Healthcare’s Reliance on Outdated IT Putting Patient Safety and Cybersecurity at Risk

Outdated systems are causing healthcare professionals to lose hours each week, impacting patient care, organizational performance, efficiency, and security, according to a new report from the technology services and solution provider Presidio.

The report is based on a survey of more than 1,000 frontline healthcare professionals in the United States, the United Kingdom, and Ireland. Almost all respondents (98%) said inefficient technologies are causing patient care and safety issues, including delays or errors in patient care, and 89% said those issues are a regular occurrence, with 24% reporting that these incidents occur at least once per shift. On average, the respondents experienced 11 such incidents a month.

Healthcare employees are using legacy software and outdated devices that do not support efficient working practices. Some of the main problems associated with outdated systems were latency issues with EHR systems, disconnected and fragmented platforms, and a lack of mobile access. Due to inefficiencies, almost one-quarter of respondents (23%) said they often resort to workarounds to get the job done, even for basic tasks. That creates significant compliance and security risks, as patient data may be handled outside of approved systems, such as unapproved apps. The use of shadow IT creates blind spots for compliance teams and IT departments. Further, the shadow IT tools may not be HIPAA compliant, lacking key security safeguards.

Some of the main problems reported by the respondents were systems that do not easily share data with other systems (23%), reliance on multiple workarounds to complete basic tasks (23%), technologies in use that act as a barrier to safe and timely care (23%), insufficient staff or budgets to modernize systems (23%), and dependence on outdated and legacy systems (23%).

Healthcare professionals in the United States are more likely than their European counterparts to have modern systems, with 36% of UK healthcare professionals saying they have modern systems, and just 2% in Ireland. In the United States, 63% of respondents said they used modern and effective systems, but that leaves 37% who do not.

When technology fails or data cannot be accessed, patient care suffers. Of the respondents, 95% said patient care was negatively affected by system problems and data access issues, and those issues occur regularly: 27% of U.S. respondents reported that errors due to outdated technology occur daily, 26% said they occur a few times a week, and 22% said they occur around once per week. As Presidio explained, the use of outdated technology does not just affect efficiency; it directly drives patient safety incidents. Further, inefficient and outdated technology is a significant factor contributing to clinician burnout, as reported by 80% of respondents.

Investment in technology can help to reduce burnout. The survey revealed that more than half of organizations using real-time data at scale (51%) recognize that outdated technology was a major driver of burnout, compared to 29% in pilot programs and 17% still in planning phases, demonstrating that investment in modern, AI-driven technology systems can significantly improve workforce health. “In a competitive labor market, where skilled healthcare professionals are in high demand, this becomes a strategic advantage,” suggests Presidio.

The survey revealed the biggest benefits for staff were improved operational efficiency (52%), better access to real-time patient data and analyses (48%), and more streamlined tasks to support overextended staff (41%). Top of the wish list for healthcare professionals were AI-assisted automation of data entry (52%), transcription and notetaking (41%), EHR system navigation (40%), prescription entries (39%), and insurance validation (36%), all of which were a drain on their time, limiting face-to-face time with patients.

It is clear from the report that there is a pressing need for AI systems to be used in healthcare to improve efficiency, but adoption has been slow. “Most organizations are still relatively immature in their technology practices, lacking full-scale deployment of new technologies that improve record keeping, access to data, and efficiency,” said Presidio in the report. “Healthcare professionals are ready for AI, and they’re telling IT leaders where it can have the biggest impact.”

The post Healthcare’s Reliance on Outdated IT Putting Patient Safety and Cybersecurity at Risk appeared first on The HIPAA Journal.

Vendor Breaches Announced by Illinois and Virginia Healthcare Providers

Personic Management Company (Personic Health) and Innovative Physical Therapy have recently confirmed that patient information was compromised in vendor security incidents. Anchorage Neighborhood Health Center has recently disclosed an August cyberattack that exposed patient data.

Personic Management Company (Personic Health)

Vienna, VA-based Personic Management Company LLC, doing business as Personic Health, a wound care specialist, has recently disclosed a data breach involving a third-party software platform used to process patient data. Personic Health was informed on September 1, 2025, that there had been unauthorized access to the platform. Assisted by third-party digital forensics experts, Personic Health launched a comprehensive investigation to determine how the breach occurred and the types of information potentially compromised in the incident.

The investigation confirmed that an unauthorized actor accessed the platform on August 29, 2025, and acquired certain data. The data review was completed on October 13, 2025, and confirmed that the protected health information had been stolen. The breach was reported to the Maine Attorney General as involving the personal and protected health information of up to 10,929 individuals; however, the types of information involved were redacted. The individual notification letters state the exact types of information involved.

Personic Health has taken steps to strengthen security to prevent similar breaches in the future and has offered the affected individuals 24 months of complimentary credit monitoring and identity protection services.

Innovative Physical Therapy

Innovative Physical Therapy (IPT), a network of outpatient physical therapy and rehabilitation centers, has recently disclosed a security incident involving its third-party practice management software provider. The vendor assisted IPT with administrative services, which required access to patients’ protected health information.

On August 25, 2025, IPT’s software vendor notified IPT about a phishing incident that involved unauthorized access to two employee email accounts. The phishing incident was identified on June 26, 2025, and the accounts were immediately secured. The vendor engaged a third-party digital forensics firm to investigate the incident, which confirmed that an unauthorized third party accessed the accounts between June 25 and June 26, 2025.

The vendor reviewed the emails and associated files and identified names in combination with one or more of the following types of information: address, date of birth, diagnosis, lab results, medications, treatment information, health insurance information, provider name, and dates of service. A limited number of individuals also had their Social Security numbers exposed.

In total, 2,023 patients were affected by the breach and were notified by mail by the practice management vendor on October 3, 2025. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. IPT said it has received assurances that its vendor is taking steps to prevent similar incidents in the future, including providing additional cybersecurity awareness training for its workforce.

Anchorage Neighborhood Health Center

Anchorage Neighborhood Health Center in Alaska has started notifying patients about a criminal cyberattack that involved unauthorized access to or acquisition of some of their protected health information. The cyberattack was detected on August 25, 2025, and the investigation confirmed unauthorized access to its network from August 24 to August 25, 2025.

The review of the exposed files was completed on October 10, 2025, when it was confirmed that the data exposed in the incident included names, dates of birth, Social Security numbers, driver’s license/state identification numbers, medical treatment information, and/or health insurance information. Anchorage Neighborhood Health Center said it has already implemented a series of cybersecurity enhancements and plans to take other steps to strengthen security. While data misuse has not been detected, as a precaution, the affected individuals have been offered up to 24 months of complimentary credit monitoring services.


Watson Clinic Agrees to $10 Million Data Breach Settlement

Florida’s Watson Clinic has agreed to pay $10,000,000 to settle class action litigation over a January 2024 data breach that affected 280,278 individuals. The hackers stole sensitive data, including digital images, and posted them on the dark web.

The Lakeland-based medical group serves approximately one million patients annually and employs around 1,600 team members and 350 physicians. Watson Clinic identified unauthorized access to its computer network on February 6, 2024, and the forensic investigation confirmed that hackers first gained access to its network on January 26.

The review of the exposed files confirmed that they contained the protected health information of current and former patients, including names, addresses, dates of birth, Social Security numbers, government identifiers, driver’s license numbers, financial account information, and medical information, including diagnoses, treatments, medical record numbers, and pre- and/or post-operative medically necessary images.

Watson Clinic received the results of the third-party file review in July 2024, announced the data breach in August 2024, and issued notifications to the affected individuals. Shortly thereafter, the first class action lawsuit was filed by plaintiff Charles Viviani in the U.S. District Court for the Middle District of Florida. A second class action lawsuit was filed by plaintiff David Thorpe in the same court, and the two complaints were consolidated in a single action – Viviani v. Watson Clinic, LLP. Additional notifications were mailed in February 2025 following a further investigation into the extent of the data breach.

The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and violation of the Florida Deceptive and Unfair Trade Practices Act. Watson Clinic denies all material claims and contentions in the lawsuit and charges of wrongdoing or liability. While Watson Clinic believes it has a solid defense against all claims, the litigation would likely be protracted and expensive, and any litigation has inherent risks. Therefore, the decision was made to settle the lawsuit. Class counsel believes the settlement is in the best interests of all class members.

Watson Clinic has agreed to establish a $10,000,000 settlement fund, from which attorneys’ fees and expenses, service awards for the named plaintiffs, and settlement administration and notification costs will be deducted. The benefits for class members are considerable compared to many class action settlements, including cash payments of up to $75,000 for certain class members, based on the types of digital images posted on the dark web.

Class members who had one or more digital images published on the dark web will be sent a check without having to submit a claim. The compensation amounts are detailed in the table below. Class members are only eligible to receive one of the payments below, whichever is greater.

| Type of Published Digital Image | Compensation Amount |
|---|---|
| Full face and exposed sensitive areas | $75,000 |
| Partial face and exposed sensitive areas | $40,000 |
| No face and exposed sensitive areas | $10,000 |
| Full face and partial clothing of sensitive areas | $10,000 |
| Partial face and partial clothing of sensitive areas | $7,500 |
| No face and partial clothing of sensitive areas | $5,000 |
| Non-sensitive | $100 |

In addition to the one-off cash payments, class members may also submit a claim for the following benefits:

| Additional Benefits (Claim Required) | Maximum Amount |
|---|---|
| Reimbursement of documented, unreimbursed ordinary losses | $500 |
| Reimbursement of documented, unreimbursed extraordinary losses and attested lost time | $6,500, including up to 5 hours of lost time at $25 per hour |
| Residual cash payment | $50* |

*The residual cash payments will be paid pro rata from the settlement fund once costs and expenses have been deducted, and digital image exposure cash payments and claims for reimbursement of losses have been paid. The funds will be divided equally between the class members electing to receive a residual cash payment. The cash payment will be a maximum of $50, but may be less, depending on the number of valid claims.

The deadline for objection to and exclusion from the settlement is January 6, 2025. The deadline for submitting a claim is February 5, 2025, and the final fairness hearing has been scheduled for March 9, 2025. Further information can be found on the settlement website: https://watsondatasettlement.com/
