New York Counseling Provider and Florida Cancer Center Announce Data Breaches
Family Counseling Services of the Finger Lakes in New York and the Cancer Care Center of North Florida have confirmed that patient data was compromised in recent hacking incidents.
Family Counseling Services of the Finger Lakes
Family Counseling Services of the Finger Lakes in New York has discovered unauthorized access to its email environment. Suspicious activity was identified on or around February 4, 2025, and the forensic investigation confirmed that a limited number of email accounts had been accessed by an unauthorized third party between January 14, 2025, and February 4, 2025.
The email accounts were immediately secured, and a review was conducted to determine the extent of data exposure. The file review was completed on June 30, 2025, and confirmed that the exposed data included full names, in combination with one or more of the following: date of birth, Social Security number, driver’s license number, bank account number, medical information, and health insurance information.
Family Counseling Services is unaware of any misuse of the exposed data; however, the affected individuals have been advised to remain vigilant against identity theft and fraud. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Cancer Care Center of North Florida
Cancer Care Center of North Florida has been affected by two security incidents: one involving unauthorized access to email accounts, and the other a network server hacking incident. Both incidents involved the Integrated Oncology Network (ION).
As previously reported by the HIPAA Journal, the phishing incident affected multiple ION members. Between December 13, 2024, and December 16, 2024, an unauthorized third party gained access to certain emails and SharePoint files. The files contained names, addresses, dates of birth, financial account information, diagnosis, lab results, medication, treatment information, health insurance and claims information, provider names, and/or dates of treatment, and for a limited number of individuals, their Social Security numbers. Cancer Care Center of North Florida notified the HHS’ Office for Civil Rights that 976 patients of its Lake Butler location were affected.
The hacking incident involved unauthorized access to certain ION systems between March 31, 2025, and April 10, 2025. ION discovered the intrusion on April 11, 2025, and said only limited systems were affected. The review of the affected files is ongoing, but it has been confirmed that the compromised information includes names, addresses, dates of birth, medical record numbers, diagnoses/conditions, diagnostic imaging, diagnostic test results, lab results, medications, treatment information, health insurance information, provider names, dates of treatment, driver’s license numbers, and/or financial account information.
The breach has affected multiple ION practices, which were notified between July 11, 2025, and August 6, 2025. Cancer Care Center of North Florida has confirmed that 1,789 of its patients were affected.
The post New York Counseling Provider and Florida Cancer Center Announce Data Breaches appeared first on The HIPAA Journal.
Data Breaches Announced by The Black Hills Regional Eye Institute & The Children’s Center of Hamden
Data breaches have recently been announced by Black Hills Regional Eye Institute in South Dakota and the Children’s Center of Hamden in New York.
Black Hills Regional Eye Institute
The Black Hills Regional Eye Institute in Rapid City, South Dakota, has fallen victim to a cyberattack that was identified on or around January 8, 2025. Systems were rapidly taken offline to prevent further unauthorized access and to contain the incident, and an investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed on or around February 7, 2025, that patient information had been accessed and acquired by the threat actor, who had access to certain systems from January 4, 2025, to January 8, 2025.
A comprehensive file review was conducted to determine the individuals affected and the types of data involved, which concluded on July 30, 2025. Black Hills Regional Eye Institute determined that the compromised data included patients’ first and last names in combination with one or more of the following: date of birth, Social Security number, driver’s license number, diagnoses, treatment information, medical history, medical record number, medications, provider name, surgical information, insurance information, and/or credit card information.
While sensitive data was acquired, Black Hills Regional Eye Institute has not found any evidence to indicate any misuse of that information. All staff and patients affected by the incident have been advised to remain vigilant against identity theft and fraud, and individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. Regulators have been notified, although the incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
The Children’s Center of Hamden
The Children’s Center of Hamden (TCCOH), a nonprofit behavioral health organization in Connecticut, has notified more than 5,000 individuals about the exposure of some of their personal and health information. Potential unauthorized activity was identified within its computer network on December 28, 2024. Assisted by third-party cybersecurity experts, TCCOH confirmed that files containing patient information had been exposed and were potentially acquired by the attackers.
The file review was completed on June 29, 2025, and it was confirmed that employee and client data were compromised in the incident, including first and last names, Social Security numbers, and protected health information. Notification letters were mailed to the affected individuals on August 28, 2025. The incident is not yet shown on the HHS’ Office for Civil Rights portal; however, the Maine Attorney General was informed that 5,213 individuals have been affected. Complimentary credit monitoring services are being offered for 12 months.
HHS-OIG Imposes Three Penalties for EMTALA Violations
The Department of Health and Human Services Office of Inspector General (HHS-OIG) has agreed to settle alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) patient dumping statute with UAB Medical West, Frankfort Regional Medical Center, and Flowers Hospital.
EMTALA is a federal law that ensures universal access to emergency medical care. EMTALA requires Medicare-participating hospitals to provide a medical screening examination to determine if a patient presenting at the hospital has an emergency medical condition, and provide stabilizing treatment for that condition or arrange an appropriate transfer to another facility if the hospital cannot provide the necessary treatment. Hospitals with specialized capabilities must accept transfers of patients with specialized needs if they have the capacity to provide treatment. These requirements apply to all individuals presenting at a hospital, regardless of their insurance status or ability to pay.
Frankfort Regional Medical Center
Frankfort Regional Medical Center (FRMC) was investigated by HHS-OIG after self-reporting a potential EMTALA violation that occurred in June 2022. A patient presented at the FRMC emergency department via ambulance, complaining of heat exhaustion after working in a hot factory for seven hours. The patient complained of a severe frontal headache and nausea, and had projectile vomited in the ambulance en route to the hospital. The patient rated his headache as an 8 on the 1-10 scale, had clammy skin, and was vomiting/dry heaving. Diagnostic blood work revealed the patient had hyponatremia (low blood sodium), hypokalemia (low blood potassium), and mild dehydration, and the physician’s notes stated he was tachycardic.
The ED physician went to speak with the patient, who was upset, and he was allowed to go back to sleep. Two hours later, the patient was difficult to arouse, lethargic, and bradycardic, and his respiration rate was slowing. The ED staff were unsuccessful in trying to arouse the patient with ammonia salts. The patient was provided with Narcan by the ED physician, who suspected a possible drug overdose. The patient then got upset and started to walk around the ED. The police department was called to arrest the patient for trespassing.
The patient sat down in an ED hallway with his arms crossed and head down, and was unresponsive to the ED staff and was no longer verbal. The ED physician cleared the patient to be discharged to jail with instructions for adult dehydration and a clinical note of a drug overdose. Within 24 hours, the patient was admitted to another hospital and received treatment for heat exhaustion. HHS-OIG determined EMTALA had been violated, and the case was settled with a $110,000 financial penalty.
UAB Medical West
UAB Medical West is a Birmingham, AL-based health system that operates a 200-bed UAB Medical West Hospital and numerous primary care facilities in and around Birmingham. UAB Medical West was investigated over a potential EMTALA violation following a complaint about an alleged failure to provide stabilizing treatment to a patient with an emergency medical condition.
HHS-OIG investigated and determined that in May 2023, a patient who presented at the freestanding UAB Medical West Emergency Department (ED) was discharged from the hospital without appropriate treatment, with an instruction to drive to another hospital for a consultation with a urologist and to get stabilizing treatment. The patient had presented at the ED with acute urinary retention – a medical condition that requires immediate medical attention.
Under EMTALA, UAB Medical West was required to provide stabilizing treatment. While staff at the hospital attempted to catheterize the patient, those efforts were unsuccessful, and the patient was not provided with any pain relief, despite the ED having a urologist on-call and access to urology supplies at its main ED. HHS-OIG and UAB Medical West agreed to settle the alleged EMTALA violation with a $100,000 financial penalty.
Flowers Hospital
Flowers Hospital, a 311-bed hospital in Dothan, Alabama, was investigated over an alleged failure to accept two patients who had been transferred to the hospital to receive specialized medical care, as the hospitals where the patients presented lacked the capabilities to provide appropriate care. Both refused transfers occurred in May 2021.
One patient had presented at the ED of an unrelated hospital following an assault and was determined to have multiple facial fractures, including on both sides of his lower jaw. A transfer was attempted as the hospital did not have an oral maxillofacial surgical (OMFS) specialist. The request was denied by Flowers Hospital, which claimed that its OMFS specialist only treated patients with old fractures, not patients with new traumas.
Another patient presented at the ED of a hospital with severe dental pain, which had been worsening for a week. Since the hospital did not have an OMFS specialist, a transfer was attempted, but was declined by the OMFS specialist because Flowers Hospital was not the closest facility with physicians able to provide the necessary stabilizing treatment. HHS-OIG determined that both refusals violated EMTALA, and the case was settled with a $150,000 financial penalty.
New HHS-OIG Exclusions and Financial Penalties
Before hiring any individual or onboarding a new vendor, healthcare organizations that participate in federal healthcare programs such as Medicare or Medicaid must complete due diligence and check to ensure that the individual or entity is not excluded from participating in federally funded healthcare programs.
The Department of Health and Human Services Office of Inspector General (HHS-OIG) maintains an exclusions list consisting of individuals and entities that have been prohibited from participating in federal healthcare programs. Individuals and entities are added to the List of Excluded Individuals and Entities (LEIE) after being found guilty of fraud, abuse, or neglect, although they may be added to the list for other reasons at the discretion of HHS-OIG.
Failure to check the LEIE and subsequently billing federal healthcare programs for products or services provided by an excluded individual or entity can result in a significant fine. In addition to pre-engagement checks of the database, healthcare organizations must conduct regular checks of the LEIE for existing employees, contractors, and vendors. All checks must be documented to maintain an audit trail.
Free Webinar on Sanctions and Exclusions Compliance
Readers of the HIPAA Journal are invited to attend a free webinar at which leading compliance experts will give advice on implementing and maintaining an effective screening program that goes beyond the basic requirements to include establishing and managing conflict of interest programs.
The webinar – The Complete Exclusion Screening Playbook: From Sanctions to Conflicts of Interest – will take place on Tuesday, September 9, 2025.
Recent LEIE Additions and Financial Penalties
HHS-OIG has recently announced four new additions to the LEIE, and one financial penalty for a healthcare provider for employing an excluded individual and billing federal healthcare programs for products or services provided by that individual.
- Kidspeace National Centers of New England, Inc., in Ellsworth, Maine, was discovered to have employed an excluded speech pathologist. In this case, the individual was not employed directly, but through a contractor. The alleged violation was settled with HHS-OIG on July 31, 2025, with a $44,736.78 financial penalty.
- Brant Jolly, of Fayetteville, Arkansas, has been excluded from participating in federally funded healthcare programs for 10 years for violating the False Claims Act by causing the submission of false claims to Medicare for lab tests that were either never ordered, never rendered, or involved deceased beneficiaries.
- Nirmal Mulye, PhD, based in Miami, Florida, was added to the LEIE by HHS-OIG for defaulting on payment obligations. Dr. Mulye had previously founded a company that was determined to have underpaid Medicaid rebates, then defaulted on his payment obligations under an active settlement agreement. Dr. Mulye will remain on the LEIE until reinstated by HHS-OIG after curing the default.
- Andres Gomes, MD, of Puerto Rico, defaulted on his payments under a False Claims Act settlement agreement with the Department of Justice and HHS-OIG. The settlement agreement resolved allegations that Dr. Gomes did not pay proper remuneration to physicians for patient referrals to clinics for the surgical treatment of peripheral arterial disease. Dr. Gomes will remain on the LEIE until he cures the default.
Florida Considers Rule to Improve Healthcare Data Breach Transparency
Healthcare providers in Florida could have new data breach reporting requirements if a recently proposed Florida Administrative Code Regulation Rule is adopted. The rule was proposed by the Agency for Health Care Administration (AHCA) to improve healthcare data breach transparency and preparedness for security incidents. If adopted, healthcare providers will be required to have a contingency plan for information technology incidents, to ensure that critical operations and patient care services can continue during an interruption to normal operations.
The contingency plan must consist of a written policy containing procedures and information regarding the maintenance of critical operations and essential patient care, together with a procedure for ensuring regular, secure, redundant on-site and off-site data backups (within the continental United States) and for verifying that backed-up data can be restored.
An information technology incident is defined as “an observable occurrence or data disruption or loss in an information technology system or network that permits or is caused by unauthorized access of data in electronic form.” The definition covers cyberattacks and insider breaches, including good-faith authorized access by an employee if the data accessed by the employee is used in an unauthorized manner or for an unauthorized purpose.
The new rule will require all covered providers to report an information technology incident to AHCA within 24 hours of the provider determining that an information technology incident has occurred. The following need not be included in the incident report itself, but on request providers must give AHCA a copy of the police report, incident report, computer forensics report, policies regarding information technology incidents, a list of the information disclosed, the steps taken in response to the incident, and a copy of the contingency plan.
Since healthcare providers are likely also HIPAA-covered entities, these new requirements will be in addition to any requirements under HIPAA. The AHCA will be holding a rule development workshop on September 17, 2025, about the proposed rule.
Covered Providers
- Abortion clinics
- Adult day care centers
- Adult family-care homes
- Ambulatory surgical centers
- Assisted living facilities
- Birth centers
- Companion services or homemaker services providers
- Crisis stabilization units
- Health care clinics and
- Health care services pools
- Home health agencies
- Home medical equipment providers
- Homes for special services
- Hospices
- Hospitals
- Intermediate care facilities for persons with developmental disabilities
- Laboratories authorized to perform testing under the Drug-Free Workplace Act
- Nurse registries
- Nursing homes
- Organ, tissue, and eye procurement organizations
- Prescribed pediatric extended care centers
- Residential treatment centers for children and adolescents
- Residential treatment facilities
- Short-term residential treatment facilities
- Transitional living facilities