Author Archives: Steve Alder

Rockhill Women’s Care & Harbor Regional Center Announced Data Breaches

Data breaches have recently been announced by the OB/GYN practice Rockhill Women’s Care and Harbor Regional Center, a California provider of services to individuals with developmental disabilities.

Rockhill Women’s Care

Rockhill Women’s Care, an OB/GYN practice with locations in Overland Park, Kansas, and Lee's Summit, Missouri, has experienced a significant data breach involving unauthorized access to the electronic protected health information of up to 70,129 patients.

While it is unclear from the notification letters exactly when its network was first compromised, the intrusion was detected on February 26, 2025. Third-party cybersecurity experts were engaged to investigate the intrusion, and law enforcement was notified. The investigation confirmed that patient information had been exposed and may have been exfiltrated. The review of the affected data to determine the exact types of data involved and the individuals affected was completed on August 13, 2025.

The types of data involved vary from individual to individual and include names in combination with one or more of the following: address, date of birth, Social Security number, medical treatment information, and/or health insurance information. After verifying the results and contact information, individual notification letters started to be mailed to the affected individuals on or around September 30, 2025. At the time of issuing notification letters, Rockhill Women’s Care was unaware of any misuse of the exposed data. Rockhill Women’s Care said patient privacy is taken very seriously, and steps have been taken to enhance its security measures to prevent similar incidents from occurring in the future.

Harbor Regional Center

Harbor Regional Center, a nonprofit organization that works with the California Department of Developmental Services to provide services to more than 20,000 adults and children with developmental disabilities in the South Bay, Harbor, Long Beach, and the southeast areas of Los Angeles County, has recently announced a security incident involving unauthorized access to an employee’s email account.

The email account breach was identified on September 2, 2025, and an investigation was launched to determine the nature and scope of the activity. On September 29, 2025, it was determined that a limited amount of protected health information was exposed and may have been obtained by an unauthorized third party.

The types of data involved vary from individual to individual and may include names in combination with one or more of the following: address, date of birth, Social Security number, medical record number, patient ID or account number, Medicare/Medicaid number, health insurance information, medical diagnosis and treatment information, medical history, prescription information, medical lab or test result, treatment location, treatment date, and provider name.

Harbor Regional Center has not identified any misuse of the exposed information; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Harbor Regional Center said it has implemented additional security measures and is reviewing its data policies and procedures. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Rockhill Women’s Care & Harbor Regional Center Announced Data Breaches appeared first on The HIPAA Journal.

VITAS Hospice Services Discovers Month-Long Network Intrusion

VITAS Hospice Services, LLC, the largest for-profit hospice chain in the United States, has notified the California and Texas attorneys general about a data security incident that exposed sensitive patient data. An unauthorized individual compromised an account used by one of its vendors, and through that account was able to access certain Vitas systems.

The security breach was identified on October 24, 2025, and the forensic investigation determined that there was unauthorized access to its systems for more than a month between September 21, 2025, and October 27, 2025. During that time, the unauthorized third party was able to view and download the personal information of current and former Vitas patients.

Vitas has been working with a third-party cybersecurity firm to investigate the cause of the breach and has taken steps to strengthen vendor oversight and improve its data protection protocols. At the time of issuing notifications to the affected individuals, Vitas was unaware of any misuse of the exposed data; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.

Data compromised in the incident varies from individual to individual and may include names in combination with some or all of the following: address, phone number, date of birth, Social Security number, driver’s license number, next of kin contact information including name, phone number and email address, diagnosis, medications, lab results, conditions, treatment information, health insurance information, and other personal information.

It is currently unclear exactly how many individuals have been affected, as neither the California nor Texas attorneys general publish figures for the total size of the data breach. The Texas Attorney General was told that 5,633 individuals in the state were affected by the breach. The HIPAA Journal has not found any further attorney general notifications at the time of writing, but the breach could be more expansive, as the company has locations in 15 U.S. states.

Trinity Health; Precision Imaging Centers Settle Class Action Data Breach Lawsuits

Trinity Health in Michigan and Precision Imaging Centers in Florida have agreed to settle class action lawsuits that alleged negligence and violations of state laws in relation to breaches of patients’ electronic protected health information.

Trinity Health Settles Litigation Stemming from Accellion FTA Data Breach

The Livonia, Michigan-based Catholic health system Trinity Health Corporation and co-defendants Valley Surgical Specialists Medical Group, Inc., Daniel Evan Swartz, MD, and Rame Deme Iberdemaj have agreed to settle class action litigation stemming from a 2021 data breach involving the Accellion FTA secure file transfer platform.

On or around January 29, 2021, Accellion notified Trinity Health that hackers had gained access to the Accellion FTA by exploiting a zero-day vulnerability. Trinity Health used the Accellion FTA for sending secure email, and determined that the files on the Accellion FTA had likely been downloaded by an unauthorized third party. The files contained names, addresses, email addresses, dates of birth, medical record numbers, lab results, medications, claims information, Social Security numbers, and credit card information. Notification letters were sent to 18,153 California residents, who were offered one year of complimentary credit monitoring, identity theft protection, and fraud resolution services.

A class action lawsuit – Jane Doe v. Trinity Health Corporation – was filed on May 20, 2021, in the Fresno County Superior Court over the data breach, seeking damages, restitution, and injunctive relief. The lawsuit alleged that Trinity Health had failed to adequately secure patient data by failing to encrypt the data on the Accellion FTA. The lawsuit asserted claims of violations of the California Confidentiality of Medical Information Act, California Security Notification Laws, and claimed the defendants had engaged in unlawful and unfair business acts and practices, in violation of Cal. Bus. & Prof. Code §§ 17200 et seq.

Trinity Health and the other defendants deny any wrongdoing; however, they chose to settle the lawsuit rather than incur additional costs continuing with the litigation and face the uncertainty of trial and any related appeals. Class counsel and the class representative believe the settlement is fair and is in the best interests of the class members.

Trinity Health has agreed to establish a $450,000 settlement fund to pay attorneys’ fees (maximum $150,000), attorneys’ expenses (maximum $25,000), service awards (maximum $5,000), and settlement administration costs. The remainder of the fund will be used to pay benefits to the class members. Class members may submit a claim for reimbursement of documented out-of-pocket expenses due to the data breach and can claim a one-off cash payment.

Claims for reimbursement of losses are capped at $1,000 per class member, and the cash payments are anticipated to be $231 if 5% of class members submit a claim, $115 if 10% of class members submit a claim, and $11 if all class members submit a claim. The deadline for filing a claim is January 19, 2026, and the final fairness hearing has been scheduled for April 29, 2026. Individuals wishing to object to or opt out of the settlement have until December 19, 2025, to do so.

Precision Imaging Centers to Pay Up to $200,000 to Settle Data Breach Litigation

Precision Imaging Centers, a Jacksonville, Florida-based provider of MRI, PET, CT, ultrasound, and X-ray imaging services, has agreed to settle class action litigation stemming from a cybersecurity incident that was identified on November 2, 2022. Hackers breached its network and gained access to files containing the personally identifiable information (PII) and protected health information (PHI) of current and former patients, including names, dates of birth, contact information, Social Security numbers, driver’s license numbers, diagnoses, and other medical and health information. Individual notification letters were mailed to the affected individuals on or around June 27, 2023, and the breach was reported to the Maine Attorney General as affecting 31,010 individuals.

The first class action lawsuit in response to the data breach was filed by plaintiff Lauren Boyle, which was followed by complaints by five other individuals: Philipp Groebe, Natalie Luttrell, Bijoy Shroff, Cheryl Wearing, and Paige Demaio. The lawsuits asserted overlapping claims and were consolidated in a single complaint, In Re Precision Imaging Centers Data Breach Litigation, in the Circuit Court for the Fourth Judicial Circuit in and for Duval County, Florida.

The consolidated lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and violation of the Florida Deceptive and Unfair Trade Practices Act, all of which were denied by the defendant, who maintains there was no wrongdoing or liability. The plaintiffs believe all claims are legitimate and that the data breach could have and should have been prevented had reasonable and appropriate cybersecurity measures been implemented.

Precision Imaging Centers sought to have the complaint dismissed; however, the court denied the motion with prejudice, and the plaintiffs voluntarily dropped the Florida Deceptive and Unfair Trade Practices Act claim. On April 17, 2025, all parties attended mediation, and an agreement in principle was reached to settle the litigation with no admission of wrongdoing. The terms of the settlement have now been finalized and given preliminary approval by the court.

Under the terms of the settlement, Precision Imaging Centers has agreed to pay up to $200,000 to settle the litigation. Class members may submit a claim for reimbursement of documented out-of-pocket ordinary expenses and attested lost time (up to 4 hours at $20 per hour) up to a maximum of $500 per class member. Class members may also submit a claim for reimbursement of extraordinary losses, including up to 8 hours of lost time at $20 per hour, capped at $5,000 per class member.

Class members who submit a valid claim are also entitled to receive two years of credit monitoring services. The settlement has been capped at $200,000, and if that total is reached, claims will be paid pro rata. Precision Imaging Centers has also agreed to implement a range of cybersecurity measures to address the causes of the cyberattack, which will be maintained for at least three years. Further, any patient who has not received services from the company for five years or more will have their Social Security numbers purged from its systems or encrypted.

The final fairness hearing has been scheduled for January 8, 2026, and the deadline for submitting a claim is January 31, 2026. Individuals who wish to object to the settlement or exclude themselves have until January 1, 2026, to do so.

AccuCare Home Health Services Pays $20,000 Fine for Employing Excluded Individual

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has agreed to a $20,000 settlement with AccuCare Home Health Services to resolve allegations that the home healthcare provider employed an individual on the HHS-OIG exclusions list and billed services provided by that individual to federally funded healthcare programs.

AccuCare Home Health Services is a Mesa, Arizona-based provider of home health care services, specializing in skilled nursing, physical therapy, occupational therapy, speech therapy, and medical social services. According to HHS-OIG, AccuCare Home Health Services was discovered to have employed a home healthcare aide who was not permitted to participate in any federally funded healthcare program, and billed products or services provided by that individual to federal health care programs. The alleged violation was settled with a $20,000 financial penalty.

Healthcare organizations must ensure that a check is conducted of the HHS-OIG List of Excluded Individuals and Entities (LEIE) prior to onboarding a new employee. Regular checks must also be conducted on all employees, since individuals may be added to the LEIE after their employment commences. The HHS’ Office for Civil Rights imposes relatively few financial penalties for HIPAA violations; however, when it comes to HHS-OIG compliance, there is a much greater risk of a financial penalty if violations are identified. HHS-OIG regularly imposes significant financial penalties for claiming for items and services provided by excluded individuals and companies, submitting false claims, and violations of the Stark Law and the Anti-Kickback Statute. In addition to a financial penalty, there is a risk of being added to the HHS-OIG exclusion list, which prohibits an individual or company from participating in federally funded health care programs.
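Screening a roster against the LEIE is a matching problem, and a sloppy match (a mistyped NPI, a name with an accent, a reinstated entry treated as current) is how an excluded individual slips through. The Python script below is an added example, not code from The HIPAA Journal or from HHS-OIG: it screens a constructed workforce roster and vendor list against a constructed extract laid out like the LEIE download file. The column names (LASTNAME, FIRSTNAME, MIDNAME, BUSNAME, NPI, DOB, EXCLTYPE, EXCLDATE, REINDATE), the 0000000000/00000000 placeholders for missing NPIs and dates, and the treatment of a populated REINDATE as a reinstatement are assumptions about that file and should be verified against the current download; all people, entities and identifiers are fictitious.

```python
"""Screen a workforce roster and vendor list against an LEIE-format CSV.

Added example (not HHS-OIG or HIPAA Journal code). Column layout and the
0000000000 / 00000000 "missing" placeholders are assumptions about the public
LEIE download file; every row, person and identifier below is constructed.
"""
import csv
import io
import re
import unicodedata
from dataclasses import dataclass

# Constructed extract in the assumed LEIE layout (fictitious people/entities).
SAMPLE_LEIE = """LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,NPI,DOB,EXCLTYPE,EXCLDATE,REINDATE
DOE,JANE,A,,1234567893,19800101,1128b4,20150601,00000000
SMITH,JOHN,,,0000000000,19751115,1128a1,20200301,20240301
,,,ACME HOME CARE LLC,0000000000,00000000,1128b7,20210101,00000000
"""

# Constructed roster: E103 carries an NPI with a bad check digit (a typo).
SAMPLE_ROSTER = [
    {"id": "E100", "first": "Jane", "last": "Doe", "dob": "1980-01-01", "npi": "1234567893"},
    {"id": "E101", "first": "John", "last": "Smith", "dob": "1975-11-15", "npi": ""},
    {"id": "E102", "first": "José", "last": "Doe", "dob": "1980-01-01", "npi": ""},
    {"id": "E103", "first": "Jane", "last": "Doe", "dob": "1991-05-05", "npi": "1234567890"},
]
SAMPLE_VENDORS = [{"id": "V1", "name": "Acme Home Care, LLC"}]


def norm_name(text: str) -> str:
    """Uppercase, strip accents and punctuation so 'José' and 'JOSE' compare equal."""
    stripped = "".join(c for c in unicodedata.normalize("NFKD", text)
                       if not unicodedata.combining(c))
    return re.sub(r"[^A-Z0-9]", "", stripped.upper())


def luhn_check_digit(digits: str) -> int:
    """Luhn check digit for a digit string (rightmost digit is doubled first)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def valid_npi(npi: str) -> bool:
    """NPI = 9 digits + Luhn check digit computed over the '80840' card prefix."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    return luhn_check_digit("80840" + npi[:9]) == int(npi[9])


def load_leie(csv_text: str) -> list[dict]:
    """Parse the CSV and normalise the fields used for matching."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "last": norm_name(r["LASTNAME"]), "first": norm_name(r["FIRSTNAME"]),
            "bus": norm_name(r["BUSNAME"]), "npi": r["NPI"].strip(), "dob": r["DOB"].strip(),
            "excl_type": r["EXCLTYPE"], "excl_date": r["EXCLDATE"],
            # Assumption: a populated REINDATE means the exclusion has ended.
            "active": r["REINDATE"].strip() in ("", "00000000"),
        })
    return rows


@dataclass(frozen=True)
class Match:
    subject_id: str
    basis: str      # "npi", "name+dob" or "business"
    excl_type: str
    excl_date: str
    active: bool    # False when the LEIE row carries a reinstatement date


def screen(roster, vendors, leie):
    """Return (matches, warnings). NPI beats name+DOB; a bad NPI is reported, not trusted."""
    by_npi = {r["npi"]: r for r in leie if r["npi"] and r["npi"] != "0000000000"}
    by_person = {(r["last"], r["first"], r["dob"]): r for r in leie if r["last"]}
    by_bus = {r["bus"]: r for r in leie if r["bus"]}
    matches, warnings = [], []

    def record(subject_id, basis, row):
        matches.append(Match(subject_id, basis, row["excl_type"], row["excl_date"], row["active"]))

    for p in roster:
        npi = p["npi"].strip()
        if npi:
            if not valid_npi(npi):
                warnings.append(f"{p['id']}: NPI {npi} fails the check-digit test; screened by name/DOB only")
            elif npi in by_npi:
                record(p["id"], "npi", by_npi[npi])
                continue
        key = (norm_name(p["last"]), norm_name(p["first"]), p["dob"].replace("-", ""))
        if key in by_person:
            record(p["id"], "name+dob", by_person[key])
    for v in vendors:
        row = by_bus.get(norm_name(v["name"]))
        if row:
            record(v["id"], "business", row)
    return matches, warnings


def run_sample():
    return screen(SAMPLE_ROSTER, SAMPLE_VENDORS, load_leie(SAMPLE_LEIE))
```

On the constructed data, E100 is matched on NPI, E101 is matched on name and date of birth but flagged as a reinstated exclusion, V1 is matched as a business, and E103's mistyped NPI is reported as a warning rather than silently failing to match. A name-and-DOB hit is only a candidate until verified against the individual's other identifiers, a roster without dates of birth or NPIs produces false negatives, and the screen has to be re-run whenever a new LEIE file is published, not only at onboarding.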

On November 12, 2025, HHS-OIG announced that William Mangan, DO (Dr. Mangan) of Okemos, Michigan, had agreed to be excluded from participating in federally funded healthcare programs for a period of 10 years in connection with False Claims Act violations. Dr. Mangan was investigated by HHS-OIG in connection with allegations that he ordered genetic tests, durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) that were not reasonable or medically necessary and submitted claims to federally funded health care programs. Dr. Mangan claimed that he had evaluated patients and falsely certified that the ordered products were medically necessary when he failed to perform an adequate review.

Individuals can face severe penalties for knowingly causing products or services to be billed to federally funded healthcare programs when they are on the HHS-OIG exclusion list. Erik X. Alonso, 55, of Miami, Florida, had been convicted of conspiracy to commit health care fraud in 2015 for offenses in the Southern District of Florida. As a result of the conviction, Alonso was placed on the exclusion list and was fully aware that he was prohibited from participating in work that was billed to federally funded healthcare programs. In March 2022, Alonso started working for a telehealth mental health provider in New Hampshire and provided services to patients in the state that he knew would be billed to Medicaid. Alonso caused New Hampshire Medicaid to pay approximately $173,998.83 based on false and fraudulent claims. The healthcare fraud was discovered, and Alonso entered a guilty plea to one count of healthcare fraud and is awaiting sentencing. He now faces up to 10 years in jail.

Bill Introduced to Repeal Proposed OSHA Heat Standard for Indoor and Outdoor Workplaces

Rep. Mark Messmer (R-IN) has introduced a bill that seeks to repeal a proposed rule issued under the Biden administration to protect Americans against heat injury and illness in both indoor and outdoor work settings. Rep. Messmer introduced the Heat Workforce Standards Act of 2025 on November 20, 2025, to repeal the Occupational Safety and Health Administration’s (OSHA) Heat Injury and Illness Prevention in Outdoor and Indoor Work Settings proposed rule. The bill is co-sponsored by 23 Republican representatives from 16 U.S. states and is supported by more than two dozen industry organizations.

OSHA’s proposed standard applies to most employers in the general industry, construction, maritime, and agriculture sectors where OSHA has jurisdiction, and requires them to implement a plan to evaluate and control heat hazards in the workplace and protect their workers from hazardous heat. Rep. Messmer claims that OSHA’s proposed rule would impose impracticable and unnecessary requirements on residential construction employers, noncompliance with which would attract excessive financial penalties.

Rep. Messmer said the sweeping and unworkable heat standards were fast-tracked by the Biden administration, and these heavy-handed regulations are likely to crush innovation, increase costs, and undermine productivity. The proposed rule would require almost all American businesses and institutions to follow rigid, one-size-fits-all, federal workplace standards based on predetermined temperature thresholds, regardless of industry, climate, or existing safety protocols.

“The Biden Heat Rule was never about safety, but was rather, unsurprisingly, focused upon expanding federal bureaucratic control over hard-working Americans,” said Rep. Messmer in a press release announcing the bill. “My Heat Workforce Standards Act empowers employers to maintain safe and realistic workplace standard parameters which allow for both their workers and the business to thrive.”

Rep. Messmer maintains that if OSHA’s proposed rule is implemented, there would be redundant and egregious regulatory requirements in all 50 states, with little variance considered for industry-specific outdoor and indoor heat variables and differences in climate. Employers who already have heat injury prevention measures in place would not be recognized, and the rule would remove state governments’ ability to create targeted heat rules specific to their climate and local industries.

“Needless to say, California, Florida, and Michigan are miles apart when it comes to heat, and heat hazards in construction are very different from the hazards in manufacturing or agriculture. That is why any standard intended to prevent and reduce heat-related injuries must be flexible and keep workers safe in ways that best address their unique environments and challenges,” Tim Walberg, House Education and Workforce Committee Chairman, said. “The Biden-Harris proposed heat rule does not have that much-needed flexibility, which is why this bill is a necessary step in protecting workers and preventing federal overreach so we can help workers earn a living and get home safe.”

Threat Actors Time Attacks to Coincide with Periods of Reduced Vigilance

Thanksgiving weekend is just a few days away, and while many healthcare employees will be enjoying time off work, it will be a particularly busy time for cybercriminals. Many hacking and ransomware attacks occur over Thanksgiving weekend when staffing levels are lower, and fewer eyes are monitoring for indicators of compromise.

The high level of ransomware attacks during holiday periods has recently been confirmed by the cybersecurity firm Semperis, which reports that in the United States, 56% of ransomware attacks occur on a weekend or holiday, and 47% of ransomware attacks on healthcare organizations occur during these times when staffing levels are reduced.

“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long-lasting business disruptions,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor.

The Semperis 2025 Ransomware Holiday Risk Report is based on an analysis of responses to a detailed global ransomware survey of 1,500 IT and security professionals conducted in the first half of the year by Censuswide. The survey suggests that ransomware groups research their targets and time their attacks to coincide with material corporate events such as mergers, acquisitions, IPOs, and layoffs, and exploit the organizational disruption and reduced security focus during these events. “Organizations are under intense pressure to sustain operations while transforming their form and protocols during an IPO or merger, and cannot afford downtime, making them more likely to pay quickly to restore operations,” said Inglis. “During these times, it is critical to remain vigilant and situationally aware that bad actors may be lurking, looking to plant ransomware.”

In healthcare, 96% of organizations maintain a security operations center, with 80% managing it in-house and 20% outsourcing it to a third-party vendor. During weekends and holiday periods, 73% of healthcare organizations reduce their SOC staffing levels by 50% or more, and 5% eliminate SOC staffing entirely on weekends and holidays. The main reasons given for reducing or eliminating staffing were to improve work/life balance (63%), that the organization is closed during holidays and weekends (43%), and that an attack was not expected during those periods (36%).

Smaller organizations were the most likely to cut or eliminate SOC staffing levels on weekends and during holiday periods because they thought they would be unlikely to be attacked. While reducing staffing levels to give employees weekends and holidays off is all well and good, there is no time off for hackers. If internal staffing levels are to be reduced, there must be adequate monitoring, staff on call, or a third-party vendor providing cover.

There has been a marked increase in organizations bringing their SOC in-house, up 28 percentage points from last year. This has coincided with a 30 percentage point increase in organizations cutting holiday and weekend SOC staffing to below 50% in order to maintain a better work/life balance. The reasons for the shift to in-house SOCs were not explored in the study, but there could be several factors at play.

“Being able to see what’s happening might enable organizations to pivot and adapt faster based on changing operations, business needs, and regulatory reporting requirements,” Courtney Guss, Semperis Director of Crisis Management, said. “The ROI of outsourcing also seems to be shifting as AI begins to handle some Tier 1 work, leaving the more complex work for SOC analysts.”

The survey also probed respondents on their identity infrastructure and the methods used for protection. The majority (90%) scan for vulnerabilities, although only 38% have vulnerability remediation procedures, and only 63% automate recovery. Concerningly, 10% of respondents said they do not have an identity threat detection and response strategy.

“One of the most effective ways to defend against ransomware attacks is by tightening identity systems, most commonly Active Directory, Entra ID, and Okta,” former Australian Prime Minister Malcolm Turnbull said. “These are the digital keys that determine who can access what within an organization. In nearly every major ransomware incident, weak or compromised credentials have been the initial entry point. Strengthening identity systems is therefore not just good practice but a critical line of defense.”
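The practical consequence of the Semperis staffing figures above, taken together with the point about identity systems being the usual entry point, is that alert routing should depend on the staffing window an event lands in: an identity-sensitive event that would be queued for the day shift on a Tuesday morning needs to page someone on Thanksgiving afternoon. The Python below is an added example, not code from The HIPAA Journal or Semperis. It parses a handful of constructed authentication events, works out whether each falls on a weekend, a holiday (using a minimal constructed calendar that derives Thanksgiving as the fourth Thursday of November) or outside business hours in the organization's local time, and pages on-call for identity-sensitive events in those windows while letting a known scheduled job through. The event format, user names, hosts, the fixed UTC-5 local offset, the business-hours range and the list of sensitive event types are all assumptions.

```python
"""Route identity-sensitive events by the staffing window they land in.

Added example (not HIPAA Journal or Semperis code). Log lines, users, hosts,
the local UTC offset, business hours and the holiday calendar are constructed.
"""
import shlex
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Assumption: local clock fixed at UTC-5. Real deployments should use
# zoneinfo.ZoneInfo("America/New_York") or similar so DST is handled.
LOCAL_TZ = timezone(timedelta(hours=-5))
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local is the fully staffed window

# Event types where a compromised credential is the most likely explanation.
SENSITIVE = {"privileged_logon", "account_created", "mfa_disabled", "group_membership_change"}

# Known scheduled activity: (user, event) -> (expected source host, allowed local hours).
EXPECTED_SCHEDULE = {
    ("svc-backup", "privileged_logon"): ("10.0.5.23", {22, 23, 0, 1, 2, 3}),
}

# Constructed events: ISO-8601 UTC timestamp followed by key=value fields.
SAMPLE_LOG = """\
2025-11-25T15:40:00Z user=jdoe event=privileged_logon src=10.0.1.7
2025-11-26T14:00:00Z user=mrivera event=interactive_logon src=10.0.3.3
2025-11-27T03:12:00Z user=svc-backup event=privileged_logon src=10.0.5.23
2025-11-27T03:30:00Z user=svc-backup event=privileged_logon src=10.0.9.99
2025-11-27T18:00:00Z user=jdoe event=privileged_logon src=203.0.113.8
2025-11-29T22:05:00Z user=admin-tmp event=account_created group="Domain Admins"
2025-11-30T09:30:00Z user=jdoe event=mfa_disabled
"""


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Date of the n-th given weekday (Mon=0) in a month, e.g. 4th Thursday of November."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))


def holidays(year: int) -> set:
    """Minimal constructed calendar; load the organization's real calendar in practice."""
    thanksgiving = nth_weekday(year, 11, 3, 4)
    return {date(year, 1, 1), date(year, 7, 4), date(year, 12, 25),
            thanksgiving, thanksgiving + timedelta(days=1)}


def staffing_window(ts_utc: datetime) -> str:
    """Classify a UTC timestamp by the local-time window it falls in."""
    local = ts_utc.astimezone(LOCAL_TZ)
    if local.date() in holidays(local.year):
        return "holiday"
    if local.weekday() >= 5:
        return "weekend"
    if local.hour not in BUSINESS_HOURS:
        return "after_hours"
    return "business_hours"


def parse_event(line: str) -> dict:
    """'<timestamp> k=v k="v v" ...' -> dict with a timezone-aware 'ts'."""
    ts_text, *fields = shlex.split(line)
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ev


@dataclass(frozen=True)
class Decision:
    user: str
    event: str
    window: str
    action: str    # "log", "queue_soc" or "page_oncall"
    reason: str


def triage(ev: dict) -> Decision:
    window = staffing_window(ev["ts"])
    if ev["event"] not in SENSITIVE:
        return Decision(ev["user"], ev["event"], window, "log", "not identity-sensitive")
    expected = EXPECTED_SCHEDULE.get((ev["user"], ev["event"]))
    if expected:
        src_ok = ev.get("src") == expected[0]
        hour_ok = ev["ts"].astimezone(LOCAL_TZ).hour in expected[1]
        if src_ok and hour_ok:
            return Decision(ev["user"], ev["event"], window, "queue_soc", "matches scheduled job profile")
    if window == "business_hours":
        return Decision(ev["user"], ev["event"], window, "queue_soc", "staffed window")
    return Decision(ev["user"], ev["event"], window, "page_oncall", f"sensitive event during {window}")


def run_sample() -> list:
    return [triage(parse_event(line)) for line in SAMPLE_LOG.splitlines() if line.strip()]
```

On the constructed log the backup service account's nightly privileged logon from its usual host is queued rather than paged, the same account logging on from an unknown host at the same hour pages on-call, and the privileged logon on Thanksgiving afternoon, the new Domain Admins account on Saturday evening and the MFA change early Sunday all page. The schedule allowlist is what keeps this from drowning on-call in routine maintenance noise; without it, every nightly job looks like an attacker working the holiday.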

Goshen Health & Hancock Health Settle Pixel Data Breach Lawsuits

Goshen Health System and Hancock Health in Indiana have agreed to settle class action lawsuits that alleged patients’ protected health information was disclosed to unauthorized third parties via website tracking technologies.

Goshen Health Hospital Data Breach Settlement

On May 23, 2023, a class action lawsuit – Kaitlin Lamarr v. Goshen Health System, Inc. d/b/a Goshen Health Hospital – was filed in the Elkhart County Superior Court, Indiana, against Goshen Health System, doing business as Goshen Health Hospital, over the use of tracking technologies on its website. The lawsuit alleged that these tools, which included Meta Pixel, disclosed patients’ personally identifiable information to Meta and other unauthorized third parties without patients’ knowledge or permission.

The lawsuit asserted claims of negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Indiana Deceptive Consumer Sales Act and the Indiana Wiretapping Act. Goshen Health Hospital denies any wrongdoing, disagrees with the claims and contentions in the lawsuit, and believes that it would have prevailed at summary judgment and/or trial; however, after considering the uncertainty, risks, and expense of proceeding with the litigation, it was more desirable and beneficial to settle the litigation. The plaintiff and class counsel believe that the settlement negotiated with the defendant is reasonable and fair and is in the best interests of the class.

The class consists of individuals who logged into the Goshen Health patient portal between January 1, 2020, and December 31, 2023. Under the terms of the settlement, class members are entitled to submit a claim for a one-off cash payment of $25, and will automatically receive a code to enroll in a Privacy Shield Pro product, which includes dark web watchlist, VPN in touch, password scan, private search functionality, password defense, digital vault, and data broker opt-out services.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 16, 2025. The deadline for submitting a claim is November 29, 2025.

Hancock Regional Hospital Data Breach Settlement

A similar lawsuit – Jennifer Fleece v. Board of Trustees of Hancock Regional Hospital – was filed against Hancock Regional Hospital in the Marion County Superior Court, Indiana, over the use of tracking technologies on its website, which were alleged to have impermissibly disclosed patients’ protected health information to Meta and other third parties without patients’ knowledge or consent.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Indiana Deceptive Consumer Sales Act. Hancock Regional Hospital maintains that there was no wrongdoing and disputes that it committed, or threatened or attempted to commit, any wrongful act, omission, or violation of law or duty alleged in the lawsuit, and while believing it had a good defense against all of the asserted claims, determined that a settlement was the best course of action. The plaintiff and class counsel believe the settlement is fair.

The settlement class consists of individuals who logged into the patient portal between January 1, 2020, and December 31, 2023. Claims may be submitted for a one-off $25 cash payment, and class members who submit a claim will receive a code to enroll in a Privacy Shield Pro product, which includes dark web watchlist, VPN in touch, password scan, private search functionality, password defense, digital vault, and data broker opt-out services. The final fairness hearing has been scheduled for December 18, 2025, and claims must be submitted by December 1, 2025.

Delta Dental of Virginia Data Breach Affects 146,000 Individuals

Delta Dental of Virginia has notified almost 146,000 members about a security incident that may have exposed their protected health information, and Saint Mary’s Home of Erie in Pennsylvania is investigating a network security incident that exposed residents’ sensitive information.

Delta Dental of Virginia

Delta Dental of Virginia, the largest dental benefits carrier in the Commonwealth of Virginia, has notified 145,918 individuals about an April 2025 security incident that exposed some of their personal and protected health information.

Suspicious activity was identified within an employee’s email account on April 23, 2025. Independent cybersecurity experts were engaged to investigate the activity, and unauthorized access to the email account was confirmed. The account was first accessed by an unauthorized third party on March 21, 2025, and access remained possible until the account was secured on April 23, 2025. During that time, certain emails and attachments within the account may have been viewed or acquired.

The account was reviewed, and notification letters started to be mailed to the affected individuals on November 21, 2025. The information potentially stolen included first and last names, Social Security numbers, state or federal government ID numbers, driver’s license numbers, financial information, and protected health information such as medical and health insurance information.

Delta Dental of Virginia has implemented additional safeguards to improve email security, and further security awareness training has been provided to the workforce. Individuals whose Social Security numbers or driver’s license numbers were potentially compromised have been offered complimentary credit monitoring, dark web monitoring, and identity theft protection services for 12 months. Those services include a $1 million identity theft and fraud reimbursement insurance policy. Several law firms have announced that they have opened investigations into potential class action litigation over the data breach.

Saint Mary’s Home of Erie

Saint Mary’s Home of Erie (SMHE), a non-profit continuing care retirement community in Erie, Pennsylvania, has recently announced a data security incident that was identified on August 27, 2025, prior to SMHE being acquired by the Lake Erie College of Osteopathic Medicine (LECOM).

The forensic investigation confirmed that an unauthorized third party had access to its network from August 26, 2025, to August 28, 2025. Immediate action was taken to secure its network to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the incident. The investigation determined that files and folders on its network may have been accessible to unauthorized individuals. The review of those files is ongoing, and the exact types of data involved and the number of affected individuals have yet to be confirmed.

In the interim, the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of at least 501 individuals. The total will be updated when the review is concluded, and notification letters will be mailed to the affected individuals.

The post Delta Dental of Virginia Data Breach Affects 146,000 Individuals appeared first on The HIPAA Journal.

HSCC Updates Model Contract Language Framework for HDOs & MDMs

The Health Sector Coordinating Council (HSCC) has published updated Model Contract Language for MedTech Cybersecurity to help healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) address the challenge of ensuring the cybersecurity of medical devices.

Medical devices can introduce cybersecurity risks that must be managed and reduced to a reasonable and appropriate level to comply with the HIPAA Security Rule. The devices must also meet the safety and effectiveness requirements of the Food and Drug Administration (FDA), which include cybersecurity for the entire life cycle of the devices.

The cybersecurity of medical devices is a shared responsibility between the HDO and the MDM; however, historically, cybersecurity accountability has been inconsistently reconciled in the purchase contract negotiation process due to factors such as uneven MDM capabilities and investment in cybersecurity controls, and varying cybersecurity expectations among HDOs.

If there are ambiguities in cybersecurity responsibilities due to the contract language – or a failure to clearly state in contracts the responsibilities of each party with respect to cybersecurity – it is likely to result in downstream disputes, insufficient security, and potential patient safety issues.

“In today’s partnership between HDOs and MDMs, cybersecurity requirements are often unclear, resulting in a lack of understanding and prioritization of cybersecurity best practices. For HDOs and MDMs alike, this leads to an investment in security controls that are not always aligned between stakeholders,” explained HSCC.

The HSCC Cybersecurity Working Group (CWG) formed the Model Contract Language Task Group in 2020 to help address these issues. The Working Group consists of 50 representatives from HDOs, MDMs, group purchasing organizations, and security and compliance specialists. After two years of deliberations, the Task Group published the first version of the Model Contract Language in 2022, which serves as a neutral framework for the contractual cybersecurity relationships between HDOs and MDMs.

The aim of the Model Contract Language is to help HDOs protect themselves and their patients from cybersecurity threats by establishing and maintaining appropriate security contract terms and commitments from MDMs concerning their products, services, and solutions. Version 1 has been downloaded more than 1,500 times from the HSCC CWG website since its publication.

In the 18 months after publication, users submitted almost 100 comments to HSCC. The Task Group reconvened last year to review the feedback and has now incorporated many of the recommendations in Version 2, which it is hoped will simplify the contracting process, making it more predictable and less costly and time-consuming.

The main improvements made in Version 2 are revisions and expansions to align with the changed regulatory environment; updates to reflect increasing security maturity and better alignment with expectations between stakeholders; resolution of unclear separation in areas where terms describe shared responsibilities; and simplification of the language to improve clarity and structure to help speed up contract negotiations.

HSCC says the Model Contract Language can be used as a standalone agreement with an MDM, or as an addendum to a Business Associate Agreement (BAA), Master Service Agreement (MSA), or Request for Proposal (RFP). The document can serve as a template that can be tailored to meet the specific compliance needs of each HDO.
