into a contract?

When selecting an EMR, make sure the billing and contract terms work with your business. Some EMRs require an annual contract with upfront payment, others work on a month-to-month basis with tiered pricing.

When evaluating platforms, choose the one that best fits your budget and financial plans.

Part 2 – Customer Support from EMR Practice Management Software Vendors

Is there a phone line you can call?

When you’re working in a busy practice, you want to ensure that you can pick up the phone and call someone if you’re having any issues with your EMR/EHR. When evaluating systems, be sure to inquire if they offer live assistance. Additionally, check that the support team is US-based, as outsourced support lines tend to operate on different schedules than your practice hours.

Can you speak to someone on the weekends?

If your practice is open on the weekends, you want to be sure that the EMR you choose has support options for you during those open hours. Many EMRs don’t offer live support on the weekends, so this is a good question to ask when demoing products.

Are there onboarding options?

Some EMRs offer multiple onboarding options, some have an onboarding cost required, and other EMRs don’t offer onboarding assistance at all. When evaluating platforms, consider how much time you will have to dedicate to learning the platform and setting up your workflows.

Is support included in the cost?

When inquiring about support options, ask if there is an additional cost for levels of support. Some EMRs include all support options (phone, text, tickets, 1:1s) for free while others charge for certain levels of support.

Part 3 – EMR Practice Management Software Integrations

Does it integrate with labs?

EMRs should integrate with a variety of labs to give you options that best fit your specialty's needs. Lab integrations within the EMR should allow you to submit orders and receive results directly in the platform, saving time and minimizing room for errors.

Does it have an integration with pharmacies for e-prescribing?

EMRs should integrate with e-prescription networks to help facilitate workflow. These connections should allow practitioners to submit prescriptions to their patients’ preferred pharmacies directly from the platform.

EMRs that focus on integrative clinics should also integrate with supplement dispensaries, which can supply supplements and nutraceuticals directly to patients from the EMR.

Does it have AI scribing?

Often EMRs integrate with AI Scribes, such as DeepCura, to generate clinic notes in real time. Some EMRs have their own native scribes.

This functionality helps providers save time on charting and follow-ups, while also helping with the accuracy of clinical documentation. When inquiring about AI scribing capabilities, be sure to ask if the scribe is able to capture medication and diagnosis names. Some scribes that are not built with healthcare in mind struggle to capture this data.

Does it integrate with CRMs?

Your EMR should help your practice grow. An EMR that integrates with a CRM helps you improve patient retention and engagement through automated reminders to schedule new appointments, seasonal promotions, and regular email follow-up.

It also ensures data accuracy across both systems. When you have your CRM integrated with your EMR, you ensure that the records are the same in both instances, reducing potential error.

Does it connect to health trackers?

EMRs can connect to different health trackers to provide practitioners with the data received from them inside the EMR. This can help to see patient fitness information such as step count, heart rate and sleep quality to best help aid in their health journey.

This is valuable data to collect from your patients and can improve your care plans and diagnoses. When demoing EMRs, be sure to ask which (if any) health trackers they connect to. Popular ones include Fitbit, Apple Watch, and Oura Ring.

Part 4 – Future-Proofing EMR Practice Management Software

How often are they releasing new features?

Your EMR should be focused on constant improvement. An EMR that listens to its practitioners, and makes changes accordingly, is valuable. A platform that values user feedback should update at least quarterly, with some EMRs releasing new functionality as often as once a month.

Are they utilizing AI?

AI tools can allow you to spend more deliberate time with patients, and less time on documentation. An EMR that is keeping up with the times will have AI capabilities built into the system or an integration that facilitates AI within the system.

Can you add additional modalities?

If your business offerings change, you want your EMR to still be able to support you. It is time-consuming and can be expensive to switch EMRs, so you should either be certain that you will only be offering services under your current modality in the future, or ensure that your EMR can grow with your practice.

Part 5 – Compliance Considerations

Do they have a Business Associate Agreement?

The EMR you select should have a BAA that you can easily access. It must be signed prior to creating, receiving, maintaining, or transmitting PHI within the platform.

Are their patient communication tools HIPAA-compliant?

HIPAA-compliant two-way texting, text and email appointment reminders, one-off texts and emails, and access to a patient portal with messaging should be available through your EMR. Patient portals should include the ability to securely communicate with providers, complete consent and intake forms, and pay bills or invoices through the platform.

Is their data storage method HIPAA-compliant?

HIPAA requires EMRs to encrypt all ePHI using strong standards, retain records for a minimum of 6 years, have secure and regular backups with copies stored in a separate secure location, maintain detailed audit logs, and have role-based access controls.

When searching for the right EMR for your practice, it is critical that you assess its compliance standards. Choosing a platform that does not abide by these standards can put your patients' data at risk.

Choose an EMR Practice Management Software That has Everything You Need

This guide recommends selecting EMR practice management software that is designed for customizability and adaptability to your practice specialty. It should not only include the basic key features, but offer in-depth tools that help manage day-to-day operations with fluidity. It calls for an EMR that offers advanced scheduling options, patient communication tools, integrations with labs, e-prescribing, up-to-date technology, customer support, and HIPAA compliance features. It holds that an EMR should fit your practice's needs with workflows that create structure and save time.

Long Island Plastic Surgical Group Settles Class Action Lawsuit Over BlackCat Ransomware Attack

A consolidated class action lawsuit against Long Island Plastic Surgical Group, P.C. has been resolved with a $2,600,000 settlement. Legal action was taken by patients of the Garden City, New York-based private, academic plastic surgery practice in response to a January 4, 2024, ransomware attack by the ALPHV/BlackCat ransomware group. The forensic investigation confirmed that the BlackCat group accessed its network between January 4, 2024, and January 8, 2024, and used ransomware to encrypt files. Prior to encrypting files, sensitive data was exfiltrated from the network, including personally identifiable information (PII) and protected health information (PHI).

Data stolen in the incident included full names, Social Security numbers, driver’s license numbers or state identification numbers, dates of birth, biometric information, account numbers, credit or debit card information, medical information, patient photographs, health insurance policy information, and patient account numbers. In total, more than 161,000 current and former patients were affected. The BlackCat ransomware group demanded payment to prevent the publication of the stolen data on its dark web data leak site. Long Island Plastic Surgical Group chose to pay the ransom to prevent the release of the stolen data and received confirmation that the stolen data had been deleted.

On October 4, 2024, the affected individuals were notified by mail. Shortly after issuing notifications, seven putative class action lawsuits were filed by patients over the incident, alleging they had suffered harm as a result of the data breach. The lawsuits were consolidated – Baum et al. v. Long Island Plastic Surgical Group, P.C. – in the Supreme Court of the State of New York, County of Nassau.

The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the New York Consumer Law for Deceptive Acts and Practices Act. Long Island Plastic Surgical Group denies the allegations and all liability, including claims that the plaintiffs suffered any injury or damage as a result of the incident. To avoid the time, expense, and uncertainties of defending protracted litigation, the defendant agreed to settle the litigation. Class counsel and the class representatives agreed to the settlement as they concluded it was in the best interests of the class members.

Under the terms of the settlement, Long Island Plastic Surgical Group will establish a $2,600,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may choose to receive an alternative pro rata cash payment. An additional pro rata cash payment of up to $1,000 may be claimed by class members who had clinical photographs compromised in the incident.

The amount paid to class members claiming alternative cash payments will depend on the number of claims received, including claims for the additional cash payments. The additional cash payments may also be reduced depending on the remaining funds after legal costs and expenses, service awards, administration and notification costs, and claims for reimbursement of losses have been paid. The deadline for objection to and exclusion from the settlement is May 4, 2026. Claims must be submitted by May 18, 2026, and the final approval hearing has been scheduled for June 2, 2026.

Orthopaedic Institute of Western Kentucky Patients Affected by Vendor Data Breach

Orthopaedic Institute of Western Kentucky has notified patients that their PHI was compromised in two security incidents at their managed IT services provider. Supportive Home Health Care and Patriot Outpatient has identified unauthorized access to an employee’s email account.

Orthopaedic Institute of Western Kentucky

Orthopaedic Institute of Western Kentucky (now Mercy Health — Western Kentucky Orthopedics) in Paducah, Kentucky, has been affected by two security incidents at one of its business associates, the managed IT services provider Keystone Technologies.

Keystone Technologies notified the orthopedic institute about unauthorized access to Keystone systems on two occasions: the first between April 21, 2025, and April 26, 2025, and the second between July 19, 2025, and August 1, 2025. During both periods, unauthorized individuals exfiltrated files containing patient information. The affected files were reviewed, and the affected individuals were identified in December 2025 and January 2026. Data compromised in the incident included names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment information, and health insurance information. Electronic medical records were not subject to unauthorized access, nor were any of Mercy Health’s systems.

The affected individuals have now been notified and offered a complimentary 12-month membership to a credit monitoring and identity theft protection service. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Supportive Home Health Care and Patriot Outpatient

Superior Care Plus, LLC, doing business as Supportive Home Health Care and Patriot Outpatient, LLC (Patriot), a provider of home healthcare services in Northeast Ohio, has announced a data breach affecting 1,415 of its patients.

On November 17, 2025, suspicious activity was identified within an employee’s email account. An investigation was launched to determine the nature and scope of the activity, and Patriot confirmed that the email account was compromised as a result of the employee responding to a phishing email. No other email accounts or systems were compromised in the incident.

On January 9, 2026, the forensic investigation was completed, and Patriot confirmed that the compromised account contained first and last names, city/ZIP codes, email addresses, health insurance policy numbers, medical treatment information, admission/discharge dates, patient logs, referring facility, start care date, policy name, and referring primary care physician name. A limited number of individuals also had their Social Security numbers and/or Medicare numbers exposed.

Patriot has taken several steps to prevent further unauthorized access to email data. The affected email account was deleted and a new account was created for the employee, rather than reactivating the account after a password change. Further training has been provided to the workforce on email security and phishing email identification, and third-party cybersecurity experts have helped Patriot enhance its technical security measures and procedures.

Iran-Linked Hacking Group Wipes Data of Leading U.S. Medical Device Manufacturer

Stryker, a U.S. medical device and medical equipment manufacturer based in Portage, Michigan, is dealing with a cyberattack linked to the current U.S. military action in Iran. The cyberattack started shortly after midnight and has caused an outage of systems across the organization. An Iran-linked hacking group has claimed responsibility for the attack.

Stryker has operations in 61 countries and has a global workforce of more than 56,000 employees. Stryker said in a filing with the U.S. Securities and Exchange Commission (SEC) that the attack has and is expected to continue to cause “disruptions and limitations of access to certain of the Company’s information systems and business applications.” Stryker is currently unable to provide a timeline for when systems and data will be recovered and when normal operations will resume.

This does not appear to have been a ransomware attack, but rather a data theft and wiping attack. The attack affected Stryker’s Microsoft programs, including the wiping of Windows-based devices such as mobile phones and laptops. Stryker said it has found no indications that ransomware or malware was used, and said it believes it has contained the attack. An investigation has been launched to determine the impact of the attack on its computer systems.

According to the Wall Street Journal, Stryker’s login pages were defaced with the hacking group’s logo. Stryker said it has business continuity measures in place and will continue to support its customers and partners while it recovers from the attack. Stryker has also committed to transparency and said it will keep stakeholders informed as the investigation and recovery processes progress.

An Iran-linked hacking group called Handala immediately claimed responsibility for the attack in an announcement on X. The group claimed its attack has caused disruption at 79 Stryker offices around the world, involved more than 200,000 systems, servers, and mobile devices being wiped, and 50 terabytes of data were exfiltrated in the attack. “We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,” the group said in a post on X.

While the initial access vector is not known, security researcher Kevin Beaumont suggests that Handala actors gained access to Stryker’s Active Directory services and used the Microsoft endpoint management tool Intune to remotely wipe Microsoft devices, including devices used by employees managed under its bring-your-own-device policy.

While Handala appears at face value to be a hacktivist group, the group has been linked to Iran’s Ministry of Intelligence and Security. Palo Alto Networks suggests that Handala is part of the Ministry of Intelligence and Security and masquerades as a hacktivist group, allowing Iran to deny responsibility for its cyber operations.

While Iran has executed a military response to the US-Israel military action, retaliation for the attacks was always likely to involve more than just missiles. Iran has sophisticated cyber capabilities, and any response was likely to take place in cyberspace. Iranian officials stated this week that Tehran would expand its targeting to include economic centers and banks tied to the United States or Israel, and that U.S. companies with ties to the U.S. military or Israel would also be attacked. Stryker has a presence in Israel, including OrthoSpace, an orthopedic device maker that the company acquired in 2019. Handala claimed that Stryker was "a Zionist-rooted corporation."

“Attacks like this unfortunately aren’t surprising. Even before the latest geopolitical tensions, hacktivist activity targeting healthcare and other critical infrastructure had been steadily increasing, and that trend makes organizations like medical device manufacturers and hospitals more likely to be caught in the crossfire. In many cases, attackers simply find the path of least resistance—an exposed system, an unsecured management console, or credentials that allow them to move deeper into the environment—and once they gain administrative access, they effectively hold the keys to the kingdom and can disrupt everything from mobile devices to operational systems,” Skip Sorrels, Field CTO and CISO, Claroty, said in a statement provided to The HIPAA Journal. “As a former ICU nurse, I’ve seen firsthand how even small technology outages ripple through care delivery, which is why cybersecurity in healthcare must be treated as part of patient safety, with organizations prioritizing visibility into their cyber-physical systems and closing those “open doors” before attackers find them.”

Steve Povolny, Vice President of AI Strategy & Security Research at Exabeam told The HIPAA Journal the attack illustrates how cyber operations are increasingly becoming the asymmetric response of choice during periods of regional conflict or political tension, and that cyber activity from proxy groups provides Tehran with a deniable way to impose costs on Western economies and technology ecosystems.

“Groups like Handala blur the line between hacktivism and state operations, giving governments plausible deniability while still achieving strategic signaling. The cautionary lesson for defenders is that these campaigns are rarely isolated events,” said Povolny. “They are often part of a broader pressure strategy designed to create disruption across multiple industries that support national stability, from healthcare and logistics to energy and manufacturing. Organizations that do not traditionally view themselves as geopolitical targets may increasingly find themselves on the front lines of state-linked cyber conflict.”

Paubox Research on Email Security Identifies Top Security Risks in 2026

New research from Paubox has highlighted the top email security risks for healthcare organizations in 2026. The greatest risk lies not with novel and increasingly sophisticated threats, but with the foundational weaknesses in email security that have existed, and been exploited by threat actors, for years.

The latest data show that cyber threat actors are relying less on vulnerabilities and are focused on compromised credentials for initial access to networks. Email is the leading entry point for cybercriminals and the root cause of many data breaches, especially in healthcare. Cybercriminals are using email to obtain credentials that provide them with the foothold they need for an extensive compromise, including data theft, extortion, and file encryption with ransomware. The extent to which email is used, and the weaknesses in email security that facilitate attacks, have been explored by the leading HIPAA-compliance email firm Paubox in its 2026 Healthcare Email Security Report.

Based on data reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), at least 170 email-related data breaches occurred in 2025 that involved the exposure or acquisition of electronic protected health information (ePHI). There was a slight decline in email incidents year-over-year, although Paubox’s analysis has shown that email-based data breaches are still highly prevalent and, in most cases, were the result of foundational security gaps – poorly configured security tools, a lack of appropriate safeguards, and human factors – that have remained largely unchanged for years and are widespread among HIPAA-covered entities and their business associates.

A concerning number of HIPAA-regulated entities were found to have failed to implement email security measures that have been recommended for many years. Paubox's analysis of organizations that experienced an email security incident in 2025 found that three-quarters lacked effective DMARC enforcement, a basic security measure that tells receiving mail servers whether to take no action on (monitor only), quarantine, or reject emails that fail authentication checks. Worryingly, more than half of breached organizations relied on missing or permissive Sender Policy Framework (SPF) records to determine whether an email was sent from a server authorized to use a domain, leaving them at a high risk of phishing and spear phishing emails being delivered to end users.

Out of the HIPAA-covered entities and business associates that experienced an email breach, none enforced the Mail Transfer Agent Strict Transport Security (MTA-STS) security standard, which forces mail servers to encrypt messages to prevent interception in transit. MTA-STS ensures that emails are only delivered via a trusted and secure connection. Without encryption, healthcare organizations are at risk of man-in-the-middle (MITM) attacks.
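As an added example (not from the Paubox report or The HIPAA Journal), the Python below classifies a domain's published DMARC, SPF and MTA-STS records into the foundational gaps the two paragraphs above describe: DMARC not at enforcement, SPF missing or permissive, and MTA-STS absent or not in enforce mode. The record strings are constructed samples for hypothetical domains, and the gap wording is my own simplification rather than Paubox's risk scoring.

```python
"""Classify published email-authentication records into the foundational
gaps described in the text.  In practice the inputs come from DNS TXT lookups
(_dmarc.<domain>, <domain>, _mta-sts.<domain>) and an HTTPS fetch of
https://mta-sts.<domain>/.well-known/mta-sts.txt; here they are passed in as
strings so the checks run offline.  All sample records are constructed."""
from typing import Optional


def parse_tags(txt: Optional[str]) -> dict:
    """Parse 'k=v; k2=v2' text (DMARC and the MTA-STS DNS record share this shape)."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforced(txt: Optional[str]) -> tuple:
    """(enforced, reason). Enforced means receivers are told to quarantine or
    reject failing mail for 100% of messages; p=none only monitors."""
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "no valid DMARC record"
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy} (monitor only)"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return False, f"p={policy} but pct={pct} leaves some mail unenforced"
    return True, f"p={policy}"


def spf_strength(txt: Optional[str]) -> tuple:
    """(strength, reason). The qualifier on the final 'all' mechanism decides
    what receivers do with unauthorised senders: -all fails them, ~all
    softfails, and ?all, +all or no 'all' at all accepts anything."""
    terms = (txt or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "missing", "no SPF record"
    for term in terms[1:]:
        lowered = term.lower()
        if lowered.startswith("redirect="):
            return "redirect", f"delegated via {term}; evaluate the target record"
        qualifier = lowered[0] if lowered[0] in "+-~?" else "+"
        if lowered.lstrip("+-~?") == "all":
            if qualifier == "-":
                return "strict", "-all"
            if qualifier == "~":
                return "softfail", "~all"
            return "permissive", f"{qualifier}all allows any sender"
    return "permissive", "no 'all' mechanism (implicit neutral result)"


def mta_sts_enforced(dns_txt: Optional[str], policy_file: Optional[str]) -> tuple:
    """(enforced, reason). MTA-STS needs the _mta-sts TXT record (v=STSv1; id=...)
    and an HTTPS-served policy in 'mode: enforce'; 'testing' only reports."""
    tags = parse_tags(dns_txt)
    if tags.get("v", "").upper() != "STSV1" or "id" not in tags:
        return False, "no MTA-STS DNS record"
    fields, mx_patterns = {}, []
    for line in (policy_file or "").splitlines():  # policy file is 'key: value' per line
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx_patterns.append(value)
        else:
            fields[key] = value
    if fields.get("version", "").upper() != "STSV1":
        return False, "policy file missing or invalid"
    if not mx_patterns:
        return False, "policy lists no mx hosts"
    mode = fields.get("mode", "none").lower()
    if mode != "enforce":
        return False, f"mode={mode} (never refuses an unencrypted delivery)"
    return True, f"mode=enforce covering {len(mx_patterns)} mx pattern(s)"


def assess_domain(records: dict) -> list:
    """Return the foundational gaps for one domain. Keys: dmarc, spf,
    mta_sts_txt, mta_sts_policy (any may be None when nothing is published)."""
    gaps = []
    ok, why = dmarc_enforced(records.get("dmarc"))
    if not ok:
        gaps.append(f"DMARC not enforced: {why}")
    strength, why = spf_strength(records.get("spf"))
    if strength in ("missing", "permissive"):
        gaps.append(f"SPF {strength}: {why}")
    ok, why = mta_sts_enforced(records.get("mta_sts_txt"), records.get("mta_sts_policy"))
    if not ok:
        gaps.append(f"MTA-STS not enforced: {why}")
    return gaps


# Constructed sample records for two hypothetical domains (not real data).
WEAK_DOMAIN = {
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@clinic.example",
    "spf": "v=spf1 ip4:203.0.113.0/24 include:mail.example ?all",
    "mta_sts_txt": None,
    "mta_sts_policy": None,
}
HARDENED_DOMAIN = {
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@clinic.example",
    "spf": "v=spf1 ip4:203.0.113.0/24 -all",
    "mta_sts_txt": "v=STSv1; id=20260301T000000",
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mx1.clinic.example\nmax_age: 604800",
}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK_DOMAIN), ("hardened", HARDENED_DOMAIN)):
        print(name, "->", assess_domain(recs) or ["no foundational gaps"])
```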

Microsoft 365 is extensively used in healthcare for email, and while the platform includes multiple security tools, they do not necessarily equate to better security and fewer data breaches. The analysis revealed that 53% of email-related healthcare data breaches occurred in Microsoft 365 environments. What is clear is that healthcare organizations are exposing themselves to email-based attacks due to incomplete and poorly implemented configurations, and the security measures they have deployed have failed to keep pace with modern email threats.

As has long been the case, most email-related incidents are the result of phishing, spoofing, improper handling of emails, and credential compromise, and for the most part, email incidents from these causes are preventable. Unless healthcare organizations address their foundational weaknesses in email security, email will remain a leading cause of cyberattacks and data breaches.

Paubox's analysis of email security configurations found that 41% of breached organizations fell into a high-risk category. While that percentage should have fallen year-over-year, it actually increased from 31% of breached organizations in 2024. There were even cases in 2025 where the same organization experienced multiple email-related data breaches, showing they had failed to understand and address the foundational email security weaknesses that were exploited.

It is foundational weaknesses in email security that create the biggest email security risk for healthcare organizations. While there is always a threat of novel and increasingly sophisticated attacks, in reality, there is no driving force compelling threat actors to seek new and more sophisticated attack methods, as the same tried and tested techniques exploiting common security weaknesses are still proving successful.

Looking forward to the rest of 2026 and beyond, healthcare organizations need to consider the foundational security weaknesses that are routinely being exploited, as this is where the bulk of the risk exists. “Future breaches are more likely to occur in environments where the same misconfigurations and security gaps have existed for years, rather than as the result of new attack techniques,” explained Paubox.

Addressing these risks is naturally important for preventing costly operational disruptions and data breaches, but it is also essential for HIPAA compliance. OCR has imposed several penalties for email-related data breaches – not for an individual being duped by a phishing email, but for basic security failures that made such an attack possible.

A comprehensive and accurate risk analysis to assess reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI is vital for HIPAA compliance, and even more important for avoiding penalties under OCR’s current HIPAA enforcement drive. OCR has also stated that it will be expanding this initiative to cover risk management, to ensure that identified risks are reduced to a low and acceptable level.

According to KnowBe4 research, phishing attacks increased by 17% year-over-year. Given the high risk of email-based attacks, the risk analysis must naturally cover email security and risks related to spoofing and phishing; however, Paubox warns that the risk analysis must also cover emerging risks. These include how emerging tools interact with existing infrastructure, AI tools processing PHI outside of sanctioned systems, whether DMARC and SPF are protecting against AI-generated outbound communications, whether encryption is being routinely applied or is reliant on user decisions, and whether logging and monitoring controls are capturing AI-assisted communications to the same extent as traditional email workflows.
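The SPF and DMARC part of that review can be scripted against the records a domain publishes in DNS. The following is an added example and is not Paubox’s tooling or its risk-scoring methodology: the domains and TXT records are constructed for illustration, and the “high”, “medium” and “low” thresholds are this editor’s assumptions, not the categories used in the Paubox report. It works offline on record strings, so a practitioner would feed it the output of a DNS lookup for `example.com` and `_dmarc.example.com`.

```python
"""Offline review of SPF and DMARC TXT records for weak configurations.

Added example, not Paubox's tooling. Records and thresholds are constructed
assumptions for illustration; the SPF lookup count is a flat count of the
top-level terms and does not follow 'include:' chains.
"""
from typing import Optional

# Constructed sample records keyed by a hypothetical domain: (SPF, DMARC).
SAMPLE_RECORDS = {
    "clinic-a.example": (
        "v=spf1 include:_spf.mailer.invalid -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@clinic-a.example",
    ),
    "clinic-b.example": (
        "v=spf1 ip4:203.0.113.0/24 ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@clinic-b.example",
    ),
    "clinic-c.example": ("v=spf1 a mx +all", None),          # no DMARC at all
    "clinic-d.example": (
        "v=spf1 ip4:198.51.100.10 -all",
        "v=DMARC1; p=quarantine; pct=50",
    ),
}

# Terms that cost one of the 10 DNS lookups RFC 7208 allows per SPF check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> Optional[dict]:
    """Split an SPF record into mechanisms, the qualifier on 'all', and a lookup count."""
    if not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier, lookups = [], None, 0
    for term in record.split()[1:]:
        qualifier = "+"                       # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
            continue
        mechanisms.append((qualifier, term))
        if name in LOOKUP_TERMS:
            lookups += 1
    return {"mechanisms": mechanisms, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> Optional[dict]:
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    if not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf: Optional[str], dmarc: Optional[str]):
    """Return (risk_level, findings). Severity mapping is an assumption."""
    high, medium = [], []
    s = parse_spf(spf) if spf else None
    d = parse_dmarc(dmarc) if dmarc else None

    if s is None:
        high.append("no valid SPF record")
    else:
        if s["all"] in (None, "+"):
            high.append("SPF passes unauthorised senders (missing 'all' or '+all')")
        elif s["all"] == "?":
            medium.append("SPF '?all' is neutral, so receivers learn nothing")
        # '~all' (softfail) is treated as acceptable when DMARC enforces alignment.
        if s["lookups"] > 10:
            high.append(f"SPF has {s['lookups']} lookup terms, over the 10-lookup limit")

    if d is None:
        high.append("no valid DMARC record")
    else:
        policy = d.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            high.append(f"DMARC policy is '{policy or 'missing'}' (monitor only)")
        pct = d.get("pct", "100")
        if not pct.isdigit() or int(pct) < 100:
            medium.append(f"DMARC pct={pct} applies the policy to only part of the mail stream")
        if "rua" not in d:
            medium.append("no DMARC aggregate reporting address (rua), so spoofing is invisible")

    level = "high" if high else "medium" if medium else "low"
    return level, high + medium


def review_all(records=SAMPLE_RECORDS) -> dict:
    """Assess every domain and return {domain: risk_level}."""
    return {domain: assess(spf, dmarc)[0] for domain, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_RECORDS.items():
        level, findings = assess(spf, dmarc)
        print(f"{domain}: {level}")
        for finding in findings:
            print(f"  - {finding}")
```

Because only the qualifier on `all` and the DMARC `p`/`pct`/`rua` tags are examined, the script flags exactly the configurations that let a spoofed message through unchallenged; it does not validate the IP ranges or includes themselves, which still need to be reconciled against the organization’s actual sending systems.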

One of the ways that risk can be managed is by reducing human decision points as far as possible, as human error and poor end user security decisions are inevitable. Previous Paubox research found that 86% of healthcare IT leaders admitted awareness that users were bypassing security controls to reduce workflow friction. When encryption was left to the discretion of employees, emails that should have been encrypted were not, either through employee error or the avoidance of workflow disruption. The simple solution for HIPAA compliance is to take the decision away from employees and enforce encryption for all emails in transit. That ensures HIPAA-compliant message delivery regardless of the sender, recipient, or message content. With Paubox, that can be achieved without portals, passwords, or additional steps that impact workflows.

The high number of security incidents in Microsoft 365 environments and the regularity with which threats are bypassing security controls show a clear need for augmented security. Paubox’s email security suite adds additional layers of security on top of Microsoft 365, Google Workspace, and Exchange security measures, without the need for plug-ins, additional staff training, or new workflows.

Through enhanced threat protection and the elimination of the workflow friction that leads employees to bypass security controls, healthcare organizations can make significant email security improvements, prevent email data breaches, and clearly demonstrate HIPAA email compliance in the event of a compliance audit or OCR investigation.

The post Paubox Research on Email Security Identifies Top Security Risks in 2026 appeared first on The HIPAA Journal.

ID Care & CommuniCare Announce Data Breaches

ID Care in New Jersey and Barrio Comprehensive Family Health Care Center (CommuniCare) in Texas have confirmed that patients’ personal and protected health information has been compromised in recent data security incidents.

ID Care

ID Care, a New Jersey-based network of board-certified infectious disease specialists, has recently disclosed a data security incident that involved unauthorized access to the personal and protected health information of current and former patients.

Suspicious activity was identified within certain systems on November 5, 2025. Industry-leading cybersecurity specialists were engaged to investigate the activity and confirmed that an unknown actor gained access to its network and accessed or downloaded files without authorization.

ID Care is currently reviewing the affected files, and while that process has not yet been completed, ID Care has confirmed that the affected files contained full names, dates of birth, Social Security numbers, health insurance information, and medical information, including diagnoses, treatment information, and prescription information.

Policies and procedures are being reviewed to reduce the likelihood of similar incidents in the future, and the HHS’ Office for Civil Rights has been notified about the data breach. The data breach is not yet shown on the OCR breach portal, so the scale of the breach is currently unclear.

Barrio Comprehensive Family Health Care Center (CommuniCare)

Barrio Comprehensive Family Health Care Center (CommuniCare), a non-profit clinic in San Antonio, Texas, has identified unauthorized access to an employee’s email account. The email account breach was identified on September 16, 2025, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity. CommuniCare determined that emails in the account had been accessed without authorization, some of which contained patient information.

Following a lengthy review of the affected emails and files, CommuniCare determined on February 19, 2026, that they contained first and last names, in combination with one or more of the following: dates of birth, health insurance account/member/group numbers, clinical information, diagnoses, medical treatment/procedure information, prescription information, provider locations, and patient account numbers.

CommuniCare said it is unaware of any misuse of patient data as a result of the incident, nor does it have any reason to believe that any information in the compromised account will be misused; however, the affected individuals have been advised to remain vigilant against data misuse by monitoring their accounts, explanation of benefits statements, and free credit reports for suspicious activity. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

The post ID Care & CommuniCare Announce Data Breaches appeared first on The HIPAA Journal.

Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine

Centerwell, a provider of senior healthcare services in 30 U.S. states, has experienced a cyberattack and data breach. Lakeside Pediatric & Adolescent Medicine has recently notified individuals affected by an October 2024 data breach.

Centerwell

Centerwell, a Louisville, Kentucky-based provider of healthcare services to seniors, has recently reported a data breach to the Texas Attorney General that involved unauthorized access to patient information.

The scale of the breach is currently unclear, other than that the personal and protected health information of 4,618 Texas residents was compromised in the incident. The breach could be substantially larger, as Centerwell provides senior healthcare services in 30 U.S. states. The Texas Attorney General was informed on March 6, 2026, that the data compromised in the incident includes names, addresses, dates of birth, and medical information. At the time of writing, the affected individuals have not been notified by mail, and no known threat group has publicly claimed responsibility for the incident.

This post will be updated when further information about the incident is released.

Lakeside Pediatric & Adolescent Medicine

Lakeside Pediatric & Adolescent Medicine (Lakeside), a Coeur d’Alene, Idaho-based healthcare provider, has started notifying patients about an October 2024 data security incident. Lakeside identified unauthorized access to its computer systems in late 2024. The forensic investigation confirmed that an unauthorized third party accessed its computer systems on November 1, 2024, and on December 15, 2024, Lakeside confirmed that there had been unauthorized access and potential acquisition of files containing patient information.

On January 1, 2025, Lakeside confirmed in a website breach notice that personal and protected health information had been compromised in the incident, although the data review was ongoing at that time. On or around December 26, 2025, Lakeside confirmed the data types involved, although the website notice has not been updated to state what those data types are.

In a breach notice submitted to the Washington Attorney General, Lakeside confirmed that single-bureau credit monitoring and identity theft protection services are being offered to the affected individuals, and that 1,314 Washington residents were affected. The incident has not yet been listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals in total have been affected.

The post Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine appeared first on The HIPAA Journal.

Texas Governor Instructs State Agencies to Audit Chinese Medical Devices

Texas Governor Greg Abbott has ordered all state agencies and state-owned medical facilities to conduct an audit of patient monitoring devices to ensure that they do not have unresolved vulnerabilities that could be exploited to gain access to Texans’ sensitive health information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) have issued warnings about vulnerabilities in patient monitoring devices manufactured in China. Devices have been found to contain a backdoor that can be used by a remote attacker to gain access to sensitive patient data.

There has been a proliferation of Chinese-manufactured medical devices within the U.S. healthcare system. The concern is that these devices have backdoors that can be exploited by state-sponsored hacking groups to obtain the private medical information of Americans. Governor Abbott wants to make sure that the private medical data of Texans cannot be obtained by China. “I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data,” Governor Abbott said in a letter to the Texas Health and Human Services Commission (HHSC), Texas Department of State Health Services (DSHS), and the Texas Cyber Command (TXCC).

Governor Abbott has directed state agencies to take action to ensure that sensitive medical data is protected. HHSC and DSHS have been asked to review all state-owned medical facilities under their jurisdiction and attest that all new purchases of medical devices were procured in compliance with the November 19, 2024, Executive Order GA-48, which requires the hardening of cybersecurity by the state government.

HHSC, DSHS, and public systems of higher education are required to catalog all state-owned medical devices capable of transmitting data via a network, or that can be accessed remotely, and share that inventory with TXCC. Assisted by TXCC, HHSC, DSHS, and public systems of higher education are required to review their cybersecurity policies related to the protection of personal health information at all state-owned medical facilities under their jurisdiction, and specifically how those policies address FDA- and CISA-issued alerts for internet-connected medical devices.

TXCC has been instructed to review whether Contec CMS8000 and Epsimed MN-120 patient monitors, and any other devices used by HHSC, DSHS, and public systems of higher education, have been the subject of an FDA safety notice, and to ensure that any that have are placed on the prohibited technology list.

TXCC is also required to convene appropriate executives at HHSC, DSHS, and public systems of higher education and make recommendations for addressing emergent cybersecurity risks, monitoring of devices, and mitigation strategies. Governor Abbott has committed to proposing legislation in the next session to better protect Texans’ private medical data from hostile foreign actors, such as China.

The post Texas Governor Instructs State Agencies to Audit Chinese Medical Devices appeared first on The HIPAA Journal.