Are You Really Compliant? The Stricter Medical Privacy Regulations in Texas

In addition to HIPAA and the Texas Medical Records Privacy Act/HB300, several other laws apply to the privacy and security of medical records in Texas. Laws such as the Texas Identity Theft Enforcement and Protection Act, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, SB1188 and the Texas Medical Practice Act create a layered system of protections that often go beyond HIPAA’s minimum requirements.

Before HIPAA, medical confidentiality in Texas was governed mainly by the Texas Health and Safety Code, which already limited how health information could be used and disclosed, and gave patients rights to see their records. HIPAA then introduced federal privacy and security rules, but only for a narrower group of “covered entities.” To close that gap, Texas passed the Texas Medical Records Privacy Act in 2001, extending HIPAA-style protections to more organizations that handle Texans’ health information. HB300, passed in 2011, strengthened that Act by tightening rules for electronic disclosures, shortening deadlines for responding to patient access requests, and expanding breach notification requirements. HB300 is important, but it operates alongside a broader set of Texas privacy and security laws.

The Texas Identity Theft Enforcement and Protection Act (TITEPA) is not limited to healthcare, but it heavily affects healthcare organizations because it applies to any business that handles personal identifying information about Texas residents. Its definition of “sensitive personal information” is broader than HIPAA’s definition of PHI, so some data that is not PHI still has to be protected as if it were. Organizations must secure this information, dispose of it safely, and notify individuals (and sometimes the Attorney General) if computerized sensitive personal information is acquired by an unauthorized person. Because these requirements sit next to HIPAA’s breach rules, many healthcare organizations in Texas treat all patient-related information like PHI and apply HIPAA-level safeguards across the board.

The Texas Data Privacy and Security Act (TDPSA) is aimed at consumer data generally, but it also touches healthcare. Covered entities and business associates are exempt for PHI but not for other personally identifying data they collect, such as marketing lists, website tracking data, appointment booking details, or some HR data. For this non-PHI data, organizations must limit collection to what is necessary, obtain informed consent for certain uses (such as targeted marketing), and honor rights to access, correct, or request deletion where those rights apply. Deletion rights do not override medical record retention requirements, so PHI and medical records still must be kept according to Texas rules.

The Texas Responsible AI Governance Act and SB1188 add AI- and EHR-specific obligations. The AI Governance Act applies broadly to developers and users of AI, including healthcare organizations that use AI in clinical or administrative workflows. Patients must be told when AI is used in diagnosis or clinical decision support (outside emergencies), and patient authorization is required if PHI is sent to AI systems for purposes beyond treatment, payment, healthcare operations, or required-by-law disclosures. 

SB1188 goes further by requiring AI-generated diagnostic outputs to be reviewed under standards set by the Texas Medical Board and documented in the medical record, and by imposing specific security and functionality requirements on EHRs. It restricts storing certain data types in EHRs, such as credit scores or voter-registration status, and sets rules around parental access to minors’ electronic records – with exceptions for sensitive services such as reproductive, substance use, or mental health care.

The Texas Medical Practice Act and related code provisions add professional and confidentiality duties for licensed healthcare professionals on top of all this. In many cases, state law requires written consent for disclosures that go beyond treatment, payment, healthcare operations, or disclosures explicitly required by law, and adds extra protections for especially sensitive categories such as mental health, substance use, HIV testing, and genetic information. These provisions are updated regularly and can override or refine how other laws apply in specific scenarios.

Because all of these laws overlap, organizations that handle medical information about Texas residents generally follow a “most protective law wins” approach. HIPAA and the Texas Medical Records Privacy Act/HB300 are central pieces of Texas medical privacy law, but real-world practice is also shaped by TITEPA, the TDPSA, the Responsible AI Governance Act, SB1188, and the Medical Practice Act. For workforce members, the safest course is to follow organizational policies, complete required training, and ask their privacy or compliance teams when they are unsure.

The post Are You Really Compliant? The Stricter Medical Privacy Regulations in Texas appeared first on The HIPAA Journal.

Kaiser Foundation Health Plan Settles Unwanted Text Message Lawsuit

The risk of sending unwanted marketing communications to consumers has been highlighted by a $10.5 million settlement with Kaiser Foundation Health Plan, which is alleged to have continued sending marketing text messages to individuals who opted out of receiving marketing communications.

Legal action was taken against Kaiser Foundation Health Plan, doing business as Kaiser Permanente, by Jonathan Fried, who alleged that the defendant violated federal and Florida state law by continuing to send marketing text messages after he had submitted an opt-out request to stop receiving the communications.

The lawsuit, Jonathan Fried v. Kaiser Foundation Health Plan, Inc., d/b/a Kaiser Permanente, was filed individually and on behalf of similarly situated individuals over the alleged sending of unwanted text messages marketing Kaiser Permanente’s products and services. According to the lawsuit, the defendant sent, or failed to stop, further messages after consumers replied with the word STOP or performed a similar opt-out instruction, and this failure to honor opt-out requests violated the federal Telephone Consumer Protection Act (TCPA) and the Florida Telephone Solicitation Act (FTSA). The violations are alleged to have occurred between January 21, 2021, and August 20, 2025.

Kaiser maintains there was no wrongdoing and denies and continues to deny the allegations in the lawsuit; however, a settlement was agreed to bring the litigation to an end to avoid the cost of a trial and related appeals, and the risks and uncertainties for both sides from continuing with the litigation. Kaiser has agreed to pay up to $10,500,000 to settle the litigation. The settlement fund will cover attorneys’ fees and expenses, a service award for the class representative, settlement administration costs, and cash payments for the class members.

There are two settlement classes. The nationwide class covers all individuals in the United States who were sent more than one text message regarding the defendant’s goods or services in any 12-month period between January 21, 2021, and August 20, 2025, after replying to a message with STOP or performing a similar opt-out instruction. The Florida FTSA class covers all persons who resided in Florida and received more than one text message between the same dates about the defendant’s goods or services at least 15 days after opting not to receive the communications.

Class members who submit a valid claim will receive a payment of up to $75 per qualifying text message they received. If the number of claims exceeds the funds in the settlement, then claims will be paid pro rata. Should any funds remain in the settlement fund after all claims have been paid, then they will be refunded to Kaiser.

The settlement has received preliminary approval from the court, and claims must be submitted by February 12, 2026. The deadline for opting out and exclusion from the settlement is December 29, 2025. The final approval hearing has been scheduled for January 28, 2026.

The post Kaiser Foundation Health Plan Settles Unwanted Text Message Lawsuit appeared first on The HIPAA Journal.

$3.5 Million Mindpath Health Data Breach Settlement Gets First Nod

A California Superior Court judge has given preliminary approval to a settlement that resolves a class action lawsuit against Community Psychiatry Management, LLC, operating as Mindpath Health, stemming from two email data breaches in 2022 that affected 193,947 individuals.

Mindpath Health is a California-based mental health service provider serving patients in seven U.S. states. In March 2022 and again in June 2022, unauthorized individuals gained access to Microsoft Office 365 business accounts that contained the protected health information of Mindpath Health patients and other individuals. The breach was discovered in June during a routine audit of its email environment, which identified suspicious account activity.

The investigation confirmed that two email accounts had been subject to unauthorized access in March and June 2022, exposing names, addresses, Social Security numbers, dates of birth, medical diagnoses, prescriptions, treatment information, and health insurance information. Notification letters were sent to the affected individuals on January 10, 2023, almost seven months after the breach was identified.

A class action lawsuit was filed in the Eastern District of California by plaintiff Corina Lowrey on January 30, 2023, followed by two further complaints from other Mindpath Health patients. The lawsuits were consolidated into a single complaint – Lowrey, et al., v. Community Psychiatry Management, LLC – in the Superior Court of California, County of Los Angeles.

The plaintiffs claimed that the breach was a direct consequence of cybersecurity failures by the defendant, with the lawsuit asserting claims of negligence, breach of fiduciary duty, breach of implied contract, breach of confidence, unjust enrichment/quasi-contract, and violations of the California Constitutional Right to Privacy, California Confidentiality of Medical Information Act, California Unfair Competition Law, California Consumer Records Act, California Consumer Privacy Act, and California Consumer Legal Remedies Act.

The defendant maintains that there was no wrongdoing and disagrees with all claims and contentions in the lawsuit; however, following two full-day mediation sessions, all parties reached an agreement to settle the litigation to avoid further legal expenses from what would likely be protracted litigation and the uncertainty of trial and related appeals.

Under the terms of the settlement, the defendant will establish a $3.5 million settlement fund from which attorneys’ fees ($1,166,666.67) and expenses (up to $35,000), settlement administration costs (up to $202,900), and service awards ($5,000 for each of the three plaintiffs) will be deducted. The remainder of the settlement will be used to pay for benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $1,500 per class member, and up to $10,000 as reimbursement for documented, unreimbursed extraordinary losses, including losses due to identity theft and fraud. All class members who submit a valid claim are entitled to three years of credit monitoring services.

As an alternative to the credit monitoring services, class members can choose to receive a pro rata cash payment, expected to be approximately $50. The cash payments may be adjusted upwards or downwards depending on the number of valid claims received. Individuals who were California residents at the time of either of the two email security incidents may claim an additional pro rata cash payment of $50. These payments may also be adjusted based on the number of valid claims received.

The final approval hearing has been scheduled for February 19, 2026. Individuals wishing to object to the settlement, exclude themselves, or submit a claim for benefits must do so by January 5, 2026.

The post $3.5 Million Mindpath Health Data Breach Settlement Gets First Nod appeared first on The HIPAA Journal.

Editorial: Cryptocurrencies’ Central Role in Healthcare Ransomware Attacks

One of the benefits of cryptocurrencies is greater financial accessibility for unbanked populations. That includes individuals in remote areas without access to banking infrastructure, but it also includes cybercriminals, who cannot put the proceeds of their illegal activities directly through banks, at least not without raising red flags about the source of those funds.

Cryptocurrencies have been a godsend for cybercriminals and have played a central role in the massive rise in cybercriminal activity over the past decade, fueling the current ransomware epidemic. The first cryptocurrency, Bitcoin, was invented in 2008 and launched in 2009, and rapidly became a major currency in black market activities, including the first modern dark net market, the Silk Road, which exclusively adopted Bitcoin as payment in 2011.

A brief history of ransomware

While the earliest form of ransomware, widely thought to be the AIDS Trojan, was first distributed in 1989, the modern ransomware phenomenon started with CryptoLocker, a particularly successful ransomware variant that first appeared in 2013. CryptoLocker used strong, industry-standard encryption, so a decryption key was required to recover data. The CryptoLocker campaign was relatively short-lived, running from September 2013 until May 2014, when its command-and-control infrastructure was seized by law enforcement. During that short period of activity, the ransomware generated millions of dollars in ransom payments.

Businesses could recover from CryptoLocker attacks without paying the ransom, provided they had an effective backup strategy and a valid copy of their data stored securely offline. Tactics changed in late 2019, however, when the Maze ransomware group combined data theft with encryption. Data could still be recovered from backups, but if the ransom was not paid, the stolen data would be leaked online or sold. This double extortion tactic proved highly effective and has since been adopted by most major ransomware players.

The CryptoLocker campaign in 2013/2014 issued ransom demands of 10 Bitcoin, worth around $2,000 at the time. Today, according to Sophos, the average ransom demand is around $1 million. According to Chainalysis, at least $813.55 million was paid to ransomware groups in 2024, and Verizon reports that 44% of cyberattacks involved ransomware in 2024, compared to 10% of attacks in 2021.

The ransomware remediation firm Coveware reports that in Q1 2018, 85% of ransomware victims paid the ransom to recover their files and prevent the release of stolen data. The percentage of victims paying has been steadily falling, dropping to 23% in Q3 2025. Despite this drop-off, ransomware remains a major threat, with attacks increasing in 2025.

A cybercrime epidemic fueled by cryptocurrencies

The ransomware epidemic would not have been possible without cryptocurrencies. Prior to Bitcoin, extortion of companies through hacking, ransomware, and data theft was relatively unheard of; however, cryptocurrencies have allowed cybercriminals to easily profit from their activities with relatively little risk.

Security and transparency are often touted as key benefits of cryptocurrencies. All cryptocurrency transactions are recorded on a public, distributed ledger (blockchain), secured with advanced cryptography. While each transaction is recorded and publicly available, cryptocurrencies provide a high degree of anonymity for cybercriminals.

Cryptocurrencies are pseudonymous rather than fully anonymous: on most public blockchains, transactions are tied to public keys or wallet addresses, but it is difficult to link a wallet address to a real-world identity. Further, cybercriminals use mixing services that make it difficult to track the origins of funds, as well as privacy coins that obscure transaction details and make tracing funds more problematic.

In addition to giving cybercriminals an easy way to profit from their attacks, cryptocurrencies have helped cybercriminal groups sell their products and services. Cybercriminals develop malware and ransomware and offer it as a paid service along with the infrastructure that supports it, all paid for in relatively anonymous cryptocurrency. Ransomware-as-a-service groups provide the encryptor and tools to allow their affiliates to conduct attacks for a percentage of the profits, naturally paid in cryptocurrency.

While cryptocurrency has helped to create the current ransomware epidemic and benefits cybercriminals greatly, it is not cryptocurrencies that are the problem. There are important benefits to cryptocurrencies. They are free from government interference and are managed by a distributed network of users, making them resilient to any single point of failure. There is global accessibility, and the limited supply helps to protect against inflation, compared to traditional currencies. These and other benefits mean cryptocurrencies are here to stay and will likely become ubiquitous.

Governments and law enforcement are grappling with how to disrupt cybercriminals’ business model to make attacks less profitable, and organizations must ensure that they have the defenses in place to prevent, detect, and quickly recover from attacks. That means better cybersecurity infrastructure and training for staff, and well-tested incident response plans to ensure recovery in the fastest possible time frame.

Improving defenses against ransomware attacks

The increase in both the volume and sophistication of ransomware attacks is forcing companies to invest more in cybersecurity. According to Gartner, spending on cybersecurity is expected to rise to $207 billion in 2025, up from $165 billion last year, to deal with the increased threat.

In many industries, especially healthcare, there has been a massive expansion of the attack surface, with increasing numbers of portable electronic devices connecting to networks, and rapidly growing numbers of IoT and IoMT devices, often coupled with incomplete and out-of-date inventories. Devices that are not supplied with a software bill of materials (SBOM) listing their third-party components are connected to networks, and increasing numbers of vulnerabilities are being discovered in those components, growing the patching burden considerably.

Cybercriminals have embraced artificial intelligence tools and are using AI to accelerate malware development and improve the effectiveness of their social engineering and phishing campaigns. With cybercriminals’ use of AI tools outpacing defensive use at many healthcare organizations, this is an area where investment needs to increase.

According to the IBM Cost of a Data Breach report, organizations that make extensive use of AI-enabled security tools identify a breach 30% faster than organizations that do not, potentially allowing ransomware attacks to be thwarted before data theft and encryption, or at least in time to limit the impact of an attack.

Prompt patching is important to decrease the window of opportunity for exploitation, but organizations must also maintain an accurate and up-to-date asset inventory; otherwise, devices are likely to be missed by patching schedules. Regular risk analyses must be conducted to identify risks and vulnerabilities to ePHI, and these too need to be based on an accurate and up-to-date asset inventory.

For small and medium-sized healthcare organizations with limited budgets for cybersecurity, every dollar needs to be spent wisely. To get the best returns for each dollar spent, the HHS cybersecurity performance goals (HPH CPGs) are a good place to start. The CPGs include high-impact measures proven to be effective at decreasing risk, strengthening cybersecurity against the most common access vectors.

It is also important not to neglect cybersecurity awareness training. Many attacks target employees, the weakest link in the cybersecurity chain. While turning every employee into a cybersecurity titan may be a lofty goal, employees should be made aware of the threats that they are likely to encounter and be taught cybersecurity best practices to minimize risk.

Even with the most robust cybersecurity defenses, it is impossible to completely eradicate risk. A mistake by an employee, a missed patch, or a zero-day vulnerability could easily lead to a successful attack. It is vital to prepare for such an attack and have an incident response plan to ensure business continuity and a fast recovery. Plans for different types of attacks should be developed and tested with tabletop exercises to ensure that everyone is aware of their responsibilities and the plans are effective.

Steve Alder, Editor-in-Chief, The HIPAA Journal

The post Editorial: Cryptocurrencies’ Central Role in Healthcare Ransomware Attacks appeared first on The HIPAA Journal.