Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions
The Department of Health and Human Services Office for Inspector General (HHS-OIG) has announced two settlements with healthcare providers to resolve alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) due to the failure to provide adequate medical screening examinations and stabilizing treatment to patients with emergency mental health complaints.
EMTALA requires Medicare-participating hospitals to provide a medical screening examination to anyone seeking treatment for a potential emergency medical condition, regardless of their ability to pay. Stabilizing treatment must be provided to the patient, or the patient may be transferred to another facility if the hospital is unable to provide stabilizing treatment within its capabilities.
North Carolina Baptist Hospital (NCBH) was investigated by HHS-OIG and was found to have violated EMTALA on two occasions in August 2021. A patient presented at the Emergency Department requesting a psychiatric evaluation, a psychotropic medication refill, and complained of back pain at an 8/10 level. The patient was triaged and found to have abnormal vital signs. Around four hours later, NCHB’s records showed that the patient left the facility without being seen. Two days later, the patient returned to the ED two days after jumping off a bridge and being hit by a truck, and later died from the injuries.
The same month, a patient with a history of schizoaffective disorder, bipolar disorder, and depression presented to the hospital with psychological issues, having arrived by ambulance due to a psychiatric disturbance. In the ED, the patient experienced auditory hallucinations and made bizarre, illogical statements. The patient was given intravenous fluids and was discharged home the following day, without having been given a detailed psychiatric evaluation. At the time of discharge, the patient refused to leave and claimed she could not walk or see. After speaking with a doctor, she was given a bus token and was escorted off the premises by a security guard. After her mother called the hospital to inquire about her whereabouts, the patient was found in a hospital robe at a bus stop. Around one week later, the patient was involuntarily committed to a psychiatric facility. NCBH settled the alleged EMTALA violations and paid a $200,000 financial penalty.
Swedish American Hospital (SAH) in Rockford, Illinois, was investigated over an alleged EMTALA violation in 2024 when a patient was not provided with appropriate medical screening after presenting at the hospital’s Emergency Department, complaining of suicidal ideation. The previous day, SAH referred the patient to a mental health professional at an outpatient facility, who signed a petition for involuntary admission. The patient presented at the hospital with the petition; however, the patient did not receive an appropriate medical screening examination, was not provided with stabilizing treatment, and was discharged two hours after presenting at the hospital. SAH settled the alleged violation with HHS-OIG and paid a $100,000 financial penalty.
The post Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions appeared first on The HIPAA Journal.
Hospital Sisters Health System Settles Class Action Data Breach Lawsuit for $7.6 Million
A class action lawsuit against Hospital Sisters Health System has been settled for $7.6 million. The lawsuit relates to an August 2023 cyberattack that affected approximately 883,000 individuals. The cyberattack caused an outage of computer systems, phone lines, and websites, and its MyChart and MyPrevea applications were taken offline for several days, leaving the health system unable to take payments. The investigation confirmed that the threat actor accessed systems containing patient and employee information between August 16, 2023, and August 27, 2023, and potentially exfiltrated data. Notification letters started to be mailed to the affected individuals on October 26, 2023.
Several class action lawsuits were filed against Hospital Sisters Health System in response to the data breach. Since they had overlapping claims and were based on the same facts, the lawsuits were consolidated into a single action – In re Hospital Sisters Health System Data Breach Litigation, in the Circuit Court of the Seventh Judicial Circuit of the State of Illinois, Sangamon County, Chancery Division.
The lawsuit alleged that Hospital Sisters Health System was negligent because it failed to implement reasonable and appropriate security measures to protect its network and patient and employee data from unauthorized access, and had those measures been implemented, the data breach could have been prevented. Hospital Sisters Health System denies all claims asserted in the lawsuit and denies all allegations of wrongdoing and liability. Class counsel and the plaintiffs believe that the legal claims asserted in the lawsuit have merit.
After assessing the strengths and weaknesses of the case, the plaintiffs and defendants moved to settle the litigation to avoid the burden, expense, risk, and uncertainty of continued litigation. Class counsel and the plaintiffs believe that the settlement is fair and provides substantial benefits for the settlement class. Under the terms of the settlement, all class members are entitled to enroll in financial data monitoring services for two years. The CyEx Financial Shield package includes fraud and identity monitoring, including monitoring for unauthorized financial transactions and compromised bank and financial account numbers. Class members will also benefit from a $1 million financial fraud insurance policy.
Class members are also eligible to claim one of two cash benefits. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member. Alternatively, they can submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees, expenses, settlement administration costs, class representative awards, financial data monitoring costs, and claims have been paid.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 4, 2025. Class members wishing to object to the settlement or exclude themselves must do so by November 14, 2025, and the deadline for submitting a claim is November 14, 2025.
The post Hospital Sisters Health System Settles Class Action Data Breach Lawsuit for $7.6 Million appeared first on The HIPAA Journal.
Cybersecurity Awareness Month 2025: Building a Cyber Strong America – The HIPAA Journal
Cybersecurity Awareness Month 2025: Building a Cyber Strong America The HIPAA Journal
Cybersecurity Awareness Month 2025: Building a Cyber Strong America
October is Cybersecurity Awareness Month – a global initiative that aims to educate the public and businesses about the importance of cybersecurity and protecting against cyber threats to systems and data. The initiative is led by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and this year’s theme is “Building a Cyber Strong America. The main focus this year is improving cybersecurity at the government entities and small and medium-sized businesses that operate and maintain the nation’s critical infrastructure, as well as the myriad of vendors and suppliers that support or are connected to critical infrastructure.
CISA is issuing a call to action to all critical infrastructure entities and vendors that support those entities to take steps to improve cybersecurity, starting with four essential steps to improve baseline security:
- Avoid phishing
- Use strong passwords
- Require multifactor authentication
- Update business software
Phishing is the initial access vector in many cyberattacks, providing threat actors with the credentials they need to access internal systems and data and conduct a comprehensive attack on the organization. According to the cybersecurity firm SentinelOne, phishing attacks have increased by 1,265%, with that increase driven by the growth of GenAI. These attacks target employees and trick them into disclosing credentials, opening malicious email attachments, or clicking links that direct them to malicious sites where malware is downloaded. While technical defenses such as spam filters can reduce the number of threats that reach employees, it is vital to train the workforce on how to recognize and report suspicious emails.
A system is only as secure as the password used to protect it, so it is essential that passwords are used that are difficult to guess and are resistant to automated brute force attempts. According to Hive Systems, even a password consisting of 10 random numbers could be cracked in less than a day, compared to 803,000 years for a 10-character password consisting of numbers, upper and lower case letters, and special characters. Strong passwords should be mandatory for all users.
Even strong passwords are not sufficient by themselves, as while they may be difficult to brute force, they can be obtained by threat actors through phishing, for example. Multifactor authentication adds an additional layer of protection, ensuring that a password alone is not sufficient to access accounts, systems, and devices. Implementing multifactor authentication will significantly improve security, and where possible, phishing-resistant multifactor authentication should be implemented.
Threat actors target vulnerabilities in software and operating systems and exploit them to gain access to the networks of critical infrastructure entities and their vendors. All business software and operating systems should be kept up to date, with patches and security updates applied promptly to fix vulnerabilities before they can be exploited. After completing these four essential steps to improve baseline security, the next step is to level up defenses through additional actions, such as implementing logging on all systems. Logs should be monitored for anomalous activity, including hacking incidents and insider threats.
Ransomware is one of the biggest threats, especially in healthcare. These attacks lock victims out of systems and prevent access to critical data, causing massive disruption to business operations. It is therefore essential to ensure that all critical information is backed up securely, as this will allow a fast recovery in the event of an attack. In addition to making multiple backups and securing one copy off-site, backups should be checked to ensure that file recovery is possible. A backup plan should also be developed to reach the recovery point in the shortest possible time frame.
Data encryption is another key protection to safeguard data at rest and in transit. If a threat actor gains access to files, the data cannot be viewed. Threat information sharing is also a key part of building a strong cyber America. By informing CISA about cyberattacks and sharing pertinent information, CISA can take steps to warn others and help them avoid similar threats.
Healthcare organizations should also consider implementing the cybersecurity performance goals (CPGs) developed by the Department of Health and Human Services in collaboration with CISA. The CPGs set a floor of safeguards that will help prevent successful cyberattacks, and the enhanced CPGs help healthcare organizations mature their cybersecurity capabilities. The 2025 HIPAA Journal Annual Survey indicated a lack of awareness of these important CPGs.
“Critical infrastructure – whether in the hands of state and local entities, private businesses, or supply chain partners – is the backbone of our daily lives,” said Acting CISA Director Madhu Gottumukkala. “Whenever it’s disrupted, the effects ripple through communities across America. That’s why this year CISA is prioritizing the security and resilience of small and medium businesses, and state, local, tribal, and territorial government (SLTT) that facilitate the systems and services [that] sustain us every day. This includes things like clean water, secure transportation, quality healthcare, secure financial transactions, rapid communications, and more. Together, we must make resilience routine so America stays safe, strong, and secure.”
The post Cybersecurity Awareness Month 2025: Building a Cyber Strong America appeared first on The HIPAA Journal.
Data Exfiltrated in Hacking Incident at Healthcare Interactive Inc. – The HIPAA Journal
Data Exfiltrated in Hacking Incident at Healthcare Interactive Inc. The HIPAA Journal
Connecticut Medical Rehabilitation Center Announces Hacking Incident – The HIPAA Journal
Connecticut Medical Rehabilitation Center Announces Hacking Incident The HIPAA Journal
Connecticut Medical Rehabilitation Center Announces Hacking Incident
Gaylord Specialty Healthcare is notifying patients affected by a December hacking incident, and Gainwell Technologies has reported a breach involving the data of Medicaid recipients in Georgia.
Gaylord Specialty Healthcare, Connecticut
Gaylord Farm Association Inc., doing business as Gaylord Specialty Healthcare, a nonprofit medical rehabilitation center in Wallingford, Connecticut, has recently started notifying patients about a December 2024 security incident that potentially involved unauthorized access to patient information.
Suspicious activity was identified within its computer network on December 19, 2024, and the forensic investigation confirmed unauthorized access to its network from December 16 to December 19. Files were reviewed to determine the types of information involved and the individuals affected. On August 25, 2025, Gaylord learned that the impacted data included names, dates of birth, Social Security numbers, taxpayer ID numbers, driver’s license or state ID numbers, passport numbers, account numbers, routing numbers, payment card numbers, payment card CVVs, medical record numbers, mental or physical condition, treatment information, diagnoses and diagnosis codes, treatment locations, procedure types, provider names, treatment costs, medical date of services, admission/discharge dates, prescriptions, billing/claims information, health insurance information and/or patient account numbers.
Gaylord said it issued a provisional notice to the HHS’ Office for Civil Rights about the data breach and uploaded a breach notice to its website on February 28, 2025; however, the incident is not yet shown on the HHS’ data breach portal, which suggests the initial estimate indicated that fewer than 500 individuals were affected. Gaylord said the delay in issuing individual notifications was due to the complex and time-consuming review of the affected files, which required a manual review of thousands of documents. Security policies, procedures, and practices have been reviewed and enhanced to prevent similar breaches in the future. The total number of affected individuals is not currently known, although the breach was reported to the Maine Attorney General as affecting 75 Maine residents.
Gainwell Technologies, Virginia
Gainwell Technologies, a provider of technology solutions and software to healthcare organizations and government agencies, has recently announced a data breach affecting 912 Medicaid recipients in Georgia. Gainwell Technologies is the fiscal agent for Medicaid in the state, and contracts with Georgia’s Department of Community Health. According to a statement issued by the contractor, on July 23, 2025, an unauthorized caller requested access to payments to providers and gained access to a reimbursement account that contained patient information.
The account contained billing statements that included Medicaid recipients’ names, Medicaid ID numbers, coverage information, and payment information for the periods when services were received. Gainwell Technologies said it is unaware of any misuse of the affected data but has offered complimentary credit monitoring services to the affected individuals for a period of one year as a precaution.
The post Connecticut Medical Rehabilitation Center Announces Hacking Incident appeared first on The HIPAA Journal.
Data Exfiltrated in Hacking Incident at Healthcare Interactive Inc.
Healthcare Interactive Inc. has confirmed that data was exfiltrated in a July 2025 hacking incident. Data breaches have also been reported by the Health Department of the City of St. Joseph in Missouri and Viva Health in Alabama.
Healthcare Interactive (HCIactive)
Healthcare Interactive Inc., a provider of AI-powered software solutions for insurance enrollment and benefits administration, has recently announced a July 2025 hacking incident that involved the exfiltration of files from its network. Suspicious activity was identified within its computer network on or around July 22, 2025. An investigation was launched to identify the cause of the activity, which confirmed unauthorized access to its network and data exfiltration from its network between July 8, 2025, and July 12, 2025.
The review of the exposed files confirmed that they contained protected health information such as names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, health insurance enrollment information, medical record numbers, diagnoses, lab results, prescriptions, and other care and treatment information, medical images, doctors’ names, and health insurance claims information.
While sensitive data was stolen, Healthcare Interactive said it is unaware of any misuse of that information; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. Security policies and procedures are being reviewed, and additional safeguards are being implemented to better secure its systems and data. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.
City of St. Joseph Health Department, Missouri
The Health Department of the City of St. Joseph in Missouri experienced a hacking incident that caused network disruption on June 9, 2025. Third-party cybersecurity experts were engaged to investigate and determine the nature and scope of the activity. The investigation confirmed that there may have been unauthorized access to files containing patient data, and files may have been exfiltrated from the network.
Data mining experts were engaged to review the files, and on September 4, 2025, it was confirmed that 11,538 patients had been affected and had some of their protected health information exposed. The types of information involved vary from individual to individual and may include first and last names, dates of birth, driver’s license numbers/state identification numbers, passport numbers, Social Security numbers, and medical diagnosis and treatment information. The health department engaged cybersecurity experts to review its security practices and protocols, and enhancements have been made based on their recommendations.
Viva Health, Alabama
Viva Health, an Alabama-based health insurance company that works with the Alabama Medicaid agency, has identified an exposed file on its website that contained the protected health information of 4,945 of its members. The exposed file was identified on August 27, 2025, and the investigation confirmed that it was accessible via the website from June 14, 2025, to August 27, 2025. The file contained limited member information – Medicare numbers, member IDs, group numbers, county of residence, and authorization numbers from August and September 2024. The file did not include members’ names, nor highly sensitive information such as Social Security numbers or financial information. As a precaution against data misuse, members have been advised to monitor their Explanation of Benefits statements and have been offered one year of complimentary credit monitoring services.
The post Data Exfiltrated in Hacking Incident at Healthcare Interactive Inc. appeared first on The HIPAA Journal.