Author Archives: Steve Alder

House Republicans Make New Attempt to Introduce Federal Data Privacy Legislation

House Republicans have made a fresh attempt to introduce federal data privacy legislation that, if passed, will replace the current patchwork of state privacy laws. The new privacy bill – the Securing and Establishing Consumer Uniform Rights and Enforcement over Data (SECURE Data) Act, and a companion bill covering financial firms – the GUARD Financial Data Act – were introduced by Republican members of the House Committee on Energy and Commerce and the House Committee on Financial Services. Unlike previous attempts to enact comprehensive federal data privacy legislation, the SECURE Data Act and GUARD Financial Data Act are not bipartisan. No input was sought from Democratic committee members.

Efforts to develop the bills were led by Congressman Brett Guthrie (R-KY), Chairman of the House Committee on Energy and Commerce, and Congressman John Joyce, M.D. (PA-13), Chairman of the Energy and Commerce Subcommittee on Oversight and Investigations and leader of the Energy and Commerce Data Privacy Working Group.

The bills were developed following more than a year of stakeholder consultation. They aim to create a single set of federal data privacy standards, and they are modeled on the data subject rights and provisions common to the states that have already enacted comprehensive data privacy laws.

Key consumer rights in the SECURE Data Act include:

  • The right to know that personal data is being collected and how it is used
  • The right to access a copy of the personal data collected by an entity, including in a portable format
  • The right to request that their personal data be deleted
  • The right to opt out of targeted advertising, the sale of their personal data, and certain automated decisions
  • The right to have sensitive data processed only with the consumer’s consent
  • The right to have a child’s or teen’s personal data processed only with parental consent

The obligations for covered businesses under the SECURE Data Act include:

  • Limiting the collection of personal data to what is “adequate, relevant, and reasonably necessary” for the purposes disclosed to consumers.
  • Required disclosure of the personal data shared with others, and any personal data processed in or sold to China, Russia, or other foreign adversaries.
  • Implementation of data security practices to protect the personal data they process.

There are specific requirements for data brokers, which include:

  • Data minimization, disclosure, and data security requirements.
  • Registration with the FTC, including disclosure of the privacy and data security practices and personal data sold.
  • The FTC will establish a searchable public-facing registry of data brokers, where consumers can learn how to exercise their privacy rights.

“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” Energy and Commerce Chair Brett Guthrie, R-Ky., and Rep. John Joyce, R-Penn., said in a joint statement. “We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”

The SECURE Data Act would apply to nonfinancial firms that control consumer data, exempting financial data and financial institutions covered by the Gramm-Leach-Bliley Act. The companion bill, the GUARD Financial Data Act, would update the Gramm-Leach-Bliley Act and would exempt nonfinancial firms. While there is a clear need for federal data privacy legislation to replace privacy laws that vary considerably from state to state, for certain states such as California, a preemptive federal law would water down the protections their residents currently have. For instance, the SECURE Data Act does not include a private right of action, which means individuals whose privacy is violated would not be able to sue over SECURE Data Act violations.

The SECURE Data Act has been criticized for failing to implement meaningful privacy protections and weakening protections for consumers in states that have placed limits on the collection, use, and sharing of consumers’ data. Critics say the legislation ultimately protects corporations and big tech firms rather than protecting consumers’ privacy. “We should be protecting the little guy with a bill that empowers consumers, not one that pre-empts consumer protections at the behest of Big Tech,” said Energy and Commerce Ranking Member Frank Pallone (D-NJ).

Some privacy groups have criticized the bill for important omissions, such as failing to address AI-related privacy harms. There are no provisions limiting the data that can be collected on consumers for training AI algorithms, and while companies are required to disclose if they are using AI-based automated decision-making systems, consumers do not have the right to opt out.

There are grave concerns that if enacted, it will allow big tech firms to continue collecting and using vast amounts of consumer data. “It places the onus on regular people to wade through reams of privacy policies and ask tech companies to stop abusing our data, and it leaves us without real recourse — even blocking us from going to court — if our requests go unanswered. On top of that, the bill would entirely destroy the work that states have been doing for years to protect their residents,” said American Civil Liberties Union attorney Cody Venzke.

Previous efforts to pass a comprehensive federal data privacy law, such as the American Data Privacy and Protection Act (ADPPA), were bipartisan and bicameral and proposed stronger privacy protections, yet all of them failed to be enacted. While there is a good chance that the SECURE Data Act would pass the House of Representatives, it may be difficult for the bill, in its current form, to survive a Senate vote.

The post House Republicans Make New Attempt to Introduce Federal Data Privacy Legislation appeared first on The HIPAA Journal.

Alabama Ophthalmology Associates Data Breach Settlement Gets First Nod

Alabama Ophthalmology Associates, P.C., has settled a class action lawsuit that was filed in response to a January 2025 cyberattack on its computer systems. The intrusion was identified on January 30, 2025, and the forensic investigation confirmed unauthorized access to its network between January 22 and January 30, 2025.

The hackers had access to files containing names, dates of birth, Social Security numbers, medical record numbers, treatment information, medical history information, and health insurance information. The Alabama Ophthalmology data breach affected 131,576 individuals, and notification letters were mailed in April 2025. Multiple class action lawsuits were filed in response to the data breach, which were consolidated as they had overlapping claims – In re Alabama Ophthalmology Associates, P.C., Data Breach Litigation – in the Circuit Court of Jefferson County, Alabama.

The consolidated lawsuit alleged that the defendant failed to implement reasonable and appropriate safeguards to protect sensitive data on its network, resulting in unauthorized access and exposure of patient data, and failed to issue adequate breach notifications. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, fraud, misrepresentation, unjust enrichment, bailment, wantonness, and failure to provide adequate notice pursuant to any breach notification statute or common law duty.

The defendant denies all claims and contentions in the lawsuit and maintains that there was no wrongdoing and that there is no liability. To avoid further legal costs and the uncertainty of a trial, all parties explored early resolution of the lawsuit, and a settlement was ultimately agreed upon that was acceptable to all parties.

Class members are entitled to claim two years of medical data monitoring and identity theft protection services, plus one of two cash payments. A claim may be submitted for documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or a claim may be submitted for an alternative pro rata cash payment, the value of which will depend on the number of valid claims received. The cash payments are expected to be around $60 per class member. The deadline for objection and exclusion is June 5, 2026. Claims must be submitted by June 25, 2026, and the final fairness hearing has been scheduled for July 6, 2026.


OCR Fines Four Regulated Entities for HIPAA Violations That Led to Ransomware Attacks

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced four financial penalties to resolve potential HIPAA violations discovered during investigations of ransomware-related data breaches. The ransomware attacks resulted in the exposure of the electronic protected health information (ePHI) of 427,000 individuals, and $1,165,000 in financial penalties were imposed to resolve the HIPAA violations. In each case, the HIPAA-regulated entity agreed to pay a lower penalty to settle the alleged violations informally and agreed to adopt a corrective action plan to address the noncompliance issues identified by OCR’s investigators. Including these four settlements, OCR has resolved six investigations with financial penalties in 2026, collecting $1,278,000 in penalties.

Financially motivated cyber actors target the healthcare and public health sector, often using ransomware to encrypt files and deny access to critical data. Threat actors know that healthcare organizations store large volumes of sensitive data and rely on access to that data to deliver care. Without access to medical records, patient safety is put at risk, so healthcare victims are more likely than organizations in other sectors to pay the ransom in order to recover quickly. In addition to encryption, sensitive data is often exfiltrated and used as leverage: if the ransom is not paid, the data is sold or leaked online, putting the affected individuals at risk of identity theft and fraud.

In each of the past five years, more than 700 data breaches affecting 500 or more individuals have been reported to OCR, the majority of which were hacking incidents or ransomware attacks. “Hacking and ransomware are the most frequent type of large breach reported to OCR,” said OCR Director Paula M. Stannard, in an announcement about the HIPAA penalties. “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”

One of the most important requirements of the HIPAA Security Rule is a risk analysis, the purpose of which is to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Those risks and vulnerabilities must then be subjected to risk management processes to eliminate them or reduce them to a low and acceptable level. If a risk analysis is not conducted, is not conducted regularly, or is incomplete, risks and vulnerabilities are likely to remain unknown and unaddressed and can be exploited to gain access to internal networks and ePHI.

OCR has made the risk analysis provision of the HIPAA Security Rule an enforcement priority due to its importance, and that initiative is being extended to include risk management. If a data breach is reported or if a complaint is submitted about an unreported data breach, OCR will investigate and will require evidence to show that a risk analysis has been completed and risks have been managed in a timely manner. In each of the four latest enforcement actions, OCR identified risk analysis failures.

In order to complete a comprehensive and accurate risk analysis, HIPAA-regulated entities must identify all locations within the organization where ePHI is located, including how ePHI enters, flows through, and leaves the organization’s information systems. It is therefore essential to create and maintain an accurate and up-to-date asset inventory on which the risk analysis can be based.

In addition to identifying and managing risks and vulnerabilities, HIPAA-regulated entities must ensure that appropriate cybersecurity measures are implemented, including access controls and authentication to restrict access to ePHI to authorized users only. Audit controls must be implemented to record and examine activity in information systems, and logs of information systems activity need to be regularly monitored. Encryption should be implemented to protect ePHI at rest and in transit, and an incident response plan must be developed, implemented, and maintained to ensure a fast response in the event of a successful intrusion. OCR also reminds regulated entities to ensure that workforce members are provided with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Assured Imaging Affiliated Covered Entities – $375,000 HIPAA Penalty

The largest financial penalty announced this month resolved potential HIPAA violations identified by OCR during an investigation of a ransomware-related data breach at Assured Imaging Affiliated Covered Entities (Assured Imaging), a medical imaging and screening service provider with corporate headquarters in Arizona and California. The ransomware attack was discovered on May 19, 2020, and involved the theft of ePHI such as names, contact information, dates of birth, diagnoses and conditions, lab results, medications, and treatment information of 244,813 individuals.

Assured Imaging was unable to provide evidence that a risk analysis had ever been completed. OCR determined that there had been an impermissible disclosure of the ePHI of 244,813 individuals, and that Assured Imaging failed to notify the affected individuals within 60 days, as required by the HIPAA Breach Notification Rule. OCR imposed a $375,000 financial penalty to resolve the alleged HIPAA violations, and the settlement agreement includes a comprehensive corrective action plan. Assured Imaging will be monitored for compliance with the corrective action plan for two years.

Regional Women’s Health Group, dba Axia Women’s Health – $320,000 HIPAA Penalty

Regional Women’s Health Group, which does business as Axia Women’s Health and provides women’s healthcare services to patients in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky, reported a ransomware-related data breach to OCR in December 2020. The ePHI of 37,989 individuals stored in its electronic medical record database was exposed or stolen in the incident, including names, addresses, dates of birth, SSNs, driver’s license numbers, diagnoses or conditions, lab results, and medications.

OCR determined that Axia Women’s Health had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI and imposed a $320,000 financial penalty. Axia Women’s Health opted to settle the alleged violation informally and agreed to implement a comprehensive corrective action plan and will be monitored for compliance with that plan for two years. In addition to conducting a risk analysis, implementing a risk management plan, and providing training to the workforce, Axia Women’s Health is required to implement a process for evaluating environmental and operational changes that affect the security of ePHI, suggesting OCR found potential noncompliance in this area, in addition to the risk analysis failure.

Star Group, L.P. Health Benefits Plan – $245,000 HIPAA Penalty

Star Group, L.P. Health Benefits Plan (SG Health Plan), the self-funded employee benefits plan of a Connecticut-based energy provider, reported a ransomware attack to OCR in October 2021. The forensic investigation determined that the ransomware group exfiltrated files containing the ePHI of 9,316 of its plan members. Data stolen in the attack included names, addresses, dates of birth, SSNs, and health insurance information, such as member identification numbers, claims data, and benefit selection information.

OCR’s investigation determined that SG Health Plan had failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to ePHI, resulting in an impermissible disclosure of the ePHI of 9,316 individuals. OCR resolved the alleged HIPAA violations with a $245,000 financial penalty, and SG Health Plan agreed to adopt a corrective action plan to address the alleged HIPAA violations. SG Health Plan will be monitored for compliance with the plan for 2 years.

Consociate, Inc., dba Consociate Health – $225,000 HIPAA Penalty

Consociate, Inc., doing business as Consociate Health, a third-party administrator of employer-sponsored benefit programs and a business associate of health plans, discovered on January 14, 2021, that data in its information systems had been encrypted in a ransomware attack. The forensic investigation determined that its network had first been compromised six months earlier as a result of a phishing attack.

The threat actor gained access to a server containing the ePHI of 136,539 individuals, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, credit card/bank account numbers, and diagnoses or conditions. OCR determined that Consociate Health failed to conduct an accurate and thorough risk analysis and resolved the alleged HIPAA violation with a $225,000 financial penalty. Consociate Health agreed to adopt a corrective action plan to address the alleged HIPAA violation and will be monitored for compliance with the plan for 2 years.


Healthcare AI Firm Sued Over Alleged Unlawful Disclosures of Genetic Data

Tempus AI, a publicly traded healthcare artificial intelligence company, is facing multiple class action lawsuits over the alleged unauthorized collection and disclosure of genetic testing results, which were derived from genetic testing by Ambry Genetics Corporation (Ambry Genetics).

Ambry Genetics offers comprehensive genetic testing services, including screening and diagnosis of inherited and non-inherited diseases. Tempus AI was founded in 2015 and builds tech solutions around clinical care and research products. In February 2025, Tempus AI acquired Ambry Genetics for $600 million, and as a condition of the acquisition, Ambry Genetics was required to disclose its vast database of genetic data to Tempus AI. The database contained the genetic information of hundreds of thousands of individuals.

Tempus AI used Ambry Genetics’ genetic database to train its AI models. Tempus AI had signed agreements with more than 70 companies, including large and mid-sized pharmaceutical firms such as AstraZeneca, Bristol Myers Squibb, Pfizer, and GlaxoSmithKline, and biotechnology firms such as Incyte, Servier, Aspera Biomedicines, and Whitehawk Therapeutics. Genetic data derived from Ambry Genetics testing services was provided to those clients under those agreements.

Several class action lawsuits were filed against Tempus AI over the use of genetic data to train its AI models and the subsequent disclosures of that data. The lawsuits were consolidated into a single complaint – Farrier et al v. Tempus AI, Inc. – on April 15, 2026, in the U.S. District Court for the Northern District of Illinois. The lawsuit alleges that Tempus AI violated the Illinois Genetic Information Privacy Act (GIPA) and other state statutes, first by compelling Ambry Genetics to disclose the genetic data collected through its testing services, and again by disclosing that genetic data to third-party partners under its commercial agreements. The lawsuit claims that Tempus AI has profited enormously from selling genetic data without the knowledge or written consent of the data subjects, and alleges that the class members’ genetic data was disclosed to those clients in deals totaling $1.1 billion.

Tempus AI claims to have a clinical and molecular data library consisting of 45 million de-identified patient records, including 8.5 million clinical records, 2 million medical images, and 1 million matched clinical-genomic records. The lawsuit alleges that Tempus AI and Ambry Genetics misled the public by claiming that they only disclose de-identified genetic information, when that is not the case. Further, the lawsuit claims that genetic information “cannot be deidentified because such data serves as an inherently unique biomarker,” and like DNA, the information is inherently identifiable.

The 21-count lawsuit asserts claims for negligence, unjust enrichment, fraudulent concealment, conversion, invasion of privacy (intrusion upon seclusion), breach of contract, breach of implied contract, breach of fiduciary duty, and violations of the consumer protection, data protection, and deceptive trade practices laws of California, Florida, Georgia, Illinois, Michigan, New York, and West Virginia.

The plaintiffs seek a jury trial and damages, injunctive relief, and any other remedies that the Court deems appropriate to redress Tempus AI’s alleged unlawful and unauthorized data collection and disclosures, including an order from the court compelling Tempus AI to cease sharing individuals’ genetic data without first providing the data subjects with proper notice and obtaining their written consent.


Absolute Dental Settles Class Action Data Breach Lawsuit for $3.3M

A class action lawsuit filed against Absolute Dental Group, LLC, and Judge Consulting, Inc., over a 2025 data breach has been settled for $3,300,000. Absolute Dental is a Nevada-based dental care provider, and Judge Consulting is a provider of technology consulting, staffing solutions, and corporate training services. Absolute Dental contracted with Judge Consulting as its managed services provider, and Judge Consulting was responsible for the daily management and operation of Absolute Dental’s IT systems.

Absolute Dental identified suspicious activity within its network on February 26, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network between February 19, 2025, and March 5, 2025. Access was gained through an account associated with Judge Consulting. The hackers had access to names, contact information, Social Security numbers, driver’s license numbers, health information, health insurance information, financial information, and other sensitive data. The data breach was one of the largest of the year, affecting 1,223,635 individuals.

Several class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Jordan et al. v. Absolute Dental Group, LLC, et al. – in the U.S. District Court for the District of Nevada. The lawsuit alleged that the defendants failed to adequately secure patient data, failed to properly monitor their systems for intrusions, and failed to provide timely notice to the victims of the breach. The lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, invasion of privacy, violations of the Nevada Privacy of Information Collected on the Internet From Consumers Act, and declaratory and injunctive relief.

Following mediation, the plaintiffs and the defendants agreed to a settlement that was acceptable to all parties, with no admission of wrongdoing, fault, or liability by the defendants. A $3,300,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the five class representatives. The remainder of the settlement fund will be used to pay for benefits for the class members.

Class members may choose to submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may claim an alternative pro rata cash payment, the value of which will depend on the number of valid claims received. Residents of California at the time of the data breach also qualify for an additional cash payment. The deadline for objection to and exclusion from the settlement is June 9, 2026. Claims must be submitted by June 18, 2026, and the final approval hearing has been scheduled for July 30, 2026.


OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism

A proposal to allow the Office of Personnel Management (OPM) to collect the personally identifiable health information of federal employees and their family members has attracted strong criticism due to privacy and security risks, and the potential for HIPAA violations and data misuse.

Per the December 12, 2025, notice about the information collection request (ICR) – Federal Employees Health Benefits (FEHB) and Postal Service Health Benefits (PSHB) Programs Service Use and Cost Data – OPM would require insurance carriers to submit FEHB and PSHB program claims data to OPM. Under the proposal, carriers would make monthly submissions of claims-level data, including the protected health information of current and former federal workers and their family members, together with personal identifiers. According to OPM, the data will “enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans.” While there are clear benefits to be gained from collecting and analyzing the data, such as lowering costs and improving care quality, the proposal has raised significant privacy and security concerns.

The Trump administration is seeking unprecedented access to workers’ medical information, information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). The data being sought is not government data; it is protected health information maintained by HIPAA-regulated entities. Information submitted to OPM under the proposal would populate a government database, but OPM has failed to fully explain exactly how that information will be used, maintained, and protected. As such, there are legitimate concerns that the requested data may be used for reasons other than the stated purpose, especially given the Trump administration’s attempts over the past 12 months to obtain personal information from the Social Security Administration and the Internal Revenue Service.

“OPM is collecting service use and cost data from FEHB and PSHB Carriers, including medical claims, pharmacy claims, encounter data, and provider data. This data will enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans,” explained OPM in the notice. “OPM requires Carriers to report necessary information and permit audits and examinations to manage the FEHB Program effectively.”

In the notice, OPM explains that under HIPAA, covered entities such as health plans are permitted to disclose protected health information – including service use and cost data – to health oversight agencies, including OPM, for oversight activities authorized under 45 CFR 164.512(d)(1). The notice calls for 65 carriers to make ongoing, monthly submissions of claims-level data and quarterly manufacturer rebate data for federal employees and retirees. The carriers hold data for more than 8 million Americans, including federal workers, mail carriers, retired members of Congress, and their immediate family members.

The use of such broad terms for data categories has set alarm bells ringing. OPM will potentially be provided with a huge volume of sensitive, personally identifiable information, including information about treatments sought and received. Encounter data, for instance, could potentially encompass full medical records and doctors’ notes, information over and above what is necessary for the stated health oversight activities.

De-identified data could potentially be used to achieve the stated purpose, but OPM makes no mention of stripping out personal identifiers. As such, privacy groups have legitimate concerns that OPM could create a huge database of highly sensitive information that could easily be misused: for instance, to target specific employees based on the healthcare services they sought and received, or to assist the administration with its initiatives concerning DEI, gender-affirming care, reproductive health care, or any other healthcare services it chooses to target.

Aside from the potential for data misuse, the proposal will create significant compliance and legal risks for the carriers. OPM states in the notice that the HIPAA Privacy Rule permits disclosures of protected health information for health oversight activities, but it requests a broad swathe of protected health information, the provision of which will likely violate the minimum necessary standard. The minimum necessary standard – 45 CFR 164.502(b) and 164.514(d) – applies to data disclosed for health oversight activities: “When using or disclosing protected health information or when requesting protected health information… a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

In its current form, the proposal lacks detailed information about the purpose for the disclosure, and the broad categories of data requested will require carriers to walk a HIPAA compliance tightrope. While the Trump administration may have no intention of enforcing HIPAA compliance regarding the OPM data disclosures, future administrations may take an entirely different view, and the data disclosures will expose carriers to significant legal risk. It is currently unclear how carriers intend to comply with the proposal.

While HIPAA permits disclosures of protected health information for health oversight activities, they are not required disclosures under HIPAA. Carriers may choose to only disclose information that they deem appropriate and necessary, although, without further detail about the exact purposes for the disclosures, it will be difficult to determine what information is appropriate and necessary, and the compliance and administrative burden would be significant.

In addition to concerns about protected health information being provided to the government and how that information will be used, concerns have been raised about OPM’s ability to protect a database of highly sensitive protected health information, given the extent to which government entities are targeted by threat actors, and OPM’s and the Trump administration’s history of safeguarding sensitive data. OPM experienced two massive data breaches in 2015, one involving the personal information of 4.2 million current and former federal employees and another involving the theft of the personal records of more than 22 million Americans. The Chinese government is alleged to have been behind the attacks.

The proposal has attracted significant criticism. The Association of Federal Health Organizations (AFHO) points out that this is not the first time that OPM has sought to establish a healthcare claims data warehouse, having made a similar proposal in 2010. The same HIPAA compliance concerns that were voiced 16 years ago still apply to the latest proposal. AFHO had argued that only de-identified data should be shared; however, today, the sharing of de-identified data with OPM carries significant compliance risks. AFHO is concerned that, given the detailed information OPM already has on enrolees and their family members, there is a risk that de-identified data could be re-identified, and the HIPAA Privacy Rule does not permit the sharing of de-identified data when there is a risk of reidentification. AFHO suggests an agreement between OPM and the CMS to use the CMS edge server system to query data, thereby eliminating the risk of re-identification, or to enter into a contract with the Health Care Cost Institute, which could translate raw data into actionable insights.

Robert H. Shriver, III, Managing Director of Civil Service Strong, a project of Democracy Forward Foundation, voiced strong opposition to the ICR. Specifically, he cited the failure of OPM to justify the proposed data collection and clearly state exactly how the data will be used, the failure to explain how data will be safeguarded, and the risk of data abuse. “OPM’s ICR is especially concerning given the Trump-Vance Administration’s explicit contempt for federal workers and its pattern of recklessness with highly sensitive data,” wrote Shriver in comments in response to the ICR notice. He said the Trump administration has demonstrated that it cannot be trusted with sensitive data, citing the administration’s recent admission that sensitive Social Security Administration data was sent to unauthorized individuals and shared on nongovernmental servers, and arguing that, through DOGE activities in particular, it is “playing fast and loose with government data.”

Jonathan Foley, a former OPM employee who advised on the FEHB program under the Obama and Biden administrations, believes there are valuable benefits to be gained from collecting and analysing personally identifiable data, but warned of the considerable potential for data misuse and the privacy risks. In his comments in response to the notice, Foley said the Trump administration has a poor record of properly handling sensitive information and has attempted to link identifiable data across federal programs and use it for reasons unrelated to the original purpose for which the data was collected. Foley suggests that de-identified data could be collected and maintained by a trusted entity other than OPM, with guardrails preventing federal authorities from demanding direct access to the data from that trusted entity. CVS Health suggests that OPM should convene a stakeholder working group to determine the specific data elements required to support the requested goals and to establish a consistent reporting framework.

Most recently, on April 17, 2026, a group of 16 Democratic members of the House Oversight Committee wrote to OPM Director Scott Kupor and Office of Management and Budget Director Russell Vought, calling for the withdrawal of the proposed plan due to the potential for data misuse, HIPAA violations, and concern that OPM lacks the necessary safeguards to responsibly protect sensitive data. “More than 8 million Americans receive health insurance under the FEHB and PSHB programs, including federal workers, mail carriers, and their immediate family members. They should be able to make medical decisions in consultation with their doctors—not the federal government,” wrote the lawmakers. “We therefore demand that OPM halt all plans to collect private health insurance data and provide a briefing on the decision to enact this policy.” The lawmakers have asked the Directors to explain the decision to obtain such an expansive dataset without any guardrails or protections for employee privacy.

The post OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism appeared first on The HIPAA Journal.

Minidoka Memorial Hospital Recovering from Easter Cyberattack

Minidoka Memorial Hospital was the victim of a cyberattack on Easter morning, and two further healthcare providers have confirmed they have been affected by the data breach at business associate Doctor Alliance: A Path of Care Home Health and Hospice and Team Select Holdings.

Minidoka Memorial Hospital, Idaho

Minidoka Memorial Hospital in Rupert, Idaho, has confirmed media reports of a cybersecurity incident. On April 17, 2026, Minidoka Memorial Hospital issued a statement on its Facebook page confirming that it experienced a cyber incident on Easter morning that temporarily impacted some of its computer systems.

While the incident did not prevent the hospital from providing care to patients, certain emergency patients were transferred to Intermountain Health Cassia Regional Hospital due to the inability to access certain medical imaging systems. Full access to those systems was restored on April 19, 2026. Minidoka Memorial Hospital said it was not necessary to postpone scheduled appointments, and patients with new health concerns continued to be treated, with the hospital operating under established downtime procedures until such time as systems are restored.

The investigation into the incident is ongoing, and the extent of unauthorized access to patient data has yet to be determined. According to Databreaches.net, a new threat group called Blackwater has claimed responsibility for the attack and has threatened to release the stolen data on April 24, 2026, if the ransom is not paid. Minidoka Memorial Hospital is one of three victims currently listed on the group’s dark web data leak site.

A Path of Care Home Health and Hospice, Oklahoma

A Path of Care Home Health and Hospice in Oklahoma has notified 3,849 individuals about a data breach at its business associate, Doctor Alliance. Doctor Alliance notified A Path of Care Home Health and Hospice on January 12, 2026, that it had been affected by the incident. A Path of Care Home Health and Hospice confirmed that the breach was limited to Doctor Alliance systems and that its own IT systems were unaffected.

The incident involved unauthorized access to documents containing patient information via a Doctor Alliance web portal between October 31, 2025, and November 17, 2025. The data compromised in the incident was limited to names, addresses, dates of birth, medical record numbers, dates of care, and diagnosis and treatment information. Doctor Alliance confirmed to A Path of Care Home Health and Hospice that several steps have been taken to improve security, including enhancing access controls, expanding monitoring capabilities, and strengthening detection, logging, and alerting measures. A Path of Care Home Health and Hospice has also taken steps to reduce the risk of similar incidents in the future, including conducting additional checks to ensure that medical record requests are coming from a verified source.

A Path of Care Home Health and Hospice is aware of claims that some of the information accessed by the unauthorized third party was further disclosed to other unauthorized individuals, although Doctor Alliance denied any knowledge of any further disclosures.

Team Select, Arizona

Team Select Holdings in Arizona and its affiliated entities were also affected by the data security incident at Doctor Alliance, although the breach was more limited, affecting 949 individuals. Team Select used the Doctor Alliance document management platform to facilitate physicians’ signatures on physician orders and notes. On January 11, 2026, Team Select was informed that it had been affected and that there had been unauthorized access to the platform between November 4, 2025, and November 6, 2025, and between November 14, 2025, and November 17, 2025.

Data compromised in the incident included names, Social Security numbers, dates of birth, addresses, phone numbers, gender information, medical record numbers, dates of care, Medicare or Medicaid IDs, diagnoses, medications, treatment information, physician information, and/or home health provider information. Team Select said it is reviewing its existing policies and procedures with its third-party vendors and working to evaluate additional measures that can be implemented to reduce the risk of similar incidents in the future.

The post Minidoka Memorial Hospital Recovering from Easter Cyberattack appeared first on The HIPAA Journal.

Ransomware Attack on Hospital Caribbean Medical Center Affects 92,000 Individuals

A ransomware attack on Hospital Caribbean Medical Center in Puerto Rico has affected up to 92,000 individuals. Data breaches have also been announced by Murray County Medical Center in Minnesota and Aligned Orthopedic Partners in Maryland.

Hospital Caribbean Medical Center, Puerto Rico

A major data breach has been announced by Hospital Caribbean Medical Center in Fajardo, Puerto Rico. While it is unclear when the attack occurred, the hospital issued a press release on February 8, 2026, about a cyberattack that targeted its information systems. The intrusion was detected by its monitoring systems, and steps were immediately taken to contain the incident and prevent further unauthorized access to its IT systems.

The types of information exposed in the incident were not detailed in the press release, nor was the number of affected individuals; however, the incident is now shown on the HHS’ Office for Civil Rights breach portal as affecting up to 92,000 individuals. Hospital Caribbean Medical Center said it has reinforced its monitoring systems, implemented additional updates to its technological infrastructure, and strengthened its internal security protocols.

While not described as a ransomware attack, a ransomware group claimed responsibility for the incident. A group known as The Gentlemen added Hospital Caribbean Medical Center to its dark web data leak site on February 17, 2026, claiming to have exfiltrated sensitive data, including patient information, and threatened to release the stolen data if the ransom was not paid.

Murray County Medical Center, Minnesota

The County of Murray has announced a data security incident that affected current and former patients of Murray County Medical Center in Slayton, Minnesota. The data breach was first announced in early March 2026, although the incident was first detected on August 21, 2025, when suspicious activity was observed in its IT systems.

A leading IT security firm was engaged to assist with the investigation, secure its network, and determine whether any sensitive data had been exposed or stolen in the incident. Unauthorized access to computer systems was confirmed; however, it took until January 27, 2026, to determine that patient and employee data had been compromised in the incident. Information exposed or stolen included patient names, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health insurance information, medical treatment information, and medical history information.

The data breach has recently been added to the HHS’ Office for Civil Rights breach portal as affecting 5,073 individuals. Murray County Medical Center has implemented additional safeguards to prevent similar incidents in the future and is offering the affected individuals complimentary credit monitoring and identity theft protection services.

Aligned Orthopedic Partners, Maryland

ASC Ortho Management Company, LLC, which does business as Aligned Orthopedic Partners, has announced a data security incident involving its email platform. Suspicious activity was identified on December 8, 2025, and the investigation confirmed that an unknown actor accessed the platform between November 16, 2026, and December 16, 2026, during which time, personal and protected health information may have been viewed or acquired.

The email system was reviewed, and on February 17, 2026, Aligned Orthopedic Partners confirmed that the exposed data included names, dates of birth, Social Security numbers, driver’s license or state identification numbers, Medicaid or Medicare numbers, financial account numbers, medical dates of service, medical provider names, mental or physical condition, medical treatment information, diagnosis or clinical information, prescription information, health insurance information, patient account numbers, and medical record numbers.

Notification letters were mailed to the affected individuals on April 17, 2026, and complimentary identity protection services have been offered. Steps have been taken to augment security to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Ransomware Attack on Hospital Caribbean Medical Center Affects 92,000 Individuals appeared first on The HIPAA Journal.

Tangoe Data Breach Settlement Receives Preliminary Approval

Tangoe, a provider of software solutions for managing telecom, mobile, and cloud expenses, has agreed to a settlement to resolve a class action lawsuit stemming from a November 2022 security incident. Tangoe experienced a cyberattack, exposing sensitive data such as names, dates of birth, Social Security numbers, medical information, health insurance information, medication information, billing and claims information, and financial account information. Hackers had access to its systems between November 15, 2022, and November 17, 2022.

The breach affected some of its healthcare clients and involved unauthorized access to the protected health information of 4,765 individuals, according to the breach notice filed with the HHS’ Office for Civil Rights. While the breach occurred in November 2022, it took until November 1, 2023, for the affected individuals to be notified. A lawsuit – Kevin McLinden v. Tangoe US, Inc. – was filed in the Superior Court for Marion County, Indiana, over the data breach, alleging Tangoe failed to implement reasonable and appropriate cybersecurity measures, leading to an entirely preventable data breach. Tangoe denies all claims and contentions in the lawsuit, including claims of wrongdoing, fault, and liability.

After prolonged and extensive arm’s length negotiations, all parties agreed to a settlement to avoid the expense and length of protracted litigation and the uncertainty of a trial and any related appeals. Under the terms of the settlement, class members are entitled to claim two years of credit monitoring services, which include a $1 million identity theft insurance policy. In addition to the credit monitoring services, class members may claim one or more cash payments.

A claim may be submitted for compensation for documented, unreimbursed ordinary losses due to the data breach incurred between November 2022 and June 3, 2026. Claims for reimbursement of ordinary losses have been capped at $750 per class member. A claim may also be submitted for compensation for lost time up to a maximum of four hours at $25 per hour ($100). The lost time claims are included in the $750 ordinary losses cap.

A claim may also be submitted for reimbursement of extraordinary losses, such as documented, unreimbursed losses due to identity theft and fraud. Claims for extraordinary losses have been capped at $5,000 per class member. If a claim for reimbursement of losses/lost time is not submitted, class members are eligible to claim an alternative pro rata cash payment. The cash payments will be paid from the remainder of the settlement fund, and are expected to be around $50, but may be higher or lower depending on the number of claims received. No proof is required to submit a claim for an alternative cash payment.

The deadline for exclusion and objection to the settlement is May 4, 2026. Claims must be submitted by June 3, 2026, and the final fairness hearing has been scheduled for June 11, 2026. Individuals who do nothing will receive no benefits and will lose the right to sue the defendant over the data breach or participate in other lawsuits related to the data breach.

The post Tangoe Data Breach Settlement Receives Preliminary Approval appeared first on The HIPAA Journal.