Author Archives: Steve Alder

Cardiovascular Consultants Pays $3.85M to Settle Data Breach Litigation

Posted by Steve Alder

Cardiovascular Consultants in Arizona has settled a class action lawsuit stemming from a 2023 data breach involving the protected health information of 484,000 individuals. The data breach was detected on September 29, 2023, and the forensic investigation determined that a hacker had gained access to its network two days previously. Files containing patient information were exfiltrated before ransomware was used to encrypt files.

The compromised files contained patient and guarantor information, including names, mailing addresses, birth dates, emergency contact information, Social Security numbers, driver’s license numbers, state ID numbers, insurance policy and guarantor information, diagnosis and treatment information, and other information from medical or billing records. Notification letters were mailed on December 2, 2023.

A class action complaint was filed in December 2023 by plaintiffs Michele Stroup and Georgios Asimakopoulos, and additional plaintiffs later joined the litigation as class representatives. The defendant denied all claims in the lawsuit and sought to have the lawsuit dismissed. That attempt was only partially successful, with a judge granting and denying the motion to dismiss in part. An amended complaint – Stroup, et al. v. Cardiovascular Consultants Ltd. – was filed, which is pending in the Superior Court of the State of Arizona, County of Maricopa.

The lawsuit alleged that the defendant failed to implement reasonable security protections to safeguard its information systems and databases, and that the handling of the data breach was deficient, with notifications unreasonably delayed. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, violation of the Arizona Consumer Fraud Act, and invasion of privacy, all of which were denied by the defendant.

Following mediation, a settlement was agreed that was acceptable to all parties, allowing them to avoid further litigation costs and the uncertainty of a trial. Under the terms of the settlement, Cardiovascular Consultants has agreed to establish a $3,850,000 settlement fund to cover all costs associated with the litigation, including attorneys’ fees and expenses, notice and administration costs, and service awards for the class representatives.

The remainder of the settlement fund will be used to pay benefits to the class members. Class members may claim two years of medical monitoring plus one or two cash payments – a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member and/or a pro rata cash payment, which is estimated to be $75 per class member, but may be higher or lower depending on the number of valid claims received.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 18, 2026. Individuals wishing to object to the settlement or exclude themselves must do so by June 1, 2026. The deadline for submitting a claim is July 1, 2026.

The post Cardiovascular Consultants Pays $3.85M to Settle Data Breach Litigation appeared first on The HIPAA Journal.

Iowa AG Sues Change Healthcare Over 2024 Ransomware Attack

Posted by Steve Alder

Iowa Attorney General Brenna Bird has filed a lawsuit against Change Healthcare, UnitedHealth Group, and Optum over the February 2024 ransomware attack that resulted in the theft of the electronic protected health information of 192.7 million Americans, including 2.2 million Iowans.

AG Bird accuses the defendants of making false representations about their cybersecurity practices and systems before and after the cyberattack. AG Bird claims the defendants played down the seriousness of the incident in the February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC), which stated that a suspected nation state actor had gained access to some of its information systems and that the affected systems had been isolated.

AG Bird said what was described as a relatively benign isolation of systems was in fact the largest healthcare data breach in U.S. history, and one of the largest data breaches of any kind in the United States. “The breach and subsequent shutdown of services, without warning and without adequate backup and redundancies, was so great that it sent the entire U.S. healthcare system into a virtual meltdown,” AG Bird stated in the lawsuit.

Cybercriminals have long targeted U.S. healthcare organizations, and given the high volume of attacks, the defendants should have known that they would be a huge target for cybercriminals, given the volume of sensitive data that flowed through Change Healthcare’s systems and the impact a ransomware attack would have. Despite this, AG Bird alleged that the measures implemented were insufficient and did not match the standards claimed by the defendants. AG Bird alleged that the Change Healthcare cyberattack and data breach “occurred because Change’s systems were insecure, outdated, and lacked appropriate segmentation and redundancies—in violation of Change’s advertised practices, company policies, federal privacy requirements, and basic standards of enterprise information security.”

According to the lawsuit, following a Congressional inquiry into the incident, and over the course of many months, “it became clear that defendants materially misrepresented the quality and characteristics of their cybersecurity systems to Iowans and to Iowa healthcare providers, in violation of Iowa law.” In addition to failing to adequately secure its systems and sensitive data, AG Bird took issue with the time taken to notify the affected individuals, some of whom only learned that their data had been compromised 20 months after their data was stolen.

The lawsuit asserts claims of violations of the Iowa Consumer Fraud Act, Iowa Code, and the Personal Information Security Breach Protection Act. The lawsuit seeks civil monetary penalties of $40,000 per violation of Iowa Code § 714.16(7), civil penalties of $5,000 for each violation of the Iowa Consumer Fraud Act, for all moneys or property acquired in violation of the Iowa Consumer Fraud Act to be disgorged to the Attorney General, and awards of damages on behalf of all persons injured due to the violations of the Iowa Personal Information Security Breach Protection Act. Further, the lawsuit seeks to enjoin the defendants from continuing to commit further unlawful practices pursuant to Iowa Code.

The post Iowa AG Sues Change Healthcare Over 2024 Ransomware Attack appeared first on The HIPAA Journal.

Eye Physicians of Central Florida Data Breach Settlement

Posted by Steve Alder

Eye Physicians of Central Florida has agreed to settle a class action lawsuit stemming from a 2023 data breach that affected more than 31,000 patients. Eye Physicians of Central Florida identified suspicious activity within its computer network on November 5, 2023, and confirmed access by an unauthorized third party. The data breach affected 31,189 patients, according to the breach notice submitted to the HHS’ Office for Civil Rights (OCR).

The hackers gained access to systems containing names, addresses, dates of birth, medical diagnosis and treatment information, provider names, patient ID numbers, procedure codes, dates of service, treatment cost information, financial account information, state ID, health insurance information, and/or prescription information.

A class action lawsuit – Connell v. Eye Physicians of Central Florida, P.L.C. – was filed in the Circuit Court for Orange County, Florida, by plaintiff Alisa Connell individually and on behalf of similarly situated individuals who had data exposed in the incident. Eye Physicians of Central Florida sought to have the lawsuit dismissed, and was partially successful, although the lawsuit was allowed to proceed, and the plaintiff filed an amended complaint asserting claims for negligence and breach of fiduciary duty.

The lawsuit was actively litigated for 18 months, then all parties engaged in private mediation, resulting in a settlement that was agreeable to all parties. Eye Physicians of Central Florida maintains there was no wrongdoing, believes there is no liability, and denies and continues to deny all claims and allegations in the lawsuit.

The settlement provides multiple benefits for the class members. Class members are entitled to claim two years of credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy. In addition, a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach and attested lost time of up to three hours at $25 per hour. Claims for reimbursement of losses are capped at $2,000 per class member for ordinary losses and $7,500 for extraordinary losses. There is no alternative cash payment.

The post Eye Physicians of Central Florida Data Breach Settlement appeared first on The HIPAA Journal.

Nacogdoches Memorial Hospital Data Breach More Than 257,000 Individuals

Posted by Steve Alder

Nacogdoches Memorial Hospital (NMH), a 226-bed hospital in Nacogdoches, Texas, has recently announced a data security incident that was first identified on January 31, 2026. A hacker gained access to its computer network and information systems and potentially obtained files containing the personal and protected health information of up to 257,073 individuals, according to the notification sent to the Maine Attorney General.

While the data security incident was detected on January 31, 2026, the forensic investigation determined that the hacker first gained access to its network two weeks previously, on January 15, 2026. NMH explained in its notification letters that it has not detected any misuse of the impacted data and that there are no indications that there will be any data misuse.

While NMH said the hacker may have accessed or acquired patient information, with two weeks inside its network, patients should assume that their data has been compromised and should consider taking steps to prevent data misuse, such as implementing a fraud alert or security freeze with one of the three credit reporting bureaus, Equifax, TransUnion, or Experian. The notice to the Maine Attorney General states that complimentary credit monitoring and identity theft protection services are not being offered.

NMH’s investigation determined that the impacted data includes names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, medical record numbers, account numbers, health plan beneficiary numbers, and, for certain individuals, full face photograph images. In response to the cybersecurity incident, NMH has strengthened the security of its information systems and computer network to reduce the risk of similar incidents in the future and is enhancing its cyber preparedness through additional training and updates to its policies and procedures. Law enforcement has been informed, and NMH will assist with any law enforcement investigation. Notification letters were mailed to the affected individuals on March 31, 2026. As of April 1, 2026, no threat group appears to have claimed responsibility for the incident.

The post Nacogdoches Memorial Hospital Data Breach More Than 257,000 Individuals appeared first on The HIPAA Journal.

Free HIPAA Compliance Risk Check for Covered Entities

Posted by Steve Alder

HIPAA compliance is mandatory for organizations that qualify as HIPAA covered entities. But how compliant is your organization really?

Free Online HIPAA Compliance AssessmentWith our 2-minute free HIPAA Compliance Risk Check, you can quickly evaluate the compliance status of your organization and receive a report with actionable insights to immediately improve compliance with HIPAA.

Please note that in order for the report to accurately reflect your organization’s compliance status, you need to be aware of your organization’s current compliance activities when you take our free HIPAA risk check.

Please also note that this check is designed to be used by organizations that are HIPAA covered entities. It is not suitable for solo practitioners or HIPAA Business Associates.

Why Take The HIPAA Compliance Risk Check?

Being aware of your compliance obligations and those of your business partners can be vital because, in the event of a HIPAA violation, ignorance of the HIPAA requirements is not an acceptable defense against enforcement action. This free assessment is:

  • Quick and Convenient: In just two or three minutes, answer a series of targeted questions designed to gauge your organization’s compliance with the latest HIPAA regulations.
  • Instant Results: Receive a compliance score immediately after completing the assessment, giving you a quick snapshot of where your organization stands.
  • 100% Private: Your name and your organization name do not appear on the report and it is only sent to the email address you designate and not copied or stored on any server.

What Does Your Risk Report Include?

  • Your HIPAA Compliance Risk Score: Understand how well your organization adheres to HIPAA standards.
  • Analysis of Compliance Risk Score: Identify specific areas where your organization may be falling short.
  • Tailored Recommendations: Get expert advice on what steps to take to improve your compliance score.

How It Works

  1. Start the Risk Check: Click on this link to get started.
  2. Assessment Steps: You will be taken through a series of multiple choice questions to answer covering a range of HIPAA compliance requirements.
  3. Choose One Answer: Select the answer which best reflects the current situation within the organization.
  4. Receive Your Score: After completing the assessment, you’ll immediately see your HIPAA compliance risk score on screen.
  5. Take Action: Use the insights provided in your report to take actionable steps towards improving your client score.

Your name and your organization name do not appear on the report and you decide what you wish to do with the information. Your email address and your answers to the risk check are not copied or stored on any server, so you can be sure they will remain 100% confidential.

The post Free HIPAA Compliance Risk Check for Covered Entities appeared first on The HIPAA Journal.

DoL OIG to Audit OSHA to Assess Agency’s Efforts to Prevent Workplace Violence

Posted by Steve Alder

The Department of Labor Office of Inspector General will be conducting a federal audit to determine how well the Occupational Safety and Health Administration (OSHA) is addressing the growing problem of workplace violence.

Workplace violence is a significant occupational safety concern, especially in the healthcare industry, where healthcare employees are regularly subjected to physical assaults, verbal threats, and other attacks. According to the U.S. Bureau of Labor Statistics, healthcare workers are five times as likely to suffer nonfatal workplace injuries as professionals in other sectors, and across all sectors, acts of violence and related injuries are the third leading cause of fatal occupational injuries in the United States.

Data from 2022 shows that out of the 5,486 fatal injuries that occurred in the workplace, 849 involved intentional injury caused by another person. A Medscape survey published earlier this year found that almost 70% of physicians believe that physical security at work is a more pressing issue than it was three years ago, and a 2024 poll of members of the American College of Emergency Physicians (ACEP) found that 91% said they had experienced workplace violence or were aware of a college who was a victim of workplace violence in the past year. According to the World Health Organization, up to 38% of healthcare workers experience physical violence at some point in their careers, and the problem is getting worse.

A report produced by the Department of Labor’s Office of Inspector General in 2001 found that OSHA could do more to address workplace violence and recommended a reassessment of its training and outreach programs, and better recordkeeping systems for incidents involving workplace violence. The OIG audit, due to take place this year, will evaluate the steps that OSHA has taken to address workplace violence since that report was published, and how effectively OSHA is working to prevent violence in workplaces. OSHA has yet to implement a standard for workplace violence, although a potential standard on workplace violence for healthcare and social assistance is one of its long-term actions.

The post DoL OIG to Audit OSHA to Assess Agency’s Efforts to Prevent Workplace Violence appeared first on The HIPAA Journal.

Data Breach Reported by Orthopedic Implant Manufacturer TriMed

Posted by Steve Alder

TriMed, a Santa Clarita, California-based manufacturer of upper and lower orthopedic implants, has announced a data security incident involving unauthorized access to parts of its network where order forms and invoices were stored. While in the most part the exposed data only contained information related to the company’s hardware and the individuals who received it, in some cases, the documentation included personal information.

TriMed identified suspicious activity without certain systems in September 2025, prompting an investigation to determine the nature and scope of the activity. The forensic investigation determined that an unauthorized third party had access to parts of its environment between September 13, 2025, and September 21, 2025, during which time, files were potentially accessed and acquired by the unauthorized third party.

TriMed manufactures hardware that is surgically implanted to repair or replace damaged joints. A programmatic and manual review of the exposed files confirmed that they contained information related to that hardware, which would have been ordered on a patient’s behalf, including part type, associated installation components such as screws, or the ordering surgeon’s name. While the affected documents do not typically include personal information, in certain cases, the documents contained names, dates of birth, and medical record numbers. The exposed documents did not contain Social Security numbers or financial information such as bank account or credit/debit card numbers.

TriMed has taken steps to augment security to prevent similar incidents in the future, including strengthening its existing security controls and threat detection practices. Further, TriMed has integrated a global security operations center and will continue to update its security measures, as appropriate, in the future. TriMed reported the incident to law enforcement, but there was no request to delay notifications to the affected individuals. The notification letters were sent as soon as possible once the affected individuals and data categories were identified. While Social Security numbers were not involved, credit monitoring and identity theft protection services have been offered for 24 months, according to the notification letter sent to the Maine Attorney General.

The Maine Attorney General was informed that two Maine residents were affected, but the data breach listing does not state how many individuals were affected in total, and the incident has yet to be added to the HHS’ Office for Civil Rights website. No known threat group appears to have claimed responsibility for the attack.

The post Data Breach Reported by Orthopedic Implant Manufacturer TriMed appeared first on The HIPAA Journal.

Data Breaches Announced by Corewell Health & Rocky Mountain Care

Posted by Steve Alder

Rocky Mountain Care in Utah has announced a January 2026 data breach, and Corewell Health in Michigan has confirmed that more than 19,000 patients have been affected by a data breach at business associate Pinnacle Holdings.

Corewell Health, Michigan

Corewell Health, a non-profit Michigan health system, has recently confirmed that the protected health information of more than 19,000 of its patients has been exposed in a data breach at one of its business associates, Colorado-based Pinnacle Holdings, LTD. Pinnacle Holdings, a provider of consulting services, experienced a network disruption on November 25, 2024, that affected some of its IT systems, including systems containing the protected health information of patients of its clients.

Pinnacle Holdings said immediate action was taken to secure its systems; however, the detailed data review has taken many months to complete due to the complexity of the impacted data. The company has now confirmed that patient names, phone numbers, birth dates, Social Security numbers, driver’s license numbers, health insurance information, prescription information, and dates of service were compromised. The affected Corewell Health patients have been offered complimentary credit monitoring and identity theft protection services, and Pinnacle Holdings has implemented additional safeguards to prevent similar incidents in the future.

The data breach at Pinnacle Holdings affected several of the company’s clients, including the Chicago-based Catholic health system, CommonSpirit Health, as previously reported by The HIPAA Journal. It is currently unclear how many clients were affected in total or the number of individuals whose data was compromised in the incident.

Rocky Mountain Care, Utah

Rocky Mountain Care, a Woods Cross, Utah-based provider of skilled nursing care and home health services to seniors in Utah and Wyoming, has announced a January 2026 cybersecurity incident that involved unauthorized access to parts of its network that contained patient information. The forensic investigation determined that a hacker gained access to files on its network between January 30, 2026, and February 2, 2026. The review of the impacted data is ongoing, so the full impact of the incident has yet to be determined. Rocky Mountain Care said notification letters will be mailed to the affected individuals when the review is concluded

While further details about the attack have not been disclosed, a threat actor has claimed responsibility for the incident. The Qilin threat group added Rocky Mountain Care to its dark web data leak site on February 23, 2026, and issued a ransom demand along with a threat to publish the stolen data if the ransom was not paid. Samples of data allegedly stolen in the attack were also added to the listing. Qilin claimed to have exfiltrated 33 GB of data in the attack and later published the stolen data, indicating the ransom was not paid.

The post Data Breaches Announced by Corewell Health & Rocky Mountain Care appeared first on The HIPAA Journal.

Woodfords Family Services Notifies Patients Affected by April 2024 Ransomware Attack

Posted by Steve Alder

Westbrook, Maine-based Woodfords Family Services, a provider of services to individuals with special needs and their families, has notified the Maine Attorney General about a breach of the personal and protected health information of 8,073 individuals in a ransomware attack, including 7,701 Maine residents.

Suspicious network activity was identified on April 8, 2024. The investigation confirmed that its network had been accessed by the Medusa ransomware group. Immediate action was taken to investigate the incident and ensure the security of its systems, and the forensic investigation ended on May 30, 2024. A preliminary breach notice was issued on June 3, 2024, and a media notice was issued on June 7, 2024, to alert individuals potentially affected by the incident. Some notification letters were mailed to individuals in March 2025, although some people have only recently received notification letters.

While the incident was initially investigated internally, Woodfoods Family Services determined that it was unable to identify the full scope of the incident and engaged data mining specialists on September 25, 2024, to confirm the individuals affected and the types of data involved. The initial data mining process took until October 3, 2025, to complete, then the data had to be reviewed internally. The internal review was completed on January 29, 2026, mailing addresses for the affected individuals were verified, and the last of the notification letters were mailed to the affected individuals on March 27, 2026.

Data compromised in the incident included names, Social Security numbers, driver’s license numbers, financial account information, health insurance information, and diagnosis and treatment information. The affected individuals have been offered a complimentary 12-month membership to credit monitoring and identity theft protection services.

The data breach was reported to the HHS’ Office for Civil Rights in June 2024 using a placeholder figure of at least 500 affected individuals. The total has yet to be updated, although OCR has delayed adding new breach reports to its portal. This is not the first ransomware attack to be experienced by Woodfoods Family Services. An attack on June 19, 2023, involved unauthorized access to the personal information of 17,285 individuals, including the protected health information of 6,691 individuals.

The post Woodfords Family Services Notifies Patients Affected by April 2024 Ransomware Attack appeared first on The HIPAA Journal.