Florida Hospital Fires Employees for Taking Unauthorized Photographs of Sedated Patients
Four employees of Baptist Health’s Jay Hospital in Florida have been terminated for allegedly taking unauthorized photographs of patients and sharing the images on the Snapchat social media platform. The privacy violations reportedly occurred in February 2025. The employees were alleged to have entered patients’ rooms late at night and photographed patients while they were sleeping or medicated without the patients’ knowledge or consent.
Personal injury attorney Joe Zarzaur was contacted by three patients who were recently notified about the privacy violations by the hospital. It is unclear why it took so long for the affected patients to be notified, or how many patients have been affected. The nature of the photographs was not disclosed to the patients. According to Zarzaur, the patients were informed that the photographs were “unflattering” and “horrible.” They were not told how many photographs were taken or exactly what the photographs showed, and were not allowed to see any of the images.
One of the patients was notified about the privacy violation while they were still admitted at Jay Hospital, and another was informed when they visited an outpatient rehab facility. At least two of the affected patients are taking legal action for invasion of privacy and are being represented by Zarzaur.
“Upon learning of the allegation, we immediately conducted a preliminary investigation and notified the appropriate authorities and the patients,” explained a spokesperson for Jay Hospital. “Following the investigation, the individuals involved were terminated. We are committed to protecting the privacy, safety, and dignity of our patients. As this matter involves patient privacy and is currently under investigation, we are unable to share further details at this time.”
The sharing of protected health information (PHI) for reasons unrelated to treatment, payment, or hospital operations is not permitted by the HIPAA Privacy Rule, unless consent is obtained from the subject of the PHI. Photographs of patients are classed as PHI, and the employees clearly violated HIPAA as well as ethical and professional standards.
The post Florida Hospital Fires Employees for Taking Unauthorized Photographs of Sedated Patients appeared first on The HIPAA Journal.
Balancing the Need for Data Accessibility with Ensuring Patient Data Privacy and Compliance with Regulations like HIPAA – Healthcare IT Today
Greater Cincinnati Behavioral Health Services Pays $850K to Settle Data Breach Litigation – The HIPAA Journal
Greater Cincinnati Behavioral Health Services (GCBHS) has agreed to pay up to $850,000 to resolve all claims related to a December 2023 ransomware attack that involved unauthorized access to patient and employee information. GCBHS identified the cyberattack on December 10, 2023, and determined that initial access to its network occurred the previous day. The DragonForce ransomware group was behind the attack, and initial access was gained using compromised employee credentials. Those credentials gave the ransomware group access to 72 GB of sensitive data, including employee and patient information.
The breach was reported to the Maine Attorney General as affecting approximately 62,000 individuals, and the HHS’ Office for Civil Rights was told that the protected health information of up to 50,000 individuals was exposed in the attack. The affected employees and patients started to be notified about the data breach on June 12, 2024, and learned that their names, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, health information, and health insurance information had been exposed and potentially stolen.
Two class action lawsuits were filed in response to the breach, which were consolidated into a single complaint – In Re: Greater Cincinnati Behavioral Health Services Data Incident Litigation – in the Court of Common Pleas for Hamilton County, Ohio. The consolidated complaint alleged the defendant had failed to implement reasonable and appropriate cybersecurity measures to protect sensitive data on its network. The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. GCBHS denies all claims of wrongdoing and liability.
All parties attended mediation. No settlement was agreed upon there, but following months of continued negotiations, a settlement in principle that was acceptable to all parties was reached to resolve the litigation. The settlement agreement has recently received preliminary approval from the court. Under the terms of the settlement, GCBHS has agreed to pay a maximum of $850,000 to resolve the litigation, inclusive of attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives. There are approximately 61,850 individuals in the settlement class.
Class members may submit a claim for reimbursement of documented, unreimbursed losses up to a maximum of $5,000 per class member. A pro rata cash payment can be claimed, which is expected to be in the range of $60 to $120. Additionally, all class members are entitled to claim a one-year subscription to the three-bureau CyEx Medical Shield service. The deadline for objection to and exclusion from the settlement is November 11, 2025. The deadline for submitting a claim is December 11, 2025, and the final approval hearing has been scheduled for January 14, 2026.
Business Associate Data Breach Affects 462,000 Blue Cross Blue Shield of Montana Members – The HIPAA Journal
Approximately 462,000 current and former customers of Blue Cross Blue Shield of Montana (BCBSMT) have been affected by a cyberattack on its New Jersey-based business associate, Conduent Business Services. Conduent Business Services provides BCBSMT with payment, document processing, and other back office services, which require access to BCBSMT members’ protected health information. On January 13, 2025, Conduent Business Services identified a security incident that caused operational disruption – terminology typically used to describe a ransomware attack.
Conduent Business Services was able to restore access to the affected systems and return to normal business operations within a few days. The investigation confirmed unauthorized access to its IT environment commencing on October 21, 2024, and lasting for almost three months. During that time, files were exfiltrated from its network. On April 9, 2025, Conduent Business Services disclosed the cyberattack in a filing with the U.S. Securities and Exchange Commission (SEC). At the time, it was unclear exactly how many individuals had been affected.
On October 8, 2025, Conduent Business Services notified the California Attorney General about the data breach, which reportedly affected approximately 4.3 million individuals. It is unclear how many of the company’s clients were affected by the breach, or whether the breach affected any other HIPAA-covered entity clients. The breach is not currently listed on the HHS’ Office for Civil Rights website.
BCBSMT notified the Montana State Auditor’s Office about the data breach in early October, almost one year after the breach was first detected by its business associate. BCBSMT claims to have been notified that it was affected earlier this year and has been conducting its own investigation and reviewing the affected data. The review was not completed until September 23, 2025. The BCBSMT data breach is not listed on the OCR breach portal, although the breach portal has not been updated by OCR since September 24, 2025, due to the government shutdown. The Montana State News Bureau learned about the data breach after submitting a records request. The obtained documents indicate that up to 462,000 Montanans have been affected, and that the compromised information included names, birth dates, Social Security numbers, treatment and diagnosis codes, provider names, and claims amounts.
The Montana Commissioner of Securities and Insurance has launched an investigation to determine if there has been a violation of state data breach notification laws, which require individuals to be notified about a data breach in a timely manner. Breached entities must also notify the Department of Justice about a data breach without unreasonable delay, but there is currently no listing on the DOJ consumer protection website about the data breach. The state auditor is seeking answers to questions about the data breach and has requested a copy of its privacy and security policies. Should BCBSMT be determined to have failed to comply with state laws, financial penalties may be imposed.