I’m a HIPAA Privacy Manager. What’s That Mean?

The Privacy Department is led by the HIPAA Privacy Manager, but who is the Department? For some small organizations, it’s just the Privacy Officer. For others, there is a team of people who work diligently to keep the Privacy Officer informed and the organization compliant. When someone asks what you do for a living, how would you explain it? If I say to staff that I’m a Privacy Manager, I typically get blank stares. I then mention HIPAA or Patient Rights, and that’s when I get a head nod or two.

Privacy Officer sounds official, but honestly, what I do every day is way more involved in privacy operations than your typical privacy officer. This is the time to learn and soak up everything you can. Having a team is so important, even if it’s just one extra person. The Privacy Officer is limited without the people who make the department functional every day. Whether you’re a specialist just starting out or a manager like me with years of experience, the daily grind is tackled by us. We are diligent and timely in keeping our patients’ PHI safeguarded, giving our colleagues guidance, and keeping our organization compliant. It really falls to the department team. With that said, credit is due to the unicorns of the privacy world who work for smaller organizations and run the whole privacy office by themselves. I know they are out there, and I applaud you all.

The daily operations are our bread and butter, from handling the daily investigations and incident reports to addressing patients’ requests and helping our colleagues with privacy concerns and questions. All the daily tasks add up to make us the privacy subject matter experts for our company. But is it enough? How many years of experience or certifications does it take to rise to the privacy officer title? What other traits are required?

I’m fortunate to work in a multifunctional healthcare organization that has allowed me to experience a variety of privacy scenarios over my time, from occupational health to continued care, urgent care, and hospitals. I think it’s important to experience as much as you can to really feel confident in your decisions and take accountability for the department. This can be the difference between a team member and a department leader. I think a lot can be said about being not only a sponge for information but also motivational. A positive mindset has always been a strong trait I would encourage any leader to possess. We should be thinking of this as we continue to strengthen our craft.

In the healthcare privacy space, where do you see yourself in five or ten years? For me, it’s always been as a Privacy Officer, the end game. But what does it take to get there? I have spent over 13 years in the healthcare compliance/privacy industry and still feel like I’m learning something new every day. The policies, rules, and laws change, so we adapt. This industry keeps evolving and growing, so my advice is to do the same. 

Helping people must be a big part of this journey, personally and professionally. Learning and becoming an expert in the healthcare privacy field can make it possible to help fellow colleagues and patients every day. As I continue my role, I hope to never forget this. What we do as privacy experts is important. We may be behind the scenes, but we keep our company compliant and lawful. We keep striving to be better than we were yesterday and help those who need it. Continue to do the work, keep your company HIPAA compliant, and never stop learning. One day, you might be a Privacy Officer. 



The post I’m a HIPAA Privacy Manager. What’s That Mean? appeared first on The HIPAA Journal.

Geisinger Health & Nuance Communications Data Breach Litigation Settled for $5 Million

The Danville, Pennsylvania-based healthcare provider Geisinger Health and its former IT vendor Nuance Communications, Inc., have agreed to a $5 million settlement to resolve class action litigation over a 2023 insider data breach involving a former Nuance Communications employee.

On or around November 29, 2023, Geisinger Health learned that a former Nuance Communications employee, Andre J. Burk (also known as Max Vance), accessed the sensitive data of Geisinger Health patients two days after he was terminated by Nuance Communications. The data had been provided to Nuance Communications in connection with the services the IT company was contracted to provide. The breach was detected by Geisinger Health, rather than Nuance Communications, and it alerted its IT vendor about the breach.

Under HIPAA, business associates of HIPAA-regulated entities must comply with the HIPAA Security Rule, one of the requirements of which is to ensure that access rights are immediately revoked when employees are terminated. When notified about the unauthorized access, Nuance Communications terminated the former employee’s access rights and launched an investigation, which revealed that the former employee had potentially obtained the protected health information of more than 1.2 million Geisinger Health patients, including names, dates of birth, Social Security numbers, medical information, and health insurance information.

The affected individuals started to be notified about the data breach on June 24, 2024. The delay in notification was at the request of law enforcement. The HHS’ Office for Civil Rights was informed that the protected health information of 1,276,026 individuals was involved. Max Vance is now facing criminal charges over the data theft – one count of obtaining information from a protected computer – and his trial is scheduled for early January 2026.

Several lawsuits were filed against Geisinger Health and Nuance Communications, Inc. in response to the data breach, which were consolidated into a single action in July 2024 – In re: Geisinger Health Data Security Incident Litigation – in the U.S. District Court for the Middle District of Pennsylvania. The consolidated lawsuit alleged that the defendants failed to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard the plaintiffs’ and class members’ personal and protected health information.

The lawsuit alleged that Geisinger Health failed to ensure that its vendors employed reasonable security measures, that Nuance Communications failed to properly monitor systems for intrusions, that network segmentation was insufficient, that the defendants failed to comply with FTC guidelines and the HIPAA Rules, and that they did not adhere to industry-standard cybersecurity measures. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and declaratory judgment and injunctive relief against both defendants, and breach of fiduciary duty against defendant Geisinger Health.

The defendants disagree with the claims in the lawsuit; however, they chose to settle with no admission of wrongdoing to avoid the expense and uncertainty of a trial and related appeals. The settlement received preliminary approval from District Court Judge Matthew W. Brann on November 18, 2025. Under the terms of the settlement, the defendants will establish a $5,000,000 settlement fund, from which attorneys’ fees and expenses, service awards, and settlement administration costs will be deducted. The remainder of the funds will be used to pay benefits to the class members.

The class consists of 1,308,363 class members who may choose to receive a one-year membership to a credit monitoring and identity theft protection service. In addition, a claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to $5,000 per class member. Alternatively, instead of a claim for reimbursement of losses, class members may choose to receive a pro rata cash payment. The final approval hearing has been scheduled for March 16, 2026, and claims must be submitted by March 18, 2026.

June 24, 2024: Geisinger: Former Business Associate Employee Unlawfully Accessed PHI of More Than 1.2 Million Patients

More than one million Geisinger patients are being notified that their protected health information has been unlawfully accessed by a former employee of one of its business associates, Nuance Communications.

Nuance Communications provides information technology services to Geisinger, which requires access to systems containing patient information. On November 29, 2023, Geisinger detected unauthorized access to patient data by a former Nuance employee and immediately notified Nuance about the incident. Nuance immediately terminated the former employee’s access and launched an investigation, which confirmed that the former employee accessed patient data two days after they were terminated.

The former employee may have viewed and acquired the data of more than one million Geisinger patients. The data varied from patient to patient and may have included names, addresses, phone numbers, dates of birth, admission/discharge/transfer codes, medical record numbers, facility name abbreviations, and race and gender information. Nuance has confirmed that the employee did not have access to Social Security numbers, financial information, or claims/insurance information.

The Department of Justice can pursue criminal charges for HIPAA violations under the Social Security Act when individuals knowingly violate HIPAA. When an employee of a HIPAA-covered entity or business associate has their employment terminated, HIPAA still applies. The penalties for accessing and obtaining protected health information are severe and can include a hefty fine and jail time. A tier 1 violation carries a maximum penalty of up to a year in jail, a tier 2 violation carries a jail term of up to 5 years, and a sentence of up to 10 years in jail is possible for a tier 3 violation – obtaining PHI for personal gain or with malicious intent. Geisinger has confirmed that the unauthorized access was reported to law enforcement and the former Nuance employee has been arrested and is facing federal criminal charges.

Due to the high risk of unauthorized access to patient data by former employees, HIPAA-covered entities and their business associates are required to develop and implement procedures for terminating access to electronic protected health information when employment comes to an end under the workforce security standard of the HIPAA Security Rule – 45 CFR § 164.308 (3)(ii)(C). This incident clearly shows why it is vital to revoke access immediately upon termination of employment. The HHS’ Office for Civil Rights has taken action over violations of this Security Rule provision in 2020 (City of New Haven) and 2018 (Pagosa Springs Medical Center).
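The two controls this paragraph implies, revoking access at termination and then verifying that revocation actually happened, can both be checked mechanically. The following is an added example written for this article and is not code from Geisinger, Nuance, or HHS. It assumes a hypothetical HR termination feed, a directory export of account status, and a constructed application access log; it flags accounts that are still enabled after their termination date and any access events recorded after a user's termination time.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Hypothetical HR termination feed: username -> effective termination time.
# Constructed sample values; not data from the incident described above.
TERMINATIONS: Dict[str, datetime] = {
    "jdoe": datetime(2025, 3, 1, 17, 0),
    "mlee": datetime(2025, 2, 10, 12, 0),
}

# Hypothetical directory export: username -> whether the account is still enabled.
ACCOUNT_STATUS: Dict[str, bool] = {
    "jdoe": True,    # terminated but still enabled: the gap 164.308 requires closing
    "mlee": False,   # terminated and disabled as expected
    "asmith": True,  # current workforce member
}

# Constructed application access log: ISO timestamp, user, action, resource.
ACCESS_LOG = """\
2025-03-01T09:12:00 jdoe READ patient/1001
2025-03-03T10:05:00 jdoe READ patient/2002
2025-03-03T10:06:00 asmith READ patient/2002
2025-02-10T11:59:00 mlee READ patient/3003
"""


@dataclass
class AccessEvent:
    when: datetime
    user: str
    action: str
    resource: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the whitespace-separated log format used in the sample above."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, resource = line.split(maxsplit=3)
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, resource))
    return events


def post_termination_access(events: List[AccessEvent],
                            terminations: Dict[str, datetime]) -> List[AccessEvent]:
    """Detection: events by a terminated user that occurred after the termination time."""
    return [e for e in events
            if e.user in terminations and e.when > terminations[e.user]]


def accounts_not_revoked(status: Dict[str, bool],
                         terminations: Dict[str, datetime],
                         now: datetime) -> List[str]:
    """Audit: terminated users whose accounts are still enabled as of `now`."""
    return sorted(u for u, t in terminations.items()
                  if t <= now and status.get(u, False))


if __name__ == "__main__":
    now = datetime(2025, 3, 4, 8, 0)  # constructed audit time
    for user in accounts_not_revoked(ACCOUNT_STATUS, TERMINATIONS, now):
        print(f"REVOKE: {user} terminated {TERMINATIONS[user]:%Y-%m-%d} but still enabled")
    for ev in post_termination_access(parse_log(ACCESS_LOG), TERMINATIONS):
        print(f"ALERT: {ev.user} accessed {ev.resource} at {ev.when:%Y-%m-%dT%H:%M} "
              f"after termination on {TERMINATIONS[ev.user]:%Y-%m-%d}")
```

Run daily against the real HR feed and identity provider export, the first check catches the gap before it is exploited; the second only tells you after the fact, which is why the paragraph stresses immediate revocation rather than log review.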

The Risant Health-owned health system has confirmed that Nuance Communications is mailing notifications to the affected individuals. Patients have been advised to review the statements they receive from their health plans and contact their health insurer if any services appear on their statements that they have not received. A helpline has been set up for individuals requiring further information about the breach – 855-575-8722. The helpline is manned from 9 a.m. to 9 p.m. ET Monday to Friday. Callers should quote engagement number B124651.

The breach was reported to the HHS’ Office for Civil Rights as affecting 1,276,026 individuals.

This article has been updated to state the number of people affected by the breach, as that information was unavailable at the time of the initial post.


Healthcare’s Reliance on Outdated IT Putting Patient Safety and Cybersecurity at Risk

Outdated systems are causing healthcare professionals to lose hours each week, impacting patient care, organizational performance, efficiency, and security, according to a new report from the technology services and solution provider Presidio.

The report is based on a survey of more than 1,000 frontline healthcare professionals in the United States, the United Kingdom, and Ireland. Almost all respondents (98%) said inefficient technologies are causing patient care and safety issues, including delays or errors in patient care, and 89% said those issues are a regular occurrence, with 24% reporting that these incidents occur at least once per shift. On average, the respondents experienced 11 such incidents a month.

Healthcare employees are using legacy software and outdated devices that do not support efficient working practices. Some of the main problems associated with outdated systems were latency issues with EHR systems, disconnected and fragmented platforms, and a lack of mobile access. Due to inefficiencies, almost one-quarter of respondents (23%) said they often resort to workarounds to get the job done, even for basic tasks. That creates significant compliance and security risks, as patient data may be handled outside of approved systems, such as unapproved apps. The use of shadow IT creates blind spots for compliance teams and IT departments. Further, the shadow IT tools may not be HIPAA compliant, lacking key security safeguards.

Some of the main problems reported by the respondents were systems that do not easily share data with other systems (23%), reliance on multiple workarounds to complete basic tasks (23%), technologies in use that act as a barrier to safe and timely care (23%), insufficient staff or budgets to modernize systems (23%), and dependence on outdated and legacy systems (23%).

Healthcare professionals in the United States are more likely than their European counterparts to have modern systems, with 36% of UK healthcare professionals saying they have modern systems, and just 2% in Ireland. In the United States, 63% of respondents said they used modern and effective systems, but that leaves 37% who do not.

When technology fails or data cannot be accessed, patient care suffers. 95% of respondents said patient care was negatively affected by system problems and data access issues, and those issues occur regularly, with 27% of U.S. respondents reporting that errors due to outdated technology occur daily, 26% said they occur a few times a week, and 22% said they occur around once per week. As Presidio explained, the use of outdated technology does not just affect efficiency; it directly drives patient safety incidents. Further, inefficient and outdated technology is a significant factor contributing to clinician burnout, as reported by 80% of respondents.

Investment in technology can help to reduce burnout. The survey revealed that more than half of organizations using real-time data at scale (51%) recognize that outdated technology was a major driver of burnout, compared to 29% in pilot programs and 17% still in planning phases, demonstrating that investment in modern, AI-driven technology systems can significantly improve workforce health. “In a competitive labor market, where skilled healthcare professionals are in high demand, this becomes a strategic advantage,” suggests Presidio.

The survey revealed the biggest benefits for staff were improved operational efficiency (52%), better access to real-time patient data and analyses (48%), and more streamlined tasks to support overextended staff (41%). Top of the wish list for healthcare professionals were AI-assisted automation of data entry (52%), transcription and notetaking (41%), EHR system navigation (40%), prescription entries (39%), and insurance validation (36%), all of which were a drain on their time, limiting face-to-face time with patients.

It is clear from the report that there is a pressing need for AI systems to be used in healthcare to improve efficiency, but adoption has been slow. “Most organizations are still relatively immature in their technology practices, lacking full-scale deployment of new technologies that improve record keeping, access to data, and efficiency,” said Presidio in the report. “Healthcare professionals are ready for AI, and they’re telling IT leaders where it can have the biggest impact.”


Vendor Breaches Announced by Illinois and Virginia Healthcare Providers

Personic Management Company (Personic Health) and Innovative Physical Therapy have recently confirmed that patient information was compromised in vendor security incidents. Anchorage Neighborhood Health Center has recently disclosed an August cyberattack that exposed patient data.

Personic Management Company (Personic Health)

Vienna, VA-based Personic Management Company LLC, doing business as Personic Health, a wound care specialist, has recently disclosed a data breach involving a third-party software platform used to process patient data. Personic Health was informed on September 1, 2025, that there had been unauthorized access to the platform. Assisted by third-party digital forensics experts, Personic Health launched a comprehensive investigation to determine how the breach occurred and the types of information potentially compromised in the incident.

The investigation confirmed that an unauthorized actor accessed the platform on August 29, 2025, and acquired certain data. The data review was completed on October 13, 2025, and confirmed that the protected health information had been stolen. The breach was reported to the Maine Attorney General as involving the personal and protected health information of up to 10,929 individuals; however, the types of information involved were redacted. The individual notification letters state the exact types of information involved.

Personic Health has taken steps to strengthen security to prevent similar breaches in the future and has offered the affected individuals 24 months of complimentary credit monitoring and identity protection services.

Innovative Physical Therapy

Innovative Physical Therapy (IPT), a network of outpatient physical therapy and rehabilitation centers, has recently disclosed a security incident involving its third-party practice management software provider. The vendor assisted IPT with administrative services, which required access to patients’ protected health information.

On August 25, 2025, IPT’s software vendor notified IPT about a phishing incident that involved unauthorized access to two employee email accounts. The phishing incident was identified on June 26, 2025, and the accounts were immediately secured. The vendor engaged a third-party digital forensics firm to investigate the incident, which confirmed that an unauthorized third party accessed the accounts between June 25 and June 26, 2025.

The vendor reviewed the emails and associated files and identified names in combination with one or more of the following types of information: address, date of birth, diagnosis, lab results, medications, treatment information, health insurance information, provider name, and dates of service. A limited number of individuals also had their Social Security numbers exposed.

In total, 2,023 patients were affected by the breach and were notified by mail by the practice management vendor on October 3, 2025. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. IPT said it has received assurances that its vendor is taking steps to prevent similar incidents in the future, including providing additional cybersecurity awareness training for its workforce.

Anchorage Neighborhood Health Center

Anchorage Neighborhood Health Center in Alaska has started notifying patients about a criminal cyberattack that involved unauthorized access to or acquisition of some of their protected health information. The cyberattack was detected on August 25, 2025, and the investigation confirmed unauthorized access to its network from August 24 to August 25, 2025.

The review of the exposed files was completed on October 10, 2025, when it was confirmed that the data exposed in the incident included names, dates of birth, Social Security numbers, driver’s license/state identification numbers, medical treatment information, and/or health insurance information. Anchorage Neighborhood Health Center said it has already implemented a series of cybersecurity enhancements and plans to take other steps to strengthen security. While data misuse has not been detected, as a precaution, the affected individuals have been offered up to 24 months of complimentary credit monitoring services.


Watson Clinic Agrees to $10 Million Data Breach Settlement

Florida’s Watson Clinic has agreed to pay $10,000,000 to settle class action litigation over a January 2024 data breach that affected 280,278 individuals. The hackers stole sensitive data, including digital images, and posted them on the dark web.

The Lakeland-based medical group serves approximately one million patients annually and employs around 1,600 team members and 350 physicians. Watson Clinic identified unauthorized access to its computer network on February 6, 2024, and the forensic investigation confirmed that hackers first gained access to its network on January 26.

The review of the exposed files confirmed that they contained the protected health information of current and former patients, including names, addresses, dates of birth, Social Security numbers, government identifiers, driver’s license numbers, financial account information, and medical information, including diagnoses, treatments, medical record numbers, and pre- and/or post-operative medically necessary images.

Watson Clinic received the results of the third-party file review in July 2024, announced the data breach in August 2024, and issued notifications to the affected individuals. Shortly thereafter, the first class action lawsuit was filed by plaintiff Charles Viviani in the U.S. District Court for the Middle District of Florida. A second class action lawsuit was filed by plaintiff David Thorpe in the same court, and the two complaints were consolidated in a single action – Viviani v. Watson Clinic, LLP. Additional notifications were mailed in February 2025 following a further investigation into the extent of the data breach.

The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and violation of the Florida Deceptive and Unfair Trade Practices Act. Watson Clinic denies all material claims and contentions in the lawsuit and charges of wrongdoing or liability. While Watson Clinic believes it has a solid defense against all claims, the litigation would likely be protracted and expensive, and any litigation has inherent risks. Therefore, the decision was made to settle the lawsuit. Class counsel believes the settlement is in the best interests of all class members.

Watson Clinic has agreed to establish a $10,000,000 settlement fund, from which attorneys’ fees and expenses, service awards for the named plaintiffs, and settlement administration and notification costs will be deducted. The benefits for class members are considerable compared to many class action settlements, including cash payments of up to $75,000 for certain class members, based on the types of digital images posted on the dark web.

Class members who had one or more digital images published on the dark web will be sent a check without having to submit a claim. The compensation amounts are detailed in the table below. Class members are only eligible to receive one of the payments below, whichever is greater.

| Type of Published Digital Image | Compensation Amount |
|---|---|
| Full face and exposed sensitive areas | $75,000 |
| Partial face and exposed sensitive areas | $40,000 |
| No face and exposed sensitive areas | $10,000 |
| Full face and partial clothing of sensitive areas | $10,000 |
| Partial face and partial clothing of sensitive areas | $7,500 |
| No face and partial clothing of sensitive areas | $5,000 |
| Non-sensitive | $100 |

In addition to the one-off cash payments, class members may also submit a claim for the following benefits:

| Additional benefits (claim required) | Maximum Amount |
|---|---|
| Reimbursement of documented, unreimbursed ordinary losses | $500 |
| Reimbursement of documented, unreimbursed extraordinary losses and attested lost time | $6,500, including up to 5 hours of lost time at $25 per hour |
| Residual cash payment | $50* |

*The residual cash payments will be paid pro rata from the settlement fund once costs and expenses have been deducted, and digital image exposure cash payments and claims for reimbursement of losses have been paid. The funds will be divided equally between the class members electing to receive a residual cash payment. The cash payment will be a maximum of $50, but may be less, depending on the number of valid claims.

The deadline for objection to and exclusion from the settlement is January 6, 2025. The deadline for submitting a claim is February 5, 2025, and the final fairness hearing has been scheduled for March 9, 2025. Further information can be found on the settlement website: https://watsondatasettlement.com/
