California Attorney General Rob Bonta has filed a lawsuit against the genetic testing company formerly known as 23andMe over its 2023 data breach that affected almost 7 million Americans. The lawsuit alleges multiple violations of state consumer privacy and data protection laws.

23andMe is a provider of direct-to-consumer DNA testing services. Consumers purchase kits for collecting saliva samples, which are sent to the company for DNA analysis. Consumers are given a report detailing their ancestry, ethnicity, and genetic health predispositions, and can access a platform that allows them to trace their biological relatives.

In 2023, 23andMe discovered that around 14,000 accounts had been subject to unauthorized access over a period of around 5 months, resulting in a breach of the personal and genetic information of 6.9 million individuals, including 855,541 California residents. Access to the accounts was gained using a technique known as credential stuffing. Credentials obtained in a data breach on one platform are used to try to access accounts another platform. The technique only works if users reuse their usernames and passwords on multiple platforms. In the case of the 23andMe attack, some of the credentials were stolen from MyHeritage, a separate genealogy site that 23andMe encouraged its users to set up an account with.

The data breach was discovered when the threat actor offered the stolen data for sale on a dark web hacking forum in October 2023. Initially, 23andMe downplayed the incident, maintaining that there had been no breach of its systems, placing the blame on customers for the poor security practice of re-using credentials on multiple platforms. 23andMe also said the breach involved data from its DNA Relatives feature, which was essentially publicly available information. 23andMe paid the threat actor to remove data that had been posted online, stop any sale of stolen data, and to receive information about the vulnerabilities that were exploited by the threat actor to access data.

23andMe, which filed for Chapter 11 bankruptcy protection in March 2025, faced class action litigation over the data breach and agreed to pay $30 million to settle claims related to the data breach, then increased the settlement fund to up to $50 million. The settlement received final approval from a judge in January 2026.

The California Department of Justice, part of a multistate coalition that investigated the data breach, determined that security vulnerabilities were exploited that should not have existed, and that the company’s handing of the breach was “entirely unacceptable.” The investigation determined that there was a well-known risk of unauthorized account access through credential stuffing, yet 23and Me failed to implement reasonable and appropriate security procedures to reduce risk. The data breach was only detected when the threat actor offered stolen data for sale in October 2023. AG Bonta alleged that 23andMe missed several opportunities to detect the credential stuffing attack, such as a suspicious spike in login attempts in July 2023, and a Reddit post discussing a potential 23andMe data breach in August 2023.

A coding error in the DNA Relatives feature meant doctored queries could be sent to the 23andMe database, and when creating and implementing its data security protocols, 23andMe failed to properly account for genetic data and its high level of sensitivity. 23andMe informed its customers that it adhered to the highest industry standards for data security; when its security practices were far below industry standards. Further, when the breach was announced, AG Bonta alleges that 23andMe made misleading statements, repeatedly stating that there had been no breach of 23andMe systems, despite the threat actor informing the company of multiple exploitable vulnerabilities within its systems, some of which were exploited in the attack.

The state Attorney General’s lawsuit was filed in the San Francisco Superior Court, California, and alleges that the company failed to implement and maintain reasonable and appropriate security procedures and practices, made untrue and misleading statements regarding its security measures and practices prior to the data breach, as well as misleading statements about the circumstances of the breach. Those failures are alleged to have violated the California Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act. The lawsuit seeks millions of dollars in civil fines to resolve the alleged violations.

The California Attorney General has also challenged 23andMe’s sale of consumers’ genetic information and materials in bankruptcy. That lawsuit is pending in the in U.S. Bankruptcy Court for the Eastern District of Missouri.

The post California AG Files Lawsuit Over 23andMe Data Breach appeared first on The HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a revised schedule of virtual town hall meetings for its Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) rulemaking.

CISA was affected by the failure of lawmakers to agree on funding for the Department of Homeland Security (DHS), which resulted in a 76-day partial shutdown that ended on April 30, 2026. The shutdown significantly reduced CISA’s operational capacity, with only 38% of its staff remaining on the job over that period. While CISA’s core cyber defense operations were maintained during the partial shutdown, CISA’s outreach activities were a casualty. The CIRCIA virtual town hall meetings initially scheduled for March and April 2026 had to be delayed.

The aim of CIRCIA is to help the government respond quickly to cyber threats and disseminate key information to critical infrastructure sectors in response to those threats. When a final rule is issued, CIRCIA will require critical infrastructure entities to rapidly report significant cybersecurity incidents and ransomware payments to CISA. Covered critical infrastructure entities will be required to notify CISA of any ransom payment within 24 hours and certain cyber incidents within 72 hours.

The rapid reporting required under CIRCIA will allow CISA to quickly deploy resources and provide emergency assistance; build a comprehensive, coordinated, and centralized approach to understanding cyber risks across different critical infrastructure sectors; and identify cyber trends and rapidly share threat intelligence with network defenders and warn potential victims about threats.

Ahead of the publication of a final rule, CISA is seeking stakeholder feedback on the requirements of the CIRCIA Notice of Proposed Rulemaking (NPRM). The aim is to ensure that national cybersecurity is strengthened while minimizing the compliance burden on critical infrastructure entities.

The special topics of interest that were due to be covered in the town hall meetings have not been changed; however, the schedule differs from the original proposal. CISA will be hosting four four-hour virtual town hall meetings, starting on June 15, 2026.

A general session will be hosted on June 15, 2026, followed by a June 16, 2026, virtual meeting for Group A critical infrastructure sectors. These will be followed by a general session on June 17, 2026, and a virtual meeting for Group B critical infrastructure sectors.

• The Group A session is for the communications, dams, emergency services, food and agriculture, government facilities, healthcare and public health, transportation systems, and water and wastewater sectors.
• The Group B session is for the chemical, commercial facilities, critical manufacturing, defense industrial base, energy, financial services, information technology, and nuclear reactors, materials, and waste sectors.

While initially tentatively scheduled for 13:30 a.m. to 3:30 p.m, they have since been moved to 4:30 p.m. to 8:30 p.m. Advance registration is required, and registration will close two business days before the meeting, although early registration is recommended. The sessions will be recorded, and transcripts will be published in the CISA docket for CIRCIA rulemaking.

“CISA is working to maximize the impact of CIRCIA to significantly improve our Nation’s cybersecurity posture. At the same time, CISA values the interest and concern our stakeholders have that CIRCIA will be implemented with minimal unnecessary burden to entities in critical infrastructure sectors,” said Nick Andersen, acting director, CISA. “CISA appreciates our stakeholders’ patience with waiting for our rescheduled town hall meetings to provide their critical input as we finalize this rule. As an agency built on collaboration and coordination, CISA is committed to hearing from the American people, critical infrastructure owners and operators, and other community members.”

The post CISA Announces Rescheduled CIRCIA Virtual Town Hall Meetings appeared first on The HIPAA Journal.

Delta Dental Insurance and Delta Dental of New York (Delta Dental) have agreed to pay a fine of $2.25 million to the New York Department of Financial Services to settle alleged violations of New York cybersecurity regulations. The violations were discovered during an investigation of a 2023 hacking incident that affected almost 7.1 million of its customers.

The incident in question occurred over the Memorial Day weekend in 2023 and was detected by Delta Dental on June 1, 2023. A Russian-speaking cybercriminal group called Clop (aka Cl0p) exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer managed file transfer solution, accessed the solution between May 27 and May 30, 2023, and exfiltrated approximately 60,000 files. The group then demanded a ransom to prevent the publication of the stolen files.

By July 6, 2023, Delta Dental confirmed that a range of sensitive personal and protected health information had been stolen, including names, addresses, Social Security numbers, driver’s license numbers, financial account information, and health information. Delta Dental was one of around 2,700 companies to fall victim to the automated mass exploitation attacks.

Delta Dental Insurance, a dental insurance underwriter, and its subsidiary, Delta Dental of New York, were investigated by the New York Department of Financial Services after being notified about the data breach on December 15, 2023. The Department of Financial Services identified several violations of state laws, including the failure to provide timely notice about the data breach. Under N.Y. Comp. Codes R. & Regs. Tit. 23 § 500.17(a)(1), covered entities are required to notify the superintendent about a cybersecurity incident within 72 hours of discovery.

According to the consent order, Delta Dental did not implement and maintain a written policy addressing incident response, in breach of the New York Cybersecurity regulations for financial services companies – 23 NYCRR § 500.3(n), and did not have a written incident response plan that sufficiently addressed its reporting obligations to regulators, in violation of 500.16(b)(6). Further, Delta Dental did not implement policies and procedures for the secure disposal of data no longer required for business purposes, as required by § 500.13.

The investigation found that most of the data stolen in the attack had been on the server for more than 30 days. By default, MOVEit Transfer sets the data retention period as 30 days; however, Delta Dental had changed the retention period first to 45 days, and then to 60 days for many folders. Some folders had data retention settings disabled and there were no written policies regarding requesting, reviewing, or approving changes to the data retention settings.

Delta Dental is required to pay the financial penalty, although there are no corrective actions required by the order. Provided Delta Dental complies with the consent order, the New York Department of Financial Services will take no further action. “The Department’s nation-leading cybersecurity regulation requires financial institutions to have robust policies in place to protect the personal information of New Yorkers,” said Kaitlin Asrow, acting superintendent of the New York Department of Financial Services. “As cybersecurity threats continue to grow, the Department is committed to holding institutions accountable.”

The post Delta Dental Fined $2.25 Million Over 2023 MOVEit Transfer Hack appeared first on The HIPAA Journal.

House Republicans have made a fresh attempt to introduce federal data privacy legislation that, if passed, will replace the current patchwork of state privacy laws. The new privacy bill – the Securing and Establishing Consumer Uniform Rights and Enforcement over Data (SECURE Data) Act, and a companion bill covering financial firms – the GUARD Financial Data Act – were introduced by Republican members of the House Committee on Energy and Commerce and the House Committee on Financial Services. Unlike previous attempts to enact comprehensive federal data privacy legislation, the SECURE Data Act and GUARD Financial Data Act are not bipartisan. No input was sought from Democratic committee members.

Efforts to develop the bills were led by Congressman John Joyce, M.D., Chairman of the House Committee on Energy and Commerce, who led the Energy and Commerce Data Privacy Working Group, and Congressman John Joyce, M.D. (PA-13), Chairman of the Energy and Commerce Subcommittee on Oversight and Investigations and leader of the Energy and Commerce Data Privacy Working Group.

The bills were developed following more than a year of stakeholder consultation, and aim to create new federal data privacy standards, and are based on common data subject rights and provisions from states that have implemented their own comprehensive data privacy laws.

Key consumer rights in the SECURE Data Act include:

• The right to know data is being collected and used
• The right to access a copy of the personal data collected by an entity, including in a portable format
• The right to request that their personal data be deleted
• The right to opt out of targeted advertising, the sale of their personal data, and certain automated decisions
• To only process sensitive data with a consumer’s consent
• To only process a child or teen’s personal data with parental consent

The obligations for covered businesses under the SECURE Data Act include:

• Limiting the collection of personal data to what is “adequate, relevant, and reasonably necessary for the purposes disclosed to consumers
• Required disclosure of the personal data shared with others, and any personal data processed in or sold to China, Russia, or other foreign adversaries.
• Implementation of data security practices to protect the personal data they process.

There are specific requirements for data brokers, which include:

• Data minimization, disclosure, and data security requirements.
• Registration with the FTC, including disclosure of the privacy and data security practices and personal data sold.
• The FTC will establish a searchable public-facing registry of data brokers, where consumers can learn how to exercise their privacy rights.

“This bill establishes clear, enforceable protections so that Americans remain in charge of their own data and companies are held accountable for its safe keeping,” Energy and Commerce Chair Brett Guthrie, R-Ky., and Rep. John Joyce, R-Penn., said in a joint statement. “We look forward to working with our colleagues to build support for this bill and advance data privacy protections fit for our 21st century economy.”

The SECURE Data Act would apply to nonfinancial firms that control consumer data, exempting financial data and financial institutions covered by the Gramm-Leach-Bliley Act. The companion bill, the GUARD Financial Data Act, would update the Gramm-Leach-Bliley Act and would exempt nonfinancial firms. While there is a clear need for federal data privacy legislation to replace data privacy laws that vary considerably from state to state, for certain states such as California, it would mean a watering down of their current privacy protections for state residents. For instance, the SECURE Data Act does not include a private cause of action, which means individuals whose privacy is violated would not be able to sue for SECURE Data Act violations.

The SECURE Data Act has been criticized for failing to implement meaningful privacy protections and weakening protections for consumers in states that have placed limits on the collection, use, and sharing of consumers’ data. Critics say the legislation ultimately protects corporations and big tech firms rather than protecting consumers’ privacy. “We should be protecting the little guy with a bill that empowers consumers, not one that pre-empts consumer protections at the behest of Big Tech,” said Energy and Commerce Ranking Member Frank Pallone (D-NJ).

Some privacy groups have criticized the bill for important omissions, such as failing to address AI-related privacy harms. There are no provisions limiting the data that can be collected on consumers for training AI algorithms, and while companies are required to disclose if they are using AI-based automated decision-making systems, consumers do not have the right to opt out.

There are grave concerns that if enacted, it will allow big tech firms to continue collecting and using vast amounts of consumer data. “It places the onus on regular people to wade through reams of privacy policies and ask tech companies to stop abusing our data, and it leaves us without real recourse — even blocking us from going to court — if our requests go unanswered. On top of that, the bill would entirely destroy the work that states have been doing for years to protect their residents,” said American Civil Liberties Union attorney Cody Venzke.

While previous efforts to pass a comprehensive federal data privacy law, such as the American Data Privacy and Protection Act (ADDPA), have been bipartisan, bicameral, and have proposed stronger privacy protections, they have all failed to be enacted. While there is a good chance that the SECURE Data Act would be passed by the House of Representatives, it may be difficult, in its current form, for the bill to survive a Senate vote.

The post House Republicans Make New Attempt to Introduce Federal Data Privacy Legislation appeared first on The HIPAA Journal.

The Maine House of Representatives has voted unanimously to advance a bill that seeks to strengthen cybersecurity at Maine hospitals to prevent cyberattacks and ensure continuity of care following cyber intrusions. The bill faces further votes in the House and Senate in the coming days.

The bill was proposed by Rep. Julie McCabe (D-Lewiston), a member of the Health and Human Services Committee, following two cyberattacks last year that impacted five Maine hospitals –  Covenant Health’s St. Mary’s Hospital in Lewiston, St. Joseph’s Hospital in Bangor, and Central Maine Medical Center’s hospitals in Lewiston, Bridgton, and Rumford. The Covenant Health ransomware attack alone affected 478,188 individuals, and along with the cyberattack on Central Maine Medical Center, around one-third of state residents were affected.

Those cyberattacks had a negative impact on patient care, crippling basic communication services, exposing serious breakdowns in hospitals’ protocols, and causing major disruption to patient care that lasted for weeks, including disruptions to preventative care and cancer care. “Cyberattacks pose a serious risk to our already-fragile health care system,” said McCabe. “We’ve already seen how a cyberattack can impact Maine hospitals and leave patients in dire straits. This legislation will help ensure that our hospitals are prepared to deal with these types of incidents, respond promptly and effectively to patient needs, and protect sensitive information.”

The bill – LD 2103 – requires hospitals to adopt measures to prevent and respond to cybersecurity incidents, and also includes provisions requiring workplace safety measures to protect patients, visitors, and employees from aggressive and violent behavior. According to the Occupational Safety and Health Administration (OSHA), healthcare workers are 4-5 times as likely to suffer injuries due to violence as employees in all other sectors. The bill requires hospitals to have a process in place to receive and record incidents and threats of violence and prohibits representatives or employees of a hospital from interfering with a person making a report.

All hospitals will be required to have a cybersecurity plan consistent with cybersecurity best practices established by the U.S. Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), Department of Commerce, National Institute of Standards and Technology (NIST), and the Healthcare and Public Health Sector Coordinating Council (HSCC).

The cybersecurity plan must be consistent with HIPAA and be reviewed at least annually. At a minimum, the plan must include provisions to ensure timely notifications to law enforcement, state regulators, patients, and employees about cybersecurity intrusions. All hospitals must have a backup communication response provision to ensure continuity of care for patients in the event of a disruption of hospital computer systems due to a cybersecurity intrusion. That includes a compliant process for patients who experience challenges accessing medical care, a system to triage patients within 48 hours of submitting a complaint about emergent symptoms, and timely management of complaints related to prescriptions.

There is a provision to ensure the triage of all hospital services in the event of disruption to computer systems, including procedures for diverting hospital services, and written agreements with other hospitals to facilitate the continuity of care for patients during any disruption due to a cybersecurity incident. Hospitals must have a written security incident response plan documenting how hospital employees are to report suspected or known security incidents, including how the hospital will respond clinically, and provisions for internal and external communications. Hospitals must also have a system for ensuring that all manually charted medical information is incorporated into electronic medical records in a timely manner.

Cybersecurity training for hospital employees and board members is required at least annually, and incident response and downtime procedures must be reviewed, tested, and updated, as necessary, at least once a year. Further, following any cybersecurity incident, hospitals are required to review the response and take steps to improve procedures for responding to future cybersecurity incidents.

The post Maine House Unanimously Passes Bill to Strengthen Cybersecurity at Maine Hospitals appeared first on The HIPAA Journal.

Texas Governor Greg Abbot has ordered all state agencies and state-owned medical facilities to conduct an audit of patient monitoring devices to ensure that they do not have unresolved vulnerabilities that could be exploited to gain access to Texans’ sensitive health information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the United States Food and Drug Administration (FDA) have issued warnings about vulnerabilities in patient monitoring devices manufactured in China. Devices have been found to contain a backdoor that can be used by a remote attacker to gain access to sensitive patient data.

There has been a proliferation of Chinese-manufactured medical devices within the U.S. healthcare system. The concern is that these devices have backdoors that can be exploited by state-sponsored hacking groups to obtain the private medical information of Americans. Governor Abbot wants to make sure that the private medical data of Texans cannot be obtained by China. “I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data,” Governor Abbot said in a letter to the Texas Health and Human Services Commission (HHSC), Texas Department of State Health Services (DSHS), and the Texas Cyber Command (TXCC).

Governor Abbot has directed state agencies to take action to ensure that sensitive medical data is protected. HHSC and DSHS have been asked to review all state-owned medical facilities under their jurisdiction and attest that all new purchases of medical devices were procured in compliance with the November 19, 2024, Executive Order GA-48, which requires the hardening of cybersecurity by the state government.

HHSC, DSHS, and public systems of higher education are required to catalog all state-owned medical devices capable of transmitting data via a network, or that can be accessed remotely, and share that inventory with TXCC. Assisted by TXCC, HHSC, DSHS, and public systems of higher education, are required to review their cybersecurity policies related to the protection of personal health information at all state-owned medical facilities under their jurisdiction, and specifically include how policies address FDA and CISA-issued alerts for internet-connected medical devices.

TXCC has been instructed to review whether Contec CMS8000 and Epsimed MN-120 patient monitors, and any other devices used by HHSC, DSHS, and public systems of higher education, have been the subject of an FDA safety notice, and to ensure that any that have are placed on the prohibited technology list.

TXCC is also required to convene appropriate executives at HHSC, DSHS, and public systems of higher education and make recommendations for addressing emergent cybersecurity risks, monitoring of devices, and mitigation strategies. Governor Abbot has committed to proposing legislation in the next session to better protect Texans’ private medical data from hostile foreign actors, such as China.

The post Texas Governor Instructs State Agencies to Audit Chinese Medical Devices appeared first on The HIPAA Journal.

At a Thursday hearing, the Senate Health, Education, Labor and Pensions (HELP) Committee heard testimony from Thomas Keane, M.D., M.B.A., Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology (ASTP/ONC) on the HHS’s efforts to make improvements in health and care through the access, exchange, and use of data.

“My top priority is fostering greater data liquidity in the U.S. health care system so that patients and their clinicians are in the driver’s seat. I see how modern data standards, combined with artificial intelligence (AI), can make health care more affordable, accessible, and can support improved health outcomes,” explained Keane.

It has been a decade since the 21^st Century Cures Act was enacted in 2016. Key provisions of the act have been implemented, such as the establishment of the Trusted Exchange Framework and Common Agreement (TEFCA) for nationwide health information exchange across health information networks. TEFCA Exchange began in earnest in January 2024, and 11 Qualified Health Information Networks have now signed up and been vetted to facilitate data exchange. More than 70,000 locations nationwide are connected, and the exchange of more than 400 million health records is now supported. While TEFCA has yet to reach its full potential, when that happens, a healthcare provider will be able to access a patient’s full health history, regardless of the electronic health record system where that information is stored.

While the technology exists to support the seamless exchange of health data, information does not always flow unimpeded. At the hearing, HELP Committee members expressed frustration that health data is being blocked by healthcare providers, developers of certified health IT, and health information networks and exchanges. The 21^st Century Cures Act prohibited information blocking; however, it took until 2023 to finalize the financial penalties for developers of health IT, and another year to finalize the financial penalties for healthcare providers, and penalties have yet to be imposed for information blocking.

At the hearing, Keane confirmed that the federal government is taking action against entities engaged in information blocking. Since the HHS launched its information blocking complaint portal, more than 1,500 complaints have been filed alleging information blocking, the majority of which were filed by patients. Keane confirmed that ASTP/ONC has started actively enforcing its information blocking rules. A major enforcement initiative was launched in September 2025, targeting noncompliance, which allocated additional resources to support investigations and hold entities accountable for blocking the sharing of electronic health information. In the Fall of last year, the HHS warned developers, providers, and health information exchanges that it announced that it would start cracking down on information blocking.

Since then, ASTP/ONC has been working closely with the HHS Office of Inspector General to ensure that bad actors face meaningful consequences for information blocking, and in February this year, ASTP/ONC sent notices to developers of certified health IT about potential non-conformity under the ONC Health IT Certification Program, requesting information and explanations about non-conformity issues. Should information blocking be confirmed, health IT developers could face penalties of up to $1 million per violation, while providers could be prevented from receiving Medicare payments.

Keane explained that ASTP/ONC is collaborating with the Federal Trade Commission (FTC), Department of Justice (DoJ), and state governments to identify potential anti-competitive business practices and other practices that are preventing the seamless exchange of health information. ASTP/ONC is also continuing to work with providers, health information networks, and health IT developers to improve understanding of what constitutes information blocking and the steps they must take to ensure compliance with the law.

“In [the] not-so-distant future, an individual with multiple chronic conditions can keep all their health information in one secure digital place and share it instantly with a new provider, a caregiver, or a trusted app—no matter where they live or where they receive care,” Keane said.

The post HHS Confirms Active Enforcement of Information Blocking Rules appeared first on The HIPAA Journal.

The U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) plans to use artificial intelligence (AI) tools to identify fraudulent claims before they are paid.

While estimates of total losses from healthcare fraud vary, around $60 billion is thought to be lost to Medicare fraud each year. In 2023, the HHS Office of Inspector General (HHS-OIG), the primary agency responsible for tackling Medicare and Medicaid fraud, identified more than $100 billion in improper payments across the Medicare and Medicaid programs. Estimates suggest that between 3% and 10% of total healthcare spending is being lost to fraud. While HHS-OIG, in conjunction with the Department of Justice and the CMS, investigates fraud and prosecutes fraudsters, only a fraction of fraudulently paid funds is recovered.

In a February 25, 2026, press release, Vice President J.D. Vance, Secretary of Health and Human Services (HHS) Robert F. Kennedy, Jr., and CMS Administrator Dr. Mehmet Oz announced some of the new steps that are being taken to crack down on healthcare fraud as part of a broader effort by the Trump to improve affordability, protect patients, and reduce the burden on taxpayers, who ultimately foot the bill for healthcare fraud.

“For decades, Medicare fraud has drained billions from American taxpayers—that ends now,” said Secretary Kennedy. “We are replacing the old ‘pay and chase’ model with a real-time ‘detect and deploy’ strategy, using advanced AI tools to identify fraud instantly and stop improper payments before they go out the door.”

In the press release, the HHS confirmed that one of the actions is deferring $259.5 million of quarterly federal Medicaid funding in Minnesota while further investigations are conducted into fraudulent or unsupported claims, along with a nationwide moratorium on Medicare enrollment for certain Durable Medical Equipment, Prosthetics, Orthotics and Supplies (DMEPOS), which has historically been an area of major healthcare fraud.  The HHS has also issued a call to action for Americans to support fraud prevention, including seeking stakeholder input on ways the CMS can expand and strengthen its fraud prevention efforts.

“CMS is done trying to catch fraudsters with their hands in the cookie jar—instead, we’re padlocking the jar and letting them starve,” said Administrator Oz. “This proactive approach will help us crush fraud, protect taxpayer dollars, and make sure the vulnerable Americans who depend on our programs get the care they need.”

As part of the healthcare fraud prevention drive, the HHS and CMS issued a Request for Information (RFI) seeking input from a broad range of stakeholders on ways to strengthen the ability of the CMS to prevent, detect, and respond to fraud, waste, and abuse in Medicare, Medicaid, The Children’s Health Insurance Program (CHIP), and the Health Insurance Marketplace. That includes input on analytics, methodologies, data-driven approaches, and AI tools that would be most effective at identifying indicators of potential healthcare fraud, waste, or abuse.

The feedback will inform future rulemaking, including a potential “Comprehensive Regulations to Uncover Suspicious Healthcare (CRUSH) proposed rule, and other programmatic changes for tackling healthcare fraud. While the CMS and the HHS-OIG have long been using predictive modelling and data analytics to identify fraud and waste, the HHS recognizes the potential of AI tools for identifying fraud before claims are paid.

The CMS has asked for suggestions on how AI can be incorporated into Medicare Advantage coding oversight and hospital billing. Specifically, the types of AI solutions, including off-the-shelf products, that are most effective and efficient for assisting human coders with large volumes of records.

The CMS has asked stakeholders to share information on the key features and learning capabilities required in AI solutions to improve accuracy and prevent errors, the lessons learned when implementing AI solutions, how AI could be used to improve efficiency and accuracy of hospital billing, solutions that could help address coding issues related to overpayments, underpayments, and suggestions on how AI solutions can be used for compliance oversight.

While there is tremendous potential for AI tools to be used in fraud prevention and detection, they must not come at the expense of the privacy of Medicare and Medicaid beneficiaries. There will also need to be robust safeguards and oversight to ensure that legitimate and necessary medical care for law-abiding Americans is not put at risk.

The post HHS Issues RFI Seeking Input on AI Tools and Methodologies for Healthcare Fraud Prevention appeared first on The HIPAA Journal.