Rancho Family Medical Group Agrees to Pay $315K to Settle Data Breach Litigation

Posted by Steve Alder

Rancho Family Medical Group, a primary care medical group serving patients in Southern California, has agreed to pay $315,000 to settle class action litigation stemming from a 2023 data breach that exposed patients’ protected health information.

Rancho FMG was notified on January 11, 2024, about a security incident at its vendor KMJ Health Solutions. KMJ provided the medical group with online signout and charge capture systems and experienced a security incident on November 19, 2023, that exposed patient information such as names, dates of birth, medical record numbers, treatment locations, dates of services, and medical procedure codes.

The vendor was unable to determine exactly which patients had been affected or the exact types of data involved, as the impacted data had been wiped and was unrecoverable. On or around March 12, 2024, Rancho FMG notified all potentially affected patients, including current patients and patients going back ten years. Approximately 11,500 notification letters were mailed, although the HHS’ Office for Civil Rights was informed that 10,480 individuals had been affected.

Shortly after notifications were mailed, a class action lawsuit was filed in the Superior Court of California, County of Riverside, by one of the affected patients, Catrina Brannon, individually and on behalf of similarly situated individuals. The lawsuit asserted claims of violations of the California Confidentiality of Medical Information Act (CMIA) and California’s Unfair Competition Law (UCL).

Rancho FMG denies any wrongdoing and disagrees with all claims and contentions in the lawsuit. Prior to engaging in extensive motion practice, the parties agreed to mediate to avoid unnecessary legal costs, and a settlement was negotiated that was acceptable to all parties. Under the terms of the settlement, Rancho FMG will establish a $315,000 settlement fund to cover notice and administration expenses, fee awards and expenses, service awards, and benefits to the class members. All class members will receive a code to activate three years of three-bureau credit monitoring services.

In addition, class members may submit a claim for reimbursement of up to four hours of lost time remedying issues arising from the data breach at a rate of $17 per hour. Claims may also be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach, and any funds remaining in the settlement will be paid as a pro rata cash payments, which will not exceed $1,000 per class member. The cash payments will depend on the number of valid claims received.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for January 28, 2026. The deadline for objection to and exclusion from the settlement is December 29, 2025, and claims must be submitted by December 29, 2025.

The post Rancho Family Medical Group Agrees to Pay $315K to Settle Data Breach Litigation appeared first on The HIPAA Journal.

Rockhill Women’s Care & Harbor Regional Center Announced Data Breaches

Posted by Steve Alder

Data breaches have recently been announced by the OB/GYN practice Rockhill Women’s Care and Harbor Regional Center, a California provider of services to individuals with developmental disabilities.

Rockhill Women’s Care

Rockhill Women’s Care, an OB/GYN practice with locations in Overland Park in Kansas and Lees Summit in Missouri, has experienced a significant data breach, involving unauthorized access to the electronic protected health information of up to 70,129 patients.

While it is unclear from the notification letters exactly when its network was first compromised, the intrusion was detected on February 26, 2025. Third-party cybersecurity experts were engaged to investigate the intrusion, and law enforcement was notified. The investigation confirmed that patient information had been exposed and may have been exfiltrated. The data mining exercise to determine the exact types of data involved and the individuals affected was completed on August 13, 2025.

The types of data involved vary from individual to individual and include names in combination with one or more of the following: address, date of birth, Social Security number, medical treatment information, and/or health insurance information. After verifying the results and contact information, individual notification letters started to be mailed to the affected individuals on or around September 30, 2025. At the time of issuing notification letters, Rockhill Women’s Care was unaware of any misuse of the exposed data. Rockhill Women’s Care said patient privacy is taken very seriously, and steps have been taken to enhance its security measures to prevent similar incidents from occurring in the future.

Harbor Regional Center

Harbor Regional Center, a nonprofit organization that works with the California Department of Developmental Services to provide services to more than 20,000 adults and children with developmental disabilities in the South Bay, Harbor, Long Beach, and the southeast areas of Los Angeles County, has recently announced a security incident involving unauthorized access to an employee’s email account.

The email account breach was identified on September 2, 2025, and an investigation was launched to determine the nature and scope of the activity. On September 29, 2025, it was determined that a limited amount of protected health information was exposed and may have been obtained by an unauthorized third party.

The types of data involved vary from individual to individual and may include names in combination with one or more of the following: address, date of birth, Social Security number, medical record number, patient ID or account number, Medicare/Medicaid number, health insurance information, medical diagnosis and treatment information, medical history, prescription information, medical lab or test result, treatment location, treatment date, and provider name.

Harbor Regional Center has not identified any misuse of the exposed information; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Harbor Regional Center said it has implemented additional security measures and is reviewing its data policies and procedures. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Rockhill Women’s Care & Harbor Regional Center Announced Data Breaches appeared first on The HIPAA Journal.

VITAS Hospice Services Discovers Month-Long Network Intrusion

Posted by Steve Alder

VITAS Hospice Services, LLC, the largest for-profit hospice chain in the United States, has notified the California and Texas attorneys general about a data security incident that exposed sensitive patient data. An unauthorized individual compromised an account used by one of its vendors, and through that account was able to access certain Vitas systems.

The security breach was identified on October 24, 2025, and the forensic investigation determined that there was unauthorized access to its systems for more than a month between September 21, 2025, and October 27, 2025. During that time, the unauthorized third party was able to view and download the personal information of current and former Vitas patients.

Vitas has been working with a third-party cybersecurity firm to investigate the cause of the breach and has taken steps to strengthen vendor oversight and improve its data protection protocols. At the time of issuing notifications to the affected individuals, Vitas was unaware of any misuse of the exposed data; however, as a precaution against identity theft and fraud, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months.

Data compromised in the incident varies from individual to individual and may include names in combination with some or all of the following: address, phone number, date of birth, Social Security number, driver’s license number, next of kin contact information including name, phone number and email address, diagnosis, medications, lab results, conditions, treatment information, health insurance information, and other personal information.

It is currently unclear exactly how many individuals have been affected, as neither the California nor Texas attorneys general publish figures for the total size of the data breach. The Texas Attorney General was told that 5,633 individuals in the state were affected by the breach. The HIPAA Journal has not found any further attorney general notifications at the time of writing, but the breach could be more expansive, as the company has locations in 15 U.S. states.

The post VITAS Hospice Services Discovers Month-Long Network Intrusion appeared first on The HIPAA Journal.

What training does The HIPAA Journal provide?

Posted by PJ Murray

The HIPAA Journal provides a full suite of online HIPAA and related cybersecurity training programs, designed for different roles and types of organizations.

The main HIPAA products are:

  • Accredited HIPAA Certification for Individuals
    A certificate course for people entering or progressing in healthcare that covers HIPAA rules and real world scenarios, and issues an accredited certificate that can be shown to employers and used during onboarding.

  • HIPAA Training for Healthcare Employees
    A workforce course for covered entities of all sizes that satisfies HIPAA training requirements on HIPAA rules and regulations, suitable for new hire onboarding and annual refresher training, with lessons focused on how to safeguard protected health information in day to day work.

  • HIPAA Training for Small Medical Practice Employees
    A version of the workforce course tailored to small medical practices, with extra modules on the specific HIPAA challenges they face, also suitable for onboarding and refresher training.

  • HIPAA Training for Students
    A course for healthcare students and faculty that satisfies HIPAA training requirements for students working in any HIPAA covered environment and includes student specific modules and examples to prepare them for clinical placements.

  • HIPAA Training for Business Associate Employees
    A dedicated course for employees of business associates that meets HIPAA training requirements and includes modules on the particular compliance challenges that arise when handling protected health information on behalf of covered entities.

The main cybersecurity products are:

  • Cybersecurity Training for Healthcare Employees
    A certificate course for healthcare staff that teaches them to recognize cyber threats and handle health records securely, providing practical, attacker focused cybersecurity awareness to sit alongside standard HIPAA training.
  • Cybersecurity Training for Healthcare Students
    A cybersecurity course for healthcare students and faculty that can be added to HIPAA Training for Students, giving learners extra protection by teaching online threat awareness and safer behavior before and during clinical placements.
  • Cybersecurity Training for Business Associate Employees
    A healthcare focused cybersecurity course for employees of business associates that complements HIPAA Training for Business Associate Employees, with content aimed at reducing the risk of breaches when vendors and service providers handle patient data.
  • Healthcare Cybersecurity Training for Individuals
    A healthcare specific cybersecurity course that individual learners can purchase alongside Accredited HIPAA Certification for Individuals to demonstrate their understanding of cyber risks to protected health information and medical records.

All of these training courses are self paced online programs built by The HIPAA Journal’s compliance team using more than a decade of breach and enforcement analysis, with practical examples, coverage of emerging issues such as generative AI, messaging platforms and social media, randomized quizzes with certificates, and optional free modules on Texas and California medical privacy laws and on small medical practice challenges.

The post What training does The HIPAA Journal provide? appeared first on The HIPAA Journal.