Large Vision Care Provider Announced Breach of Patient Data

Data breaches have been announced by CEI Vision Partners, MedicareCompareUSA, Academic Urology & Urogynecology of Arizona, and the Friesen Group.

CEI Vision Partners

CEI Vision Partners (CVP), a network of more than 300 ophthalmologists and 700 optometrists across the United States (now part of EyeCare Partners), has disclosed a 2024 data breach to several state attorneys general. According to the notifications, CVP identified unauthorized access to its computer network on May 26, 2024. The forensic investigation confirmed that a threat actor had access to its network between May 24, 2024, and May 27, 2024, and potentially obtained files containing patient information.

The extensive review and data validation process was completed on June 10, 2025. CVP determined that information potentially compromised in the cyberattack included names, birth dates, Social Security numbers, financial account information, health insurance information, and limited clinical information. Notification letters are being mailed to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. CVP has also confirmed that it is enhancing its technical security measures to prevent similar incidents in the future. There is currently no data breach listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

MedicareCompareUSA

MedicareCompareUSA, the nation’s largest provider-controlled Medicare insurance agency and a business associate of several HIPAA-covered health insurers, issued notification letters in May 2025 about a security incident involving unauthorized access to employee email accounts. Suspicious activity was identified within its email system in November 2024. A forensic investigation was initiated to determine the nature and scope of the unauthorized activity, and it was confirmed that certain email accounts were accessed by an unauthorized third party between November 5, 2024, and November 21, 2024.

The accounts were reviewed and found to contain names, birth dates, Social Security numbers, driver’s license/state identification numbers, financial account information, health insurance information, Medicare information, and individual taxpayer identification numbers. The breach also involved the data of Humana members, including names, dates of birth, health insurance policy numbers, Medicare numbers, and Social Security numbers.

Complimentary credit monitoring services have been offered to the affected individuals, additional email security measures have been implemented, and further email security training has been provided to the workforce. The Washington attorney general was informed that MedicareCompareUSA is issuing notification letters to 822 Humana members in Washington state who have been affected. The HHS’ Office for Civil Rights was informed that 5,782 individuals were affected in total.

Friesen Group

Friesen Group, a California-based provider of business support services to healthcare companies, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected at least 500 individuals. The 500 figure is a commonly used placeholder when the number of affected individuals has not been confirmed by the HIPAA breach reporting deadline.

According to its website notice, a data security incident was identified by The Friesen Group on or around May 19, 2025. Its incident response protocols were initiated, and an investigation was launched to determine the nature and scope of the unauthorized activity. While the investigation is ongoing, Friesen Group says the unauthorized access was only for “a limited period of time.” It is not yet possible to determine the number of individuals affected or the types of data involved.

No misuse of data has been identified so far, but as a precaution, the affected individuals have been advised to remain vigilant against potential misuse of their information, to check their credit reports, account statements, and Explanation of Benefits statements carefully, and to report any suspicious activity to the appropriate entity. Friesen Group performed a reset of user passwords and has implemented new endpoint detection and monitoring tools.

Academic Urology & Urogynecology of Arizona

Academic Urology & Urogynecology of Arizona has confirmed that sensitive patient data may have been stolen in a cybersecurity incident identified on May 22, 2025. A forensic investigation was conducted to determine the nature and scope of the unauthorized activity, and the investigation and file review are ongoing. Academic Urology has published a substitute data breach notice on its website that warns patients that the following information may have been stolen in the incident:

Full name, address, Social Security number, driver’s license number/government-issued identification number, tribal identification card, date of birth, digital signatures, passport number, taxpayer identification number/IRS-issued identity protection personal identification number, health insurance information, any information in an individual’s application and claims history, including any appeals records, diagnosis/conditions information, lab results, medications, credit card information, and potentially other types of sensitive data.

At the time of publication of the website notice, no misuse of patient data had been identified. Since the investigation is ongoing, it is currently unclear how many individuals have been affected. While ransomware was not mentioned in the breach notice, this appears to have been an attack by the Inc Ransom ransomware group, which added Academic Urology to its dark web data leak site in June 2025.

The post Large Vision Care Provider Announced Breach of Patient Data appeared first on The HIPAA Journal.

Federal Judge Blocks HHS from Sharing Medicaid Data with ICE

A federal judge has ordered the U.S. Department of Health and Human Services (HHS) to stop sharing the data of Medicaid enrollees with Immigration and Customs Enforcement (ICE) at the Department of Homeland Security for immigration enforcement purposes.

The Medicaid program provides health insurance for individuals with limited income and resources, such as low-income adults, children, pregnant women, elderly adults, and people with disabilities. There are currently around 79 million Medicaid enrollees in the United States. Anyone living in the United States illegally is not permitted to enroll in the federal Medicaid program, although seven states permit non-U.S. citizens to participate in their state Medicaid programs and do not bill the federal government for those costs.

In June 2025, under the direction of HHS Secretary Robert F. Kennedy Jr., the HHS’s Centers for Medicare and Medicaid Services (CMS) started sharing the personal data of Medicaid recipients with ICE under a new data-sharing agreement. Staff at the CMS attempted to block the data transfers but were overruled by Secretary Kennedy’s advisors. ICE has had a 12-year policy of not using Medicaid data for enforcement purposes, and CMS has previously restricted the use of Medicaid data to the administration of its healthcare programs.

The HHS maintains that the access is being provided as part of the Trump Administration’s push to rid the country of illegal aliens. The data provided by the CMS gives ICE agents identity and location information that allows those individuals to be located by enforcement officers, and is intended to stop federal funds meant for law-abiding Americans from being used to pay for Medicaid benefits for illegal aliens.

When the decision to share Medicaid data with ICE came to light in June, a coalition of 20 state attorneys general took legal action to prevent the HHS from sharing Medicaid data with ICE; however, a further agreement was entered into in July, which provided DHS with daily access to the Medicaid data stream. The shared data includes names, addresses, birth dates, ethnicities, and Social Security numbers, which may not be downloaded, but can be viewed by ICE officials until September 9, 2025, between 9 a.m. and 5 p.m.

The state attorneys general argued that the sharing of Medicaid data with DHS was in violation of HIPAA and threatened to undermine the Medicaid program. “The move to use Medicaid data for immigration enforcement upended longstanding policy protections without notice or consideration for the consequences,” said California Attorney General Rob Bonta. “As the president continues to overstep his authority in his inhumane anti-immigrant crusade, this is a clear reminder that he remains bound by the law.”

Judge Vince Chhabria, a District Court Judge in the Northern District of California, sided with the state attorneys general and ruled that the HHS must stop sharing with ICE, for immigration enforcement purposes, Medicaid data obtained from the 20 states that participated in the lawsuit. The preliminary injunction will remain in place until 14 days after HHS and DHS complete a reasoned decision-making process that complies with the Administrative Procedure Act, or until the litigation is concluded.

In his ruling granting a preliminary injunction, Judge Chhabria said, “Using CMS data for immigration enforcement threatens to significantly disrupt the operation of Medicaid—a program that Congress has deemed critical for the provision of health coverage to the nation’s most vulnerable residents.” While he wrote that there is nothing categorically unlawful about the DHS obtaining data on individuals from government agencies such as the HHS for immigration enforcement purposes, ICE has had a well-publicized policy since 2013 against using Medicaid data for its enforcement activities, and the CMS has a long-standing policy of not sharing patients’ personal data for reasons other than those related to its healthcare programs, and even states so on its website.

“Given these policies, and given that the various players in the Medicaid system have relied on them, it was incumbent upon the agencies to carry out a reasoned decisionmaking process before changing them,” wrote Chhabria in his ruling. “The record in this case strongly suggests that no such process occurred.”

The post Federal Judge Blocks HHS from Sharing Medicaid Data with ICE appeared first on The HIPAA Journal.

Healthplex Settles Alleged Cybersecurity Failures with NYDFS for $2 Million

Healthplex, one of the largest providers of dental health insurance programs in New York State, has agreed to a settlement with the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500). Healthplex has agreed to pay a $2 million financial penalty to New York State and take steps to improve its cybersecurity posture.

The Cybersecurity Regulation took effect in 2017 and requires all financial institutions operating in New York State to implement and maintain a robust cybersecurity program. Some of the key requirements include conducting risk assessments, managing risks, and implementing security policies and procedures, an incident response plan, and multifactor authentication.

Healthplex is a licensed provider of dental insurance management services and must therefore comply with the Cybersecurity Regulation. NYDFS launched a compliance investigation after Healthplex reported a cybersecurity event to NYDFS on April 8, 2022. Healthplex discovered the incident on November 24, 2021, when employees received a suspicious email from an account associate’s account and reported it internally to the security team.

The investigation confirmed that an account associate in customer service had responded to a phishing email that was received on November 22 or 23, 2021. The email required Office 365 email login credentials to be provided to receive a fax message. The credentials were captured, and the threat actor accessed the Office 365 account. The account was used to send further phishing emails, and it was found to contain the protected health information of 89,955 individuals.

The NYDFS investigation revealed that there was no data retention policy limiting the information stored in email accounts, in violation of § 500.13 of the Cybersecurity Regulation. The employee had worked for the company for approximately 20 years, and their account contained more than 100,000 emails. Further, multifactor authentication (MFA) had not been set up for its Office 365 email environment, so a compromised password was all that was required to access the account and the sensitive and nonpublic data of tens of thousands of individuals.

Healthplex had implemented MFA for its email environment; however, it failed to ensure that MFA was completely operational when it migrated to Office 365 earlier in the year. With the password obtained in the phishing attack, the entire contents of the account could be accessed via a standard web browser. § 500.12(b) of the Cybersecurity Regulation requires MFA to be implemented for remote access to the covered entity’s information systems and third-party applications.
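As an added example (not Healthplex’s, NYDFS’s, or Microsoft’s code; the export format, policy names and accounts are constructed for illustration), the following Python audit models the gap described above: MFA configured in a tenant but not enforced for every account, so any mailbox that neither a per-user “Enforced” state nor an enabled Conditional Access policy protects can be opened with a phished password alone.

```python
"""Audit a constructed export of account authentication state for mailboxes
reachable with a password alone (added example; formats and data are assumed)."""
from dataclasses import dataclass, field

@dataclass
class Account:
    upn: str
    legacy_mfa_state: str                  # per-user MFA: Enforced / Enabled / Disabled
    groups: set = field(default_factory=set)
    mfa_methods_registered: bool = False   # registration alone enforces nothing

@dataclass
class CaPolicy:
    name: str
    state: str                             # "enabled" or "reportOnly"
    included_groups: set                   # "All" means every account
    excluded_groups: set
    requires_mfa: bool

def covered_by_ca(acct, policies):
    """True if an enabled policy that requires MFA applies to this account."""
    for p in policies:
        if p.state != "enabled" or not p.requires_mfa:
            continue                       # report-only policies block nothing
        included = "All" in p.included_groups or bool(acct.groups & p.included_groups)
        if included and not (acct.groups & p.excluded_groups):
            return True
    return False

def password_only_accounts(accounts, policies):
    """Return UPNs whose mailbox a phished password alone would unlock.

    Only an actually enforced control counts: legacy state 'Enforced' (not
    'Enabled', which merely prompts for registration) or an enabled CA policy."""
    return sorted(a.upn for a in accounts
                  if a.legacy_mfa_state != "Enforced" and not covered_by_ca(a, policies))

# Constructed post-migration tenant: MFA was "implemented", yet two gaps remain.
ACCOUNTS = [
    Account("cs.associate@example.test", "Disabled", {"CustomerService"}, True),
    Account("claims.lead@example.test", "Enforced", {"Claims"}, True),
    Account("it.admin@example.test", "Disabled", {"IT"}, True),
    Account("temp.contractor@example.test", "Enabled", {"Contractors"}, False),
]
POLICIES = [
    CaPolicy("Require MFA - staff", "enabled", {"Claims", "IT"}, set(), True),
    CaPolicy("Require MFA - everyone", "reportOnly", {"All"}, set(), True),
]

if __name__ == "__main__":
    for upn in password_only_accounts(ACCOUNTS, POLICIES):
        print("password-only access:", upn)
```

The check deliberately ignores whether a user has registered MFA methods: a registered authenticator that no enforced policy demands still leaves the mailbox open to a browser login with the stolen password.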

The required cybersecurity program must ensure that a covered entity is able to report cybersecurity events promptly. The Superintendent must be notified within 72 hours of the discovery of a cybersecurity event. While the event was detected on November 24, 2021, the Superintendent was not notified until April 8, 2022, in violation of § 500.17(a) of the Cybersecurity Regulation. Healthplex had certified that it was compliant with the Cybersecurity Regulation for 2021, but the investigation confirmed that not to be the case, in violation of § 500.17(b). The lack of policies for secure disposal of data on a periodic basis was in violation of § 500.13 of the Cybersecurity Regulation.

In addition to the financial penalty, Healthplex has agreed to strengthen its cybersecurity controls to ensure compliance with the Cybersecurity Regulation and will hire an independent third-party auditor to conduct a current audit of the MFA controls of its business infrastructure and shared systems that support its core business functions.

This is not the first financial penalty for Healthplex over the phishing incident. In 2023, Healthplex settled an investigation with the New York Attorney General and paid a financial penalty of $400,000 to resolve alleged violations of HIPAA and state data security and consumer protection laws.

The post Healthplex Settles Alleged Cybersecurity Failures with NYDFS for $2 Million appeared first on The HIPAA Journal.