CISA Seeks Feedback on Updated Software Bill of Materials Guidance

Posted by Steve Alder

One of the biggest security headaches in healthcare is managing third-party risk. Healthcare organizations can implement extensive security measures to protect their internal networks and sensitive data, only for a security flaw in a medical device or third-party software solution to be exploited, circumventing their security protections.

While patches can be applied to address known vulnerabilities, software and firmware may contain third-party components and dependencies. Since there may be little visibility into those components and dependencies, risks are impossible to mitigate effectively.

To improve visibility and help with risk management, all medical devices should be provided with a Software Bill of Materials (SBOM), which is a formal, machine-readable inventory of all software components and dependencies used in a medical device. The Food and Drug Administration (FDA) now requires SBOMs to be provided with premarket submissions of medical devices, to help ensure cybersecurity for the whole lifecycle of the device.

The Cybersecurity and Infrastructure Security Agency (CISA) is pushing for SBOMs to be included with software to improve transparency and supply chain security. CISA has previously published SBOM guidance, which has now been updated to reflect the current state of maturity in software transparency.

“SBOMs provide a detailed inventory of software components, enabling organizations to identify vulnerabilities, assess risk, and make informed decisions about the software they use and deploy,” explained CISA. “As adoption of SBOMs has grown across the public and private sectors, so too has the need for machine-processable formats that support scalable implementation and integration into broader cybersecurity practices.”

While the guidance  – 2025 Minimum Elements for a Software Bill of Materials (SBOM) – is primarily intended for federal agencies, CISA is encouraging other entities to use the guidance to help them understand what they can expect from vendors’ SBOMs. The update includes new SBOM data fields, the name of the tool used to create the SBOM, the software’s cryptographic hash, and several revisions. Public comment is sought on the new draft guidance until October 3, 2025, allowing individuals to share their knowledge for incorporation into the guidance ahead of the release of the final version.

The post CISA Seeks Feedback on Updated Software Bill of Materials Guidance appeared first on The HIPAA Journal.

Legacy Treatment Services Data Breach Affects 42,000 Individuals

Posted by Steve Alder

Data breaches have recently been confirmed by Legacy Treatment Services/Community Treatment Solutions in New Jersey, Washington Gastroenterology, Woodlawn Hospital in Indiana, and Children’s Home & Aid (Brightpoint) in Illinois.

Legacy Treatment Services

Legacy Treatment Services, a New Jersey provider of behavioral health and addiction treatment services, has notified the Maine Attorney General about an October 2024 cybersecurity incident involving the personal and protected health information of 41,826 individuals. Some of the affected individuals had received services from Community Treatment Solutions (CTS) in Moorestown, New Jersey.

The incident was identified on or around October 11, 2024, when connectivity to its network was disrupted. The forensic investigation confirmed unauthorized access to its network between October 6, 2024, and October 11, 2024. A file review was initiated, and on July 18, 2025, confirmation was received that employee and patient data were accessed and acquired in the incident.

The data involved varied from individual to individual and included first and last names along with one or more of the following: addresses, phone numbers, email addresses, Social Security numbers, birth dates, driver’s license numbers/state ID numbers, passport numbers, financial account numbers, routing numbers, bank names, credit/debit card numbers/CVV/expiration dates/PIN or security codes, login information, diagnoses, clinical information, treatment/procedure Information, treatment types/locations, treatment cost information, doctors’ names, medical record numbers, patient account numbers, health insurance information, prescription information, and/or biometric information.

While no evidence has been found to indicate any misuse of that information, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Washington Gastroenterology

Washington Gastroenterology has recently started notifying patients about a cybersecurity incident detected on or around March 10, 2025. The exact nature of the incident was not disclosed in its substitute breach notice, only that certain data was accessed by an unknown third party. The affected data was reviewed, and it was confirmed that the breach was limited to a legacy system, which contained names, Social Security numbers, and medical information. No current networks or affiliate systems were involved.

Individual notification letters started to be mailed to the affected individuals on May 23, 2025; however, it later emerged that further individuals were affected, and notification letters are now being mailed to those individuals. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals. The data breach has been reported to regulators, but the incident is not currently shown on the OCR data breach portal or the Washington Attorney General website, so it is currently unclear how many individuals have been affected.

Woodlawn Hospital

Woodlawn Hospital in Rochester, Indiana, has identified unauthorized access to its computer network. The intrusion was identified on June 30, 2025, and the forensic investigation confirmed unauthorized access between June 25, 2025, and June 30, 2025. During that time, files containing patient data were copied from its network.

The files are currently being reviewed, but it has been confirmed that they contain names, addresses, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, medical information, and health insurance information. Notification letters will be mailed to the affected individuals when the file review is concluded. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Children’s Home & Aid (Brightpoint)

Children’s Home & Aid, doing business as Brightpoint in Illinois, has identified unauthorized access to an employee’s email account. The security incident was detected on or around February 27, 2025, and the forensic investigation confirmed unauthorized access to the account between January 12, 2025, and February 27, 2025. Following a programmatic and manual review of the account, it was determined on June 16, 2025, that the account contained the personal and protected health information of 1,051 individuals.

The data involved varied from individual to individual and may have included names, Social Security numbers, driver’s license numbers/ government-issued identification numbers, financial account information, health insurance information, and/or medical information.  Brightpoint has reviewed its security policies and procedures and has taken steps to reduce the risk of similar incidents in the future.

The post Legacy Treatment Services Data Breach Affects 42,000 Individuals appeared first on The HIPAA Journal.

Healthcare Services Group Confirms 624,500 Individuals Affected by Data Breach

Posted by Steve Alder

Healthcare Services Group, Inc. (HSG), a Bensalem, PA-based provider of environmental, dining, and nutritional support services to healthcare facilities, has recently notified the Maine Attorney General about a major data breach involving unauthorized access to systems containing the personal and protected health information of 624,496 individuals, including 3,871 Maine residents.

HCSG provides its services to more than 3,000 healthcare facilities in 48 U.S. states and employs more than 45,000 individuals. HSG first disclosed the security incident on October 16, 2024, in a FORM 8-K filing with the U.S. Securities and Exchange Commission (SEC), explaining that a cybersecurity incident was identified on October 9, 2024, when unauthorized activity was identified within some of its systems.

HSG initiated its cybersecurity incident response process, and an investigation was launched to determine the cause of the activity, with assistance provided by third-party cybersecurity specialists. At the time, the full nature of the incident was unknown, although it was not expected to have a material impact on its financial condition or the results of operations. The breach report indicates initial access to its network occurred on September 27, 2024, twelve days before the intrusion was detected. HSG has been reviewing the exposed files and determined on June 3, 2025, that personal and protected health information was potentially stolen.

Notification letters started to be mailed to the affected individuals on August 25, 2025, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, in Maine at least. While the Maine Attorney General has published a copy of the breach notification letter, a website error means it is not currently viewable, and there is currently no substitute breach notice on the HSG website, so the types of information exposed in the incident and the nature of the cyberattack are currently unknown.

This post will be updated when further information becomes available.

The post Healthcare Services Group Confirms 624,500 Individuals Affected by Data Breach appeared first on The HIPAA Journal.