HIPAA Compliance News

58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price

Posted by Steve Alder

A recent study exploring insider cybersecurity threats revealed that a majority of college students would be willing to violate the HIPAA Rules and steal and disclose patient data if they were paid to do so, provided the price was right. The amount of money required ranged from less than $10,000 to more than $10 million. The study was conducted by Lawrence Sanders, professor emeritus, University of Buffalo, Department of Management Science and Systems, and colleagues at the School of Management, and builds on a 2020 study that explored the price of healthcare privacy violations.

The 2020 study, published in JMIR Medical Informatics, was conducted on 523 students (average age of 21) who were about to enter the workforce. The respondents were asked to imagine that they had been employed by a hospital, and were given five scenarios in which they were asked if they would illegally obtain and disclose sensitive health information. 46% of respondents admitted that they would violate HIPAA and patient privacy if the price was right. In one of the scenarios, study participants were asked if they would obtain and disclose a politician’s medical records in exchange for $100,000, if the money was needed to pay for an experimental treatment for their mother that insurance wouldn’t cover. 79% of respondents said they would.

The follow-up study, which focused on cybersecurity insiders, was conducted on 500 undergraduate college students in technology-related programs, who represented future IT workers in the healthcare industry. They were asked to imagine they had been employed by a hospital, were being paid between $30,000 and $100,000, and were under financial stress and had been approached and asked to obtain and leak information about a famous patient at the hospital.

They were informed about HIPAA and how the federal law prohibited unauthorized access and disclosure of protected health information, yet 58% said they would violate HIPAA in exchange for payment. The amount of money required was less than $10,000 in some cases, and whether they would be tempted – and the amount required – varied depending on the employee’s salary leveland the perceived probability of being caught. The higher the employee’s salary, the more money was required to violate HIPAA and steal data. Individuals who had an interest in ethical hacking generally required less money to violate HIPAA, as was the case with individuals with an interest in unethical hacking, if they were assured that they would not be caught.

The study highlights the risk of insider data breaches and the importance of training on the HIPAA Privacy Rule requirements and the consequences of HIPAA violations, making it clear to all workers that if violations are discovered, the consequences of HIPAA violations can be severe.

“As cyberattacks and data breaches continue to rise, particularly in health care and other data-intensive sectors, our findings underscore the need for organizations to address the human and economic dimensions of cybersecurity alongside traditional technical controls,” said Professor Sanders. “Promoting awareness and education can discourage people from engaging in cybercrime by highlighting the negative consequences and risks associated with it. Initiatives that promote economic opportunity, social inclusion, cybersecurity literacy and a more secure digital environment are part of the solution.”

The post 58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price appeared first on The HIPAA Journal.

OCR Advises HIPAA-Regulated Entities to Take Steps to Harden System Security

Posted by Steve Alder

In the first of its 2026 quarterly cybersecurity newsletters, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) urged HIPAA-regulated entities to take steps to harden system security and make it more difficult for hackers to gain access to their networks and sensitive patient and health plan member data.

The HIPAA Security Rule requires HIPAA-regulated entities to ensure the confidentiality, integrity, and availability of electronic protected health information that the regulated entity creates, receives, maintains, or transmits, which must include identifying risks and vulnerabilities to ePHI and taking timely action to reduce those risks and vulnerabilities to a low and acceptable level. OCR Director Paula Stannard has already stated this year that OCR will be looking closely at HIPAA Security Rule compliance. OCR will continue with its risk analysis enforcement initiative, which will evolve to include risk management to ensure that regulated entities are taking prompt action to reduce risks and vulnerabilities to ePHI identified by their risk analyses.

OCR explained in the newsletter that risks can be reduced by creating a set of standardized security controls and settings for different types of electronic information systems, addressing security weaknesses and vulnerabilities, and customizing electronic information systems to reduce the attack surface.

OCR reminded medical device manufacturers that they have an obligation to ensure that their devices include accurate labelling to allow users to take steps to ensure the security of the devices throughout the product lifecycle, and the importance of following Food and Drug Administration (FDA) guidance on security risk management, security architecture, and security testing. Healthcare providers need to read the labelling on their devices carefully and ensure they understand how the devices should be configured to remain safe and effective through the entire product lifecycle.

OCR highlighted three key areas for hardening system security, all of which are vital for HIPAA Security Rule compliance. Threat actors search for known vulnerabilities that can be exploited to gain a foothold in a network, including vulnerabilities in operating systems, software, and device firmware. Whether the device is brand new or has been in use for some time, patches must be applied to fix known vulnerabilities. It may not be possible to patch vulnerabilities as soon as they are discovered; however, other remedial actions should be taken, as recommended by vendors, to reduce the risk of exploitation until patches are released and can be applied. A comprehensive and accurate IT asset inventory should be maintained, and policies and procedures developed and implemented to ensure a good patching cadence for all operating systems, software, and devices.

All organizations should take steps to reduce the attack surface by removing unnecessary software and devices, including software and devices that are no longer used, software features included in operating systems that serve no purpose for the regulated entity, and generic and service accounts created during the installation process. Accounts created during installation may have default passwords, which must be changed. OCR explained that in many of its investigations, accounts have been found for well-known databases, networking software, and anti-malware solutions that still have default passwords that provide privileged access.

Many cyberattacks occur as a result of misconfigurations. HIPAA-regulated entities must ensure security measures are installed, enabled, and properly configured. “Security measures often found in operating systems, as well as some other software, intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as, for example, access controls, encryption, audit controls, and authentication,” explained OCR. “A regulated entity’s risk analysis and risk management plan can inform its decisions regarding the implementation of these and other security measures.”

As OCR will be scrutinizing risk management and has advised regulated entities of their responsibilities to harden system security, all regulated entities should ensure they take the advice on board. “Defining, creating, and applying system hardening techniques is not a one-and-done exercise,” explained OCR. “Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time,” and is essential for HIPAA Security Rule compliance.

The post OCR Advises HIPAA-Regulated Entities to Take Steps to Harden System Security appeared first on The HIPAA Journal.

Is Saying Someone Died a HIPAA Violation?

Posted by Steve Alder

In answer to the question is saying someone died a HIPAA violation, it depends on who is making the statement, who the statement is made to, and what other information is disclosed with the statement. Saying someone died can be a HIPAA violation, but – as this blog discusses – in most cases it is not.

Among other purposes, the HIPAA Privacy Rule protects the privacy of individually identifiable health information relating to the past, present, or future health condition of an individual. Organizations subject to the HIPAA Privacy Rule – and their workforces – must comply with this requirement with respect to a deceased individual “for a period of 50 years following the death of the individual”.

However, not all organizations are subject to the HIPAA Privacy Rule. If, for example, an employee of a private nursing home which does not qualify as a HIPAA “covered entity” revealed somebody had died, it is not a HIPAA violation because the nursing home is not required to protect the privacy of individually identifiable health information (Note: although this might not be a violation of HIPAA, disclosing private information of this nature may violate state privacy laws in some circumstances).

Even when an organization is subject to the HIPAA Privacy Rule, it is not automatically the case that saying someone died is a HIPAA violation. “Covered entities” are permitted to disclose individually identifiable health information to specific people, subject to the disclosure being limited to the minimum necessary to achieve the purpose of the disclosure, and subject to any prior expressed wish of the deceased relating to what information can be disclosed. Healthcare providers should receive HIPAA training on permitted disclosures of this nature.

Who Can Be Told Someone Has Died Under HIPAA?

The HIPAA Privacy Rule stipulates who can be told when someone has died in sections §164.510(b) and §164.512(g). The first section allows covered entities to disclose information about deceased individuals to family members, other relatives, close personal friends, or any other individual identified by the deceased individual while they were alive. All disclosures to people in this group are subject to the verification requirements of §164.514(h).

Persons or entities that were involved in the deceased person´s care or payment for health care can also be told the patient has died under §164.510(b), while §164.512(g) permits covered entities to disclose individually identifiable health information to a coroner or medical examiner to identify the deceased person, determine the cause of death, or other duty as authorized by law. Under this section, covered entities can also tell funeral directors somebody has died.

In all permitted circumstances, the information disclosed must be the minimum necessary to achieve the purpose of the disclosure, and must respect any wishes known by the covered entity prior to the patient’s death. If a patient died (say) due to injuries sustained in a road accident, but also suffered from a lung condition, covered entities are not permitted to disclose the lung condition or any other related treatment or payment for the treatment.

When is Saying Someone Died a HIPAA Violation?

There are not many circumstances when saying someone died is a HIPAA violation and usually violations of this nature only occur when a member of a covered entity’s workforce:

  • Discloses information to somebody not permitted by the HIPAA Privacy Rule,
  • Discloses more than the minimum necessary information about the deceased, or
  • Discloses information it is known the deceased did not want disclosed.

However, it is important to note the HIPAA Privacy Rule generally applies to a deceased person’s health information in the same way as a living person’s health information. In the same way as an individual’s “personal representative” can authorize disclosures of health information not permitted by the HIPAA Privacy Rule on the individual’s behalf when they are alive, a personal representative can do the same when the individual is deceased.

In most states, a deceased individual’s “personal representative” is the next of kin. If the next of kin authorizes a disclosure to somebody not permitted by the HIPAA Privacy Rule, a disclosure of more than the minimum necessary information, or a disclosure of information the deceased did not want disclosed, these events are no longer HIPAA compliance violations. If you are still uncertain about when is saying someone died a HIPAA violation, you should seek professional compliance advice.

The post Is Saying Someone Died a HIPAA Violation? appeared first on The HIPAA Journal.

Final Rule Implementing Proposed HIPAA Privacy Rule Changes Edges Closer

Posted by Steve Alder

In January 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a proposed update to the HIPAA Privacy Rule – Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement.

The purpose of the update is to revise the HIPAA Privacy Rule to strengthen individuals’ rights to access their own health information, improve care coordination, and reduce the compliance burden on healthcare providers and health plans, while continuing to protect the privacy of patients. Under the Biden administration, the proposed update did not appear to be a priority for the HHS, and there have been no signs during the first year of the new Trump administration that a final rule is any closer to being published; however, that changed on January 14, 2026, when OCR Director Paula M. Stannard published a notification of Tribal consultation on the 2021 Rule in the Federal Register.

It has been five years since the proposed update to the HIPAA Privacy Rule was published in the Federal Register, and while there has been little mention of the proposed update over the past half-decade, a final rule appears to be close to publication. Ahead of the final rule, a Tribal consultation meeting will be held virtually via Zoom on February 6, 2026, pursuant to Executive Order 13175 and the HHS Tribal Consultation Policy.

The consultation will cover several different topics, with OCR seeking feedback on the proposed changes to strengthen individuals’ rights to their own health information; the measures proposed to improve care coordination and case management; the enhanced flexibilities for disclosures of patient information in emergencies and threatening circumstances; the support for the use of telecommunications relay services by individuals and workforce members who are deaf, hard of hearing, deaf-blind, or who have a speech disability;  and the expanded permission to use and disclose the PHI of Armed Forces service personnel for national readiness purposes.

While the Tribal consultation is a sign of progress toward a final rule implementing some or all of the proposed changes, there are no indications at present when the final rule will be published. When and if that time comes, HIPAA-regulated entities will be given sufficient time to update their policies, procedures, and practices and provide training to the workforce on the new Privacy Rule requirements before OCR starts enforcement.

In the meantime, OCR has indicated that it is continuing with its enforcement initiatives targeting the HIPAA Right of Access provision of the HIPAA Privacy Rule, parental access to the medical records of minor children, and the risk analysis provision of the HIPAA Security Rule, and an expansion of that program to cover risk management. OCR has also indicated that a new enforcement initiative will soon be launched for the confidentiality of substance use disorder treatment records, pursuant to the recent changes to the Part 2 regulations to align them more closely with HIPAA.

The post Final Rule Implementing Proposed HIPAA Privacy Rule Changes Edges Closer appeared first on The HIPAA Journal.

Texas Attorney General Dismisses Complaint Against HHS Seeking Vacatur of HHS Final Rules

Posted by Steve Alder

Texas Attorney General Ken Paxton has filed a joint stipulation of dismissal without prejudice, seeking to dismiss all claims in a September 2024 complaint against the U.S. Department of Health and Human Services (HHS), former HHS Secretary Xavier Becerra, and former Office for Civil Rights (OCR) Director Melanie Fontes Rainer. On November 24, 2025, the court granted Paxton’s request and dismissed the lawsuit.

The complaint was filed in response to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule issued by the Biden Administration and added to the Federal Register in April 2024. The complaint sought declaratory and injunctive relief against the enforcement of the rule by the HHS, and to vacate another final rule, the HIPAA Privacy Rule of 2000. AG Paxton alleged that the HHS had overstepped its authority when issuing both final rules.

The decision to dismiss the lawsuit was likely influenced by a ruling in a separate lawsuit, filed in Texas last year by Dr. Carmen Purl, who runs Dr. Purl’s Fast Care Walk-in Clinic in Dumas, Texas. The lawsuit, Carmen Purl, et al., v. United States Department of Health and Human Services et al, was filed in the U.S. District Court for the Northern District of Texas, Amarillo Division, also in response to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule.

The reproductive healthcare final rule was issued by the Biden administration as part of its response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization in 2022 that overturned Roe v. Wade, which for 50 years had protected the right to abortion prior to the point of fetal viability. With Roe v. Wade overturned, the legality of abortion became a state rather than federal matter, and almost half of U.S. states subsequently passed laws banning or restricting abortions.

The final rule created a new subclass of protected health information, reproductive health information, restricting disclosures of that information to government authorities and law enforcement. The final rule effectively prevented states from obtaining reproductive health information to hold individuals and healthcare providers liable under state law for abortions obtained legally out of state.

Purl alleged that the final rule was arbitrary and capricious and exceeded the HHS’s statutory authority, claiming the final rule impaired the clinic’s ability to participate in public health investigations and comply with state law that requires suspected child abuse to be reported. The lawsuit was successful, with the court dismissing the defendants’ motion to dismiss and vacating most of the modifications to the HIPAA Privacy Rule, which were deemed unlawful for distinguishing between different types of health information to accomplish political ends. The Notice of Privacy Practices requirements for healthcare providers covered by the Part 2 regulations relating to substance use disorder were not vacated. While the lawsuit originated in the state of Texas, the ruling had nationwide effect. The HHS chose not to appeal the decision.

The court’s decision to vacate the Reproductive Healthcare Privacy Final Rule achieved some of the main goals of AG Paxton’s complaint, which likely played a key role in the decision to seek dismissal of the complaint. Since the complaint was dismissed without prejudice, AG Paxton retains the right to refile the same complaint in the future, should he so wish.

The decision to dismiss the complaint is good news for Americans, as the HIPAA Privacy Rule ensures that their personally identifiable health information is protected and can only be used for reasons related to treatment, payment for healthcare, and healthcare operations without their express consent. The HIPAA Privacy Rule also gave patients rights over their health information, allowing them to obtain a copy of their health data, request errors be corrected, ask for restrictions on disclosures, and be provided with an accounting of disclosures of their PHI to learn who has been provided with their health information.

The post Texas Attorney General Dismisses Complaint Against HHS Seeking Vacatur of HHS Final Rules appeared first on The HIPAA Journal.

OCR Requests HIPAA Risk Management Questions for Upcoming Video Presentation

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is working on a video presentation to explain the requirements of the risk management process of the HIPAA Security Rule and has requested risk management questions from HIPAA-regulated entities.

The risk analysis is a foundational element of the HIPAA Security Rule that requires risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) to be identified. OCR frequently identifies risk analysis failures in its investigations of data breaches, complaints, and through its HIPAA compliance audit program, including incomplete and nonexistent risk analyses. It is the most commonly identified HIPAA Security Rule violation, and a frequent reason for imposing a financial penalty.

OCR has released guidance to help HIPAA-regulated entities conduct a risk analysis, and a downloadable risk assessment tool for small- and medium-sized regulated entities to guide them through the process. After conducting a risk analysis, all identified risks and vulnerabilities to ePHI must be subjected to a risk management process, detailed in § 164.308(a)(1)(ii)(B) of the administrative safeguards of the HIPAA Security Rule. Risk management is defined as “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [Security Standards: General Rules].”

Two of OCR’s enforcement actions this year included penalties for risk management failures – the $3,000,000 penalty for Solara Medical Supplies and the $1,500,000 Warby Parker, Inc. HIPAA violation penalty. To clear up any potential confusion about the risk management process, OCR is producing a video presentation – HHS’ OCR Presents: The HIPAA Security Rule: Risk Management.

Nick Heesters, OCR’s Senior Advisor for Cybersecurity, will be covering various aspects of the risk management provision of the HIPAA Security Rule in the presentation. Heesters will flesh out what is required in terms of risk management, the use of cybersecurity resources, and he will provide insights into OCR’s investigations into potential risk management HIPAA violations.

Since this will be a pre-recorded video presentation rather than a live webinar, OCR has requested questions from HIPAA-regulated entities about the risk management requirement of the HIPAA Security Rule, a selection of which will be answered during the presentation. If you have any questions related to risk management, this is an ideal opportunity to get the answers you seek. Questions should be submitted to OCR no later than  December 8, 2025, via email at OCRPresents@hhs.gov

The post OCR Requests HIPAA Risk Management Questions for Upcoming Video Presentation appeared first on The HIPAA Journal.

More Than CMIA and HIPAA: Which Medical Privacy Regulations Apply to You in California?

Posted by PJ Murray

The Confidentiality of Medical Information Act (CMIA) is just one of several state laws and regulations that apply to medical privacy in California and influence how staff handle patient information. Alongside HIPAA and CMIA, healthcare organizations may also have to comply with the Patient Access to Health Records Act (PAHRA), Medi-Cal confidentiality rules, California’s Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA), state rules governing artificial intelligence in healthcare (including CCPA’s automated decision-making regulations), and SB81 on patient access and protection. Together, these laws help explain why privacy and security policies in California can look different from those in other states. 

HIPAA was designed to create a national “floor” of privacy and security standards, but in California that floor is only the starting point. When state law gives patients more rights or stronger protections than HIPAA does in a particular area, the California law takes precedence for that issue, while HIPAA still applies in the background. As a result, California providers often have to reconcile multiple overlapping rules when deciding how to use, disclose, and protect health information.

CMIA is the core California medical privacy statute. It applies broadly to providers, plans, contractors, and many consumer-facing digital health apps when they store or process identifiable medical information. CMIA tightly limits when information can be used or disclosed without authorization, adds extra protections for sensitive services, and requires safeguards for electronic information. A key difference from HIPAA is CMIA’s private right of action, which allows patients to sue for negligent, unauthorized disclosures, even when there was no intent to cause harm. That is a major reason California organizations stress strict access control, “need-to-know” use of records, and zero tolerance for snooping or gossip.

PAHRA strengthens and accelerates patient access rights beyond HIPAA. California providers generally must acknowledge or respond to access requests within a few days and provide copies within a much shorter deadline than HIPAA’s. Patients can also submit an addendum to correct or clarify their records, and that addendum must be attached with future relevant disclosures. PAHRA and CMIA together also limit parental access to minors’ sensitive records when the minor has the right to consent to care, so staff must pay close attention to who is entitled to see what.

Other important laws fill gaps that HIPAA and CMIA do not fully cover. Medi-Cal regulations protect beneficiary information, including social and economic data used for eligibility and benefits, and restrict its use mainly to treatment, billing, and program administration. CCPA/CPRA applies to eligible businesses for personal information that is not PHI or CMIA “medical information,” such as website tracking data, marketing lists, and some HR records. CCPA/CPRA also gives consumers rights to know, correct, and in some cases delete data. California also regulates the use of AI in healthcare through a mix of privacy, consumer, and professional rules that emphasize transparency, security, and maintaining human clinical judgment. In practice, these rules often appear as internal policies: which AI tools may be used, what kind of data may be entered, how outputs must be reviewed, and when patients must be informed.

SB81, California’s Patient Access and Protection law, adds targeted protections for immigration-related information. It treats a patient’s place of birth and immigration status as protected medical information and prohibits disclosures for immigration enforcement without a valid authorization or court order. It also requires healthcare organizations, including public college health centers, to establish “safe” non-public areas where patients can receive care without fear of immigration agents entering unless they have proper legal authority. This law shapes how front desks, security, and clinical teams respond to requests from law enforcement and why staff should receive specific training on these scenarios.

Because all these laws overlap, California healthcare organizations usually design their policies around the most protective rule that applies. CMIA is central, but real-world privacy practice is also shaped by PAHRA, Medi-Cal rules, CCPA/CPRA, AI-related requirements, and SB81. For healthcare staff and students, the safest approach is to follow their organization’s written policies, complete required training, and ask their privacy or compliance team whenever they are unsure. This overview is for training and general information, not legal advice, but it highlights why CMIA is just one piece of a much larger California privacy framework.

The post More Than CMIA and HIPAA: Which Medical Privacy Regulations Apply to You in California? appeared first on The HIPAA Journal.

Healthcare’s Reliance on Outdated IT Putting Patient Safety and Cybersecurity at Risk

Posted by Steve Alder

Outdated systems are causing healthcare professionals to lose hours each week, impacting patient care, organizational performance, efficiency, and security, according to a new report from the technology services and solution provider Presidio.

The report is based on a survey of more than 1,000 frontline healthcare professionals in the United States, the United Kingdom, and Ireland. Almost all respondents (98%) said inefficient technologies are causing patient care and safety issues, including delays or errors in patient care, and 89% said those issues are a regular occurrence, with 24% reporting that these incidents occur at least once per shift. On average, the respondents experienced 11 such incidents a month.

Healthcare employees are using legacy software and outdated devices that do not support efficient working practices. Some of the main problems associated with outdated systems were latency issues with EHR systems, disconnected and fragmented platforms, and a lack of mobile access. Due to inefficiencies, almost one-quarter of respondents (23%) said they often resort to workarounds to get the job done, even for basic tasks. That creates significant compliance and security risks, as patient data may be handled outside of approved systems, such as unapproved apps. The use of shadow IT creates blind spots for compliance teams and IT departments. Further, the shadow IT tools may not be HIPAA compliant, lacking key security safeguards.

Some of the main problems reported by the respondents were systems that do not easily share data with other systems (23%), reliance on multiple workarounds to complete basic tasks (23%), technologies in use that act as a barrier to safe and timely care (23%), insufficient staff or budgets to modernize systems (23%), and dependence on outdated and legacy systems (23%).

Healthcare professionals in the United States are more likely than their European counterparts to have modern systems, with 36% of UK healthcare professionals saying they have modern systems, and just 2% in Ireland. In the United States, 63% of respondents said they used modern and effective systems, but that leaves 37% who do not.

When technology fails or data cannot be accessed, patient care suffers. 95% of respondents said patient care was negatively affected by system problems and data access issues, and those issues occur regularly, with 27% of U.S. respondents reporting that errors due to outdated technology occur daily, 26% said they occur a few times a week, and 22% said they occur around once per week. As Presidio explained, the use of outdated technology does not just affect efficiency; it directly drives patient safety incidents. Further, inefficient and outdated technology is a significant factor contributing to clinician burnout, as reported by 80% of respondents.

Investment in technology can help to reduce burnout. The survey revealed that more than half of organizations using real-time data at scale (51%) recognize that outdated technology was a major driver of burnout, compared to 29% in pilot programs and 17% still in planning phases, demonstrating that investment in modern, AI-driven technology systems can significantly improve workforce health. “In a competitive labor market, where skilled healthcare professionals are in high demand, this becomes a strategic advantage,” suggests Presidio.

The survey revealed the biggest benefits for staff were improved operational efficiency (52%), better access to real-time patient data and analyses (48%), and more streamlined tasks to support overextended staff (41%). Top of the wish list for healthcare professionals were AI-assisted automation of data entry (52%), transcription and notetaking (41%), EHR system navigation (40%), prescription entries (39%), and insurance validation (36%), all of which were a drain on their time, limiting face-to-face time with patients.

It is clear from the report that there is a pressing need for AI systems to be used in healthcare to improve efficiency, but adoption has been slow. “Most organizations are still relatively immature in their technology practices, lacking full-scale deployment of new technologies that improve record keeping, access to data, and efficiency,” said Presidio in the report. “Healthcare professionals are ready for AI, and they’re telling IT leaders where it can have the biggest impact.”

The post Healthcare’s Reliance on Outdated IT Putting Patient Safety and Cybersecurity at Risk appeared first on The HIPAA Journal.

September 2025 Healthcare Data Breach Report

Posted by Steve Alder

While the figures in our September 2025 data breach report look encouraging, there is a major caveat. Due to the government shutdown, the HHS’ Office for Civil Rights (OCR) has largely stopped adding data breaches to its data breach portal.  The figures for September are therefore likely to increase considerably when the furlough comes to an end, staff return to work, and the backlog of data breach reports is addressed. While we do not generally update our monthly breach reports after publication, we will revise the figures and re-publish this report when the government shutdown comes to an end.

September 2025 Healthcare Data Breach Report

As of October 22, 2025, OCR has added 26 data breaches affecting 500 or more individuals to its data breach portal – the lowest monthly total since December 2018.  While data breaches are down 56% from August’s 64 data breaches, there are likely to be several more breaches added to that total. That said, there has been a downward trend in healthcare data breaches since April, and the year-to-date total from January 1 to September 30 is 469 data breaches, compared to 554 data breaches in the corresponding period in 2024. Even accounting for missing breach reports due to the government shutdown, data breaches are down considerably from last year.

Healthcare data breaches in the past 12 months

Across the 26 September data breaches on the OCR data breach portal, the protected health information of at least 1,294,769 individuals was exposed or impermissibly disclosed, marking the third consecutive month with a fall in the number of affected individuals, and currently down 65.9% from August. That number could increase considerably, but currently, for the year-to-date, 42,216,193 individuals have had their protected health information exposed or impermissibly disclosed. While this year’s total is higher than in the whole of 2019 and 2020, the number of affected individuals is down 85% compared to last year and 75% compared to 2023.

Individuals affected by healthcare data breaches in the past 12 months.

The Biggest Healthcare Data Breaches Announced in September

Currently, 42% of the month’s breaches (11 incidents) involved the exposure or impermissible disclosure of the protected health information of 10,000 or more individuals. All but one of the 11 data breaches were hacking incidents involving unauthorized access to protected health information stored on network servers, with one incident involving a compromised email account. Goshen Medical Center was the worst-affected covered entity, with more than 456,000 patients affected by its hacking incident. One provider that stands out is Sturgis Hospital, which was investigating a cyberattack that occurred in December 2024, when another intrusion was experienced in June 2025.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Goshen Medical Center NC Healthcare Provider 456,385 Network server hacking incident
Medical Associates of Brevard, LLC FL Healthcare Provider 246,711 Network server hacking incident
Doctors Imaging Group FL Healthcare Provider 171,862 Network server hacking incident – Data theft confirmed
Retina Group of Florida FL Healthcare Provider 152,691 Network server hacking incident
Sturgis Hospital MI Health Plan 77,771 Network server hacking incident
Sturgis Hospital MI Healthcare Provider 77,771 Network server hacking incident
PGA Development, Inc. PA Healthcare Provider 23,899 Network server hacking/IT Incident
Teamsters Union 25 Health Services & Insurance Plan MA Health Plan 19,231 Network server hacking incident
Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice  (“Treasure Health ”) FL Healthcare Provider 13,234 Email account breach
People Encouraging People MD Healthcare Provider 13,083 Ransomware attack – Data theft confirmed

The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to OCR and issue notifications within 60 days of the discovery of a data breach; however, if the total number of affected individuals is not known at that point, an estimate should be provided to OCR. Many regulated entities submit a breach report using a placeholder figure of 500 or 501 affected individuals, then provide an updated total when the file review is concluded. Four data breaches were reported in September using 500 or 501 totals indicative of a placeholder. These data breaches could affect considerably more individuals than the initial breach report suggests.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach
Cookeville Regional Medical Center TN Healthcare Provider 500 Hacking/IT Incident
Hampton Regional Medical Center SC Healthcare Provider 501 Hacking/IT Incident
Coos County Family Health Services NH Healthcare Provider 501 Hacking/IT Incident
La Perouse, LLC NV Business Associate 501 Hacking/IT Incident

Causes of September 2025 Healthcare Data Breaches

Out of the 23 large healthcare data breaches added to the OCR breach portal in September, 23 (88.5%) were reported as hacking/IT incidents, involving unauthorized access to the protected health information of 1,279,139 individuals, which is 98.8% of the total individuals affected by data breaches in September. The average number of individuals affected by these incidents was 55,615 (median: 6,243 individuals).

Causes of September 2025 healthcare data breaches

The exact nature of the hacking incidents, such as whether ransomware was used to encrypt files, if a ransom demand was received, or even if data was stolen, is often not disclosed. This trend has been growing for several years and is not confined to the healthcare industry. The Identity Theft Resource Center (ITRC) has reported that this trend is evident across many industry sectors.

The remaining three data breaches were unauthorized/disclosure incidents, affecting 15,630 individuals. On average, 5,210 individuals were affected (median: 1,700 individuals). Based on the available data, no loss, theft, or improper disposal incidents were reported to OCR in September. There have been no loss/theft incidents reported since March 2025, and the last reported improper disposal incident was in May 2025.

Location of breaches protected health information in September 2025 healthcare data breaches

Where Did the Data Breaches Occur?

September 2025 healthcare data breaches by regulated entity type

September 2025: individuals affected by healthcare data breaches by regulated entity type

Geographical Distribution of Healthcare Data Breaches in September

Florida and North Carolina were the worst-affected states, with four data breaches affecting 500 or more individuals reported by entities based in those states, and both states top the list in terms of the number of affected individuals, with 584,498 and 465,721 individuals affected, respectively.

State Breaches
Florida & North Carolina 4
Michigan, Pennsylvania & Tennessee 2
Louisiana, Massachusetts, Maryland, Minnesota, Missouri, New Hampshire, Nevada, Oregon, South Carolina, Texas, Virginia, and Washington 1

The table below shows the number of individuals affected by healthcare data breaches based on the state where the regulated entity is based, not necessarily where the affected individuals reside.

State Individuals Affected
Florida 584,498
North Carolina 465,721
Michigan 155,542
Pennsylvania 26,150
Massachusetts 19,231
Maryland 13,083
Missouri 11,538
Louisiana 6,243
Minnesota 3,572
Tennessee 2,957
Oregon 1,700
Texas 1,236
Washington 1,099
Virginia 696
New Hampshire 501
Nevada 501
South Carolina 501

HIPAA Enforcement Activity in September 2025

It has been a busy year of HIPAA enforcement for OCR, with 20 enforcement actions involving settlements or civil monetary penalties announced this year, including one enforcement action in September.  OCR agreed to settle alleged violations of the HIPAA Privacy Rule and Breach Notification Rule with Cadia Healthcare facilities, which agreed to pay $182,000 to resolve the alleged violations.

Cadia Healthcare is a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware. An employee had posted success stories about its patients to its social media channel; however, it had not obtained valid HIPAA authorizations for that purpose, and therefore, the use of PHI in the stories was an impermissible disclosure of PHI. After being notified by OCR, Cadia found that 150 patients had PHI posted online without valid authorizations, deleted the posts, and shut down the success story program; however, notification letters about the HIPAA breach were not issued.  The corrective action plan requires policies and procedures to be revised, training to be provided to staff members, and notification letters to be issued.

The post September 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.