New Texas Law Gives Physicians 3 Days to Communicate Sensitive Test Results to Patients

Texas Governor Greg Abbott has signed a bill into law that provides physicians in the state with a 3-day window to review sensitive medical test results and communicate the findings to patients before the patients are notified electronically and the test result is added to their electronic medical record.

Senate Bill 922, titled Relating to the disclosure of certain medical information by electronic means, was introduced by Sen. Kelly Hancock (R-North Richland Hills) and Rep. Caroline Fairly (R-Amarillo) in response to calls from physicians in the state to give them time to review sensitive test results and communicate that information to patients.

The bill was in response to a provision of the 21st Century Cures Act that required the immediate release of health information to patients’ information portals. Since the spring of 2021, test results have been sent to patients’ information portals immediately. While rapid access to health information has its benefits, there have been many cases where patients have received a cancer diagnosis via their smartphone rather than having the results explained by a physician in an informative and compassionate manner.

“As an oncologist, I’ve had many conversations with patients about their cancer-related tests. It is always a confusing and scary time for them, as the results can be life-changing. Oncologists are trained to convey this information in a timely, informative, and supportive manner so that patients understand not only what the test means but what options they have. This is an opportunity to offer hope and reassurance to the patient,” explained David Gerber, MD, on behalf of the Texas Medical Association in testimony provided to the House Public Health Committee.

Dr. Gerber testified about many horror stories, such as patients being alerted about a cancer diagnosis via a smartphone notification during a business dinner, while reading a bedtime story to a young child, and during the commute to work. Dr. Gerber estimated that as many as three in four patients received pathology test results before the physician who ordered the test had viewed them. “Although this bill places a brief pause on the electronic transfer of some test results to a patient, it allows for a physician to call a patient with the results at any time,” Dr. Gerber said. “Giving the right information, rather than just the fastest information.”

The new law will take effect on September 1, 2025, and applies to pathology and radiology reports that have a reasonable likelihood of showing a finding of a malignancy, and any test result that may reveal a genetic marker. The new law will ensure that patients continue to receive timely medical information; however, there will be a 3-day delay from the finalization of the test results before they can be disclosed to a patient or the patient’s representative by electronic means.

The post New Texas Law Gives Physicians 3 Days to Communicate Sensitive Test Results to Patients appeared first on The HIPAA Journal.

Mount Sinai Health System Settles Web Tracking Lawsuit for $5.3 Million

Mount Sinai Health System, the largest hospital network in New York City, has agreed to a $5.3 million settlement to resolve allegations it violated federal and state laws by sharing the personal health information of website and patient portal users with Facebook without their knowledge or consent.

Legal action was taken against Mount Sinai Health over its use of the Facebook Pixel and Conversions Application Programming Interface (CAPI) on its website and MyChart patient portal between October 2020 and October 2023. The tool can collect information about website users and transmit that information to Facebook. Mount Sinai Health has denied any wrongdoing and specifically denies that any medical information from either its website or patient portal was shared with Facebook.

The lawsuit – Cooper, et al., v. Mount Sinai Health System, Inc. – was filed in the United States District Court for the Southern District of New York by plaintiffs Ronda Cooper, Coral Fraser, David Gitlin, and Gilbert Manda, who alleged that their personally identifiable health information was being collected and shared with Facebook without their knowledge or consent due to the implementation of CAPI, in violation of the federal Electronic Communications Privacy Act and New York Deceptive Trade Practices. The lawsuit also asserted claims of negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, constructive bailment, and breach of implied covenant of good faith and fair dealing.

The lawsuit survived a motion to dismiss and proceeded to discovery. During discovery, the parties engaged in mediation, and a settlement was agreed in principle to bring the litigation to an end to avoid the cost and risk of a trial and related appeals, while giving appropriate benefits to class members. The terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court.

The settlement class consists of 1,314,147 individuals, and claims will be accepted from individuals who logged into their MyChart account via the mountsinai.org website between October 27, 2020, and October 27, 2023. Under the terms of the settlement, Mount Sinai Health has agreed to establish a $5,256,588 settlement fund to cover legal costs and expenses and claims from class members. The plaintiffs’ attorneys will receive up to 35% of the settlement fund and reimbursement of court-approved attorneys’ expenses. Settlement administration costs of up to $200,000 will also be deducted, along with service awards of $2,500 per named plaintiff. The remainder of the settlement fund will be distributed to class members on a pro rata basis.

The deadline for objecting to the settlement, opting out, and filing a claim for benefits is October 14, 2025. The final approval hearing has been scheduled for October 24, 2025.


Mower County, MN Confirms HIPAA-Data Compromised in June Ransomware Attack

Data breaches have recently been announced by Mower County in Minnesota, Seasons Living in Oregon, Dr. Doug’s Pediatric Dentistry in Utah, and Provail in Washington State.

Mower County, Minnesota

Officials in Mower County, Minnesota, have confirmed that HIPAA-protected data was acquired by hackers in a June 2025 ransomware attack. The ransomware attack was identified on June 18, 2025, and an investigation is underway to determine the types of data involved and the individuals affected. The stolen data related to individuals who have previously received services from the County Health and Human Services Department.

Individual notification letters will be mailed to the affected individuals when the investigation is concluded, and County officials have confirmed that complimentary credit monitoring and identity theft protection services will be provided. In the meantime, anyone who has previously received services from the Health and Human Services Department has been advised to be vigilant against identity theft and fraud by reviewing their account statements, explanation of benefits statements, and free credit reports.

Seasons Living

Seasons Living, an assisted living facility in Lake Oswego, Oregon, has disclosed a security incident involving the theft of sensitive data. The security breach was identified on March 4, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network and acquired files containing information related to its vendors, applicants, tenants, owners, and current and former employees.

In a press release about the incident, Seasons Living CEO Eric Jacobsen said the incident has been fully contained, unauthorized access to its network has been blocked, and additional security measures have been implemented to prevent similar incidents in the future. He also confirmed that complimentary credit monitoring services are being provided to all affected individuals.

The press release does not mention the types of data involved; however, a hacker has taken credit for the attack and claims to have stolen information such as names, addresses, birthdates, Social Security and driver’s license numbers, health insurance information, medical records, and financial information. The data breach is not currently listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Dr. Doug’s Pediatric Dentistry

Dr. Doug’s Pediatric Dentistry in Logan, Utah, has recently announced a data security incident that was detected in September 2024. Unusual activity was identified in an employee’s email account. The password was reset, and an investigation was launched, which confirmed that the breach was confined to a single email account and no other systems were affected.

The account was reviewed to determine whether any patient information was present, and contact information was verified to allow notification letters to be mailed. Those processes were concluded in June 2025. The information potentially compromised in the incident includes names, dates of birth, diagnosis or dental treatment information, and Medicaid numbers/health insurance information. A very limited number of patients also had their Social Security numbers and/or driver’s license numbers exposed. The incident has been reported to regulators, although it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

Provail

Provail, a nonprofit provider of disability services in Washington State, has recently disclosed a cybersecurity incident that was detected on or around June 8, 2025. Suspicious network activity was identified, and the forensic investigation confirmed that an unauthorized actor had access to its network between June 7, 2025, and June 9, 2025, and viewed or acquired files containing sensitive client data.

The investigation and file review are ongoing; however, it has been confirmed that the data compromised in the incident included names in combination with one or more of the following: diagnosis/condition information, lab results, medications, other treatment information, addresses, dates of birth, driver’s license numbers, Social Security numbers, other identifying information, claims information, credit card numbers, bank account numbers, and other financial information.

Individual notification letters will be mailed to the affected individuals when the investigation and file review are concluded. The OCR breach portal includes a placeholder figure of at least 501 affected individuals.
