Health Plan Members’ PHI Exposed in Cyberattack on Fieldtex Products

Posted by Steve Alder

Data breaches have been announced by Fieldtex Products in New York State and the Utah ear, nose & throat specialists, Cache Valley Ear ENT.

Fieldtex Products, New York

Fieldtex Products, a medical supply fulfillment organization based in Rochester, New York, has announced a data security incident involving unauthorized access to its computer systems. The intrusion was identified on August 19, 2025, and action was immediately taken to secure its network and prevent further unauthorized access. A third-party digital forensics team was engaged to investigate the incident, which confirmed that a limited amount of protected health information had been exposed and may have been accessed or stolen in the attack.

The exposed data related to the over-the-counter healthcare-related products provided by Fieldtex to members of its health plan clients. In order to provide those products, health plans provided Fieldtex with protected health information such as patient names, addresses, dates of birth, insurance member identification numbers, plan names, effective terms, and gender.

The analysis of the exposed data was completed on September 30, 2025, and the affected health plans were notified immediately. Fieldtex has sent notification letters to the affected individuals on behalf of the health plans that authorized Fieldtex to provide direct notice and has offered those individuals complimentary credit monitoring services.

At the time of issuing notification letters, Fieldtex was unaware of any misuse of the exposed data. Steps have been taken to improve security, and data security policies and procedures are being reviewed. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Cache Valley Ear, Nose & Throat, Utah

Legal counsel for Cache Valley Ear, Nose & Throat (Cache Valley ENT) has notified state attorneys general about a February 2025 data security incident that exposed patient information. Suspicious activity was identified within its network on February 4, 2025. An investigation was launched to determine the nature and scope of the activity, with assistance provided by third-party cybersecurity experts.

The North Logan, Utah-based healthcare provider confirmed that data may have been viewed or copied on February 4, 2025. The review of the exposed data was completed on November 4, 2025, when it was confirmed that names, addresses, provider names, drug names, and insurance provider names were involved. While highly sensitive patient data such as Social Security numbers and financial information do not appear to have been involved, out of an abundance of caution, the affected individuals have been offered 12 or 24 months of complimentary credit monitoring and identity theft protection services. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Health Plan Members’ PHI Exposed in Cyberattack on Fieldtex Products appeared first on The HIPAA Journal.

Main Line Fertility Center Settles Tracking Technology Lawsuit

Posted by Steve Alder

Main Line Fertility Center in Pennsylvania will pay cash payments to individuals whose sensitive data may have been disclosed to third parties via website tracking technologies. Like many healthcare providers, Main Line Fertility Center deployed third-party tracking tools and analytics code on its public website, including Meta Pixel. While these tools can provide valuable data to website owners, their use is problematic in healthcare due to the potential for sensitive data to be transferred to the providers of those tools. Depending on how and where these tools are deployed, they can potentially transfer personally identifiable and health information to those third parties.

In the case of Main Line Fertility Center, it was alleged to have used these tools without patients’ knowledge or consent, resulting in individually identifiable information being transferred to third parties, such as Meta. Anonymous plaintiff Jane Doe filed a lawsuit – Jane Doe v. Main Line Fertility, Ltd. – in the Court of Common Pleas of Philadelphia County, Pennsylvania, alleging the use of these tools without the knowledge or consent of patients amounted to negligence and violated the Pennsylvania Unfair Trade Practices Act. The lawsuit also asserted claims of invasion of privacy, breach of implied contract, and unjust enrichment.

Main Line Fertility Center maintains that there was no wrongdoing and filed its preliminary objections to the complaint on September 19, 2024; however, the court overruled the objections and ordered Main Line Fertility Center to file its answer to the plaintiff’s complaint, which was filed on February 6, 2024. Following substantive discovery efforts and extensive settlement discussions, Main Line Fertility Center agreed to participate in private mediation, and the material terms of a settlement were agreed upon. The full terms of the settlement have now been finalized, and the settlement has received preliminary approval from the court.

Similar to several other pixel-related settlements in recent months, class members will be provided with a cash payment and membership to a Privacy Shield Pro product. Class members wishing to submit a claim can elect to receive a one-time cash payment of $35, and if they submit a valid and timely claim, they will receive a code to enroll in the PRivacy Shield Pro product. Main Line Fertility Center has also agreed to pay attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives.

The deadline for opting out of and objecting to the settlement is December 1, 2025, and claims must be submitted by December 29, 2025. The final fairness hearing has been scheduled for January 6, 2026.

The post Main Line Fertility Center Settles Tracking Technology Lawsuit appeared first on The HIPAA Journal.

Data Breaches Announced by Ennoble Care & Circa Health; Dermatology Associates of Concord

Posted by Steve Alder

Data breaches have recently been announced by Ennoble Care & Circa Health in New Jersey and Dermatology Associates of Concord in Massachusetts.

Ennoble Care/Circa Health, New Jersey

Ennoble Care & Circa Health, LLC, a Hackensack, NJ-based provider of primary care, palliative care, and hospice services to individuals in Georgia, Kansas, Maryland, New York, New Jersey, Oklahoma, Pennsylvania, Virginia, and Washington, D.C., has announced an email account breach that was identified on April 17, 2025.

Ennoble Care said the investigation into the incident is ongoing; however, it has been determined that patient information has been exposed and may have been obtained by an unauthorized individual. The types of information involved include names, addresses, dates of birth, hospice status, status dates, and orders status (CTI, SN, MSW, CH, HHA, etc.). No evidence was found to indicate that its cloud-based electronic health record was compromised.

While no evidence has been found to indicate misuse of the exposed data, the affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring the explanation of benefits statements that they receive from their health insurance providers. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Dermatology Associates of Concord, Massachusetts

Dermatology Associates of Concord (DAC), a provider of dermatology services to individuals in the greater Boston area, has notified the Massachusetts Attorney General about a recent security incident affecting a currently undisclosed number of individuals. Suspicious activity was identified within its computer systems on September 19, 2025. Assisted by third-party cybersecurity experts, DAC determined that an unauthorized third party accessed a specific computer system between September 18, 2025, and September 19, 2025, and copied files from that system.

The files are being reviewed to determine the types of data involved and the individuals affected, and that process has not yet concluded. While data was stolen, DAC is unaware of any misuse of that information. DAC said it has notified law enforcement about the incident and has augmented its security protocols to prevent similar incidents in the future.

Notification letters will be mailed to the affected individuals when the data review is completed, and complimentary single-bureau credit monitoring, credit report, credit score, and fraud assistance services will be made available to the affected individuals for a period of 24 months.

The post Data Breaches Announced by Ennoble Care & Circa Health; Dermatology Associates of Concord appeared first on The HIPAA Journal.

More Than CMIA and HIPAA: Which Medical Privacy Regulations Apply to You in California?

Posted by PJ Murray

The Confidentiality of Medical Information Act (CMIA) is just one of several state laws and regulations that apply to medical privacy in California and influence how staff handle patient information. Alongside HIPAA and CMIA, healthcare organizations may also have to comply with the Patient Access to Health Records Act (PAHRA), Medi-Cal confidentiality rules, California’s Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA), state rules governing artificial intelligence in healthcare (including CCPA’s automated decision-making regulations), and SB81 on patient access and protection. Together, these laws help explain why privacy and security policies in California can look different from those in other states. 

HIPAA was designed to create a national “floor” of privacy and security standards, but in California that floor is only the starting point. When state law gives patients more rights or stronger protections than HIPAA does in a particular area, the California law takes precedence for that issue, while HIPAA still applies in the background. As a result, California providers often have to reconcile multiple overlapping rules when deciding how to use, disclose, and protect health information.

CMIA is the core California medical privacy statute. It applies broadly to providers, plans, contractors, and many consumer-facing digital health apps when they store or process identifiable medical information. CMIA tightly limits when information can be used or disclosed without authorization, adds extra protections for sensitive services, and requires safeguards for electronic information. A key difference from HIPAA is CMIA’s private right of action, which allows patients to sue for negligent, unauthorized disclosures, even when there was no intent to cause harm. That is a major reason California organizations stress strict access control, “need-to-know” use of records, and zero tolerance for snooping or gossip.

PAHRA strengthens and accelerates patient access rights beyond HIPAA. California providers generally must acknowledge or respond to access requests within a few days and provide copies within a much shorter deadline than HIPAA’s. Patients can also submit an addendum to correct or clarify their records, and that addendum must be attached with future relevant disclosures. PAHRA and CMIA together also limit parental access to minors’ sensitive records when the minor has the right to consent to care, so staff must pay close attention to who is entitled to see what.

Other important laws fill gaps that HIPAA and CMIA do not fully cover. Medi-Cal regulations protect beneficiary information, including social and economic data used for eligibility and benefits, and restrict its use mainly to treatment, billing, and program administration. CCPA/CPRA applies to eligible businesses for personal information that is not PHI or CMIA “medical information,” such as website tracking data, marketing lists, and some HR records. CCPA/CPRA also gives consumers rights to know, correct, and in some cases delete data. California also regulates the use of AI in healthcare through a mix of privacy, consumer, and professional rules that emphasize transparency, security, and maintaining human clinical judgment. In practice, these rules often appear as internal policies: which AI tools may be used, what kind of data may be entered, how outputs must be reviewed, and when patients must be informed.

SB81, California’s Patient Access and Protection law, adds targeted protections for immigration-related information. It treats a patient’s place of birth and immigration status as protected medical information and prohibits disclosures for immigration enforcement without a valid authorization or court order. It also requires healthcare organizations, including public college health centers, to establish “safe” non-public areas where patients can receive care without fear of immigration agents entering unless they have proper legal authority. This law shapes how front desks, security, and clinical teams respond to requests from law enforcement and why staff should receive specific training on these scenarios.

Because all these laws overlap, California healthcare organizations usually design their policies around the most protective rule that applies. CMIA is central, but real-world privacy practice is also shaped by PAHRA, Medi-Cal rules, CCPA/CPRA, AI-related requirements, and SB81. For healthcare staff and students, the safest approach is to follow their organization’s written policies, complete required training, and ask their privacy or compliance team whenever they are unsure. This overview is for training and general information, not legal advice, but it highlights why CMIA is just one piece of a much larger California privacy framework.

The post More Than CMIA and HIPAA: Which Medical Privacy Regulations Apply to You in California? appeared first on The HIPAA Journal.