Healthcare Workers Violating Patient Privacy by Uploading Sensitive Data to GenAI and Cloud Accounts

Posted by Steve Alder

Research conducted by the cybersecurity company Netskope indicates healthcare workers routinely expose sensitive data such as protected health information (PHI) by using generative AI tools such as ChatGPT and Google Gemini and by uploading data to personal cloud storage services such as Google Drive and OneDrive.

The healthcare industry has fully embraced AI tools, with almost all organizations using AI tools to some degree to improve efficiency. According to data collected by Netskope Threat Labs, 88% of healthcare organizations have integrated cloud-based genAI apps into their operations, 98% use apps that incorporate genAI features, 96% use apps that leverage user data for training, and 43% are experimenting with running genAI infrastructure locally.

As more healthcare organizations incorporate AI tools into their operations and make them available to their workforces, fewer healthcare workers are using personal AI accounts for work purposes; however, 71% of healthcare workers still use personal AI accounts, down from 87% the previous year. If genAI tools are not HIPAA-compliant and the developers will not sign business associate agreements, using those tools with PHI violates HIPAA and puts organizations at risk of regulatory penalties. Further, uploading patient data to genAI tools and cloud storage services without robust safeguards in place can erode patient trust.

“Beyond financial consequences, breaches erode patient trust and damage organizational credibility with vendors and partners,” Ray Canzanese of Netskope said. It is clear that there needs to be greater oversight of the use of AI tools, and a pressing need for authorized tools to be provided to reduce “shadow AI” risks.

According to Netskope, the mishandling of HIPAA-regulated data is the leading security concern in the healthcare sector, and PHI is the most common type of sensitive data uploaded to personal cloud apps, genAI apps, and other unapproved locations. Netskope reports that 81% of all data policy violations were for regulated healthcare data, with the remainder including source code, secrets, and intellectual property.

“Healthcare organizations must balance the benefits of genAI with the implementation of strict data governance policies to mitigate associated risks,” warns Netskope. Netskope recommends the adoption of enterprise-grade genAI applications with robust security features to ensure that sensitive and regulated data is properly protected, along with data loss prevention (DLP) tools for monitoring and controlling access to genAI tools to prevent privacy violations. Netskope says 54% of healthcare organizations now have DLP policies, up from 31% the previous year. The most commonly blocked genAI apps in healthcare are DeepAI, Tactiq, and Scite, with 44%, 40%, and 36% of healthcare organizations blocking these apps with their DLP tools due to privacy risks and there being more secure alternatives.

While genAI tools certainly have a place in healthcare and can help improve efficiency, there are significant security challenges. Netskope warns that healthcare organizations must remain vigilant, implement comprehensive security measures, and enforce data protection policies, as well as incorporate the risks into their cybersecurity awareness training.

The report also warns of the risk of malware infections via cloud apps. Threat actors are increasingly using cloud apps to deploy information stealers and ransomware, with GitHub, OneDrive, Amazon S3, and Google Drive being the most common. Rather than trying to breach networks themselves, threat actors use social engineering to trick healthcare employees into compromising their own systems with first-stage malware payloads, which give threat actors initial access to networks. Netskope recommends inspecting all HTTP and HTTPS traffic for phishing and malware, blocking apps that serve no business purpose or pose a disproportionate risk to the organization, and using remote browser isolation technology when categories of websites need to be visited that pose a higher risk, such as newly registered domains.

The post Healthcare Workers Violating Patient Privacy by Uploading Sensitive Data to GenAI and Cloud Accounts appeared first on The HIPAA Journal.

Union Health System: Almost 263,000 Individuals Affected by Oracle Health/Cerner Hack

Posted by Steve Alder

Union Health System, a Terre Haute, Indiana-based integrated health system that operates two hospitals and a medical group, has been affected by a security incident at Oracle Health/Cerner. Oracle Health recently notified healthcare providers about a security incident involving legacy Cerner servers, which had yet to be migrated to Oracle Cloud. Oracle acquired Cerner in 2022. A hacker was able to access and obtain data hosted in the Oracle Health/Cerner data migration environment, and then tried to extort the affected companies.

Oracle Health has released little information about the incident and maintains it is the responsibility of its HIPAA-covered entity clients to determine if there has been a breach that warrants notifications under the HIPAA Breach Notification Rule. Union Health said it received confirmation of the data breach from Oracle Health/Cerner on March 15, 2024. Oracle Health explained that it detected a cybersecurity incident on February 20, 2025, and its forensic investigation confirmed that the unauthorized third party’s initial access occurred on or after January 22, 2025. Union Health received a list of the affected individuals from Oracle Health/Cerner on March 22, 2025.

The compromised data included names plus Social Security numbers, dates of birth, driver’s license numbers, treating physicians’ names, dates of service, medication information, health insurance information, and diagnostic and treatment information. The breach was recently reported to the HHS’ Office for Civil Rights by Union Health as affecting 262,831 individuals.

While the data breach was confirmed by Oracle Health/Cerner in March, that was not the first time that Union Health was made aware of the data breach. An “unknown party” contacted Union Health claiming to be in possession of patient data. Union Health verified the individual’s claims on February 24, 2025, and identified the information as likely having been obtained from Oracle Health/Cerner. Union Health then proactively reached out to Oracle Health about the incident for confirmation, which was obtained on March 15, 2025. Union Health made it clear in the notification letters that the breach occurred at Oracle Health/Cerner and no Union Health systems were accessed. Union Health said it is offering the affected individuals complimentary credit monitoring services.

A lawsuit has already been filed against Union Health and Oracle Health/Cerner over the data breach. The lawsuit, Cerner Corporation d/b/a Oracle Health, Inc. and Union Health System, Inc. – was filed in the U.S. District Court for the Western District of Missouri by plaintiff Shannon Smith, who is represented by John F. Garvey of Stranch, Jennings & Garvey, PLLC.

The lawsuit claims that the defendants’ inadequate security practices violated HIPAA and allowed cybercriminals to gain access to sensitive personally identifiable information (PII) and protected health information (PHI), and that the failure amounts to negligence. The lawsuit cites eight causes of action – negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of fiduciary duty, breach of confidence, and declaratory judgment.

The lawsuit also takes issue with the time taken to issue notification letters, which were not sent until 89 days after the breach occurred, keeping the affected individuals in the dark and depriving them of the opportunity to try to mitigate their injuries in a timely manner.  The lawsuit claims the data breach has placed the plaintiff and class members at a present, continuing, and significant risk of suffering identity theft. The lawsuit seeks a jury trial, compensatory, exemplary, punitive, and statutory damages, injunctive relief, attorneys’ fees, and legal costs and expenses.

This is one of two security incidents to be confirmed by Oracle in 2025. In a separate incident, a hacker obtained usernames, passkeys, and encrypted passwords of an undisclosed number of Oracle customers. “Oracle would like to state unequivocally that the Oracle Cloud – also known as Oracle Cloud Infrastructure or OCI – has not experienced a security breach. No OCI customer environment has been penetrated,” explained Oracle. “No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.” Oracle confirmed that a hacker gained access to two obsolete servers but did not obtain any usable passwords, as the passwords were either encrypted or hashed.

The post Union Health System: Almost 263,000 Individuals Affected by Oracle Health/Cerner Hack appeared first on The HIPAA Journal.