Healthcare Compliance Pros Launches Advanced HIPAA Compliance – openPR.com
Healthcare Compliance Pros Launches Advanced HIPAA Compliance – openPR.com
Florida Medication Management Provider Discloses 150K-record Data Breach – The HIPAA Journal
Florida Medication Management Provider Discloses 150K-record Data Breach
Outcomes One, a Florida-based business associate of health plans, has disclosed a phishing incident that has affected almost 150,000 individuals. Emergency Responders Health Center in Idaho has experienced an email breach affecting more than 1,500 individuals.
Outcomes One, Inc., Florida
Outcomes One, Inc., a Florida-based provider of medication therapy management and medication adherence technology solutions to health plans, is notifying 149,094 individuals about a recent email security incident. An employee identified unusual activity in his Outcomes One email account on July 1, 2025, and reported it to the security team. The email account was immediately secured, and an investigation was launched to determine the cause of the activity. The investigation confirmed that the breach was limited to a single employee email account, which had been accessed by an unauthorized third party following a response to a phishing email. Outcomes One said the attack was identified and remediated within an hour.
The account was reviewed and found to contain names in combination with one or more of the following: demographic information, health insurance information, medication information, and medical provider names. The breach notice provided to the California Attorney General indicates the affected individuals had Aetna Health Insurance plans. Outcomes One has provided additional training for the workforce to help with phishing email identification, and additional safeguards have been implemented to reduce the risk of similar breaches in the future.
Emergency Responders Health Center
Emergency Responders Health Center in Boise, Idaho (EHRC), has recently disclosed an email security incident. Unusual activity was identified in an employee’s email account on April 11, 2025. The account was secured, and an investigation was launched to determine the nature and scope of the activity. Assisted by third-party cybersecurity experts, EHRC determined that several email accounts had been accessed by an unauthorized third party. All email accounts have now been secured.
EHRC published a substitute breach notice on its website on July 23, 2025; however, at the time, the investigation and review of the affected accounts were ongoing, so it was not possible to state how many individuals had been affected or the types of information involved. The list of affected individuals was finalized on September 16, 2025, when it was confirmed that a total of 1,528 individuals had been affected, including 526 residents of Washington state. The exposed information included names, dates of birth, driver’s license numbers, Social Security Numbers, medical information, and health insurance information.
Notification letters started to be mailed to the affected individuals on September 26, 2025. To date, EHRC has not identified any misuse of the impacted data, but as a precaution, has offered the affected individuals a complimentary 12-month membership to a credit monitoring and identity theft protection service. EHRC said several steps have been taken to prevent similar breaches in the future. Staff members have received additional security training, user credentials have been changed, and monitoring has been enhanced.
The post Florida Medication Management Provider Discloses 150K-record Data Breach appeared first on The HIPAA Journal.
SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit – The HIPAA Journal
SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit
Individuals who used SSM Health’s MyChart patient portal when tracking tools were active are entitled to claim a cash payment and a 12-month membership to a digital privacy and identity protection service to compensate them for having their personal and health data disclosed to third parties such as Meta and Google.
The settlement resolves all claims in the lawsuit, Jane Doe v. SSM Health Care Corporation, d/b/a SSM Health, which was filed in the Circuit Court for the City of St. Louis in the State of Missouri on December 5, 2022. The lawsuit alleged that SSM Health added Meta Pixel and other third-party tracking technologies on its MyChart patient portal, which collected and transmitted protected health information to third-party tracking vendors, including their status as patients, their physicians, health conditions, treatments, facilities visited, and other sensitive data, without their knowledge or consent.
Tracking tools are used extensively across the internet and track user activity on websites. The data collected by these tools can be used for advertising and marketing purposes. In healthcare, if these tools are used on authenticated web pages such as patient portals, they can collect sensitive health data and transmit that information to technology vendors. Such disclosures violate HIPAA unless a business associate agreement is obtained or valid HIPAA authorizations.
The plaintiff alleged that SSM Health’s use of these tools amounted to negligence. The lawsuit also asserted claims of invasion of privacy – intrusion upon seclusion, breach of implied contract, breach of fiduciary duty, unjust enrichment, and a violation of the Illinois Consumer Fraud and Deceptive Practices Act. SSM Health denies all claims and contentions in the lawsuit and maintains there was no wrongdoing; however, a settlement was agreed to bring the litigation to an end to avoid the costs, risks, and uncertainty of a jury trial. Class counsel and the plaintiff believe the settlement is fair.
Under the terms of the settlement, users who logged into the SSM Health MyChart patient portal between July 6, 2020, and February 10, 2023, when tracking tools were installed, are entitled to claim a 12-month membership to the CyEx Privacy Shield Pro service, which provides dark web monitoring, data broker opt-out, and identity protection services. In addition, class members may submit a claim for a cash payment of $31.50.
The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 21, 2025. Individuals wishing to opt out of or exclude themselves from the settlement have until October 27, 2025, to do so, and claims must be submitted by November 25, 2025. Further information can be found on the settlement website: https://ssmhealthdatasettlement.com/
The post SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit appeared first on The HIPAA Journal.