Author Archives: Steve Alder

Okanogan Behavioral Healthcare Settles Class Action Data Breach Lawsuit

Okanogan Behavioral Healthcare, a provider of holistic behavioral health services in Okanogan County, Washington, has agreed to settle a class action lawsuit stemming from a May 2024 data breach that affected 26,429 individuals.

A network intrusion was identified on May 15, 2024, and the forensic investigation determined that an unauthorized third party had access to its network from May 13, 2024, to May 15, 2024. Data exposed in the incident included client names, contact information, dates of birth, Social Security numbers, driver’s license numbers, other identification numbers, and medical information, including diagnosis and treatment information, and health insurance information. The affected individuals started to be notified on August 23, 2024.

A lawsuit was filed – Doe v. Okanogan Behavioral Healthcare – in the Superior Court of the State of Washington for the County of Okanogan in response to the data breach, alleging that the data breach was due to the failure of the defendant to implement reasonable and appropriate cybersecurity measures, and had they been implemented, the data breach could have been prevented. Okanogan Behavioral Healthcare denies wrongdoing and liability, and disagrees with all claims and contentions in the lawsuit; however, a settlement was agreed to avoid further litigation costs and the uncertainty of a trial and associated appeals.

Okanogan Behavioral Healthcare has agreed to cover attorneys’ fees and expenses, settlement notification and administration costs, and a service award for the class representative. Under the terms of the settlement, class members may submit a claim for reimbursement of losses due to the data breach and/or an alternative cash payment or credit monitoring services.

Claims may be submitted for reimbursement of documented, unreimbursed ordinary losses, up to a maximum of $300 per class member, and extraordinary losses up to a maximum of $5,000 per class member. A claim may also be submitted for an alternative cash payment, anticipated to be $50 per class member, or two years of credit monitoring services. The maximum claim is therefore $5,300 plus $50, or $5,300 plus credit monitoring services.

The deadline for objection to the settlement and exclusion is August 4, 2026. The deadline for submitting a claim is September 3, 2026, and the final approval hearing has been scheduled for September 3, 2026.

The post Okanogan Behavioral Healthcare Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

High-Severity Vulnerability Identified in OHIF Viewers DICOM

A high-severity vulnerability has been identified in OHIF (Open Health Imaging Foundation) Viewers DICOM, which could be exploited to steal an authenticated clinician’s token via a crafted link.

The Server-Side Request Forgery (SSRF) vulnerability is tracked as CVE-2026-12473 and has a CVSS base score of 8.2 (v3.1) and 8.3 (v4.0). The vulnerability is due to two data sources – DICOMWebProxy and DICOMJSON – shipped in the default configuration fetching an arbitrary URL parameter without validation.

A global authentication service in OHIF injects the authenticated user’s OIDC Bearer token into the resulting requests, which could be sent to an attacker-controlled server, allowing the OIDC Bearer token to be obtained. The vulnerability does not impact DICOMweb data sources.
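The defensive pattern the description implies, as an added example that is not OHIF project code: a user-supplied data-source URL is accepted only when its origin is on the deployment's configured allowlist, and the Bearer token is attached only to requests that passed that check. The names ALLOWED_ORIGINS, resolveDataSourceUrl and buildRequest and the sample PACS origin are assumptions for the example.

```javascript
// Added example, not OHIF code. Models the failure mode described above:
// a viewer that fetches whatever URL arrives in a query parameter and then
// injects the user's OIDC Bearer token into that request leaks the token to
// whatever origin the link points at. The fix pattern is an origin allowlist
// checked before the request is built. Names below are hypothetical.

// Constructed sample deployment configuration: the only origins this viewer
// instance is permitted to fetch DICOM data from.
const ALLOWED_ORIGINS = new Set([
  'https://pacs.example-hospital.test',
]);

// Returns a URL object if rawUrl points at an allowed origin, otherwise null.
// Rejects relative/unparseable values, non-HTTPS schemes, embedded
// credentials (e.g. "https://trusted-host@evil/"), and unconfigured origins.
function resolveDataSourceUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== 'https:') return null;
  if (url.username || url.password) return null;
  // url.origin is scheme + host + port, so a lookalike such as
  // "pacs.example-hospital.test.attacker.invalid" does not match.
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  return url;
}

// Builds the outbound request description. The Authorization header is only
// added when the target origin passed the allowlist; otherwise no request is
// produced at all, so the token never leaves the configured origins.
function buildRequest(rawUrl, bearerToken) {
  const url = resolveDataSourceUrl(rawUrl);
  if (url === null) {
    return { ok: false, reason: 'data-source origin not allowed' };
  }
  return {
    ok: true,
    url: url.toString(),
    headers: { Authorization: `Bearer ${bearerToken}` },
  };
}

// Usage with a constructed token: the crafted link is refused, the configured
// PACS is accepted.
const sampleToken = 'constructed-sample-token';
console.log(buildRequest('https://attacker.invalid/collect?x=1', sampleToken));
console.log(buildRequest('https://pacs.example-hospital.test/dicomweb/studies', sampleToken));
```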

The vulnerability affects OHIF DICOM Web Viewer Framework prior to v3.12.0. The vulnerability has been fixed by the maintainer in version 3.12.2, which was released on May 18, 2026. The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12).

Users are advised to update to the fixed version as soon as possible. There are additional requirements for users running OHIF with authentication and those that need dicomwebproxy or dicomjson in authenticated deployments, as detailed in the CISA security advisory.


Why You Don’t Need to Understand HIPAA to Make Your Small Practice HIPAA Compliant

A small practice owner who cannot define a Security Risk Analysis, has never read the HIPAA Security Rule, and does not know what a Business Associate Agreement must contain can still operate a practice with a complete, documented, provable HIPAA compliance program. The expertise does not have to live in the practitioner’s head. It has to live in the program. A purpose-built compliance program encodes what HIPAA requires and translates a practice owner’s knowledge of their own practice into a complete compliance record. The practitioner does not need to become a compliance expert. They need a structured program built specifically for them.

What HIPAA Actually Requires a Small Practice to Have

HIPAA’s requirements for a small independent practice are extensive, but they are not open-ended. The HIPAA compliance obligations for a covered entity resolve into four documented outputs that the HHS Office for Civil Rights will look for in any investigation or audit.

The first is a current Security Risk Analysis. The Security Rule requires covered entities to conduct an accurate and thorough assessment of the risks and vulnerabilities to electronic Protected Health Information across every system, device, and workflow the practice uses. The SRA must be current. A practice that completed one two years ago and has since changed its EHR system, added a telehealth platform, or hired new staff has an outdated assessment and a documented gap.

The second is a set of written policies and procedures tailored to the practice. The HIPAA Privacy Rule and Security Rule both require written policies that address each applicable standard. Generic templates do not satisfy this requirement. The HHS Office for Civil Rights treats policies that do not reflect how the practice actually operates as evidence that a compliance program exists on paper only, not in practice.

The third is documented workforce training. The HIPAA training requirement applies to every member of the workforce, including staff who do not directly handle patient records. Training records must show who completed training, what was covered, and when. The record of completion is the compliance artifact. An investigator will ask for documentation, not recollections.

The fourth is a signed Business Associate Agreement with every vendor that creates, receives, maintains, or transmits Protected Health Information on behalf of the practice. This includes EHR vendors, billing services, cloud storage providers, transcription services, and any other third party with access to PHI. A breach involving a vendor without a current agreement exposes the practice to enforcement action regardless of where the fault lies.

These are not judgment calls or matters of interpretation. A practice either has all four, documented and current, or it does not. An OCR investigator will request each of them.

Why Most Small Practices Have Gaps They Cannot See

Most small practices are not non-compliant on purpose. They completed a training session, filed some policies, and reasonably concluded they were covered. The gap between that conclusion and actual compliance is where enforcement actions originate.

Three specific failure patterns appear consistently in OCR investigations of small practices.

The first is the generic template problem. A policy downloaded from a template library describes a hypothetical organization with hypothetical workflows. It does not describe the practice’s actual intake process, its specific EHR configuration, or how its staff handles verbal disclosures in shared clinical spaces. When an investigator asks a staff member to describe their workflow and the answer does not match the written policy, the program is treated as non-implemented. The document existed. The compliance program did not.

The second is the one-time SRA problem. Many practices completed a Security Risk Analysis once, often at the recommendation of their EHR vendor or an IT provider, and have not revisited it since. An SRA is not a one-time obligation. Every material change to the practice’s technology, physical environment, or service delivery model requires a reassessment. A practice that added telehealth after a prior SRA has a gap that the original assessment does not cover. OCR currently maintains an active enforcement initiative targeting incomplete and outdated risk analyses, and the SRA is the first document requested when an investigation opens.

The third is the partial completion problem. Training without a current SRA is partial compliance. Policies without documented training are partial compliance. A signed BAA for the EHR vendor but not the billing service is partial compliance. HIPAA penalties do not recognize partial effort. OCR does not award credit for the components a practice completed. The program must be complete to function as a defense, and partial compliance is treated the same as no compliance when an investigation surfaces a gap.

What Compliance Expertise Actually Consists Of, and Why a Program Can Carry It

A compliance expert knows which safeguards apply to a two-provider dental practice versus a multi-location behavioral health group. They know which questions a Security Risk Analysis must answer for a practice that uses a cloud-based EHR versus one with on-premises servers. They know when a vendor arrangement creates PHI storage exposure the practice has not assessed, and they know how the HIPAA Breach Notification Rule applies to a misdirected fax versus a ransomware incident.

That knowledge is not trivial. It takes years to develop and requires ongoing attention as the regulations change. The argument here is not that it is unimportant. The argument is that a practice owner should not have to carry it personally to operate a compliant practice.

A purpose-built compliance program encodes that expertise into a guided workflow. The practitioner answers questions about their practice: how many locations, which systems, what types of staff, which vendors. The program translates those answers into a practice-specific Security Risk Analysis, practice-specific policies, role-based training assignments, and a managed vendor agreement inventory. The practitioner brings knowledge of the practice. The program brings knowledge of HIPAA.

This is not a theoretical model. Practices with no prior compliance background and no dedicated compliance staff have built and maintained complete, audit-ready programs this way. The expertise is in the platform, not in the practitioner.

What a Complete, Practice-Specific Compliance Program Produces

A complete compliance program generates four outputs that correspond directly to what an OCR investigation will request.

The Security Risk Analysis produced by a purpose-built program is tailored to the practice’s actual systems, locations, workflows, and vendor relationships. It routes around questions that do not apply to a single-location practice and focuses on the vulnerabilities that do. It produces a documented risk register that identifies each vulnerability, assigns a risk level, and records the remediation action and timeline. An SRA without a corresponding risk management plan tells an investigator that risks were identified and ignored. A complete program produces both.

The policies and procedures generated by the program reflect how the practice actually operates, because they are built from the practice’s own SRA responses. They are not generic. They describe real workflows, real staff responsibilities, and real system configurations. When an investigator asks a staff member to describe their role and then compares the answer to the written policy, the two should match. A purpose-built program makes that alignment the default rather than an administrative aspiration.

The training records maintained by the program document completion at the individual level, with timestamps and role-specific assignments. Staff turnover, multiple start dates, and varying training schedules are tracked automatically. The program generates the documentation an investigator will request, not a spreadsheet assembled after the fact.

The Business Associate Agreement inventory tracks every vendor relationship, the date each agreement was executed, and when renewal review is due. Agreements that lapse because no one was tracking the renewal date are one of the most common findings in OCR investigations. A managed inventory with automated reminders eliminates that specific gap.

A practice that can produce all four on demand has a program it can prove. That is the only standard an OCR investigation applies.

The Difference Between Doing Some of It and Having All of It

The cost argument for a complete program is direct. Once a breach occurs, the costs that follow are largely fixed. Patient notification, breach response, reputational damage, and civil liability attach at the moment the breach is confirmed. The one cost that documentation and good-faith compliance can prevent is the government fine.

HIPAA civil penalties are tiered by culpability. A violation attributable to reasonable cause carries a substantially lower maximum penalty than one attributable to willful neglect. A complete, documented compliance program is the evidence of reasonable cause that determines which tier applies. For a small practice, the difference between those tiers can represent tens or hundreds of thousands of dollars. The fine is the cost that prior documentation prevents.

The time investment required to stand up a complete program through purpose-built software is measured in hours, not weeks. Maintenance thereafter requires a few minutes a month to keep the program current as the practice changes. That investment is not proportional to the regulatory risk it eliminates.

Partial completion does not reduce the fine. A practice that completed training but has no current SRA is exposed to the same willful neglect finding as a practice that did nothing, if the SRA gap surfaces during an investigation triggered by a breach. Every component of the program must be in place, documented, and current.

What to Look for in a Compliance Program

Not all HIPAA compliance software produces a complete, provable program. Three criteria distinguish a program that protects a practice during an investigation from one that generates paperwork without building a defense.

The first is practice-specific generation rather than templates. The program must produce documentation that reflects the actual practice, built from the practice’s own responses to guided questions. A policy library or downloadable template set requires the practice to implement, maintain, and update documents that were not written for them. A purpose-built program generates policies from the SRA and keeps them current as the practice changes.

The second is a complete program in a single plan. This point deserves to be stated plainly: partial compliance is not compliance, and a program that places the SRA, policies, training management, or BAA tracking behind separate service tiers or paid add-ons creates the same internal gap the practice is trying to close. Everything HIPAA requires should be included without requiring the practice to choose between cost and completeness.

The third is access to compliance experts. A software workflow handles the structured outputs: the SRA, the policies, the training records, the vendor agreements. It cannot handle the judgment calls that arise when a situation falls outside the structured workflow. How should the practice respond to a patient complaint that may or may not involve an impermissible disclosure? Does a specific cloud storage arrangement create PHI exposure that the SRA must address? Does a particular incident qualify as a notifiable breach under the four-factor harm analysis? Direct access to compliance experts, included in the program rather than billed separately, is what covers those situations. A practice that can call a compliance expert at the moment an unusual situation arises is not navigating HIPAA alone. A practice that cannot is.

The Standard an Investigation Applies

An OCR investigation does not assess how much the practice owner understands about HIPAA. It assesses what the practice can produce: a current Security Risk Analysis, written policies that match actual workflows, training records for every workforce member, and signed Business Associate Agreements with every covered vendor. Those are documents. They are generated by a program, not by regulatory expertise.

A practice owner who cannot define an SRA but runs their compliance program through purpose-built software will produce better documentation than a practice owner who has read the regulations in full but manages compliance manually through binders and spreadsheets. OCR does not see the effort. It sees the record.

The program does not replace the practitioner’s knowledge of their practice. It replaces the requirement that the practitioner also carry expertise in federal health information law. That expertise is already built in. The practice owner’s job is to answer the questions accurately and follow the guidance the program provides. The program does the rest.


Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches

Data security incidents have been announced by the Colorado Health Network and Kentucky Mountain Health Alliance. In both cases, only limited information has been released about the nature of the incidents.

Colorado Health Network

Colorado Health Network Inc., a nonprofit organization that provides health and support services to individuals with HIV/AIDS across Colorado, has recently disclosed a data security incident. The breach notification does not state when the breach was detected or for how long the threat actors had access to its network, only that an unauthorized third-party accessed and removed files from its systems.

The files have been reviewed and found to contain patient names in combination with one or more of the following: Social Security number, driver’s license/state identification card number, passport number, financial account information, debit/credit card information, health insurance information (which may include Medicaid/Medicare information), and medical information. The medical information may include, but is not limited to, diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name/location.

Colorado Health Network started mailing notification letters to the affected individuals on June 18, 2026, and said it has received no reports to suggest that any of the exposed or copied information has been misused. The affected individuals have been advised to monitor their account statements, free credit reports, and explanation of benefits statements for suspicious activity, and to sign up for the complimentary credit monitoring and identity theft protection services that have been offered.

This appears to have been a ransomware attack by the Cephalus ransomware group. Cephalus claimed on its dark web data leak site on August 28, 2025, that it was behind the attack and obtained more than 900 GB of data. The group’s data leak site is not currently accessible, so it is unclear whether the data was leaked online.

The Texas attorney general was informed that 257 Texas residents were affected by the breach. Given that the primary location of business is Colorado, that would suggest that the incident affected more than 500 individuals and should have been reported to the HHS’ Office for Civil Rights (OCR) and added to the OCR data breach portal; however, it is not currently shown on the breach portal.

Kentucky Mountain Health Alliance

Kentucky Mountain Health Alliance, a Hazard, KY-based nonprofit organization that provides primary and specialty care to the homeless, has disclosed a data breach that involved unauthorized access to patient data, some of which was copied in the incident.

While data breach notices should be placed in a prominent location on the home page of the provider’s website under HIPAA, users are required to click on the “more” section and then select the notice from the drop-down menu. The notice states that the information compromised in the incident includes names plus one or more of the following: Social Security numbers, driver’s license numbers/state identification numbers, passport numbers, financial account information, debit/credit card information, health insurance information, and medical information such as diagnosis, diagnosis code, mental/physical condition, prescription information, provider’s name and location, and health insurance information. Notification letters were issued to the affected individuals on June 12, 2026.

As with the data breach at Colorado Health Network (above), the breach notifications do not elaborate further on the nature of the incident, such as who potentially accessed the data (internal/external), when the incident was detected, or for how long the data was exposed. The website notice makes no mention of credit monitoring services; however, the notice issued to the Massachusetts Office of Consumer Affairs and Business Regulation states that 24 months of complimentary credit monitoring and identity theft protection services are being provided through Epiq. The number of affected individuals has yet to be publicly disclosed.


Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches

Data breaches have been announced by Minnesota Epilepsy Group, Campbell University, and the City of Middletown, Ohio.

Minnesota Epilepsy Group

Minnesota Epilepsy Group, the largest epilepsy center in the Midwest, has started notifying current and former patients about a recent cybersecurity incident that may have resulted in unauthorized access to the protected health information of current and former patients. Suspicious network activity was identified on April 7, 2026, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had accessed its network at various times between March 16, 2026, and April 10, 2026.

The parts of the network that were accessed contained files that included patient data. The file review concluded on May 18, 2026, and determined that the exposed information included names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance information. The types of information exposed varied from patient to patient.

Notification letters started to be mailed to the affected individuals on June 5, 2026, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were exposed. Minnesota Epilepsy Group confirmed that it has taken steps to enhance its technical security measures to prevent similar incidents in the future.

City of Middletown, Ohio

The City of Middletown in Ohio has started notifying individuals about a cybersecurity incident that occurred last year that resulted in unauthorized access to sensitive personal and protected health information. The incident was first identified on August 17, 2025, and the forensic investigation determined that its network was accessed by an unauthorized third party between July 29, 2025, and August 17, 2025, during which time files containing sensitive information may have been accessed or acquired.

The data review concluded on May 18, 2026, and determined that data compromised in the incident included names, addresses, Social Security numbers, driver’s license or government identification, financial account information, medical information, and health insurance information. Notification letters were mailed to the individuals with a complete address on file on June 3, 2026. City of Middletown officials have confirmed that steps are being taken to augment security. The HHS’ Office for Civil Rights was informed that the protected health information of 20,608 individuals was compromised in the incident.

This appears to have been a ransomware attack by the SafePay ransomware group, which added the City of Middletown to its dark web data leak site on September 12, 2025, then proceeded to leak the stolen data.

Campbell University, North Carolina

Campbell University in North Carolina is investigating a cybersecurity incident that was first identified on April 1, 2026. The incident involved unauthorized access to one of its cloud-based data storage platforms between March 31, 2026, and April 1, 2026. The university explained that due to its security protections, the incident was contained to a single platform.

The investigation and data review are ongoing, and as such, the total number of affected individuals has yet to be determined. The HHS’ Office for Civil Rights has been informed that the protected health information of at least 500 individuals was involved. The total will be updated when the data review is concluded. The specific type of information involved has not yet been determined, but general categories of data involved have been disclosed. In addition to their name, individuals may have had one or more of the following exposed or stolen in the incident:

Address, date of birth, admission/discharge/death date, medical record number, provider/facility name, medical condition, diagnosis and/or treatment information, lab results, prescriptions and/or medications, personal history, mental health information, insurance/payment amount history information, date of service, payment card information, and/or any information on an individual that was created, used, or disclosed in the course of providing health care services, and Social Security number, driver’s license or state identification number, passport number, student identification number, other government identification number, financial account information, debit/credit card information, health insurance information, medical information, individual taxpayer identification number, identity protection PIN issued by the IRS, parent’s legal surname prior to marriage, digital signature, geolocation, and/or user name and access information for a non-financial account.

Campbell University said it has reset passwords, set up a new instance of the affected platform, strengthened data access policies, and implemented additional technical safeguards.


HIPAA Security Rule Training for Business Associates

HIPAA Business Associates that create, receive, maintain, or transmit electronic Protected Health Information on behalf of HIPAA-covered entities are directly subject to the HIPAA Security Rule and must provide security awareness training to their entire workforce, not only to staff who work on healthcare-specific accounts or handle patient data as part of their primary function. The HIPAA Security Rule at 45 CFR 164.308(a)(5) requires covered entities and business associates to “implement a security awareness and training program for all members of its workforce (including management).” The direct applicability of the HIPAA Security Rule to business associates was established by the HITECH Act and confirmed in the 2013 Omnibus Rule, which means the training obligation runs to the business associate as an independently regulated entity rather than solely as a contractual requirement imposed through a HIPAA Business Associate Agreement. A business associate that relies on its covered entity client’s training program to satisfy its own workforce training requirement has misread the regulation.

The Training Scope Goes Beyond Healthcare-Facing Roles

Many business associates operate with workforces that include personnel who are not assigned to healthcare client accounts, do not access patient records, and may not consider themselves to be working in a healthcare context. The HIPAA Security Rule’s training requirement applies to those employees when their roles place them within the organization’s IT security environment. A software developer working on a platform that processes electronic Protected Health Information, an HR coordinator whose email account sits on the same network as systems containing patient data, a legal team member who reviews Business Associate Agreements, and an operations manager who approves the technology stack all fall within the training obligation’s scope. This broader reach distinguishes the Security Rule from the HIPAA Privacy Rule, which directs its training requirement at workforce members whose job functions involve Protected Health Information. The HIPAA Security Rule covers any workforce member whose conduct can affect the security of electronic Protected Health Information through system access, credential use, device handling, or network activity, regardless of whether they handle patient data directly.

Why Business Associate Environments Present Distinct Security Risks

Business associate workforces interact with electronic Protected Health Information in operational contexts that differ from the clinical and administrative settings most HIPAA training content addresses. A billing company processes claims data across hundreds of covered entity clients. A cloud service provider stores electronic Protected Health Information for multiple healthcare organizations on shared infrastructure. A health IT vendor’s support staff access production systems containing patient records to resolve technical issues. In each context, a single compromised credential, a successful phishing attack, or an employee’s unauthorized use of a personal device can expose electronic Protected Health Information belonging to multiple covered entity clients simultaneously. Security awareness training for business associate workforces must reflect those operational realities and address the specific threat patterns that target vendor and service provider environments, including supply chain phishing, business email compromise exploiting covered entity relationships, and credential attacks targeting third-party administrative access.

Building a Training Program Around the Annual Cycle

Annual HIPAA Security Rule training is industry best practice for business associates because the threat environment, the regulatory framework, and the organization’s own service scope all evolve throughout the year. A business associate that expands its services to include a new category of electronic Protected Health Information processing, adopts a new platform used to access covered entity systems, or onboards a new covered entity client may face security risks its current workforce training did not address. Annual training gives the organization a structured opportunity to update content, address changes to internal security policies, reinforce reporting obligations, and produce a new completion record for each workforce member. That annual record supports the six-year documentation retention requirement under 45 CFR 164.316(b) and demonstrates to covered entity clients, OCR auditors, and internal compliance reviewers that the organization maintains a functioning and current security awareness program rather than a one-time onboarding exercise.

Online Security Training Designed for Business Associate Staff

The HIPAA Journal’s Cybersecurity Training for Business Associate Employees is built for organizations that handle electronic Protected Health Information on behalf of covered entities and need a structured online course that reflects the Security Rule obligations, threat patterns, and operational contexts specific to business associate environments. The course covers the regulatory framework governing business associates, electronic Protected Health Information safeguards, healthcare cyber threats including phishing and ransomware, password and credential security, device and media controls, email and messaging risks, incident recognition, and the reporting obligations that run from the business associate to the covered entity. It supports onboarding training before system access is granted, annual refresher delivery across the full workforce, and targeted retraining when policy changes or security events require it, and produces completion records that satisfy the individual-level documentation requirements of the Security Rule’s training mandate.

The post HIPAA Security Rule Training for Business Associates appeared first on The HIPAA Journal.

Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit

Bradford Health Services, LLC, and Bradford Health Partners, LLC, were sued over a December 2023 cybersecurity incident that exposed the personal and protected health information of current and former patients. The lawsuit states 32,425 individuals were affected by the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 28,543 individuals.

The unauthorized access was detected on December 8, 2023, and the file review determined that names, dates of birth, driver’s license numbers, medical information (including diagnosis and treatment information), health insurance information, financial account numbers, passport numbers, payment card numbers in combination with a means of access to the account, and/or Social Security numbers had been compromised. The data review was not completed until May 2025, and notification letters started to be mailed later that month, 18 months after the breach was first identified. The Hunters International threat group claimed responsibility for the attack and stated that more than 760 GB of data were exfiltrated from the defendants’ systems.

Multiple class action lawsuits were filed in response to the cyberattack and data breach, and they were consolidated – In Re Bradford Health Services, LLC Data Breach Litigation – in the Circuit Court of Jefferson County, Alabama, Birmingham Division, where the lawsuit is still pending. The plaintiffs allege that the data breach was due to the negligence of the defendants, who are alleged to have failed to implement reasonable and appropriate cybersecurity measures. The lawsuit asserts claims for negligence/wantonness, negligence per se, breach of express or implied contract, and unjust enrichment.

Shortly after the consolidated class action lawsuit was filed, the parties began exploring the possibility of an early resolution to limit costs and avoid the uncertainty of a trial and related appeals. Following mediation in October 2025, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and has received preliminary approval from the court.

The defendants have agreed to pay attorneys’ fees, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. All class members are entitled to enroll in three years of medical data monitoring services and may also submit a claim for reimbursement of documented losses up to $5,000 per class member, or an alternative cash payment, which is estimated to be $150 but may be higher or lower depending on the number of claims received.

The deadline for objection and exclusion is August 3, 2026, and claims must be submitted by August 17, 2026. The final fairness hearing has been scheduled for September 1, 2026.

The post Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

Healthcare Report Highlights Growing Vendor Risk and Lack of Cyberattack Readiness

Cybersecurity risk is growing, and healthcare organizations are struggling to defend a rapidly increasing attack surface. AI tools are being implemented without the secure infrastructure to support them. Most healthcare practices have meaningful gaps in cyberattack recovery readiness, face ongoing and regular third-party vendor disruptions, and there is growing concern that a cyberattack will result in a patient fatality. The current state of cybersecurity in healthcare is far from rosy.

These were some of the findings from the 2026 Healthcare IT Landscape Report from Omega Systems, a leading provider of managed IT and security services to the healthcare and financial services industries. The report is based on a survey of 200 healthcare business leaders in the United States, including CEOs, CISOs, CIOs, CFOs, and COOs, at healthcare organizations with between 50 and 600 employees. The healthcare organizations represented in the report include medical practices, clinics, ambulatory care centers, specialty services, and long-term care facilities.

In 2025, when the study was last conducted, 52% of healthcare organizations said it is inevitable that a cyberattack on a healthcare facility will result in a patient fatality in the next five years. In just 12 months, that figure has risen to 61%, a relative increase of 17%. The increase is unsurprising given the lack of cyberattack recovery readiness. In the event of a cyberattack that prevents access to the electronic medical record (EMR) system, 47% said loss of access to patient records would create an immediate patient safety issue and malpractice liabilities, 53% said billing, claims, and scheduling would instantly stop, freezing cash flow at the moment when clinical operations are most compromised, and 25% said they would be unable to maintain baseline care standards, resulting in temporary or even permanent closure.

Omega Systems said 82% of providers acknowledged meaningful gaps in their recovery readiness. Almost one-third (31%) of respondents lack the ability to contain and resolve data breaches quickly; almost one-quarter (24%) do not regularly train teams on incident response; one-fifth (21%) have no independent EMR recovery path or access to a 24/7 SOC team; and 13% have no documented recovery plan at all. AI adoption is almost universal, with 93% of healthcare practices already having adopted AI tools, yet they lack the secure infrastructure to support those tools safely.

The risk of cyberattacks has never been greater. According to OCR data, more large data breaches were reported in 2025 than in any year since OCR began publishing breach records, fueled in part by an increase in cyberattacks on vendors, which usually impact multiple healthcare clients and cause considerable disruption.

Omega Systems found that 85% of healthcare practices experienced at least one operational disruption in the past 12 months due to a third-party vendor or vendor of a vendor, and 24% experienced a third-party or vendor breach that directly affected their data or operations.

While vendor incidents are increasing, a concerningly high percentage of respondents – 70% – said they were confident or very confident in their vendors’ cybersecurity posture. Vendors have been engaged and are trusted, and are no longer being questioned about their cybersecurity posture.

OCR is due to issue a final rule implementing proposed changes to the HIPAA Security Rule, one of the requirements of which is annual verification by regulated entities of their business associates’ cybersecurity measures, which will force practices to continually verify vendor cybersecurity. According to the Omega Systems report, 63% of practices are currently not continuously monitoring their networks and digital supply chains, while 70% say they are confident in the vendors connected to them. “A practice can’t be confident in what they aren’t watching,” warns Omega Systems. “Trust is a natural byproduct of long-term vendor relationships. And that’s precisely what attackers count on. They target vendors because their healthcare clients trust them – and rarely verify the controls behind that trust.”

Omega Systems identified a single root cause of the cybersecurity problem in healthcare: cybersecurity is a patient safety issue, yet healthcare organizations are still treating it as a technical expense. “Sixty-two percent (62%) of healthcare leaders still treat cybersecurity as a technical expense rather than a clinical or fiduciary risk,” explained Omega Systems in the report. “That posture determines what gets funded, what gets deferred, and what gets ignored. It is why the gaps documented in this report persist despite years of escalating threat data.”

OCR investigates all reported data breaches affecting 500 or more individuals, and data breaches are being reported in record numbers. OCR currently has an enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule, which has been expanded to also cover risk management. The survey revealed that six in ten leaders have self-attested to HIPAA compliance even though they know their risk analyses identified unresolved vulnerabilities. According to the report, 23% of practices have already filed a breach report with OCR.

“For many, that filing was not the result of negligence. It was the result of a gap that grew faster than their resources could close it,” explained Omega Systems. “Small practice leaders are not ignoring compliance. They are managing it with teams that are stretched thin, budgets that do not go far enough, and requirements that keep changing. The breach notification is often the moment they find out how serious that gap had become.”

When the HIPAA Security Rule update is released, practices will have a lot of ground to cover in a short space of time. Only 24% of practices report that they are fully prepared for the proposed changes; many lack the required in-house staff and have cybersecurity and compliance programs that have been built for a simpler threat landscape.

More than one-third (35%) say their cybersecurity/IT team is understaffed, one-third (33%) underestimate the severity and frequency of cyberattacks, one-quarter (26%) say their cybersecurity/IT team is underfunded, 23% say it relies on antiquated cybersecurity technology, and one-fifth (21%) deliberately downplay cyberattack risk to avoid reputational damage.

With the HIPAA Security Rule final rule expected this year (the proposed release date was May 2026), healthcare cybersecurity and compliance programs will have to be overhauled. Omega Systems explains that the leaders will not be the healthcare organizations with the most advanced technology. They will be the ones who have made a governance-level commitment to treating security, compliance, vendor risk, and AI not as separate problems requiring separate solutions, but as one, with a partner accountable for the whole picture.

The post Healthcare Report Highlights Growing Vendor Risk and Lack of Cyberattack Readiness appeared first on The HIPAA Journal.

Hillcrest Convalescent Center Settles Class Action Data Breach Litigation

Hillcrest Convalescent Center, a short-term inpatient rehabilitation and skilled nursing facility in Durham, North Carolina, has agreed to settle class action litigation over a June 2024 cyberattack.

Hackers breached its network, resulting in unauthorized access to and the potential theft of patients’ personal and protected health information. The hackers had access to information such as names, addresses, dates of birth, financial account numbers, driver’s license numbers, Social Security numbers, medical treatment information, and health insurance information. The incident affected more than 106,000 individuals, who were notified by mail in March 2025.

The data breach sparked several class action lawsuits, which were consolidated because they had overlapping claims. The consolidated lawsuit – In re Hillcrest Convalescent Center, Inc. Data Breach Litigation – is pending in the Superior Court of Durham County, North Carolina. Hillcrest Convalescent Center denies the allegations of wrongdoing and liability and, in September 2025, filed a motion to dismiss the consolidated complaint. The plaintiffs filed their response in October 2025, and later that month the defendant filed its reply in further support of the motion to dismiss. Shortly thereafter, the parties began exploring the possibility of a settlement.

During mediation in January 2026, the parties agreed on the material terms of a settlement, which has now been finalized and has received preliminary approval from the court. Under the terms of the settlement, class members may submit a claim for reimbursement of documented out-of-pocket losses due to the data incident up to a maximum of $2,500 per class member. Class members who choose not to submit such a claim may instead claim an alternative cash payment, estimated to be $50 per claimant.

Regardless of the option chosen, class members are eligible to enroll in two years of credit monitoring services, which include a $1 million identity theft insurance policy. Claims must be submitted by August 26, 2026, and the final approval hearing has been scheduled for August 24, 2026. Individuals who do not submit a claim will lose the right to sue the defendant over the data breach and will receive nothing from the settlement. Individuals who want to retain the right to sue can exclude themselves and must do so by July 27, 2026. Objections to the settlement must be filed by July 27, 2026.

The post Hillcrest Convalescent Center Settles Class Action Data Breach Litigation appeared first on The HIPAA Journal.