Author Archives: Steve Alder

Carespring Health Care Management & LifeBridge Health Settle Class Action Data Breach Lawsuits

Carespring Health Care Management in Ohio and LifeBridge Health in Maryland have agreed to settle class action lawsuits stemming from data breaches.

Carespring Health Care Management

Carespring Health Care Management has agreed to settle a class action lawsuit stemming from an October 2023 cyberattack and data breach. Hackers gained access to the protected health information of 64,609 individuals, including names, dates of birth, Social Security numbers, financial information, health insurance information, and medical information.

The first class action lawsuit over the data breach was filed by plaintiff Phyllis Rise on August 29, 2024. Four related actions were subsequently filed by other affected individuals. The five lawsuits were consolidated – Rice, et al., v. Carespring Health Care Management, LLC – in the Court of Common Pleas for Clermont County, Ohio, as the lawsuits had overlapping claims.

The consolidated lawsuit asserted several claims, including negligence/negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, fraud, misrepresentation, unjust enrichment, bailment, wantonness, and the failure to provide adequate notice about the data breach. Carespring Health Care Management denies all claims asserted in the lawsuit.

To avoid the expense, delay, and uncertainties of litigation, all parties agreed to a settlement, with no admission of liability or wrongdoing. Carespring Health Care Management will pay up to $305,000 to cover attorneys’ fees and expenses, service awards of $2,500 for each of the five class representatives, and benefits for the class members. Class members may submit a claim for two years of single-bureau credit monitoring services, and a claim for up to $4,500 as compensation for documented, unreimbursed losses resulting from the data breach. If a claim is not submitted for reimbursement of losses, class members may claim an alternative $50 cash payment.

The deadline for objection to and exclusion from the settlement is March 17, 2026. Claims must be submitted by April 16, 2026, and the final fairness hearing has been scheduled for April 28, 2026.

LifeBridge Health

LifeBridge Health Inc., a Maryland-based holding company for four Maryland hospitals and other affiliated entities, has agreed to pay $575,000 to settle class action litigation stemming from a cybersecurity incident detected in November 2024. LifeBridge Health determined that a hacker intermittently accessed its computer systems between August 27, 2024, and September 21, 2024, and potentially obtained patients’ protected health information. The affected individuals were notified about the data breach on April 1, 2025.

A lawsuit was filed in the Circuit Court for Baltimore County, Maryland, in response to the data breach, alleging it could have been prevented had LifeBridge Health implemented reasonable and appropriate cybersecurity measures. The lawsuit – Ragin v. LifeBridge Health, Inc. – asserted claims of negligence, alleged breach of implied contract, and breach of the implied covenant of good faith and fair dealing. LifeBridge Health denies all allegations in the lawsuit and maintains there was no wrongdoing. While believing that it would have prevailed at trial, the decision was taken to settle the litigation to avoid the cost, distraction, and uncertainty of trial and related appeals.

A $575,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. The remainder of the fund will be used to pay for benefits for the class members. LifeBridge Health has also agreed to make data security enhancements to better protect patient data.

A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a flat cash payment, which will be paid pro rata after all valid claims have been paid. The cash payment is estimated to be $100 per class member, but may be higher or lower depending on the number of valid claims received. The deadline for objection to and exclusion from the settlement is February 28, 2026. The deadline for submitting a claim is February 28, 2026, and the final fairness hearing has been scheduled for March 20, 2026.

The post Carespring Health Care Management & LifeBridge Health Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.

HHS Office for Civil Rights Establishes Part 2 Enforcement Program

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has established a civil enforcement program for the 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations.

The Coronavirus Aid, Relief, and Economic Security (CARES) Act, an economic stimulus bill signed into law on March 27, 2020, included a section (Section 3221) related to the confidentiality and disclosure of substance use disorder (SUD) records. The CARES Act directed the HHS to implement changes to align the Part 2 regulations more closely with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, to enhance protections and improve patient rights, while allowing a more flexible approach to the sharing of SUD records with patient consent to improve care coordination.

In February 2024, the HHS issued a final rule that modified the Part 2 regulations by implementing the changes mandated by Section 3221 of the CARES Act. The final rule improves coordination among providers treating patients for SUD, aligns certain Part 2 requirements with the HIPAA Privacy Rule and HIPAA Breach Notification Rule, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.

The final rule also implemented a new penalty structure, mirroring that of HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. OCR has been granted authority to enforce compliance, and if violations are identified, they will be subject to the same range of enforcement mechanisms as HIPAA. Violations of the Part 2 regulations can be resolved with civil monetary penalties, resolution agreements, monetary settlements, and corrective action plans to address areas of noncompliance.

The enforcement program uses newly established mechanisms of civil enforcement to protect the confidentiality of SUD records held by covered SUD programs. “At President Trump’s direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative,” said HHS Secretary Robert F. Kennedy, Jr. “Americans seeking treatment for substance use disorder deserve comprehensive care without sacrificing their privacy or legal protections.”

This is the first time that such mechanisms have been established, and they will help to ensure that the privacy of Americans seeking treatment for substance use disorder is protected. “OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens,” said OCR Director Paula M. Stannard. “OCR is uniquely positioned to enforce patient rights and the regulated community’s obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA.”

OCR must be notified about any breach of SUD records, and the agency will investigate breaches to determine if they were the result of noncompliance. On February 16, 2026, OCR started accepting complaints about potential violations of the Part 2 regulations, including civil rights and breach notifications related to SUD records.

Complaints about potential Part 2 violations should be submitted via the OCR breach portal. Individuals are encouraged to file a complaint if they believe that their civil rights or health information privacy have been violated, but also if they suspect that the civil rights or health information privacy of other individuals have been violated. Complaints will be investigated, and if substantiated, violations will be resolved through the newly established enforcement mechanisms.

The OCR breach portal has been updated to show entities and individuals that have experienced breaches of Part 2 records. As with the section of the OCR breach portal for HIPAA breach reports, a summary of each breach of Part 2-covered records is listed. The listings include basic information about the breach – the name of the Part 2 Program, state, individuals affected, breach submission date, type of breach, and the location of breached information. When OCR has completed its investigation of a breach, the listing will be moved to the archive, with brief notes added from OCR’s investigation. The breach portal only includes large breaches of SUD records – those affecting 500 or more individuals. Smaller breaches are not made public, although the breach reporting requirements are the same, irrespective of the size of the breach.


Data Breach Settlements Agreed by Centrelake Medical Group & Des Moines Orthopaedic Surgeons

Class action lawsuits over data breaches at Centrelake Medical Group and Des Moines Orthopaedic Surgeons have been resolved with settlements.

Centrelake Medical Group Settlement

Centrelake Medical Group, the operator of 8 medical imaging and oncology centers in California, has agreed to settle a class action lawsuit stemming from a 2019 cybersecurity incident that affected 197,661 patients. Centrelake Medical Group experienced a ransomware attack in February 2019. The hackers had access to its servers from January 9 to February 19, 2019, and potentially obtained information such as names, phone numbers, addresses, Social Security numbers, health insurance information, diagnoses, services performed, dates of service, medical record numbers, referring provider information, and driver’s license numbers.

A lawsuit was filed in response to the data breach – April Kay Moore, et al. v. Centrelake Medical Group, Inc. – in the Superior Court of California, County of Los Angeles Civil Division, which asserted claims of breach of express and/or implied contractual promise, breach of covenant of good faith and fair dealing, violation of Civil Code § 56, et seq., and violation of California Business and Professions Code § 17200, et seq.

Centrelake Medical Group denies all claims of liability and wrongdoing but determined that the litigation would likely be protracted and expensive, and agreed to a settlement. Centrelake Medical Group has agreed to pay $525,000 for attorneys’ fees and expenses, $2,500 for each of the class representatives, and will cover notice and settlement costs.

Class members are entitled to enroll in two years of free medical and credit monitoring services, and claims may be submitted for documented, unreimbursed losses due to the data breach. A cap of $500 has been placed on ordinary losses due to the data breach, and a cap of $3,500 has been placed on extraordinary losses. Individuals who were California residents at the time of the data breach may also claim an additional $50 cash payment. The deadline for submitting a claim is June 12, 2026, and the final fairness hearing has been scheduled for July 14, 2026.

Des Moines Orthopaedic Surgeons Settlement

Des Moines Orthopaedic Surgeons in Iowa has agreed to settle class action litigation over a 2023 data breach. Des Moines Orthopaedic Surgeons experienced a data security incident in February 2023 that impacted its computer systems and resulted in the theft of the protected health information of 307,864 current and former patients. Data compromised in the incident included names, Social Security numbers, dates of birth, driver’s license numbers, state identification numbers, passports, direct deposit bank information, medical information, and health insurance information.

Three class action lawsuits were filed in response to the data breach, which were consolidated – Rogers, et al., v. Des Moines Orthopaedic Surgeons, P.C. – in the Iowa District Court for Dallas County. The plaintiffs alleged that the data breach was due to the failure to implement appropriate cybersecurity measures to protect patient data. Des Moines Orthopaedic Surgeons denies all claims of liability and wrongdoing but opted to settle the litigation to avoid the costs, expense, distraction, burden, and disruption to business operations of continuing with the litigation.

The settlement includes monetary relief for the class members, which has been capped at $1,000,000. Class members are entitled to claim three years of three-bureau credit monitoring and identity theft protection services. In addition, a claim may be submitted for reimbursement of losses due to the data breach and compensation for lost time. A claim may be submitted for reimbursement of documented, unreimbursed ordinary out-of-pocket losses up to a maximum of $400 per class member, up to four hours of lost time at $25 an hour, and reimbursement of documented, unreimbursed extraordinary losses up to a maximum of $5,000 per class member.

If a claim for reimbursement of losses and lost time is not submitted, class members may claim an alternative cash payment. Those payments are $25 if their Social Security number was not compromised, and $100 if their Social Security number was compromised. The deadline for submitting a claim is March 23, 2026, and the final fairness hearing has been scheduled for April 2, 2026. Individuals wishing to object to the settlement or exclude themselves have until February 23, 2026, to do so.


February 16, 2026: Compliance Deadline for Part 2 Final Rule

The deadline for compliance with the 42 CFR Part 2 Confidentiality of Substance Use Disorder (SUD) Patient Records (Part 2) Final Rule was February 16, 2026. Entities subject to the Part 2 regulations must ensure compliance with the new requirements, which are now in effect and being actively enforced. The Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records was announced by the HHS’ Office for Civil Rights (OCR) on February 13, 2026. In that announcement, OCR confirmed that, from February 16, 2026, OCR will accept complaints alleging violations of the regulation that protects the confidentiality of SUD patient records and alleged breach notification violations.

The final rule was issued by OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) on February 8, 2024, to better align the Part 2 regulations with the Health Insurance Portability and Accountability Act (HIPAA). The final rule took effect on April 16, 2024, and entities covered by the Part 2 regulations were given 11 months to comply with the new requirements.

Aligning the Part 2 regulations more closely with HIPAA removes barriers to information sharing and should improve care coordination, without eliminating important privacy protections. The final rule expanded patient rights regarding uses and disclosures of SUD records and has made compliance less complex for entities subject to both sets of regulations.

Some of the key new requirements are detailed below:

  • A single patient consent for all future uses and disclosures of SUD records for treatment, payment, and healthcare operations is permitted
  • HIPAA-regulated entities may redisclose SUD records received under that consent in accordance with the HIPAA Privacy Rule
  • Part 2 records no longer need to be segregated
  • SUD records may be disclosed to public health authorities if de-identified in accordance with HIPAA standards
  • Patients may obtain an accounting of disclosures of their SUD records
  • Patients may request restrictions on certain disclosures of their SUD records
  • Patients may file complaints with the HHS about potential Part 2 violations
  • Covered entities must establish a complaints program
  • Restrictions on the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order
  • A safe harbor requires investigative agencies to take steps if they discover they have received Part 2 records without having first obtained the required court order
  • The HIPAA Breach Notification Rule requirements apply to Part 2 records. Entities experiencing a breach of Part 2 records must self-report the data breaches to the HHS and issue individual notifications

A final rule issued under the Biden administration in December 2024 – HIPAA Privacy Rule to Support Reproductive Health Care Privacy – to prohibit disclosures of reproductive health information related to criminal, civil, or administrative investigations was overturned by a Texas judge last year. The final rule included a section relating to 45 C.F.R. 164.520 (notice of privacy practices – NPP), concerning SUD records, which remains in place. The deadline for updating and distributing NPPs to reflect the heightened protections for SUD records is also February 16, 2026.

The requirements under HIPAA for NPPs are detailed in this post – HIPAA Notice of Privacy Practices. Before the February 16, 2026, deadline, entities subject to the Part 2 regulations must update their NPPs. The NPP must notify individuals about the permitted uses and disclosures of Part 2 records, explain the legal rights of individuals with respect to their Part 2 records, explain the more stringent limits on Part 2 records and how they differ from HIPAA, explain how the use of SUD records in civil, criminal, administrative, or legislative proceedings against an individual is limited, and notify individuals that the use or disclosure of Part 2 records for treatment, payment, and health care operations generally requires the individual’s written consent.

If SUD records are created or maintained by the entity, the additional elements that must be included in the NPP are explained below:

  • Notice about rights with respect to SUD records – Individuals must receive “adequate notice of the uses and disclosures of such records, and of the individual’s rights and the covered entity’s legal duties with respect to such records.” While HIPAA permits certain uses and disclosures of protected health information without authorization, the rules are different for SUD records. If the HIPAA NPP and the Part 2 NPP are combined, then the NPP must contain all of the required elements under 42 CFR 2.22.
  • Limits on the Use of SUD Records – Covered entities must state the difference between Part 2 and HIPAA. A statement must be included with respect to SUD treatment records to explain that “[SUD Records] received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.”
  • Notice about other laws that are more restrictive than HIPAA – The permitted uses and disclosures explained in the NPP are limited by laws more restrictive than HIPAA, such as Part 2, and the description of uses and disclosures must reflect the more stringent law. If another law permits or requires disclosures, the description in the NPP about uses and disclosures must include sufficient detail to place the individual on notice of uses and disclosures permitted or required by HIPAA, along with any other applicable law, including Part 2.
  • Notice about redisclosure of Part 2 records – The NPP must contain a statement advising patients about the potential redisclosure of records. If information is disclosed pursuant to the HIPAA Privacy Rule, the records could potentially be redisclosed and will no longer be protected under the HIPAA Privacy Rule.
  • Fundraising – If an entity that creates or maintains Part 2 records intends to use that information for fundraising purposes for the benefit of the covered entity, individuals must be presented with a clear and conspicuous opportunity to choose not to receive fundraising communications.

In August 2025, HHS Secretary Robert F. Kennedy Jr. delegated the authority for enforcing compliance with the Part 2 regulations to OCR. Enforcement of compliance with the Part 2 regulations will follow the same process as enforcement of HIPAA compliance, meaning OCR can enter into resolution agreements, monetary settlements, and corrective action plans with entities subject to the Part 2 regulations and can also impose civil monetary penalties for noncompliance. The financial penalties for noncompliance also align with HIPAA, increasing from $500 for a first offense and $5,000 for subsequent offenses to the current HIPAA penalties, which in 2025, range from $141 to $2.1 million, with criminal penalties also possible. The penalty amounts are subject to annual increases in line with inflation.


2025 Healthcare Data Breach Report

More than 700 healthcare data breaches affecting 500 or more individuals are being reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) each year. While that unwelcome trend didn’t change in 2025, there was a year-over-year reduction in healthcare data breaches. Based on the current data downloaded from OCR, data breaches have fallen by 4.3% year-over-year.

While that could signal a turn in the tide, it is perhaps a little early to draw such conclusions, as data breaches from 2025 are still being added to the OCR breach portal. When we compiled our 2024 healthcare data breach report in January 2025, 725 large healthcare data breaches were listed on the OCR breach portal. That total increased to 742 data breaches over the following few months. While a similar number of late additions would still mean an annual decrease in data breaches, there was a 43-day shutdown of the federal government in late 2025 due to the failure of Congress to pass appropriations legislation. During that period, no data breaches were added to the OCR breach portal. The late additions in 2026 could therefore be considerably higher than in previous years.

What is clear is that the large annual increases in data breaches between 2018 and 2021 appear to have come to an end, with data breaches plateauing in the 700 to 750 range, which is around two large healthcare data breaches a day – twice the rate in 2018.

Healthcare data breaches 2021-2025

While data breaches are only down slightly, there has been a massive reduction in the number of individuals affected by healthcare data breaches. In 2024, a new record was set for breached healthcare records, with 289,162,330 individuals having their protected health information exposed or impermissibly disclosed. In 2025, at least 61,556,256 individuals had their protected health information exposed or impermissibly disclosed, a 78.7% decrease from 2024. Even if the 192,700,000 individuals affected by the Change Healthcare ransomware attack in 2024 are discounted entirely, last year’s total would still be significantly down year-over-year, largely due to a fall in the number of mega data breaches affecting more than 1 million individuals. In 2024, there were 18 of these mega breaches, but only 9 mega breaches were reported in 2025. The average data breach size fell from 389,707 individuals (median: 6,702 individuals) in 2024 to 86,699 individuals (median: 4,011 individuals) in 2025.

Individuals affected by healthcare data breaches 2021-2025

The Biggest Healthcare Data Breaches of 2025

The table below shows the top 20 healthcare data breaches of 2025, the biggest of which was a hacking incident at the insurance company Aflac, which affected more than 22.6 million individuals globally and involved unauthorized access to the protected health information of almost 14 million individuals in the United States. While the nature of the attack was not disclosed, the cyberattack is thought to be the work of the Scattered Spider hacking group, a financially-motivated English-speaking hacking group whose members are primarily located in the United States and the United Kingdom.

While most of the top 20 data breaches were hacking incidents, the data breach at Blue Shield of California involved the use of tracking tools on its website, which may have disclosed personal information and, in some cases, protected health information to third parties such as Meta Platforms and Google. The data breach at Serviceaide involved an improperly secured database, which could be freely accessed via the internet without any authentication, and two of the top 20 data breaches of 2025 involved compromised email accounts: Numotion and Onsite Mammography.

The table below could change over the coming few months as many investigations of 2025 healthcare data breaches have not yet concluded. For instance, the data breach at Covenant Health was reported to OCR as affecting just 7,864 individuals, but in January 2025, the Maine Attorney General was informed that 478,188 individuals were affected. The OCR data breach portal has yet to be updated with the new total. Further, the OCR breach portal currently lists 64 data breaches with totals of 500 or 501 affected individuals – placeholder figures commonly used when data reviews have yet to conclude.

| Rank | Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|---|
| 1 | Aflac Incorporated (“Aflac”) | GA | Health Plan | 13,924,906 | Hacking incident |
| 2 | Yale New Haven Health System | CT | Healthcare Provider | 5,556,702 | Hacking incident |
| 3 | Episource, LLC | CA | Business Associate | 5,418,866 | Hacking incident |
| 4 | Blue Shield of California | CA | Business Associate | 4,700,000 | PHI disclosure due to website tracking tools |
| 5 | DaVita Inc. | CO | Healthcare Provider | 2,689,826 | Ransomware attack |
| 6 | Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 | Hacking incident |
| 7 | Radiology Associates of Richmond, Inc. | VA | Healthcare Provider | 1,419,091 | Hacking incident |
| 8 | Southeast Series of Lockton Companies, LLC (Lockton) | GA | Business Associate | 1,124,727 | Hacking incident |
| 9 | Community Health Center, Inc. | CT | Healthcare Provider | 1,060,936 | Hacking incident |
| 10 | Frederick Health | MD | Healthcare Provider | 934,326 | Ransomware attack |
| 11 | McLaren Health Care | MI | Healthcare Provider | 743,131 | Ransomware attack |
| 12 | Medusind Inc. | FL | Business Associate | 701,475 | Hacking incident |
| 13 | Kelly & Associates Insurance Group, Inc. | MD | Business Associate | 553,332 | Hacking incident |
| 14 | Decisely Insurance Services, LLC | GA | Business Associate | 537,603 | Hacking incident |
| 15 | United Seating and Mobility, LLC d/b/a Numotion | TN | Healthcare Provider | 529,004 | Phishing attack |
| 16 | Serviceaide, Inc. | CA | Business Associate | 483,126 | Database exposed on the internet |
| 17 | Goshen Medical Center | NC | Healthcare Provider | 456,385 | Hacking incident |
| 18 | Ascension Health | MO | Healthcare Provider | 437,329 | Hacking incident at a business associate |
| 19 | Northwest Radiologists, Inc./Mount Baker Imaging | WA | Healthcare Provider | 362,713 | Hacking incident |
| 20 | Onsite Mammography | MA | Business Associate | 357,265 | Compromised email account |


2025 Healthcare Data Breaches

| Data Breach Size | Number of breaches |
|---|---|
| 10,000,000+ | 1 |
| 1,000,000 – 9,999,999 | 8 |
| 500,000 – 999,999 | 6 |
| 100,000 – 499,000 | 64 |
| 10,000 – 99,999 | 176 |
| 1,000 – 9,999 | 309 |
| 500 – 999 | 146 |
| Total | 710 |
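As an added example (not code from The HIPAA Journal), the following Python script reproduces the kind of breakdown the report compiles from the OCR portal download: the size-bucket table above, average and median breach size, per-type averages, and a count of the 500/501 placeholder totals mentioned earlier. It assumes the CSV column headers match the portal export; the rows are constructed sample data, not real breach reports.

```python
"""Size buckets and summary statistics for OCR breach-portal style records.

Added example, not from The HIPAA Journal. Column names are assumed to
match the OCR breach portal CSV export; the sample rows are constructed.
"""
import csv
import io
import statistics
from collections import Counter

# Constructed sample in the layout of an OCR breach portal export (not real data).
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Health Plan A,GA,Health Plan,12000000,06/20/2025,Hacking/IT Incident,Network Server
Example Provider B,CT,Healthcare Provider,2345678,04/11/2025,Hacking/IT Incident,Network Server
Example Associate C,CA,Business Associate,250000,05/09/2025,Hacking/IT Incident,Network Server
Example Provider D,TX,Healthcare Provider,35000,08/01/2025,Improper Disposal,Paper/Films
Example Provider E,OH,Healthcare Provider,7500,03/03/2025,Unauthorized Access/Disclosure,Email
Example Provider F,NY,Healthcare Provider,501,09/15/2025,Hacking/IT Incident,Network Server
Example Provider G,WA,Healthcare Provider,500,10/02/2025,Hacking/IT Incident,Email
Example Clinic H,IA,Healthcare Provider,1200,11/20/2025,Unauthorized Access/Disclosure,Electronic Medical Record
"""

# Size buckets from the report's "2025 Healthcare Data Breaches" table:
# (lower bound, upper bound inclusive or None for open-ended, label).
BUCKETS = [
    (10_000_000, None, "10,000,000+"),
    (1_000_000, 9_999_999, "1,000,000 - 9,999,999"),
    (500_000, 999_999, "500,000 - 999,999"),
    (100_000, 499_999, "100,000 - 499,999"),
    (10_000, 99_999, "10,000 - 99,999"),
    (1_000, 9_999, "1,000 - 9,999"),
    (500, 999, "500 - 999"),
]

# Totals commonly reported before a data review has concluded.
PLACEHOLDER_TOTALS = {500, 501}


def parse_records(text):
    """Parse portal-style CSV text into dicts with an integer 'affected' field."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        affected = int(row["Individuals Affected"].replace(",", ""))
        records.append({
            "entity": row["Name of Covered Entity"],
            "entity_type": row["Covered Entity Type"],
            "affected": affected,
            "breach_type": row["Type of Breach"],
            "location": row["Location of Breached Information"],
        })
    return records


def bucket_label(affected):
    """Return the report's size-bucket label, or None if below the 500 threshold."""
    for low, high, label in BUCKETS:
        if affected >= low and (high is None or affected <= high):
            return label
    return None


def size_distribution(records):
    """Count breaches per size bucket, in the report's table order."""
    counts = Counter(bucket_label(r["affected"]) for r in records)
    return [(label, counts.get(label, 0)) for _, _, label in BUCKETS]


def summary(records):
    """Average and median breach size plus the number of placeholder totals."""
    sizes = [r["affected"] for r in records]
    return {
        "breaches": len(sizes),
        "individuals": sum(sizes),
        "average": round(sum(sizes) / len(sizes)),
        "median": statistics.median(sizes),
        "placeholder_totals": sum(1 for s in sizes if s in PLACEHOLDER_TOTALS),
    }


def by_breach_type(records):
    """Average and median size per 'Type of Breach', as the report compares them."""
    groups = {}
    for r in records:
        groups.setdefault(r["breach_type"], []).append(r["affected"])
    return {
        kind: {"count": len(v), "average": round(sum(v) / len(v)), "median": statistics.median(v)}
        for kind, v in groups.items()
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for label, n in size_distribution(recs):
        print(f"{label:>24}  {n}")
    print(summary(recs))
    for kind, stats in by_breach_type(recs).items():
        print(kind, stats)
```

Point `parse_records` at the text of a real portal export to get the same breakdown for a full year; placeholder totals are the rows to re-check before quoting an annual figure.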

Average size of healthcare data breaches 2009-2025

Median size of healthcare data breaches 2009-2025

2025 Healthcare Data Breach Causes

Hacking and other IT incidents continue to dominate the breach reports. The majority of these incidents are hacking incidents, as has been the case for many years. There has been a growing trend in recent years of entities suffering data breaches failing to disclose the root cause of the data breach, such as if a hacking incident involved data theft, extortion, malware, or ransomware. The Identity Theft Resource Center reports that this is a problem across all industry sectors, not just healthcare.

Causes of 2025 healthcare data breaches

The problem with the lack of information in breach notices is that individuals are not given sufficient information to make an accurate determination about the level of risk they face. Most ransomware attacks involve data theft and extortion. If the ransom is not paid, the stolen data is leaked on the dark web or sold. According to the cybersecurity firm Black Fog, 96% of ransomware attacks involve data theft, and the ransomware remediation firm Coveware reports that in Q4, 2025, only 20% of ransomware victims paid the ransom. Those figures suggest that 76.8% of ransomware attacks result in data being leaked. If the breach victims are told that ransomware was involved, their data will likely be leaked, and it would be prudent to take steps to prevent data misuse. If they are only told that their data has been exposed, they may incorrectly assume that they do not face a high risk of data misuse and may choose to take no action.

Black Fog reports that ransomware attacks reached record levels in 2025, with 1,174 confirmed attacks across all industry sectors, and healthcare was the worst affected sector, accounting for 22% of attacks. There has also been a growing trend of data theft and extortion, with threat actors skipping file encryption. The PEAR threat group emerged in 2025 and only engages in data theft and extortion. The group claimed many healthcare victims in 2025. Other common IT incidents in 2025 include improperly secured databases, which exposed healthcare data via the internet, and phishing attacks that resulted in unauthorized access to email accounts.

Hacking incidents at HIPAA-regulated entities 2021-2025

Individuals affected by Hacking incidents at HIPAA-regulated entities 2021-2025

Hacking and other IT incidents tend to affect more individuals than other types of breaches. In 2025, these incidents affected an average of 105,623 individuals (median: 5,434 individuals), compared to an average of 9,909 individuals (median: 1,662 individuals) for unauthorized access/disclosure incidents, and an average of 4,402 individuals (median: 1,690 individuals) for loss/theft incidents.

While there were small decreases in hacking/IT incidents, loss/theft incidents, and improper disposal incidents year-over-year, there was a 17.4% increase in unauthorized access/disclosure incidents. These incidents include data theft by malicious insiders and inadvertent data exposures due to carelessness by employees. Staff HIPAA training can go a long way toward reducing these types of breaches. Making all staff members aware of their responsibilities under HIPAA and the consequences of HIPAA violations if they are discovered can help to reduce the risk of these types of breaches.

Unauthorized access/disclosure incidents at HIPAA-regulated entities 2021-2025

Individuals affected by Unauthorized access/disclosure incidents at HIPAA-regulated entities 2021-2025

Regular security awareness training can help to eradicate risky security practices that frequently result in data breaches. It is also important for regulated entities to have the software, policies, and procedures in place to allow them to identify and remediate insider incidents quickly. Loss and theft incidents are becoming far less common due to the shift to cloud storage of PHI, and easier-to-implement and more cost-effective encryption options. While these incidents were once a leading cause of healthcare data breaches, they are now relatively rare.

Loss and theft data breaches at HIPAA-regulated entities 2021-2025

Individuals affected by loss and theft data breaches at HIPAA-regulated entities 2021-2025

Improper disposal incidents are also something of a rarity. In 2025, there was only one such incident at a HIPAA-regulated entity, although it was a significant data breach, affecting more than 35,000 individuals.

Improper disposal data breaches at HIPAA-regulated entities 2021-2025

Individuals affected by improper disposal data breaches at HIPAA-regulated entities 2021-2025

Location of Breached Protected Health Information

A majority of the year’s data breaches involved exposed and stolen protected health information stored on network servers (61.5%), with almost a quarter of data breaches (24.9%) involving compromised email accounts. Physical PHI – paper and films – was compromised in 5.6% of the year’s data breaches, and 4.6% of data breaches involved unauthorized access to electronic medical records.

Location of breached protected health information in 2025

Data Breaches at HIPAA-Regulated Entities

The OCR data breach portal currently lists 523 data breaches at healthcare providers, 56 data breaches at health plans, and two data breaches at healthcare clearinghouses. A further 128 data breaches were reported by business associates of HIPAA-covered entities.

When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure compliance with the notification requirements of the HIPAA Breach Notification Rule. The covered entity may delegate the responsibility of issuing notifications to the business associate, or the covered entity may choose to issue notifications, or a combination of the two. Some healthcare data breach reports fail to take this into account, resulting in business associate data breaches being undercounted.

The charts below are based on the entity that experienced the data breach, rather than the entity that reported the breach. In 2025, 57.5% of data breaches occurred at healthcare providers, 35.8% at business associates, 6.5% at health plans, and 0.3% at healthcare clearinghouses.

Data breaches at HIPAA-regulated entities in 2025

Individuals affected by data breaches at HIPAA-regulated entities in 2025

Geographical Distribution of Healthcare Data Breaches

Data breaches affecting 500 or more individuals were reported by HIPAA-regulated entities in 49 U.S. states, the District of Columbia, and Puerto Rico in 2025. The only state to avoid a large healthcare data breach in 2025 was Vermont.

| State/Territory | Data Breaches | State/Territory | Data Breaches |
| --- | --- | --- | --- |
| California | 69 | Kansas | 8 |
| Florida | 47 | Oklahoma | 8 |
| Texas | 47 | Arkansas | 7 |
| New York | 44 | Iowa | 7 |
| Ohio | 37 | Nebraska | 7 |
| Pennsylvania | 32 | South Carolina | 7 |
| Michigan | 26 | Alaska | 6 |
| Illinois | 25 | Alabama | 6 |
| Georgia | 23 | Colorado | 6 |
| North Carolina | 22 | Maine | 6 |
| Missouri | 20 | Utah | 5 |
| Indiana | 18 | Idaho | 4 |
| Massachusetts | 17 | Mississippi | 4 |
| Maryland | 17 | Montana | 4 |
| Minnesota | 17 | New Mexico | 4 |
| Tennessee | 16 | Nevada | 4 |
| Virginia | 16 | Rhode Island | 4 |
| Washington | 16 | West Virginia | 4 |
| Wisconsin | 16 | New Hampshire | 3 |
| Arizona | 15 | Delaware | 2 |
| Louisiana | 13 | Hawaii | 2 |
| New Jersey | 12 | South Dakota | 2 |
| Connecticut | 11 | Wyoming | 2 |
| Oregon | 10 | District of Columbia | 1 |
| Kentucky | 9 | North Dakota | 1 |

While California was the worst-affected state in terms of data breaches, Georgia took top spot for affected individuals.

| State/Territory | Affected Individuals | State/Territory | Affected Individuals |
| --- | --- | --- | --- |
| Georgia | 16,050,351 | Minnesota | 222,210 |
| California | 11,849,467 | Iowa | 218,559 |
| Connecticut | 7,048,122 | Wisconsin | 199,972 |
| Maryland | 3,809,252 | Rhode Island | 176,500 |
| Florida | 3,372,753 | Maine | 158,054 |
| Colorado | 2,708,292 | Idaho | 154,525 |
| Virginia | 1,900,219 | South Dakota | 132,161 |
| Michigan | 1,812,898 | Louisiana | 114,599 |
| North Carolina | 1,484,108 | Nebraska | 114,313 |
| Texas | 1,034,662 | South Carolina | 97,122 |
| New York | 1,032,819 | Nevada | 90,241 |
| Tennessee | 832,230 | Alaska | 90,073 |
| Pennsylvania | 811,816 | Oregon | 86,813 |
| Missouri | 787,413 | New Mexico | 86,235 |
| Washington | 628,651 | West Virginia | 76,191 |
| Indiana | 621,441 | New Hampshire | 73,816 |
| Ohio | 577,751 | Mississippi | 60,205 |
| Illinois | 513,672 | Puerto Rico | 50,000 |
| Massachusetts | 465,095 | Utah | 42,651 |
| New Jersey | 448,143 | Oklahoma | 38,342 |
| Kansas | 438,181 | Montana | 36,485 |
| Arkansas | 261,435 | Wyoming | 15,883 |
| Arizona | 243,894 | Delaware | 14,635 |
| Kentucky | 233,836 | Hawaii | 8,972 |
| Alabama | 228,199 | District of Columbia | 1,847 |

HIPAA Violation Penalties in 2025

HIPAA penalties 2009-2025

Last year, OCR almost set a new record for HIPAA enforcement actions, with 21 investigations of complaints and data breaches resolved with settlements or civil monetary penalties. While 2025 saw the second-highest-ever number of HIPAA cases resolved with financial penalties, OCR only collected $8,330,066 in fines, as the majority of penalties were imposed for violations of a single HIPAA provision.

HIPAA Penalties 2017-2025

In 2025, a key focus for OCR was compliance with the risk analysis provision of the HIPAA Security Rule. A comprehensive, organization-wide risk analysis is vital for security. If a risk analysis is not conducted or if it is incomplete, risks are likely to remain unaddressed and may be found and exploited by threat actors. OCR’s compliance audits and data breach investigations have frequently identified risk analysis failures, prompting OCR to launch a risk analysis enforcement initiative.

By focusing on this vital aspect of HIPAA compliance, rather than investigating data breaches more broadly for HIPAA noncompliance, OCR has been able to make significant inroads into addressing its backlog of data breach investigations. The consequence of this approach is that, because each penalty covers violations of a single HIPAA provision, the financial penalties are lower.

| Area of Noncompliance | Number of Enforcement Actions |
| --- | --- |
| Risk analysis | 16 |
| Breach notifications | 5 |
| Impermissible disclosure of ePHI | 4 |
| Recording and monitoring activity in information systems | 3 |
| Right of Access | 3 |
| Risk management | 3 |
| Social media | 1 |
| Information access management | 1 |
| Procedures to create and maintain retrievable exact copies of ePHI | 1 |

In 2025, 76% of all enforcement actions included a penalty for a risk analysis failure. OCR has also started to look closely at compliance with the Breach Notification Rule, which was the second most common reason for a financial penalty. The HIPAA Breach Notification Rule requires notices to OCR, individuals, and the media within 60 days of the discovery of a data breach. More than one-fifth of enforcement actions included a penalty for breach notification failures.

OCR has confirmed that its enforcement priorities in 2026 will be largely the same as in 2025. OCR will continue with its HIPAA Right of Access and risk analysis enforcement initiatives, with the latter being expanded to include risk management. In addition to demonstrating that risks have been identified, OCR will want to see evidence that the identified risks have been managed and reduced in a timely manner.

OCR HIPAA Settlements in 2025

| HIPAA-Regulated Entity | Penalty Amount | Reason for Penalty |
| --- | --- | --- |
| Elgon Information Systems | $80,000 | Risk analysis failure |
| Virtual Private Network Solutions | $90,000 | Risk analysis failure |
| USR Holdings | $337,750 | Risk analysis failure; recording activity in information systems; procedures to create and maintain retrievable exact copies of ePHI; impermissible disclosure of 2,903 individuals’ PHI |
| Solara Medical Supplies | $3,000,000 | Risk analysis failure; risk management failure; breach notification failure (individuals, media, HHS); impermissible disclosure of the PHI of 114,007 and 1,531 individuals |
| South Broward Hospital District (Memorial Health System) | $60,000 | HIPAA Right of Access failure |
| Northeast Surgical Group | $10,000 | Risk analysis failure |
| Health Fitness Corporation | $227,816 | Risk analysis failure |
| Northeast Radiology, P.C. | $350,000 | Risk analysis failure |
| Guam Memorial Hospital Authority | $25,000 | Risk analysis failure |
| PIH Health | $600,000 | Risk analysis failure; breach notification failure (media notice, HHS notice); impermissible disclosure of PHI |
| Comprehensive Neurology, PC | $25,000 | Risk analysis failure |
| Vision Upright MRI | $5,000 | Risk analysis failure; breach notification failure |
| BayCare Health System | $800,000 | Information access management failure (minimum necessary standard); risk management failure; lack of information system activity reviews |
| Comstar, LLC | $75,000 | Risk analysis failure |
| Deer Oaks – The Behavioral Health Solution | $225,000 | Risk analysis failure; impermissible disclosure of ePHI |
| Syracuse ASC (Specialty Surgery Center of Central New York) | $250,000 | Risk analysis failure; breach notification failure (OCR, individuals) |
| BST & Co. CPAs, LLP | $175,000 | Risk analysis failure |
| Cadia Healthcare Facilities | $182,000 | Social media disclosure without authorization; breach notification failure |
| Concentra Inc. | $112,500 | HIPAA Right of Access failure |
Concentra Inc. $112,500 HIPAA Right of Access failure

OCR HIPAA Civil Monetary Penalties in 2025

| HIPAA-Regulated Entity | Penalty Amount | Reason for Penalty |
| --- | --- | --- |
| Warby Parker | $1,500,000 | Risk analysis failure; risk management failure; lack of monitoring of activity in information systems containing ePHI |
| Oregon Health & Science University | $200,000 | HIPAA Right of Access failure |

State attorneys general also enforce HIPAA compliance and can impose financial penalties, although some state attorneys general impose fines for violations of state data privacy and security rules. In 2025, only one enforcement action was announced by a state attorney general. The New York attorney general imposed a $500,000 financial penalty on Orthopedics NY LLP for cybersecurity failures that led to a data breach affecting 656,086 individuals. The penalty was imposed for violations of New York laws, although the HIPAA Security Rule was undoubtedly also violated.

The post 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Emergency Medical Services Authority & Compassion Health Care Settle Data Breach Litigation

Emergency Medical Services Authority in Oklahoma and Compassion Health Care in North Carolina were sued over cyberattacks and data breaches. Settlements have now been agreed to resolve both class action lawsuits.

Emergency Medical Services Authority Data Breach Settlement

Emergency Medical Services Authority (EMSA), the largest provider of pre-hospital emergency medical care in the state of Oklahoma, has agreed to settle a class action lawsuit stemming from a cyberattack detected on February 13, 2024. EMSA determined that hackers accessed its network between February 10, 2024, and February 13, 2024, and acquired files containing patient and employee data. The data breach affected 611,743 individuals and included names, addresses, dates of birth, dates of service, and Social Security numbers.

Two class action lawsuits were filed in response to the data breach, which were consolidated in the Oklahoma District Court of Oklahoma County – Wade Quick and Laura Lance v Emergency Medical Services Authority. EMSA denies all claims of liability, fault, and wrongdoing, and sought to have the lawsuit dismissed. The court sustained in part and denied in part the motion to dismiss, and the lawsuit proceeded to discovery. A second motion to dismiss was filed for lack of jurisdiction, and after the plaintiffs filed their response, all parties agreed to resolve the lawsuit with a settlement rather than continuing to litigate.

Under the terms of the settlement, EMSA will establish a $1.5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for the class members, and benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $3,000 per class member. A claim may also be submitted for compensation for up to four hours of lost time at $15 per hour. While documentation is not required for the lost time claim, class members must sign an attestation that includes a brief description of the lost time. Lost time payments are included in the $3,000 cap per class member.

Class members may also claim two years of single-bureau credit monitoring and identity theft protection services. The deadline for submitting a claim is March 5, 2026. The final fairness hearing has been scheduled for April 5, 2026.

Compassion Health Care Data Breach Settlement

Compassion Health Care, a Yanceyville, North Carolina-based medical practice, has agreed to pay up to $600,000 to settle a class action lawsuit over a breach of the protected health information of 23,600 individuals. A cybersecurity incident was identified on or around March 17, 2025, and the forensic investigation confirmed that an unauthorized third party hacked its systems and potentially obtained protected health information such as names, addresses, phone numbers, dates of birth or ages, Social Security numbers, driver’s license numbers, health insurance information, claims information, and clinical/diagnostic information. The affected individuals were notified about the data breach on or around May 16, 2025.

The first class action lawsuit over the data breach was filed on May 23, 2025, followed by a further two lawsuits. An amended complaint was filed in the Caswell County Superior Court for the State of North Carolina on July 2, 2025, adding the additional plaintiffs – Allin v. Compassion Health Care. The lawsuit alleged that the cyberattack occurred as a result of the failure to implement reasonable and appropriate cybersecurity measures. The lawsuit asserted claims of negligence/negligence per se, breach of implied contract, breach of confidence, and unjust enrichment.

Shortly after the amended lawsuit was filed, the defendant provided the plaintiffs with informal discovery, including information about the cybersecurity measures implemented prior to the data breach. After arm’s-length discussions, the material terms of a settlement were agreed upon. The settlement has now been finalized, with no admission of liability or wrongdoing, and the settlement has received preliminary approval from the court. The $600,000 will be used to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach, or class members may claim an alternative cash payment of $40.

The deadline for submitting a claim differs based on CPT ID. Class members with a CPT ID under 20,000 have until February 23, 2026, to submit a claim. Class members with a CPT ID over 20,000 have until May 4, 2026, to submit a claim. The final fairness hearing has been scheduled for May 4, 2026.

The post Emergency Medical Services Authority & Compassion Health Care Settle Data Breach Litigation appeared first on The HIPAA Journal.

Healthcare Remains the Sector Most Targeted by Ransomware Groups as Attacks Increase 49% YOY

A new record was set for ransomware attacks last year, with disclosed ransomware attacks increasing by 49% year-over-year to a record-high of 1,174 attacks, according to Black Fog’s 2025 State of Ransomware Report. There was also a 37% year-over-year increase in undisclosed attacks, with 7,079 victims added to dark web data leak sites in 2025. The figures indicate that globally, 86% of ransomware attacks are not disclosed by victims.

Data theft almost always occurs with ransomware attacks. In 2025, 96% of attacks involved data exfiltration prior to file encryption, which results in greater organizational harm. Data exfiltration has contributed to the significant increase in breach costs, as data theft results in greater reputational harm and increased regulatory exposure. In 2025, the average cost of a data breach was $4.44 million globally, and $7.42 million for healthcare data breaches. Healthcare retained its position as the sector most targeted by ransomware groups in 2025, accounting for 22% of disclosed attacks. All sectors experienced an increase in attacks in 2025, apart from education, which saw a 13% year-over-year decrease in attacks.

The breakup of large ransomware groups has led to a fragmentation of the ransomware ecosystem, and the number of active ransomware groups continued to increase in 2025. Black Fog tracked 130 different ransomware groups in 2025, of which 52 were new groups that emerged in 2025, a 9% increase from 2024. Several groups that emerged in 2025 have disproportionately targeted the healthcare sector, including Sinobi, Insomnia, and Devman. Devman issued the largest ever ransom demand of $91 million in 2025 for its attack on China’s real estate development company Shimao Group Holdings. World Leaks, widely believed to be a rebrand of Hunters International, has also claimed several healthcare victims, as have all of the top three most prolific and dangerous ransomware groups of the year: Qilin, Akira & Play.

There was a surge in activity by the most prolific ransomware group – Qilin – in 2025, which claimed a total of 1,115 disclosed and undisclosed attacks. Qilin was behind two of the most impactful healthcare ransomware attacks of the year – ApolloMD and Covenant Health. The ransomware attack on ApolloMD was detected in May 2025, yet it took until February 2026 to confirm that the protected health information of more than 626,500 patients was compromised.

The attack on Covenant Health also occurred in May 2025. Initial access was gained on May 18, 2025, and, as was the case with the attack on ApolloMD, sensitive data was rapidly identified and exfiltrated. The Covenant Health attack was detected on May 26, 2025, when the affected systems were shut down to contain the incident. Disruption continued into June, and the attack was initially disclosed a month later, although the initial breach report suggested that the protected health information of just 7,864 individuals was compromised in the incident. As the investigation progressed, it became clear that data theft was far more extensive. In December 2025, when the investigation concluded, Covenant Health confirmed that 478,188 patients had been affected.

Akira was the second-most active group, claiming a total of 776 victims in 2025, with the third most active group – Play – accounting for 405 ransomware attacks. Black Fog identified the emergence of large-scale, AI-enabled attacks last year, when a ransomware group hijacked Anthropic’s Claude model to autonomously perform reconnaissance, exploitation, and data theft – the first time that an AI-led ransomware campaign has been identified.

“The global impact of ransomware across 2025 has been unprecedented. From high street chains to hospitals, ransomware doesn’t respect borders, the size of organization, or the sector you’re in. It’s brought vital services, established companies – and the smaller partners who depend on them – to a grinding halt,” Dr Darren Williams, Founder and CEO of BlackFog said. “The disruption they cause is only part of the story. Attackers aren’t just breaking in – they’re intent on stealing data to power extortion. By weaponizing AI they can outpace defenders at a new scale and use stealthy targeted techniques to slip past traditional security measures. Putting protections in place to close these gaps and prevent data exfiltration has to take priority as attackers focus on targeting organizations’ most sensitive information.”

The post Healthcare Remains the Sector Most Targeted by Ransomware Groups as Attacks Increase 49% YOY appeared first on The HIPAA Journal.

Data Breaches Announced by MedRevenu & EyeCare Partners

Data breaches have been confirmed by the revenue cycle management company MedRevenu Inland Physicians Hospitalist Services, and the Missouri-based eye care provider, EyeCare Partners.

MedRevenu Inland Physicians Hospitalist Services

MedRevenu Inland Physicians Hospitalist Services, a Montclair, CA-based vendor that provides revenue cycle management services to healthcare providers, has recently notified the California Attorney General about a cybersecurity incident. The incident occurred on or around December 12, 2024, and caused disruption to its network. The forensic investigation determined that files containing personal and protected health information may have been accessed or acquired in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers/government identification numbers, health insurance information, medical information, financial account numbers, payment card numbers, and access information.

MedRevenu said it is reviewing and enhancing its cybersecurity measures and has offered the affected individuals complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months. The BianLian threat group claimed responsibility for the attack and added MedRevenu to its dark web data leak site on December 14, 2024. Since data has been leaked, the affected individuals should ensure that they sign up for the credit monitoring services being offered and carefully check their account statements for data misuse, going back to December 2024. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

EyeCare Partners

EyeCare Partners, LLC, a St. Louis, MO-based nationwide provider of eye care services, has recently announced an email security incident that was first identified on January 28, 2025. Suspicious email activity was identified, and an investigation was launched, which confirmed that an unauthorized third party had accessed multiple managed email accounts between December 3, 2024, and January 28, 2025.

It took until November 11, 2025, to review the compromised accounts, and notifications were issued to appropriate state attorneys general in February 2026. Data compromised in the incident includes names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health plan information, and limited clinical information.

EyeCare Partners said it has no reason to believe that any of the exposed information has been misused for identity theft or fraud; however, out of an abundance of caution, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 24 months. EyeCare Partners said it has reviewed and enhanced its technical security measures and has provided further reminders to employees about how to recognize and avoid phishing attempts. The incident has been reported to the HHS’ Office for Civil Rights as affecting 17,110 individuals, including patients of The Ophthalmology Group, Ophthalmology Consultants, and Ophthalmology Associates.

The post Data Breaches Announced by MedRevenu & EyeCare Partners appeared first on The HIPAA Journal.

Pinehurst Radiology Associates & Tallahassee Memorial HealthCare Settle Class Action Data Breach Lawsuits

Pinehurst Radiology Associates has agreed to settle a class action lawsuit over a January 2025 data breach, and Tallahassee Memorial HealthCare has agreed to settle class action litigation over its use of pixels on its website.

Pinehurst Radiology Associates Settlement

Pinehurst Radiology Associates, a medical diagnostic imaging center in Pinehurst, North Carolina, has agreed to settle a class action lawsuit over a January 2025 security incident that affected 8,682 individuals. Pinehurst Radiology Associates identified a cybersecurity incident on January 20, 2025, and determined that patients’ protected health information had been exposed. Data exposed in the incident included names, addresses, dates of birth, Social Security numbers, diagnoses, treatment information, medical record numbers, health insurance information, and Medicare/Medicaid numbers. The affected patients were notified on or around May 22, 2025.

Two class action lawsuits were filed in response to the data breach, which were consolidated in the Superior Court of Moore County, North Carolina – McNeill, et al. v. Pinehurst Radiology Associates, PLLC. The plaintiffs alleged that the data breach resulted from negligence because reasonable and appropriate cybersecurity measures had not been implemented. Pinehurst Radiology Associates denies all claims of wrongdoing, fault, and liability.

All parties explored the possibility of an early settlement, and an agreement on the material terms was reached on September 30, 2025. The final terms of the settlement have been negotiated, and it has received preliminary approval from the court. Pinehurst Radiology Associates has agreed to pay for CyEx Medical Shield Complete medical data monitoring services for 12 months for all class members, which includes a $1 million identity theft insurance policy. Claims may also be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $500 per class member. Losses must have been incurred between January 20, 2025, and April 9, 2026. The deadline for opting out and objecting is March 7, 2026. Claims must be submitted by April 9, 2026, and the final fairness hearing has been scheduled for April 6, 2026.

Tallahassee Memorial HealthCare Settlement

Tallahassee Memorial HealthCare has agreed to pay benefits to current and former patients whose personal and protected health information may have been disclosed to third parties, such as Meta Platforms and Google Inc., due to pixels and other tracking and analytics tools on the Tallahassee Memorial HealthCare website.

According to the lawsuit, these tools collected data relating to website use, which may have included personal and protected health information depending on the user’s interactions with the website. The lawsuit claims that these disclosures occurred for marketing and advertising purposes, without the knowledge or consent of website users. The lawsuit claims that the disclosures violated the Florida Security of Communications Act and the Electronic Communications Privacy Act. The lawsuit also asserted claims of invasion of privacy, breach of implied contract, unjust enrichment, and breach of confidence.

Tallahassee Memorial HealthCare denies all claims of wrongdoing and liability, and all material allegations in the lawsuit, but chose to settle the litigation to avoid the cost and uncertainty of a trial and related appeals. The plaintiffs believe all claims have merit but agreed that the settlement is fair and in the best interests of all class members. Under the terms of the settlement, class members can claim a 24-month membership to CyEx Financial Shield Complete, as well as a cash payment of $17. The final fairness hearing has been scheduled for March 2, 2026.

The post Pinehurst Radiology Associates & Tallahassee Memorial HealthCare Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.