Florida Pediatric ENT Specialists Confirm Data Breach Affecting 44,000 Individuals

Pediatric Otolaryngology Head & Neck Surgery Associates has reported a data breach affecting almost 44,000 patients. Anchorage Neighborhood Health Clinic in Alaska is investigating a potential security breach that may have affected up to 10,000 patients, and Valley Mountain Regional Center has exposed data over the Internet.

Pediatric Otolaryngology Head & Neck Surgery Associates, Florida

Pediatric Otolaryngology Head & Neck Surgery Associates (POHNS) in Florida recently reported a data breach to the HHS Office for Civil Rights affecting 43,446 individuals. POHNS first announced the data breach on April 25, 2025. Unusual activity was identified within its computer network on February 24, 2025. The forensic investigation confirmed unauthorized access between February 19 and February 24, 2025, including access to patients’ protected health information. The file review confirmed that a range of patient data had been exposed, although the information involved varied from individual to individual.

Data potentially compromised in the incident included names in combination with one or more of the following: address, email address, phone number, Social Security number, driver’s license/state ID number, financial account information, taxpayer ID number, digital signature, date of birth, medical diagnosis/treatment information, prescription information, date of service, patient ID number, provider name, medical record number, Medicare/Medicaid number, health insurance information, health insurance claim number, health insurance policy number, and/or treatment cost information. Notification letters have been mailed to the affected individuals who have been offered complimentary credit monitoring and identity protection services.

Anchorage Neighborhood Health Clinic, Alaska

Anchorage Neighborhood Health Clinic, a Federally Qualified Health Center in Alaska, has confirmed to local media that it is investigating a claim from a hacker about unauthorized access to the personal and health information of 10,000 patients.

Notifications have been issued to patients warning them about a potential security incident after the health center learned that the hacker had contacted certain patients directly. In some cases, the emails sent to patients included information such as their name, address, Social Security number, date of birth, phone number, driver’s license, and health insurance information. Patients have been advised not to interact with any communications they receive from the hacker.

On August 26, 2025, the health center posted a notice on its Facebook page explaining that technical difficulties are being experienced with computer systems, which prevent appointment scheduling, and that phone lines are down. Some progress has been made restoring the affected systems; however, a follow-up post on September 2, 2025, warned that there was only limited computer access due to ongoing technical difficulties, and the phone lines had not been restored by September 9, 2025. The Facebook posts suggest that this was a ransomware attack. The investigation is ongoing, and the extent of any data theft has yet to be confirmed.

Valley Mountain Regional Center

Valley Mountain Regional Center, a Stockton, CA-based provider of support services to individuals with intellectual and developmental disabilities and their families, has recently notified 529 individuals about the accidental exposure of some of their protected health information. On July 14, 2025, a list of State Supplemental Payment (SSP) vendors was posted on its website.

An SSP is an additional payment from the state government that is used to help individuals with disabilities who are living independently. Valley Mountain Regional Center said it discovered that the list contained consumer information such as name, address, city, state, zip code, phone number, vendor name, service code, and service description.

The error was identified quickly, and the list was removed within 18 hours of posting. Valley Mountain Regional Center said it is unaware of any misuse of the exposed information and stressed that Social Security numbers and financial account information were not exposed. Steps have been taken to improve policies and protocols to ensure that similar errors are not made in the future.

The post Florida Pediatric ENT Specialists Confirm Data Breach Affecting 44,000 Individuals appeared first on The HIPAA Journal.

New York Blood Center Enterprises Notifies Individuals Affected by January Ransomware Attack

New York Blood Center Enterprises, the operator of 19 blood donor centers in New York and New Jersey, has notified the Maine Attorney General about its January 2025 ransomware attack and has provided further information on the findings of its investigation. As previously announced and reported below, the attack was detected on January 26, 2025. The forensic investigation confirmed that an unauthorized third party had access to its computer network between January 20 and January 26, 2025, and obtained a copy of a subset of files stored on the network.

The files were reviewed, and New York Blood Center Enterprises obtained a preliminary list of individuals whose names and sensitive data were involved on June 30, 2025. The draft list was reviewed, and “an extensive analysis” was conducted to develop a final list of the individuals to notify. The final list was obtained on August 12, 2025. The types of information involved vary from individual to individual and may include names in combination with Social Security numbers, driver’s license numbers, other government identification card numbers, and/or financial account information.

New York Blood Center Enterprises started mailing notification letters to the affected individuals on September 5, 2025, and individuals whose Social Security number or driver’s license number was involved have been offered one year of complimentary credit monitoring and identity theft protection services. New York Blood Center Enterprises said it has enhanced its security protocols and technical safeguards to further protect and monitor its systems.

The notification letters do not mention ransomware, although New York Blood Center Enterprises previously stated that ransomware was involved. The threat group responsible for the attack has not been disclosed, and no group is known to have claimed responsibility for the attack. The notification letter to the Maine Attorney General states that 8 Maine residents were affected, but the breach report does not state how many individuals were affected in total. The HHS’ Office for Civil Rights does not yet show the breach, so it is currently unclear how many individuals have been affected in total.

January 31, 2025: New York Blood Center Enterprises Grappling with Ransomware Attack

A ransomware group has attacked another U.S. blood donation organization. New York Blood Center Enterprises (NYBCe) is one of the largest community-based, non-profit blood collection and distribution organizations in the United States. NYBCe operates 19 donor centers in New York and New Jersey and provides blood and stem cell products to around 70 hospitals in the area. Through its operating divisions in Connecticut, Delaware, Kansas, Minnesota, Missouri, Nebraska, Rhode Island, and Wisconsin, transfusion-related services are provided to more than 500 hospitals nationwide serving around 75 million people.

On Sunday, January 26, 2025, suspicious activity was identified in its IT systems. Third-party cybersecurity experts were engaged to investigate, and it was confirmed that the suspicious activity was due to a ransomware attack. Steps were taken to contain the threat and eject the threat actor from its network, and work is underway to restore its systems as quickly and safely as possible. Law enforcement has been notified, workarounds are being implemented to restore its services and fulfill orders, and NYBCe has been in regular communication with its hospital partners and is working on minimizing disruption to blood supplies.

At this stage, NYBCe is unable to provide a timeline for when its systems will be restored. While the incident has affected the functionality of its IT systems, all blood donor centers remain operational and its community blood drives are continuing with donations being accepted; however, the IT issues caused by the ransomware attack mean processing times are likely to be longer than normal at its donation centers and blood drives and some donation center activities and blood drives may need to be rescheduled. The attack could not have come at a worse time. On January 21, 2025, just a few days before the attack, NYBCe declared a blood emergency due to a 30% reduction in blood donations in recent weeks that has caused a blood shortage in the region. Some blood drives have had to be canceled as a result of the attack.

It is currently unclear which ransomware group is behind the attack and whether donor information was stolen. NYBCe has been providing updates on its website and will issue notifications to any affected individuals if it is confirmed that personal information has been stolen. Ransomware attacks on blood collection and distribution organizations can cause serious disruption to blood supplies. A July 2024 ransomware attack on the Florida-based blood organization, OneBlood, disrupted blood supplies to the 350 hospitals it serves in Alabama, Florida, Georgia, and North and South Carolina, forcing them to implement their critical blood shortage protocols.

A ransomware attack on a pathology service provider to the UK’s NHS in June 2024 caused major disruption to blood transfusions in London and prolonged blood shortages due to the significant reduction in capacity. A ransomware attack on the Swiss pharma firm OctaPharma in April 2024 resulted in the closure of all blood plasma donation centers in the United States for several weeks.


Settlement Agreed to Resolve Weirton Medical Center Data Breach Lawsuit

Weirton Medical Center in West Virginia has agreed to a settlement to resolve class action litigation over a January 2024 ransomware attack that involved the exfiltration of sensitive data from its network. Hackers had access to its computer network between January 14 and January 18, 2024, and used ransomware to encrypt files. Data stolen in the attack included names, dates of birth, Social Security numbers, health insurance information, and treatment information. The affected individuals were notified on March 18, 2024, and the data breach was reported to the HHS Office for Civil Rights as affecting 26,793 individuals.

Four class action lawsuits were filed in response to the data breach in the U.S. District Court for the Northern District of West Virginia, naming Trish Yano, Matthew Foltz, Leslie Telek, and Judy Mullins as plaintiffs. The lawsuits were consolidated into a single lawsuit – In re Weirton Medical Center Data Breach Litigation – on June 21, 2024. The lawsuit asserted claims of negligence and negligence per se for failing to protect sensitive data on its network from unauthorized access, as well as unjust enrichment, breach of implied contract, breach of confidence, and breach of fiduciary duty.

The lawsuit survived a motion to dismiss, and all parties filed a joint motion to stay proceedings pending mediation. Weirton Medical Center disagreed with all claims and contentions in the lawsuit; however, after a full day of mediation, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and resolves the litigation in its entirety, with no admission of liability or wrongdoing.

All class members are entitled to claim one of two cash payments and credit monitoring services. A claim may be submitted for reimbursement of actual documented, unreimbursed losses that were more likely than not caused by the data breach up to a maximum of $5,000 per class member. Alternatively, class members may claim a cash payment of $50.00, without providing any documentation to prove losses.

All class members can claim one year of three-bureau credit monitoring services, which include identity theft protection and recovery services, and a $1,000,000 identity theft insurance policy. The deadline for exclusion from and objection to the settlement is October 6, 2025. Claims must be submitted by November 5, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 3, 2025.


Department of Labor Confirms Key Rulemaking Initiatives

The U.S. Department of Labor has recently shared insights into the key actions being taken by the department to ensure safety and health in the workplace while reducing unnecessary burdens on employers and employees.

New regulations are important to ensure that Americans have a safe and healthful working environment, especially in hazardous working environments such as indoor and outdoor settings where workers may be exposed to extreme heat. While there is a clear need for further regulations in some areas to ensure that employers adequately protect their workers, some existing regulations are placing unnecessary burdens on employers with little benefit provided to employees.

The announcement follows the Trump Administration’s semiannual Unified Agenda of Regulatory and Deregulatory Actions, which details the actions currently being taken or under consideration. For the Department of Labor, that includes more than 100 areas of rulemaking, including new rules and rule changes that will ensure that U.S. workers are properly protected, while supporting business growth and advancing the Trump Administration’s goal of putting American workers and businesses first.

“Eliminating red tape and crafting smart regulations that spur job creation will bring us even closer to reaching the Golden Age of the American Worker,” said U.S. Secretary of Labor Lori Chavez-DeRemer. “The Department of Labor is committed to helping President Trump and the entire Administration implement this bold regulatory agenda, which focuses on flexibility, transparency, and common-sense reform to ensure every hardworking family has a fair shot at achieving the American Dream.”

On April 15, 2025, President Trump signed an executive order – Lowering Drug Prices by Once Again Putting Americans First – that seeks to reduce the prices Americans pay for prescription drugs. One aspect of that executive order concerns pharmacy benefit managers (PBMs) – the prescription drug middlemen that negotiate prices with drug companies.

Under the Biden Administration, the Federal Trade Commission (FTC) launched an inquiry into PBMs in June 2022. The interim report, published by the FTC in July 2024, found that PBMs may be contributing to higher out-of-pocket costs for patients. The FTC has recently filed a lawsuit against three major PBMs alleging they are enriching themselves by manipulating the drug supply chain. The Department of Labor has confirmed it is looking at ways to improve transparency around the direct and indirect compensation PBMs receive from employer-sponsored health plans and is looking at ways to improve market transparency in pricing and cost-sharing information for consumers.

An area where further regulation may be required concerns heat illness and injury prevention in indoor and outdoor work settings. The Occupational Safety and Health Administration (OSHA) has been considering implementing a heat safety standard for some time, and in July 2024, OSHA proposed a new rule that would apply to all employers and would be triggered when employees are exposed to temperatures of 80°F for more than fifteen minutes in any given sixty-minute period. This was an area where OSHA was expected to row back on further regulation. Public hearings on the proposed rule took place over the summer, and OSHA has confirmed that it is “continuing to examine how to establish standards specifically related to heat-related injury and illness prevention.”

Since 2021, the Department of Labor has had no regulatory guidance addressing joint employer liability under the Fair Labor Standards Act (FLSA). A rule was proposed to address this in 2020, although it was blocked by a court decision. The department is continuing to look at the circumstances under which businesses can be held liable as a joint employer. Also under the FLSA, the Department of Labor is looking at the circumstances under which a worker should be classified as an employee or independent contractor for the purpose of federal wage and hour requirements, and will be defining and delimiting exemptions for executive, administrative, professional, outside sales, and computer employees, including whether salaried employees are exempt from FLSA minimum wage and overtime requirements.

Under the H-2A program, employers in the agricultural industry are permitted to hire foreign workers for temporary or seasonal jobs when domestic workers are unavailable. Under the Biden administration, a final rule was issued in June 2024 to improve protections for these workers; however, the rule was suspended in June 2025. The Department of Labor has proposed to rescind some of the burdensome requirements for growers using the program for agricultural labor. The Department of Labor is also considering updates to the Adverse Effect Wage Rate Methodology for calculating the prevailing wage for H-2A workers, which has been criticized for exceeding the actual local market wages.

“This regulatory agenda reflects our steadfast commitment to restoring economic opportunity by fostering innovation and reducing unnecessary burdens on employers,” said Deputy Secretary of Labor Keith Sonderling. “By modernizing outdated rules and prioritizing clarity and efficiency, we’re building a more agile, worker-centered labor policy framework that fuels economic growth and prosperity. Under President Trump’s leadership, the Department of Labor is delivering the regulatory certainty that American workers and businesses need to thrive.”
