HIPAA Breach News

Data Breaches Announced by Four Healthcare Providers

Data breaches have recently been announced by Western Orthopaedics in Colorado, Community Health Systems in California, Tri-Cities Gastroenterology in Tennessee, and Integrated Pain Associates in Texas.

Western Orthopaedics

Western Orthopaedics, an Englewood, Colorado-based healthcare provider with locations throughout Colorado, has disclosed a security incident that was first identified on October 2, 2025. Assisted by third-party cybersecurity experts, Western Orthopaedics confirmed unauthorized access to its network between September 17, 2025, and September 25, 2025, during which time files containing personal and protected health information may have been viewed or acquired.

The analysis of those files was completed on March 3, 2026, when it was confirmed that the following data elements were potentially compromised: full name, address, phone number, Social Security number, date of birth, password, and/or financial account information, which may include credit/debit card number with or without security or access code, and protected health information such as health insurance information, health insurance plan or subscriber identification number, medical provider name, medical dates of service, and medical cost or billing information.

Additional measures have been taken to improve security, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services. At present, it is unclear how many individuals have been affected. The PEAR cyber extortion group claimed responsibility for the attack and proceeded to leak the stolen data when the ransom was not paid.

Community Health Systems

Community Health Systems Inc., a California healthcare provider serving patients in San Bernardino, Riverside, and San Diego Counties, has recently disclosed a data security incident. According to its April 28, 2026, media notice, suspicious activity was identified within its computer network on or around February 28, 2026. Assisted by third-party security experts, Community Health Systems confirmed unauthorized access to parts of the network where patient data was stored.

The review of the exposed files confirmed that they contained information such as names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, treatment/diagnosis information, prescription information, dates of service, provider names, medical record numbers, patient ID numbers, Medicare/Medicaid ID numbers, health insurance information, and/or medical billing/claims information. Community Health Systems said it is reviewing its policies and procedures related to data protection. At present, it is unclear how many individuals have been affected.

Tri-Cities Gastroenterology

Tri-Cities Gastroenterology, a gastroenterology practice with five locations in Tennessee, has announced a data security incident that occurred on or around December 11, 2025. External cybersecurity professionals assisted with the investigation and confirmed that files were exfiltrated from its network on or around December 11, 2026. The file review confirmed on or around April 22, 2026, that the files contained information such as full names, Social Security numbers, dates of birth, addresses, email addresses, telephone numbers, gender, and medical record numbers.

Notification letters started to be mailed to the affected individuals on April 29, 2026. At that time, no misuse of the stolen data had been identified. Tri-Cities Gastroenterology said it will continue to evaluate and modify its cybersecurity practices and is taking steps to strengthen security. The Insomnia threat group claimed responsibility for the attack and added Tri-Cities Gastroenterology to its dark web data leak site in December. The group proceeded to leak the stolen data, indicating the ransom was not paid.

Integrated Pain Associates

On April 30, 2026, Integrated Pain Associates, a Killeen, Texas-based team of spine and pain specialists, announced a data security incident that was identified in February 2026. The forensic review confirmed unauthorized network access on or around February 24, 2026, and that patient data may have been accessed or acquired.

The review of the affected files is ongoing; however, Integrated Pain Associates has confirmed that the types of data involved include names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnosis/condition information, medication information, health insurance information, provider names, other treatment information, and/or financial account information. Integrated Pain Associates has confirmed that it is offering complimentary credit monitoring and identity theft protection services to the affected individuals. Additional security measures have been implemented to reduce the risk of similar incidents in the future. At present, the breach is not shown on the website of the Office of the Texas Attorney General nor the HHS’ Office for Civil Rights breach portal.

The post Data Breaches Announced by Four Healthcare Providers appeared first on The HIPAA Journal.

Starr Insurance Discloses Ransomware Attack

The health insurance company Starr Insurance has disclosed a ransomware attack and data breach. Data breaches have also been reported by the medical imaging company Green Imaging and the AI-based care coordination provider Lena Health.

Starr Insurance

Starr Insurance, a Chambersburg, Pennsylvania-based insurance agency, has recently confirmed that hackers accessed parts of its computer network and potentially obtained a range of sensitive data. Suspicious network activity was identified on November 18, 2025. Assisted by third-party cybersecurity experts, Starr Insurance determined that an unauthorized actor accessed and copied files from its network on November 28, 2025.

The review of the affected data confirmed that the hacker obtained information such as names, addresses, Social Security numbers, driver’s license numbers, financial account information, payment card information, medical information, health insurance information, and online account access information. Regulators have been notified, and individual notification letters are being sent to the affected individuals. Starr Insurance has enhanced its policies and procedures relating to data protection and security.

At the time of issuing notifications, no attempted or actual misuse of patient data had been identified. Starr Insurance did not state if this was a ransomware attack; however, a ransomware group claimed responsibility for the breach. Akira, one of the most active ransomware groups, claimed to have stolen 15 gigabytes of data in the attack. Akira engages in double extortion, stealing data, encrypting files, and demanding a ransom be paid to obtain the decryption keys and prevent the publication of the stolen data. The stolen data was listed for download, indicating that the ransom was not paid. Based on the breach notice issued by Starr Insurance, complimentary credit monitoring and identity theft protection services do not appear to have been offered to the affected individuals. At the time of publication, the number of affected individuals has yet to be publicly disclosed.

Green Imaging

Green Imaging LLC, a full-service virtual medical imaging network with locations in all 50 U.S. states, has started notifying patients about a data security incident first identified on October 17, 2025. Suspicious activity was identified within its email environment, and the investigation confirmed unauthorized access to a single user’s email account between October 7, 2025, and October 17, 2025.

The review of the account has recently been completed, and the results have been validated. The types of information compromised in the incident vary from individual to individual and may include names in combination with one or more of the following: address, date of birth, Social Security number, driver’s license number, other government issued identification number, clinical/treatment information, diagnosis/condition, procedure type, physician information, medication, and other health and/or health insurance information.

Green Imaging has reviewed its policies and procedures related to data privacy and security and has taken steps to reduce the risk of similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Bloom Circle, Inc. – Lena Health

Bloom Circle, Inc., doing business as Lena Health, a Houston, TX-based provider of an AI-based care coordination platform, has recently notified the HHS’ Office for Civil Rights about a data security incident involving the electronic protected health information of up to 3,651 patients. The exposed data was stored in a public cloud storage container (Amazon S3 bucket). A hacker exploited a vulnerability in December 2025, allowing data to be exfiltrated. A patch was available to address the vulnerability; however, it had not been applied quickly enough to prevent exploitation.

Data compromised in the incident included names, dates of birth, phone numbers, medical record numbers, health information, and recordings of phone calls between patients and providers, in which patients discussed their health issues. A threat actor – FulcrumSec – who engages in data theft and extortion, claimed responsibility for the hack. According to databreaches.net, most of the stolen data related to patients of its client, Houston Methodist Hospital in Texas.

Congress Members’ Prescription Information Compromised in RXNT Data Breach

Further information has come to light about the RXNT data breach, reported by the HIPAA Journal on May 6, 2026. As detailed below, hackers had access to RXNT’s systems for two days in March and stole patient data. While the extent of the data breach has yet to be publicly disclosed, the breach is now known to have involved Congress members’ prescription data.

RXNT’s medical software is used by the Office of the Attending Physician (OAP) to manage care for members of Congress. The software is used to securely transmit prescription information to pharmacies for fulfillment, and some of that information was stolen in the attack, including names, addresses, dates of birth, physician names, and prescription and pharmacy information. Attending physician Brian Monahan has notified the affected members of Congress this week about the exposure of their personal and health data. Congress members’ medical records, Social Security numbers, and financial information were not involved, as the only information entered into the RXNT software is what is required for prescription fulfillment. While the types of information involved have been disclosed, OAP has yet to publicly announce how many individuals have been affected.

Under the HIPAA Breach Notification Rule, business associates such as RXNT have to notify the affected HIPAA-covered entity clients of a breach of unsecured electronic protected health information within 60 days of discovery. Only then does the clock start ticking for issuing individual notifications and notifying the HHS’ Office for Civil Rights. The affected covered entities are ultimately responsible for ensuring those notifications are issued within 60 days of learning about the breach from their business associate, although they may delegate that task to the business associate. It could therefore take up to two months before the full scale of the data breach is known.

May 6, 2026: RXNT Notifies Customers About Cybersecurity Incident and Data Breach

Networking Technology, Inc., doing business as RXNT, a healthcare software technology company that provides electronic health record software, has started sending notification letters to organizations that use its software to inform them about a recent security incident that exposed patient data. A copy of one of the notification letters was shared with The HIPAA Journal, which states that unauthorized activity was identified within an RXNT solution used by some of its customers. An investigation was immediately launched to determine the nature and scope of the unauthorized activity, with assistance provided by third-party cybersecurity experts.

RXNT has confirmed that an unauthorized actor accessed the solution between March 1, 2026, and March 3, 2026, and obtained a copy of the data stored within the system, which included patient data associated with its customers. The data was reviewed between March 3, 2026, and April 17, 2026, and RXNT can now confirm that patient names, dates of birth, and demographic information such as addresses, contact information, and patient IDs were stolen. Each customer was informed about how many patients were affected.

RXNT said it is taking steps to strengthen security to prevent similar incidents in the future and has offered to handle all breach reporting requirements on behalf of the affected clients (OCR notifications, media notices, individual notifications, and state attorneys general notifications). The affected clients have been given a rather short window to respond and sign up to receive further information about the cybersecurity incident. The notification letters are dated May 1, 2026, and providers are required to register by May 15, 2026. A website has been established specifically for that purpose – RXNTnotification[dot]com.

RXNT has only recently notified the affected organizations and offered to handle breach reporting requirements; therefore, the number of affected individuals has not yet been publicly disclosed. It is clear that multiple clients have been affected, and this has been a significant data breach.

This is a developing data breach story, and further information will be published on this page as it becomes available.

CMS Found to Have Leaked Providers’ SSNs

A database created by the Centers for Medicare and Medicaid Services (CMS) has been exposed online, exposing providers’ Social Security numbers. The database can be downloaded, as it was by reporters at the Washington Post. The CMS created a new directory last year to help seniors find healthcare providers covered by insurance plans. The directory lists doctors and other healthcare providers who accept certain insurance plans, in an effort to improve transparency and access to care.

The database created by the CMS to power the provider directory has been found to be leaking some sensitive data. The data that populated the directory was found to contain the Social Security numbers of certain providers, which were linked to their names and other identifying information. The database was publicly accessible for several weeks, and while not immediately visible to individuals who visit the provider directory, it was possible to download the database.

The reporters searched the database and identified dozens of Social Security numbers by reviewing just a sample of rows. The CMS has been notified and has responded, saying it is working on a fix to resolve the issue that led to the data exposure. “[The problem] stems from incorrect entries of provider or provider-representative-supplied information in the wrong places,” explained the CMS. “The agency has taken steps to address it promptly and reinforce safeguards around data submission and validation.”

The explanation suggests that the exposed Social Security numbers are included in the database due to providers entering Social Security numbers into incorrect fields. The CMS did not confirm how many individuals have had their Social Security numbers exposed. Critics suggest that the rollout of the directory was rushed and that the project did not have sufficient oversight. Initially, when the directory was launched, providers were associated with incorrect health plans, with some pages confirming that a provider was covered by an insurance plan, while other pages said they were out of network.
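The failure mode described above (SSNs typed into the wrong fields and then carried into a published dataset) is the kind of thing a pre-publication validation gate can catch. The following is an added example, not code from the CMS or from the article; the CSV layout, field names and sample rows are constructed assumptions.

```python
"""Pre-publication scan of a provider-directory export for SSN-shaped values
that landed in fields which should never carry them.

Added example for the CMS directory incident described above; the file
layout, field names and sample rows are constructed assumptions, not the
real CMS dataset.
"""
import csv
import io
import re
from typing import Optional

# Canonical SSN layout is AAA-GG-SSSS. Bare nine-digit strings are matched
# separately and reported with lower confidence, because an EIN is also nine
# digits once its hyphen is dropped.
_SSN_DASHED = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")
_NINE_DIGITS = re.compile(r"^(\d{3})(\d{2})(\d{4})$")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA structural rules: area 000, 666 and 900-999, group 00
    and serial 0000 are never issued, so such values are not SSNs."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def classify_value(value: str) -> Optional[str]:
    """Return 'ssn' for a dashed SSN, 'nine-digit' for a bare nine-digit
    number that passes the structural rules, else None."""
    v = value.strip()
    m = _SSN_DASHED.match(v)
    if m and is_plausible_ssn(*m.groups()):
        return "ssn"
    m = _NINE_DIGITS.match(v)
    if m and is_plausible_ssn(*m.groups()):
        return "nine-digit"
    return None


def mask(value: str) -> str:
    """Never echo a full SSN into a report; keep only the last four digits."""
    digits = re.sub(r"\D", "", value)
    return "***-**-" + digits[-4:]


def scan_directory_export(csv_text: str, ssn_fields=()):
    """Scan every cell of a CSV export. Fields named in ssn_fields are the
    only ones permitted to carry an SSN; an empty tuple means none are,
    which is the right setting for anything that will be published."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # line 1 is the header
        for field, value in row.items():
            if field in ssn_fields or value is None:
                continue
            kind = classify_value(value)
            if kind:
                findings.append({"line": row_no, "field": field,
                                 "kind": kind, "value": mask(value)})
    return findings


def publish_gate(csv_text: str) -> bool:
    """True if the export is clean and may be published, False otherwise."""
    return not scan_directory_export(csv_text)


# Constructed sample. NPIs are ten digits and an EIN is 2-7, so neither
# trips the check; an SSN typed into the tax-id column and a bare nine-digit
# number left in a free-text column both do. The 000- value is rejected by
# the structural rules rather than being flagged.
SAMPLE_EXPORT = """\
npi,provider_name,practice_tax_id,plan_id,notes
1234567893,Dr A Example,12-3456789,PLAN01,accepting new patients
1234567894,Dr B Example,123-45-6789,PLAN02,
1234567895,Dr C Example,,PLAN01,456789012
1234567896,Dr D Example,000-12-3456,PLAN03,
"""

if __name__ == "__main__":
    for f in scan_directory_export(SAMPLE_EXPORT):
        print(f"line {f['line']}: {f['kind']} in field '{f['field']}' -> {f['value']}")
    print("publish allowed:", publish_gate(SAMPLE_EXPORT))
```

Run as a gate in the export pipeline, a non-empty findings list blocks publication and points the data owner at the exact row and column to correct.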

Ransomware Attack on Good Samaritan Health Center Affects 10,000 Individuals

Data breaches have recently been announced by Green Imaging, Good Samaritan Health Center, Wonderland Child & Family Services, and L.A. Care Health Plan.

Good Samaritan Health Center

Good Samaritan Health Center in Atlanta, Georgia, has notified 10,000 individuals about a February 9, 2026, ransomware attack on one of its internal servers. The attack was identified on February 9, 2026, and the server was isolated to contain the attack. The server was restored from backups on the same day. Good Samaritan Health Center said it has found no evidence to suggest that there has been any misuse of data stored on the server, nor was evidence found of any public disclosure of patient data after the attack; however, Good Samaritan Health Center could not rule out the possibility that data had been accessed or stolen.

Data on the server was reviewed, and the files were found to contain names, dates of birth, zip codes, and limited clinical information. Social Security numbers and financial information were not compromised as they were not stored on the server. Good Samaritan Health Center said it has taken steps to strengthen security, including resetting all passwords, enhancing its monitoring systems to detect malware, and providing ongoing security and privacy training to its workforce. The affected individuals have been advised to review the statements they receive from their healthcare providers and insurers, and should report any services or charges for services that were not received.

Wonderland Child & Family Services

Wonderland Child & Family Services has notified 1,283 individuals about an insider data breach. On or around January 26, 2026, Wonderland Child & Family Services identified unusual activity relating to one of its former employees. An investigation was launched to determine the scope and nature of the activity, and legal counsel was retained to investigate further.

The investigation determined that the protected health information of certain individuals may have been viewed or copied by the employee in an unauthorized manner on May 31, 2023. A review was conducted, and the information impermissibly accessed included names, dates of birth, and medical information. Wonderland Child & Family Services said it is reviewing and enhancing its policies and procedures to reduce the likelihood of similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

L.A. Care Health Plan

L.A. Care Health Plan has identified an error with a mailing that resulted in letters intended for one individual being sent to an incorrect health plan member on January 30, 2026. The error was due to a mistake that matched 2,885 member identification numbers with the wrong names when sending annual Health Risk Assessment (HRA) forms to L.A. Care Medi-Cal members. The information in the mailing was limited to member name, health plan name, and program name. No highly sensitive information was included in the mailing. L.A. Care Health Plan has updated its processes to prevent similar incidents in the future.

Vendor Data Breaches Announced by Six HIPAA-Regulated Entities

There have been several announcements about data breaches at business associates of HIPAA-regulated entities recently, including Providence St. Joseph Orange and Skin & Beauty Center in California, Management-ILA Managed Health Care Trust Fund in New York, and Ideal Home Care, Duncan Regional Home Care, and Chisholm Trail Hospice in Oklahoma.

Providence St. Joseph Orange, California

Providence St. Joseph Orange, a Catholic general hospital in Orange, California, has been affected by a data security incident at its vendor, Pinnacle Holdings, LTD, a health care consulting company. Pinnacle experienced a network disruption in November 2024, and the forensic investigation confirmed unauthorized access to its network between November 11, 2024, and November 25, 2024, during which time files containing protected health information may have been exfiltrated from Pinnacle’s network.

Data potentially compromised in the incident included patients’ first and last name, address, email address, date of birth, encounter ID number, health insurance claim number, health insurance policy number, medical record number, patient account number, patient ID number, phone number, prescription information, Social Security number, Medicare/Medicaid number, provider name, date of service, health insurance information, treatment cost information, and/or medical/diagnostic information.

It has taken a considerable amount of time for individual notifications to be issued. It took Pinnacle more than a year to notify Providence St. Joseph Orange that it had been affected, with the notification issued on December 30, 2025. On February 27, 2026, Providence St. Joseph Orange notified the HHS’ Office for Civil Rights that the protected health information of 11,329 patients was potentially compromised in the incident. Pinnacle has notified the affected individuals directly and has offered them 2 years of complimentary credit monitoring and identity theft protection services.

Skin & Beauty Center, California (DermCare Management)

Skin & Beauty Center in California has announced that it has been affected by a data breach at its management company, DermCare Management. DermCare Management is a Hollywood, Florida-based full-service practice management company for more than 70 skincare and dermatology clinics in Florida, Texas, Virginia, and California, which serve more than 600,000 patients.

Suspicious activity was identified on February 26, 2025, and on March 3, 2025, it was confirmed that patient data had been compromised. It has taken a year to review the affected data. On March 2, 2026, it was confirmed that names, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information were impacted. The types of data vary from individual to individual.

The notification letters make no mention of complimentary credit monitoring and identity protection services. The affected individuals have been advised to monitor their free credit reports, financial accounts, and explanation of benefits statements, and should report any suspicious activity to the appropriate institution. It is currently unclear how many patients have been affected.

Other clinics affected by the data breach include:

  • Berman Skin Institute, California
  • Dania Dermatology, Florida
  • Dermatology Treatment and Research Center, Texas
  • Florida Academic Dermatology Center, Florida
  • Hillcrest Plastic Surgery & Dermatology, Florida
  • Hollywood Dermatology, Florida
  • Keys Dermatology, Florida
  • Miami Plastic Surgery, Florida
  • Rendon Center for Dermatology & Aesthetic Medicine, Florida
  • Skin Center of South Miami, Florida

Management-ILA Managed Health Care Trust Fund

Management-ILA Managed Health Care Trust Fund, a provider of medical, behavioral health, and prescription drug benefits, has been affected by a data breach at the New York law firm, Mazzola Mardon, P.C. According to the law firm, the protected health information of 2,123 individuals was potentially compromised in the incident. Mazzola Mardon explained in its April 15, 2026, substitute breach notice, that unusual activity was detected within its network, and third-party cybersecurity specialists confirmed that a hacker accessed its network and downloaded files on August 8, 2025. The review of those files was completed on January 27, 2026, and the affected individuals were notified by mail on March 23, 2026.

In addition to names, data compromised in the incident included one or more of the following: address, date of birth, Social Security number, drivers’ license and/or state identification number, financial account information, mental or physical condition, treatment/diagnosis information, dates of service, provider name, procedure type, prescription information, medical record number, Medicare identification number, health insurance information, and/or billing/claim information. Mazzola Mardon said it is reviewing and enhancing its cybersecurity posture to prevent similar incidents in the future.

Ideal Home Care & Duncan Regional Hospital (DRH Health), Oklahoma

Two more healthcare providers have recently confirmed that they were affected by the data breach at vendor, Doctor Alliance, a healthcare technology firm that provides a software platform that physicians use to review and sign clinical documentation. Doctor Alliance experienced a breach of its platform, with unauthorized access occurring between October 31, 2025, and November 17, 2025. The review of the affected data was completed on April 6, 2026.

  • Ideal Home Care, a home health care service provider in Oklahoma, has confirmed that 1,331 individuals were affected. The information potentially accessed included names, addresses, dates of birth, medical record numbers, dates of care, and diagnosis and treatment information.
  • Duncan Regional Hospital (DRH Health) in Oklahoma was also affected, with the breach affecting patients of Duncan Regional Home Care and Chisholm Trail Hospice. The breach was reported to the HHS’ Office for Civil Rights as affecting 724 patients. Data compromised included names, addresses, dates of birth, dates of service, health insurance information, medical diagnosis & treatment information, and prescription information.

Other healthcare providers affected by the data breach include Bayada Home Health Care in New Jersey, A Path of Care Home Health and Hospice in Oklahoma, Team Select in Arizona, Community Nurse in Massachusetts, and Enhabit Home Health & Hospice and AccentCare in Texas.

Medical Device Maker Medtronic Announces Data Breach

The medical device manufacturing giant Medtronic has confirmed that hackers breached its network and exfiltrated data. The company announced the cyberattack on Friday, April 24, 2026, and said the attack was quickly contained and its incident response protocols were activated.

Medtronic manufactures a range of medical products, including pacemakers, defibrillators, heart valves, coronary stents, insulin pumps, continuous glucose monitoring systems, neurosurgery products and imaging systems, surgical robotics, ventilators, and gastrointestinal products. The company is the world’s largest medical device company by revenue, which was $33.5 billion in fiscal year 2025. The company operates in more than 150 countries, employs around 95,000 people worldwide, and serves around 79 million patients annually.

The hackers only accessed a limited portion of its network. Medtronic confirmed that the networks that support its corporate IT systems, products, manufacturing, and distribution operations are separate. Further, hospital customer networks are separate from Medtronic IT networks and are secured and managed by customers’ IT teams. A leading cybersecurity firm has been engaged to investigate the incident and support its investigation and remediation efforts. At present, there has been no identified impact on its products, patient safety, customer connections, manufacturing and distribution operations, or financial reporting systems, and the company is continuing to meet patient needs.

What is not currently known is whether personal or protected health information was accessed or stolen in the incident. If such information has been accessed or stolen, the affected individuals will be identified, and notifications will be issued, and support services will be made available. While mitigating the incident, Medtronic said it is simultaneously working on identifying additional ways that it can optimize system security to prevent similar incidents in the future.

Medtronic is a publicly traded company and is therefore required to notify the U.S. Securities and Exchange Commission (SEC) about material events that may affect shareholders. In its Form 8-K filing with the SEC, Medtronic states that the incident is not expected to have a material impact on its business or financial results. Prior to the announcement and SEC filing, on April 18, 2026, the ShinyHunters data theft and extortion group claimed responsibility for the attack. The group claimed to have exfiltrated terabytes of Medtronic data, including personally identifiable information.

ShinyHunters claimed to have stolen more than 9 million records containing PII, although that claim has not been verified by Medtronic. ShinyHunters said it would publish the stolen data if the ransom was not paid by April 21, 2026. The amount of money demanded has not been made public. Medtronic has been removed from the ShinyHunters data leak site, which suggests that the ransom has been paid, although Medtronic has not confirmed whether that is the case.

“This incident highlights a recurring pattern where attackers prioritize corporate IT environments as an entry point, knowing they often contain high-value data but are less rigorously segmented than production or patient-facing systems. Even if Medtronic states there is no impact to products or patient safety, the theft of millions of records, if confirmed, still represents a significant risk, particularly for identity theft, targeted phishing, and supply chain exploitation. In healthcare, ‘no operational impact’ does not mean ‘no risk’; sensitive data exposure can have long-term downstream consequences,” said Ensar Seker, CISO at SOCRadar. “From a defender’s perspective, this reinforces the need to treat corporate IT systems with the same level of scrutiny as clinical or operational environments. Strong identity controls, strict network segmentation, and continuous monitoring of data exfiltration paths are critical. Additionally, organizations should assume that groups like ShinyHunters will attempt to monetize even partial or low-sensitivity datasets, so rapid validation, transparent communication, and proactive threat intelligence engagement are essential to reduce reputational and regulatory fallout.”

Medtronic is not the only medical device manufacturer to experience a data breach this year. In January 2026, Massachusetts-based UFP Technologies, a manufacturer of devices and components for wound care, implants, and orthopedic and surgical products, notified the SEC about a cyberattack and data breach. In March 2026, the California implantable orthopedic device manufacturer TriMed announced a cyberattack and data breach, and the medtech company Stryker experienced a wiper attack.

Cyberattacks Announced by Florida Physician Specialists & Mile Bluff Medical Center

Florida Physician Specialists has started notifying patients affected by a November 2025 hacking incident. Mile Bluff Medical Center in Wisconsin has announced that it is working under downtime procedures as it recovers from an April 2026 ransomware attack.

Florida Physician Specialists

Florida Physician Specialists, a Jacksonville, FL-based multi-specialty private physician practice serving patients in Northeast Florida, started notifying patients on April 24, 2026, about a November 2025 hacking incident that exposed some of their personal and protected health information.

An investigation was launched into a security incident in late November, which confirmed that an unauthorized third party accessed its network between November 27, 2025, and November 29, 2025. The review of the exposed data was completed on April 6, 2026, when it was confirmed that a limited amount of patient data may have been exfiltrated from its network. Data potentially compromised in the incident included names in combination with one or more of the following: Social Security numbers, driver’s license numbers or state identification numbers, other government identification numbers, financial account information, credit or debit card information, medical information, and/or health insurance policy information.

While data may have been stolen, Florida Physician Specialists is unaware of any actual or attempted misuse of the data; however, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring services. The data breach was reported to the Maine Attorney General as affecting 47 Maine residents, but it is currently unclear how many individuals have been affected in total. There is currently no listing on the HHS Office for Civil Rights website.

Mile Bluff Medical Center

Mile Bluff Medical Center in Mauston, Wisconsin, is dealing with a cyberattack that resulted in the encryption of files on its network. Security protocols were immediately implemented when the attack was discovered, and an investigation has been launched with assistance provided by third-party partners.

The medical center has confirmed that the cyberattack caused limited and temporary interruptions to certain computer systems, and its phone system has also been impacted. Clinical teams have been working under downtime procedures while the attack is mitigated and systems can be safely restored. The priority has been to ensure that care continues to be provided to patients. The medical center is working to fully resolve the issues as soon as possible. At this stage of the recovery process, it is too early to tell to what extent, if any, patient data has been affected. No threat group appears to have claimed responsibility for the attack at the time of writing.


OCR Fines Four Regulated Entities for HIPAA Violations That Led to Ransomware Attacks

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced four financial penalties to resolve potential HIPAA violations discovered during investigations of ransomware-related data breaches. The ransomware attacks resulted in the exposure of the electronic protected health information (ePHI) of 427,000 individuals, and $1,165,000 in financial penalties were imposed to resolve the HIPAA violations. In each case, the HIPAA-regulated entity agreed to pay a lower penalty to settle the alleged violations informally and agreed to adopt a corrective action plan to address the noncompliance issues identified by OCR’s investigators. Including these four settlements, OCR has resolved six investigations with financial penalties in 2026, collecting $1,278,000 in penalties.

Financially motivated cyber actors target the healthcare and public health sector, often using ransomware to encrypt files to prevent access to critical data. Threat actors know that healthcare organizations store large volumes of sensitive data and rely on access to the data to provide healthcare services. Without access to medical records, patient safety is put at risk, so victims are more likely than organizations in other sectors to pay the ransom demands to recover quickly. In addition to encryption, sensitive data is often exfiltrated and used as leverage. If the ransom is not paid, the data is sold or leaked online, putting the affected individuals at risk of identity theft and fraud.

In each of the past five years, more than 700 data breaches affecting 500 or more individuals have been reported to OCR, the majority of which were hacking incidents or ransomware attacks. “Hacking and ransomware are the most frequent type of large breach reported to OCR,” said OCR Director Paula M. Stannard, in an announcement about the HIPAA penalties. “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”

One of the most important requirements of the HIPAA Security Rule is a risk analysis, the purpose of which is to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Those risks and vulnerabilities must then be subjected to risk management processes to eliminate them or reduce them to a low and acceptable level. If a risk analysis is not conducted, is not conducted regularly, or is incomplete, risks and vulnerabilities are likely to remain unknown and unaddressed and can be exploited to gain access to internal networks and ePHI.

OCR has made the risk analysis provision of the HIPAA Security Rule an enforcement priority due to its importance, and that initiative is being extended to include risk management. If a data breach is reported or if a complaint is submitted about an unreported data breach, OCR will investigate and will require evidence to show that a risk analysis has been completed and risks have been managed in a timely manner. In each of the four latest enforcement actions, OCR identified risk analysis failures.

In order to complete a comprehensive and accurate risk analysis, HIPAA-regulated entities must identify all locations within the organization where ePHI is located, including how ePHI enters, flows through, and leaves the organization’s information systems. It is therefore essential to create and maintain an accurate and up-to-date asset inventory on which the risk analysis can be based.

In addition to identifying and managing risks and vulnerabilities, HIPAA-regulated entities must ensure that appropriate cybersecurity measures are implemented, including access controls and authentication to restrict access to ePHI to authorized users only. Audit controls must be implemented to record and examine activity in information systems, and logs of information systems activity need to be regularly monitored. Encryption should be implemented to protect ePHI at rest and in transit, and an incident response plan must be developed, implemented, and maintained to ensure a fast response in the event of a successful intrusion. OCR also reminds regulated entities to ensure that workforce members are provided with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Assured Imaging Affiliated Covered Entities – $375,000 HIPAA Penalty

The largest financial penalty announced this month resolved potential HIPAA violations identified by OCR during an investigation of a ransomware-related data breach at Assured Imaging Affiliated Covered Entities (Assured Imaging), a medical imaging and screening service provider with corporate headquarters in Arizona and California. The ransomware attack was discovered on May 19, 2020, and involved the theft of ePHI such as names, contact information, dates of birth, diagnosis and conditions, lab results, medications, and treatment information of 244,813 individuals.

Assured Imaging was unable to provide evidence that a risk analysis had ever been completed. OCR determined that there had been an impermissible disclosure of the ePHI of 244,813 individuals, and that Assured Imaging failed to notify the affected individuals within 60 days, as required by the HIPAA Breach Notification Rule. OCR imposed a $375,000 financial penalty to resolve the alleged HIPAA violations, and the settlement agreement includes a comprehensive corrective action plan. Assured Imaging will be monitored for compliance with the corrective action plan for two years.

Regional Women’s Health Group, dba Axia Women’s Health – $320,000 HIPAA Penalty

Regional Women’s Health Group, which does business as Axia Women’s Health and provides women’s healthcare services to patients in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky, reported a ransomware-related data breach to OCR in December 2020. The ePHI of 37,989 individuals stored in its electronic medical record database was exposed or stolen in the incident, including names, addresses, dates of birth, SSNs, driver’s license numbers, diagnoses or conditions, lab results, and medications.

OCR determined that Axia Women’s Health had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI and imposed a $320,000 financial penalty. Axia Women’s Health opted to settle the alleged violation informally and agreed to implement a comprehensive corrective action plan and will be monitored for compliance with that plan for two years. In addition to conducting a risk analysis, implementing a risk management plan, and providing training to the workforce, Axia Women’s Health is required to implement a process for evaluating environmental and operational changes that affect the security of ePHI, suggesting OCR found potential noncompliance in this area, in addition to the risk analysis failure.

Star Group, L.P. Health Benefits Plan – $245,000 HIPAA Penalty

Star Group, L.P. Health Benefits Plan (SG Health Plan), the self-funded employee benefits plan of a Connecticut-based energy provider, reported a ransomware attack to OCR in October 2021. The forensic investigation determined that the ransomware group exfiltrated files containing the ePHI of 9,316 of its plan members. Data stolen in the attack included names, addresses, dates of birth, SSNs, and health insurance information, such as member identification numbers, claims data, and benefit selection information.

OCR’s investigation determined that SG Health Plan had failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to ePHI, resulting in an impermissible disclosure of the ePHI of 9,316 individuals. OCR resolved the alleged HIPAA violations with a $245,000 financial penalty, and SG Health Plan agreed to adopt a corrective action plan to address the alleged HIPAA violations. SG Health Plan will be monitored for compliance with the plan for two years.

Consociate, Inc., dba Consociate Health – $225,000 HIPAA Penalty

Consociate, Inc., doing business as Consociate Health, a third-party administrator of employer-sponsored benefit programs and business associate of health plans, discovered on January 14, 2021, that data in its information systems had been encrypted in a ransomware attack. The forensic investigation determined that its network had first been compromised six months earlier as a result of a phishing attack.

The threat actor gained access to a server containing the ePHI of 136,539 individuals, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, credit card/bank account numbers, and diagnoses or conditions. OCR determined that Consociate Health failed to conduct an accurate and thorough risk analysis and resolved the alleged HIPAA violation with a $225,000 financial penalty. Consociate Health agreed to adopt a corrective action plan to address the alleged HIPAA violation and will be monitored for compliance with the plan for two years.
