Liberty Resources Announces July 2024 Data Breach

Posted by Steve Alder

Liberty Resources, a Syracuse, NY-based human services agency, has announced a security incident that was first identified 16 months ago, on July 22, 2024. Liberty Resources said an immediate and thorough investigation was conducted, and that the investigation into the incident is still ongoing. It is unclear why the investigation has taken so long.

According to its website data breach notice, the specific information compromised in the incident has yet to be confirmed. Employees and patients have been warned that the impacted data likely includes names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information. Since the investigation has not yet concluded, it is unclear how many individuals have been affected.

While no evidence has been found to indicate any misuse of the affected information, employees and clients have been advised to remain vigilant against identity theft and fraud. While not stated by Liberty Resources, this appears to have been a cyberattack by the Rhysida threat group, which added Liberty Resources to its data leak site and threatened to sell the 665 GB of data allegedly stolen in the attack. Rhysida claims on its data leak site that the data that has not been sold has been published. The group claims the leaked data includes 885,433 files, and if the claim is true, that may go some way to explaining why the investigation and data review have taken so long.

Gold Coast Health Plan Members Affected by Conduent Data Breach

Gold Coast Health Plan in Camarillo, CA, confirmed on December 2, 2025, that members’ protected health information was potentially compromised in a cyberattack on its business associate, Conduent Business Solutions. Conduent, a long-term provider of administrative services to Gold Coast Health Plan, determined on January 13, 2025, that the email account of one of its employees was accessed by an unauthorized individual between October 21, 2024, and January 13, 2025. The forensic investigation has taken several months to complete, and recently, Gold Coast Health Plan learned that the protected health information of 540 members was compromised in the incident, including their names, health plan identification numbers, dates of service, costs of service, and claim numbers. Social Security numbers and financial information were not involved.

“We deeply regret that the private information of some [of] our members was possibly exposed during this cyberattack,” said Robert Franco, GCHP’s chief compliance officer. “We are working closely with Conduent to ensure the necessary safeguards are in place to prevent a future breach.”

The post Liberty Resources Announces July 2024 Data Breach appeared first on The HIPAA Journal.

High Severity Vulnerabilities Patched in Mirion Medical EC2 Software NMIS BioDose

Posted by Steve Alder

Mirion Medical has issued patches to fix five high-severity vulnerabilities in its EC2 Software NMIS BioDose software. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to the application, modify program executables, access sensitive information, and potentially remotely execute code.

Mirion Medical EC2 Software NMIS BioDose is tracking software used by healthcare providers to keep track of inventory, doses, patient information, and billing. The vulnerabilities affect software versions prior to v23.0. Users have been urged to update to v23.0 or later versions to prevent the vulnerabilities from being exploited. Users with an active support contract can update to the latest version via the software. At the time of issuing the updated version, there had been no known exploitation of the vulnerabilities in the wild.

CVE-2025-64298 – CVSS v3.1: 8.4 | CVSS v4: 8.6

NMIS/BioDose V22.02 and previous version installations where the embedded Microsoft SQL Server Express is used are exposed in the Windows share accessed by clients in networked installs. The directory has insecure directory paths by default, allowing access to the SQL Server database and configurations, which may contain sensitive data.

CVE-2025-61940 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database, and while users must supply a password in the client software, the underlying database connection always has access. An option has been added to use Windows user authentication with the database to restrict the database connection.

CVE-2025-62575 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account – nmdbuser – and other created accounts have the sysadmin role, which could lead to remote code execution through the use of certain built-in stored procedures.

CVE-2025-64642 – CVSS v3.1: 8.0 | CVSS v4: 7.1

In NMIS/BioDose V22.02 and previous versions, installation directory paths have insecure file permissions by default. In certain deployments, this can allow users to modify program executables and libraries.

CVE-2025-64778 – CVSS v3.1: 7.3 | CVSS v4: 8.4

NMIS/BioDose software V22.02 and previous versions have executable binaries with plaintext hard-coded passwords, which could be exploited to gain unauthorized access to the application and database.

The post High Severity Vulnerabilities Patched in Mirion Medical EC2 Software NMIS BioDose appeared first on The HIPAA Journal.

Europol Takes Down Illegal Crypto Mixing Laundering Service Used by Ransomware Actors

Posted by Steve Alder

A cryptocurrency mixing service used by criminals to launder the proceeds from their illegal activities has been shut down by Europol, Eurojust, and law enforcement agencies in Switzerland and Germany.

Cybercriminals, such as ransomware actors, typically receive payment for their attacks in cryptocurrency. Cryptocurrency transactions are not anonymous, as all transactions are recorded on the public blockchain and can be traced to the wallets receiving the funds. That means the proceeds from cybercrime can be traced to individuals if the wallet address is linked to a real-world identity. Cybercriminals use cryptocurrency mixing services to launder the proceeds from their attacks, then redirect their anonymized funds to cryptocurrency exchanges to cash out.

The law enforcement operation was a week-long effort – Operation Olympia – between November 24 and November 26, targeting Cryptomixer, an illegal cryptocurrency mixing service that law enforcement agencies have been trying to shut down since its creation in 2016. According to Europol, Cryptomixer was the mixing service of choice for cybercriminals, and was used by ransomware gangs, payment card fraudsters, drug and weapons traffickers, and nation state hackers such as North Korea’s Lazarus Group to launder funds from their illegal activities. Since 2016, more than €1.3 billion in Bitcoin ($1.5 billion) has passed through Cryptomixer infrastructure.

Funds were deposited in the mixing service, pooled for a long and randomized period, then redistributed to destination addresses at random times. Mixing services such as Cryptomixer make pseudonymous cryptocurrency transactions anonymous, concealing the origin of cryptocurrency by making it difficult to trace specific coins, allowing cybercriminals to launder funds from their activities without the risk of being identified. More than €25 million ($28 million) in Bitcoin was confiscated, three servers in Switzerland and the cryptomixer.io clear web domain were seized, along with more than 12 terabytes of data.

The operation was part of a broader international effort by law enforcement agencies to tackle cybercrime by targeting the services that cybercriminals use to hide their financial transactions. Operation Olympia mirrors a similar effort in 2023 by Europol and law enforcement agencies in the United States and Germany that resulted in the seizure of the infrastructure behind the ChipMixer mixing service, which at the time was the go-to mixing service for cybercriminals, through which more than $3 billion in cryptocurrency had passed. In that operation, as well as seizing the infrastructure, more than $50 billion in Bitcoin was confiscated.

The post Europol Takes Down Illegal Crypto Mixing Laundering Service Used by Ransomware Actors appeared first on The HIPAA Journal.

Texas Attorney General Dismisses Complaint Against HHS Seeking Vacatur of HHS Final Rules

Posted by Steve Alder

Texas Attorney General Ken Paxton has filed a joint stipulation of dismissal without prejudice, seeking to dismiss all claims in a September 2024 complaint against the U.S. Department of Health and Human Services (HHS), former HHS Secretary Xavier Becerra, and former Office for Civil Rights (OCR) Director Melanie Fontes Rainer. On November 24, 2025, the court granted Paxton’s request and dismissed the lawsuit.

The complaint was filed in response to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule issued by the Biden Administration and added to the Federal Register in April 2024. The complaint sought declaratory and injunctive relief against the enforcement of the rule by the HHS, and to vacate another final rule, the HIPAA Privacy Rule of 2000. AG Paxton alleged that the HHS had overstepped its authority when issuing both final rules.

The decision to dismiss the lawsuit was likely influenced by a ruling in a separate lawsuit, filed in Texas last year by Dr. Carmen Purl, who runs Dr. Purl’s Fast Care Walk-in Clinic in Dumas, Texas. The lawsuit, Carmen Purl, et al., v. United States Department of Health and Human Services et al, was filed in the U.S. District Court for the Northern District of Texas, Amarillo Division, also in response to the HIPAA Privacy Rule to Support Reproductive Healthcare Privacy Final Rule.

The reproductive healthcare final rule was issued by the Biden administration as part of its response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization in 2022 that overturned Roe v. Wade, which for 50 years had protected the right to abortion prior to the point of fetal viability. With Roe v. Wade overturned, the legality of abortion became a state rather than federal matter, and almost half of U.S. states subsequently passed laws banning or restricting abortions.

The final rule created a new subclass of protected health information, reproductive health information, restricting disclosures of that information to government authorities and law enforcement. The final rule effectively prevented states from obtaining reproductive health information to hold individuals and healthcare providers liable under state law for abortions obtained legally out of state.

Purl alleged that the final rule was arbitrary and capricious and exceeded the HHS’s statutory authority, claiming the final rule impaired the clinic’s ability to participate in public health investigations and comply with state law that requires suspected child abuse to be reported. The lawsuit was successful, with the court dismissing the defendants’ motion to dismiss and vacating most of the modifications to the HIPAA Privacy Rule, which were deemed unlawful for distinguishing between different types of health information to accomplish political ends. The Notice of Privacy Practices requirements for healthcare providers covered by the Part 2 regulations relating to substance use disorder were not vacated. While the lawsuit originated in the state of Texas, the ruling had nationwide effect. The HHS chose not to appeal the decision.

The court’s decision to vacate the Reproductive Healthcare Privacy Final Rule achieved some of the main goals of AG Paxton’s complaint, which likely played a key role in the decision to seek dismissal of the complaint. Since the complaint was dismissed without prejudice, AG Paxton retains the right to refile the same complaint in the future, should he so wish.

The decision to dismiss the complaint is good news for Americans, as the HIPAA Privacy Rule ensures that their personally identifiable health information is protected and can only be used for reasons related to treatment, payment for healthcare, and healthcare operations without their express consent. The HIPAA Privacy Rule also gave patients rights over their health information, allowing them to obtain a copy of their health data, request errors be corrected, ask for restrictions on disclosures, and be provided with an accounting of disclosures of their PHI to learn who has been provided with their health information.

The post Texas Attorney General Dismisses Complaint Against HHS Seeking Vacatur of HHS Final Rules appeared first on The HIPAA Journal.