CISA Issues Guidance for Proactively Defending Against Insider Threats – The HIPAA Journal
CISA Issues Guidance for Proactively Defending Against Insider Threats The HIPAA Journal
CISA Issues Guidance for Proactively Defending Against Insider Threats
Insider threats are one of the leading causes of data breaches in healthcare, more so than in many other industry sectors. A 2018 study by Verizon found insider incidents outnumbered incidents involving external parties, with 56% of healthcare data breaches due to insiders and 43% due to external actors. A study by the cybersecurity firm Metomic found that the percentage of healthcare organizations reporting no insider incidents has declined from 34% in 2019 to 24% in 2024.
Insider incidents can stem from a lack of knowledge about HIPAA or disregard for patient privacy, such as when healthcare employees snoop on medical records. Negligent insiders can easily expose patient data by failing to follow the organization’s policies and procedures, and malicious insiders steal patient information for financial gain or revenge. Copying patient information to take to a new practice or employer is also common.
Due to the high risk of insider threats in healthcare and other critical infrastructure sectors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging critical infrastructure organizations to take decisive action against insider threats, and has published a new resource specifically developed for critical infrastructure organizations and state, local, tribal, and territorial (SLTT) governments to help them assemble a multi-disciplinary insider threat management team. The guidance includes proven strategies for proactively preventing, detecting, mitigating, and responding to insider threats.
Insiders have institutional knowledge and legitimate access rights, allowing them to easily access and steal sensitive data, and detecting insider breaches can be a challenge. Insider incidents can cause significant harm to healthcare organizations, including reputational damage, revenue loss, and harm to people and key assets. “Whether driven by intent or accident, insider threats pose one of the most serious risks to organizational security and resilience- demanding proactive measures to detect, prevent, and respond,” explained CISA.
“Insider threats remain one of the most serious challenges to organizational security because they can erode trust and disrupt critical operations,” said Acting CISA Director Dr. Madhu Gottumukkala. “CISA is committed to helping organizations confront this risk head-on by delivering practical strategies, expert guidance, and actionable resources that empower leaders to act decisively — building resilient, multi-disciplinary teams, fostering accountability, and safeguarding the systems Americans rely on every day.”
Combating insider threats requires an insider threat mitigation program that includes physical security, cybersecurity, personnel awareness, and partnerships with the community, and assembling a multi-disciplinary insider threat management team is a critical part of that process. The threat management team should oversee the insider threat management program, monitor for potential threats, and act quickly to mitigate the consequences of negligent and malicious insider actions. With an effective insider threat management team in place, organizations can reduce the damage and frequency of insider threat incidents.
A threat management team will be far more effective than any one individual, with teams able to be scaled and adjusted in scope and capability as the organization matures and evolves. Having a range of insider threat subject matter experts will allow the organization to obtain varied perspectives and generate more accurate and holistic threat assessments. Team members should include threat analysts, general counsel, human resources, the CISO, CSO, as well as external parties, including investigators, law enforcement, and medical or mental health counselors.
In the guidance, CISA offers a framework consisting of four stages – Plan, Organize, Execute, and Maintain (POEM). The Plan stage allows the organization to structure and scope the role of the threat management team. The Organize phase involves the team guiding employee awareness, creating a culture of reporting, and providing the necessary support to relevant departments to identify potential insider threat activity. The Execute phase involves upholding the insider threat mitigation program, and the Maintain phase is concerned with developing the threat management team to ensure it remains effective over time.
“Insider threats can disrupt operations, compromise safety, and cause reputational damage without warning. Organizations with mature insider threat programs are more resilient to disruptions, should they occur. People are the first and best line of defense against malicious insider threats, and organizations should act now to safeguard their people and assets,” said CISA Executive Assistant Director for Infrastructure Security Steve Casapulla.
The post CISA Issues Guidance for Proactively Defending Against Insider Threats appeared first on The HIPAA Journal.
Patients Learn Their Health Data Was Compromised More Than a Year Ago – The HIPAA Journal
Patients Learn Their Health Data Was Compromised More Than a Year Ago The HIPAA Journal
Patients Learn Their Health Data Was Compromised More Than a Year Ago
Alpine Ear, Nose, and Throat in Colorado, The Phia Group in Massachusetts, and Community Health Northwest Florida have started notifying patients that their personal and health information was impermissibly accessed over a year ago.
Alpine Ear, Nose, and Throat, Colorado
Alpine Ear, Nose, and Throat in Fort Collins, Colorado, has mailed notification letters to 65,648 individuals warning them that some of their protected health information was exposed in a security incident identified by Alpine ENT on November 19, 2024. Alpine ENT engaged its managed service provider to investigate the incident, and it was confirmed that an unauthorized third party accessed and exfiltrated files containing patients’ protected health information.
Alpine ENT’s legal counsel explained in the notification letters that a substitute data breach notice was published on the Alpine ENT website on January 17, 2025, although at the time, the investigation was ongoing. The data mining and review processes were completed on October 9, 2025, and in the subsequent months, Alpine ENT worked to verify the impacted individuals and obtained up-to-date contact information. Notification letters were mailed to the affected individuals on January 30, 2026, 14 months after the breach was first identified.
The BianLian ransomware group claimed responsibility for the attack and added Alpine ENT to its data leak site in early December 2024. Data compromised in the incident included names, demographic information, dates of birth, medical information, health information, financial account information, credit card numbers, CVC, and expiration dates, and Social Security numbers. At the time of issuing notifications, Alpine ENT said it had not identified any instances of identity theft as a result of the incident; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.
The Phia Group, Massachusetts
The Phia Group, LLC, a Canton, Massachusetts-based provider of healthcare cost containment services to health benefit plans and their third-party administrators, has recently notified individuals about a July 2024 security incident that exposed personal and protected health information. According to The Phia Group, an intrusion was detected on July 9, 2024, and the investigation confirmed that its network had been subject to unauthorized access between July 8, 2024, and July 9, 2024. During that time, files containing sensitive data may have been acquired.
A review was conducted to identify the affected clients, the types of data involved, and the affected individuals. The affected clients were notified, and The Phia Group coordinated with them to issue notifications. Data potentially compromised in the incident included names, addresses, dates of birth, Social Security numbers, financial account information, driver’s license/state ID numbers, health insurance information, and medical information, including provider information, treatment information, prescriptions, and Medicare/Medicaid information. Data security has been enhanced to prevent similar incidents in the future, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.
Community Health Northwest Florida
On January 26, 2026, Community Health Northwest Florida (CHNF) started notifying individuals about a security incident that was identified on December 24, 2024. CHNF engaged third-party cybersecurity experts to investigate the activity, who confirmed that an unauthorized third party had accessed files on its network that contained patient information.
CHNF said it conducted a comprehensive and time-consuming review and engaged a data mining company to identify the affected individuals. It took until January 19, 2026, to obtain the full list of affected individuals, and notification letters were mailed 10 days later. Data compromised in the incident included names, dates of birth, Social Security numbers, driver’s license or state identification card numbers, financial account numbers, credit or debit card numbers, patient identification and medical record numbers, medical information, and health insurance information.
CHNF has updated its policies and procedures, implemented additional technical safeguards, and enhanced its security measures to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.
The post Patients Learn Their Health Data Was Compromised More Than a Year Ago appeared first on The HIPAA Journal.
Bayada Home Health Care Affected by Doctor Alliance Data Breach – The HIPAA Journal
Bayada Home Health Care Affected by Doctor Alliance Data Breach The HIPAA Journal
Bayada Home Health Care Affected by Doctor Alliance Data Breach
Bayada Home Health Care, a New Jersey-based home healthcare provider serving 22 U.S. states, has recently announced a data breach involving a third-party vendor, Doctor Alliance. Doctor Alliance provides services that facilitate physician signatures on clients’ Home Health Certifications and Plans of Care, which involve access to patients’ protected health information.
On December 4, 2025, Doctor Alliance notified Bayada Home Health Care about a cybersecurity incident involving access and potential acquisition of client data by an unauthorized third party. According to Doctor Alliance, an unauthorized third party had access to the Doctor Alliance network between October 31 and November 6, 2025, and November 14 and 17, 2025. During that time, Home Health Certification and Plan of Care forms may have been acquired.
Bayada Home Health Care said it is not aware that any of its forms were copied; however, unauthorized data access could not be ruled out. The exposed forms contained a range of sensitive patient information, including names, dates of birth, diagnoses, medical/physical treatment information, provider information, health insurance plan information, prescription information, hospital admissions/discharges, and disability information, and for a subset of individuals, Social Security numbers.
Bayada Home Health Care said it has discontinued using Doctor Alliance as a vendor in response to the data breach. A review has been conducted of its policies and procedures relating to third-party vendors, and steps have been taken to minimize the risk of similar incidents in the future. The data breach has been reported to state attorneys general and the HHS’ Office for Civil Rights. The incident is not currently listed on the OCR data breach portal, so it is unclear how many individuals have been affected.
Marion County Public Health Department, Indiana
Marion County Public Health Department in Indiana has identified an insider incident involving unauthorized access to the protected health information of 792 clients. An employee was discovered to have accessed more than the necessary patient information to complete their job duties, including names, addresses, dates of birth, and lab test results for clients who received tests that were processed by the Marion County Public Health Department lab.
Marion County Public Health Department said it has found no evidence to suggest that any of the accessed information has been misused and stressed that no financial information was accessed by the employee. In response to the incident, further training has been provided to staff members on the HIPAA minimum necessary standard and its internal policies, and technical safeguards have been enhanced to limit access to protected health information to the minimum necessary for job duties.
The post Bayada Home Health Care Affected by Doctor Alliance Data Breach appeared first on The HIPAA Journal.
Employer Action Needed: HIPAA Notice Revisions Required for Substance Use Disorder Record Protections – JD Supra
December 2025 Healthcare Data Breach Report – The HIPAA Journal
December 2025 Healthcare Data Breach Report The HIPAA Journal
December 2025 Healthcare Data Breach Report
In the final month of 2025, a further 41 healthcare data breaches affecting 500 or more individuals were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) by HIPAA-regulated entities. December’s total was the joint second-lowest monthly total of the year and the fourth month in a row where data breaches have been reported in unusually low numbers. Over the past four months, an average of 40.75 large data breaches have been reported per month, compared to an average of 66.5 large data breaches per month for the preceding four months. December 2025’s total is the lowest December total since 2019.
One possible explanation for the unusually low total is the 43-day government shutdown, due to the failure of Congress to pass appropriations legislation. All but non-essential staff at the HHS were furloughed, during which time no breach reports were added to the OCR breach portal. While data breach reports have now been added to the breach portal for that period, it is possible that OCR has yet to fully clear the backlog, and the totals for September to December may increase over the coming weeks.
As it stands, there are currently 697 data breaches listed for 2025, a 6% reduction from the 742 large data breaches reported in 2024. The 697 total will almost certainly increase. When we compiled our December 2024 healthcare data breach report on January 20, 2025, 721 large healthcare data breaches were listed. A further 21 were added to the breach portal for 2024 in the following weeks and months.
Across the 41 healthcare data breaches currently listed for December 2025, the protected health information of only 345,564 individuals was exposed or impermissibly disclosed. The number of affected individuals in each of the past four months has also been atypically low, with an average of 1,336,061 individuals affected each month. For the preceding four months (May to August), the average monthly total was 8,181,449 individuals. The totals for the past four months will certainly increase, as many data breach investigations are ongoing, and it has yet to be determined how many individuals have been affected.
December 2025’s 346,564 affected individuals is the lowest monthly total since December 2017, when 343,260 individuals were affected. Currently, 60,976,942 individuals are known to have been affected by healthcare data breaches in 2025, a 78.9% reduction from 2024, although 2024’s total includes the gargantuan data breach at Change Healthcare, which affected 192,700,000 individuals.
Largest Healthcare Data Breaches Reported in December 2025
Only five data breaches were reported in December that affected 10,000 or more individuals, the largest of which was a hacking incident at the Rochester, NY-based medical supply fulfillment organization, Fieldtex Products. While Fiedtex Products reported a breach affecting 104,071 individuals, in December, a total of four separate breach reports were filed with OCR by Fieldtex Products, affecting a total of 139,009 individuals, plus a further breach report was filed in November, affecting 35,748 individuals. These five incidents are thought to be due to the same hacking incident detected by Fieldtex Products on August 19, 2025.
AllerVie Health, a Texas-based network of allergy and asthma centers, fell victim to a ransomware attack in November 2025, with the hackers found to have had access to its network from October 24, 2025, to November 3, 2025. The Anubis ransomware group claimed responsibility for the attack. Medical Center LLP, doing business as Dublin Medical Center in Georgia, experienced a hacking incident that affected 20,641 individuals, and Variety Care in Oklahoma was affected by a cyberattack on its business associate TriZetto, a provider of administrative services to HIPAA-regulated entities. Variety Care was one of many covered entities affected by the data breach. While the total number of affected individuals has yet to be confirmed, the Trizetto data breach is now known to have affected more than 700,000 individuals.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| Fieldtex Products, Inc. | NY | Business Associate | 104,071 | Hacking incident |
| AllerVie Health | TX | Healthcare Provider | 80,521 | Ransomware attack (Anubis) |
| Medical Center, LLP | GA | Healthcare Provider | 32,090 | Hacking incident |
| Fieldtex Products, Inc. | NY | Business Associate | 20,641 | Hacking incident |
| Variety Care | OK | Healthcare Provider | 17,163 | Hacking incident at business associate (TriZetto Provider Solutions) |
Six data breaches were reported in December 2025, with totals of 500 or 501 affected individuals. These are commonly used ‘placeholder’ estimates when the investigation is still ongoing as the deadline for reporting the data breach to OCR approaches. These totals will almost certainly increase and will be updated when the data breach investigations are concluded.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| Associated Radiologists of the Finger Lakes, P.C. | NY | Business Associate | 501 | Hacking Incident |
| Glendale Obstetrics & Gynecology PCA | AZ | Healthcare Provider | 501 | Hacking Incident |
| Reproductive Medicine Associates of Michigan | MI | Healthcare Provider | 501 | Hacking incident – Data theft confirmed |
| Mitchell County Department of Social Services | NC | Healthcare Provider | 501 | Ransomware attack – Data theft confirmed |
| Greater St. Louis Oral & Maxillofacial Surgery PC | MO | Healthcare Provider | 501 | Compromised email account in a phishing attack |
| Madison Healthcare Services | MN | Healthcare Provider | 500 | Hacking incident – Worldleaks threat group claimed responsibility |
Causes of December 2025 Healthcare Data Breaches
Hacking and other IT incidents accounted for 80.5% of the month’s data breaches, with 33 such incidents reported, affecting 327,095 individuals – 94.4% of the month’s total. The average breach size was 9,912 individuals, and the median breach size was 2,511 individuals. There were 8 unauthorized access/disclosure incidents in December, affecting 19,469 individuals. The average breach size was 2,434 individuals, and the median breach size was 1,469 individuals. No loss, theft, or improper disposal incidents were reported in December.
The most common location of breached protected health information was network servers, followed by six incidents involving compromised email accounts.
Where did the Data Breaches Occur?
Healthcare providers were the worst-affected regulated entities in December, reporting 29 of the month’s 41 data breaches (191,900 individuals). Six data breaches were reported by health plans (12,272 individuals) and six by business associates (142,392 individuals). When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure that breach notifications are sent and OCR is notified. The covered entities may choose to delegate the notification responsibilities to the business associate, although oftentimes, the affected HIPAA-covered entities report the breach. For instance, covered entities affected by the data breach at Trizetto Provider Solutions reported the breach, even though it occurred at their business associate (or subcontractor of their business associate). To better reflect business associates, the charts below show data breach figures based on where the data breach occurred, rather than the entity reporting the data breach.
Geographic Distribution of Healthcare Data Breaches
California was the worst-affected state in December in terms of data breaches, with nine HIPAA-regulated entities known to have been affected. The high total is due to the data breach at Trizetto Provider Solutions, which was either a business associate of a subcontractor of a business associate of six of the nine affected entities. New York ranked second, but four of its five data breaches were reported by the same entity, Fieldtex Products.
| State | Data Breaches |
| California | 9 |
| New York | 5 |
| Texas | 4 |
| Maryland, Michigan, Minnesota, Missouri, Oklahoma, Oregon & Tennessee | 2 |
| Arizona, Florida, Georgia, Illinois, Louisiana, Maine, Massachusetts, North Carolina & Ohio | 1 |
While California topped the list for data breaches, New York was the worst state in terms of the number of affected individuals, followed by Texas.
| State | Individuals Affected |
| New York | 140,320 |
| Texas | 85,728 |
| Georgia | 32,090 |
| California | 31,013 |
| Oklahoma | 18,275 |
| Missouri | 9,343 |
| Oregon | 6,473 |
| Louisiana | 4,519 |
| Maryland | 4,027 |
| Tennessee | 3,138 |
| Illinois | 2,511 |
| Massachusetts | 1,638 |
| Ohio | 1,629 |
| Michigan | 1,560 |
| Maine | 1,259 |
| Florida | 1,036 |
| Minnesota | 1,003 |
| Arizona | 501 |
| North Carolina | 501 |
HIPAA Enforcement Activity in December 2025
In December, OCR announced one HIPAA enforcement action that involved a financial penalty. Texas-based Concentra, Inc., was investigated after OCR received a complaint from an individual who had not been provided with timely access to his medical and billing records. Concentra agreed to settle the alleged HIPAA Right of Access violation and paid a $112,500 penalty. This was the 54th financial penalty under the HIPAA Right of Access enforcement initiative, which commenced in late 2019 and is ongoing. It has been a busy year of HIPAA enforcement, with OCR resolving 21 HIPAA violation cases with regulated entities in 2025 with a financial penalty. OCR collected $8,330,066 in penalties from those enforcement actions.
State attorneys general also enforce the HIPAA Rules, although 2025 was a quiet year, with only one financial penalty imposed to resolve a data breach investigation. Orthopedics NY LLP (OrthoNY) paid $500,000 to settle alleged cybersecurity failures that led to a breach of the protected health information of more than 656,000 individuals. The New York Attorney General cited violations of HIPAA and state cybersecurity laws.
The post December 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.