State Medicaid Agencies Need to Improve Security Controls for MMIS and E&E Systems

Posted by Steve Alder

Penetration tests conducted on ten State Medicaid Management Information Systems (MMIS) and Eligibility & Enrollment (E&E) systems have revealed they contain vulnerabilities that could potentially be exploited in sophisticated cyberattacks. The penetration tests were conducted on behalf of the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) by a third-party penetration testing company between 2020 and 2022 to determine the effectiveness of information technology system controls in preventing attacks on web-facing MMIS and E&E systems.

The penetration tests were conducted in response to an increase in cyberattacks targeting MMIS and E&E systems. These systems are attractive targets as they contain significant amounts of valuable and sensitive data. HHS-OIG has observed an increase in multiple threat types targeting these systems, including ransomware attacks, phishing, and denial-of-service attacks. Between 2012 and 2023, at least six U.S. states have experienced cyberattacks that resulted in access being gained to significant amounts of Medicaid data, including an attack in Texas in 2021 that affected approximately 1.8 million individuals, a data breach in Utah that affected 780,000 Medicaid recipients, and a data breach in South Carolina that affected 228,000 Medicaid recipients.

The penetration tests simulated cyberattacks. While the security controls were found to be generally effective at blocking unsophisticated or limited cyberattacks, improvements are required to prevent more sophisticated attacks and persistent threats. The cybersecurity controls implemented by the nine states – Alabama, Illinois, Maryland, Massachusetts, Michigan, Minnesota, South Carolina, South Dakota, Utah – and Puerto Rico responded to and blocked some of the HHS-OIG’s simulated cyberattacks, but not others. Simulated phishing attempts were also conducted on a selection of employees to determine whether they had received adequate security awareness training.

The most common NIST security controls that were identified as ineffective in most of the audited states were website transmission confidentiality and integrity controls; flaw remediation controls to properly identify, report, and correct software flaws; information input validation controls to verify the validity or properly sanitize the information system input for public-facing systems; and error handling controls to prevent disclosure of information.

The common causes were developers and contractors that were unaware of government standards or industry best practices; the failure to securely configure and patch flaws in a timely manner; the failure to assess all components in MMIS and E&E systems (e.g. third party plug-ins and libraries); infective procedures for testing security controls; and delays in detecting, reporting, and fixing flaws in systems.

HHS-OIG made 27 recommendations to the nine states and Puerto Rico for improving security controls, policies, and procedures. The most common recommendations included: patching outdated servers; improving input sanitization on web servers; enhancing vulnerability detection tools; conducting periodic evaluations of the effectiveness of security controls; updating cryptographic settings; improving vulnerability management strategies; and ensuring server configurations support secure protocols

The post State Medicaid Agencies Need to Improve Security Controls for MMIS and E&E Systems appeared first on The HIPAA Journal.

Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands

Posted by Steve Alder

Ransomware groups are conducting fewer attacks than a year ago, and are increasingly adopting a more targeted approach using stealthy tactics to achieve more impactful results, according to the 2025 Global Threat Landscape Report from the network detection and response (NDR) company ExtraHop.

Indiscriminate attacks are being dropped in favor of targeted, sophisticated attacks that allow ransomware actors to spend longer inside victims’ networks as they move undetected to achieve an extensive compromise before deploying their file-encrypting payloads. Attacks are designed to cause maximum damage and extensive downtime, which both increases the likelihood of a ransom being paid and allows them to obtain higher ransom payments. ExtraHop reports that in the space of a year, the average ransom demand has increased by more than one million dollars, from $2.5 million a year ago to $3.6 million, although ransom demands are higher for healthcare organizations and government entities. 70% of victims end up paying the ransom.

Last year, ExtraHop tracked an average of 8 incidents per organization compared to 5-6 incidents this year. Ransomware actors typically have access to victims’ networks for almost two weeks before they launch their attack, during which time sensitive data is exfiltrated. It typically takes victims more than two weeks to respond to a security alert and contain an attack, with the attacks causing an average downtime of around 37 hours.

Only 17% of attacks are detected during the reconnaissance phase, with 29% detected during initial access, but 30% of attacks are detected later on in the attack phase when file exfiltration has commenced (12%), data is encrypted (13%), or the ransom note is received (5%). While attacks are becoming increasingly sophisticated and harder to detect with traditional security tools, the initial access vectors have largely remained unchanged, with phishing and social engineering the most common means of infiltration. Phishing/social engineering was the infiltration method in 33.7% of attacks, software vulnerabilities were exploited in 19.4% of attacks, supply chain compromises were behind 13.4% of attacks, and software misconfigurations were exploited in 13% of attacks. ExtraHop has observed a marked increase in the use of compromised credentials for initial access, which were used in 12.2% of attacks. Legitimate credentials allow attackers to access networks, move laterally, and remain in networks undetected for extended periods, often escalating privileges to compromise more sensitive systems.

The biggest areas of cybersecurity risk for defenders were the public cloud (53.8%), third-party services and integrations (43.7%), and generative AI applications (41.87%). The main challenges faced by defenders were limited visibility into their entire environment (41%), insufficient staffing or a skills gap (35.5%), alert fatigue due to an overwhelming number of security alerts (34%), poorly integrated tools (34%), insufficient or manual SOC workflows (33%), insufficient budget and executive support (29%), and organizational silos (26%). The problem for many organizations is that they are grappling with a complex range of equally pressing obstacles.

ExtraHop’s advice is to first understand the full attack surface, which means knowing exactly what is in the network and where vulnerabilities exist. While it is important to have robust perimeter defenses, internal traffic must be monitored as attackers are increasingly able to penetrate defenses. Through effective monitoring, organizations can identify and block attacks before escalation, data theft, and encryption. While it is essential to understand what threat actors are doing today, it is important to keep abreast of evolving tactics to be prepared for what will happen tomorrow, including attackers’ use of emerging technologies.

The post Ransomware Groups’ Evolving Tactics Spur 44% Increase in Ransom Demands appeared first on The HIPAA Journal.

Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement

Posted by Steve Alder

Fraser Child and Family Center has agreed to pay $750,000 to settle class action litigation over a 2024 data breach. Fraser Child and Family Center is a Minnesota-based provider of autism, mental health, behavioral health, and disability services. Between May 30, 2024, and June 2, 2024, an unauthorized third party was able to access parts of its IT environment that contained the protected health information of approximately 67,000 individuals. Information potentially stolen in the incident included names, addresses, dates of birth, Social Security numbers, and medical information. The affected individuals were notified about the breach in September 2024.

Class action lawsuits were filed in response to the data breach by four plaintiffs, individually and on behalf of their minor children and similarly situated individuals. Since the lawsuits had overlapping claims and were based on the same facts, they were consolidated into a single lawsuit – In re: Fraser Child and Family Center – which was filed in the District Court for Hennepin County, Minnesota.

The lawsuit asserted several claims, including negligence, breach of contract, breach of fiduciary duty, invasion of privacy – intrusion upon seclusion, unjust enrichment, and a failure to provide adequate breach notifications. Fraser Child and Family Center denies wrongdoing and liability and filed a motion to dismiss. Shortly thereafter, all parties began to explore the possibility of early resolution of the litigation, and a settlement was agreed upon that was acceptable to all parties. The settlement agreement has now been finalized and has received preliminary approval from the court.

Following the data breach, Fraser Child and Family Center implemented additional safeguards to further protect information stored on its network. In addition, a $750,000 settlement fund will be established to cover attorneys’ fees and expenses, settlement administration costs, service awards for the plaintiffs, and benefits for the class members.

All class members are entitled to claim two years of credit monitoring services, which can be either the CyEx Identity Defense Complete package for adults or the CyEx Minor Defense package for minors. In addition, a claim may be submitted for reimbursement of documented, out-of-pocket losses due to the data breach up to a maximum of $2,500 per class member. In lieu of a claim for reimbursement of losses, class members may submit a claim for a cash payment. Cash payments will be paid after all the above costs and expenses have been paid, and the funds will be divided equally between class members who submit a claim for a cash payment.

Class members wishing to object to the settlement or exclude themselves must do so by November 3, 2025. Claims must be submitted by December 1, 2025, and the final fairness hearing has been scheduled for November 20, 2025.

The post Fraser Child and Family Center Agrees to $760,000 Data Breach Settlement appeared first on The HIPAA Journal.

September 2025 Healthcare Data Breach Report

Posted by Steve Alder

While the figures in our September 2025 data breach report look encouraging, there is a major caveat. Due to the government shutdown, the HHS’ Office for Civil Rights (OCR) has largely stopped adding data breaches to its data breach portal.  The figures for September are therefore likely to increase considerably when the furlough comes to an end, staff return to work, and the backlog of data breach reports is addressed. While we do not generally update our monthly breach reports after publication, we will revise the figures and re-publish this report when the government shutdown comes to an end.

September 2025 Healthcare Data Breach Report

As of October 22, 2025, OCR has added 26 data breaches affecting 500 or more individuals to its data breach portal – the lowest monthly total since December 2018.  While data breaches are down 56% from August’s 64 data breaches, there are likely to be several more breaches added to that total. That said, there has been a downward trend in healthcare data breaches since April, and the year-to-date total from January 1 to September 30 is 469 data breaches, compared to 554 data breaches in the corresponding period in 2024. Even accounting for missing breach reports due to the government shutdown, data breaches are down considerably from last year.

Healthcare data breaches in the past 12 months

Across the 26 September data breaches on the OCR data breach portal, the protected health information of at least 1,294,769 individuals was exposed or impermissibly disclosed, marking the third consecutive month with a fall in the number of affected individuals, and currently down 65.9% from August. That number could increase considerably, but currently, for the year-to-date, 42,216,193 individuals have had their protected health information exposed or impermissibly disclosed. While this year’s total is higher than in the whole of 2019 and 2020, the number of affected individuals is down 85% compared to last year and 75% compared to 2023.

Individuals affected by healthcare data breaches in the past 12 months.

The Biggest Healthcare Data Breaches Announced in September

Currently, 42% of the month’s breaches (11 incidents) involved the exposure or impermissible disclosure of the protected health information of 10,000 or more individuals. All but one of the 11 data breaches were hacking incidents involving unauthorized access to protected health information stored on network servers, with one incident involving a compromised email account. Goshen Medical Center was the worst-affected covered entity, with more than 456,000 patients affected by its hacking incident. One provider that stands out is Sturgis Hospital, which was investigating a cyberattack that occurred in December 2024, when another intrusion was experienced in June 2025.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Goshen Medical Center NC Healthcare Provider 456,385 Network server hacking incident
Medical Associates of Brevard, LLC FL Healthcare Provider 246,711 Network server hacking incident
Doctors Imaging Group FL Healthcare Provider 171,862 Network server hacking incident – Data theft confirmed
Retina Group of Florida FL Healthcare Provider 152,691 Network server hacking incident
Sturgis Hospital MI Health Plan 77,771 Network server hacking incident
Sturgis Hospital MI Healthcare Provider 77,771 Network server hacking incident
PGA Development, Inc. PA Healthcare Provider 23,899 Network server hacking/IT Incident
Teamsters Union 25 Health Services & Insurance Plan MA Health Plan 19,231 Network server hacking incident
Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice  (“Treasure Health ”) FL Healthcare Provider 13,234 Email account breach
People Encouraging People MD Healthcare Provider 13,083 Ransomware attack – Data theft confirmed

The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to OCR and issue notifications within 60 days of the discovery of a data breach; however, if the total number of affected individuals is not known at that point, an estimate should be provided to OCR. Many regulated entities submit a breach report using a placeholder figure of 500 or 501 affected individuals, then provide an updated total when the file review is concluded. Four data breaches were reported in September using 500 or 501 totals indicative of a placeholder. These data breaches could affect considerably more individuals than the initial breach report suggests.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach
Cookeville Regional Medical Center TN Healthcare Provider 500 Hacking/IT Incident
Hampton Regional Medical Center SC Healthcare Provider 501 Hacking/IT Incident
Coos County Family Health Services NH Healthcare Provider 501 Hacking/IT Incident
La Perouse, LLC NV Business Associate 501 Hacking/IT Incident

Causes of September 2025 Healthcare Data Breaches

Out of the 23 large healthcare data breaches added to the OCR breach portal in September, 23 (88.5%) were reported as hacking/IT incidents, involving unauthorized access to the protected health information of 1,279,139 individuals, which is 98.8% of the total individuals affected by data breaches in September. The average number of individuals affected by these incidents was 55,615 (median: 6,243 individuals).

Causes of September 2025 healthcare data breaches

The exact nature of the hacking incidents, such as whether ransomware was used to encrypt files, if a ransom demand was received, or even if data was stolen, is often not disclosed. This trend has been growing for several years and is not confined to the healthcare industry. The Identity Theft Resource Center (ITRC) has reported that this trend is evident across many industry sectors.

The remaining three data breaches were unauthorized/disclosure incidents, affecting 15,630 individuals. On average, 5,210 individuals were affected (median: 1,700 individuals). Based on the available data, no loss, theft, or improper disposal incidents were reported to OCR in September. There have been no loss/theft incidents reported since March 2025, and the last reported improper disposal incident was in May 2025.

Location of breaches protected health information in September 2025 healthcare data breaches

Where Did the Data Breaches Occur?

September 2025 healthcare data breaches by regulated entity type

September 2025: individuals affected by healthcare data breaches by regulated entity type

Geographical Distribution of Healthcare Data Breaches in September

Florida and North Carolina were the worst-affected states, with four data breaches affecting 500 or more individuals reported by entities based in those states, and both states top the list in terms of the number of affected individuals, with 584,498 and 465,721 individuals affected, respectively.

State Breaches
Florida & North Carolina 4
Michigan, Pennsylvania & Tennessee 2
Louisiana, Massachusetts, Maryland, Minnesota, Missouri, New Hampshire, Nevada, Oregon, South Carolina, Texas, Virginia, and Washington 1

The table below shows the number of individuals affected by healthcare data breaches based on the state where the regulated entity is based, not necessarily where the affected individuals reside.

State Individuals Affected
Florida 584,498
North Carolina 465,721
Michigan 155,542
Pennsylvania 26,150
Massachusetts 19,231
Maryland 13,083
Missouri 11,538
Louisiana 6,243
Minnesota 3,572
Tennessee 2,957
Oregon 1,700
Texas 1,236
Washington 1,099
Virginia 696
New Hampshire 501
Nevada 501
South Carolina 501

HIPAA Enforcement Activity in September 2025

It has been a busy year of HIPAA enforcement for OCR, with 20 enforcement actions involving settlements or civil monetary penalties announced this year, including one enforcement action in September.  OCR agreed to settle alleged violations of the HIPAA Privacy Rule and Breach Notification Rule with Cadia Healthcare facilities, which agreed to pay $182,000 to resolve the alleged violations.

Cadia Healthcare is a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware. An employee had posted success stories about its patients to its social media channel; however, it had not obtained valid HIPAA authorizations for that purpose, and therefore, the use of PHI in the stories was an impermissible disclosure of PHI. After being notified by OCR, Cadia found that 150 patients had PHI posted online without valid authorizations, deleted the posts, and shut down the success story program; however, notification letters about the HIPAA breach were not issued.  The corrective action plan requires policies and procedures to be revised, training to be provided to staff members, and notification letters to be issued.

The post September 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.