Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns

Posted by Steve Alder

Several cybersecurity firms have tracked a surge in ransomware attacks in Q3, 2025, as groups such as Akira, Qilin, and Inc Ransom have stepped up their attacks. According to Beazley Security, a subsidiary of Beazley Insurance, those three groups accounted for 65% of all ransomware attacks in the quarter. Akira had a surge in attacks, conducting 39% of all attacks in the quarter, over 20% more than the second most active group, Qilin, with 18%, and Inc Ransom with 8%.

The Beazley Security Quarterly Threat Report for Q3, 2025, shows an 11% increase in additions to dark web data leak sites compared to Q2, 2025. The biggest increase in attacks came in August, which accounted for 26% of all publicly disclosed attacks in the past six months, with high levels of ransomware activity continuing in September, which accounted for 19% of all disclosed ransomware attacks in the previous six months.

While attacks are up overall, there has not been much change in the rate of attacks on the healthcare sector, which has remained fairly constant, accounting for 12% of attacks in Q2, 2025, and 11% of attacks in Q3, making it the 4th most targeted sector. In Q3, there was a significant increase in attacks targeting the business services sector, which accounted for 28% of attacks, up from 19% in Q2. Professional services & associations was the second most targeted sector, accounting for 18% of attacks in Q3.

Beazley identified some interesting attack trends, including the continuing preference for using compromised credentials for initial access, most commonly compromised credentials for publicly accessible VPN solutions. Compromised VPN credentials were the initial access vector in 48% of attacks in Q3, up from 38% in Q2, 2025, with external services the next most common attack vector, accounting for 23% of attacks.

Compromised credentials for remote desktop services took third spot, followed by supply chain attacks and social engineering, with each of those attack vectors accounting for around 6% of all attacks in the quarter. While the top three attack vectors remain the same as in Q2, 2025, there was an increase in exploits of vulnerabilities in external services, which overtook compromised credentials to take second spot. The supply of valid credentials primarily comes from infostealer campaigns, and while there was a significant law enforcement action – Operation ENDGAME – targeting Lumma Stealer infrastructure, there was a subsequent spike in Rhadamanthys information activity, indicating the strong demand for credentials.

Akira typically targets VPNs for initial access, and in Q3, most attacks involved credential stuffing and brute force attempts to guess weak passwords, demonstrating the importance of implementing and enforcing password policies and ensuring that multifactor authentication is used. Any accounts that cannot be protected by MFA should have compensating controls. Akira also targeted vulnerabilities in SonicWall devices, where organizations were slow to patch vulnerabilities.

Qilin likewise targeted VPNs using brute force tactics to exploit weak passwords, and also abused valid compromised credentials. INC Ransom also appears to favor compromised valid credentials, gaining access to victims’ environments via VPNs and remote desktop services.

While accounting for a relatively small number of attacks, Beazley warns that several attacks started with downloads of trojanized software installers, including popular productivity and administrative tools such as PDF editors.  Ransomware actors use SEO poisoning to get their malicious download sites appearing at the top of the search engine results, along with malicious adverts (malvertising) that direct users to malicious sites.

Executing the downloaded installer may install the desired software, but it also installs malware. This technique was a common initial access vector in Rhysida ransomware attacks that Beazley investigated. Beazley suggests that organizations should consider security tools such as web filters for protecting against these attack vectors, and should ensure that they cover these techniques in organizational security awareness training programs.

The post Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns appeared first on The HIPAA Journal.

I’m a HIPAA Privacy Manager. What’s That Mean?

Posted by Amy Schultz

The Privacy Department is led by the HIPAA Privacy Manager, but who is the Department? For some small organizations, it’s just the Privacy Officer. For others, there is a team of people who work diligently to keep the Privacy Officer informed and the organization compliant. When someone asks what you do for a living, how would you explain it? If I say to staff that I’m a Privacy Manager, I typically get blank stares. I then mention HIPAA or Patient Rights, and that’s when I get a head nod or two.

Privacy Officer sounds official, but honestly, what I do every day is way more involved in privacy operations than your typical privacy officer. This is the time to learn and soak up everything you can. Having a team is so important, even if it’s just one extra person. The Privacy Officer is limited without the people who make the department functional every day. Whether you’re a specialist just starting out or a manager like me with years of experience, the daily grind is tackled by us. We are diligent and timely in keeping our patients’ PHI safeguarded, giving our colleagues guidance, and keeping our organization compliant. It really falls to the department team. With that said, credit is due to the unicorns of the privacy world who work for smaller organizations and run the whole privacy office by themselves. I know they are out there, and I applaud you all.

The daily operations are our bread and butter. From handling the daily investigations and incident reports to addressing patients’ requests and helping our colleagues with privacy concerns/questions. All the daily tasks add up to enable us to be the privacy subject matter experts for our company. But is it enough? How many years of experience or certifications does it take to rise to the privacy officer title? What other traits are required?

I’m fortunate to work in a multifunctional healthcare organization that has allowed me to experience a variety of privacy scenarios over my time, from occupational health to continued care, urgent care, and hospitals. I think it’s important to experience as much as you can to really feel confident in your decisions and take accountability for the department. This can be the difference between a team member and a department leader. I think a lot can be said about being not only a sponge for information but also motivational. A positive mindset has always been a strong trait I would encourage any leader to possess. We should be thinking of this as we continue to strengthen our craft.

In the healthcare privacy space, where do you see yourself in five or ten years? For me, it’s always been as a Privacy Officer, the end game. But what does it take to get there? I have spent over 13 years in the healthcare compliance/privacy industry and still feel like I’m learning something new every day. The policies, rules, and laws change, so we adapt. This industry keeps evolving and growing, so my advice is to do the same. 

Helping people must be a big part of this journey, personally and professionally. Learning and becoming an expert in the healthcare privacy field can make it possible to help fellow colleagues and patients every day. As I continue my role, I hope to never forget this. What we do as privacy experts is important. We may be behind the scenes, but we keep our company compliant and lawful. We keep striving to be better than we were yesterday and help those who need it. Continue to do the work, keep your company HIPAA compliant, and never stop learning. One day, you might be a Privacy Officer. 



The post I’m a HIPAA Privacy Manager. What’s That Mean? appeared first on The HIPAA Journal.

Geisinger Health & Nuance Communications Data Breach Litigation Settled for $5 Million

Posted by Steve Alder

The Danville, Pennsylvania-based healthcare provider Geisinger Health and its former IT vendor Nuance Communications, Inc., have agreed to a $5 million settlement to resolve class action litigation over a 2023 insider data breach involving a former Nuance Communications employee.

On or around November 29, 2023, Geisinger Health learned that a former Nuance Communications employee, Andre J. Burk (also known as Max Vance), accessed the sensitive data of Geisinger Health patients two days after he was terminated by Nuance Communications. The data had been provided to Nuance Communications in connection with the services the IT company was contracted to provide. The breach was detected by Geisinger Health, rather than Nuance Communications, and it alerted its IT vendor about the breach.

Under HIPAA, business associates of HIPAA-regulated entities must comply with the HIPAA Security Rule, one of the requirements of which is to ensure that access rights are immediately revoked when employees are terminated. When notified about the unauthorized access, Nuance Communications terminated the former employee’s access rights and launched an investigation, which revealed that the former employee had potentially obtained the protected health information of more than 1.2 million Geisinger Health patients, including names, dates of birth, Social Security numbers, medical information, and health insurance information.

The affected individuals started to be notified about the data breach on June 24, 2024. The delay in notification was at the request of law enforcement. The HHS’ Office for Civil Rights was informed that the protected health information of 1,276,026 individuals was involved. Max Vance is now facing criminal charges over the data theft – one count of obtaining information from a protected computer – and his trial is scheduled for early January 2026.

Several lawsuits were filed against Geisinger Health and Nuance Communications, Inc. in response to the data breach, which were consolidated into a single action in July 2024 – In re: Geisinger Health Data Security Incident Litigation – in the U.S. District Court for the Middle District of Pennsylvania. The consolidated lawsuit alleged that the defendants failed to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard the plaintiffs’ and class members’ personal and protected health information.

The lawsuit alleged that Geisinger Health failed to ensure that its vendors employed reasonable security measures, that Nuance Communications failed to properly monitor systems for intrusions, there was insufficient network segmentation, and a failure to comply with FTC guidelines, the HIPAA Rules, and the defendants did not adhere to industry standard cybersecurity measures. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and declaratory judgment and injunctive relief against both defendants, and breach of fiduciary duty against defendant Geisinger Health.

The defendants disagree with the claims in the lawsuit; however, they chose to settle with no admission of wrongdoing to avoid the expense and uncertainty of a trial and related appeals. The settlement received preliminary approval from District Court Judge Matthew W. Brann on November 18, 2025. Under the terms of the settlement, the defendants will establish a $5,000,000 settlement fund, from which attorneys’ fees and expenses, service awards, and settlement administration costs will be deducted. The remainder of the funds will be used to pay benefits to the class members.

The class consists of 1,308,363 class members who may choose to receive a one-year membership to a credit monitoring and identity theft protection service. In addition, a claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to $5,000 per class member. Alternatively, instead of a claim for reimbursement of losses, class members may choose to receive a pro rata cash payment. The final approval hearing has been scheduled for March 16, 2026, and claims must be submitted by March 18, 2026.

June 24, 2024: Geisinger: Former Business Associate Employee Unlawfully Accessed PHI of More Than 1.2 Million Patients

More than one million Geisinger patients are being notified that their protected health information has been unlawfully accessed by a former employee of one of its business associates, Nuance Communications.

Nuance Communications provides information technology services to Geisinger, which requires access to systems containing patient information. On November 29, 2023, Geisinger detected unauthorized access to patient data by a former Nuance employee and immediately notified Nuance about the incident. Nuance immediately terminated the former employee’s access and launched an investigation, which confirmed that the former employee accessed patient data two days after they were terminated.

The former employee may have viewed and acquired the data of more than one million Geisinger patients. The data varied from patient to patient and may have included names, addresses, phone numbers, dates of birth, admission/discharge/transfer codes, medical record numbers, facility name abbreviations, and race and gender information. Nuance has confirmed that the employee did not have access to Social Security numbers, financial information, or claims/insurance information.

The Department of Justice can pursue criminal charges for HIPAA violations under the Social Security Act when individuals knowingly violate HIPAA. When an employee of a HIPAA-covered entity or business associate has their employment terminated, HIPAA still applies. The penalties for accessing and obtaining protected health information are severe and can include a hefty fine and jail time. A tier 1 violation carries a maximum penalty of up to a year in jail, a tier 2 violation carries a jail term of up to 5 years, and a sentence of up to 10 years in jail is possible for a tier 3 violation – obtaining PHI for personal gain or with malicious intent. Geisinger has confirmed that the unauthorized access was reported to law enforcement and the former Nuance employee has been arrested and is facing federal criminal charges.

Due to the high risk of unauthorized access to patient data by former employees, HIPAA-covered entities and their business associates are required to develop and implement procedures for terminating access to electronic protected health information when employment comes to an end under the workforce security standard of the HIPAA Security Rule – 45 CFR § 164.308 (3)(ii)(C). This incident clearly shows why it is vital to revoke access immediately upon termination of employment. The HHS’ Office for Civil Rights has taken action over violations of this Security Rule provision in 2020 (City of New Haven) and 2018 (Pagosa Springs Medical Center).

The Risant Health-owned health system has confirmed that Nuance Communications is mailing notifications to the affected individuals. Patients have been advised to review the statements they receive from their health plans and contact their health insurer if any services appear on their statements that they have not received. A helpline has been set up for individuals requiring further information about the breach – 855-575-8722. The helpline is manned from 9 a.m. to 9 p.m. ET Monday to Friday. Callers should quote engagement number B124651.

The breach was reported to the HHS’ Office for Civil Rights as affecting 1,276,026 individuals.

This article has been updated to state the number of people affected by the breach, as that information was unavailable at the time of the initial post.

The post Geisinger Health & Nuance Communications Data Breach Litigation Settled for $5 Million appeared first on The HIPAA Journal.

Healthcare’s Reliance on Outdated IT Putting Patient Safety and Cybersecurity at Risk

Posted by Steve Alder

Outdated systems are causing healthcare professionals to lose hours each week, impacting patient care, organizational performance, efficiency, and security, according to a new report from the technology services and solution provider Presidio.

The report is based on a survey of more than 1,000 frontline healthcare professionals in the United States, the United Kingdom, and Ireland. Almost all respondents (98%) said inefficient technologies are causing patient care and safety issues, including delays or errors in patient care, and 89% said those issues are a regular occurrence, with 24% reporting that these incidents occur at least once per shift. On average, the respondents experienced 11 such incidents a month.

Healthcare employees are using legacy software and outdated devices that do not support efficient working practices. Some of the main problems associated with outdated systems were latency issues with EHR systems, disconnected and fragmented platforms, and a lack of mobile access. Due to inefficiencies, almost one-quarter of respondents (23%) said they often resort to workarounds to get the job done, even for basic tasks. That creates significant compliance and security risks, as patient data may be handled outside of approved systems, such as unapproved apps. The use of shadow IT creates blind spots for compliance teams and IT departments. Further, the shadow IT tools may not be HIPAA compliant, lacking key security safeguards.

Some of the main problems reported by the respondents were systems that do not easily share data with other systems (23%), reliance on multiple workarounds to complete basic tasks (23%), technologies in use that act as a barrier to safe and timely care (23%), insufficient staff or budgets to modernize systems (23%), and dependence on outdated and legacy systems (23%).

Healthcare professionals in the United States are more likely than their European counterparts to have modern systems, with 36% of UK healthcare professionals saying they have modern systems, and just 2% in Ireland. In the United States, 63% of respondents said they used modern and effective systems, but that leaves 37% who do not.

When technology fails or data cannot be accessed, patient care suffers. 95% of respondents said patient care was negatively affected by system problems and data access issues, and those issues occur regularly, with 27% of U.S. respondents reporting that errors due to outdated technology occur daily, 26% said they occur a few times a week, and 22% said they occur around once per week. As Presidio explained, the use of outdated technology does not just affect efficiency; it directly drives patient safety incidents. Further, inefficient and outdated technology is a significant factor contributing to clinician burnout, as reported by 80% of respondents.

Investment in technology can help to reduce burnout. The survey revealed that more than half of organizations using real-time data at scale (51%) recognize that outdated technology was a major driver of burnout, compared to 29% in pilot programs and 17% still in planning phases, demonstrating that investment in modern, AI-driven technology systems can significantly improve workforce health. “In a competitive labor market, where skilled healthcare professionals are in high demand, this becomes a strategic advantage,” suggests Presidio.

The survey revealed the biggest benefits for staff were improved operational efficiency (52%), better access to real-time patient data and analyses (48%), and more streamlined tasks to support overextended staff (41%). Top of the wish list for healthcare professionals were AI-assisted automation of data entry (52%), transcription and notetaking (41%), EHR system navigation (40%), prescription entries (39%), and insurance validation (36%), all of which were a drain on their time, limiting face-to-face time with patients.

It is clear from the report that there is a pressing need for AI systems to be used in healthcare to improve efficiency, but adoption has been slow. “Most organizations are still relatively immature in their technology practices, lacking full-scale deployment of new technologies that improve record keeping, access to data, and efficiency,” said Presidio in the report. “Healthcare professionals are ready for AI, and they’re telling IT leaders where it can have the biggest impact.”

The post Healthcare’s Reliance on Outdated IT Putting Patient Safety and Cybersecurity at Risk appeared first on The HIPAA Journal.

Vendor Breaches Announced by Illinois and Virginia Healthcare Providers

Posted by Steve Alder

Personic Management Company (Personic Health) and Innovative Physical Therapy have recently confirmed that patient information was compromised in vendor security incidents. Anchorage Neighborhood Health Center has recently disclosed an August cyberattack that exposed patient data.

Personic Management Company (Personic Health)

Vienna, VA-based Personic Management Company LLC, doing business as Personic Health, a wound care specialist, has recently disclosed a data breach involving a third-party software platform used to process patient data. Personic Health was informed on September 1, 2025, that there had been unauthorized access to the platform. Assisted by third-party digital forensics experts, Personic Health launched a comprehensive investigation to determine how the breach occurred and the types of information potentially compromised in the incident.

The investigation confirmed that an unauthorized actor accessed the platform on August 29, 2025, and acquired certain data. The data review was completed on October 13, 2025, and confirmed that the protected health information had been stolen.  The breach was reported to the Maine Attorney General as involving the personal and protected health information of up to 10,929 individuals; however, the types of information involved were redacted. The individual notification letters state the exact types of information involved.

Personic Health has taken steps to strengthen security to prevent similar breaches in the future and has offered the affected individuals 24 months of complimentary credit monitoring and identity protection services.

Innovative Physical Therapy

Innovative Physical Therapy (IPT), a network of outpatient physical therapy and rehabilitation centers, has recently disclosed a security incident involving its third-party practice management software provider. The vendor assisted IPT with administrative services, which required access to patients’ protected health information.

On August 25, 2025, IPT’s software vendor notified IPT about a phishing incident that involved unauthorized access to two employee email accounts. The phishing incident was identified on June 26, 2025, and the accounts were immediately secured. The vendor engaged a third-party digital forensics firm to investigate the incident, which confirmed that an unauthorized third party accessed the accounts between June 25 and June 26, 2025.

The vendor reviewed the emails and associated files and identified names in combination with one or more of the following types of information: address, date of birth, diagnosis, lab results, medications, treatment information, health insurance information, provider name, and dates of service. A limited number of individuals also had their Social Security numbers exposed.

In total, 2,023 patients were affected by the breach and were notified by mail by the practice management vendor on October 3, 2025. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. IPT said it has received assurances that its vendor is taking steps to prevent similar incidents in the future, including providing additional cybersecurity awareness training for its workforce.

Anchorage Neighborhood Health Center

Anchorage Neighborhood Health Center in Alaska has started notifying patients about a criminal cyberattack that involved unauthorized access to or acquisition of some of their protected health information. The cyberattack was detected on August 25, 2025, and the investigation confirmed unauthorized access to its network from August 24 to August 25, 2025.

The review of the exposed files was completed on October 10, 2025, when it was confirmed that the data exposed in the incident included names, dates of birth, Social Security numbers, driver’s license/state identification numbers, medical treatment information, and/or health insurance information. Anchorage Neighborhood Health Center said it has already implemented a series of cybersecurity enhancements and plans to take other steps to strengthen security. While data misuse has not been detected, as a precaution, the affected individuals have been offered up to 24 months of complimentary credit monitoring services.

The post Vendor Breaches Announced by Illinois and Virginia Healthcare Providers appeared first on The HIPAA Journal.