Author Archives: Steve Alder

Alphabet’s Verily Sued by Former Executive Over Alleged HIPAA Breaches

Posted by Steve Alder

A lawsuit has been filed against Alphabet-owned Verily by a former employee who alleges that the personally identifiable health information of more than 25,000 patients was misused, and the company failed to report the HIPAA breaches, as required by the Health Insurance Portability and Accountability Act (HIPAA).

Verily, formerly Google Life Sciences, is a research organization owned by Google’s parent company, Alphabet. The Verily platform drives AI-powered precision health solutions that help pharmaceutical firms bring new therapies to market sooner and health systems and payers improve patient outcomes at a lower cost. The lawsuit alleges that an internal investigation confirmed HIPAA breaches involving HIPAA-protected data obtained from 14 HIPAA-regulated entities. The lawsuit claims patient data was used without authorization, in violation of the HIPAA Privacy Rule. Further, while the investigation uncovered misuses of patient data, Verily failed to disclose the breach, delaying notifications while contract renewals were negotiated with the affected covered entities, in violation of the HIPAA Breach Notification Rule.

The lawsuit was filed last year; however, it failed to be reported by the media until it was spotted by CNBC, which reported on the lawsuit last week. The lawsuit was filed by Ryan Sloan, a former chief commercial officer at Verily Onduo, Verily’s diabetes and hypertension business. The lawsuit is currently pending in the United States District Court for the Northern District of California in San Francisco, having survived a motion to dismiss or resolve the lawsuit through arbitration.

Sloan was hired by Verily in 2020 and was employed until he was terminated in January 2023. Sloan claims that he and Julia Feldman, general counsel at Onduo, discovered the HIPAA violations in January 2022 and reported them to senior management. Sloan claims that patient data was used for research, marketing campaigns, press releases, and national conferences, which are not uses permitted by the HIPAA Privacy Rule unless consent is obtained from patients.

Sloan claims that he and Feldman repeatedly raised the matter with senior management, and an internal investigation confirmed that there had been several HIPAA breaches of business associate agreements between Verily and HIPAA-covered entities, including Quest Diagnostics, Highmark Health, Walgreens Boots Alliance, and others. Despite the discovery of HIPAA breaches, Sloan alleges no notifications were issued.

He claims that during a contact negotiation between Verily and Highmark Health in August 2022, Verily misrepresented that it was fully compliant with the HIPAA Rules at all times, when the company knew that HIPAA violations had occurred, including with Highmark Health data. The lawsuit claims that Feldman was terminated later that month, along with another individual who was aware of the HIPAA breaches. Sloan was terminated in January 2023, which he claims was in response to repeatedly raising concerns about the HIPAA violations and the alleged cover-up of the HIPAA breaches.

There is no private cause of action under HIPAA, so individuals are not permitted to sue for HIPAA violations. Only the HHS’ Office for Civil Rights (OCR) and state attorneys general have the authority to take legal action for HIPAA violations. The lawsuit, Sloan v. Verily Life Sciences LLC, claims that Verily retaliated against Sloan after he raised the HIPAA violations in good faith, in breach of his employment contract. Verily denies the allegations.

“Verily believes the allegations and contentions alleged in this employment matter that was commenced in 2023 are completely without merit. Verily will defend itself to the full extent of the law,” said a Verily spokesperson in a statement to CNBC. “Verily is an equal opportunity employer, and takes its responsibility and commitment to abide by all laws and regulations seriously.  As this is an ongoing legal matter, Verily will not be providing further comment at this time.”

The post Alphabet’s Verily Sued by Former Executive Over Alleged HIPAA Breaches appeared first on The HIPAA Journal.

What is the Best EMR for Small Practices in 2025?

Posted by Steve Alder

Whether you are starting a new practice or looking to grow your existing business, choosing the right electronic medical record system (EMR) is key to improving revenues and profits. An EMR is more than a system for managing large data records. An EMR is an invaluable tool at the heart of your practice that facilitates many aspects of your practice’s operations, such as scheduling, payments, insurance billing, record requests, patient engagement, telehealth, patient follow-ups, and HIPAA compliance.

In addition to ensuring accurate patient records, an EMR is an invaluable tool for aiding decision-making, improving efficiency by streamlining documentation, and eliminating manual administrative tasks that inevitably impact revenue-generating activities and patient care. An EMR can significantly improve the patient experience by streamlining scheduling, providing patients with easy access to their health data to improve engagement, and facilitating communication, helping to improve satisfaction and attract new patients.

With an EMR that is the right fit for your practice, you can reduce the administration burden on clinicians and administrative staff and improve efficiency, allowing you to spend more time providing high-quality, personalized, value-based care.

An EMR Streamlines Operations and Improves Efficiency

An EMR improves efficiency, streamlines data management and billing processes, while helping ensure compliance with HIPAA and state laws, but it is vital to get the right EMR solution for your practice that meets your current needs and has the scalability to support your practice as it grows.

There is a myriad of EMRs to choose from, and while Epic and Oracle Cerner are the most commonly used enterprise EMRs, they require a significant investment and are not well-suited for solo providers and small independent practices, as they prioritize operational scale and standardization.

EMRs for small practices are more affordable, easier to use, and offer far greater flexibility, often providing scope for customization to support specialty-specific workflows and value-based individualized care. The best EMR for small practices will allow you to streamline practice operations while meeting your regulatory obligations under HIPAA, EPCS, and other federal and state regulations, allowing you to concentrate on providing the highest quality patient care.

With the right EMR, you will be able to significantly reduce time-consuming administrative tasks, improve clinical accuracy, and deliver a better patient experience, helping you to reduce the churn rate and win more business.

Choosing an EMR for Small Practices

Cost is naturally a key consideration for small practices. Setting up a new practice costs hundreds of thousands of dollars, after which there are likely to be considerable budgetary constraints. You naturally need to get good value for money and a significant return on your investment, but it is important to look past the cost of licenses and initial setup costs, which include data migration if you are changing EMRs. There are often ongoing monthly expenses, add-on costs for integrations and improving core EMR functionality, limited logins, and locked-in insurance billing partners and other vendors.

If you are starting out and have a handful of clients, what works initially may not be sustainable over time. Transitioning to a new EMR when you outgrow your current platform can be time-consuming and costly, with data migration headaches and a long learning curve, which will inevitably negatively impact operations until the staff gets up to speed.

It is therefore important to choose an EMR for small practices that has comprehensive features, supports extensive integrations, with workflow automation allowing for efficient practice management. The solution should incorporate business features, including billing and analytics, while supporting telehealth, electronic prescriptions, and compliance, with scalability to support the changing needs of your practice. The support options should not be overlooked, as if you experience any technical problems or require customizations, assistance should be provided quickly to allow you to rapidly resolve your issues.

A free EMR may seem like the best choice if you have a limited budget and competing priorities. While initially you could save hundreds or thousands of dollars, you may end up paying more in the long term due to limited functionality, a lack of live customer support.  You will generally only get basic features, and the core components generally do not extend to billing, comprehensive reporting, and analytics. Free EMRs are generally only free up to a point and often require an upgrade to a full or premium package to get more than the basic EMR functions. There are also security and compliance risks associated with free EMRs, many of which are open source.

If you have a clear vision for your practice and your area of specialization, a free EMR may be a good choice, but the lack of flexibility can be limiting, and the money saved on capital outlay could be lost – and more. There are, however, excellent low-cost EMRs for small practices with extensive functionality and comprehensive integrations to meet your current and future needs, that are easy to use and support individualized care.

Security and Compliance

Two areas that should not be overlooked are security and compliance. Security needs to be built into the core of the design, as the EMR contains the crown jewels of your business, and hackers are actively targeting small practices. Free EMRs are typically open source, which means the code is available to anyone to inspect, but that doesn’t mean that it has been thoroughly inspected, nor that there is an active community looking at the code to identify security weaknesses. Data leakage and security vulnerabilities can prove extremely costly.

While small practices were once able to fly under the radar, regulators are taking a keen interest in HIPAA compliance at small medical practices. The HHS’ Office for Civil Rights (OCR) has an enforcement initiative on patient access, and in recent years, many financial penalties have been imposed on small providers for noncompliance. The HHS is also cracking down on information blocking, so it is vital that your EMR provides an easy-to-use patient portal and supports seamless health data exchange.

The Best EMRs for Small Practices

The best EMRs for small practices strike a good balance between cost and functionality, providing the functions to meet your operational needs, scalability to grow with your practice, and support to resolve technical or usability issues quickly, without hidden costs.

The best EMRs for small practices streamline operations, allowing you to improve patient engagement, reduce the burden of compliance, and have flexibility and support customizations to meet your unique needs. To save you time in your search, the HIPAA Journal has assessed EMRs for small practices to help you find the best EMR to meet your practice’s needs.

OptiMantra is the Best EMR for Small Practices

In our opinion, OptiMantra is the best EMR for sole providers and small independent primary care, functional medicine, mental health, and aesthetics-focused practices due to a comprehensive range of features and integrations, excellent customer support, scalability, and scope for customization. The platform provides excellent value for money with one of the lowest monthly costs, and many features included with the license that other platforms provide only as paid add-on features.

OptiMantra is an all-in-one solution with a comprehensive suite of functions, including charting, scheduling, e-prescribing, billing, video chat for telehealth, and an integrated lab network for bloodwork and tests. The platform includes a HIPAA-compliant patient portal with email and text reminders to improve engagement and reduce no-shows, and an extensive library of forms, including MSQ, symptom surveys, mental health questionnaires, and email, text, and fax templates.

OptiMantra offers a full suite of clinical, billing, point of sale, digital, and cloud integrations, ensuring seamless integration with the most commonly used third-party service providers. The platform streamlines small practice operations, allows charting on the go through tablet and mobile-friendly interfaces, helping practices improve efficiency and concentrate on patient care. OptiMantra also reports that clinics see an average 37% increase in revenue in the first year of using the platform, and if you ever decide to change platforms, there is no tie-in other than a month’s notice.

OptiMantra is rated highly by users, with a 5/5 score on G2 and a 4.8/5 score on Capterra, and is universally praised for customer support, with responses typically received within an hour, earning OptiMantra a 2025 Best Customer Support software badge from Gartner-owned Software Advice.  OptiMantra is also highly responsive to suggestions and rapidly implements tweaks to improve usability in response to customer requests.

While we feel OptiMantra is the best EMR for small practices for features, flexibility, cost-effectiveness, and customer service, other platforms are worthy of consideration.

AdvancedMD is a Comprehensive All-in-one Solution with Strong Revenue Management Features

AdvancedMD is an all-in-one cloud-based EMR system aimed at small practices, although those at the larger end of the category. The platform includes a suite of features for independent medical practices, including mental health, physical therapy, and medical healthcare organizations, and has integrated scheduling, charting, billing, claims, e-prescribing, and telehealth capabilities, with a good patient portal and patient messaging feature for improving engagement.

The platform offers excellent stability and accessibility, and robust security for HIPAA Security Rule compliance, including multi-factor authentication. AdvancedMD has an excellent scheduling system, a good patient portal, and impressive revenue management features, making it an ideal choice for practices with their one in-house billing teams.

While the platform has extensive features to support single physicians and small practices, with excellent scalability to support practices as they grow, there are more cost-effective choices due to high set-up fees. Due to the high initial cost, users typically do not tend to see a return on their investment for 14 months, and the system generally takes around 2 months to fully implement. Once set up, the platform is easy to use and navigate, with well-functioning modules that are intuitive and a great choice for compliance, with a comprehensive audit trail with all actions time and date stamped.

AdvancedMD has a 3.6/5 rating on Capterra and a 3.6/5 rating on G2 and is praised for its customizable features and the ability to tailor workflows to specific practice needs, and while the platform is reliable with excellent uptime, it is prone to lag times during busy periods, and customer service and issue resolution are often subject to delays. Overall, the platform is a good choice for larger practices and medical groups.

Practice Fusion is a Good Low-Cost Choice Providing Basic EMR Functionality

Practice Fusion is a solid choice for practices with restrictive budgets, especially for new sole provider practices and small practices with 3 or fewer signing staff. Practice Fusion is an entry-level cloud-based EMR system that initially provided free-to-use basic functionality, although it has now moved to a subscription-only service with a 14-day free trial.

Set up is straightforward, and the platform is intuitive and easy to use, without a steep learning curve. The platform has basic reporting and scheduling capabilities, web-based charting and e-prescribing, and lab, imaging, and billing services, and a good patient portal.

Practice Fusion provides online and telephone support, although it has no dedicated customer service representatives for users, and response times can be slow, sometimes taking days rather than hours to resolve issues.

The platform has a 3.8/5 rating on G2 and a 3.7/5 rating on Capterra, with users praising the platform for ease of use, its lab and imaging integrations, and web-based charting and e-prescribing. There is a lack of integrations and interoperability, although improvements are continuously being made to integrate with other portals and improve patient record importing, and extend integrations with vendors. Users report some system stability issues, with occasional downtime due to crashes.

For single providers and practices with 3 or fewer signing staff, Practice Fusion is a good choice due to ease-of-use, solid core functions, a good patient portal, and lab, imaging, and billing capabilities. A free trial is strongly recommended, as there is a minimum tie-in of 12 months for subscriptions with no early cancellation.

The post What is the Best EMR for Small Practices in 2025? appeared first on The HIPAA Journal.

Sen. Wyden Urges FTC to Take Action Against Microsoft for “Gross Cybersecurity Negligence”

Posted by Steve Alder

Senator Ron Wyden (D-OR) has written to Andrew Ferguson, Chair of the Federal Trade Commission (FTC), requesting the FTC investigate Microsoft and hold it responsible for “gross cybersecurity negligence,” which Sen. Wyden believes has contributed to the barrage of ransomware attacks on critical infrastructure entities.

In the letter, Sen. Wyden cites figures from a February 2025 report published by the Director of National Intelligence (DNI) indicating more than 5,000 ransomware attacks in 2024, a 15% increase from 2024, and a 103% increase from 2022. Around half of the victims of those attacks are located in the United States. Those attacks have caused enormous harm to healthcare providers, put patient care at risk, and pose a continuing threat to national security.

Sen. Wyden believes Microsoft is at fault for many of these attacks because of its de facto monopoly on operating systems, combined with dangerous software engineering decisions that have made the Windows operating system vulnerable to ransomware attacks. Sen. Wyden explained that Microsoft chooses the security measures enabled by default in the Windows operating system, and while any user can alter the settings, many do not, as they are unaware of the risks associated with the default security settings.

Cybersecurity Vulnerability Exploited in Ascension Ransomware Attack

Sen Wyden used the 2024 hack of Ascension, one of the largest health systems in the United States, as an example of how easy it is for ransomware groups to breach the networks of critical infrastructure entities. The ransomware group gained access to privileged accounts on Ascension’s Active Directory Server using a privilege escalation technique called kerberoasting, after an Ascension contractor clicked a malicious link in a Bing search result on an Ascension laptop and inadvertently downloaded malware.

The malware provided the attacker with initial access, they moved laterally, and gained administrative privileges to the Microsoft Active Directory Server. The attacker exfiltrated data, then used ransomware to encrypt files. The electronic protected health information of 5.6 million patients was compromised in the attack. The attack was made possible due to a long-standing post-exploitation vulnerability.

Kerberoasting is an attack technique that exploits Microsoft’s continued support for an insecure encryption technology – RC4 – from the 1980s. Microsoft is well aware of the risk from kerberoasting, and how it can be exploited to obtain Active Directory credentials. For more than a decade, cybersecurity experts have warned of the dangers of kerberoasting, yet no action has been taken by Microsoft to mitigate the threat, even though more secure methods of encryption are supported by Windows.

The Advanced Encryption Standard (AES) is vastly superior to RC4, is supported by Windows, and recommended by the U.S. government, yet Microsoft does not use AES by default in Windows. The result of that software engineering decision is that hackers with access to a corporate network can exploit the weaknesses in RC4 encryption technology to crack administrators’ privileged accounts.

Sen. Wyden said Microsoft has stated that the risk can be mitigated by setting long passwords of 14 or more characters, yet Microsoft does not require passwords of that length to be set for privileged accounts by default. Sen. Wyden wrote to Microsoft in July 2024, warning about the threat of kerberoasting, and in October 2024, Microsoft published a blog post warning about the vulnerability and how the threat can be mitigated. Microsoft also promised to issue a software update to fix the issue. Almost a year on, and no fix has been forthcoming. Also in October 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that Iranian hackers were using the kerberoasting technique to attack U.S. organizations.

Despite the technique being used by threat actors, the warning was added to an obscure part of its website and was not promoted. Rather than issue a prominent and easy-to-read warning as requested by Sen. Wyden, the blog post was highly technical in nature. As a result, many companies may not have seen the post or acted on the advice, leaving their crown jewels – Active Directory credentials – at risk.

FTC Action Required to Force Microsoft to Provide Secure Software by Default

Kerberoasting is just one technique that can be used to exploit vulnerabilities. Sen. Wyden provided further examples of Microsoft’s cybersecurity failures that have been exploited by nation-state actors to attack Microsoft customers, including attacks by China in 2023 and, more recently, the vulnerability in Microsoft SharePoint that was mass exploited by hackers linked to the Chinese government this year.

“There is one company benefiting from this status quo: Microsoft itself. Instead of delivering secure software to its customers, Microsoft has built a multibillion-dollar secondary business selling cybersecurity add-on services to those organizations that can afford it,” Sen. Wyden wrote in the letter. “At this point, Microsoft has become like an arsonist selling firefighting services to their victims. And yet government agencies, companies, and nonprofits like Ascension have no choice but to continue to use the company’s software, even after they are hacked, because of Microsoft’s near-monopoly over enterprise IT.”

Sen. Wyden believes that the FTC should take action to hold Microsoft to account, and if no action is taken, Microsoft is likely to continue to deliver dangerous, insecure software to critical infrastructure entities and the government, and further attacks are inevitable.

The post Sen. Wyden Urges FTC to Take Action Against Microsoft for “Gross Cybersecurity Negligence” appeared first on The HIPAA Journal.

California Radiology Provider Announces 13,000-Record Data Breach

Posted by Steve Alder

Data breaches have been reported by Radiology Associates of San Luis Obispo, North Oaks Health System, The Children’s Center of Hamden, Huron Regional Medical Center, and Franklin Dermatology Group.

Pacific Imaging Management (Radiology Associates of San Luis Obispo)

Pacific Imaging Management, doing business as Radiology Associates of San Luis Obispo in California, has identified unauthorized access to certain employee email accounts. Suspicious activity was identified within its email environment on March 13, 2025. An investigation was launched, which revealed that certain email accounts were accessed by an unauthorized third party at various times between February 3, 2025, and March 17, 2025.

The accounts were reviewed and found to contain the protected health information of 13,158 individuals. The types of data involved vary from individual to individual and are detailed in the individual notification letters that started to be mailed on September 10, 2025. Policies and procedures are being reviewed and enhanced, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

North Oaks Health System, Louisiana

North Oaks Health System, one of the largest community hospital organizations in Louisiana, has experienced a breach of its email system, which exposed the protected health information of 6,243 patients.  Suspicious activity was identified in certain employee email accounts on June 4, 2025. The affected accounts were immediately secured, and an investigation was launched to determine the extent of the breach.

The investigation confirmed that certain emails and attachments in the compromised accounts were accessed between May 28, 2025, and June 5, 2025, and some of those emails contained patient information such as names, birth dates, health insurance information, and clinical information related to the services received at North Oaks. A limited number of Social Security numbers were also exposed. North Oaks is enhancing its security protocols, technical safeguards, monitoring, and employee cybersecurity training to prevent similar incidents in the future.

Children’s Center of Hamden, Connecticut

The Children’s Center of Hamden (TCCOH), a nonprofit behavioral health center in Hamden, Connecticut, has recently announced a security incident that was first identified on December 28, 2025. Unusual activity was identified within its computer systems, and third-party digital forensics experts were engaged to investigate. They confirmed unauthorized access to its network, including systems that contained patient information. On June 29, 2025, it was confirmed that files containing patients’ protected health information were accessed or acquired in the attack.

The file review was completed on August 7, 2025, and confirmed that names, dates of birth, Social Security numbers, driver’s license information, passport information, biometric data, and diagnosis and treatment information had been exposed. Notification letters have been mailed to the 5,213 individuals, and steps have been taken to enhance security.

Huron Regional Medical Center, South Dakota

Huron Regional Medical Center in South Dakota identified suspicious activity within its computer network on or around May 31, 2025. An investigation was launched to determine the nature and scope of the suspicious activity, with assistance provided by third-party digital forensics experts. Unauthorized network access was confirmed, and the exposed files were reviewed and found to contain information such as names, addresses, phone numbers, dates of birth, dates of service, cost of services, health insurance information, lab results, medical diagnostic images, prescription information, Medicare/Medicaid numbers, diagnoses, and treatment information.

Huron Regional Medical Center is reviewing its policies, procedures, and data security measures and will make enhancements to better defend against future attacks. Individual notification letters started to be mailed to the affected individuals on September 9, 2025. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Franklin Dermatology Group

Franklin Dermatology Group in Tennessee has recently confirmed that it was affected by the cyberattack and data breach at the collections vendor, Nationwide Recovery Service (NRS). A hacking group had access to the NRS network between July 5, 2024, and July 11, 2024, and copied certain files from its network. Those files contained names, dates of birth, Social Security numbers, health insurance information, financial account information, and/or protected health information.

Franklin Dermatology Group was notified that it had been affected on February 7, 2025, and NRS said it would be issuing notifications to the affected individuals, although Franklin Dermatology Group said NRS reneged on that promise on April 3, 2025. Franklin Dermatology Group issued notifications to the affected individuals in September 2025 and has offered them complimentary single-bureau credit monitoring, credit score, and credit report services for 12 months. The breach was recently reported to the Maine Attorney General as affecting 2,457 individuals. In total, the NRS data breach has affected more than 545,000 individuals.

The post California Radiology Provider Announces 13,000-Record Data Breach appeared first on The HIPAA Journal.

Teamsters Union 25 Health Services & Insurance Plan Hacking Incident Affects 19,000 Members

Posted by Steve Alder

Teamsters Union 25 Health Services & Insurance Plan, a health and wellness benefits plan for members of Teamsters Union Local 25, a trade union representing truck drivers, warehouse workers, clerical workers, and service and technology employees, identified suspicious activity within its computer network on or around August 1, 2025, potentially indicating unauthorized access.

Third-party cybersecurity experts were engaged to investigate the activity and confirmed unauthorized access to the network. Further investigation uncovered evidence that certain data on the network was accessed and potentially copied without authorization. The data related to members of the Teamsters Union 25 Health Services & Insurance Plan and the Teamsters Union 25 Investment Plan.

The review of the affected files was completed on August 18, 2025, and notification letters were mailed to the affected individuals on September 3, 2025. The affected individuals have been offered 12-24 months of complimentary credit monitoring and identity theft protection services, and steps have been taken to enhance security to prevent similar breaches in the future. The data involved varies from individual to individual and may include names, member IDs, Social Security numbers, health information, and health insurance information. The HHS’ Office for Civil Rights was informed that the protected health information of 19,231 individuals was compromised in the incident.

Anthony L. Jordan Health Corporation

Anthony L. Jordan Health Corporation (AJHC) in Rochester, New York, has fallen victim to a phishing attack that involved unauthorized access to the email, OneDrive, and SharePoint accounts of three employees. Suspicious activity was identified in an employee’s email account on June 30, 2025. The account was immediately secured, and an investigation was launched to determine the nature and scope of the incident.

The investigation confirmed that an unauthorized actor had accessed the accounts at various times between April 30, 2025, and July 9, 2025, after the employees responded to phishing emails. The purpose of the unauthorized access appeared to be to fraudulently obtain funds from Jordan Health, rather than to obtain patient data; however, unauthorized access to patient information could not be ruled out.

The affected accounts were reviewed and found to contain patient information such as names, dates of birth, medical record numbers, provider names, dates of service, and health insurance information. In total, 2,974 patients potentially had information compromised in the incident. Jordan Health has provided additional cybersecurity awareness training to the workforce to prevent similar incidents in the future.

Sentara Health

Last week, Sentara Health notified 696 patients about a mailing incident that disclosed a limited amount of patient data. The mailing was sent to patients of a specific Sentara Behavioral Health Specialists provider to advise them of the departure of that provider from Sentara.

An error was made when compiling the list of recipients for the mailing, resulting in the mismatching of patients’ names and addresses. Letters intended for one patient were sent to a different patient, resulting in the disclosure of the patient’s name, location of the practice, and the provider’s name. Sentara Health addressed the matter with the employee in question, according to its internal policies and procedures, and has taken steps to prevent similar incidents in the future, including evaluating additional training opportunities.

The post Teamsters Union 25 Health Services & Insurance Plan Hacking Incident Affects 19,000 Members appeared first on The HIPAA Journal.

R1 RCM & Dignity Health to Pay $675,000 to Settle Data Breach Lawsuit

Posted by Steve Alder

A $675,000 settlement has been agreed upon to resolve a class action data breach lawsuit against R1 RCM Inc., a revenue cycle management company,  and Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus in Henderson, Nevada.

The lawsuit stems from a data breach at R1 RCM, which was detected on November 23, 2023. R1 RCM determined that the hacker had exfiltrated sensitive data such as names, contact information, dates of birth, Social Security numbers, service locations, diagnosis information, patient account numbers, and medical record numbers.  The data breach was reported to the HHS’ Office for Civil Rights as affecting 16,121 individuals.

The lawsuit – Heather Hillbom v. R1 RCM, Inc. and Dignity Health dba Dignity Health – St. Rose Dominican Hospital, Rosa de Lima Campus – was filed in the U.S. District Court for the District of Nevada on April 5, 2024, and alleged that the defendants were negligent by failing to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. The defendants maintain there was no wrongdoing and that there is no liability; however, the decision was made to settle the lawsuit to avoid the costs and risks associated with continuing with the litigation.

Under the terms of the settlement, class members are entitled to claim two years of three-bureau credit monitoring services and identity theft protection services through CyEx Medical Shield Total.  In addition, all class members may claim a monetary payment, which will be calculated after attorneys’ fees, credit monitoring costs, legal expenses, settlement administration costs, service awards, and claims for out-of-pocket expenses have been deducted from the settlement fund. Claims may also be submitted for reimbursement of documented, unreimbursed, out-of-pocket losses. Up to $500 may be claimed as reimbursement for ordinary out-of-pocket expenses, and up to $2,500 for extraordinary out-of-pocket expenses, such as losses to fraud and identity theft.

The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 14, 2025. The deadline for objecting to and exclusion from the settlement is October 13, 2025, and all claims must be received by November 11, 2025.

The post R1 RCM & Dignity Health to Pay $675,000 to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Adena Health to Pay $17.8 Million to Settle Pixel Lawsuit

Posted by Steve Alder

Adena Health System, a nonprofit health system serving patients in south central and southern Ohio, has agreed to pay $17.8 million to resolve claims that it unlawfully disclosed patient data to third parties via tracking pixels on its MyChart patient portal.

Adena Health is one of many health systems to use tools such as Meta Pixel and Google Analytics code to track users on its website; however, these tools were also implemented on its patient portal, which requires users to log in. Whilst on the website and patient portal, users’ data was collected, which may have included personally identifiable information (PII) and protected health information (PHI). That information was automatically sent to companies such as Meta and Google.

A lawsuit was filed over the disclosures, which were alleged to have occurred without the knowledge or consent of the data subjects. Users of the patient portal could book appointments, research medical conditions, learn about treatment options, and communicate with their providers. The lawsuit alleged that health conditions, preferred treatment options, physicians’ details, and search queries were all collected by the tracking tools and were transmitted to third parties. If a user was logged into their Facebook account at the time, the lawsuit claims the unique Facebook identifier was also transmitted, allowing them to be personally identified. The lawsuit claims the tools were knowingly added to the website and that Adena Health unjustly profited from the disclosures.

The lawsuit alleged negligence, breach of confidence, breach of fiduciary duty, unjust enrichment, invasion of privacy, and a violation of the Electronic Communications Privacy Act, and claimed that there is civil liability for criminal actions – the knowing disclosure of individually identifiable health information to a third party. Adena Health denies wrongdoing and liability and disagrees with the claims and contentions in the lawsuit; however, it agreed to a settlement to bring the litigation to an end to avoid the risks and uncertainties of trial and further litigation costs.

Under the terms of the settlement, the 89,000 class members who visited the patient portal between November 1, 2022, and June 3, 2024, are entitled to claim a cash payment of $21 and a year of credit monitoring and identity theft protection services, valued at $179 per person. The settlement now awaits approval from the court.

The post Adena Health to Pay $17.8 Million to Settle Pixel Lawsuit appeared first on The HIPAA Journal.

Feds Offer $10 Million Reward for Ransomware Administrator Who Attacked U.S. Healthcare Orgs

Posted by Steve Alder

The U.S. Department of Justice has charged a Ukrainian serial ransomware criminal who is alleged to have been the administrator of multiple ransomware operations. Volodymyr Viktorovich Tymoshchuk, through online monikers including deadforz, Boba, msfv, and farnetwork, is alleged to have been the administrator of the LockerGaga, MegaCortex, and Nefilim ransomware operations between December 2018 and October 2021.

Tymoshchuk, along with his accomplices, conducted or played a key role in ransomware attacks on more than 250 victims in the United States between July 2019 and June 2020 using the LockerGaga and MegaCortex ransomware variants, as well as hundreds of victims worldwide. An international law enforcement operation targeting the LockerGoga and MegaCortex ransomware schemes in September 2022 obtained decryption keys, which were made available to victims via the No More Ransom Project. Many potential victims were able to prevent file encryption after receiving prompt notifications from law enforcement that their networks had been compromised.

Under the Nefilim ransomware scheme, Tymoshchuk and his accomplices claimed many more victims in the United States and worldwide between July 2020 and October 2021. Through those attacks, Tymoshchuk caused millions of dollars in losses due to disruption to business operations, damage to computer systems, and ransom payments. As administrator of the ransomware operations, Tymoshchuk recruited and provided access to the infrastructure and encryptor to conduct attacks.

One of the affiliates of the Nefilim ransomware operation was Ukrainian national Artem Stryzhak, who was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025. Stryzhak has been charged with conspiracy to commit fraud and related activity. Stryzhak primarily targeted companies in the United States, Canada, or Australia that had annual revenues of over $100 million, although a Nefilim administrator encouraged him to target larger companies with more than $200 million in annual revenues. The Nefilim administrators allowed Stryzhak to keep 80% of any ransoms he generated, while they would retain 20%. Any victim who refused to pay had their stolen data leaked on the group’s Corporate Leaks websites.

Tymoshchuk has been charged with two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of causing intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information. “Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York. “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”

The U.S. Department of State is offering up to $10 million as a reward for information leading to the location, arrest, or conviction of Tymoshchuk, plus a further $1 million reward for information that leads to convictions of other members of the LockerGaga, MegaCortex, and Nefilim ransomware groups. The rewards are offered under the Transnational Organized Crime (TOC) Rewards Program.

The post Feds Offer $10 Million Reward for Ransomware Administrator Who Attacked U.S. Healthcare Orgs appeared first on The HIPAA Journal.

Editorial: HIPAA Compliance Challenges for Small Medical Practices

Posted by Steve Alder

Healthcare providers, health plans, healthcare clearinghouses, and their business associates are all required to comply with the HIPAA Rules; however, there are unique challenges for small medical practices. Large healthcare organizations have greater resources to devote to compliance, and can attract and pay for dedicated compliance professionals, in-house IT and cybersecurity staff, cutting-edge cybersecurity solutions, and staff training programs.

Small medical practices have limited resources and are forced to make difficult decisions about where to allocate funds due to budget constraints. Investments in the business that boost revenue and profits often take priority over investments to ensure HIPAA compliance and improve cybersecurity. Small practices often cannot afford to have a dedicated HIPAA Privacy and Security Officer, and compliance duties fall on administrative staff, nurses, and physicians, who have many other responsibilities. There may also not be an in-house IT department to oversee security.

Despite financial constraints, HIPAA compliance and cybersecurity are not optional. The HHS’ Office for Civil Rights (OCR) has made it clear that the size of a practice is irrelevant when it comes to HIPAA compliance. While OCR has previously focused its enforcement efforts on larger practices, in recent years, OCR has taken a keen interest in smaller practices and has imposed several penalties for noncompliance. OCR has made it clear with these penalties that small medical practices can no longer fly under the radar.

The probability of noncompliance being discovered is increasing. While hackers and ransomware groups have historically focused their efforts on attacking larger healthcare organizations with deeper pockets, smaller healthcare practices are increasingly being targeted for the simple reason that they are easier to attack, as they have fewer resources to devote to cybersecurity, and healthcare organizations of all sizes are at risk of insider threats, more so than any other sector.

OCR’s figures show a 239% increase in hacking-related data breaches between 2018 and 2023, and a 278% increase in ransomware attacks. OCR investigates all data breaches affecting 500 or more individuals to determine if they were due to noncompliance, as well as many smaller breaches. Complaints about potential HIPAA violations are also being reported to OCR in record numbers, and OCR has rekindled its HIPAA audit program. Noncompliance has never been more likely to be discovered.

HIPAA Compliance Challenges for Small Medical Practices to Overcome

With fewer resources available to devote to HIPAA compliance, achieving and maintaining HIPAA compliance can be a real challenge for small and medium-sized healthcare providers. While small practices are not expected to invest as heavily in cybersecurity as large healthcare providers, they must ensure that they have appropriate measures, relative to their size, to protect against common cybersecurity threats.

Small medical practices must ensure they have written policies and procedures to demonstrate their good faith effort to comply with the HIPAA Rules. HIPAA compliance is not inherently complicated. The HIPAA Rules are publicly available, and OCR has created many resources to help small practices achieve and maintain compliance, yet there are several areas where smaller practices have compliance programs that fall short of requirements.

Document All HIPAA Compliance Efforts

A lack of documentation to prove HIPAA compliance is all too common. As far as OCR is concerned, if it hasn’t been documented, it didn’t happen. If a complaint or data breach is investigated, the first thing OCR will request is documentation to demonstrate HIPAA compliance in the area under investigation. That may be policies and procedures for responding to patients who exercise their rights under HIPAA, HIPAA and security awareness training records, incident response plans, and patient notifications, or evidence that a risk analysis has been conducted and risks have been reduced to a reasonable and appropriate level. Many financial penalties have resulted from the failure to document the practice’s good-faith effort to comply with the HIPAA Rules. Maintaining accurate documentation is a fundamental requirement of HIPAA.

Conduct Regular Risk Analyses

The most commonly identified HIPAA violation is the failure to conduct an accurate and comprehensive risk analysis. Under OCR’s current enforcement initiative, proof that a risk analysis has been conducted will need to be provided in the event of a data breach investigation. Risk analyses are ongoing requirements that should be conducted annually, and following any material change to policies and procedures, or when new technology is introduced.

The “comprehensive” requirement means that there is a prerequisite to the risk analysis. An accurate and up-to-date inventory of all devices and locations where PHI is stored, maintained, transmitted, or accessed is required, on which the risk analysis can be based. Take advantage of the HHS Security Risk Assessment tool, which has been developed specifically to help small and medium-sized healthcare providers by walking them through the risk analysis process. You must also ensure that everything is documented so you can demonstrate that an accurate and comprehensive risk analysis has been conducted. Naturally, any identified risks and vulnerabilities must be mitigated in a timely manner.

Reduce the Risk of Human Error with Regular Training

Staff training often gets neglected. It can be difficult with a small workforce to take workers away from their work duties and provide regular training on HIPAA policies and procedures, as well as security awareness training. Training should be provided at hire, and refresher training provided annually. Take advantage of training vendors and third-party courses if you lack the internal resources to develop your own training courses.

Training should teach employees about their responsibilities with respect to the privacy and security of PHI, patient rights under HIPAA, social media use, and the correct handling of PHI in all forms. Ensure you provide regular security awareness training covering common threats such as phishing, social engineering, malware, and educate the workforce on security best practices. To develop a culture of compliance, staff members must be given proper education, and through regular training, you will be able to prevent many accidental HIPAA violations. Bear in mind that patients have become a lot more knowledgeable about HIPAA and their rights, and complaints about potential HIPAA violations are being reported in record numbers.

Maintain Business Associate Agreements with All Vendors

With limited resources, small medical practices will naturally need to outsource some functions to third-party service providers such as IT companies, managed services providers, cloud providers, software providers, revenue cycle management companies, and more. A small practice may rely on two dozen or more vendors, and each one that requires contact with PHI must sign a business associate agreement (BAA) before being provided with access to PHI.

The BBA should make clear what the vendor’s responsibilities are under HIPAA, the safeguards that are required to protect PHI, and the requirement to obtain a BAA before using any subcontractor that requires access to PHI. The BAA should stipulate responsibilities and timeframes for reporting security incidents. There are many free templates available on which small practices can base their business associate agreements.

Business associates should be vetted to ensure their security is up to scratch, which can be time-consuming for small practices. Time can be saved by choosing vendors who can provide evidence of their security practices and who attest that their products or services are HIPAA compliant.

Implement Strong Access Controls

Small medical practices are likely to be targeted with phishing, social engineering, and brute force attempts to guess credentials. To counter these threats, practices need to have strong access controls. Each member of the workforce must have unique credentials, password complexity requirements should be set and enforced in line with current NIST recommendations, and multi-factor authentication should be implemented to add an additional layer of security, especially for any Internet accessible account or system.

Maintain and Review Security Event Logs and PHI Access

Even with the best security, cybercriminals may exploit human weaknesses or find a way to access your network. Data encryption at rest and in transit is strongly recommended, and a requirement of HIPAA unless an alternative safeguard is implemented that provides an equivalent level of protection. Regular backups must be performed of all critical data, backups checked to make sure data recovery is possible, and backups should be stored securely off-site. Small practices have been forced to permanently close due to the inability to recover data following a ransomware attack.

HIPAA requires detailed audit logs to be created, maintained, and reviewed to identify access, use, copying, and modification of ePHI. The logs should be continuously monitored, which, for small practices with limited resources, naturally requires automation. Consider partnering with a managed service provider (MSP) or managed security service provider (MSSP) and leveraging their expertise and monitoring capabilities. Without an automated system for monitoring ePHI access logs, including AI-aided detection of anomalous activity, privacy violations can continue for years.

Develop and Test an Incident Response and Business Continuity Plan

Small practices must prepare for the worst and assume that there will be a breach or HIPAA violation. An incident response plan must be developed that includes procedures to follow in the event of a cyberattack or event that damages information systems containing ePHI, or involves potential unauthorized access or disclosures.

The plan must include each individual’s responsibilities, the procedures that must be followed, processes for mitigating damage, and vendors that can assist, such as digital forensics experts and cybersecurity professionals. The plan must be tested to ensure that it is effective and that everyone is aware of their responsibilities. The incident response plan should also include policies and procedures for issuing notifications to the HHS, affected individuals, and the media. Small practices have been fined for breach response failures.

Prioritize Cybersecurity Spending to Get the Biggest Bang for Each Buck

Budgetary constraints at small medical practices mean difficult decisions must be made about cybersecurity, so each security product purchased must have a significant impact on reducing risk. Leverage affordable tools to ensure that email is secured, encrypt data at rest and in transit as far as is possible, and take advantage of HIPAA-compliant service providers rather than trying to build your own security from scratch. Enlist the services of an MSP or MSSP to assist with Security Rule compliance and benefit from their expertise; just make sure the vendor’s responsibilities are clearly stated in the BAA and service level agreement.

Small practices may have to make compromises as their resources may not stretch to cutting-edge security in every area. To get the biggest bang for each buck, the HHS Cybersecurity Performance Goals are a good place to start. They include proven cybersecurity measures that will have the biggest impact on improving your security posture.

Keep Up to Date with Regulatory Changes

Major changes to the HIPAA Rules are relatively infrequent, but there are pending Privacy Rule and Security Rule updates, and minor changes are more frequent. It is the responsibility of small medical practices to keep up to date with regulatory changes, as a lack of knowledge is not a valid excuse for noncompliance. Keeping abreast of any proposed HIPAA changes will give small practice owners plenty of time to make the necessary updates to their policies, procedures, and data privacy and security practices. Regularly check the HHS.gov website for proposed updates and new guidance, and sign up for The HIPAA Journal newsletter to get updates sent directly to your inbox.

HIPAA Compliance is a Continuous Process

HIPAA compliance is a continuous process, not a one-time effort at checking all the compliance boxes, and that naturally requires an investment in time and resources. To ensure compliance is maintained, consider conducting annual HIPAA audits and documentation checks, and regularly review privacy and security policies to ensure that they continue to be effective. Investing time and resources into developing your compliance program will be money well spent.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: HIPAA Compliance Challenges for Small Medical Practices appeared first on The HIPAA Journal.