HSCC Publishes Preview of Health Sector AI Cybersecurity Risk Guidance

Posted by Steve Alder

In Q1, 2026, the Health Sector Coordinating Council (HSCC) plans to publish AI cybersecurity guidelines for the healthcare sector. Last week, the HSCC Cybersecurity Working Group (CWG) published previews of the cybersecurity guidance ahead of the full release next year.

Artificial intelligence has tremendous potential in healthcare; however, it introduces cybersecurity risks that must be managed and reduced to a reasonable level. To better prepare the health sector, the HSCC CWG established an AI Cybersecurity Task Force in October 2024, consisting of individuals from 115 healthcare organizations across the spectrum. The Cybersecurity Task Group has considered the complexity and the associated risks of AI technology in clinical, administrative, and financial health sector applications, and divided the identified AI issues into five manageable workstreams of discrete functional risk areas:

  • Education and enablement
  • Cyber operations & defense
  • Governance
  • Secure by design
  • Third-party AI risk and supply chain transparency

Significant progress has been made across all workstreams, and in January, guidance will be published covering each of these areas. The guidelines will include best practices for healthcare organizations to adopt, and while not legally binding, they will help the sector effectively manage and reduce AI cybersecurity risks.

Ahead of the release, HSCC CWG published one-page summaries for each of these workstreams detailing the objectives, key focus areas, and deliverables in each area. HSCC CWG has also published a foundational document that describes the most important AI terms that healthcare organizations need to be aware of.

The education and enablement workstream covers the common terms and language used throughout the guidance to familiarize users with the use of AI in their functional environments and help them better understand risk and apply control activities.

The cyber operations and defense workstream provides practical playbooks for preparing for, detecting, responding to, and recovering from AI cyber incidents. That includes identifying requirements for conducting optimized AI-specific cybersecurity operations, defining AI-driven threat intelligence processes with appropriate safeguards to support clinical workflows, establishing operational guardrails for AI technologies beyond LLMs, including predictive machine learning systems and embedded device AI, and establishing clear governance and accountability.

The governance workstream provides a comprehensive framework that can be used by healthcare organizations of all sizes to manage the cybersecurity risks in their own clinical environments and ensure that AI is used securely and responsibly. The objective of the secure by design workstream is to define and develop secure-by-design principles specifically for AI-enabled medical devices, including practical guidance and tools to empower manufacturers and stakeholders to ensure the cybersecurity of AI-enabled medical devices throughout the entire product lifecycle.

Third-party AI risks and supply chain transparency aims to strengthen security, trust, and resilience through the enhancement of visibility and transparency of third-party tools, establishing oversight and governance polices, and standardizing processes for procurement, vetting, and lifecycle management.

The guidance will help to improve awareness and understanding of critical risk areas and provides a roadmap for implementing new AI technologies while ensuring safety and responsible use.

The post HSCC Publishes Preview of Health Sector AI Cybersecurity Risk Guidance appeared first on The HIPAA Journal.

Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies

Posted by Steve Alder

Data breaches have recently been identified by Sun Valley Surgery Center in Nevada and American Associated Pharmacies in Alabama.

Sun Valley Surgery Center

Sun Valley Surgery Center in North Las Vegas, Nevada, has identified unauthorized access to its computer network. Anomalous activity was identified within its information systems on September 3, 2025. The forensic investigation confirmed that an unauthorized third party accessed parts of its network where sensitive patient information was stored.

Data potentially compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license/state-issued identification numbers, passport/other government identification numbers, and health information such as health histories, diagnosis/treatment information, explanation of benefits, health insurance information, and/or MRN numbers/patient identification numbers. Sun Valley Surgery Center has implemented additional safeguards and technical security measures to prevent similar incidents in the future. Approximately 27,000 individuals were potentially affected.

American Associated Pharmacies

One of the largest independent pharmacy organizations in the United States has recently fallen victim to a ransomware attack that resulted in the encryption of data on its systems. Scottsboro, AL-based American Associated Pharmacies (AAP) identified suspicious activity, including file encryption, within its computer network on October 23, 2024. Immediate action was taken to contain and mitigate the incident, including shutting down all affected systems and changing passwords to prevent further unauthorized access. The forensic investigation confirmed that initial access occurred ten days prior to the attack on October 13, 2024.

Assisted by third-party cybersecurity professionals, AAP determined that before file encryption, the attackers exfiltrated files from its network. The review of those files has recently been completed, and individual notifications are now being mailed to the affected individuals. Data compromised in the incident varies from individual to individual and may include names, addresses, birth dates, Social Security numbers, passport numbers, driver’s license number/other government-issued identification numbers, bank/financial account numbers/routing numbers, clinical/treatment information, medical information, provider names, medical record numbers, health insurance information, prescription information and/or usernames and passwords.

Several steps have been taken to augment security to prevent similar incidents in the future, including implementing further monitoring tools and expanding the use of multifactor authentication. The affected individuals have been advised to monitor their free credit reports, account statements, and explanation of benefits statements for suspicious activity. Credit monitoring and identity theft protection services have been offered to certain individuals, according to the notification sent to the Maine Attorney General. That notification indicates 8,032 individuals have been affected, including 25 Maine residents.

The post Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies appeared first on The HIPAA Journal.

EHR Vendor Identifies Business Associate Data Breach

Posted by Steve Alder

Data breaches have recently been announced by the EHR vendor CareTracker (Amazing Charts) and the Wisconsin health system, Marshfield Clinic.

CareTracker (Amazing Charts)

CareTracker Inc., doing business as Amazing Charts, an electronic health record and practice management platform provider, has been affected by a security incident at one of its vendors. On June 19, 2025, Amazing Charts identified unusual activity within a system managed by a third-party vendor. Immediate action was taken to secure the vendor’s environment, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed unauthorized access to the service provider’s network between June 15, 2025, and June 19, 2025. Files were then reviewed to determine the individuals affected and the types of data involved. Due to the complexity of the data review, that process has only recently been completed.

Data potentially compromised in the incident included names in combination with one or more of the following: diagnoses, treatment information, physician names, medical record numbers, and health insurance information. Notification letters have recently been mailed to the affected individuals, and complimentary credit monitoring services have been offered for 12 months. At the time of notification, no misuse of the affected information had been identified.

Marshfield Clinic Health System

Marshfield Clinic Health System, an integrated health system serving Wisconsin and Michigan’s Upper Peninsula, identified unauthorized access to certain employee email accounts on or around August 27, 2025. The forensic investigation confirmed that an unauthorized third party had access to the accounts from August 26 to August 27, 2025, and potentially accessed or copied emails containing patient information. The types of information compromised in the incident varied from individual to individual and may have included names, medical record numbers, health insurance information, diagnosis, and treatment information.

The affected individuals are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post EHR Vendor Identifies Business Associate Data Breach appeared first on The HIPAA Journal.