City of Long Beach Notifies Individuals Affected by November 2023 Cyberattack

It has taken more than a year for current and former residents of the City of Long Beach in California to learn that some of their personally identifiable and protected health information was compromised in a cyberattack. Notifications have been sent to multiple U.S. states confirming that the information of 470,060 individuals was exposed and potentially stolen in the attack. That figure includes 258,191 individuals whose protected health information was compromised. No ransomware group is known to have claimed responsibility for the attack.

The cyberattack was detected on or around November 14, 2023, and the forensic investigation confirmed on March 18, 2024, that sensitive data had been accessed or acquired by the threat actor. It then took a further 13 months before notification letters were mailed to the affected individuals. City officials confirmed that notification letters started to be mailed on April 14, 2025.

City officials explained that most of the affected systems were restored and brought back online within a matter of weeks after the attack was detected. While unauthorized access to data was confirmed in March 2024, the city explained in an October 7, 2024, update that third-party cybersecurity professionals were still trying to determine the nature and scope of the data stolen in the attack. The city explained in the notice that complimentary credit monitoring and identity theft protection services would be offered to individuals whose Social Security numbers were involved. “This process of identifying specific individuals’ sensitive information is incredibly detailed, time-intensive, can be lengthy, and has been ongoing to date,” explained city officials in the October 2024 notice. “Progress is being made, and the process may be close to completion in the upcoming months.”

In the latest notification, city officials explained that between the attack and April 14, 2025, there have been no indications that any of the impacted information has been misused for the purpose of committing identity theft or fraud, and said the notification letters were being issued as required by law and out of an abundance of caution. Long Beach Mayor Rex Richardson said, “This has proven to be an unprecedented event for our organization, and we continue to take this investigation and its findings seriously.” The individual notifications confirm that credit monitoring and identity theft protection services are being provided for 12 months to individuals whose Social Security numbers were compromised.

The post City of Long Beach Notifies Individuals Affected by November 2023 Cyberattack appeared first on The HIPAA Journal.

Healthcare Orgs Fined for Employing Nurses on the HHS-OIG Exclusion List

This month, the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) agreed to settlements with two healthcare providers that employed nurses who were on the HHS-OIG exclusion list and who provided items or services that were billed to federally funded healthcare programs.

The exclusion list, formally known as the List of Excluded Individuals and Entities (LEIE), contains entities and individuals excluded from participating in federally funded healthcare programs. The exclusion list was established to prevent fraud, waste, and abuse in federally funded healthcare programs. If an individual or entity has been added to the list, they are not permitted to participate in federally funded healthcare programs in any capacity.

There are many different reasons for exclusion, including fraud convictions, patient abuse and neglect, felony drug convictions, submission of false claims, and participation in illegal kickback schemes. Certain violations carry a mandatory minimum exclusion period, with HHS-OIG having discretion over how long an entity or individual remains on the list. While it is possible to be removed from the list after the minimum term has expired, the excluded company/individual must complete a formal reinstatement process, which can take some time.

Prior to hiring any individual or onboarding a new supplier, healthcare organizations need to review the exclusion list to make sure the company or individual has not been excluded. The responsibilities do not end there: if an individual or company is added to the exclusion list after hiring/onboarding, penalties can be imposed for continuing to employ that individual or continuing to use that company’s services. Regular screenings of the workforce should be conducted, along with monthly checks of vendors to ensure OIG compliance. Many companies choose to ease this compliance headache by using automated screening and other third-party compliance services.

In April 2025, two companies were discovered to have failed to conduct exclusion list checks, resulting in the employment of excluded individuals. Advancare Healthcare Services in Lombard, Illinois, was discovered to have employed a registered nurse who was on the exclusion list and had been barred from participating in federally funded healthcare programs. The nurse had provided items or services that were billed to Medicare or Medicaid. Advancare Healthcare Services agreed to settle the alleged exclusion list violation, paid a $41,596.68 penalty, and was required to terminate the nurse’s employment.

Associated Clinicians of East Texas, PLLC, which does business as Diagnostic Clinic of Longview, was discovered to have employed a licensed vocational nurse who had been added to the exclusion list. The nurse provided items or services billed to federally funded healthcare programs. Diagnostic Clinic of Longview agreed to settle the alleged violation, paid a $77,877.45 financial penalty, and was required to terminate the nurse’s employment.

The post Healthcare Orgs Fined for Employing Nurses on the HHS-OIG Exclusion List appeared first on The HIPAA Journal.