Federal Judge Blocks HHS from Sharing Medicaid Data with ICE

Posted by Steve Alder

A federal judge has ordered the U.S. Department of Health and Human Services (HHS) to stop sharing the data of Medicaid enrollees with Immigration and Customs Enforcement (ICE) at the Department of Homeland Security for immigration enforcement purposes.

The Medicaid program provides health insurance for individuals with limited income and resources, such as low-income adults, children, pregnant women, elderly adults, and people with disabilities. There are currently around 79 million Medicaid enrollees in the United States. Anyone living in the United States illegally is not permitted to enroll in the federal Medicaid program, although seven states permit non-U.S. citizens to participate in their state Medicaid programs, but do not bill the federal government for the costs.

In June 2025, under the direction of HHS Secretary Robert F. Kennedy Jr., the HHS’s Centers for Medicare and Medicaid Services (CMS) started sharing the personal data of Medicaid recipients with ICE under a new data-sharing agreement. Staff at the CMS attempted to block the data transfers but were overruled by Secretary Kennedy’s advisors. ICE has had a 12-year policy of not using Medicaid data for enforcement purposes, and CMS has previously restricted the use of Medicaid data to the administration of its healthcare programs.

The HHS maintains that the access is being provided as part of the Trump Administration’s push to rid the country of illegal aliens. The data provided by the CMS provides ICE agents with identity and location information to allow those individuals to be found by enforcement officers, and stop federal funds intended for law-abiding Americans from being used to pay for Medicaid benefits for illegal aliens.

When the decision to share Medicaid data with ICE came to light in June, a coalition of 20 state attorneys general took legal action to prevent the HHS from sharing Medicaid data with ICE; however, a further agreement was entered into in July, which provided DHS with daily access to the Medicaid data stream. The shared data includes names, addresses, birth dates, ethnicities, and Social Security numbers, which may not be downloaded, but can be viewed by ICE officials until September 9, 2025, between 9 a.m. and 5 p.m.

The state attorneys general argued that the sharing of Medicaid data with DHS was in violation of HIPAA and threatened to undermine the Medicaid program. “The move to use Medicaid data for immigration enforcement upended longstanding policy protections without notice or consideration for the consequences,” said California Attorney General Rob Bonta. “As the president continues to overstep his authority in his inhumane anti-immigrant crusade, this is a clear reminder that he remains bound by the law.”

Judge Vince Chhabria, a District Court Judge in the Northern District of California, sided with the state attorneys general and ruled that the HHS must stop sharing Medicaid data with ICE for immigration enforcement purposes that was obtained from the 20 states that participated in the lawsuit. The preliminary injunction will remain in place until 14 days after HHS and DHS complete a reasoned decision-making process that complies with the Administrative Procedures Act, or the litigation is concluded.

In his ruling granting a preliminary injunction, Judge Chhabria said, “Using CMS data for immigration enforcement threatens to significantly disrupt the operation of Medicaid—a program that Congress has deemed critical for the provision of health coverage to the nation’s most vulnerable residents.” While he wrote that there is nothing categorially unlawful about the DHS obtaining data on individuals obtained from government agencies such as the HHS for immigration enforcement purposes, since 2013, ICE has had a well-publicized policy against using Medicaid data for its enforcement activities, and the CMS has a long-standing policy of not sharing patients’ personal data for reasons other than those related to its healthcare programs, and even states so on its website.

“Given these policies, and given that the various players in the Medicaid system have relied on them, it was incumbent upon the agencies to carry out a reasoned decisionmaking process before changing them,” wrote Chhabria in his ruling. “The record in this case strongly suggests that no such process occurred.”

The post Federal Judge Blocks HHS from Sharing Medicaid Data with ICE appeared first on The HIPAA Journal.

Healthplex Settles Alleged Cybersecurity Failures with NYDFS for $2 Million

Posted by Steve Alder

Healthplex, one of the largest providers of dental health insurance programs in New York State, has agreed to a settlement with the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). Healthplex has agreed to pay a $2 million financial penalty to New York State and take steps to improve its cybersecurity posture.

The Cybersecurity Regulation took effect in 2017 and requires all financial institutions operating in New York State to implement and maintain a robust cybersecurity program. Some of the key requirements include conducting risk assessments, managing risks, and implementing security policies and procedures, an incident response plan, and multifactor authentication.

Healthplex is a licensed provider of dental insurance management services and must therefore comply with the Cybersecurity Regulation. NYDFS launched a compliance investigation after Healthplex reported a cybersecurity event to NYDFS on April 8, 2022. Healthplex discovered the incident on November 24, 2021, when employees received a suspicious email from an account associate’s account and reported it internally to the security team.

The investigation confirmed that an account associate in customer service had responded to a phishing email that was received on November 22 or 23, 2021. The email required Office 365 email login credentials to be provided to receive a fax message. The credentials were captured, and the threat actor accessed the Office 365 account. The account was used to send further phishing emails, and it was found to contain the protected health information of 89,955 individuals.

The NYDFS investigation revealed that there was no data retention policy limiting the information stored in email accounts, in violation of § 500.13 of the Cybersecurity Regulation. The employee had worked for the company for approximately 20 years, and their account contained more than 100,000 emails. Further, multifactor authentication (MFA) had not been set up for its Office 365 email environment, so a compromised password was all that was required to access the account and the sensitive and nonpublic data of tens of thousands of individuals.

Healthplex had implemented MFA for its email environment; however, it failed to ensure that MFA was completely operational when it migrated to Office 365 earlier in the year. With the password obtained in the phishing attack, the entire contents of the account could be accessed via a standard web browser. § 500.12(b) of the Cybersecurity Regulation requires MFA to be implemented for remote access to the covered entity’s information systems and third-party applications.

The required cybersecurity program must ensure that a covered entity is able to report cybersecurity events promptly. The Superintendent must be notified within 72 hours of the discovery of a cybersecurity event. While the event was detected on November 24, 2021, the Superintendent was not notified until April 8, 2022, in violation of § 500.17(a) of the Cybersecurity Regulation.  Healthplex had certified that it was compliant with the Cybersecurity Regulation for 2021, but the investigation confirmed that not to be the case, in violation of § 500.17(b). The lack of policies for secure disposal of data on a periodic basis was in violation of § 500.13 of the Cybersecurity Regulation.

In addition to the financial penalty, Healthplex has agreed to strengthen its cybersecurity controls to ensure compliance with the Cybersecurity Regulation and will hire an independent third-party auditor to conduct a current audit of the MFA controls of its business infrastructure and shared systems that support its core business functions.

This is not the first financial penalty for Healthplex over the phishing incident. In 2023, Healthplex settled an investigation with the New York Attorney General and paid a financial penalty of $400,000 to resolve alleged violations of HIPAA and state data security and consumer protection laws.

The post Healthplex Settles Alleged Cybersecurity Failures with NYDFS for $2 Million appeared first on The HIPAA Journal.

Arizona Orthopedics Practice Announces Data Breach

Posted by Steve Alder

Data breaches have recently been reported by Integrated Orthopedics of Arizona, Glen Falls Hospital in New York, and South Coast Pediatrics in California.

Integrated Orthopedics of Arizona

Integrated Orthopedics of Arizona (IOA) in Phoenix, Arizona, has recently notified patients about a breach of its email tenant. Unauthorized activity was identified on or around April 7, 2025. Assisted by third-party cybersecurity experts, IOA confirmed unauthorized access to the email system, and some emails had been copied.

The email system was reviewed to determine the individuals affected and the types of data involved, and that process was completed on June 19, 2025. The affected individuals had either visited IOA for healthcare services or their information was provided by other healthcare providers. The breached information included some or all of the following: name, address, date of birth, medical record number, patient ID/ account number, Medicare number, Medicaid number, health insurance information, diagnosis information, treatment information including date(s) and location, doctor’s name, lab or test results, and for a small subset of individuals, driver’s license number and/or Social Security number. IOA has offered the affected individuals 24 months of complimentary credit monitoring and identity theft protection services, and has taken steps to improve email security.

Glens Falls Hospital, New York

Glens Falls Hospital in New York has recently confirmed that patient data was compromised in an Oracle Health/Cerner cybersecurity incident in January this year. The data was stored on legacy servers that were awaiting migration to Oracle Cloud, when hackers gained access. The hackers may have breached the servers as early as January 22, 2025, and accessed medical records stored on those servers. The compromised information included patients’ names, Social Security numbers, medical record numbers, physicians’ names, diagnoses, medications, test results, medical images, and treatment information.

Glen Falls Hospital said it was not using Oracle Health or Cerner as its electronic health vendor at the time, having terminated that relationship on November 2, 2024, yet it was still affected by the incident. Glen Falls Hospitals was provided with a list of the affected individuals on June 6, 2025, and has been working with Oracle Health to notify those individuals and provide them with 24 months of complimentary credit monitoring and identity theft protection services. There is currently no entry relating to the breach on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

South Coast Pediatrics, California

South Coast Pediatrics, a pediatric medical group with locations in Bristol, Spurgeon, and Anaheim in California, has notified 7,000 individuals about a June 2025 cyberattack that involved unauthorized access to computers containing patient information. The attack was identified on June 12, 2025, and steps were immediately taken to contain the threat, assess the impact, and restore its systems.

The forensic investigation confirmed that patient data was present on the affected computers, including name, address, date of birth, medical record number, diagnosis, and treatment codes/descriptions. Steps have been taken to enhance network security and prevent similar incidents in the future. The affected patients have been advised to remain vigilant against instances of identity theft and fraud.

The post Arizona Orthopedics Practice Announces Data Breach appeared first on The HIPAA Journal.