California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers

Posted by Steve Alder

California Governor Gavin Newsom has added his signature to a bill that strengthens privacy protections for individuals seeking or receiving healthcare services from a family planning center. Prior to the update, California law prohibited a person or business from collecting, using, disclosing, or retaining the personal information of a person located at or within the geolocation of a family planning center, other than as necessary to provide the goods or services requested by that person.

Assembly Bill 45 (AB-45) strengthens privacy protections by prohibiting the collection, use, disclosure, sale, sharing, or retention of personal information of a natural person located at or within the precise geolocation of a family planning center, other than to provide goods and services to an individual, as requested. The requirements do not apply to HIPAA-regulated entities or their business associates, provided that the business associate is contractually obliged to comply with all state and federal laws.

The new law extends the scope of existing law to cover any person, including a natural person, association, proprietorship, corporation, trust, foundation, partnership, or any other organization or group of people acting in concert. The new law uses the same definitions for sale, personal information, and precise geolocation as the California Consumer Protection Act (CCPA), although the definitions apply to all persons. A family planning center is defined as a facility categorized as a family planning center by the North American Industry Classification System adopted by the United States Census Bureau, which includes, but is not limited to, clinics that provide reproductive healthcare services.

The new law makes it unlawful to geofence an entity that provides in-person healthcare services for certain purposes and prohibits the selling or sharing of information with a third party to geofence an entity that provides healthcare services. Healthcare services are defined as “any service provided to a natural person of a medical, surgical, psychiatric, therapeutic, diagnostic, mental health, behavioral health, preventative, rehabilitative, supportive, consultative, referral, or prescribing nature.”

Geofencing is specifically prohibited for the purpose of identifying or tracking an individual seeking or receiving healthcare services, collecting personal information from a person seeking, receiving, or providing healthcare services, sending notifications to a person related to their personal information or healthcare services, and sending advertisements to an individual related to their personal information or healthcare services. There are exceptions to the geofencing restrictions. The owner of the facility is permitted to geofence its own location, geofencing is permitted for research purposes that comply with federal regulations, and geofencing is permitted by labor organizations, although consent must be obtained from individuals if the geofencing results in the collection of names or personal information. Personally identifiable research records of individuals seeking healthcare services are protected and may not be released in response to a subpoena or request made pursuant to other states’ laws that interfere with a person’s rights under the California Reproductive Privacy Act.

There is a limited private cause of action in AB-45, which allows individuals and entities aggrieved by a violation of the provisions of AB-45 to sue for damages, up to a maximum of three times the actual damages, in addition to expenses, costs, and reasonable attorneys’ fees. The California Attorney General will enforce the new law and can impose penalties of up to $25,000 per violation and injunctive relief. Any collected penalties will be used to fund the California Reproductive Justice and Freedom Fund. The new law takes effect on January 1, 2026.

The post California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers appeared first on The HIPAA Journal.

Orthopedics Rhode Island Agrees to Pay $2.9 Million to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

Orthopedics Rhode Island (Ortho RI) has agreed to pay $2.9 million to settle a class action lawsuit stemming from a 2024 ransomware attack. The ransomware attack was detected by Ortho RI on September 7, 2025, with the forensic investigation confirming unauthorized network access from September 4 to September 8, 2024. Information compromised in the incident included names, addresses, dates of birth, billing and claims information, health insurance claims information, diagnoses, medications, test results, x-ray images, and other treatment information. The data breach was reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 377,731 individuals. The affected individuals were notified about the incident via a November 6, 2024, website notice and individual notifications, which were mailed on December 6, 2024.

Seven class action lawsuits were filed against Ortho RI over the data breach, one of which was dismissed. The remaining actions were consolidated in Lavoie-Soria et al. v Orthopedics Rhode Island, Inc. in Kent County Superior Court of the State of Rhode Island, as the lawsuits had overlapping claims and were based on the same facts. The plaintiffs claim to have suffered injuries due to the attack, including lost or diminished value of their private information, lost opportunity costs associated with mitigating the consequences of the data breach, and out-of-pocket losses associated with the prevention, detection, and recovery from identity theft and fraud. The lawsuit asserted claims of negligence and negligence per se due to the failure to implement reasonable and appropriate cybersecurity measures, breach of implied contract, unjust enrichment, and breach of fiduciary duty.

Ortho RI maintains there was no wrongdoing; however, it chose to settle the lawsuit to avoid the costs, risks, and uncertainty of continuing with the litigation. The class representatives believe the settlement is best for all individuals in the settlement class for the same reasons. Under the terms of the settlement, all class members are entitled to claim two years of medical record monitoring services plus one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses related to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may claim an alternative cash payment, which is anticipated to be around $100. Attorneys’ fees, settlement administration costs, service awards for class representatives, and medical record monitoring costs will be deducted from the settlement fund, after which claims will be paid from the remaining funds.

The deadline for objection to and exclusion from the settlement is December 29, 2025. The deadline for submitting a claim is January 13, 2026, and the final approval hearing has been scheduled for January 28, 2026.

The post Orthopedics Rhode Island Agrees to Pay $2.9 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

72% of Healthcare Orgs Report Disruption to Patient Care Due to Cyberattacks

Posted by Steve Alder

A recent survey of U.S. healthcare IT and cybersecurity professionals found that 93% of the surveyed organizations had experienced at least one cyberattack in the past 12 months, and 72% of those reported that the attacks caused disruption to patient care. The negative impacts were typically delayed intake, increased hospital stays, and increased complications from medical procedures, with 29% of respondents reporting an increase in mortality rate. The problem is getting worse, as last year, 69% of healthcare organizations said cyberattacks had negatively impacted patient care.

The survey was conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint on 677 healthcare IT and cybersecurity professionals in the United States. The findings are published in Proofpoint’s report: The 2025 Study on Cyber Insecurity in Healthcare, which looks specifically at the effectiveness of reducing human-targeted cybersecurity risks in the healthcare industry and the cost and impact of cyberattacks on patient safety and care.

Out of the 93% of organizations that experienced a cyberattack, 43 attacks were experienced on average, up from 40 last year. The survey showed that 96% of healthcare organizations experienced at least two incidents involving data loss or exfiltration of patient data, with the majority of respondents reporting that those incidents had a negative impact on patient care.

“Patient safety is inseparable from cyber safety,” said Ryan Witt, vice president of industry solutions at Proofpoint. “This year’s report highlights a stark reality: Cyber threats aren’t just IT issues, they’re clinical risks. When care is delayed, disrupted, or compromised due to a cyberattack, patient outcomes are impacted, and lives are potentially put at risk.”

The report is based on four categories of cyberattacks: cloud/account compromises, supply chain attacks, ransomware attacks, and business email compromise (BEC)/spoofing/impersonation incidents. Supply chain attacks had the biggest impact on patient care, with 87% of victims of supply chain attacks reporting negative impacts such as delayed procedures, poorer outcomes, and increased complications.

When asked about the cost of the single most expensive cyberattack, the answers ranged from $10,000 to more than $25 million, with an average cost of $3.9 million, down from the 2024 average of $4.7 million. The biggest cost was operational disruption, which cost an average of $1,210,172, down 17.6% from last year. Idle time and lost productivity fell by 13.7% year-over-year to an average of $858,832. The average cost of correcting the impact on patient care fell by 21.5% to $853,272, the cost of damage to IT assets and infrastructure fell by 13.8% to $711,060, and the cost of remediation and technical support activities fell by 28.6% to $507,491.

There has been a significant increase in ransomware incidents, which rose from 60% in 2024. While costs are down overall, the cost of ransomware attacks increased from an average of $1.1 million in 2024 to $1.2 million in 2025. The percentage of victims paying the ransom has continued to fall, with 33% of victims choosing to pay compared to 36% last year.

The adoption of AI for security and migration of data to the cloud were the most common protective strategies adopted by healthcare organizations. The survey revealed that 75% of healthcare organizations have or plan to move clinical applications to the cloud, and 30% of respondents use AI for security. The respondents who have adopted AI for security claim the tools are very effective, although 60% said they struggle to protect sensitive data used by AI systems, and the adoption of AI tools is being hampered by interoperability issues and data accuracy problems.

Human error was a key factor in data loss/data exfiltration incidents, with 35% of respondents reporting that data loss was caused by employees not following policies. One-quarter reported data due to privilege access abuse, and one-quarter said it was due to an employee sending PHI to an incorrect recipient. The human factor in cyberattacks is an area being addressed by 76% of organizations. Out of those, 63% said they have regular training and security awareness programs, 51% are monitoring the actions of employees, and 47% are conducting phishing simulations.

“This report underscores the urgent need for healthcare organizations to adopt a human-centric cybersecurity approach—one that not only protects systems and data but also preserves the continuity and quality of care,” said Witt. You can view/download the report here.

The post 72% of Healthcare Orgs Report Disruption to Patient Care Due to Cyberattacks appeared first on The HIPAA Journal.