Rockhill Women’s Care & Harbor Regional Center Announced Data Breaches – The HIPAA Journal
Data breaches have recently been announced by the OB/GYN practice Rockhill Women’s Care and Harbor Regional Center, a California provider of services to individuals with developmental disabilities.
Rockhill Women’s Care
Rockhill Women’s Care, an OB/GYN practice with locations in Overland Park in Kansas and Lees Summit in Missouri, has experienced a significant data breach, involving unauthorized access to the electronic protected health information of up to 70,129 patients.
While it is unclear from the notification letters exactly when its network was first compromised, the intrusion was detected on February 26, 2025. Third-party cybersecurity experts were engaged to investigate the intrusion, and law enforcement was notified. The investigation confirmed that patient information had been exposed and may have been exfiltrated. The data mining exercise to determine the exact types of data involved and the individuals affected was completed on August 13, 2025.
The types of data involved vary from individual to individual and include names in combination with one or more of the following: address, date of birth, Social Security number, medical treatment information, and/or health insurance information. After verifying the results and contact information, individual notification letters started to be mailed to the affected individuals on or around September 30, 2025. At the time of issuing notification letters, Rockhill Women’s Care was unaware of any misuse of the exposed data. Rockhill Women’s Care said patient privacy is taken very seriously, and steps have been taken to enhance its security measures to prevent similar incidents from occurring in the future.
Harbor Regional Center
Harbor Regional Center, a nonprofit organization that works with the California Department of Developmental Services to provide services to more than 20,000 adults and children with developmental disabilities in the South Bay, Harbor, Long Beach, and the southeast areas of Los Angeles County, has recently announced a security incident involving unauthorized access to an employee’s email account.
The email account breach was identified on September 2, 2025, and an investigation was launched to determine the nature and scope of the activity. On September 29, 2025, it was determined that a limited amount of protected health information was exposed and may have been obtained by an unauthorized third party.
The types of data involved vary from individual to individual and may include names in combination with one or more of the following: address, date of birth, Social Security number, medical record number, patient ID or account number, Medicare/Medicaid number, health insurance information, medical diagnosis and treatment information, medical history, prescription information, medical lab or test result, treatment location, treatment date, and provider name.
Harbor Regional Center has not identified any misuse of the exposed information; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Harbor Regional Center said it has implemented additional security measures and is reviewing its data policies and procedures. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
VITAS Hospice Services Discovers Month-Long Network Intrusion – The HIPAA Journal
VITAS Hospice Services, LLC, the largest for-profit hospice chain in the United States, has notified the California and Texas attorneys general about a data security incident that exposed sensitive patient data. An unauthorized individual compromised an account used by one of its vendors, and through that account was able to access certain Vitas systems.
The security breach was identified on October 24, 2025, and the forensic investigation determined that there was unauthorized access to its systems for more than a month between September 21, 2025, and October 27, 2025. During that time, the unauthorized third party was able to view and download the personal information of current and former Vitas patients.
Vitas has been working with a third-party cybersecurity firm to investigate the cause of the breach and has taken steps to strengthen vendor oversight and improve its data protection protocols. At the time of issuing notifications to the affected individuals, Vitas was unaware of any misuse of the exposed data; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.
Data compromised in the incident varies from individual to individual and may include names in combination with some or all of the following: address, phone number, date of birth, Social Security number, driver’s license number, next of kin contact information including name, phone number and email address, diagnosis, medications, lab results, conditions, treatment information, health insurance information, and other personal information.
It is currently unclear exactly how many individuals have been affected, as neither the California nor Texas attorneys general publish figures for the total size of the data breach. The Texas Attorney General was told that 5,633 individuals in the state were affected by the breach. The HIPAA Journal has not found any further attorney general notifications at the time of writing, but the breach could be more expansive, as the company has locations in 15 U.S. states.
Alleva Achieves ONC Certification, SOC 2, and HIPAA Compliance for Its Behavioral Health Platform – WV News
Alleva Achieves ONC Certification, SOC 2, and HIPAA Compliance for Its Behavioral Health Platform – PR Newswire
What training does The HIPAA Journal provide?
The HIPAA Journal provides a full suite of online HIPAA and related cybersecurity training programs, designed for different roles and types of organizations.
The main HIPAA products are:
- Accredited HIPAA Certification for Individuals
A certificate course for people entering or progressing in healthcare that covers HIPAA rules and real world scenarios, and issues an accredited certificate that can be shown to employers and used during onboarding.
- HIPAA Training for Healthcare Employees
A workforce course for covered entities of all sizes that satisfies HIPAA training requirements on HIPAA rules and regulations, suitable for new hire onboarding and annual refresher training, with lessons focused on how to safeguard protected health information in day to day work.
- HIPAA Training for Small Medical Practice Employees
A version of the workforce course tailored to small medical practices, with extra modules on the specific HIPAA challenges they face, also suitable for onboarding and refresher training.
- HIPAA Training for Students
A course for healthcare students and faculty that satisfies HIPAA training requirements for students working in any HIPAA covered environment and includes student specific modules and examples to prepare them for clinical placements.
- HIPAA Training for Business Associate Employees
A dedicated course for employees of business associates that meets HIPAA training requirements and includes modules on the particular compliance challenges that arise when handling protected health information on behalf of covered entities.
The main cybersecurity products are:
- Cybersecurity Training for Healthcare Employees
A certificate course for healthcare staff that teaches them to recognize cyber threats and handle health records securely, providing practical, attacker focused cybersecurity awareness to sit alongside standard HIPAA training.
- Cybersecurity Training for Healthcare Students
A cybersecurity course for healthcare students and faculty that can be added to HIPAA Training for Students, giving learners extra protection by teaching online threat awareness and safer behavior before and during clinical placements.
- Cybersecurity Training for Business Associate Employees
A healthcare focused cybersecurity course for employees of business associates that complements HIPAA Training for Business Associate Employees, with content aimed at reducing the risk of breaches when vendors and service providers handle patient data.
- Healthcare Cybersecurity Training for Individuals
A healthcare specific cybersecurity course that individual learners can purchase alongside Accredited HIPAA Certification for Individuals to demonstrate their understanding of cyber risks to protected health information and medical records.
All of these training courses are self paced online programs built by The HIPAA Journal’s compliance team using more than a decade of breach and enforcement analysis, with practical examples, coverage of emerging issues such as generative AI, messaging platforms and social media, randomized quizzes with certificates, and optional free modules on Texas and California medical privacy laws and on small medical practice challenges.
Does the HIPAA Training from The HIPAA Journal satisfy the regulatory requirements for training?
Yes, the HIPAA training from The HIPAA Journal has been specifically designed to satisfy the mandatory regulatory requirements to train your workforce on HIPAA rules and regulations. Under the HIPAA Privacy Rule and Security Rule, covered entities and business associates must ensure that all relevant workforce members receive training on HIPAA requirements and on how to perform their roles in compliance with those requirements. The HIPAA Journal’s courses are built around those obligations and provide comprehensive coverage of the HIPAA rules and regulations employees need to understand, including the core Privacy, Security, and Breach Notification Rule concepts, permitted uses and disclosures of PHI, patient rights, safeguards, incident reporting, and common real world risk areas such as email, messaging, and social media.
However, HIPAA also requires training on each organization’s own internal policies and procedures, which the regulations state will “depend on the size and type of activities” of the covered entity and on the results of its HIPAA risk assessment. Those internal policies are necessarily different in every organization, so they cannot be built into a single generic online course. The HIPAA Journal training deliberately does not attempt to cover those local policies and procedures; instead, organizations typically combine The HIPAA Journal’s rules-and-regulations training with their own site-specific policy and procedure training to fully meet all HIPAA training obligations.