American Hospital Association Makes Recommendations to Support AI Adoption in Healthcare

The American Hospital Association (AHA) has responded to a September 2025 request for information (RFI) from the Office of Science and Technology Policy (OSTP) on regulatory reform on artificial intelligence (AI) to promote innovation and adoption.

The Trump administration is committed to ensuring the United States achieves global dominance in AI and issued the RFI to obtain feedback from businesses and the public on current federal regulations that are hampering AI adoption and innovation. AI has tremendous potential in healthcare, from analyzing and interpreting medical images, aiding clinicians with decision-making, streamlining operations, and easing the considerable administrative burden faced by providers. While AI tools have been adopted in healthcare, the AHA says hospitals and health systems have merely scratched the surface of the potential uses to support them and the patients they serve.

In order to accelerate innovation and adoption, the AHA believes regulations need to be eased. In its response, the AHA explained that around one-quarter of healthcare spending goes on administrative tasks, amounting to around $1 trillion annually. Feedback from member hospitals and health systems indicates that regulatory administrative burdens are contributing to the financial instability of many hospitals, around 40% of which are now operating with negative margins.

The AHA has already voiced opposition to the further administrative burdens and costs associated with the proposed update to the HIPAA Security Rule and has welcomed the Trump administration’s recognition that overly restrictive regulations lead to higher costs, hamper competition, and stifle innovation. AHA members have voiced their concern that excessive regulation of AI is likely to severely limit adoption and innovation. Given the potential for AI to improve efficiency and enhance the quality of care, a balance needs to be struck between regulation that ensures patient safety and sufficient flexibility to support innovation.

In the letter to the OSTP, Ashley Thompson, the AHA’s senior vice president of public policy analysis and development, explained that current administrative burdens have forced many hospitals to scale back patient services or close, and that excessive regulatory and administrative burdens have added unnecessary cost and reduced patient access to care. To ensure the full potential of AI in healthcare, the AHA makes four main recommendations for AI reform: leveraging existing policy frameworks to avoid redundancy; removing regulatory barriers; ensuring AI is used safely and effectively; and providing incentives and infrastructure investment to expand the use of AI in healthcare.

Current regulatory frameworks were developed around human clinicians and discrete medical device updates, which may create challenges if the same frameworks are applied to continuously updating AI tools; however, creating a new regulatory framework for AI could result in redundancy and inefficiency. The AHA recommends that any AI policies be synchronized with existing regulatory frameworks such as HIPAA, the HHS cybersecurity performance goals, FDA rules on premarket testing, and the CMS Medicare Advantage regulations.

The AHA recommends removing regulatory barriers that could stifle innovation, explaining that the current patchwork of state privacy laws and the 42 CFR Part 2 regulations has had a direct impact on the ability of hospitals to develop and deploy AI tools. The AHA has already responded to several problematic provisions of the proposed HIPAA Security Rule update, and recommended voluntary consensus-based cybersecurity practices such as the HHS cybersecurity performance goals, rather than further regulation. The AHA suggests the Trump administration work with Congress to address HIPAA preemption, recommending the enactment of full HIPAA preemption, as varying state laws are currently creating complications for its members. Further, the AHA supports the removal of all remaining requirements under the Part 2 regulations, which are hindering access to important health information and impacting the ability of substance use disorder (SUD) providers to leverage AI tools for care delivery.

Regarding patient safety, the AHA recommends keeping trained clinicians in the decision loop for algorithms that may impact access to care or care delivery, applying consistent privacy and security standards to third-party vendors, and implementing policies that include post-deployment standards for AI healthcare tools to ensure the ongoing integrity of those tools.

The AHA has also stressed that infrastructure needs to be improved to support the adoption of AI tools. For instance, hospitals in rural areas often lack reliable broadband and Wi-Fi access, which has proven to be a barrier to digital services and the adoption of AI tools. Incentives should be aligned to support AI adoption, as inadequate reimbursement has meant that many providers do not have the necessary resources to invest in the infrastructure to support the adoption of AI tools. The AHA also encourages cross-agency collaboration to develop training and potential grant funding opportunities to support patient educational efforts on digital health tools.

The post American Hospital Association Makes Recommendations to Support AI Adoption in Healthcare appeared first on The HIPAA Journal.

Only 23% of Ransomware Victims Pay the Ransom

The ransomware remediation firm Coveware has reported a growing divide in the ransomware landscape, with larger enterprises facing increasingly targeted, high-cost attacks, whereas attacks on mid-market companies continue to be conducted in volume. Ransomware groups conducting high-volume attacks appear to have found the sweet spot, as while the ransom payments they receive are much lower, the attacks are easier to conduct, and a higher percentage of victims pay up. Attacks on larger companies require more effort, although attacks are far more lucrative when a ransom is paid. Coveware reports that larger organizations are increasingly resisting paying ransoms, having realized that there are few payment benefits, but has warned that these targeted attacks are likely to increase due to falling ransom payments.

Across the board, there has been a sharp fall in both the average and median ransom payments from a 6-year high in Q2, 2025, to the lowest level since Q1, 2023. In Q3, 2025, the average ransom payment fell by 66% to $376,941, with the median ransom payment down 65% to $140,000. In Q1, 2019, 85% of victims of ransomware attacks chose to pay the ransom, compared to a historic low of 23% in Q3, 2025.

When cybercriminals started conducting ransomware attacks, the focus was on file encryption, whereas double extortion tactics are now the norm, with data stolen prior to file encryption. While data can often be recovered from backups, the threat of publication of the data is often enough to see the ransom paid, in an effort to minimize reputation damage from an attack. According to Coveware, 76% of all attacks in Q3, 2025, involved data theft. There has been a growing trend of data theft-focused attacks, with some groups abandoning data encryption altogether. While extortion-only attacks are generally faster and stealthier, Coveware reports that data exfiltration attacks without encryption only have a ransom payment rate of 19% – a record low. That suggests that victims do not believe paying the ransom will result in their data being deleted.

The most common attack vectors frequently change, with phishing and social engineering the most common method of initial access in Q3, 2024, whereas in Q3, 2025, there was a sharp increase in remote access compromise, with phishing/social engineering dropping to around 18% of attacks, almost on a par with the exploitation of software vulnerabilities. Remote access compromise was behind almost 50% of attacks in Q3. Coveware reports that the distinction between different intrusion types is becoming increasingly blurred, such as remote access and social engineering. For example, attacks impersonating SaaS support teams or abusing helpdesk processes trick individuals into providing remote access. “The modern intrusion no longer begins with a simple phishing email or an unpatched VPN. It starts with a convergence of identity, trust, and access across both people and platforms,” explained Coveware.

The two most active ransomware groups in Q3 – Akira (34%) and Qilin (10%) – are both focused on high-volume attacks that yield relatively low rewards. While a logical response to fewer victims paying a ransom is to conduct even more attacks, Coveware believes it is more likely to trigger more targeted attacks on companies that have the means to pay large ransoms. As security postures have improved, attacks are becoming harder to pull off. One potential consequence is that attackers will focus once again on targeting employees to trick them into providing access, as well as recruiting insiders. Coveware has identified several attacks where employees have been bribed into providing remote access. In one case, the Medusa ransomware group attempted to recruit an employee of a large organization. Medusa promised to pay the employee 15% of any ransom generated if network access through the employee’s computer was provided.

While healthcare remains a lucrative target for ransomware groups, only 9.7% of attacks involving Coveware’s services affected healthcare organizations, putting the industry in joint second place with software services. Professional services was the most commonly attacked sector in Q3, accounting for 17.5% of attacks.


Sedgebrook & Heartland Health Center Hit with Ransomware Attacks

Ransomware attacks have recently been announced by the Illinois retirement village and skilled nursing provider Sedgebrook, and the Nebraska healthcare provider Heartland Health Center.

Sedgebrook

Sedgebrook, a retirement village and skilled nursing facility in Lincolnshire, Illinois, has recently announced a ransomware attack that involved unauthorized access to files containing individuals’ personal and protected health information. The attack was detected on May 5, 2025, when network disruption was experienced. Assisted by third-party digital forensics experts, Sedgebrook determined that a ransomware group had access to its network from May 4 to May 5, 2025, and used ransomware to encrypt files. During that time, data may have been exfiltrated from its network.

The exposed files were reviewed, and on August 26, 2025, it was confirmed that some of those files contained protected health information, including names, addresses, birth dates, Social Security numbers, driver’s license numbers, financial account information, medical treatment information, medical record numbers, and health insurance information. Notification letters started to be mailed to the affected individuals on October 24, 2025.

While no evidence was found to indicate any misuse of the exposed information, individuals whose Social Security numbers or driver’s license numbers were exposed have been offered complimentary credit monitoring and identity theft protection services. Steps have also been taken to improve security to prevent similar incidents in the future. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.

Heartland Health Center

Heartland Health Center, a provider of medical, dental, and behavioral health services at clinics in Ravenna and Hastings in Nebraska, has recently disclosed a security breach that was first identified on February 4, 2025. An investigation was launched, with assistance provided by third-party cybersecurity experts, to determine if any sensitive data had been exposed. Following an exhaustive review, Heartland Health Center determined on June 3, 2025, that sensitive data had been exposed and may have been acquired in the attack.

The types of information involved vary from individual to individual and may have included names plus one or more of the following: date of birth, Social Security number, driver’s license number, financial account number, username and access information for a non-financial account, dates of service, diagnosis information, health insurance information, physician/medical facility information, medical condition/treatment information, medical record number, Medicare or Medicaid number, patient account number, certificate or license number, full face photo, and referral information.

Heartland Health Center said it already had robust cybersecurity measures in place, and they will continue to be reviewed and enhanced as necessary. As a precaution against misuse of patient information, the affected individuals have been offered complimentary single-bureau credit monitoring, credit score, and credit report services. While not described as a ransomware attack, the Medusa ransomware group claimed responsibility for the incident. Medusa is known to exfiltrate and either sell or publish the stolen data, so the affected individuals should ensure that they take advantage of the credit monitoring services on offer. The HHS’ Office for Civil Rights data breach portal is not currently showing the breach, so it is unclear how many individuals have been affected.


$19.3 Million Settlement Proposed to Resolve NextGen Class Action Data Breach Lawsuit

A $19,375,000 settlement has been proposed to resolve a consolidated class action lawsuit against the electronic health records and practice management software provider NextGen Healthcare over a 2023 ransomware attack that affected more than one million individuals.

The attack was detected on April 28, 2023, and the first complaint was filed on May 5, 2023, in the United States District Court for the Northern District of Georgia, Atlanta Division. Thereafter, more than a dozen further lawsuits were filed, which were consolidated into a single action in the same court. The consolidated lawsuit alleged negligence and negligence per se for failing to implement appropriate safeguards to protect sensitive patient information, invasion of privacy/intrusion upon seclusion, breach of implied contract, breach of bailment, breach of fiduciary duty, unjust enrichment, and breach notification failures, in violation of federal and state laws, including the Official Code of Georgia Annotated (O.C.G.A.).

NextGen Healthcare denies all claims and contentions in the lawsuit and maintains there was no wrongdoing or liability. NextGen Healthcare moved to have the lawsuit dismissed; however, the lawsuit was allowed to proceed (see below). Following mediation on June 25, 2025, and August 6, 2025, and after all parties considered the expense and length of continued litigation and the risks associated with it, the decision was taken to settle the lawsuit.

Under the terms of the settlement, NextGen Healthcare has agreed to establish a $19,375,000 settlement fund to cover attorneys’ fees and expenses, notice costs, settlement administration costs, service awards, and benefits for class members. Class members may submit a claim for documented, unreimbursed losses due to the data breach up to a maximum of $7,500 per class member and up to $250 for lost time (a maximum of 10 hours at $25 per hour). Alternatively, class members may choose to receive a cash payment, which is expected to be $50, but will be subject to a pro rata adjustment. Class members who were residents of California at the time of the data breach may claim an alternative cash payment of $150.

In addition to the above benefits, class members may also claim three years of credit monitoring and identity theft protection services, and should there be any funds remaining in the settlement fund, they will be used to extend the identity and credit monitoring services or will be distributed cy pres to a non-profit cybersecurity organization. The settlement now awaits approval from the court.

August 6, 2024: NextGen Class Action Data Breach Lawsuit Allowed to Proceed

A class action lawsuit against the electronic health record (EHR) and practice management software provider, NextGen Healthcare, over a 2023 ransomware attack has been allowed to proceed.

Hackers had access to NextGen’s computer systems from March 29, 2023, to April 14, 2023, during which time they exfiltrated a huge volume of sensitive data from the NextGen Office system. The data breach was reported to the Maine Attorney General on May 5, 2023, as affecting 1,049,375 individuals. The ransomware attack was the second to be experienced by NextGen in just a few months, with an earlier BlackCat ransomware attack occurring in January 2023.

It is not uncommon for multiple ransomware attacks to be experienced. A recent report from the cybersecurity firm Semperis suggests that three-quarters of companies that have experienced a ransomware attack were attacked multiple times. Threat actors often deploy malware in their attacks, which allows them to conduct further attacks weeks or months later.

More than a dozen lawsuits were filed against NextGen following the data breach. The plaintiffs sought compensatory, statutory, and punitive damages, additional credit monitoring services, and injunctive relief, requiring NextGen to implement additional security measures to ensure the privacy and security of the data it stores. The lawsuits were consolidated into a single lawsuit – Damon X. Miller v. NextGen Healthcare Inc. – in the U.S. District Court for the Northern District of Georgia.

The consolidated lawsuit alleges NextGen could have prevented the data breach if it had implemented reasonable and appropriate security measures, yet failed to do so, even though it had experienced a ransomware attack in January 2023. The consolidated lawsuit asserted 25 claims, including negligence, unjust enrichment, intrusion upon seclusion, breach of implied contract, breach of bailment, breach of fiduciary duty, and violations of multiple state laws in California, Georgia, Illinois, Iowa, Maine, New Jersey, New Mexico, New York, and Pennsylvania.

NextGen attempted to have 22 of the 25 claims dismissed for failure to state a claim. Most of the claims were dismissed in their entirety by U.S. District Judge Thomas Thrash; however, the motion to dismiss five counts was denied, which gives the plaintiffs the green light to proceed with the action. The motion to dismiss the counts of breach of fiduciary duty, litigation expenses, violation of the Georgia Uniform Deceptive Trade Practices Act (GUDTPA), and violation of the California Consumer Privacy Act (CCPA) was denied in its entirety, and the motion to dismiss the count of violation of the California Unfair Competition Law (UCL) was denied with respect to one of the plaintiffs and a putative subclass.

NextGen had argued that, as a service provider to healthcare organizations, it did not owe a fiduciary duty to the plaintiffs, as it had no direct relationship with them and the mere receipt and storage of confidential data does not create a fiduciary relationship. Judge Thrash disagreed, as in some circumstances, the retention of private information that patients provided while seeking medical care can create a fiduciary duty under Georgia law. In his ruling, Judge Thrash did not state whether the circumstances in the case rose to that level, as that was not a question that could be resolved through a motion to dismiss.

Judge Thrash ruled that the plaintiffs had plausibly stated a claim for litigation expenses premised on bad faith, and the motion to dismiss the GUDTPA claim was denied as NextGen’s argument was dependent on “a strained reading of an unadopted Report and Recommendation.” The CCPA claim was allowed to proceed, as while NextGen argued that it is a service provider under CCPA, the plaintiffs stated otherwise, and Judge Thrash accepted those allegations as true, at least at this stage of the litigation. The motion to dismiss the California Unfair Competition Law claim was denied, as the defendant was alleged to have accepted payment to securely keep data and failed to take reasonable security measures, and that is sufficient to state a claim for restitution under UCL.
