California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers

Posted by Steve Alder

California Governor Gavin Newsom has added his signature to a bill that strengthens privacy protections for individuals seeking or receiving healthcare services from a family planning center. Prior to the update, California law prohibited a person or business from collecting, using, disclosing, or retaining the personal information of a person located at or within the geolocation of a family planning center, other than as necessary to provide the goods or services requested by that person.

Assembly Bill 45 (AB-45) strengthens privacy protections by prohibiting the collection, use, disclosure, sale, sharing, or retention of personal information of a natural person located at or within the precise geolocation of a family planning center, other than to provide goods and services to an individual, as requested. The requirements do not apply to HIPAA-regulated entities or their business associates, provided that the business associate is contractually obliged to comply with all state and federal laws.

The new law extends the scope of existing law to cover any person, including a natural person, association, proprietorship, corporation, trust, foundation, partnership, or any other organization or group of people acting in concert. The new law uses the same definitions for sale, personal information, and precise geolocation as the California Consumer Protection Act (CCPA), although the definitions apply to all persons. A family planning center is defined as a facility categorized as a family planning center by the North American Industry Classification System adopted by the United States Census Bureau, which includes, but is not limited to, clinics that provide reproductive healthcare services.

The new law makes it unlawful to geofence an entity that provides in-person healthcare services for certain purposes and prohibits the selling or sharing of information with a third party to geofence an entity that provides healthcare services. Healthcare services are defined as “any service provided to a natural person of a medical, surgical, psychiatric, therapeutic, diagnostic, mental health, behavioral health, preventative, rehabilitative, supportive, consultative, referral, or prescribing nature.”

Geofencing is specifically prohibited for the purpose of identifying or tracking an individual seeking or receiving healthcare services, collecting personal information from a person seeking, receiving, or providing healthcare services, sending notifications to a person related to their personal information or healthcare services, and sending advertisements to an individual related to their personal information or healthcare services. There are exceptions to the geofencing restrictions. The owner of the facility is permitted to geofence its own location, geofencing is permitted for research purposes that comply with federal regulations, and geofencing is permitted by labor organizations, although consent must be obtained from individuals if the geofencing results in the collection of names or personal information. Personally identifiable research records of individuals seeking healthcare services are protected and may not be released in response to a subpoena or request made pursuant to other states’ laws that interfere with a person’s rights under the California Reproductive Privacy Act.

There is a limited private cause of action in AB-45, which allows individuals and entities aggrieved by a violation of the provisions of AB-45 to sue for damages, up to a maximum of three times the actual damages, in addition to expenses, costs, and reasonable attorneys’ fees. The California Attorney General will enforce the new law and can impose penalties of up to $25,000 per violation and injunctive relief. Any collected penalties will be used to fund the California Reproductive Justice and Freedom Fund. The new law takes effect on January 1, 2026.

The post California Strengthens Privacy Protections for Individuals Visiting Family Planning Centers appeared first on The HIPAA Journal.

Orthopedics Rhode Island Agrees to Pay $2.9 Million to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

Orthopedics Rhode Island (Ortho RI) has agreed to pay $2.9 million to settle a class action lawsuit stemming from a 2024 ransomware attack. The ransomware attack was detected by Ortho RI on September 7, 2025, with the forensic investigation confirming unauthorized network access from September 4 to September 8, 2024. Information compromised in the incident included names, addresses, dates of birth, billing and claims information, health insurance claims information, diagnoses, medications, test results, x-ray images, and other treatment information. The data breach was reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 377,731 individuals. The affected individuals were notified about the incident via a November 6, 2024, website notice and individual notifications, which were mailed on December 6, 2024.

Seven class action lawsuits were filed against Ortho RI over the data breach, one of which was dismissed. The remaining actions were consolidated in Lavoie-Soria et al. v Orthopedics Rhode Island, Inc. in Kent County Superior Court of the State of Rhode Island, as the lawsuits had overlapping claims and were based on the same facts. The plaintiffs claim to have suffered injuries due to the attack, including lost or diminished value of their private information, lost opportunity costs associated with mitigating the consequences of the data breach, and out-of-pocket losses associated with the prevention, detection, and recovery from identity theft and fraud. The lawsuit asserted claims of negligence and negligence per se due to the failure to implement reasonable and appropriate cybersecurity measures, breach of implied contract, unjust enrichment, and breach of fiduciary duty.

Ortho RI maintains there was no wrongdoing; however, it chose to settle the lawsuit to avoid the costs, risks, and uncertainty of continuing with the litigation. The class representatives believe the settlement is best for all individuals in the settlement class for the same reasons. Under the terms of the settlement, all class members are entitled to claim two years of medical record monitoring services plus one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses related to the data breach up to a maximum of $5,000 per class member. Alternatively, class members may claim an alternative cash payment, which is anticipated to be around $100. Attorneys’ fees, settlement administration costs, service awards for class representatives, and medical record monitoring costs will be deducted from the settlement fund, after which claims will be paid from the remaining funds.

The deadline for objection to and exclusion from the settlement is December 29, 2025. The deadline for submitting a claim is January 13, 2026, and the final approval hearing has been scheduled for January 28, 2026.

The post Orthopedics Rhode Island Agrees to Pay $2.9 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

72% of Healthcare Orgs Report Disruption to Patient Care Due to Cyberattacks

Posted by Steve Alder

A recent survey of U.S. healthcare IT and cybersecurity professionals found that 93% of the surveyed organizations had experienced at least one cyberattack in the past 12 months, and 72% of those reported that the attacks caused disruption to patient care. The negative impacts were typically delayed intake, increased hospital stays, and increased complications from medical procedures, with 29% of respondents reporting an increase in mortality rate. The problem is getting worse, as last year, 69% of healthcare organizations said cyberattacks had negatively impacted patient care.

The survey was conducted by the Ponemon Institute on behalf of cybersecurity firm Proofpoint on 677 healthcare IT and cybersecurity professionals in the United States. The findings are published in Proofpoint’s report: The 2025 Study on Cyber Insecurity in Healthcare, which looks specifically at the effectiveness of reducing human-targeted cybersecurity risks in the healthcare industry and the cost and impact of cyberattacks on patient safety and care.

Out of the 93% of organizations that experienced a cyberattack, 43 attacks were experienced on average, up from 40 last year. The survey showed that 96% of healthcare organizations experienced at least two incidents involving data loss or exfiltration of patient data, with the majority of respondents reporting that those incidents had a negative impact on patient care.

“Patient safety is inseparable from cyber safety,” said Ryan Witt, vice president of industry solutions at Proofpoint. “This year’s report highlights a stark reality: Cyber threats aren’t just IT issues, they’re clinical risks. When care is delayed, disrupted, or compromised due to a cyberattack, patient outcomes are impacted, and lives are potentially put at risk.”

The report is based on four categories of cyberattacks: cloud/account compromises, supply chain attacks, ransomware attacks, and business email compromise (BEC)/spoofing/impersonation incidents. Supply chain attacks had the biggest impact on patient care, with 87% of victims of supply chain attacks reporting negative impacts such as delayed procedures, poorer outcomes, and increased complications.

When asked about the cost of the single most expensive cyberattack, the answers ranged from $10,000 to more than $25 million, with an average cost of $3.9 million, down from the 2024 average of $4.7 million. The biggest cost was operational disruption, which cost an average of $1,210,172, down 17.6% from last year. Idle time and lost productivity fell by 13.7% year-over-year to an average of $858,832. The average cost of correcting the impact on patient care fell by 21.5% to $853,272, the cost of damage to IT assets and infrastructure fell by 13.8% to $711,060, and the cost of remediation and technical support activities fell by 28.6% to $507,491.

There has been a significant increase in ransomware incidents, which rose from 60% in 2024. While costs are down overall, the cost of ransomware attacks increased from an average of $1.1 million in 2024 to $1.2 million in 2025. The percentage of victims paying the ransom has continued to fall, with 33% of victims choosing to pay compared to 36% last year.

The adoption of AI for security and migration of data to the cloud were the most common protective strategies adopted by healthcare organizations. The survey revealed that 75% of healthcare organizations have or plan to move clinical applications to the cloud, and 30% of respondents use AI for security. The respondents who have adopted AI for security claim the tools are very effective, although 60% said they struggle to protect sensitive data used by AI systems, and the adoption of AI tools is being hampered by interoperability issues and data accuracy problems.

Human error was a key factor in data loss/data exfiltration incidents, with 35% of respondents reporting that data loss was caused by employees not following policies. One-quarter reported data due to privilege access abuse, and one-quarter said it was due to an employee sending PHI to an incorrect recipient. The human factor in cyberattacks is an area being addressed by 76% of organizations. Out of those, 63% said they have regular training and security awareness programs, 51% are monitoring the actions of employees, and 47% are conducting phishing simulations.

“This report underscores the urgent need for healthcare organizations to adopt a human-centric cybersecurity approach—one that not only protects systems and data but also preserves the continuity and quality of care,” said Witt. You can view/download the report here.

The post 72% of Healthcare Orgs Report Disruption to Patient Care Due to Cyberattacks appeared first on The HIPAA Journal.

Five Healthcare Providers Warn Patients About Cyberattacks & Data Breaches

Posted by Steve Alder

Cyberattacks and data breaches have been announced by Crenshaw Community Hospital in Alabama, Waveny LifeCare in Connecticut, Aunt Martha’s Health and Wellness in Illinois, Pulse Urgent Care Center in California, and MyCardiologist in Florida.

Crenshaw Community Hospital

Crenshaw Community Hospital in Luverne, Alabama, has recently announced a security incident. Crenshaw Community Hospital said the incident was detected on June 16, 2025, and involved “network disruption that impacted the functionality and access of certain computer systems.” Third-party cybersecurity experts were engaged to investigate the incident and provide help with securing its environment. The investigation into the attack is ongoing, but it has been determined that certain files were copied from its systems.

The ransomware group, Payouts King, has claimed responsibility for the attack. The group is known to engage in double extortion, stealing data and demanding payment to prevent its publication and for the decryption keys to unlock files. The group claims to have exfiltrated 53 GB of data, and has listed Crenshaw Community Hospital on its dark web data leak site, and claims to have published the entire dataset as the ransom was not paid.

Crenshaw Community Hospital is still reviewing the affected data to determine the individuals affected and the types of data involved. Individual notification letters will be mailed when the file review is concluded. In the meantime, all patients have been advised to remain vigilant against identity theft and fraud by monitoring their account statements, explanation of benefits statements, and free credit reports.

Waveny LifeCare

Waveny LifeCare Network, a New Canaan, Connecticut-based provider of senior living and healthcare services, has experienced a cyberattack that disrupted its network systems. The attack was detected on or around May 28, 2025, and immediate action was taken to contain the incident and secure its systems. Waveny LifeCare engaged third-party cybersecurity experts to assist with the investigation, who confirmed that the attackers accessed certain data on its network.

The investigation and file review are ongoing, but it has been confirmed that the following types of information were involved: name, address, date of birth, admission/discharge date, date of death, telephone number, email address, Social Security number, medical record number, patient account number, facial photographic images, laboratory test results, medical imaging results, driver’s license number, electronic health records, health insurance account or policy number, payment information, Medicare or Medicaid information, and/or financial account number. While sensitive data was accessed, no evidence has been found to date to indicate that any of that information has been misused. Notification letters will be sent to the affected individuals when the file review is concluded.

Aunt Martha’s Health and Wellness

Aunt Martha’s Health and Wellness, a provider of community health, wellness, and support services in Illinois, has fallen victim to a ransomware attack. The attack was detected on August 13, 2025, when suspicious network activity was observed. The forensic investigation confirmed that a threat actor gained access to its computer network on August 12, 2025, exfiltrated sensitive data, and deployed malware that encrypted files. The attack was rapidly contained, and systems and data were restored from backups, without paying the ransom. No evidence has been found to indicate that any of the compromised data has been misused; however, the affected individuals have been advised to remain vigilant against identity theft and fraud.

While the file review is ongoing, Aunt Martha’s Health and Wellness has identified the general categories of information exposed in the incident as name, address, birth date, provider/facility name, medical condition, diagnosis information, treatment information, lab results, prescriptions/medications, personal history, mental health information, insurance/payment amount history information, date(s) of service, Social Security number, medical information, health insurance information, and driver’s license or state identification number. Other information created, used, or disclosed in the course of providing health care services may also have been compromised.

Pulse Urgent Care Center

Pulse Urgent Care Center, which has locations in Redding and Red Bluff in California, is alerting patients about a network security breach that was identified on March 24, 2025.  The incident was investigated and determined to involve network access by an unauthorized third party who deployed malicious software. The attack caused temporary disruption to its IT systems; however, network access and data were rapidly restored from backups, and normal operations were quickly resumed.

The investigation confirmed on May 1, 2025, that some patient data had been exposed and many have been viewed or acquired. The types of data involved vary from individual to individual, and may include names, dates of birth, home addresses, phone numbers, diagnoses, service dates, and treatment information. Pulse Urgent Care Center has strengthened its web server infrastructure and has implemented enhanced safeguards to prevent similar incidents in the future. Individual notification letters state the specific information involved for each individual. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

MyCardiologist

Cardiovascular Medicine Associates, PA, which does business as MyCardiologist, a cardiology practice with nine locations in South Florida, is alerting patients about a cyberattack involving the theft of data from its network. The attack was detected on June 12, 2025, when suspicious activity was observed within its email system. Third-party investigators determined that its email system was compromised on May 30, 2025, and an unauthorized third party had access to its environment until June 12, 2025, when the security breach was identified and blocked. The forensic investigation confirmed that the threat actor copied data from its environment.

Notification letters started to be mailed to the affected individuals on October 7, 2025, following a comprehensive and time-consuming review of the affected data. The review confirmed that names, addresses, dates of birth, clinical information, diagnoses, provider names/locations, and Medicare numbers were compromised in the incident. No evidence has been found to indicate that any of the impacted data has been misused; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Five Healthcare Providers Warn Patients About Cyberattacks & Data Breaches appeared first on The HIPAA Journal.