ComplianceJunction Introduces API Integration to Streamline HIPAA Training for Healthcare Staffing Platforms

Posted by Steve Alder

ComplianceJunction has announced a new API-based integration designed to simplify HIPAA compliance training for healthcare staffing platforms. This program aims to assist staffing agencies and healthcare organizations with automating the delivery and tracking of mandatory HIPAA training for temporary and contract workers. ComplianceJunction has built a reputation as the top provider of HIPAA training.

The integration enables healthcare staffing platforms to incorporate ComplianceJunction’s training modules directly into their existing systems. This allows for automated assignment of training to new hires, real-time monitoring of course completion, and centralized reporting to ensure compliance with HIPAA regulations. By embedding training into the onboarding process, the integration seeks to reduce administrative tasks and ensure that all staff members receive necessary compliance education promptly. This approach aligns with industry trends emphasizing the importance of continuous education and streamlined compliance processes in healthcare staffing.

ComplianceJunction’s training courses have previously received accreditation from organizations such as the American Health Information Management Association (AHIMA), allowing healthcare professionals to earn Continuing Education Units (CEUs) upon completion. This accreditation underscores the quality and relevance of the training content provided and motivates staff.

The API integration is part of ComplianceJunction’s broader efforts to enhance HIPAA compliance training through technology, aiming to support healthcare organizations in maintaining high standards of data privacy and security.

Further details and demonstration access are available at:
https://www.compliancejunction.com/partner-program-hrplatform-integration/

The post ComplianceJunction Introduces API Integration to Streamline HIPAA Training for Healthcare Staffing Platforms appeared first on The HIPAA Journal.

Episource Ransomware Attack Affects Multiple Healthcare Customers

Posted by Steve Alder

Episource LLC, a provider of medical coding, risk adjustment services, and software solutions for healthcare providers and health plans, has experienced a cyberattack involving the theft of customer data. A network intrusion was detected on February 6, 2025, after suspicious activity had been identified within its network. All computer systems were powered down to prevent further unauthorized access, law enforcement was notified, and third-party cybersecurity experts were engaged to assist with the investigation and determine the nature and scope of the unauthorized activity.

The forensic investigation confirmed there had been unauthorized access to its computer systems between January 27, 2025, and February 6, 2025. The California Attorney General was notified about the breach on June 6, 2025, and at that time, Episource said it was unaware of any misuse of the compromised data. Individual notification letters have been issued on a rolling basis since April 23, 2025.

The review of the compromised files confirmed that they contained a range of data, which varied from individual to individual. Potentially compromised data included names and contact information (address, phone number, and email address), together with one or more of the following:

  • Health information: diagnosis information, treatment information, prescriptions, test results, medical images, medical record numbers, and doctors’ names.
  • Health plan information: health plan policies, company names, member/group ID numbers, and Medicaid/Medicare payor ID numbers
  • Other personal information, such as date of birth

Episource said it is strengthening system security to prevent similar breaches in the future, and that the affected individuals are being offered two years of complimentary credit monitoring and identity theft protection services. Episource did not disclose the nature of the attack in its notification letters; however, this appears to be a ransomware attack. The group responsible is currently unknown.

Sharp Community Medical Group and Sharp HealthCare have confirmed that they have been affected by the incident, but it is currently unclear how many other clients have been impacted. The number of affected individuals is also currently unknown, as the data breach is not yet displayed on the OCR breach portal.

The post Episource Ransomware Attack Affects Multiple Healthcare Customers appeared first on The HIPAA Journal.

Bipartisan Healthcare Cybersecurity Act Introduced in House and Senate

Posted by Steve Alder

Last week, a pair of bipartisan bills were introduced in the House of Representatives and Senate that seek to enhance the cybersecurity of the healthcare and public health (HPH) sector by improving coordination at the federal level to ensure that government agencies can respond quickly and efficiently to cyberattacks on HPH sector entities.

Healthcare cyberattacks have increased significantly in recent years, with more than 700 data breaches affecting 500 or more individuals reported to the HHS’ Office for Civil Rights in each of the past four years. In the past couple of years, a huge volume of healthcare records has been breached. In 2023, the protected health information of more than 172 million individuals was exposed or impermissibly disclosed in healthcare data breaches, and 278 million individuals were affected by healthcare data breaches in 2024.

In 2024, a ransomware group breached the systems of Change Healthcare, stole the records of an estimated 190 million individuals, and used ransomware to encrypt files. The attack caused massive disruption to the revenue cycles of healthcare providers across the country due to the prolonged outage of Change Healthcare’s systems, considerable disruption to patient care across the country, and the stolen data was leaked on the dark web.

The Healthcare Cybersecurity Act of 2025 was introduced by Congressman Jason Crow (D-CO), who was joined in introducing the legislation by Congressman Brian Fitzpatrick (R-PA). A companion bill was introduced in the Senate by Senators Jacky Rosen (D-NV) and Todd Young (R-IN). Congressman Crow previously introduced the Healthcare Cybersecurity Act in the 117th and 118th Congresses. “As technology advances, we must do more to protect Americans’ sensitive data,” said Congressman Crow. “That’s why I’m leading bipartisan legislation to strengthen our defenses and protect families from cyberattackers.”

If passed, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) would be required to collaborate on improving HPH sector cybersecurity. A liaison would be created between the two agencies to coordinate the responses to cyberattacks, and the act would authorize cybersecurity training for all relevant personnel. The bill also requires CISA and the HHS to conduct a study to identify the specific risks faced by the HPH sector.

“Cyberattacks on our healthcare system endanger more than data—they put lives at risk. I’ve long worked to strengthen our nation’s cyber defenses where Americans are most exposed, from small businesses to hospitals. This bipartisan bill takes direct, strategic action: empowering CISA and HHS to coordinate real-time threat sharing, expanding cybersecurity training for providers, and establishing a dedicated liaison to bolster response. We’re not just responding to attacks—we’re building the infrastructure to prevent them, protect patient privacy, and defend a vital pillar of our national security,” said Congressman Fitzpatrick.

The post Bipartisan Healthcare Cybersecurity Act Introduced in House and Senate appeared first on The HIPAA Journal.

High Severity Vulnerability Identified in MicroDicom DICOM Viewer

Posted by Steve Alder

A high-severity vulnerability has been identified in the MicroDicom DICOM Viewer, a popular free-to-use software for viewing and manipulating DICOM medical images.

The vulnerability can be exploited remotely in a low complexity attack, and successful exploitation can allow the execution of arbitrary code on vulnerable installations of DICOM Viewer; however, user interaction is required to exploit the vulnerability. A threat actor would need to convince a user to open a malicious DICOM file locally or visit a specially crafted malicious web page, for example, through social engineering or phishing.

The vulnerability affects DICOM Viewer version 2025.2 (Build 8154) and prior versions and is tracked as CVE-2025-5943.  The vulnerability is an out-of-bounds write issue, where it is possible to write to memory outside the bounds of the intended buffer and execute arbitrary code. The vulnerability has been assigned a CVSS v4 base score of 8.6 out of 10 and a CVSS v3.1 base score of 8.8 out of 10. While there have been no known cases of the vulnerability being exploited in the wild at the time of disclosure, prompt patching is recommended. The vulnerability has been fixed in version 2025.3 and later versions.

The vulnerability was identified by independent security researcher Michael Heinzl, who reported the vulnerability to the U.S. Cybersecurity and Infrastructure Agency (CISA). The latest announcement follows a May 2025 disclosure of two high-severity vulnerabilities, a February 2025 disclosure of a medium-severity vulnerability that can be exploited in a machine-in-the-middle (MitM) attack, and four high-severity vulnerabilities identified in 2024 and disclosed in March and June last year.

Since vulnerabilities are frequently discovered, it is advisable to locate DICOM Viewer behind a firewall, to isolate it from business networks, and if remote access is required, to use a secure method of connection such as a Virtual Private Network (VPN) and ensure that the VPN is kept up to date.

The post High Severity Vulnerability Identified in MicroDicom DICOM Viewer appeared first on The HIPAA Journal.