HIPAA Compliance News

September 2025 Healthcare Data Breach Report

Posted by Steve Alder

While the figures in our September 2025 data breach report look encouraging, there is a major caveat. Due to the government shutdown, the HHS’ Office for Civil Rights (OCR) has largely stopped adding data breaches to its data breach portal.  The figures for September are therefore likely to increase considerably when the furlough comes to an end, staff return to work, and the backlog of data breach reports is addressed. While we do not generally update our monthly breach reports after publication, we will revise the figures and re-publish this report when the government shutdown comes to an end.

September 2025 Healthcare Data Breach Report

As of October 22, 2025, OCR has added 26 data breaches affecting 500 or more individuals to its data breach portal – the lowest monthly total since December 2018.  While data breaches are down 56% from August’s 64 data breaches, there are likely to be several more breaches added to that total. That said, there has been a downward trend in healthcare data breaches since April, and the year-to-date total from January 1 to September 30 is 469 data breaches, compared to 554 data breaches in the corresponding period in 2024. Even accounting for missing breach reports due to the government shutdown, data breaches are down considerably from last year.

Healthcare data breaches in the past 12 months

Across the 26 September data breaches on the OCR data breach portal, the protected health information of at least 1,294,769 individuals was exposed or impermissibly disclosed, marking the third consecutive month with a fall in the number of affected individuals, and currently down 65.9% from August. That number could increase considerably, but currently, for the year-to-date, 42,216,193 individuals have had their protected health information exposed or impermissibly disclosed. While this year’s total is higher than in the whole of 2019 and 2020, the number of affected individuals is down 85% compared to last year and 75% compared to 2023.

Individuals affected by healthcare data breaches in the past 12 months.

The Biggest Healthcare Data Breaches Announced in September

Currently, 42% of the month’s breaches (11 incidents) involved the exposure or impermissible disclosure of the protected health information of 10,000 or more individuals. All but one of the 11 data breaches were hacking incidents involving unauthorized access to protected health information stored on network servers, with one incident involving a compromised email account. Goshen Medical Center was the worst-affected covered entity, with more than 456,000 patients affected by its hacking incident. One provider that stands out is Sturgis Hospital, which was investigating a cyberattack that occurred in December 2024, when another intrusion was experienced in June 2025.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Goshen Medical Center NC Healthcare Provider 456,385 Network server hacking incident
Medical Associates of Brevard, LLC FL Healthcare Provider 246,711 Network server hacking incident
Doctors Imaging Group FL Healthcare Provider 171,862 Network server hacking incident – Data theft confirmed
Retina Group of Florida FL Healthcare Provider 152,691 Network server hacking incident
Sturgis Hospital MI Health Plan 77,771 Network server hacking incident
Sturgis Hospital MI Healthcare Provider 77,771 Network server hacking incident
PGA Development, Inc. PA Healthcare Provider 23,899 Network server hacking/IT Incident
Teamsters Union 25 Health Services & Insurance Plan MA Health Plan 19,231 Network server hacking incident
Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice  (“Treasure Health ”) FL Healthcare Provider 13,234 Email account breach
People Encouraging People MD Healthcare Provider 13,083 Ransomware attack – Data theft confirmed

The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to OCR and issue notifications within 60 days of the discovery of a data breach; however, if the total number of affected individuals is not known at that point, an estimate should be provided to OCR. Many regulated entities submit a breach report using a placeholder figure of 500 or 501 affected individuals, then provide an updated total when the file review is concluded. Four data breaches were reported in September using 500 or 501 totals indicative of a placeholder. These data breaches could affect considerably more individuals than the initial breach report suggests.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach
Cookeville Regional Medical Center TN Healthcare Provider 500 Hacking/IT Incident
Hampton Regional Medical Center SC Healthcare Provider 501 Hacking/IT Incident
Coos County Family Health Services NH Healthcare Provider 501 Hacking/IT Incident
La Perouse, LLC NV Business Associate 501 Hacking/IT Incident

Causes of September 2025 Healthcare Data Breaches

Out of the 23 large healthcare data breaches added to the OCR breach portal in September, 23 (88.5%) were reported as hacking/IT incidents, involving unauthorized access to the protected health information of 1,279,139 individuals, which is 98.8% of the total individuals affected by data breaches in September. The average number of individuals affected by these incidents was 55,615 (median: 6,243 individuals).

Causes of September 2025 healthcare data breaches

The exact nature of the hacking incidents, such as whether ransomware was used to encrypt files, if a ransom demand was received, or even if data was stolen, is often not disclosed. This trend has been growing for several years and is not confined to the healthcare industry. The Identity Theft Resource Center (ITRC) has reported that this trend is evident across many industry sectors.

The remaining three data breaches were unauthorized/disclosure incidents, affecting 15,630 individuals. On average, 5,210 individuals were affected (median: 1,700 individuals). Based on the available data, no loss, theft, or improper disposal incidents were reported to OCR in September. There have been no loss/theft incidents reported since March 2025, and the last reported improper disposal incident was in May 2025.

Location of breaches protected health information in September 2025 healthcare data breaches

Where Did the Data Breaches Occur?

September 2025 healthcare data breaches by regulated entity type

September 2025: individuals affected by healthcare data breaches by regulated entity type

Geographical Distribution of Healthcare Data Breaches in September

Florida and North Carolina were the worst-affected states, with four data breaches affecting 500 or more individuals reported by entities based in those states, and both states top the list in terms of the number of affected individuals, with 584,498 and 465,721 individuals affected, respectively.

State Breaches
Florida & North Carolina 4
Michigan, Pennsylvania & Tennessee 2
Louisiana, Massachusetts, Maryland, Minnesota, Missouri, New Hampshire, Nevada, Oregon, South Carolina, Texas, Virginia, and Washington 1

The table below shows the number of individuals affected by healthcare data breaches based on the state where the regulated entity is based, not necessarily where the affected individuals reside.

State Individuals Affected
Florida 584,498
North Carolina 465,721
Michigan 155,542
Pennsylvania 26,150
Massachusetts 19,231
Maryland 13,083
Missouri 11,538
Louisiana 6,243
Minnesota 3,572
Tennessee 2,957
Oregon 1,700
Texas 1,236
Washington 1,099
Virginia 696
New Hampshire 501
Nevada 501
South Carolina 501

HIPAA Enforcement Activity in September 2025

It has been a busy year of HIPAA enforcement for OCR, with 20 enforcement actions involving settlements or civil monetary penalties announced this year, including one enforcement action in September.  OCR agreed to settle alleged violations of the HIPAA Privacy Rule and Breach Notification Rule with Cadia Healthcare facilities, which agreed to pay $182,000 to resolve the alleged violations.

Cadia Healthcare is a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware. An employee had posted success stories about its patients to its social media channel; however, it had not obtained valid HIPAA authorizations for that purpose, and therefore, the use of PHI in the stories was an impermissible disclosure of PHI. After being notified by OCR, Cadia found that 150 patients had PHI posted online without valid authorizations, deleted the posts, and shut down the success story program; however, notification letters about the HIPAA breach were not issued.  The corrective action plan requires policies and procedures to be revised, training to be provided to staff members, and notification letters to be issued.

The post September 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member

Posted by Steve Alder

An Iowa nurse has been terminated for a HIPAA violation and has lost her unemployment benefits after disclosing the pregnancy status of a 17-year-old patient to a family member without the patient’s consent. Erica Hulsing was a registered nurse at Waverly Health Center in Waverly, Iowa, where she had been employed since September 2016. On April 17, 2025, Hulsing received a call from a family member of a 17-year-old patient inquiring about the patient’s recent stay at the hospital.

The patient had made an explicit request for her pregnancy status to be kept confidential; however, Hulsing informed the family member that the patient had been pregnant. Following the disclosure, the patient and family members filed complaints with the hospital over the disclosure, prompting an internal investigation. The hospital determined that Hulsing had disclosed highly sensitive information about a patient to an individual who was not authorized to receive that information, as the family member was not listed on her consent form. The hospital determined that the disclosure was a violation of the HIPAA Privacy Rule, which prohibits disclosures of protected health information to unauthorized individuals. The disclosure also violated hospital policies on professional conduct, resulting in termination for gross misconduct.

HIPAA gives patients the right to request that disclosures of their health information be restricted, including disclosures of their health information to family members. While individuals under 18 years of age are considered minors, if a 17-year-old consents to treatment under state law, the Privacy Rule generally allows the minor to exercise their own privacy rights.

Hulsing maintained that she was unaware that disclosing the patient’s pregnancy status to a family member violated the HIPAA Rules. Hulsing applied for unemployment benefits while her case was under review, and she was paid $4,214 in benefits; however, last month, Administrative Law Judge Duane Golden ruled that Hulsing was not eligible to receive unemployment benefits as her actions constituted job-related misconduct, and Hulsing was ordered to repay the $4,214 she received.

Disclosing patient information to any unauthorized individual can have serious consequences for both the healthcare professional and the patient. As this case clearly demonstrates, a lack of knowledge about the requirements of HIPAA is not a valid defense against a HIPAA violation. In this case, the patient’s request for confidentiality should have been respected, and the disclosure should only have been made if the patient had consented to the disclosure and that consent had been documented.

Healthcare professionals must ensure that they are aware of the requirements of HIPAA, and should ensure that they stay up to date with state and federal laws. Healthcare providers should ensure that they provide comprehensive HIPAA training to all employees to ensure they are aware of their responsibilities under HIPAA, and should reinforce training through annual refresher training sessions to help prevent HIPAA violations in the workplace.

The post Nurse Fired for Disclosing Teenager’s Pregnancy Status to Family Member appeared first on The HIPAA Journal.

Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations

Posted by Steve Alder

A $182,000 settlement has been agreed between the HHS’ Office for Civil Rights and five Delaware healthcare providers to resolve alleged violations of the HIPAA Privacy and HIPAA Breach Notification Rules. The settlement concerns the posting of patients’ protected health information (PHI) on social media without first obtaining HIPAA-compliant authorizations to use PHI for a purpose not expressly permitted by the HIPAA Privacy Rule, then failing to notify individuals about the impermissible use and disclosure.

Cadia Healthcare is a provider of rehabilitation, skilled nursing, and long-term care services at five facilities in Delaware. Those facilities are Cadia Rehabilitation Broadmeadow in Middletown, Cadia Rehabilitation Renaissance in Millsboro, Cadia Rehabilitation Capital in Dover, and Cadia Rehabilitation Pike Creek and Cadia Rehabilitation Silverside in Wilmington, collectively referred to as the Cadia Healthcare Facilities (Cadia).

Each of the Cadia facilities is a HIPAA-covered entity that is required to comply with the HIPAA Rules. OCR launched an investigation after receiving a complaint on September 20, 2021, about an alleged impermissible disclosure of PHI online.  The complainant alleged that Cadia had used their photograph, name, and information about their condition, treatment, and recovery in an online post but had not obtained authorization to use the information for that purpose.

OCR’s investigation substantiated the allegation and determined that a Cadia employee had posted the patient’s PHI to Cadia’s social media page as part of a success story; however, a signed authorization form had not been obtained prior to that use and disclosure. Under HIPAA, PHI cannot be posted online on websites or social media pages unless a HIPAA-compliant authorization has been obtained from an individual in advance.

OCR notified Cadia about the allegations and the findings of the investigation, and Cadia removed the post and notified the patient that the success story had been removed. OCR also identified other patients whose treatment had been included in a series of success stories. As of February 22, 2022, Cadia had created and posted success stories containing the PHI of 150 patients without obtaining valid HIPAA authorizations. According to OCR, Cadia shut down the success story program in March 2022, but failed to issue notifications to the affected individuals, as required by the HIPAA Breach Notification Rule.

“The internet and social media are important business development tools.  But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure,” said OCR Director Paula M. Stannard. “Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”

In April 2025, OCR entered into a settlement agreement with Cadia to resolve the alleged violations of the HIPAA Rules.  The alleged violations related to two Privacy Rule and one Breach Notification Rule provisions:

  • 45 C.F.R. § 164.530(c) – The failure to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and reasonably safeguard PHI from any intentional or unintentional use or disclosure.
  • 45 C.F.R. § 164.502(a) – The impermissible use or disclosure of PHI
  • 45 C.F.R. § 164.404(a) – The failure to issue timely breach notifications

In addition to paying the financial penalty, the settlement agreement includes a corrective action plan (CAP). Cadia will be monitored for compliance with the CAP for 2 years. The corrective action plan requires Cadia to review and revise, as necessary, its policies and procedures to ensure compliance with the HIPAA Rules. Those policies and procedures must be distributed to the workforce, and HIPAA training must be provided to workforce members. Policies and procedures must be reviewed at least annually and updated as necessary to ensure continued HIPAA compliance. Cadia is also required to issue breach notifications concerning the impermissible disclosures of PHI under the success story program.

Notifications have already been issued, and the Cadia websites currently display a notice about the privacy violations. Cadia confirmed that it had policies and procedures in place requiring patients to sign a written consent form prior to using their information in its success story program. “On February 22, 2022, we learned that one or more of these success stories may have been posted without a valid consent form on file for the patient highlighted in the story. We promptly launched an investigation, removed all success stories from our social media pages, and on March 2, 2022, eliminated the success story program in its entirety,” explained Cadia in its substitute breach notice. “Because we deleted all success stories in 2022, we were unable to definitively determine all individuals who participated in the success story program. Accordingly, out of an abundance of caution, we are notifying individuals who may have participated and for whom we could not locate a valid consent form.”

This is the 20th HIPAA penalty to be imposed by OCR to resolve violations of the HIPAA Rules so far in 2025, making it one of the most active years of HIPAA enforcement. So far this year, OCR has collected more than $8.2 million in civil monetary penalties and settlements.

OCR Penalties to Resolve HIPAA violations - 20107-2025

OCR HIPAA fines and settlements 2017-2025

The post Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations appeared first on The HIPAA Journal.

HHS Releases Updated Security Risk Assessment Tool

Posted by Steve Alder

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP) have announced the release of an updated version of the Security Risk Assessment (SRA) Tool.

The SRA tool was developed to help small to medium-sized healthcare providers comply with the security risk assessment provision of the HIPAA Security Rule, one of the foundational requirements of the Security Rule. A HIPAA risk assessment failure is the most commonly identified HIPAA Security Rule violation, and OCR currently has an active enforcement initiative targeting noncompliance. Through its investigations of complaints, data breaches, and compliance audits, OCR commonly discovers that HIPAA-regulated entities have either failed to conduct a risk assessment or that risk assessments are inaccurate or incomplete. For instance, a risk assessment is conducted based on an incomplete or out-of-date asset inventory.

The enforcement initiative was announced by OCR in October 2024 when the first penalty was imposed on Bryan County Ambulance Authority in Oklahoma. Since then, OCR has imposed 10 financial penalties for risk analysis failures, making it the most common reason for security-related HIPAA civil monetary penalties and settlements.

The SRA tool is an invaluable tool for small and medium-sized healthcare providers, as it guides them through the process of conducting a risk assessment. The latest release, version 3.6, includes several updates to improve usability. A new assessment confirmation button has been added with a reviewed-by date for each section, allowing users to confirm that a section has been reviewed and approved, which will be saved for audit records.

The risk scale has been updated to align with NIST scoring, with the score of “medium” changed to “moderate”. Updated library files will be installed when the new version is installed, mitigating vulnerabilities that may exist in outdated versions. The reports have been updated with new content, including section-specific approval/reviewed-by details and additional information entered by users. There have also been improvements to questions, responses, and education to make the SRA Tool more relevant to the evolving cybersecurity environment and to improve ease of use.

OCR and ASTP are hosting two live webinars this month on the SRA Tool. Experts will provide an introduction to the SRA tool, demonstrate the new features and enhanced reports, and will be available to answer questions about the tool and new features. The webinars will be held on September 15, 2025, at 12 p.m. ET, and on September 16, 2025, at 3 p.m. ET. You can register for the webinar on this link.

The post HHS Releases Updated Security Risk Assessment Tool appeared first on The HIPAA Journal.

July 2025 Healthcare Data Breach Report

Posted by Steve Alder

U.S. healthcare data breaches are down 34.1% month-over-month, and 44.5% fewer individuals had their healthcare data exposed. HIPAA-regulated entities reported 48 data breaches affecting 500 or more individuals in July, 12 fewer than the monthly average over the past 12 months.

Healthcare data breaches in the past 12 months - July 2025

July saw the lowest number of reported healthcare data breaches since September 2024, although the monthly total is likely to increase as there is often a delay between an entity reporting a data breach to the HHS’ Office for Civil Rights (OCR) and it being added to the OCR breach portal. For instance, in August 2024, when we compiled the July 2024 healthcare data breach report, there were 43 data breaches, with the total increasing to 49 over the next few months.

July healthcare data breaches 2020-2025

July’s total is therefore likely to be slightly higher than July 2024, and data breaches are up slightly year-over-year. When we compiled our July 2024 data breach report on July 20, 2024, 435 data breaches affecting 500 or more individuals had been reported to OCR. This year’s total for January 1, 2025, to July 31, 2025, stands at 444 data breaches – a 2% year-over-year increase.

Individuals affected by healthcare data breaches in the past 12 months

There has also been a fall in the number of individuals affected by healthcare data breaches. Across the 48 reported data breaches, 4,397,900 individuals had their healthcare data exposed or impermissibly disclosed – a 44.5% month-over-month reduction, and 1.37 million fewer individuals than the 12-month average of 5,769,912 individuals a month.

Individuals affected by july data breaches 2020 - 2025

While there has been a month-over-month fall in affected individuals based on current data, July’s total will increase further as breached organizations complete their data breach investigations and file reviews. As it stands, the number of affected individuals is down 97.8% from the 200 million+ individuals affected by data breaches last year. It should be noted that the July 2024 total includes the data breach at Change Healthcare, which affected 192.7 million individuals. When we compiled the data for last July’s data breach report, the OCR breach portal only showed 1.2 million affected individuals.

Biggest Healthcare Data Breaches in July 2025

In July, 16 HIPAA-regulated entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates reported data breaches affecting 10,000 or more individuals, all of which were hacking incidents. Two data breaches stand out in terms of the number of affected individuals – the hacking incident at Anne Arundel Dermatology and Radiology Associates of Richmond (RAR), which combined affected more than 3.3 million individuals, 75.6% of the month’s total affected individuals.

It is unclear from the breach reports whether ransomware was used in either of these incidents. Hackers had access to the RAR network for four days in April 2024, but were camped in the Anne Arundel network for three months before the intrusion was detected. Several dermatology practices and medical imaging providers have reported data breaches in recent months, which suggests these types of entities may have been targeted specifically by threat actors.

Three of the top 16 data breaches were reported as ransomware attacks, although ransomware may have been used in more attacks. It is now common for data breach notification letters to omit the cause of the breach, and relatively few mention ransomware, even when ransomware groups have claimed responsibility for an attack.

Name of Regulated Entity State Entity Type Individuals Affected Cause of Breach
Anne Arundel Dermatology MD Healthcare Provider 1,905,000 Hacking incident
Radiology Associates of Richmond, Inc. VA Healthcare Provider 1,419,091 Hacking incident
Zumpano Patricios, P.A. FL Business Associate 279,275 Hacking incident
Cierant Corporation CT Business Associate 232,506 Hacking incident (Cleo VL Trader MFT)
Alera Group, Inc. IL Business Associate 155,567 Hacking incident
McKenzie Memorial Hospital MI Healthcare Provider 58,839 Hacking incident
Wood River Health RI Healthcare Provider 54,926 Hacking incident (Email accounts)
Gastroenterology Consultants of South Texas TX Healthcare Provider 44,579 Ransomware attack (Interlock)
Infinite Services, Inc. NY Healthcare Provider 31,742 Ransomware attack
Self Regional Healthcare SC Healthcare Provider 26,696 Hacking incident at business associate (Nationwide Recovery Service)
Dr. Michael Bilikas and Associates d.b.a. 32 Pearls WA Healthcare Provider 23,517 Ransomware attack
AVALA Holdings LA Healthcare Provider 22,732 Hacking incident
Keys Pathology Associates, PA FL Healthcare Provider 20,000 Hacking incident
Northwest Denture Center, Inc. WA Healthcare Provider 19,419 Hacking incident
Arbor Associates, Inc. MI Business Associate 17,040 Hacking incident
Florida Lung, Asthma & Sleep Specialists (FLASS) FL Healthcare Provider 10,000 Hacking incident

The above list could grow as data breach investigations conclude. The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report a data breach within 60 days of discovery, and when that deadline is reached, data breach investigations may not have concluded. In such cases, many regulated entities submit a breach report with a placeholder figure of 500 or 501 affected individuals as an interim total. In July, five regulated entities reported data breaches using a 500 or 501 figure.

Name of Regulated Entity State Entity Type Breach Size Cause of Breach
Kettering Adventist Healthcare OH Healthcare Provider 501 Hacking/IT Incident (Network server)
Human Development Services of Westchester NY Healthcare Provider 501 Hacking/IT Incident (Email)
Naper Grove Vision Care IL Healthcare Provider 501 Hacking/IT Incident (Network server)
Doctors’ Memorial Hospital FL Healthcare Provider 500 Hacking/IT Incident (Network server)
Northwest Medical Homes, LLC OR Healthcare Provider 500 Hacking/IT Incident (Network server)

Causes of July 2025 Healthcare Data Breaches

Hacking is now the leading cause of data breaches, with July seeing 83.3% of incidents involving hacking or other IT-related issues. On average, 109,620 individuals were affected by these types of data breaches (median: 5,137 individuals).  Hacking/IT incidents accounted for 99.7% of breached healthcare records in July (4,384,794 individuals).

causes of July 2025 healthcare data breaches

There were 8 unauthorized access/disclosure incidents in July, affecting just 13,638 individuals. The average breach size was 1,638 individuals, and the median breach size was 892 individuals. There were no theft incidents, loss incidents, or improper disposal incidents in July, as was the case in June 2025. The most common location of breached protected health information was network servers, followed by email accounts, with just 6 breaches involving protected health information stored in other locations.

Location of breached healthcare data - July 2025

Affected HIPAA Regulated Entities

In July, large data breaches were reported by 37 healthcare providers (3,700,390 affected individuals), 10 business associates (696,727 affected individuals), and one health plan (783 affected individuals). Under HIPAA, it is ultimately the responsibility of each covered entity to ensure the requirements of the HIPAA Breach Notification Rule are met, and some covered entities report breaches that occur at business associates. Many healthcare data breach reports are based on the reporting entity, rather than the entity that suffered the data breach. The charts below show where the breach occurred rather than the entity reporting the data breach.

Data breaches at HIPAA-regulated entities in July 2025

Individuals affected by healthcare data breaches at HIPAA-regulated entities - July 2025

Geographical Distribution of July 2025 Healthcare Data Breaches

HIPAA-regulated entities in 22 U.S. states reported data breaches in July. Florida was the worst-affected state with 9 entities reporting data breaches, although three of those reports were about the same incident, which affected multiple skilled nursing facilities. Texas was the second-worst affected state with 4 data breaches, followed by California, Massachusetts & Michigan, which each had three breaches.

State Individuals Affected
Florida 9
Texas 4
California, Massachusetts & Michigan 3
Georgia, Illinois, New York, Ohio, South Carolina, Virginia & Washington 2
Colorado, Connecticut, Louisiana, Maryland, North Carolina, Pennsylvania, Rhode Island, Tennessee, Wisconsin & West Virginia 1

In terms of affected individuals, Maryland topped the list with 1,905,000 individuals affected by a single data breach, followed by Virginia with 1,421,658 individuals affected by two data breaches. Florida was the third-worst-affected state, with 328,471 individuals affected by its 9 data breaches.

HIPAA Enforcement Activity in July 2025

It has been a busy year of HIPAA enforcement, with 18 settlements and civil monetary penalties announced by OCR up to July 31, 2025. Based on the announcements so far, 2025 looks set to be a record-breaking year for HIPAA penalties.

In October 2024, OCR announced a new enforcement initiative looking at compliance with the risk analysis provision of the HIPAA Security Rule. OCR has targeted this HIPAA provision as it is the most commonly identified HIPAA Security Rule violation, and is a foundational requirement that arguably has the biggest impact on security posture. Two enforcement actions were announced in July, both of which resolved risk analysis failures.

Deer Oaks – The Behavioral Health Solution was investigated over an August 2023 ransomware attack that involved the exfiltration of files containing the protected health information of 171,871 individuals. OCR determined that there had been an impermissible disclosure of patients’ electronic protected health information, and Deer Oaks was unable to provide evidence to show that a thorough and accurate risk analysis had been conducted. The case was settled with a $225,000 penalty and a corrective action plan.

Syracuse ASC (Specialty Surgery Center of Central New York) was investigated over a 2021 ransomware attack that exposed the data of 24,891 current and former patients. Syracuse ASC was unable to provide evidence to show that it had ever conducted a risk analysis to identify risks and vulnerabilities to protected health information. Further, the data breach was identified on March 31, 2021, but OCR and the affected individuals were not notified for six and a half months, four and a half months later than the maximum reporting time under the HIPAA Breach Notification Rule. The case was settled with a $250,000 financial penalty and a corrective action plan. Across the 18 HIPAA penalties in 2025, OCR has collected $7,860,566 to resolve alleged violations of the HIPAA Rules.

The post July 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation

Posted by Steve Alder

A New York business associate has chosen to settle an alleged violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and will pay a $175,000 financial penalty.

BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm that has clients in the healthcare industry. The provision of services to HIPAA-covered entities requires access to financial information, which includes information protected under HIPAA. As such, BST & Co. CPAs is classed as a business associate and is required to comply with the HIPAA Rules.

OCR launched an investigation following a report of a breach of protected health information in a ransomware attack. The Maze ransomware group had access to the BST & Co. CPAs network between December 4, 2019, and December 7, 2019, and installed ransomware that was used to encrypt files. The attack was detected on December 7, 2019, and the forensic investigation revealed that initial access was achieved following a response to a phishing email.

The ransomware group had access to parts of the network where protected health information was stored. In total, the protected health information of up to 170,000 individuals was potentially compromised in the attack, including names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions relating to patients of the New York medical group, Community Care Physicians P.C. OCR was notified about the attack and data breach on February 16, 2020.

OCR investigates all data breaches impacting 500 or more individuals to determine if noncompliance with the HIPAA Rules was a factor in the data breach. OCR found no evidence to suggest that a HIPAA-compliant risk analysis had been conducted. The risk analysis is a foundational provision of the HIPAA Security Rule and requires regulated entities to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. If the risk analysis is not conducted or is incomplete, risks are likely to remain unaddressed and can be exploited to gain access to protected networks and sensitive data.

OCR currently has a risk analysis enforcement initiative focused on this important Security Rule provision, as while it is one of the most important HIPAA provisions, it is also one of the most common areas of noncompliance. Under this specific enforcement initiative, OCR has resolved ten cases with a financial penalty. So far this year, OCR has announced nineteen enforcement actions that included a financial penalty to resolve HIPAA noncompliance. Sixteen of those investigations uncovered risk analysis failures.

“A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it,” said OCR Director Paula M. Stannard.  “Completing an accurate and thorough risk analysis that informs a risk management plan is a foundational step to mitigate or prevent cyberattacks and breaches.”

In addition to the financial penalty, BST & Co. CPAs has agreed to adopt a corrective action plan and will be monitored for compliance with that plan for 2 years. The plan includes the requirement to conduct a comprehensive and accurate risk analysis and develop and implement a risk management plan to address all identified risks and vulnerabilities. BST & Co. CPAs must also develop, implement, and maintain policies and procedures to ensure HIPAA compliance, distribute those policies and procedures to the workforce, provide HIPAA training to the workforce, and augment its security awareness training program.

With nineteen HIPAA enforcement actions announced by OCR so far this year, 2025 looks set to become the most active year for OCR in terms of HIPAA enforcement. These penalties send a message to all HIPAA-regulated entities about the importance of HIPAA compliance. Across those nineteen enforcement actions, OCR has collected more than $8 million in financial penalties.

OCR penalties for HIPAA violations 2009-2025

The post New York Business Associate Pays $175,000 to Resolve HIPAA Risk Analysis Violation appeared first on The HIPAA Journal.

Healthplex Settles Alleged Cybersecurity Failures with NYDFS for $2 Million

Posted by Steve Alder

Healthplex, one of the largest providers of dental health insurance programs in New York State, has agreed to a settlement with the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). Healthplex has agreed to pay a $2 million financial penalty to New York State and take steps to improve its cybersecurity posture.

The Cybersecurity Regulation took effect in 2017 and requires all financial institutions operating in New York State to implement and maintain a robust cybersecurity program. Some of the key requirements include conducting risk assessments, managing risks, and implementing security policies and procedures, an incident response plan, and multifactor authentication.

Healthplex is a licensed provider of dental insurance management services and must therefore comply with the Cybersecurity Regulation. NYDFS launched a compliance investigation after Healthplex reported a cybersecurity event to NYDFS on April 8, 2022. Healthplex discovered the incident on November 24, 2021, when employees received a suspicious email from an account associate’s account and reported it internally to the security team.

The investigation confirmed that an account associate in customer service had responded to a phishing email that was received on November 22 or 23, 2021. The email required Office 365 email login credentials to be provided to receive a fax message. The credentials were captured, and the threat actor accessed the Office 365 account. The account was used to send further phishing emails, and it was found to contain the protected health information of 89,955 individuals.

The NYDFS investigation revealed that there was no data retention policy limiting the information stored in email accounts, in violation of § 500.13 of the Cybersecurity Regulation. The employee had worked for the company for approximately 20 years, and their account contained more than 100,000 emails. Further, multifactor authentication (MFA) had not been set up for its Office 365 email environment, so a compromised password was all that was required to access the account and the sensitive and nonpublic data of tens of thousands of individuals.

Healthplex had implemented MFA for its email environment; however, it failed to ensure that MFA was completely operational when it migrated to Office 365 earlier in the year. With the password obtained in the phishing attack, the entire contents of the account could be accessed via a standard web browser. § 500.12(b) of the Cybersecurity Regulation requires MFA to be implemented for remote access to the covered entity’s information systems and third-party applications.

The required cybersecurity program must ensure that a covered entity is able to report cybersecurity events promptly. The Superintendent must be notified within 72 hours of the discovery of a cybersecurity event. While the event was detected on November 24, 2021, the Superintendent was not notified until April 8, 2022, in violation of § 500.17(a) of the Cybersecurity Regulation.  Healthplex had certified that it was compliant with the Cybersecurity Regulation for 2021, but the investigation confirmed that not to be the case, in violation of § 500.17(b). The lack of policies for secure disposal of data on a periodic basis was in violation of § 500.13 of the Cybersecurity Regulation.

In addition to the financial penalty, Healthplex has agreed to strengthen its cybersecurity controls to ensure compliance with the Cybersecurity Regulation and will hire an independent third-party auditor to conduct a current audit of the MFA controls of its business infrastructure and shared systems that support its core business functions.

This is not the first financial penalty for Healthplex over the phishing incident. In 2023, Healthplex settled an investigation with the New York Attorney General and paid a financial penalty of $400,000 to resolve alleged violations of HIPAA and state data security and consumer protection laws.

The post Healthplex Settles Alleged Cybersecurity Failures with NYDFS for $2 Million appeared first on The HIPAA Journal.

Crisis Pregnancy Centers’ Websites Edited After Scrutiny of HIPAA Claims

Posted by Steve Alder

Back in February, The HIPAA Journal reported on the efforts of the non-profit watchdog organizations the Campaign for Accountability and the Electronic Frontier Foundation (EFF) to prevent crisis pregnancy centers (CPCs) from claiming or implying they are bound by the Health Insurance Portability and Accountability Act (HIPAA) on their websites and intake forms, when they are not HIPAA-regulated entities.

Most CPCs are not licensed healthcare providers and are therefore not bound by the HIPAA Rules, yet CPCs have been identified by the Campaign for Accountability and EFF that imply that they are bound by the HIPAA Rules. Regardless of personal opinions about abortion procedures and reproductive healthcare, implying that personal data is protected by HIPAA when it is not is a deceptive business practice.

Under HIPAA, regulated entities are healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities, and all are required to comply with the HIPAA Rules. One of the requirements of HIPAA is to have a notice of privacy practices, which should be displayed in a prominent position in a physical location and be published on the entity’s website. The notice of privacy practices must clearly state how the entity may use and share health information, individuals’ privacy rights, and how to make a complaint about a potential privacy violation, including the right to file a complaint with the Department of Health and Human Services (HHS).

Investigations by the watchdogs identified CPCs that have a website notice of privacy practices, which indicates compliance with the HIPAA Rules. Some even state in their notice of privacy practices that individuals can file a complaint with the HHS if they feel their privacy has been violated. While anyone can file a complaint with the HHS about a potential HIPAA violation, the HHS will not act on any complaint if it is filed against a non-HIPAA-regulated entity. While a CPC may comply with its published privacy policy, uses and disclosures of personally identifiable health information are not subject to HIPAA protections, and implying or stating that information is protected under HIPAA misleads consumers about privacy protections.

Both the Campaign for Accountability and the Electronic Frontier Foundation filed complaints with several state attorneys general about the alleged deceptive business practices. In 2024, the Campaign for Accountability filed complaints with the state attorneys general in Idaho, Minnesota, Washington, Pennsylvania, and New Jersey, and this year, EFF filed complaints with the state attorneys general in Arkansas, Missouri, Texas, and Florida. The complaints included examples of CPCs in the respective states that were alleged to have engaged in deceptive business practices.

The complaints include numerous statements from CPC websites indicating HIPAA compliance, when those entities are not bound by the HIPAA Rules. For example, some CPCs state “client information is held in strict and absolute confidence, according to HIPAA guidelines,” or that they are subject to oversight by the HHS’ Office for Civil Rights, or that their forms are HIPAA-compliant. In one case, a CPC claimed, “If you receive services through [CPC], federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also protects your health information.” In each case, the CPC is not a HIPAA-regulated entity.

In a recent update, the EFF confirmed that its efforts are showing some signs of success. While substantive responses have not been received from state attorneys general, other than confirmations that the complaints have been received, some CPCs have responded and have made changes to their messaging. “Of the 21 CPCs we cited as exhibits in our complaints, six have completely removed HIPAA references from their websites, and one has made partial changes (removed one of two misleading claims). Notably, every center we flagged in our letters to Texas AG Ken Paxton and Arkansas AG Tim Griffin has updated its website—a clear sign that clinics in these states are responding to scrutiny,” said EFF legislative activist, Rindala Alajaji. “While 14 remain unchanged, this is a promising development. These centers are clearly paying attention—and changing their messaging.”

The post Crisis Pregnancy Centers’ Websites Edited After Scrutiny of HIPAA Claims appeared first on The HIPAA Journal.

Washington Children’s Hospital Fires 15 Nurses for Alleged HIPAA Violations

Posted by Steve Alder

Fifteen nurses at Providence Sacred Heart Medical Center & Children’s Hospital in Spokane, Washington, have been terminated for alleged HIPAA violations. The nurses allegedly accessed the medical records of a 12-year-old patient who committed suicide at the children’s hospital on April 13, 2024, when there was no direct treatment relationship.

Starting in early 2024, the patient had been repeatedly admitted to the emergency department of the hospital after several self-harm incidents and attempts to end her own life. Overnight on April 13, 2024, the patient left her room alone and died after jumping off a 4th-floor parking garage. The hospital launched an investigation and has implemented new security protocols, including suicide risk screening for all patients.

Providence Sacred Heart Medical Center is being sued by the child’s parents for alleged negligence and medical malpractice, as while she was being monitored round the clock by a sitter assigned to her room and via video surveillance, those measures were removed on April 13, 2024, according to the lawsuit. The Washington Department of Health launched an investigation, which is ongoing, and has identified deficiencies that Providence Sacred Heart is addressing.

Fifteen nurses have now been terminated in connection with the incident, and another has been disciplined. Under HIPAA, medical records can generally only be accessed for reasons related to treatment, payment, or healthcare operations. Accessing medical records out of curiosity, even with no malicious intent, is a HIPAA violation. Staff members found to have violated HIPAA face sanctions, which for unauthorized medical record access is often termination.

According to a statement provided to The Spokesman-Review, the terminations were all for patient privacy violations, in accordance with the hospital’s sanctions policy. “Providence takes violations of our code of conduct and federal privacy laws that govern private health information very seriously,” said Providence Sacred Heart spokesperson, Jen York. “We review employee conduct and take appropriate action, including termination of employment, where warranted. Patient privacy is one of our top priorities.”

The Washington State Nurses Association was contacted by the nurses and has filed grievances over the terminations and disciplinary action. “Any information accessed pertained directly to the nurses’ duties responding to this crisis,” said WSNA director David Keepnews. “We reject Providence Sacred Heart’s claims that privacy was violated by nurses who were doing their jobs to assist in efforts to save the life of a 12-year-old girl in the hospital’s care.”

The nurses and WSNA suggest that the terminations and disciplinary action were an act of retaliation for speaking with the media. The hospital allegedly conducted an audit of access logs after the publication of a story by InvestigateWest about the suicide. The story included quotes from anonymous sources at the hospital. The nurses claim they were asked if they had spoken to the media and were subsequently fired.

The post Washington Children’s Hospital Fires 15 Nurses for Alleged HIPAA Violations appeared first on The HIPAA Journal.