Author Archives: Steve Alder

California Radiology Provider Announces 13,000-Record Data Breach

Posted by Steve Alder

Data breaches have been reported by Radiology Associates of San Luis Obispo, North Oaks Health System, The Children’s Center of Hamden, Huron Regional Medical Center, and Franklin Dermatology Group.

Pacific Imaging Management (Radiology Associates of San Luis Obispo)

Pacific Imaging Management, doing business as Radiology Associates of San Luis Obispo in California, has identified unauthorized access to certain employee email accounts. Suspicious activity was identified within its email environment on March 13, 2025. An investigation was launched, which revealed that certain email accounts were accessed by an unauthorized third party at various times between February 3, 2025, and March 17, 2025.

The accounts were reviewed and found to contain the protected health information of 13,158 individuals. The types of data involved vary from individual to individual and are detailed in the individual notification letters that started to be mailed on September 10, 2025. Policies and procedures are being reviewed and enhanced, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

North Oaks Health System, Louisiana

North Oaks Health System, one of the largest community hospital organizations in Louisiana, has experienced a breach of its email system, which exposed the protected health information of 6,243 patients.  Suspicious activity was identified in certain employee email accounts on June 4, 2025. The affected accounts were immediately secured, and an investigation was launched to determine the extent of the breach.

The investigation confirmed that certain emails and attachments in the compromised accounts were accessed between May 28, 2025, and June 5, 2025, and some of those emails contained patient information such as names, birth dates, health insurance information, and clinical information related to the services received at North Oaks. A limited number of Social Security numbers were also exposed. North Oaks is enhancing its security protocols, technical safeguards, monitoring, and employee cybersecurity training to prevent similar incidents in the future.

Children’s Center of Hamden, Connecticut

The Children’s Center of Hamden (TCCOH), a nonprofit behavioral health center in Hamden, Connecticut, has recently announced a security incident that was first identified on December 28, 2025. Unusual activity was identified within its computer systems, and third-party digital forensics experts were engaged to investigate. They confirmed unauthorized access to its network, including systems that contained patient information. On June 29, 2025, it was confirmed that files containing patients’ protected health information were accessed or acquired in the attack.

The file review was completed on August 7, 2025, and confirmed that names, dates of birth, Social Security numbers, driver’s license information, passport information, biometric data, and diagnosis and treatment information had been exposed. Notification letters have been mailed to the 5,213 individuals, and steps have been taken to enhance security.

Huron Regional Medical Center, South Dakota

Huron Regional Medical Center in South Dakota identified suspicious activity within its computer network on or around May 31, 2025. An investigation was launched to determine the nature and scope of the suspicious activity, with assistance provided by third-party digital forensics experts. Unauthorized network access was confirmed, and the exposed files were reviewed and found to contain information such as names, addresses, phone numbers, dates of birth, dates of service, cost of services, health insurance information, lab results, medical diagnostic images, prescription information, Medicare/Medicaid numbers, diagnoses, and treatment information.

Huron Regional Medical Center is reviewing its policies, procedures, and data security measures and will make enhancements to better defend against future attacks. Individual notification letters started to be mailed to the affected individuals on September 9, 2025. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Franklin Dermatology Group

Franklin Dermatology Group in Tennessee has recently confirmed that it was affected by the cyberattack and data breach at the collections vendor, Nationwide Recovery Service (NRS). A hacking group had access to the NRS network between July 5, 2024, and July 11, 2024, and copied certain files from its network. Those files contained names, dates of birth, Social Security numbers, health insurance information, financial account information, and/or protected health information.

Franklin Dermatology Group was notified that it had been affected on February 7, 2025, and NRS said it would be issuing notifications to the affected individuals, although Franklin Dermatology Group said NRS reneged on that promise on April 3, 2025. Franklin Dermatology Group issued notifications to the affected individuals in September 2025 and has offered them complimentary single-bureau credit monitoring, credit score, and credit report services for 12 months. The breach was recently reported to the Maine Attorney General as affecting 2,457 individuals. In total, the NRS data breach has affected more than 545,000 individuals.

The post California Radiology Provider Announces 13,000-Record Data Breach appeared first on The HIPAA Journal.

Teamsters Union 25 Health Services & Insurance Plan Hacking Incident Affects 19,000 Members

Posted by Steve Alder

Teamsters Union 25 Health Services & Insurance Plan, a health and wellness benefits plan for members of Teamsters Union Local 25, a trade union representing truck drivers, warehouse workers, clerical workers, and service and technology employees, identified suspicious activity within its computer network on or around August 1, 2025, potentially indicating unauthorized access.

Third-party cybersecurity experts were engaged to investigate the activity and confirmed unauthorized access to the network. Further investigation uncovered evidence that certain data on the network was accessed and potentially copied without authorization. The data related to members of the Teamsters Union 25 Health Services & Insurance Plan and the Teamsters Union 25 Investment Plan.

The review of the affected files was completed on August 18, 2025, and notification letters were mailed to the affected individuals on September 3, 2025. The affected individuals have been offered 12-24 months of complimentary credit monitoring and identity theft protection services, and steps have been taken to enhance security to prevent similar breaches in the future. The data involved varies from individual to individual and may include names, member IDs, Social Security numbers, health information, and health insurance information. The HHS’ Office for Civil Rights was informed that the protected health information of 19,231 individuals was compromised in the incident.

Anthony L. Jordan Health Corporation

Anthony L. Jordan Health Corporation (AJHC) in Rochester, New York, has fallen victim to a phishing attack that involved unauthorized access to the email, OneDrive, and SharePoint accounts of three employees. Suspicious activity was identified in an employee’s email account on June 30, 2025. The account was immediately secured, and an investigation was launched to determine the nature and scope of the incident.

The investigation confirmed that an unauthorized actor had accessed the accounts at various times between April 30, 2025, and July 9, 2025, after the employees responded to phishing emails. The purpose of the unauthorized access appeared to be to fraudulently obtain funds from Jordan Health, rather than to obtain patient data; however, unauthorized access to patient information could not be ruled out.

The affected accounts were reviewed and found to contain patient information such as names, dates of birth, medical record numbers, provider names, dates of service, and health insurance information. In total, 2,974 patients potentially had information compromised in the incident. Jordan Health has provided additional cybersecurity awareness training to the workforce to prevent similar incidents in the future.

Sentara Health

Last week, Sentara Health notified 696 patients about a mailing incident that disclosed a limited amount of patient data. The mailing was sent to patients of a specific Sentara Behavioral Health Specialists provider to advise them of the departure of that provider from Sentara.

An error was made when compiling the list of recipients for the mailing, resulting in the mismatching of patients’ names and addresses. Letters intended for one patient were sent to a different patient, resulting in the disclosure of the patient’s name, location of the practice, and the provider’s name. Sentara Health addressed the matter with the employee in question, according to its internal policies and procedures, and has taken steps to prevent similar incidents in the future, including evaluating additional training opportunities.

The post Teamsters Union 25 Health Services & Insurance Plan Hacking Incident Affects 19,000 Members appeared first on The HIPAA Journal.

R1 RCM & Dignity Health to Pay $675,000 to Settle Data Breach Lawsuit

Posted by Steve Alder

A $675,000 settlement has been agreed upon to resolve a class action data breach lawsuit against R1 RCM Inc., a revenue cycle management company,  and Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus in Henderson, Nevada.

The lawsuit stems from a data breach at R1 RCM, which was detected on November 23, 2023. R1 RCM determined that the hacker had exfiltrated sensitive data such as names, contact information, dates of birth, Social Security numbers, service locations, diagnosis information, patient account numbers, and medical record numbers.  The data breach was reported to the HHS’ Office for Civil Rights as affecting 16,121 individuals.

The lawsuit – Heather Hillbom v. R1 RCM, Inc. and Dignity Health dba Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus – was filed in the U.S. District Court for the District of Nevada on April 5, 2024, and alleged that the defendants were negligent by failing to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. The defendants maintain there was no wrongdoing and that there is no liability; however, the decision was made to settle the lawsuit to avoid the costs and risks associated with continuing with the litigation.

Under the terms of the settlement, class members are entitled to claim two years of three-bureau credit monitoring services and identity theft protection services through CyEx Medical Shield Total.  In addition, all class members may claim a monetary payment, which will be calculated after attorneys’ fees, credit monitoring costs, legal expenses, settlement administration costs, service awards, and claims for out-of-pocket expenses have been deducted from the settlement fund. Claims may also be submitted for reimbursement of documented, unreimbursed, out-of-pocket losses. Up to $500 may be claimed as reimbursement for ordinary out-of-pocket expenses, and up to $2,500 for extraordinary out-of-pocket expenses, such as losses to fraud and identity theft.

The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 14, 2025. The deadline for objecting to and exclusion from the settlement is October 13, 2025, and all claims must be received by November 11, 2025.

The post R1 RCM & Dignity Health to Pay $675,000 to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Adena Health to Pay $17.8 Million to Settle Pixel Lawsuit

Posted by Steve Alder

Adena Health System, a nonprofit health system serving patients in south central and southern Ohio, has agreed to pay $17.8 million to resolve claims that it unlawfully disclosed patient data to third parties via tracking pixels on its MyChart patient portal.

Adena Health is one of many health systems to use tools such as Meta Pixel and Google Analytics code to track users on its website; however, these tools were also implemented on its patient portal, which requires users to log in. Whilst on the website and patient portal, users’ data was collected, which may have included personally identifiable information (PII) and protected health information (PHI). That information was automatically sent to companies such as Meta and Google.

A lawsuit was filed over the disclosures, which were alleged to have occurred without the knowledge or consent of the data subjects. Users of the patient portal could book appointments, research medical conditions, learn about treatment options, and communicate with their providers. The lawsuit alleged that health conditions, preferred treatment options, physicians’ details, and search queries were all collected by the tracking tools and were transmitted to third parties. If a user was logged into their Facebook account at the time, the lawsuit claims the unique Facebook identifier was also transmitted, allowing them to be personally identified. The lawsuit claims the tools were knowingly added to the website and that Adena Health unjustly profited from the disclosures.

The lawsuit alleged negligence, breach of confidence, breach of fiduciary duty, unjust enrichment, invasion of privacy, and a violation of the Electronic Communications Privacy Act, and claimed that there is civil liability for criminal actions – the knowing disclosure of individually identifiable health information to a third party. Adena Health denies wrongdoing and liability and disagrees with the claims and contentions in the lawsuit; however, it agreed to a settlement to bring the litigation to an end to avoid the risks and uncertainties of trial and further litigation costs.

Under the terms of the settlement, the 89,000 class members who visited the patient portal between November 1, 2022, and June 3, 2024, are entitled to claim a cash payment of $21 and a year of credit monitoring and identity theft protection services, valued at $179 per person. The settlement now awaits approval from the court.

The post Adena Health to Pay $17.8 Million to Settle Pixel Lawsuit appeared first on The HIPAA Journal.

Feds Offer $10 Million Reward for Ransomware Administrator Who Attacked U.S. Healthcare Orgs

Posted by Steve Alder

The U.S. Department of Justice has charged a Ukrainian serial ransomware criminal who is alleged to have been the administrator of multiple ransomware operations. Volodymyr Viktorovich Tymoshchuk, through online monikers including deadforz, Boba, msfv, and farnetwork, is alleged to have been the administrator of the LockerGaga, MegaCortex, and Nefilim ransomware operations between December 2018 and October 2021.

Tymoshchuk, along with his accomplices, conducted or played a key role in ransomware attacks on more than 250 victims in the United States between July 2019 and June 2020 using the LockerGaga and MegaCortex ransomware variants, as well as hundreds of victims worldwide. An international law enforcement operation targeting the LockerGoga and MegaCortex ransomware schemes in September 2022 obtained decryption keys, which were made available to victims via the No More Ransom Project. Many potential victims were able to prevent file encryption after receiving prompt notifications from law enforcement that their networks had been compromised.

Under the Nefilim ransomware scheme, Tymoshchuk and his accomplices claimed many more victims in the United States and worldwide between July 2020 and October 2021. Through those attacks, Tymoshchuk caused millions of dollars in losses due to disruption to business operations, damage to computer systems, and ransom payments. As administrator of the ransomware operations, Tymoshchuk recruited and provided access to the infrastructure and encryptor to conduct attacks.

One of the affiliates of the Nefilim ransomware operation was Ukrainian national Artem Stryzhak, who was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025. Stryzhak has been charged with conspiracy to commit fraud and related activity. Stryzhak primarily targeted companies in the United States, Canada, or Australia that had annual revenues of over $100 million, although a Nefilim administrator encouraged him to target larger companies with more than $200 million in annual revenues. The Nefilim administrators allowed Stryzhak to keep 80% of any ransoms he generated, while they would retain 20%. Any victim who refused to pay had their stolen data leaked on the group’s Corporate Leaks websites.

Tymoshchuk has been charged with two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of causing intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information. “Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York. “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”

The U.S. Department of State is offering up to $10 million as a reward for information leading to the location, arrest, or conviction of Tymoshchuk, plus a further $1 million reward for information that leads to convictions of other members of the LockerGaga, MegaCortex, and Nefilim ransomware groups. The rewards are offered under the Transnational Organized Crime (TOC) Rewards Program.

The post Feds Offer $10 Million Reward for Ransomware Administrator Who Attacked U.S. Healthcare Orgs appeared first on The HIPAA Journal.

Editorial: HIPAA Compliance Challenges for Small Medical Practices

Posted by Steve Alder

Healthcare providers, health plans, healthcare clearinghouses, and their business associates are all required to comply with the HIPAA Rules; however, there are unique challenges for small medical practices. Large healthcare organizations have greater resources to devote to compliance, and can attract and pay for dedicated compliance professionals, in-house IT and cybersecurity staff, cutting-edge cybersecurity solutions, and staff training programs.

Small medical practices have limited resources and are forced to make difficult decisions about where to allocate funds due to budget constraints. Investments in the business that boost revenue and profits often take priority over investments to ensure HIPAA compliance and improve cybersecurity. Small practices often cannot afford to have a dedicated HIPAA Privacy and Security Officer, and compliance duties fall on administrative staff, nurses, and physicians, who have many other responsibilities. There may also not be an in-house IT department to oversee security.

Despite financial constraints, HIPAA compliance and cybersecurity are not optional. The HHS’ Office for Civil Rights (OCR) has made it clear that the size of a practice is irrelevant when it comes to HIPAA compliance. While OCR has previously focused its enforcement efforts on larger practices, in recent years, OCR has taken a keen interest in smaller practices and has imposed several penalties for noncompliance. OCR has made it clear with these penalties that small medical practices can no longer fly under the radar.

The probability of noncompliance being discovered is increasing. While hackers and ransomware groups have historically focused their efforts on attacking larger healthcare organizations with deeper pockets, smaller healthcare practices are increasingly being targeted for the simple reason that they are easier to attack, as they have fewer resources to devote to cybersecurity, and healthcare organizations of all sizes are at risk of insider threats, more so than any other sector.

OCR’s figures show a 239% increase in hacking-related data breaches between 2018 and 2023, and a 278% increase in ransomware attacks. OCR investigates all data breaches affecting 500 or more individuals to determine if they were due to noncompliance, as well as many smaller breaches. Complaints about potential HIPAA violations are also being reported to OCR in record numbers, and OCR has rekindled its HIPAA audit program. Noncompliance has never been more likely to be discovered.

HIPAA Compliance Challenges for Small Medical Practices to Overcome

With fewer resources available to devote to HIPAA compliance, achieving and maintaining HIPAA compliance can be a real challenge for small and medium-sized healthcare providers. While small practices are not expected to invest as heavily in cybersecurity as large healthcare providers, they must ensure that they have appropriate measures, relative to their size, to protect against common cybersecurity threats.

Small medical practices must ensure they have written policies and procedures to demonstrate their good faith effort to comply with the HIPAA Rules. HIPAA compliance is not inherently complicated. The HIPAA Rules are publicly available, and OCR has created many resources to help small practices achieve and maintain compliance, yet there are several areas where smaller practices have compliance programs that fall short of requirements.

Document All HIPAA Compliance Efforts

A lack of documentation to prove HIPAA compliance is all too common. As far as OCR is concerned, if it hasn’t been documented, it didn’t happen. If a complaint or data breach is investigated, the first thing OCR will request is documentation to demonstrate HIPAA compliance in the area under investigation. That may be policies and procedures for responding to patients who exercise their rights under HIPAA, HIPAA and security awareness training records, incident response plans, and patient notifications, or evidence that a risk analysis has been conducted and risks have been reduced to a reasonable and appropriate level. Many financial penalties have resulted from the failure to document the practice’s good-faith effort to comply with the HIPAA Rules. Maintaining accurate documentation is a fundamental requirement of HIPAA.

Conduct Regular Risk Analyses

The most commonly identified HIPAA violation is the failure to conduct an accurate and comprehensive risk analysis. Under OCR’s current enforcement initiative, proof that a risk analysis has been conducted will need to be provided in the event of a data breach investigation. Risk analyses are ongoing requirements that should be conducted annually, and following any material change to policies and procedures, or when new technology is introduced.

The “comprehensive” requirement means that there is a prerequisite to the risk analysis. An accurate and up-to-date inventory of all devices and locations where PHI is stored, maintained, transmitted, or accessed is required, on which the risk analysis can be based. Take advantage of the HHS Security Risk Assessment tool, which has been developed specifically to help small and medium-sized healthcare providers by walking them through the risk analysis process. You must also ensure that everything is documented so you can demonstrate that an accurate and comprehensive risk analysis has been conducted. Naturally, any identified risks and vulnerabilities must be mitigated in a timely manner.

Reduce the Risk of Human Error with Regular Training

Staff training often gets neglected. It can be difficult with a small workforce to take workers away from their work duties and provide regular training on HIPAA policies and procedures, as well as security awareness training. Training should be provided at hire, and refresher training provided annually. Take advantage of training vendors and third-party courses if you lack the internal resources to develop your own training courses.

Training should teach employees about their responsibilities with respect to the privacy and security of PHI, patient rights under HIPAA, social media use, and the correct handling of PHI in all forms. Ensure you provide regular security awareness training covering common threats such as phishing, social engineering, malware, and educate the workforce on security best practices. To develop a culture of compliance, staff members must be given proper education, and through regular training, you will be able to prevent many accidental HIPAA violations. Bear in mind that patients have become a lot more knowledgeable about HIPAA and their rights, and complaints about potential HIPAA violations are being reported in record numbers.

Maintain Business Associate Agreements with All Vendors

With limited resources, small medical practices will naturally need to outsource some functions to third-party service providers such as IT companies, managed services providers, cloud providers, software providers, revenue cycle management companies, and more. A small practice may rely on two dozen or more vendors, and each one that requires contact with PHI must sign a business associate agreement (BAA) before being provided with access to PHI.

The BBA should make clear what the vendor’s responsibilities are under HIPAA, the safeguards that are required to protect PHI, and the requirement to obtain a BAA before using any subcontractor that requires access to PHI. The BAA should stipulate responsibilities and timeframes for reporting security incidents. There are many free templates available on which small practices can base their business associate agreements.

Business associates should be vetted to ensure their security is up to scratch, which can be time-consuming for small practices. Time can be saved by choosing vendors who can provide evidence of their security practices and who attest that their products or services are HIPAA compliant.

Implement Strong Access Controls

Small medical practices are likely to be targeted with phishing, social engineering, and brute force attempts to guess credentials. To counter these threats, practices need to have strong access controls. Each member of the workforce must have unique credentials, password complexity requirements should be set and enforced in line with current NIST recommendations, and multi-factor authentication should be implemented to add an additional layer of security, especially for any Internet accessible account or system.

Maintain and Review Security Event Logs and PHI Access

Even with the best security, cybercriminals may exploit human weaknesses or find a way to access your network. Data encryption at rest and in transit is strongly recommended, and a requirement of HIPAA unless an alternative safeguard is implemented that provides an equivalent level of protection. Regular backups must be performed of all critical data, backups checked to make sure data recovery is possible, and backups should be stored securely off-site. Small practices have been forced to permanently close due to the inability to recover data following a ransomware attack.

HIPAA requires detailed audit logs to be created, maintained, and reviewed to identify access, use, copying, and modification of ePHI. The logs should be continuously monitored, which, for small practices with limited resources, naturally requires automation. Consider partnering with a managed service provider (MSP) or managed security service provider (MSSP) and leveraging their expertise and monitoring capabilities. Without an automated system for monitoring ePHI access logs, including AI-aided detection of anomalous activity, privacy violations can continue for years.

Develop and Test an Incident Response and Business Continuity Plan

Small practices must prepare for the worst and assume that there will be a breach or HIPAA violation. An incident response plan must be developed that includes procedures to follow in the event of a cyberattack or event that damages information systems containing ePHI, or involves potential unauthorized access or disclosures.

The plan must include each individual’s responsibilities, the procedures that must be followed, processes for mitigating damage, and vendors that can assist, such as digital forensics experts and cybersecurity professionals. The plan must be tested to ensure that it is effective and that everyone is aware of their responsibilities. The incident response plan should also include policies and procedures for issuing notifications to the HHS, affected individuals, and the media. Small practices have been fined for breach response failures.

Prioritize Cybersecurity Spending to Get the Biggest Bang for Each Buck

Budgetary constraints at small medical practices mean difficult decisions must be made about cybersecurity, so each security product purchased must have a significant impact on reducing risk. Leverage affordable tools to ensure that email is secured, encrypt data at rest and in transit as far as is possible, and take advantage of HIPAA-compliant service providers rather than trying to build your own security from scratch. Enlist the services of an MSP or MSSP to assist with Security Rule compliance and benefit from their expertise; just make sure the vendor’s responsibilities are clearly stated in the BAA and service level agreement.

Small practices may have to make compromises as their resources may not stretch to cutting-edge security in every area. To get the biggest bang for each buck, the HHS Cybersecurity Performance Goals are a good place to start. They include proven cybersecurity measures that will have the biggest impact on improving your security posture.

Keep Up to Date with Regulatory Changes

Major changes to the HIPAA Rules are relatively infrequent, but there are pending Privacy Rule and Security Rule updates, and minor changes are more frequent. It is the responsibility of small medical practices to keep up to date with regulatory changes, as a lack of knowledge is not a valid excuse for noncompliance. Keeping abreast of any proposed HIPAA changes will give small practice owners plenty of time to make the necessary updates to their policies, procedures, and data privacy and security practices. Regularly check the HHS.gov website for proposed updates and new guidance, and sign up for The HIPAA Journal newsletter to get updates sent directly to your inbox.

HIPAA Compliance is a Continuous Process

HIPAA compliance is a continuous process, not a one-time effort at checking all the compliance boxes, and that naturally requires an investment in time and resources. To ensure compliance is maintained, consider conducting annual HIPAA audits and documentation checks, and regularly review privacy and security policies to ensure that they continue to be effective. Investing time and resources into developing your compliance program will be money well spent.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: HIPAA Compliance Challenges for Small Medical Practices appeared first on The HIPAA Journal.

HHS Releases Updated Security Risk Assessment Tool

Posted by Steve Alder

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP) have announced the release of an updated version of the Security Risk Assessment (SRA) Tool.

The SRA tool was developed to help small to medium-sized healthcare providers comply with the security risk assessment provision of the HIPAA Security Rule, one of the foundational requirements of the Security Rule. A HIPAA risk assessment failure is the most commonly identified HIPAA Security Rule violation, and OCR currently has an active enforcement initiative targeting noncompliance. Through its investigations of complaints, data breaches, and compliance audits, OCR commonly discovers that HIPAA-regulated entities have either failed to conduct a risk assessment or that risk assessments are inaccurate or incomplete. For instance, a risk assessment is conducted based on an incomplete or out-of-date asset inventory.

The enforcement initiative was announced by OCR in October 2024 when the first penalty was imposed on Bryan County Ambulance Authority in Oklahoma. Since then, OCR has imposed 10 financial penalties for risk analysis failures, making it the most common reason for security-related HIPAA civil monetary penalties and settlements.

The SRA tool is an invaluable tool for small and medium-sized healthcare providers, as it guides them through the process of conducting a risk assessment. The latest release, version 3.6, includes several updates to improve usability. A new assessment confirmation button has been added with a reviewed-by date for each section, allowing users to confirm that a section has been reviewed and approved, which will be saved for audit records.

The risk scale has been updated to align with NIST scoring, with the score of “medium” changed to “moderate”. Updated library files will be installed when the new version is installed, mitigating vulnerabilities that may exist in outdated versions. The reports have been updated with new content, including section-specific approval/reviewed-by details and additional information entered by users. There have also been improvements to questions, responses, and education to make the SRA Tool more relevant to the evolving cybersecurity environment and to improve ease of use.

OCR and ASTP are hosting two live webinars this month on the SRA Tool. Experts will provide an introduction to the SRA tool, demonstrate the new features and enhanced reports, and will be available to answer questions about the tool and new features. The webinars will be held on September 15, 2025, at 12 p.m. ET, and on September 16, 2025, at 3 p.m. ET. You can register for the webinar on this link.

The post HHS Releases Updated Security Risk Assessment Tool appeared first on The HIPAA Journal.

HHS Agrees to Settlement Requiring the Restoration of Deleted Health Data and Websites

Posted by Steve Alder

The Trump administration has agreed to settle a lawsuit filed by the Washington State Medical Association (WSMA) and eight other plaintiffs that sought to stop and reverse the deletion of important public health and science data from federal websites. Under the terms of the settlement, the Department of Health and Human Services is required to restore more than 100 datasets and webpages that were deleted since January 2025.

On January 20, 2025, President Trump signed several executive orders, two of which concerned gender identity and diversity, equity, and inclusion (DEI) – Executive Order 14168: Ending Radical and Wasteful Government DEI Programs and Preferencing & Executive Order 14151: Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government. Over the course of several months, the Trump administration directed federal agencies such as the Centers for Disease Control and Prevention (CDC), National Institutes of Health (NIH), and Food and Drug Administration (FDA) to delete public health information that had previously been published on those agencies’ websites.

The deleted content included public health information relating to LGBTQ health, gender and reproductive health, vaccine guidance, Mpox treatment, pregnancy risk, opioid use disorder, HIV/AIDS research, and the NIH HIV Risk reduction tool, data from clinical trials, and more.

A lawsuit was filed in federal court to stop the deletion of data from taxpayer-funded websites, restore the deleted content, and establish legal protection to prevent future efforts to suppress public health information. The lawsuit was filed by the WSMA, Washington State Nurses Association, Washington Chapter of the American Academy of Pediatrics, AcademyHealth, Association of Nurses in AIDS Care, Fast-Track Cities Institute, International Association of Providers of AIDS Care, National LGBT Cancer Network, and Vermont Medical Society.

The defendants were Robert F. Kennedy Jr., Department of Health and Human Services (HHS), Matthew Buzzelli, CDC, Jay Bhattacharya, NIH, Martin A. Makary, FDC, Thomas J. Engels, Health Resources and Services Administration, Charles Ezell, and the Office of Personnel Management.

The lawsuit – Washington State Medical Association et al. v. Kennedy et al.– alleged that the deleted data was critical to public health research and combatting morbidity and mortality, and the removal of health-related data in response to the executive orders violated the Administrative Procedure Act, the separation of powers principle, the Paperwork Reduction Act, the Public Health Service Act, and the Prematurity Research Expansion and Education for Mothers Who Deliver Infants Early Act.

“The unannounced and unprecedented deletion of these federal webpages and datasets came as a shock to the medical and scientific communities, which had come to rely on them to monitor and respond to disease outbreaks, assist physicians and other clinicians in daily care, and inform the public about a wide range of healthcare issues,” wrote the plaintiffs in the lawsuit. “Health professionals, nonprofit organizations, and state and local authorities used the websites and datasets daily to care for their patients, provide resources to their communities, and promote public health.”

The lawsuit alleged that thousands of databases have been deleted, depriving the medical community and the public of accessing critical resources. The defendants have restored some of the deleted datasets and webpages, in some instances in response to court orders, but the restoration has been inconsistent and scattershot. The plaintiffs claimed that the defendants made “arbitrary, capricious and unreasoned” decisions to delete critical resources that, under American law, are required to be made available to the American people.

“Access to trustworthy information allows us to solve real problems, improve health outcomes, and plan for the future. If we don’t stand up for data now, we risk losing the tools we rely on to make progress, regardless of politics,” said Dr. Aaron Carroll, president and CEO of AcademyHealth.

On September 2, 2025, the WSMA announced that it was thrilled that a settlement had been reached, which requires the HHS to restore webpages and data that were wrongfully deleted, and make them available again to physicians, scientists, medical professionals, and the American public.” Under the terms of the settlement, the HHS is required to restore the deleted websites, webpages, and datasets that were taken down this year and have not already been restored, as detailed in Appendix A of the complaint.

“I am extremely proud of the health care community in Washington state and our partners in this case for pushing back on this egregious example of government overreach,” said John Bramhall, MD, PhD, president of the WSMA. “This was not a partisan issue – open data benefits everyone, and ensuring its availability should be a bipartisan priority.”

The post HHS Agrees to Settlement Requiring the Restoration of Deleted Health Data and Websites appeared first on The HIPAA Journal.

Data Breaches Announced by US HealthConnect & Altos Inc.

Posted by Steve Alder

The medical education provider US HealthConnect and the California billing services vendor Altos Inc have recently announced cyberattacks and data breaches.

US HealthConnect

US HealthConnect, a provider of continuing medical education and promotional education to healthcare providers, has recently announced a cybersecurity incident that was identified on January 25, 2025. Suspicious activity was identified within its computer network, and third-party cybersecurity specialists were engaged to investigate to determine the nature and scope of the activity.

The investigation confirmed that an unauthorized third party had access to its network and may have obtained certain information from the affected systems, including names and Social Security numbers. After validating the results and obtaining up-to-date contact information, notification letters started to be issued on September 4, 2025.

US HealthConnect has enhanced its existing policies and procedures and implemented additional administrative and technical safeguards to protect against similar incidents in the future, and the affected individuals have been offered up to 24 months of complimentary credit monitoring and identity theft protection services.  The data breach has been reported to regulators, although it is currently unclear how many individuals have been affected.

Altos Inc.

Altos Inc., a provider of medical billing, medical transcription & medical management services to healthcare providers in southern California, has discovered that an internal system containing patients’ protected health information has been accidentally exposed to the Internet.

The security error was identified on June 17, 2025. The exposed system was immediately secured, and an investigation was launched to determine how the error occurred and the information that had been exposed. On July 21, 2025, Altos determined that the exposed system contained the protected health information of 6,414 individuals, including names, addresses, dates of birth, Social Security numbers, and health information.

In addition to securing the exposed system and implementing procedures to reduce the risk of similar incidents in the future, additional security reviews have been conducted, and steps are being taken to improve its overall security posture. While there have been no reports of misuse of patient data in connection with the incident, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The post Data Breaches Announced by US HealthConnect & Altos Inc. appeared first on The HIPAA Journal.