HHS Releases Updated Security Risk Assessment Tool

Posted by Steve Alder

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP) have announced the release of an updated version of the Security Risk Assessment (SRA) Tool.

The SRA tool was developed to help small to medium-sized healthcare providers comply with the security risk assessment provision of the HIPAA Security Rule, one of the foundational requirements of the Security Rule. A HIPAA risk assessment failure is the most commonly identified HIPAA Security Rule violation, and OCR currently has an active enforcement initiative targeting noncompliance. Through its investigations of complaints, data breaches, and compliance audits, OCR commonly discovers that HIPAA-regulated entities have either failed to conduct a risk assessment or that risk assessments are inaccurate or incomplete. For instance, a risk assessment is conducted based on an incomplete or out-of-date asset inventory.

The enforcement initiative was announced by OCR in October 2024 when the first penalty was imposed on Bryan County Ambulance Authority in Oklahoma. Since then, OCR has imposed 10 financial penalties for risk analysis failures, making it the most common reason for security-related HIPAA civil monetary penalties and settlements.

The SRA tool is an invaluable tool for small and medium-sized healthcare providers, as it guides them through the process of conducting a risk assessment. The latest release, version 3.6, includes several updates to improve usability. A new assessment confirmation button has been added with a reviewed-by date for each section, allowing users to confirm that a section has been reviewed and approved, which will be saved for audit records.

The risk scale has been updated to align with NIST scoring, with the score of “medium” changed to “moderate”. Updated library files will be installed when the new version is installed, mitigating vulnerabilities that may exist in outdated versions. The reports have been updated with new content, including section-specific approval/reviewed-by details and additional information entered by users. There have also been improvements to questions, responses, and education to make the SRA Tool more relevant to the evolving cybersecurity environment and to improve ease of use.

OCR and ASTP are hosting two live webinars this month on the SRA Tool. Experts will provide an introduction to the SRA tool, demonstrate the new features and enhanced reports, and will be available to answer questions about the tool and new features. The webinars will be held on September 15, 2025, at 12 p.m. ET, and on September 16, 2025, at 3 p.m. ET. You can register for the webinar on this link.

The post HHS Releases Updated Security Risk Assessment Tool appeared first on The HIPAA Journal.

HHS Agrees to Settlement Requiring the Restoration of Deleted Health Data and Websites

Posted by Steve Alder

The Trump administration has agreed to settle a lawsuit filed by the Washington State Medical Association (WSMA) and eight other plaintiffs that sought to stop and reverse the deletion of important public health and science data from federal websites. Under the terms of the settlement, the Department of Health and Human Services is required to restore more than 100 datasets and webpages that were deleted since January 2025.

On January 20, 2025, President Trump signed several executive orders, two of which concerned gender identity and diversity, equity, and inclusion (DEI) – Executive Order 14168: Ending Radical and Wasteful Government DEI Programs and Preferencing & Executive Order 14151: Defending Women from Gender Ideology Extremism and Restoring Biological Truth to the Federal Government. Over the course of several months, the Trump administration directed federal agencies such as the Centers for Disease Control and Prevention (CDC), National Institutes of Health (NIH), and Food and Drug Administration (FDA) to delete public health information that had previously been published on those agencies’ websites.

The deleted content included public health information relating to LGBTQ health, gender and reproductive health, vaccine guidance, Mpox treatment, pregnancy risk, opioid use disorder, HIV/AIDS research, and the NIH HIV Risk reduction tool, data from clinical trials, and more.

A lawsuit was filed in federal court to stop the deletion of data from taxpayer-funded websites, restore the deleted content, and establish legal protection to prevent future efforts to suppress public health information. The lawsuit was filed by the WSMA, Washington State Nurses Association, Washington Chapter of the American Academy of Pediatrics, AcademyHealth, Association of Nurses in AIDS Care, Fast-Track Cities Institute, International Association of Providers of AIDS Care, National LGBT Cancer Network, and Vermont Medical Society.

The defendants were Robert F. Kennedy Jr., Department of Health and Human Services (HHS), Matthew Buzzelli, CDC, Jay Bhattacharya, NIH, Martin A. Makary, FDC, Thomas J. Engels, Health Resources and Services Administration, Charles Ezell, and the Office of Personnel Management.

The lawsuit – Washington State Medical Association et al. v. Kennedy et al.– alleged that the deleted data was critical to public health research and combatting morbidity and mortality, and the removal of health-related data in response to the executive orders violated the Administrative Procedure Act, the separation of powers principle, the Paperwork Reduction Act, the Public Health Service Act, and the Prematurity Research Expansion and Education for Mothers Who Deliver Infants Early Act.

“The unannounced and unprecedented deletion of these federal webpages and datasets came as a shock to the medical and scientific communities, which had come to rely on them to monitor and respond to disease outbreaks, assist physicians and other clinicians in daily care, and inform the public about a wide range of healthcare issues,” wrote the plaintiffs in the lawsuit. “Health professionals, nonprofit organizations, and state and local authorities used the websites and datasets daily to care for their patients, provide resources to their communities, and promote public health.”

The lawsuit alleged that thousands of databases have been deleted, depriving the medical community and the public of accessing critical resources. The defendants have restored some of the deleted datasets and webpages, in some instances in response to court orders, but the restoration has been inconsistent and scattershot. The plaintiffs claimed that the defendants made “arbitrary, capricious and unreasoned” decisions to delete critical resources that, under American law, are required to be made available to the American people.

“Access to trustworthy information allows us to solve real problems, improve health outcomes, and plan for the future. If we don’t stand up for data now, we risk losing the tools we rely on to make progress, regardless of politics,” said Dr. Aaron Carroll, president and CEO of AcademyHealth.

On September 2, 2025, the WSMA announced that it was thrilled that a settlement had been reached, which requires the HHS to restore webpages and data that were wrongfully deleted, and make them available again to physicians, scientists, medical professionals, and the American public.” Under the terms of the settlement, the HHS is required to restore the deleted websites, webpages, and datasets that were taken down this year and have not already been restored, as detailed in Appendix A of the complaint.

“I am extremely proud of the health care community in Washington state and our partners in this case for pushing back on this egregious example of government overreach,” said John Bramhall, MD, PhD, president of the WSMA. “This was not a partisan issue – open data benefits everyone, and ensuring its availability should be a bipartisan priority.”

The post HHS Agrees to Settlement Requiring the Restoration of Deleted Health Data and Websites appeared first on The HIPAA Journal.

Data Breaches Announced by US HealthConnect & Altos Inc.

Posted by Steve Alder

The medical education provider US HealthConnect and the California billing services vendor Altos Inc have recently announced cyberattacks and data breaches.

US HealthConnect

US HealthConnect, a provider of continuing medical education and promotional education to healthcare providers, has recently announced a cybersecurity incident that was identified on January 25, 2025. Suspicious activity was identified within its computer network, and third-party cybersecurity specialists were engaged to investigate to determine the nature and scope of the activity.

The investigation confirmed that an unauthorized third party had access to its network and may have obtained certain information from the affected systems, including names and Social Security numbers. After validating the results and obtaining up-to-date contact information, notification letters started to be issued on September 4, 2025.

US HealthConnect has enhanced its existing policies and procedures and implemented additional administrative and technical safeguards to protect against similar incidents in the future, and the affected individuals have been offered up to 24 months of complimentary credit monitoring and identity theft protection services.  The data breach has been reported to regulators, although it is currently unclear how many individuals have been affected.

Altos Inc.

Altos Inc., a provider of medical billing, medical transcription & medical management services to healthcare providers in southern California, has discovered that an internal system containing patients’ protected health information has been accidentally exposed to the Internet.

The security error was identified on June 17, 2025. The exposed system was immediately secured, and an investigation was launched to determine how the error occurred and the information that had been exposed. On July 21, 2025, Altos determined that the exposed system contained the protected health information of 6,414 individuals, including names, addresses, dates of birth, Social Security numbers, and health information.

In addition to securing the exposed system and implementing procedures to reduce the risk of similar incidents in the future, additional security reviews have been conducted, and steps are being taken to improve its overall security posture. While there have been no reports of misuse of patient data in connection with the incident, out of an abundance of caution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The post Data Breaches Announced by US HealthConnect & Altos Inc. appeared first on The HIPAA Journal.

Data Breaches Announced by Washington, Florida, and Minnesota Healthcare Providers

Posted by Steve Alder

Data breaches have recently been announced by Northwest Medical Specialties in Washington, Medical Associates of Brevard in Florida, and Twin Cities Pain Clinic in Minnesota.

Northwest Medical Specialties

Northwest Medical Specialties, PLLC (NWMS), a physician-owned practice with six locations in the South Puget Sound area of Washington state, has started notifying patients about a recent security incident that potentially involved unauthorized access to some of their protected health information.

NWMS was contacted by an unidentified party on August 18, 2025, who claimed to have accessed its network and sensitive patient data. After securing the network and engaging third-party digital forensics specialists to investigate a potential breach, it was concluded that patient data was potentially copied without authorization. The review of the affected files was completed on August 22, 2025, and confirmed that the potentially compromised data included full names, dates of birth, Social Security numbers, and medical information. Notification letters are now being sent to the affected individuals, who have been offered complimentary credit monitoring services.

NWMS said it is reviewing its policies and procedures related to data privacy and security and has implemented additional technical safeguards to further enhance system security. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so the total number of affected individuals cannot yet be confirmed; however, the Washington Attorney General was notified that 3,846 Washingtonians were affected.

Medical Associates of Brevard

Medical Associates of Brevard, a provider of comprehensive healthcare services to residents of Brevard County in Florida, has recently notified state attorneys general about a recent criminal cyberattack that occurred on or around January 17, 2025. Third-party cybersecurity experts were engaged to investigate the incident and review the files on the compromised parts of its network. The review was completed on July 7, 2025, when it was confirmed that the potentially compromised data included names, dates of birth, medical treatment information, health insurance information, Social Security numbers, driver’s license numbers/state identification numbers, and, for a limited number of individuals, financial account information.

Notification letters were mailed to the affected individuals on September 5, 2025. Complimentary credit monitoring and identity theft protection services have been offered, and a series of cybersecurity enhancements have been made to prevent similar incidents in the future. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Twin Cities Pain Clinic

Twin Cities Pain Clinic, a specialized pain management medical group with six locations in Minnesota, has recently disclosed an email security incident that has exposed patient data. Suspicious activity was identified within an employee’s email account on or around July 9, 2025. A digital forensics firm was engaged to investigate the activity and confirmed on July 31, 2025, that an unauthorized user had accessed the account and a limited number of files stored within SharePoint.

A data mining review was initiated to identify any patients who may have had their protected health information exposed. On August 18, 2025, the review was completed, and determined that patient data was present within emails, attachments, and SharePoint. The exposed data included full names, dates of birth, mailing addresses, phone numbers, email addresses, Social Security numbers, medical record numbers, treatment notes, provide information, Social Security numbers, health insurance information, and financial account information.

Legal counsel is conducting a full review of security practices and systems, and enhanced security protocols and security awareness training will be implemented. While no evidence was found to suggest any information had been downloaded or otherwise removed from its email or SharePoint environments, as a precaution, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 24 months.

The post Data Breaches Announced by Washington, Florida, and Minnesota Healthcare Providers appeared first on The HIPAA Journal.