Settlement Agreed to Resolve Weirton Medical Center Data Breach Lawsuit

Weirton Medical Center in West Virginia has agreed to a settlement to resolve class action litigation over a January 2024 ransomware attack that involved the exfiltration of sensitive data from its network. Hackers had access to its computer network between January 14 and January 18, 2024, and used ransomware to encrypt files. Data stolen in the attack included names, dates of birth, Social Security numbers, health insurance information, and treatment information. The affected individuals were notified on March 18, 2024, and the data breach was reported to the HHS Office for Civil Rights as affecting 26,793 individuals.

Four class action lawsuits were filed in response to the data breach in the U.S. District Court for the Northern District of West Virginia, naming Trish Yano, Matthew Foltz, Leslie Telek, and Judy Mullins as plaintiffs. The lawsuits were consolidated into a single lawsuit – In re Weirton Medical Center Data Breach Litigation – on June 21, 2024. The lawsuit asserted claims of negligence and negligence per se for failing to protect sensitive data on its network from unauthorized access, as well as unjust enrichment, breach of implied contract, breach of confidence, and breach of fiduciary duty.

The lawsuit survived a motion to dismiss, and all parties filed a joint motion to stay proceedings pending mediation. Weirton Medical Center disagreed with all claims and contentions in the lawsuit; however, after a full day of mediation, the material terms of a settlement were agreed upon by all parties. The settlement has now been finalized and resolves the litigation in its entirety, with no admission of liability or wrongdoing.

All class members are entitled to claim one of two cash payments and credit monitoring services. A claim may be submitted for reimbursement of actual documented, unreimbursed losses that were more likely than not caused by the data breach, up to a maximum of $5,000 per class member. Alternatively, class members may claim a cash payment of $50.00, without providing any documentation to prove losses.

All class members can claim one year of three-bureau credit monitoring services, which include identity theft protection and recovery services, and a $1,000,000 identity theft insurance policy. The deadline for exclusion from and objection to the settlement is October 6, 2025. Claims must be submitted by November 5, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 3, 2025.

The post Settlement Agreed to Resolve Weirton Medical Center Data Breach Lawsuit appeared first on The HIPAA Journal.

Department of Labor Confirms Key Rulemaking Initiatives

The U.S. Department of Labor has recently shared insights into the key actions being taken by the department to ensure safety and health in the workplace while reducing unnecessary burdens on employers and employees.

New regulations are important to ensure that Americans have a safe and healthful working environment, especially in hazardous working environments such as indoor and outdoor settings where workers may be exposed to extreme heat. While there is a clear need for further regulations in some areas to ensure that employers adequately protect their workers, some existing regulations are placing unnecessary burdens on employers with little benefit provided to employees.

The announcement follows the Trump Administration’s semiannual Unified Agenda of Regulatory and Deregulatory Actions, which details the actions currently being taken or under consideration. For the Department of Labor, that includes more than 100 areas of rulemaking, including new rules and rule changes that will ensure that U.S. workers are properly protected, while supporting business growth and advancing the Trump Administration’s goal of putting American workers and businesses first.

“Eliminating red tape and crafting smart regulations that spur job creation will bring us even closer to reaching the Golden Age of the American Worker,” said U.S. Secretary of Labor Lori Chavez-DeRemer. “The Department of Labor is committed to helping President Trump and the entire Administration implement this bold regulatory agenda, which focuses on flexibility, transparency, and common-sense reform to ensure every hardworking family has a fair shot at achieving the American Dream.”

On April 15, 2025, President Trump signed an executive order – Lowering Drug Prices by Once Again Putting Americans First – that seeks to reduce the prices Americans pay for prescription drugs. One aspect of that executive order concerns pharmacy benefit managers (PBMs) – the prescription drug middlemen that negotiate prices with drug companies.

Under the Biden Administration, the Federal Trade Commission (FTC) launched an inquiry into PBMs in June 2022. The interim report, published by the FTC in July 2024, found that PBMs may be contributing to higher out-of-pocket costs for patients. The FTC has recently filed a lawsuit against three major PBMs alleging they are enriching themselves by manipulating the drug supply chain. The Department of Labor has confirmed it is looking at ways to improve transparency around the direct and indirect compensation PBMs receive from employer-sponsored health plans and is looking at ways to improve market transparency in pricing and cost-sharing information for consumers.

An area where further regulation may be required concerns heat illness and injury prevention in indoor and outdoor work settings. The Occupational Safety and Health Administration (OSHA) has been considering implementing a heat safety standard for some time, and in July 2024, OSHA proposed a new rule that would apply to all employers and would be triggered when employees are exposed to temperatures of 80°F for more than fifteen minutes in any given sixty-minute period. This was an area where OSHA was expected to row back on further regulation. Public hearings on the proposed rule took place over the summer, and OSHA has confirmed that it is “continuing to examine how to establish standards specifically related to heat-related injury and illness prevention.”

Since 2021, the Department of Labor has had no regulatory guidance addressing joint employer liability under the Fair Labor Standards Act (FLSA). A rule was proposed to address this in 2020, although it was blocked by a court decision. The department is continuing to look at the circumstances under which businesses can be held liable as a joint employer. Also under the FLSA, the Department of Labor is looking at the circumstances under which a worker should be classified as an employee or independent contractor for the purpose of federal wage and hour requirements, and will be defining and delimiting exemptions for executive, administrative, professional, outside sales, and computer employees, including whether salaried employees are exempt from FLSA minimum wage and overtime requirements.

Under the H-2A program, employers in the agricultural industry are permitted to hire foreign workers for temporary or seasonal jobs when domestic workers are unavailable. Under the Biden administration, a final rule was issued in June 2024 to improve protections for these workers; however, the rule was suspended in June 2025. The Department of Labor has proposed to rescind some of the burdensome requirements for growers using the program for agricultural labor. The Department of Labor is also considering updates to the Adverse Effect Wage Rate Methodology for calculating the prevailing wage for H-2A workers, which has been criticized for exceeding the actual local market wages.

“This regulatory agenda reflects our steadfast commitment to restoring economic opportunity by fostering innovation and reducing unnecessary burdens on employers,” said Deputy Secretary of Labor Keith Sonderling. “By modernizing outdated rules and prioritizing clarity and efficiency, we’re building a more agile, worker-centered labor policy framework that fuels economic growth and prosperity. Under President Trump’s leadership, the Department of Labor is delivering the regulatory certainty that American workers and businesses need to thrive.”


NYS DOH Cybersecurity Regulation Deadline Fast Approaching

Next month, the New York State Department of Health (DOH) cybersecurity regulation for general hospitals comes into force, and all covered hospitals will be required to comply with all the new requirements. The cybersecurity regulation (10 NYCRR 405.46) took effect on October 2, 2024, and with immediate effect, general hospitals had to implement policies and procedures for reporting a material cybersecurity incident to the New York Department of Health’s Surge Operations Center (SOC) within 72 hours. Covered hospitals were given a year to implement compliance programs covering the other new requirements, and the deadline for compliance is now less than a month away. The compliance deadline is October 2, 2025.

Cybersecurity Requirements for General Hospitals

Hospitals in New York State already need to comply with the HIPAA Security Rule, but the cybersecurity regulation introduces many new requirements. Simply being HIPAA-compliant is no longer enough. Hospitals in the state, under HIPAA, are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information; however, the cybersecurity regulation takes things further, as the requirements apply to electronic nonpublic information. The definition is broader than HIPAA, and applies to personally identifiable information (PII), which is information that could be used to identify a natural person, not just patients, as well as business-related records.

General hospitals are required to implement a cybersecurity program based on the hospital’s risk assessment. The cybersecurity regulation stipulates several required elements that go above and beyond those specified by HIPAA. The cybersecurity program must identify internal and external risks that may threaten the security or integrity of nonpublic information within the hospital’s systems and that may threaten the continuity of the hospital’s business and operations. Policies and procedures must be implemented to protect information systems and any nonpublic information stored within those systems from unauthorized access and other malicious acts. Defensive infrastructure is required, and systems must be in place for detecting and responding to cybersecurity events, which will allow the recovery of normal operations and services.

Policies and protocols must be implemented for limiting user access privileges to systems containing nonpublic information, and there must be regular reviews of access privileges. There is a new requirement for measures to mitigate the threat of email-based attacks, such as spoofing, phishing, and fraud, and regular reviews of email controls must be conducted to ensure they continue to be effective.

Security measures and controls include encryption of data at rest and in transit, and there are data minimization requirements. Policies and procedures are required for the secure disposal of nonpublic information that is no longer required. Multifactor authentication, risk-based authentication, or other compensating controls are required to protect against unauthorized access to nonpublic information.

Whereas HIPAA requires regular risk analyses, the cybersecurity regulation requires hospitals to conduct an annual risk assessment to identify risks and vulnerabilities to nonpublic information, and the cybersecurity program must be assessed annually to ensure it remains effective. Testing is required, including annual penetration tests by a qualified internal or external party. Hospitals must have an incident response plan for dealing with cybersecurity incidents, and documentation demonstrating compliance must be maintained for six years.

Hospitals are required to appoint a Chief Information Security Officer (CISO), who must be a qualified senior or executive-level staff member with proper training, experience, and expertise, and the cybersecurity program must be managed by qualified cybersecurity personnel or a third-party service provider.

New Cybersecurity Requirements Likely to Be Rigorously Enforced

The HIPAA Journal has spoken with information governance strategist Matthew Bernstein, who has over 20 years’ experience helping organizations analyze risks, transform written policy into day-to-day practice, and make their data findable, compliant, and secure. Hospitals rely on his firm, Bernstein Data, to integrate retention schedules, discovery and classification, and defensible disposition into one operating model that meets HIPAA and state mandates while trimming storage costs and shrinking the ransomware “attack surface”.

Bernstein has warned that hospitals believing they are compliant with the new requirements because they are HIPAA compliant could be in for a shock, and any hospital waiting to implement the changes until the DOH starts enforcing the cybersecurity regulation could well end up paying a considerable financial penalty. The language of the regulation closely mirrors the NYS Department of Financial Services (DFS) requirements, and penalties for noncompliance can run from $1 million to $5 million.

“It’s clear that the NYS Dept of Health is taking a leaf from the NYS Department of Financial Services’ book, and that should be concerning to hospitals. The DFS has been an aggressive regulator about cybersecurity shortcomings of NYS companies, including healthcare providers with a “financial services” business, such as its recent $2 million settlement with Healthplex,” explained Bernstein. “There are significant commonalities between the new DOH regulation and the infamous 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies, and these requirements present new challenges for hospitals. It’s not just about a small set of defined PHI and making sure breaches are reported; there’s an expansive set of “personal” and “business-related” information to protect, and new risk assessment and mitigation operations to be adopted.”

With the compliance deadline fast approaching, hospitals need to ensure they have the policies, procedures, and protocols in place to comply with the new requirements. “New York hospitals don’t need to solve everything overnight, but they do need to demonstrate governance and intent,” Bernstein said. “Drafting a preliminary compliance roadmap with specific roles, accountability structures, and implementation priorities can go a long way in signaling good faith to regulators, board members, and insurers. Think of it as the scaffolding on which everything else will be built.”
