Security Researcher Identifies Exposed 150,000-record Home Health Care Database

Cybersecurity researcher Jeremiah Fowler has found an exposed 23.7 GB database containing more than 145,000 files, such as PDFs, PNGs, and other image files. The database has been linked to the California home health and palliative care provider, Archer Health. Fowler analyzed a sample of the files and identified patient names, contact information, Social Security numbers, and patient ID numbers. The files included medical documents such as discharge summaries, which included health information such as conditions, diagnoses, admission and discharge dates, treatment information, care plan information, as well as assessments and home health certifications.

Many of the image files were screenshots of healthcare management software that showed active dashboards, logging, tracking, and scheduling details. Some of the folder names included patients’ first and last names – a bad security practice. As Fowler pointed out, personally identifiable information such as patient names can easily be exposed through error or monitoring logs. Fowler was able to link the database to Archer Health and notified the company about the exposed database, which was secured within hours and is no longer accessible. Archer Health thanked Fowler for bringing the matter to their attention and confirmed that an investigation had been launched, and any security issues that led to the exposure would be addressed.

It was not possible to tell how long the database was exposed, if it was accessed or copied by any unauthorized individuals, or whether the database was maintained by Archer Health or one of its vendors. Since only a sample of files was analyzed, it is unclear how many patients had their data exposed.

Mailing Error Impacts More Than 3,100 Arizonans

The Arizona Health Care Cost Containment System (AHCCCS), Arizona’s Medicaid agency, has notified 3,177 members about an impermissible disclosure of a limited amount of protected health information. On August 29, 2025, a mailing error was identified with a routine mailing regarding members’ health plan enrollment when a member called AHCCCS after receiving a misdirected letter.

The mailing was immediately halted, and an investigation was launched to determine the cause of the error, the individuals affected, and the information involved. The letters did not include any highly sensitive information, such as Social Security numbers, only a member’s name, AHCCCS identification number, and health plan name. In each case, the letters were sent to one incorrect recipient. AHCCCS said it has conducted a review of its mailing processes and procedures and has taken steps to prevent similar mis-mailings in the future.

The post Security Researcher Identifies Exposed 150,000-record Home Health Care Database appeared first on The HIPAA Journal.

Flo Health; Google; Flurry to Pay $59.5M to Settle Privacy Lawsuit

A settlement has been finalized to resolve litigation against Flo Health, Inc., Google LLC, and Flurry, Inc., over the use of tracking code in Flo Health’s fertility tracking app. Under the terms of the settlement, the defendants will pay almost $60 million to cover legal costs, expenses, and benefits for the plaintiffs and class members.

The Flo Health app is one of the most popular health and wellness apps and has over 38 million monthly users. Prior to using the app, users are asked a series of personal questions about their general, sexual, and gynecological health and menstrual cycles. Further questions are asked as use of the app continues, with the answers used to provide tailored health and wellness advice. Users are told that their information will remain private and confidential and will not be shared with any third parties unless consent is provided, yet code within the app (software development kits) shared that data with the defendants, without the knowledge or consent of app users.

Several lawsuits were filed against Flo Health and the other defendants, which were consolidated into a single action because the actions had overlapping claims – Erica Frasco, et al v. Flo Health, Inc., Meta Platforms, Inc., Google, LLC, and Flurry, Inc. The lawsuit alleged common law invasion of privacy – intrusion upon seclusion, invasion of privacy, violation of the California Constitution, breach of contract, breach of implied contract, unjust enrichment, and violations of the Stored Communications Act, the California Confidentiality of Medical Information Act, Cal. Bus. & Prof. Code, and the Comprehensive Computer Data Access and Fraud Act.

Meta Platforms Inc. was also a named defendant; however, Meta chose not to settle, and the case proceeded to a jury trial. The jury sided with the plaintiffs and found that Meta was in violation of the California Invasion of Privacy Act. Meta Platforms intends to file an appeal. While the settlement was announced in July, the details have only recently been provided to Judge James Donato in the U.S. District Court for the Northern District of California, San Francisco Division. Under the terms of the settlement, $59.5 million will be paid by the defendants: Google has agreed to pay $48 million, Flo Health will pay $8 million, and Flurry will pay $3.5 million. Flo Health has also committed to ensuring app users’ privacy, and will display a prominent notice on its website to that effect for a period of one year following final approval of the settlement.

Attorneys for the plaintiffs will receive one-third of the settlement amount, which will also cover legal expenses, settlement administration costs, and service awards for the eight named plaintiffs. The remainder of the settlement will be used to pay for benefits for the class members. The class consists of all app users who used the app between November 1, 2016, and February 28, 2019.


Bayhealth Medical Center Agrees to Settle 2024 Data Breach Lawsuit

Bayhealth Medical Center in Dover, Delaware, has agreed to settle a proposed class action lawsuit stemming from a 2024 ransomware attack. The attack was detected on July 31, 2024, when suspicious activity was observed within its computer network. The forensic investigation determined that the threat actor had access to its systems from July 27 to July 31, 2024, and that files were exfiltrated during the attack. The data breach was reported to the HHS’ Office for Civil Rights on October 14, 2024, as involving the electronic protected health information of 497,047 individuals. The stolen files contained patients’ names, medical information, and Social Security numbers. The Rhysida ransomware group claimed responsibility for the attack and uploaded samples of the stolen data to its dark web data leak site, including identification documents, Social Security numbers, contact information, and other sensitive patient data.

Rhysida is a ransomware-as-a-service group that has been in operation since at least 2023. The group engages in double extortion tactics, demanding payment for the decryptor and to prevent the publication or sale of stolen data. Rhysida often states that stolen data will be auctioned to the highest bidder, only leaking the data if a buyer cannot be found. The lawsuit claims that Rhysida demanded a 25 Bitcoin ransom, which at the time was valued at approximately $1.4 million, and gave a payment deadline of August 14, 2024.

Bayhealth was quick to notify patients about the incident, adding a notice to its Facebook page on August 3, 2024. Then, on August 7, 2024, the CEO of Bayhealth confirmed publicly that the company was aware of Rhysida’s claim of data theft and the posting of certain data on the group’s data leak site. Bayhealth patient Sally Cannon Dunlop discovered in August 2024 that some of her ePHI had been published on the dark web, which she believed came from the attack on Bayhealth. Later that month, she filed a lawsuit individually and on behalf of other similarly situated individuals, alleging negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty, and seeking compensatory, exemplary, punitive, and statutory damages.

Dunlop alleges that Bayhealth failed to implement reasonable and appropriate safeguards to protect patient data, and that the ransomware attack was the latest in a string of hacking-related data breaches that were a result of a failure of Bayhealth to follow FTC guidelines and comply with the HIPAA Rules. Bayhealth denies any wrongdoing; however, last month, following mediation, it agreed to settle the litigation. The details of the settlement are being finalized, and the settlement agreement is due to receive preliminary approval in early October.


Cyber Insurance Claims Fall But Ransomware Losses Increase

There’s good and bad news on the ransomware front. Attacks are down year-over-year; however, successful attacks are proving even costlier to mitigate, according to the Mid-Year Risk Report from the cyber risk management company Resilience. The company saw a 53% reduction in cyber insurance claims in the first half of the year, which indicates organizations are getting better at preventing attacks; however, when ransomware attacks succeed, they have been causing increased financial harm, with losses up 17% year-over-year. While ransomware accounted for just 9.6% of claims in H1 2025, ransomware attacks accounted for 91% of incurred losses.

On average, a successful ransomware attack causes $1.18 million in damages, up from $1.01 million in 2024, and the cost is even higher in healthcare. Resilience’s healthcare clients suffered average losses of $1.3 million in 2024, and in the first half of 2025, some healthcare providers faced extortion demands as high as $4 million. While it is too early to tell what the severity of claims will be in 2025 until claims are settled, Resilience said there are indications that the average severity of incurred losses for healthcare ransomware attacks this year could be $2 million, up from an average of $705,000 in 2024 and $1.6 million in 2023.

One of the most active ransomware groups this year has been Interlock, which has attacked many healthcare organizations. In a concerning development, Interlock has been observed stealing cyber insurance policies and using them to benchmark and set higher ransom demands. In at least two ransomware attacks, the threat actor referenced the victim’s cyber insurance policy in the ransom demands, and in at least one case, set the ransom demand to just below the policy payout limit.

Resilience warns that cyberattacks are increasing in sophistication and that AI is increasingly being leveraged for social engineering and phishing campaigns. Social engineering and phishing attacks were linked to 88% of incurred losses in H1 2025. AI-assisted phishing campaigns are more difficult for users to identify and for organizations to block. The success rate of traditional phishing and social engineering attempts is 12%, compared to 54% for AI-assisted attacks. Resilience reports that 1.8 billion credentials were compromised in H1 2025 alone, an increase of 800% since January 2025. Social engineering and phishing stood out as leading causes of attacks, along with the inadvertent disclosure of sensitive data due to errors made using tracking technologies.

HIPAA Security Rule Compliance May Not Sufficiently Reduce Risk

Resilience cited one example of a healthcare provider that had invested significantly in cybersecurity yet still fell victim to an attack. The investigation revealed that while reasonable decisions had been made concerning cybersecurity, there were naturally trade-offs due to budgetary constraints. Those trade-offs created vulnerabilities that were ultimately exploited. Despite investing in cybersecurity, the organization’s risk assessments had not been updated in around four years, an aspect of compliance that the HHS’ Office for Civil Rights is actively enforcing because of its importance to security posture.

While the organization initially tested its endpoint protection to ensure it was effective, there was no routine testing after implementation to ensure those measures continued to provide adequate protection. Vendor risk management largely consisted of checks of security policy documents rather than active monitoring, which occurred for only a few vendors. Incident response plans and disaster recovery exercises failed to consistently meet the organization’s recovery objectives, but the issue was not addressed due to limited resources and competing priorities. Gaps were identified in its backup procedures: the threat actor was able to encrypt clinical images that had been omitted from backups. That gave the threat actor significant leverage in ransom negotiations. The organization found that its assumed security posture bore little resemblance to its actual defensive capabilities.

Cybersecurity Recommendations for Healthcare Organizations

Naturally, there will be cybersecurity trade-offs under budgetary restrictions, but the security gaps identified in that case study are all too common in healthcare. Resilience suggests that these security gaps are often a consequence of a focus on HIPAA compliance. The problem is that HIPAA only sets baseline standards for security, and the HIPAA Security Rule is more than two decades old. A focus on compliance may help avoid regulatory penalties, but may not effectively reduce risks or adequately protect against modern threats.

“Organizations deploying disconnected security tools without strategic coordination create gaps between systems, while annual assessments become check-box exercises using outdated measures of effectiveness,” suggests Resilience. “Effective healthcare cybersecurity requires quantifying cyber risks in financial terms rather than relying on subjective ratings. Loss exceedance curves model potential impacts based on organization-specific factors, enabling leaders to understand exactly what risks could cost in business disruption, recovery expenses, and regulatory fines. When expressed financially, security discussions shift from technical justifications to strategic investment decisions.”

Based on its analysis of the current threat landscape, Resilience recommends that healthcare organizations prioritize the following areas to improve their cybersecurity posture and limit the harm of a successful attack:

  • Implement a comprehensive backup strategy with particular attention to imaging files, databases, and system configurations
  • Ensure regular tests are conducted to validate recovery capabilities and timeframes under realistic attack scenarios
  • Treat your cyber insurance policy as part of your crown jewels, and ensure it is properly secured
  • Implement robust training programs that address phishing, social engineering, and proper data handling procedures
  • Ensure there is continuous monitoring of third-party vendors’ security postures
  • Adopt methodologies that translate cyber risks into financial terms to allow leadership to make informed investment decisions based on actual risk reduction potential rather than compliance
  • Implement and regularly test your incident response plan, including patient safety considerations and regulatory notification requirements
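As an added illustration of the loss exceedance curve approach referred to in the Resilience quotation and in the recommendation to express cyber risk in financial terms (this is example code, not code from Resilience or The HIPAA Journal): a Monte Carlo simulation that turns an assumed attack frequency and a lognormal per-incident loss distribution into P(annual loss > X). The frequency (0.3 successful attacks per year), median loss ($1.0M) and spread (sigma 0.7) are constructed inputs, loosely anchored to the averages reported above, and an organization would replace them with its own claims history and exposure data.

```python
import math
import random
from typing import Dict, List

def poisson_draw(rate: float, rng: random.Random) -> int:
    """Knuth's method: number of successful attacks in one simulated year."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def simulate_annual_losses(rate: float, median_loss: float, sigma: float,
                           trials: int, seed: int = 7) -> List[float]:
    """Monte Carlo: each simulated year draws an attack count (Poisson) and a
    lognormal loss per attack; returns the total loss for every simulated year."""
    rng = random.Random(seed)  # fixed seed keeps the curve reproducible
    mu = math.log(median_loss)  # lognormal location parameter for the given median
    totals = []
    for _ in range(trials):
        incidents = poisson_draw(rate, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return totals

def exceedance_curve(losses: List[float], thresholds: List[float]) -> Dict[float, float]:
    """Loss exceedance curve: P(annual loss > threshold) for each threshold."""
    years = len(losses)
    return {t: sum(1 for loss in losses if loss > t) / years for t in thresholds}

def loss_at_probability(losses: List[float], probability: float) -> float:
    """Annual loss exceeded with the given probability, e.g. 0.05 = a 1-in-20-year loss."""
    ordered = sorted(losses)
    index = min(int((1 - probability) * len(ordered)), len(ordered) - 1)
    return ordered[index]

if __name__ == "__main__":
    # Constructed inputs for illustration only: 0.3 successful attacks per year,
    # median loss $1.0M (cf. the $1.18M / $1.3M averages above), lognormal sigma 0.7.
    annual = simulate_annual_losses(rate=0.3, median_loss=1_000_000, sigma=0.7, trials=20_000)
    curve = exceedance_curve(annual, [0, 500_000, 1_000_000, 2_000_000, 4_000_000])
    for threshold, prob in curve.items():
        print(f"P(annual loss > ${threshold:>12,.0f}) = {prob:.3f}")
    print(f"expected annual loss = ${sum(annual) / len(annual):,.0f}")
    print(f"1-in-20-year loss    = ${loss_at_probability(annual, 0.05):,.0f}")
```

The curve is what lets a leadership team compare, in dollars, the expected loss reduction from a backup or monitoring investment against its cost, instead of arguing from a subjective risk rating.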
