58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price
A recent study exploring insider cybersecurity threats revealed that a majority of college students would be willing to violate the HIPAA Rules and steal and disclose patient data if they were paid to do so, provided the price was right. The amount of money required ranged from less than $10,000 to more than $10 million. The study was conducted by Lawrence Sanders, professor emeritus, University of Buffalo, Department of Management Science and Systems, and colleagues at the School of Management, and builds on a 2020 study that explored the price of healthcare privacy violations.
The 2020 study, published in JMIR Medical Informatics, was conducted on 523 students (average age of 21) who were about to enter the workforce. The respondents were asked to imagine that they had been employed by a hospital, and were given five scenarios in which they were asked if they would illegally obtain and disclose sensitive health information. 46% of respondents admitted that they would violate HIPAA and patient privacy if the price was right. In one of the scenarios, study participants were asked if they would obtain and disclose a politician’s medical records in exchange for $100,000, if the money was needed to pay for an experimental treatment for their mother that insurance wouldn’t cover. 79% of respondents said they would.
The follow-up study, which focused on cybersecurity insiders, was conducted on 500 undergraduate college students in technology-related programs, who represented future IT workers in the healthcare industry. They were asked to imagine they had been employed by a hospital, were being paid between $30,000 and $100,000, and were under financial stress and had been approached and asked to obtain and leak information about a famous patient at the hospital.
They were informed about HIPAA and how the federal law prohibits unauthorized access to and disclosure of protected health information, yet 58% said they would violate HIPAA in exchange for payment. The amount of money required was less than $10,000 in some cases, and whether they would be tempted – and the amount required – varied depending on the employee’s salary level and the perceived probability of being caught. The higher the employee’s salary, the more money was required to violate HIPAA and steal data. Individuals who had an interest in ethical hacking generally required less money to violate HIPAA, as was the case with individuals with an interest in unethical hacking, if they were assured that they would not be caught.
The study highlights the risk of insider data breaches and the importance of training on the HIPAA Privacy Rule requirements and the consequences of HIPAA violations, and of making clear to all workers that the consequences can be severe when violations are discovered.
“As cyberattacks and data breaches continue to rise, particularly in health care and other data-intensive sectors, our findings underscore the need for organizations to address the human and economic dimensions of cybersecurity alongside traditional technical controls,” said Professor Sanders. “Promoting awareness and education can discourage people from engaging in cybercrime by highlighting the negative consequences and risks associated with it. Initiatives that promote economic opportunity, social inclusion, cybersecurity literacy and a more secure digital environment are part of the solution.”
The post 58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price appeared first on The HIPAA Journal.
Patients of Philadelphia’s Laurel Health Centers Affected by Data Breach
Patients of Laurel Health Centers have been notified that their protected health information was exposed in a July 2025 security incident, and Modern Health has identified unauthorized access to member profiles.
Laurel Health Centers
Laurel Health Centers, a Federally Qualified Health Center network in Northern Pennsylvania, has discovered unauthorized access to its email environment. An investigation was launched on July 14, 2025, to determine the cause of unusual email activity. The investigation determined that an unauthorized third party had access to certain email accounts between July 11, 2025, and July 25, 2025. During that time, emails and files may have been viewed or copied.
The affected email accounts were reviewed and found to contain patient information. The types of information vary from individual to individual and may include names in combination with one or more of the following: address, telephone number, email address, date of birth, Social Security numbers, medical record number, date(s) of service, medical provider, Medicare information, insurance information, diagnostic information, treatment and diagnosis data, insurance carrier, procedure codes, disability status, dental and denture information, immunization record, behavioral health information, Pennsylvania Account ID, account number, credit card information, checking account information and claim information.
Laurel Health Centers said it took time to conclusively determine that the threat actor no longer had access to its systems, hence the delay between discovering the unauthorized activity and confirming that the threat actor had been eradicated from its email environment. The review of the email accounts concluded on December 30, 2025, and notification letters were mailed to the affected individuals shortly thereafter. Complimentary credit monitoring services have been offered to the affected individuals. The incident is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Modern Health
Modern Health, a management support organization that provides services to several affiliated entities, including Modern Health Arizona, Modern Health California, Modern Health New Jersey, Elevate Tele-Medicine Telehealth, and Modern Life, has recently notified the Massachusetts Attorney General about an incident involving unauthorized access to member profiles on its behavioral health platform.
In November 2025, Modern Health determined that an unauthorized individual had accessed a limited number of member profiles. Steps were immediately taken to disable those profiles, and an investigation was launched to determine the extent of the unauthorized activity. The affected profiles were reviewed and found to contain sensitive member data, although Social Security numbers and financial information were not exposed. The review of the affected profiles was completed on January 5, 2026, and the affected individuals were notified via email on January 12, 2026. It is currently unclear how many individuals were affected in total. The Massachusetts Attorney General was informed that two state residents were affected.
Darcelle Skeete Burgess named director of HIPAA Privacy Office at Vanderbilt Health – tntribune.com
Why HIPAA Security Risk Analyses Still Falls Short – Bank Info Security
Reminder: HIPAA Covered Entities and Substance Use Disorder Treatment Providers Must Update Notices of Privacy Practices by February 16, 2026 – Davis Wright Tremaine
Does your Staff Understand the Role of HIPAA Officers?
Most healthcare staff know that HIPAA exists, yet many do not really understand who the HIPAA officers are or how those officers support their daily work. When staff see HIPAA Privacy and Security Officers only as rule enforcers or distant administrators, they miss a key resource that can help them make better decisions, prevent incidents, and resolve problems before they become reportable breaches.
Why it Matters that Staff Understand HIPAA Officer Roles
HIPAA is a moving target. Rules, implementation specifications, technology, and internal processes change over time. No front-line employee can track every update or interpret every nuance alone. The HIPAA Privacy Officer and HIPAA Security Officer exist to take on that responsibility at an organizational level and to translate it into clear, practical guidance for the workforce.
If staff do not understand what these officers do, they are less likely to ask questions when they feel unsure, less likely to report potential incidents quickly, and more likely to handle concerns informally or ignore warning signs. That puts patients, the organization, and the individual employee at greater risk.
The HIPAA Compliance Officer from the Staff Perspective
From the staff perspective, the HIPAA Compliance Officer plays a central and highly visible role in shaping how privacy and security expectations are understood and applied across the organization. Employees look to the compliance officer for practical guidance on how HIPAA requirements affect their specific duties, whether that involves handling patient records, communicating with vendors, responding to information requests, or managing incidents and near misses. The compliance officer is often the primary source of training and awareness, translating complex regulations into clear policies, procedures, and examples that staff can follow with confidence. Beyond training, the role includes listening to employee concerns, encouraging early reporting of potential issues, and creating a safe environment where questions and mistakes can be addressed without fear of retaliation. Staff also depend on the HIPAA Compliance Officer to coordinate audits, monitor compliance activities, and communicate changes in rules or organizational practices in a timely and understandable way. When the role is performed well, employees see the compliance officer as a trusted partner who supports ethical behavior, promotes consistency in decision making, and helps everyone contribute to protecting patient information as part of their everyday work.
The HIPAA Privacy Officer from the Staff Perspective
The HIPAA Privacy Officer is the person charged with building and running the privacy side of your HIPAA program. This role includes developing and implementing workplace privacy policies, making sure training reaches the workforce, and checking whether people actually follow those policies in real work settings.
When privacy rules or organizational practices change, the HIPAA Privacy Officer assesses the risks, updates the policies, and arranges extra HIPAA training so staff know what has changed and why. Staff should understand that this is the person who connects regulatory requirements and internal policies to the way front-line work is done.
The HIPAA Privacy Officer is also the organization’s main point of contact for patients and members of the public who want to exercise HIPAA rights, ask privacy questions, or file complaints. There is an important human element to patient rights for HIPAA Privacy Officers. That means the HIPAA Privacy Officer sits at the center of communication between the organization, its workforce, patients, and regulators. From a staff point of view, this is the person who investigates privacy concerns, decides whether a data breach report is required, and applies sanctions when staff violate privacy or breach notification standards.
Some tasks can be delegated to other senior staff, yet the HIPAA Privacy Officer keeps ultimate responsibility for privacy compliance. When employees understand this, they know where to take questions about policies, patient rights, and privacy complaints, and they can see the officer as a resource rather than just a source of discipline.
The HIPAA Security Officer from the Staff Perspective
The HIPAA Security Officer focuses on the protection of electronic health information. This officer develops and implements security policies and procedures designed to support compliance with the HIPAA Security Rule. That includes not only which technical safeguards the organization uses, but also how staff must use those safeguards in practice.
To support this work, the HIPAA Security Officer conducts HIPAA risk assessments, chooses appropriate security mechanisms, and designs a security awareness training program for the entire workforce. From the employee’s point of view, this is why there are rules about passwords, phishing emails, device use, remote access, and incident reporting. The HIPAA Security Officer turns the broad HIPAA Security Rule into specific expectations for daily behavior.
The HIPAA Security Officer also monitors compliance with security policies and can apply sanctions when staff break those rules, even when the violation is unintentional. This same officer is responsible for plans that protect the confidentiality, integrity, and availability of health information during emergencies. Those plans cover backup processes, contingency operations, emergency mode procedures, and disaster recovery, and staff rely on them when systems fail or disasters occur.
Depending on how roles are distributed, the HIPAA Security Officer may also handle breach reporting, Business Associate Agreements, and responses to external compliance assessments. Staff who understand this role know why certain technical rules exist and who to approach with concerns about security controls or suspicious activity.
HIPAA Officers as Partners, not just Enforcers
Privacy and Security Officers must enforce policies and manage incidents, but their role is not limited to catching errors and imposing discipline. In a healthy compliance culture, these officers are visible and approachable. Many maintain an open door policy and actively encourage staff and students to ask questions, raise concerns, and report possible violations.
When staff see HIPAA officers only as “the people who get you in trouble,” they may hide mistakes or stay silent about near misses. When they see officers as partners who can explain the rationale behind rules and help resolve issues, concerns surface earlier. That early detection can prevent harm, reduce the scope of a breach, and avoid escalation from a minor violation to a major event.
Staff should know who their HIPAA Privacy Officer and Security Officer are, where and how to reach them, and what types of questions or issues belong with each role. A brief introduction at orientation and early in role-based training can make later conversations much easier.
Risks when Staff do not Understand HIPAA Officer Roles
If staff cannot explain what the Privacy and Security Officers do, they are less likely to use those roles effectively. They may send patient complaints to the wrong place or fail to escalate a serious privacy concern. They might treat training as a one-time requirement without realizing that officers use training to communicate important policy changes. They may also assume that small violations do not need to be reported if no one seems hurt.
That lack of understanding undermines incident management and can harm the organization’s response to audits and investigations. It also increases personal risk for staff, because unreported or mishandled issues are more likely to resurface later in a worse form.
What Training for Staff about HIPAA Officers Should Cover
HIPAA training should give a clear picture of the HIPAA Privacy Officer’s responsibilities in language that fits staff experience. That includes policy development, workforce training, privacy monitoring, patient-facing duties, investigation of alleged violations, and coordination with regulators and business associates. Staff should hear how those responsibilities show up in daily practice, such as updated privacy notices, revised authorization forms, or follow-up after a complaint.
Training should also cover the HIPAA Security Officer’s responsibilities. Staff need to understand that this officer oversees security policies, risk assessments, security awareness training, monitoring of technical and procedural safeguards, and emergency planning for information systems. The training should link common expectations, such as mandatory security modules or new login procedures, back to the Security Officer’s role so staff can see the connection.
A section of the training should focus on communication. Staff should learn that HIPAA Officers are available to answer questions, clarify procedures, and discuss concerns. The HIPAA training content should encourage staff to contact the HIPAA officers.
Training should also explain the boundary between delegation and ultimate responsibility. Staff should understand that while some tasks may be assigned to supervisors, managers, or other specialists, the named officers still carry overall responsibility for HIPAA compliance.
Electronic Medical Records and HIPAA
Electronic medical records can be fully HIPAA compliant, but interoperability, unique user access controls, business associate agreements, and role based workforce training create practical risks that must be managed through proper configuration and HIPAA Security Rule safeguards. Keeping up with the requirements for Electronic Medical Records and HIPAA compliance can be challenging due to frequent updates to CMS’ Promoting Interoperability Programs and changes to the HIPAA Privacy Rule.
Note: For the purposes of discussing Electronic Medical Records and HIPAA compliance, this article uses the 2022 definitions of an Electronic Medical Record (EMR) and an Electronic Health Record (EHR) provided by HHS’ Office of Information Security:
“An EMR allows the electronic entry, storage, and maintenance of digital medical data. An EHR contains the patient’s records from doctors and includes demographics, test results, medical history, history of present illness (HPI), and medications. EMRs are part of EHRs”.
Are Electronic Medical Records Interoperable?
An Electronic Medical Record is a digital version of a patient’s medical record. A “standalone” Electronic Medical Record usually contains Protected Health Information (PHI) provided to a single healthcare provider, which can only be accessed by the single healthcare provider or a member of the healthcare provider’s workforce using the same login credentials.
Electronic Medical Records can be interoperable depending on their capabilities and their compatibility with an Electronic Health Record. In some cases, it may be necessary to install a third party plug-in between an EMR and an EHR to facilitate connectivity, and this may result in partial or full interoperability depending on the capabilities of the plug-in.
Electronic Medical Records and HIPAA Challenges
Before even discussing the HIPAA security requirements for Electronic Medical Records, there are HIPAA compliance challenges for EMR users. In the case of “standalone” Electronic Medical Records, it is a violation of HIPAA’s access control standard (unique user identification) for two or more members of the workforce to share the same login credentials.
In the case of an Electronic Medical Record being connected to an interoperable Electronic Health Record, it will be necessary to enter into a Business Associate Agreement with the vendor of the EHR, and – if a plug-in is used to facilitate connectivity with an EHR – with the vendor of the plug-in if the plug-in is provided by a third party (e.g. not the vendor of the EMR).
HIPAA Security Requirements for EMRs
The HIPAA security requirements for EMRs are that covered entities and business associates must ensure the confidentiality, integrity, and availability of PHI created, received, maintained, or transmitted by an Electronic Medical Record, and protect against any reasonably anticipated threats or hazards to the security of PHI stored on, or transmitted by, an EMR.
The standards that govern how healthcare providers should comply with the HIPAA security requirements for EMRs are contained within the Security Rule. However, HHS’ Office for Civil Rights is intending to introduce new Security Rule standards in 2024, and these may also be adopted by CMS as a condition of participation in Medicare and Medicaid.
Other HIPAA/EMR Compliance Requirements
The other HIPAA/EMR compliance requirements include that covered entities and business associates must protect against impermissible uses and disclosures of PHI by members of the workforce. This means members of the workforce must receive HIPAA training on which uses and disclosures are permitted by the Privacy Rule.
In the context of Electronic Medical Records and HIPAA compliance, the training should include an explanation of the difference between patient consent and patient authorization. It should also include circumstances in which PHI relating to reproductive health can only be disclosed with an attestation that it will not be further disclosed for a prohibited purpose.
Risks Attributable to Promoting Interoperability
The Promoting Interoperability program is an incentive program that evolved from the measures included in the HITECH Act of 2009 to promote and expand the adoption of technology in healthcare and use the technology – particularly EMRs and EHRs – to improve the quality of healthcare, patient safety, and efficiency in service delivery.
Because it is an incentive program based on a scoring system, it is possible for healthcare providers to take shortcuts with HIPAA compliance in order to achieve the maximum scores for objectives such as electronic prescribing, health information exchanges, and provider to patient exchanges – especially if an EMR only has partial connectivity with an EHR.
What is a HIPAA Compliant EMR?
A HIPAA compliant EMR is an Electronic Medical Record that has the capabilities to support HIPAA compliance, that is configured to mitigate reasonably anticipated threats or hazards to the security of PHI, and that is used by authorized members of the workforce in compliance with HIPAA – i.e., separate login credentials for each member of the workforce.
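The unique user identification point made here and under “Electronic Medical Records and HIPAA Challenges” is one a security officer can check for rather than take on trust. The following script is an added example (not from this article or any EMR vendor) that scans a constructed EMR access audit log for one account active on two different workstations at nearly the same time, a common symptom of shared login credentials; the log format and window length are assumptions for the example.

```python
"""Flag probable shared EMR credentials from an access audit log.

Added example. The HIPAA Security Rule's unique user identification
standard requires one account per workforce member. A single account
generating activity from two workstations within a few minutes is a
practical indicator that credentials are being shared. The CSV log
format (timestamp,user,workstation,action) is constructed for this
example and is not any real EMR's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log lines (not real data).
SAMPLE_LOG = """\
2025-07-11T08:02:10,jsmith,WS-ER-01,VIEW_CHART
2025-07-11T08:03:45,jsmith,WS-ER-07,VIEW_CHART
2025-07-11T08:04:02,jsmith,WS-ER-01,UPDATE_MEDS
2025-07-11T09:15:00,agarcia,WS-ICU-03,VIEW_CHART
2025-07-11T11:40:12,agarcia,WS-ICU-05,VIEW_CHART
2025-07-11T13:00:00,frontdesk,WS-REG-01,SCHEDULE
2025-07-11T13:00:30,frontdesk,WS-REG-02,SCHEDULE
"""


def parse_log(text):
    """Parse the constructed CSV format into time-sorted (time, user, workstation) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, workstation, _action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, workstation))
    return sorted(events)


def find_concurrent_use(text, window=timedelta(minutes=5)):
    """Return {user: sorted list of (workstation_a, workstation_b) pairs} for
    accounts seen on two different workstations within `window` of each other.

    A clinician moving between rooms legitimately uses several workstations
    over a shift (agarcia in the sample), so the check keys on near-simultaneous
    use rather than on the number of workstations per day.
    """
    by_user = defaultdict(list)
    for when, user, workstation in parse_log(text):
        by_user[user].append((when, workstation))

    findings = defaultdict(set)
    for user, events in by_user.items():
        for i, (t1, ws1) in enumerate(events):
            for t2, ws2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are time-sorted; later ones are farther apart
                if ws1 != ws2:
                    findings[user].add(tuple(sorted((ws1, ws2))))
    return {user: sorted(pairs) for user, pairs in findings.items()}


if __name__ == "__main__":
    for user, pairs in find_concurrent_use(SAMPLE_LOG).items():
        print(f"{user}: concurrent use across workstations {pairs}")
```

A finding here is a lead for the Security Officer to review with the department, not proof of a violation by itself; a terminal-server session or a misattributed workstation name can produce the same pattern.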
Depending on how the EMR connects with an EHR or other healthcare systems (e.g., via Epic Community Link), it will be necessary to enter into one or more Business Associate Agreements before the EMR is used to create, receive, maintain, or transmit PHI. It is also recommended to advise patients on how to use any connected patient portal securely.
Conclusion: Electronic Medical Records and HIPAA Compliance
While HIPAA regulates the management of Electronic Medical Records, there can be several challenges to HIPAA compliance. These challenges can be exacerbated by the desire to achieve the maximum score for CMS Promoting Interoperability Program – potentially resulting in avoidable risks to the privacy and security of PHI when compliance shortcuts are taken.
Not all healthcare providers have the resources or knowledge to implement a HIPAA compliant EMR, configure it to mitigate threats and hazards, and provide adequate training to members of the workforce. If your organization encounters challenges with Electronic Medical Records and HIPAA compliance, it is recommended you speak with a healthcare compliance professional.