Lakeview Health Systems Reaches Settlement in Data Breach Class Action Lawsuit

Lakeview Health Systems LLC has agreed to a negotiated settlement of a class action lawsuit arising from a January 2024 cyberattack that exposed the personal and protected health information of 10,772 individuals.

The cyberattack involved unauthorized access to Lakeview Health Systems’ network. The files that were accessed, and potentially exfiltrated, contained personal and health information, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, patient identification numbers, diagnoses, treatment information, prescription information, and health insurance information.

Following notification of the breach, affected individuals filed lawsuits against Lakeview Health Systems. The plaintiffs alleged that the organization failed to adequately protect sensitive information stored on its network. The plaintiffs asserted that the data breach could have been avoided.

Lakeview Health Systems states that it engaged in no wrongdoing and bears no liability for the incident. The lawsuits contained similar allegations and were consolidated into a single case, Skov et al. v. Lakeview Health Systems, L.L.C., in the Circuit Court of Duval County, Florida. The lawsuit remains pending.

The parties agreed to resolve the matter through a negotiated settlement. The settlement was reached to avoid the costs, risks, disruptions, and uncertainties associated with continuing litigation.

Under the settlement terms, the defendant agreed to pay attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives.

Settlement class members may submit claims for reimbursement of documented and unreimbursed ordinary losses resulting from the data breach. The maximum reimbursement for ordinary losses is $2,000 per class member.

Class members may also seek reimbursement for extraordinary losses. The maximum reimbursement available for extraordinary losses is $5,000. The settlement also provides compensation for lost time. Class members may submit claims for up to four hours of lost time at a rate of $20 per hour. One year of credit monitoring services is also available under the settlement.

Class members who do not submit claims for reimbursement of losses, lost time, or credit monitoring services may instead request a one-time cash payment of $50.

The settlement establishes several deadlines for class members. The deadline to object to the settlement or request exclusion from the settlement class is July 23, 2026. Claims must be submitted by August 24, 2026. A final fairness hearing is scheduled for October 8, 2026.

The settlement resolves the claims arising from the January 2024 cyberattack; the underlying lawsuit remains pending until the court grants final approval.

Alabama Ophthalmology Associates Settles Data Breach Affecting 131,576 Individuals

Alabama Ophthalmology Associates, P.C. has agreed to settle a class action lawsuit arising from a January 2025 cyberattack that resulted in unauthorized access to patient data affecting 131,576 individuals.

Incident Timeline and Scope

Alabama Ophthalmology Associates, P.C. identified a cyberattack on its computer network on January 30, 2025. A forensic investigation confirmed that unauthorized access to the network occurred between January 22 and January 30, 2025.

The compromised files included personal data and protected health information (PHI), such as names, dates of birth, Social Security numbers, medical record numbers, treatment information, medical history information, and health insurance information.

The data breach impacted 131,576 individuals. Notification letters were issued to affected individuals in April 2025.

Litigation and Allegations

After the breach, Alabama Ophthalmology Associates faced multiple class action lawsuits. These lawsuits were consolidated due to overlapping claims and proceeded as In re Alabama Ophthalmology Associates, P.C., Data Breach Litigation in the Circuit Court of Jefferson County, Alabama.

The consolidated complaint alleged that Alabama Ophthalmology Associates, P.C. did not implement reasonable and appropriate safeguards to protect sensitive data stored on its network. The claims also asserted that the organization failed to provide adequate breach notifications.

The legal claims included negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, fraud, misrepresentation, unjust enrichment, bailment, wantonness, and failure to provide adequate notice under applicable breach notification requirements.

The defendant denied all allegations and stated that no wrongdoing occurred and that no liability exists.

Settlement Terms

The parties reached a settlement agreement to avoid additional legal expenses and the uncertainty associated with trial proceedings.

Under the settlement, class members are eligible to receive two years of medical data monitoring and identity theft protection services.

Class members may also choose between two forms of financial compensation: a claim for documented, unreimbursed losses of up to $5,000 per individual, or a pro rata cash payment, expected to be approximately $60 per individual depending on the number of valid claims submitted.

Deadlines and Court Proceedings

The deadline for class members to object to or exclude themselves from the settlement is June 5, 2026. Claims must be submitted by June 25, 2026. A final fairness hearing has been scheduled for July 6, 2026.

2,697,540 Individuals Affected by Navia Benefit Solutions Data Breach

Navia Benefit Solutions disclosed a network attack that exposed the personal and protected health information of 2,697,540 individuals after unauthorized access to its systems from December 22, 2025, through January 15, 2026.

Summary of Incident

Navia Benefit Solutions, based in Renton, Washington, reported that hackers had access to its network for about three weeks, from late December 2025 to mid-January 2026. The incident potentially affected 2,697,540 current and former participants and their dependents.

Incident Timeline

The company identified the attack on or around January 15, 2026. Forensic analysis conducted by the company confirmed unauthorized access to its computer environment from December 22, 2025, to January 15, 2026. Navia posted a substitute breach notice on its website on March 13, 2026, and began mailing individual notification letters to affected individuals on March 18, 2026.

Organization Profile

Navia Benefit Solutions manages tax‑advantaged healthcare and dependent care accounts for employers and offers employee benefits administration services. The company reported having more than 10,000 clients and more than 1 million participants.

Data Potentially Compromised

Navia reported that the data potentially compromised in the incident included names, email addresses, phone numbers, and Social Security numbers.

Washington State Health Care Authority’s substitute notice specified additional data elements for its affected members, including first and last names, addresses, phone numbers, Navia ID numbers, enrollment start and end dates, email addresses, employee IDs, Social Security numbers, and dates of birth.

Notifications and Breach Response

Navia notified federal law enforcement and launched an investigation to determine the nature and scope of the incident. The company offered affected individuals complimentary credit monitoring and identity theft protection services for 12 months.

Navia stated that it has secured its systems by implementing additional security measures and providing additional HIPAA training to its employees. Navia did not say whether the incident involved ransomware or whether a ransom demand was received, and no ransomware group has claimed responsibility.

Affected Clients and Records

The Department of Health and Human Services was notified and a media notice was issued in compliance with the HIPAA Breach Notification Rule. The incident is reportable under HIPAA, but at the time of the company’s disclosure it had not yet appeared on the HHS Office for Civil Rights breach portal.

Washington State Health Care Authority confirmed that records going back seven years were compromised for approximately 27,000 current and former Public Employees Benefits Board members, 5,600 current and former School Employees Benefits Board members, and 3,000 current and former Compacts of Free Association islander members. Thirty‑seven school districts that contracted with Navia prior to January 2020 also received notification about the potential compromise of their data.

HHS Office For Civil Rights Settlement With MMG Fusion LLC Over HIPAA Violations

The U.S. Department of Health and Human Services Office for Civil Rights announced a settlement with MMG Fusion, LLC resolving an investigation into potential violations of the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule following a breach affecting approximately 15 million individuals.

Investigation Timeline and Breach Activity

MMG Fusion, LLC is a Maryland software company that operates as a HIPAA business associate: it receives protected health information (PHI) from HIPAA-covered healthcare providers and supplies the software those providers use to communicate with their patients. The Office for Civil Rights opened its investigation in March 2023 after receiving a complaint on January 6, 2023, about an unreported security incident at MMG Fusion. The complaint concerned an alleged data breach that had been reported neither to the Office for Civil Rights nor to the affected covered entities.

The investigation determined that an unauthorized actor infiltrated MMG Fusion’s information system in December 2020 and gained access to PHI. The accessed information included names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. The unauthorized actor also exfiltrated the data from MMG Fusion’s network and posted the information on the dark web.

Regulatory Findings

The Office for Civil Rights determined that the incident resulted in an impermissible disclosure of PHI affecting approximately 15 million individuals. The investigation also determined that MMG Fusion had not conducted an accurate and thorough risk analysis to identify risks and vulnerabilities to electronic protected health information prior to the breach. The investigation further determined that MMG Fusion failed to notify affected covered entity clients about the breach as required under the HIPAA Breach Notification Rule.

Settlement Terms and Financial Resolution

The Office for Civil Rights resolved the investigation through a settlement agreement with MMG Fusion rather than pursuing a civil monetary penalty through enforcement proceedings. Under the settlement terms, MMG Fusion agreed to pay $10,000 to the Office for Civil Rights. The Office for Civil Rights considered the financial condition of MMG Fusion when determining the settlement amount. The settlement also requires MMG Fusion to comply with a corrective action plan that will be monitored by the Office for Civil Rights for three years.

Corrective Action Plan Requirements

The corrective action plan requires MMG Fusion to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities affecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).

MMG Fusion must develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis.

The company must develop, maintain, and revise written policies and procedures to ensure compliance with the HIPAA Privacy Rule and HIPAA Security Rule.

MMG Fusion must ensure that workforce members receive training regarding policies and procedures related to the HIPAA Privacy Rule and HIPAA Security Rule.

The company must also perform a breach risk assessment related to the December 2020 cyberattack and notify affected covered entities about the breach incident to the extent possible.

Additional corrective action plan requirements include providing the Office for Civil Rights with training materials used for workforce training and providing a comprehensive list of affected covered entity clients.

MMG Fusion must also provide covered entity clients with the identities of individuals whose ePHI is reasonably believed to have been impacted to the extent possible.

Healthcare Interactive Reports Data Breach Affecting More Than 3 Million Individuals

Healthcare Interactive reported a security incident involving the compromise of the personal data and protected health information (PHI) of 3,056,950 individuals.

Healthcare Interactive, also known as HCIactive, submitted a data breach report to the HHS’ Office for Civil Rights on September 22, 2025, using a placeholder figure of 501 affected individuals, because the analysis of the breached data was still in progress and the scope of the breach was not yet known. The Maine Attorney General was notified in September that 87,565 individuals were affected; the confirmed number is now far larger.

On January 7, 2026, the Oregon Attorney General was notified that the personal data and protected health information (PHI) of 3,056,950 individuals had been compromised. The breach is one of the largest healthcare data breaches reported, ranking fifth for 2025.

Unauthorized Access And Types of Data Compromised

Healthcare Interactive, based in Ellicott City, MD, provides AI-powered software for insurance enrollment and benefits management. On or about July 22, 2025, HCIactive detected suspicious activity on its computer systems. According to its substitute breach notice, an unauthorized third party accessed its systems between July 8, 2025 and July 12, 2025, and extracted files. The breach notice sent to the Oregon Attorney General, however, indicates a much longer window of unauthorized access, from June 17, 2025 to July 22, 2025.

The information involved varies by individual and may have included names, addresses, phone numbers, email addresses, dates of birth, medical insurance policy identifiers, member and group identifiers, explanations of benefits, billing codes, medical diagnoses, treatment details, prescriptions, laboratory test results, medical images, names of physicians, and other healthcare information. The threat actor responsible for the attack has not been identified.

Regulatory And Response Actions

Healthcare Interactive found no evidence that the stolen data has been misused, but as a precaution it has provided affected individuals with free credit monitoring and identity theft protection services. The company said it reviewed its security policies and has implemented additional measures to prevent similar incidents.

In a press release on December 19, 2025, Healthcare Interactive announced an expansion of its leadership team and operational framework in support of its “AI First and AI Everywhere” mission. The initiative adds leadership responsibility for AI security and data privacy, zero trust enforcement, AI-driven anomaly detection, advanced encryption, and compliance-driven security reviews, along with expanded leadership for ERISA, SOC 2, HIPAA, and ISO 27001 management and compliance.

Murfreesboro Medical Clinic Resolves Data Breach Lawsuit Involving Over 559K Individuals

Murfreesboro Medical Clinic & SurgiCenter, based in Tennessee, has agreed to settle class action litigation arising from a major data breach in April 2023 that involved unauthorized access to the protected health information (PHI) of approximately 559,000 patients.

On or around April 22, 2023, Murfreesboro Medical Clinic discovered that a cyber extortion group had gained access to its network and stolen patient and employee information. The data involved included names, home addresses, dates of birth, phone numbers, full or partial Social Security numbers, driver’s license numbers, dependent details, dates of service, medical and diagnostic data relating to those dates of service, medical record numbers, lab test results, procedure records, prescription details, and health insurance and enrollment information. Affected individuals were notified in May 2023. The BianLian ransomware group claimed responsibility for the attack.

Murfreesboro Medical Clinic & SurgiCenter faced six class action lawsuits over the data breach. Because they raised the same claims, the lawsuits were consolidated on September 7, 2023 into a single action, Krenk et al. v. Murfreesboro Medical Clinic and SurgiCenter and Murfreesboro Medical Clinic, in the 16th Judicial Circuit Court of Rutherford County, Tennessee. The consolidated complaint alleged that the cyberattack resulted from the defendants’ negligence and failure to comply with their statutory and common law duties. The defendants deny all allegations of liability and wrongdoing.

Given the likely costs, delay, and risks of continued litigation, the parties agreed to settle, and the court has granted preliminary approval of the settlement. The settlement will cover attorneys’ fees and expenses (approximately $350,000), compensation for class members’ losses and lost time, service awards for the class representatives ($3,000 each, $24,000 in total), and credit monitoring and identity theft protection services.

Class members may file a claim for up to $500 for documented, unreimbursed out-of-pocket expenses resulting from the data breach, including up to two hours of lost time at $25 per hour. Lost-time claims are subject to an aggregate cap of $200,000 and will be paid pro rata if that total is exceeded. Class members may also enroll in two years of credit monitoring and identity theft protection services, which include $1,000,000 of identity theft insurance coverage.

Murfreesboro Medical Clinic & SurgiCenter has also agreed to improve its business practices and security, at a cost that will not be paid from the settlement fund. The commitments include maintaining a data security program for at least three years, providing HIPAA training to employees on data security and handling suspicious emails, using appropriate firewall and data segmentation controls, ensuring that records-deletion protocols are followed, and maintaining a policy for responding to data security incidents.

The final fairness hearing is scheduled for January 16, 2026. Claims must be submitted by April 14, 2026.

Settlement of Tracking Technology Lawsuit Against Main Line Fertility Center

Main Line Fertility Center, based in Pennsylvania, will pay cash to individuals whose sensitive data was potentially disclosed to third parties without permission through website tracking technologies. Main Line Fertility Center used third-party tracking and analytics code on its website, including Meta Pixel. Although these tools provide website owners with useful information, their use on healthcare websites is discouraged because they can transmit sensitive data to the developers of those tools. Depending on how the tools are configured, the data sent to the third party can include the full URL of each page visited, which on a fertility clinic’s site may by itself reveal the service a patient sought, along with a persistent browser identifier that ties it to a person; in that way protected health information (PHI) and personally identifiable information (PII) can be transferred to those third parties.
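To make the mechanism concrete, the following added example (not code from the page, and not Main Line Fertility Center’s site or Meta’s pixel) models what a generic third-party tracking snippet collects on a page view and form submit and what a data-minimised alternative would send instead. The page URL, field names, browser identifier and collector endpoint are constructed for illustration and are assumptions, not captured traffic; the audit check simply flags payload fields whose path, query keys or form fields look like patient data.

```python
"""Added example, not from the page or from any tracking vendor.

Models what a third-party tracking snippet typically forwards on a page view
or form submit: the full page URL (path and query string), the referrer, the
page title, any form fields it was configured to read, and a persistent
browser identifier. The page contents, field names and collector URL below
are constructed for illustration and are assumptions.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

COLLECTOR = "https://tracker.example/collect"  # hypothetical vendor endpoint

# Constructed page view on a hypothetical patient-facing site. The path and
# query alone reveal which service the visitor sought and who they are.
PAGE_VIEW = {
    "url": "https://clinic.example/patients/fertility/ivf-consultation"
           "?patient_id=48213&dob=1988-04-02",
    "referrer": "https://clinic.example/patients/portal/appointments",
    "title": "IVF consultation - request an appointment",
    "browser_id": "fb.1.1700000000000.123456789",  # first-party tracking cookie
    "form": {"email": "alice@example.net", "reason": "IVF consultation"},
}

SENSITIVE_KEYS = {"patient_id", "dob", "email", "reason", "mrn", "ssn"}
SENSITIVE_PATH_HINTS = ("patients/", "appointments", "fertility", "diagnos", "treatment")


def pixel_payload(page: dict) -> dict:
    """What a snippet with default settings sends: location, referrer, title, forms."""
    payload = {
        "id": page["browser_id"],
        "dl": page["url"],       # document location, query string included
        "rl": page["referrer"],
        "dt": page["title"],
    }
    # Many snippets also serialise fields from forms they are told to watch.
    for name, value in page.get("form", {}).items():
        payload[f"cd[{name}]"] = value
    return payload


def collector_request(payload: dict) -> str:
    """The GET request the browser would issue to the vendor."""
    return f"{COLLECTOR}?{urlencode(payload)}"


def phi_exposed(payload: dict) -> list:
    """Names the payload fields that carry identifying or health-related data."""
    findings = []
    url = urlsplit(payload.get("dl", ""))
    if any(hint in url.path.lower() for hint in SENSITIVE_PATH_HINTS):
        findings.append("dl:path")
    for key, _ in parse_qsl(url.query):
        if key in SENSITIVE_KEYS:
            findings.append(f"dl:query:{key}")
    ref = urlsplit(payload.get("rl", ""))
    if any(hint in ref.path.lower() for hint in SENSITIVE_PATH_HINTS):
        findings.append("rl:path")
    for key in payload:
        if key.startswith("cd[") and key[3:-1] in SENSITIVE_KEYS:
            findings.append(key)
    return findings


def minimised_payload(page: dict) -> dict:
    """Data-minimised alternative: site origin only, no path, no query, no
    referrer, no form fields and no persistent identifier. Anything finer than
    this on a healthcare site needs a business associate agreement or patient
    authorisation."""
    url = urlsplit(page["url"])
    return {"dl": urlunsplit((url.scheme, url.netloc, "/", "", "")), "dt": "page view"}


if __name__ == "__main__":
    sent = pixel_payload(PAGE_VIEW)
    print(collector_request(sent))
    print("exposed fields:", phi_exposed(sent))
    print("minimised:", phi_exposed(minimised_payload(PAGE_VIEW)))
```

Run against the constructed page view, `phi_exposed` flags the page path, both query parameters, the referrer path and both form fields, while the minimised payload yields no findings. The same check can be pointed at real collector requests captured from a browser’s network log to audit an existing deployment.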

Main Line Fertility Center was alleged to have used these tracking tools without informing patients, resulting in the transfer of individually identifiable information to third parties such as Meta. The lawsuit, Jane Doe v. Main Line Fertility, Ltd., filed by an anonymous plaintiff in the Court of Common Pleas of Philadelphia County, Pennsylvania, claimed that using these tools without patients’ knowledge or consent amounted to negligence and a violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law. The lawsuit also asserted claims of unjust enrichment, invasion of privacy, and breach of implied contract.

On September 19, 2024, Main Line Fertility Center denied any wrongdoing and filed preliminary objections to the complaint. The court overruled the objections and ordered Main Line Fertility Center to answer the complaint, which it did on February 6, 2024. Following extensive discovery and settlement discussions, Main Line Fertility Center agreed to private mediation, where the material terms of a settlement were agreed. The court has granted preliminary approval of the finalized settlement terms.

Under the settlement, class members will receive a cash payment and a membership to Privacy Shield Pro. Class members who submit a valid and timely claim will receive a one-time $35 cash payment and a code to register for the Privacy Shield Pro product. Main Line Fertility Center will also pay attorneys’ fees and costs, service awards for the class representatives, and settlement administration costs.

The deadline to opt out of or object to the settlement is December 1, 2025. Claims may be filed until December 29, 2025. The final fairness hearing is scheduled for January 6, 2026.

Yale New Haven Health Settles Data Breach Lawsuit for $18 Million

A federal judge has granted preliminary approval to Yale New Haven Health’s proposed $18 million settlement of claims arising from its 2025 data breach. Yale New Haven Health is a non-profit health system that operates five acute care hospitals, a medical foundation, and outpatient services in Connecticut, Rhode Island, and New York, and is affiliated with the Yale School of Medicine. The health system has more than 12,000 employees, including 4,500 university and community physicians.

Yale New Haven Health, based in Connecticut, detected suspicious activity on its systems on March 8, 2025, and posted a notice on its website three days later. On April 11, 2025, it reported the breach to the HHS’ Office for Civil Rights as affecting the protected health information (PHI) of 5,556,702 individuals. Yale New Haven Health later stated that hackers gained access to its systems on March 8, 2025, and exfiltrated files containing patient data.

Although the hackers did not access its electronic medical record system, the stolen files contained patient data such as names, telephone numbers, addresses, email addresses, dates of birth, race/ethnicity details, medical record numbers, patient types, and Social Security numbers. With more than 5.5 million affected individuals, this was the largest healthcare data breach of 2025.

Yale New Haven Health announced the cyberattack promptly, reported the breach to OCR within the required time frame, issued breach notification letters promptly, and moved quickly to resolve the litigation that followed. Data breach lawsuits can take months or years to settle, but in this case the court granted preliminary approval to a settlement only seven months after the first lawsuit was filed in March 2025. That lawsuit was followed by 17 further complaints, which were consolidated in June 2025 into a single action, In Re: Yale New Haven Health Services Corp. Data Breach, in the U.S. District Court for the District of Connecticut.

The consolidated complaint alleged that Yale New Haven Health failed to implement reasonable and appropriate cybersecurity measures to protect the data stored on its systems, and that the breach could have been avoided had adequate safeguards been in place. The complaint asserted claims of breach of implied contract, negligence, negligence per se, unjust enrichment, declaratory judgment, and breach of fiduciary duty.

In July, Yale New Haven Health denied all claims and filed a motion to dismiss. The plaintiffs filed their opposition in August, and in late August the parties entered mediation and agreed on settlement terms. The finalized terms have been submitted to and preliminarily approved by the court. They require Yale New Haven Health to establish an $18,000,000 settlement fund, from which attorneys’ fees and costs, service awards for the lead plaintiffs, and settlement administration costs will be paid; the remainder will fund class member benefits. Class counsel are seeking 33% of the fund, and each lead plaintiff is expected to receive a $2,500 service award.

Class members may submit a claim for reimbursement of documented, unreimbursed losses resulting from the data breach, up to $5,000. Alternatively, they may claim a cash payment of roughly $100 per class member, which may be adjusted pro rata according to the number of valid claims submitted. Class members may also receive a free two-year membership to a medical data monitoring service. Yale New Haven Health has also agreed to implement security improvements. The final approval hearing is scheduled for March 3, 2026.

Lower Cyber Insurance Claims But Higher Ransomware Losses

The Resilience Mid-Year Risk Report finds that attacks are decreasing year-over-year, but that successful attacks are becoming more costly. Resilience, a cyber risk management firm, reported a 53% decrease in cyber insurance claims in the first half of 2025, suggesting that companies are getting better at preventing attacks. When ransomware attacks do succeed, however, they cause greater financial damage, with losses up 17% year-over-year. Ransomware accounted for only 9.6% of claims in the first half of 2025 but was responsible for 91% of incurred losses.

The average loss from a successful ransomware attack is about $1.18 million. Resilience’s healthcare clients sustained $1.3 million in losses in 2024. In H1 2025, several healthcare companies received extortion demands of up to $4 million. Although it is too early to say what 2025 claims will total, Resilience noted signs that the average incurred loss from a healthcare ransomware attack may reach $2 million, up from $1.6 million in 2023 and $705,000 in 2024.

Interlock has been one of the most active ransomware groups in 2025 and has attacked healthcare providers. In a troubling development, Interlock has been observed stealing victims’ cyber insurance policies and using them to demand higher ransoms. In two attacks, the threat actor used the victim’s policy as leverage in negotiations, and in one of them demanded a ransom just below the policy’s payout limit.

Resilience reports that cyberattacks are growing more sophisticated and that AI is being used in phishing and social engineering campaigns, which were linked to 88% of incurred losses in H1 2025. AI-assisted phishing is harder to identify and block: conventional phishing and social engineering attempts succeed 12% of the time, compared with 54% when attackers use AI. Resilience also reports that 1.8 billion records were compromised in H1 2025, mainly through social engineering and phishing, together with accidental disclosures of sensitive information caused by misconfigured tracking technologies.

Being HIPAA Compliant Might Not Adequately Minimize Risk

Resilience described one case of a healthcare organization that had invested heavily in cybersecurity yet still suffered an attack. The investigation found that, although sensible security decisions had been made, financial constraints had forced trade-offs, and those trade-offs created the weaknesses that were eventually exploited. Despite the spending, the organization’s risk analysis was out of date, and although it had tested the effectiveness of its endpoint protection at deployment, it did not test it regularly afterwards.

Vendor risk management consisted mostly of reviewing security policy documents rather than active monitoring, which was in place for only some vendors. Incident response and disaster recovery exercises regularly failed to meet the organization’s recovery objectives, but the problem went unaddressed because of limited resources and competing priorities. The backup process also had gaps: medical images had been overlooked in the backups, so the threat actor was able to encrypt them, which gave the attacker substantial leverage in ransom negotiations. The organization found that its assumed security posture bore little resemblance to its actual protective capabilities.

Cybersecurity Recommendations for Healthcare Organizations

Resilience observed that such security gaps tend to result from an emphasis on HIPAA compliance. The problem is that HIPAA sets only baseline security requirements, and the HIPAA Security Rule is more than 20 years old. A compliance focus may help avoid regulatory fines, but it does not necessarily reduce risk or protect adequately against modern threats.

Based on its assessment of the current threat landscape, Resilience proposes the following priorities for healthcare organizations to strengthen their security posture and limit the damage from a successful cyberattack.

  1. Adopt a comprehensive backup strategy that explicitly covers imaging files, directories, and system configuration
  2. Test regularly that restores work and that recovery timeframes are met, under realistic attack scenarios
  3. Treat your cyber insurance policy as sensitive information and protect it accordingly
  4. Train employees on proper data handling procedures, phishing, and social engineering attacks
  5. Monitor vendors’ security postures continuously
  6. Adopt a framework that expresses cyber risk in financial terms, so leadership can make investment decisions based on actual risk reduction rather than compliance
  7. Maintain and routinely test your incident response plan, including patient safety considerations and regulatory notification requirements
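The backup gap in the case above, and the first two recommendations, come down to a question that is rarely asked in writing: is there a backup job that actually includes every location where critical data lives, and has its restore been rehearsed recently? The following added example (not from the page or the Resilience report) answers that question by comparing a constructed inventory of data locations against constructed backup job definitions in the include/exclude shape most backup products export. The paths, criticality tags, job names and restore-test ages are assumptions; in practice the inventory would come from asset management and the rules from the backup product’s job export.

```python
"""Added example, not from the page or the Resilience report.

Compares an inventory of data locations (what the organisation holds, tagged
by criticality) against backup job include/exclude rules and reports every
location that no job protects, plus jobs whose restore has not been rehearsed
recently. All paths, tags and job definitions are constructed for illustration.
"""
from fnmatch import fnmatch
from pathlib import PurePosixPath

# Constructed inventory: where data lives and how bad losing it would be.
INVENTORY = {
    "/srv/ehr/postgres":       "critical",   # EHR database
    "/srv/ehr/config":         "high",       # application settings
    "/srv/pacs/dicom/2024":    "critical",   # medical images, current years
    "/srv/pacs/dicom/2025":    "critical",
    "/srv/pacs/dicom/archive": "high",
    "/srv/fileshare/finance":  "high",
    "/srv/fileshare/scratch":  "low",
    "/etc":                    "high",       # system configuration
}

# Constructed backup jobs: include globs, exclude globs, and how many days ago
# a restore from this job was last rehearsed. Note that no job covers the
# imaging store (/srv/pacs) or system configuration (/etc).
JOBS = [
    {"name": "nightly-db", "include": ["/srv/ehr/*"], "exclude": [],
     "last_restore_test_days": 20},
    {"name": "weekly-shares", "include": ["/srv/fileshare/*"],
     "exclude": ["/srv/fileshare/scratch"], "last_restore_test_days": 400},
]
RESTORE_TEST_MAX_DAYS = 90


def _covered_by(path: str, job: dict) -> bool:
    """True when the path or one of its parents matches an include pattern and
    neither the path nor any parent matches an exclude pattern."""
    p = PurePosixPath(path)
    candidates = [str(p)] + [str(parent) for parent in p.parents]
    if any(fnmatch(c, pat) for c in candidates for pat in job["exclude"]):
        return False
    return any(fnmatch(c, pat) for c in candidates for pat in job["include"])


def coverage_report(inventory=INVENTORY, jobs=JOBS) -> dict:
    """{path: [job names]} for every inventory entry; an empty list means unprotected."""
    return {path: [j["name"] for j in jobs if _covered_by(path, j)] for path in inventory}


def unprotected(inventory=INVENTORY, jobs=JOBS, criticality=("critical", "high")) -> list:
    """Sorted list of (criticality, path) with no backup job, worst first."""
    report = coverage_report(inventory, jobs)
    order = {"critical": 0, "high": 1, "low": 2}
    gaps = [(inventory[p], p) for p, js in report.items()
            if not js and inventory[p] in criticality]
    return sorted(gaps, key=lambda g: (order[g[0]], g[1]))


def stale_restore_tests(jobs=JOBS, max_days=RESTORE_TEST_MAX_DAYS) -> list:
    """Jobs whose restore has not been rehearsed within max_days (recommendation 2)."""
    return [j["name"] for j in jobs if j["last_restore_test_days"] > max_days]


if __name__ == "__main__":
    for crit, path in unprotected():
        print(f"UNPROTECTED [{crit}] {path}")
    for name in stale_restore_tests():
        print(f"STALE RESTORE TEST {name}")
```

On the constructed data the check reports the two current-year DICOM directories as critical and unprotected, the archive and /etc as high and unprotected, and flags the file-share job because its last restore test is more than a year old; the low-criticality scratch share is excluded by design and is not reported. Running a check like this after every change to a backup job, and reviewing its output alongside restore-time measurements from real rehearsals, is what turns “we have backups” into a verifiable statement.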

HHS Investigates Healthcare Entities Engaging in Information Blocking Practices

The Department of Health and Human Services (HHS) has launched an initiative targeting healthcare organizations that engage in information blocking. HHS Secretary Robert F. Kennedy Jr. directed HHS to devote more resources to enforcing the health data information blocking provisions of the 21st Century Cures Act. The Cures Act of 2016 provided for penalties, termed disincentives in the case of healthcare providers, for entities that engage in information blocking, defined as “any practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information.”

Developers of certified health IT, Health Information Networks (HINs), and Health Information Exchanges (HIEs) found to have engaged in information blocking are subject to civil monetary penalties of up to $1 million per violation; HHS-OIG’s authority to enforce these penalties took effect on September 1, 2023. HHS can also terminate the certification of the developer’s products under the ONC Health IT Certification Program and bar the developer from the Certification Program.

In 2023, HHS proposed a rule imposing a range of disincentives on healthcare entities found by the HHS Office of Inspector General (HHS-OIG) to have engaged in information blocking. The disincentives took effect on July 31, 2024, except for the penalties on ACO participants, which took effect on January 1, 2025.

The disincentives are:

  • Hospitals or critical access hospitals (CAHs) will not be considered meaningful electronic health record (EHR) users for the relevant EHR reporting period, which results in the loss of 75% of the annual market basket increase and, for CAHs, a reduction in Medicare payments to 100% of reasonable costs instead of 101%. The amount of the disincentive depends on the hospital’s Medicare payments; HHS previously estimated a median disincentive of $394,353.
  • Eligible clinicians who engage in information blocking will not be considered meaningful users of certified EHR technology for the relevant period, resulting in a zero score under Medicare’s Merit-based Incentive Payment System (MIPS).
  • Providers or vendors that participate in an Accountable Care Organization (ACO) will be ineligible for the Medicare Shared Savings Program for at least one year.

In a September 3, 2025 press release, HHS said it will take serious action against information blocking, which limits patient care by obstructing access to, exchange of, and use of ePHI. HHS stated that information blocking was not a priority of the Biden administration but is a priority of President Trump and Secretary Kennedy.

Patients have a right under the law to unblocked access to their protected health information. Providers and certain health IT entities have a legal duty to ensure that information is accessible where and when it is needed. HHS-OIG will use all of its authorities to investigate and penalize violators, honoring its commitment to enforce the law and protect patients’ access to their health data.

Giving individuals control over their health data is a central element of Secretary Kennedy’s Make America Healthy Again promise. Individuals should have quick access to their electronic health information, whether at no cost from their healthcare providers or through the health applications they choose. Access to health data lets patients track chronic conditions, follow treatment plans, monitor progress in wellness and disease management programs, and find errors in their health records.

Dr. Tom Keane, Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology, stated that his office has begun reviewing information blocking reports concerning developers of health IT certified under the ONC Health IT Certification Program. HHS urges patients who have encountered or observed information blocking to file a report through the ASTP/ONC Report Information Blocking Portal.

HCA Healthcare Settles Class Action Lawsuits for Approximately $9 Million

HCA Healthcare Inc. has agreed to settle a class action lawsuit arising from a July 2023 data breach that was reported to OCR as affecting 11,270,000 individuals. The affected patients received care at HCA hospitals and physician clinics in 20 U.S. states.

Hackers stole a database from HCA Healthcare after gaining access to an external storage location used to automate email formatting. The stolen database contained 27.7 million files, including names, contact details, dates of birth, and appointment information. When no ransom was paid, the hackers listed the database for sale.

HCA Healthcare, a HIPAA-covered entity, reported the breach to OCR on or about July 10, 2024. Within days, the first class action lawsuit was filed against it. In total, HCA Healthcare faces 27 putative class action lawsuits over the breach, alleging negligence for insufficient cybersecurity measures and failure to properly secure patient data. The consolidated case, In re HCA Healthcare, Inc. Data Security Litigation, is pending in the U.S. District Court for the Middle District of Tennessee.

HCA Healthcare denies all claims and contentions but agreed to settle the litigation without admitting liability or wrongdoing. The total settlement amount has not been announced, but the plaintiffs’ attorneys may claim approximately $3.1 million in fees. Attorneys typically receive a third of the settlement amount, which implies a settlement fund of over $9 million. Fifteen class representatives will each receive a service award of around $5,000.

Class members’ claims will be paid from the settlement fund after attorneys’ fees, legal costs, settlement administration fees, and service awards are deducted. Class members can receive one year of fraud consultation, identity theft restoration, and credit monitoring services, including a $1 million identity theft insurance policy. Each class member may also claim reimbursement of up to $5,000 for documented, unreimbursed expenses reasonably related to the breach. HCA Healthcare also stated that it will adopt, implement, and maintain security requirements for two years to prevent similar incidents.

The deadline to object to or opt out of the settlement is August 25, 2025. Claims must be filed by September 25, 2025. The final fairness hearing is scheduled for October 27, 2025.

Unauthorized Account Creation for 103,000 Medicare Beneficiaries Investigated

Around 103,000 Medicare beneficiaries have been notified that some of their personal data and/or PHI was compromised in a data incident. The HHS Centers for Medicare and Medicaid Services (CMS) recently learned that Medicare.gov accounts had been created in individuals’ names without their knowledge. CMS investigated and confirmed that an unidentified threat actor used personal data obtained from unknown sources to create the fraudulent Medicare.gov accounts.

CMS said its Medicare call center began receiving calls on May 2, 2025, from beneficiaries who had received confirmation letters about accounts created in their names that they had not created themselves.

CMS’ investigation showed that malicious actors had created fraudulent Medicare.gov accounts for roughly 103,000 beneficiaries using legitimate beneficiary data, including date of birth, Medicare beneficiary identifier (MBI), coverage start date, and zip code. The fraudulent accounts were created between 2023 and 2025. The data used to create them was most likely obtained from a third-party data breach.

Once an account was created, the threat actor could obtain further information, such as mailing address, provider details, diagnosis codes, dates of service, services received, and premium plan information. CMS’ investigation has found no evidence of data misuse so far. As a precaution, however, CMS issued the affected beneficiaries new MBIs, deleted the fraudulent accounts, and mailed new Medicare cards bearing the new MBIs.

CMS took additional protective steps in response to the incident, including blocking the creation of Medicare.gov accounts from foreign IP addresses, and will closely monitor the claims data of affected individuals. Affected beneficiaries are urged to review their Explanation of Benefits statements and Medicare Summary Notices and report any unfamiliar charges or services.

BayCare Health Pays $800,000 HIPAA Penalty for Malicious Insider Incident

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a financial penalty for BayCare Health System. The Florida healthcare system agreed to pay $800,000 to resolve alleged HIPAA violations and to adopt a corrective action plan, and OCR will monitor BayCare Health’s compliance for two years. OCR typically investigates reported breaches involving 500 or more individuals to evaluate HIPAA compliance. In this case, OCR opened its investigation in October 2018 after receiving a complaint from a patient about unauthorized access to her printed and electronic health records (EHR) during a visit to BayCare Health’s St. Joseph Hospital in Tampa, Florida. After her treatment, an unknown person contacted her and showed her photographs of her medical records; she also saw a video of someone scrolling through her EHR on a computer screen.

OCR’s investigation confirmed that a malicious insider had accessed her protected health information (PHI). Viewing patient records in the electronic medical record system requires credentials. OCR traced the unauthorized access to a non-clinical former staff member of a physician practice who had been given access to the EHR system for continuing patient care.

OCR determined that BayCare Health failed to implement HIPAA Privacy Rule policies and procedures for granting access to electronic protected health information (ePHI), including restricting ePHI access to the minimum necessary. BayCare Health also failed to manage risk properly by not implementing sufficient security measures to reduce risks and vulnerabilities to an acceptable level, and failed to implement policies and procedures for regularly reviewing activity logs in its information systems.

After notifying BayCare Health of its findings, OCR allowed the covered entity to resolve the alleged HIPAA violations informally. BayCare Health agreed to a settlement without admitting wrongdoing or liability. In addition to the financial penalty, the covered entity must follow a corrective action plan that requires a complete and accurate risk analysis, a risk management plan to reduce risks and vulnerabilities to ePHI to an acceptable level, and ongoing HIPAA compliance. The workforce must be informed of new HIPAA policies and procedures and receive HIPAA training.

With hacking incidents and ransomware attacks on the rise, HIPAA-covered entities must ensure that employees and any other party with access to electronic medical records can reach only the health data they need to do their jobs. Unrestricted access to ePHI invites abuse by malicious insiders and can lead to the compromise of PHI.
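The two BayCare findings above, no routine review of activity logs and no minimum-necessary restriction on ePHI access, are exactly what a simple audit-log review catches. The following is an added example, not code from OCR or BayCare: it runs a few constructed EHR audit-log lines through three checks (access by an account that should have been removed, a non-clinical role opening clinical record types, and access to a patient with whom the user has no care relationship) plus a burst check for one user opening many different charts in a short window. The log format, roles, care-team table and thresholds are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR audit log (not any real product's format).
# Fields: timestamp, user, role, patient_id, action, record_type
SAMPLE_LOG = """\
2024-03-04T09:01:10,jsmith,nurse,P1001,view,clinical_note
2024-03-04T09:02:40,jsmith,nurse,P1002,view,medication_list
2024-03-04T09:05:00,bjones,billing,P1001,view,claim
2024-03-04T09:06:12,bjones,billing,P1001,view,clinical_note
2024-03-04T09:07:55,xdoe,office_staff,P1003,view,clinical_note
2024-03-04T09:08:01,xdoe,office_staff,P1004,view,clinical_note
2024-03-04T09:08:07,xdoe,office_staff,P1005,view,clinical_note
2024-03-04T09:08:15,xdoe,office_staff,P1006,view,clinical_note
2024-03-04T09:08:20,xdoe,office_staff,P1007,view,clinical_note
2024-03-04T21:30:00,rgreen,nurse,P1001,view,clinical_note
"""

# Constructed care-team table: which users have a treatment relationship with
# which patients. In a real deployment this comes from scheduling/ADT data.
CARE_TEAM = {
    "P1001": {"jsmith", "bjones"},
    "P1002": {"jsmith"},
    **{f"P100{i}": {"jsmith"} for i in range(3, 8)},
}

# Minimum necessary: these roles have no business opening clinical record types.
NON_CLINICAL_ROLES = {"billing", "office_staff"}
CLINICAL_RECORD_TYPES = {"clinical_note", "medication_list", "lab_result"}

# Accounts whose access should already have been removed (departed workforce).
TERMINATED_USERS = {"xdoe"}

BURST_WINDOW = timedelta(minutes=2)
BURST_PATIENTS = 4  # distinct charts opened within the window


def parse_log(text):
    """Turn the CSV-style lines into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action, rtype = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "patient": patient, "action": action, "rtype": rtype})
    return events


def find_alerts(events):
    """Return a list of (alert_kind, user, detail) tuples."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, patient)] inside the burst window
    burst_reported = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        user, patient = e["user"], e["patient"]
        if user in TERMINATED_USERS:
            alerts.append(("terminated_account", user, patient))
        if e["role"] in NON_CLINICAL_ROLES and e["rtype"] in CLINICAL_RECORD_TYPES:
            alerts.append(("role_minimum_necessary", user, patient))
        if user not in CARE_TEAM.get(patient, set()):
            alerts.append(("no_care_relationship", user, patient))
        # Sliding window of this user's recent chart opens.
        window = [(t, p) for t, p in recent[user] if e["ts"] - t <= BURST_WINDOW]
        window.append((e["ts"], patient))
        recent[user] = window
        distinct = {p for _, p in window}
        if len(distinct) >= BURST_PATIENTS and user not in burst_reported:
            burst_reported.add(user)
            alerts.append(("burst_access", user,
                           f"{len(distinct)} patients in {BURST_WINDOW.seconds}s"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, the view a reviewer would look at first."""
    return Counter(kind for kind, _, _ in alerts)


if __name__ == "__main__":
    found = find_alerts(parse_log(SAMPLE_LOG))
    for kind, user, detail in found:
        print(f"{kind:24} {user:8} {detail}")
    print(dict(summarize(found)))
```

The care-relationship check is the one that needs the most plumbing in practice (an accurate feed of who is treating whom), but it is also the check that would have surfaced the BayCare access, since the former staff member had no current relationship with the patient. The terminated-account check only works if HR termination events reach the reviewer promptly, which is what the proposed Security Rule's 24-hour access-change notification is meant to ensure.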

4.7 Million Individuals Affected by Blue Shield of California Impermissible Disclosure of PHI

On April 9, 2025, Blue Shield of California announced a privacy breach involving website tracking technology that shared user information with Google Ads. The health plan reported the breach to the HHS’ Office for Civil Rights (OCR) as affecting around 4.7 million people. It is the second-largest healthcare data breach reported in 2024, behind Yale New Haven Health System’s 5.5 million-record breach.

Blue Shield of California explained that, like other health plans, it had installed Google Analytics to monitor visitor activity on some of its web pages. Google Analytics is widely used by website owners to learn about their traffic; it records, for example, how visitors arrived at the site and which pages they viewed, and that data can be used to improve the site and the user experience.

On February 11, 2025, Blue Shield of California discovered that Google Analytics had been configured in a way that shared member data with Google Ads for nearly three years. From April 2021 to January 2024, this misconfiguration resulted in the collection of members’ protected health information (PHI), which Google Ads then used to personalize the advertisements members saw online.

The information exposed and used to serve personalized ads varied from person to person, depending on how they used Blue Shield’s web pages. It likely included patient names, insurance plan name, type, and group number, gender, city, zip code, family size, Blue Shield-assigned identifiers for members’ online accounts, medical claim service dates and providers, and patient financial responsibility. If visitors used the “Find a Doctor” function, their search criteria and the results, such as location, plan name and type, and provider name and type, could also have been exposed.

Blue Shield of California stressed that threat actors did not access user data and that the information collected from website visitors would only have been used to serve targeted ads. The connection between Google Ads and Google Analytics was severed in January 2024, and Blue Shield of California has found no indication that any further data was disclosed to Google Ads after that date. Once the issue was discovered, Blue Shield of California began a full review of its websites and security practices to ensure that third-party tracking code does not share users’ information. Because using PHI for marketing without authorization is not permitted under HIPAA, the incident is a reportable data breach.
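The review Blue Shield describes, checking what third-party tracking code actually sends, comes down to one question per page view: which parts of the URL and page state reach the tracker? The page does not say which analytics setting was wrong, so the added example below does not try to reproduce it. Instead it shows the defensive pattern a practitioner would apply regardless of vendor: an allow-list of query parameters that may be reported, collapsing of sensitive site sections (such as a provider search) to their prefix, and pattern checks so that an allow-listed parameter carrying an identifier is still dropped. It is written as a Python review script, not Blue Shield's or Google's code; the parameter names, path prefixes, hostname and the member-ID pattern are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters a tracking tag may report. Anything not listed is dropped
# before the hit is sent. (Constructed allow-list.)
ALLOWED_PARAMS = {"lang", "utm_source", "utm_medium", "utm_campaign"}

# Site sections whose full path can itself reveal plan, provider or claim
# details; only the section prefix is reported. (Constructed for the example.)
SENSITIVE_PATH_PREFIXES = ("/member/", "/claims/", "/find-a-doctor")

# Constructed value patterns. The member-ID shape is hypothetical.
VALUE_PATTERNS = {
    "member_id": re.compile(r"^[A-Z]{3}\d{9}$"),
    "zip": re.compile(r"^\d{5}(-\d{4})?$"),
    "date": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}


def classify_value(value):
    """Name the identifier pattern a value matches, or None."""
    for name, pattern in VALUE_PATTERNS.items():
        if pattern.match(value):
            return name
    return None


def scrub_tracking_url(url):
    """Return (safe_url, findings).

    safe_url is what an analytics tag may report for this page view; findings
    lists (field, reason) for everything removed so the review has a record.
    """
    parts = urlsplit(url)
    findings, kept = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        reason = classify_value(value)
        if key not in ALLOWED_PARAMS:
            findings.append((key, reason or "not_allow_listed"))
        elif reason:
            # Allow-listed name, but the value looks like an identifier.
            findings.append((key, reason))
        else:
            kept.append((key, value))
    path = parts.path
    for prefix in SENSITIVE_PATH_PREFIXES:
        if path.startswith(prefix) and path != prefix:
            path = prefix  # e.g. /find-a-doctor/results/<provider> -> /find-a-doctor
            findings.append(("path", "sensitive_section"))
            break
    # The fragment is dropped unconditionally: single-page apps keep state there.
    safe_url = urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), ""))
    return safe_url, findings


def audit_page_views(urls):
    """Run the scrub over captured page-view URLs and keep the evidence."""
    report = []
    for url in urls:
        safe_url, findings = scrub_tracking_url(url)
        report.append({"url": url, "safe_url": safe_url, "findings": findings})
    return report


# Constructed page views of the kind a tag would otherwise report verbatim.
SAMPLE_PAGE_VIEWS = [
    "https://www.example-plan.test/find-a-doctor/results?q=cardiologist&zip=94105&plan=Gold+PPO&lang=en",
    "https://www.example-plan.test/about?utm_source=newsletter&utm_campaign=spring",
    "https://www.example-plan.test/member/claims?member_id=ABC123456789&dos=2024-01-15",
]

if __name__ == "__main__":
    for row in audit_page_views(SAMPLE_PAGE_VIEWS):
        print(row["url"], "->", row["safe_url"])
        for field, reason in row["findings"]:
            print("   dropped", field, "because", reason)
```

The allow-list direction matters: a deny-list of known-bad parameter names would have missed the “Find a Doctor” search terms, which are free text. Running the same function over a crawl of a site's page-view URLs gives a concrete inventory of what a tag was exposing, which is the evidence a breach assessment needs.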

Virginia Consumer Protection Act Revision Covering Reproductive and Sexual Health Data

Virginia Governor Glenn Youngkin recently signed S.B. 354, amending the Virginia Consumer Protection Act to prohibit the collection, disclosure, sale, or dissemination of reproductive or sexual health information without the consumer’s consent. The amendment takes effect on July 1, 2025.

The Virginia Consumer Protection Act is a comprehensive consumer privacy law governing consumer transactions for goods and services used for personal, household, or family purposes. It protects the rights of Virginia residents regarding the collection of their personal data by businesses. Personal data is any data linked or reasonably linkable to a Virginia resident, excluding publicly available data, protected health information (PHI) covered by HIPAA, medical records, patient identifying information, and other data governed by other federal laws. The Virginia Consumer Protection Act took effect on January 1, 2023.

Under the Virginia Consumer Protection Act, consumers can confirm whether a controller is processing their personal data, correct inaccuracies in it, request its deletion, obtain a copy of the personal data a controller holds, and opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling.

The Act’s private right of action allows consumers to claim $500 or actual damages, whichever is greater, plus reasonable attorneys’ fees and costs. For willful violations, damages may be trebled or increased to $1,000, whichever is greater. The State Attorney General, or a county or city attorney, may also investigate and bring enforcement actions against organizations that violate the Act on behalf of consumers.

“Reproductive or sexual health information” is defined broadly as any “data associated with the past, present, or future of an individual’s reproductive or sexual health” obtained in connection with a consumer transaction under the Act. It excludes HIPAA-protected data (reproductive or sexual health information held by a HIPAA-covered entity) and information related to the treatment of substance use disorder.

The definition of “reproductive or sexual health information” covers:

  • Efforts to research or obtain reproductive or sexual health information, services, or products
  • Use or purchase of birth control pills, contraceptives, or other medications related to reproductive health, such as abortifacients
  • Diagnoses of health conditions, sexually transmitted diseases, pregnancy, menstruation, ovulation, and whether an individual is sexually active, able to conceive, or engages in unprotected sex
  • Reproductive or sexual health treatments or surgical procedures, such as pregnancy terminations
  • Bodily functions, vital signs, physical measurements, or symptoms related to menstruation or pregnancy, such as cramps, basal temperature, hormone levels, or bodily discharge
  • Any of the above types of information that is derived or extrapolated from non-health-related data, such as proxy, derivative, inferred, emergent, or algorithmic information

The Virginia Consumer Protection Act prohibits any vendor from “getting, exposing, selling, or distributing” personally identifiable reproductive or sexual health information in connection with any “consumer transaction” without the consumer’s consent. Consent is required even when collecting that information is necessary to provide the goods or services the consumer requested.

Supreme Court Rejects Appeal in South Carolina FQHC Data Breach Case

The Supreme Court has declined to hear a case on whether a Federally Qualified Health Center (FQHC) is immune from liability for the exposure of patients’ personally identifiable information (PII) in a data breach. Sandhills Medical Foundation is an FQHC serving patients in Chesterfield, Lancaster, Kershaw, and Sumter Counties in South Carolina. Its vendor, Netgain Technologies, hosts its scheduling, payment, and reporting systems. On January 8, 2021, the vendor informed Sandhills of a ransomware attack that began on November 15, 2020, when the ransomware group accessed its systems using compromised credentials and stole sensitive information; the group deployed ransomware on December 3, 2020.

Sandhills confirmed that the breach affected the data of 39,602 individuals. Protected health information (PHI) was not compromised, but the attackers may have been able to infer diagnoses and medical conditions. The stolen data included names, dates of birth, residential addresses, email addresses, Social Security numbers, and driver’s license numbers. One of the affected individuals, Joann Ford, sued on behalf of herself and others similarly situated. Ford had received care at Sandhills in 2018 but stopped going there before the November ransomware attack. Her PII was among the stolen data, and the attacker later used it to fraudulently obtain a loan.

Sandhills removed the lawsuit to federal court to determine whether it was entitled to federal immunity from liability. Ford had provided her information to Sandhills as a condition of receiving treatment, and Sandhills argued that her PII was stolen in the course of its performing medical, dental, surgical, or similar functions. The District Court agreed that under 42 U.S.C. § 233(a) the Federal Tort Claims Act (FTCA) applied, that Sandhills was immune, and that the United States should be substituted as defendant in its place.

The United States moved to dismiss for lack of subject matter jurisdiction, arguing that the appellant had not exhausted her administrative remedies with the Department of Health and Human Services before filing suit, as the FTCA requires. The appellant conceded the point but maintained that Sandhills was not immune under § 233(a) because her PII had been given to the vendor, which was not a medical, dental, surgical, or similar function.

The District Court granted the motion to dismiss, and Ford appealed. The United States Court of Appeals for the Fourth Circuit held that § 233(a) does not apply to her claims, since Sandhills was not performing a similar function when the hacker stole the appellant’s PII. The judgment, issued in March 2024, remanded the case for further proceedings.

The appellate court reasoned that if § 233(a) applied to any action a patient takes in order to receive healthcare, it would shield Sandhills from any claim regardless of its connection to treatment. Had the appellant provided her PII and billing details to Sandhills but never attended her appointment, she would have suffered the same harm from the data breach without ever receiving treatment. This week, the Supreme Court listed the case as Certiorari Denied, declining to hear it.

Data Breach Report for 2024 by the Identity Theft Resource Center

According to the Identity Theft Resource Center’s (ITRC) 2024 Annual Data Breach Report, data compromises fell by 1% in 2024, 44 fewer than 2023’s record total. The number of victims rose by 312%, from 419 million in 2023 to 1,728,519,397 in 2024. Cyberattacks caused 80% of data compromises in 2024 and accounted for 93% of breach notifications; the remaining notifications were due to system and human error, physical attacks, and supply chain attacks.

The huge rise in victim notifications was mostly due to several mega breaches: 2024 saw six breaches involving more than 100 million records. Although the Change Healthcare breach, affecting 190 million records, was the largest healthcare data breach ever, it ranked only third in 2024, behind the Advance Auto Parts Inc. breach (380 million consumers) in second place and the Ticketmaster Entertainment breach (560 million individuals) in first. The other three 100 million-plus breaches were DemandScience by Pure Incubation (121.8 million), AT&T (110 million), and MC2 Data (100 million). Together, these six breaches accounted for roughly 85% of all breach victims in 2024.

2024 was a notably bad year for the number of breached U.S. healthcare records, even though healthcare data breach reports fell by 3.5%. The OCR breach portal currently lists 721 data breaches for 2024 and 747 for 2023. The number of breached records rose because of the Change Healthcare breach: 168 million records were breached in 2023 versus 247 million in 2024.

ITRC’s healthcare statistics exclude many breaches at business associates of healthcare providers, which fall under other categories. ITRC’s data shows a decline in healthcare data breaches: 811 compromises with 60 million victims in 2023 versus 536 compromises with 47 million victims in 2024. Healthcare had the most compromises of any sector in 2023 but fell to second place in 2024, behind financial services, and ranked tenth by number of breached records. Across all industries, ITRC tracked 3,158 compromises in 2024, comprising 288 unknown compromises, 2 data leaks, 18 data exposures, and 2,850 data breaches.

Many data breaches could have been prevented by following basic cybersecurity guidance, as the following 2024 breaches show. In the Advance Auto Parts, Ticketmaster, AT&T, and Change Healthcare breaches, attackers used compromised credentials to access systems that were not protected by multifactor authentication. Those four breaches alone exposed more than 1.24 billion records that could have been protected with multifactor authentication. ITRC also identified 29 cyberattacks in 2024 resulting from credential stuffing, which multifactor authentication would likewise have prevented. If finalized, the proposed HIPAA Security Rule update will require multifactor authentication in healthcare to protect protected health information.
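Credential stuffing, the technique behind the 29 attacks ITRC counted, has a recognizable shape in authentication logs: one source trying many different usernames in a short time, mostly failing, with the occasional success where a reused password worked. The following is an added example, not ITRC's or any vendor's code, of detection logic over a few constructed auth-log lines. It flags sources that meet a distinct-user and failure-ratio threshold inside a sliding window, and then lists any logins from such a source that succeeded without MFA, which are the accounts a responder needs to review first. The log format, thresholds and addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (syslog-like, not a real product's format):
# <timestamp> src=<ip> user=<name> result=<success|failure> mfa=<yes|no>
AUTH_LOG = """\
2024-06-01T02:00:01 src=203.0.113.7 user=alice result=failure mfa=no
2024-06-01T02:00:02 src=203.0.113.7 user=bob result=failure mfa=no
2024-06-01T02:00:02 src=203.0.113.7 user=carol result=failure mfa=no
2024-06-01T02:00:03 src=203.0.113.7 user=dave result=failure mfa=no
2024-06-01T02:00:03 src=203.0.113.7 user=erin result=success mfa=no
2024-06-01T02:00:04 src=203.0.113.7 user=frank result=failure mfa=no
2024-06-01T02:00:05 src=203.0.113.7 user=grace result=failure mfa=no
2024-06-01T08:15:00 src=198.51.100.20 user=alice result=failure mfa=no
2024-06-01T08:15:30 src=198.51.100.20 user=alice result=success mfa=yes
2024-06-01T09:00:00 src=192.0.2.44 user=heidi result=success mfa=yes
"""

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5   # many accounts from one source: stuffing, not a typo
MIN_FAILURE_RATIO = 0.7  # stuffed credentials mostly fail


def parse_auth_log(text):
    """Parse the key=value lines into dicts with a datetime and booleans."""
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "ip": fields["src"],
                       "user": fields["user"],
                       "success": fields["result"] == "success",
                       "mfa": fields["mfa"] == "yes"})
    return events


def detect_credential_stuffing(events, window=WINDOW,
                               min_users=MIN_DISTINCT_USERS,
                               min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {ip: stats} for every source whose activity matches stuffing.

    A source is flagged when some window of its attempts covers at least
    min_users distinct accounts and at least min_fail_ratio of them failed.
    Stats are then computed over all of that source's attempts.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda x: x["ts"])
        flagged = False
        for i, e in enumerate(attempts):
            win = [w for w in attempts[: i + 1] if e["ts"] - w["ts"] <= window]
            users = {w["user"] for w in win}
            failures = sum(1 for w in win if not w["success"])
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                flagged = True
                break
        if not flagged:
            continue  # e.g. one user mistyping then succeeding with MFA
        report[ip] = {
            "attempts": len(attempts),
            "failures": sum(1 for w in attempts if not w["success"]),
            "distinct_users": len({w["user"] for w in attempts}),
            # Accounts that were entered without a second factor: review first.
            "successes_without_mfa": sorted(
                w["user"] for w in attempts if w["success"] and not w["mfa"]),
        }
    return report


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_auth_log(AUTH_LOG)).items():
        print(ip, stats)
```

The distinct-user threshold is what separates stuffing from a single user's failed retries: the second source in the sample log fails once and then succeeds with MFA, and is correctly left alone. With MFA enforced everywhere, the "successes_without_mfa" list would always be empty, which is the point the ITRC figures make.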

Breached organizations are increasingly omitting important details from their breach notifications, and breach victims are usually given minimal information about the nature of the breach. The ITRC report notes that the problem is not limited to healthcare. In 2023, 45% of breach notices lacked actionable details about the root cause of the breach; in 2024, 65% did. Without enough information, breach victims cannot accurately judge their level of risk.

The United States still has no federal data privacy law, despite bipartisan support for one. A comprehensive federal data privacy bill was proposed but did not pass in 2024. Individual states therefore have to enact their own laws to protect residents’ privacy and ensure that breach notifications are issued after an incident.

It is encouraging that more states are enacting privacy laws; 40% of states now have comprehensive data privacy laws. By 2025, Delaware, Iowa, Minnesota, Maryland, Nebraska, New Jersey, New Hampshire, and Tennessee all have comprehensive privacy laws, and Michigan, Ohio, Oklahoma, and Pennsylvania are likely to pass privacy laws in 2025.

HHS Proposal for HIPAA Security Rule Update Approved

The White House has approved the U.S. Department of Health and Human Services’ proposed update to the HIPAA Security Rule. A draft Notice of Proposed Rulemaking (NPRM) has been published and will appear in the Federal Register by January 6, 2025. HHS is seeking feedback from HIPAA-covered entities, healthcare sector stakeholders, and the public on the proposed rule. Comments will be accepted for 60 days after the NPRM is published in the Federal Register.

This is the first major change to the HIPAA Security Rule in about ten years. It follows the publication of the HHS Healthcare and Public Health Sector Cybersecurity Performance Goals in January 2023. Those voluntary goals were meant to encourage healthcare providers to improve cybersecurity, but voluntary goals alone are unlikely to produce the behavioral change the industry needs.

The original HIPAA Security Rule was intended to make healthcare providers implement security policies, procedures, and safeguards to protect the confidentiality, integrity, and availability of electronic health data. The Security Rule was written to remain applicable for years without regular revision to account for technological developments, and to be flexible enough to apply to organizations of all types and sizes. The HIPAA Security Rule therefore does not specify the technologies to be used to protect ePHI, and most of the implementation specifications in the original Security Rule are addressable rather than required.

Since the HIPAA Security Rule was enacted, technology and cybersecurity have advanced significantly, and the sharp rise in cyberattacks on the HPH sector makes stronger cybersecurity necessary. The proposed HIPAA Security Rule update addresses current and emerging cybersecurity threats. Updates to existing cybersecurity practices must reflect developments in technology and cybersecurity and ensure that physicians, health plans, and other healthcare providers meet their obligations to protect patients’ protected health information (PHI).

The proposed HIPAA Security Rule update runs to 393 pages specifying the measures HIPAA-regulated entities and their business associates must put in place to strengthen cybersecurity protections for individuals’ PHI. In the last five years, reports of large data breaches involving 500 or more records have increased by 102%, and the number of people affected by data breaches has increased by 1002%. The rise in breach victims is driven by an 89% increase in hacking incidents and a 102% increase in ransomware attacks since 2019. In 2023, 167 million people were affected by healthcare data breaches, and more than 180 million had been affected as of November 30, 2024.

The proposed rule addresses areas of HIPAA Security Rule noncompliance; changes in the environment in which healthcare is delivered; current cybersecurity guidelines, best practices, methodologies, and processes that strengthen protections against internal and external threats; and court decisions that have affected enforcement of the HIPAA Security Rule.

Key Requirements of the Proposed HIPAA Security Rule Update

The proposed HIPAA Security Rule update revises definitions and implementation specifications to reflect developments in technology and terminology and narrows the distinction between required and addressable implementation specifications. HIPAA-covered entities must document in writing all Security Rule policies, procedures, plans, and analyses, and the update sets specific compliance timelines for existing Security Rule specifications.

Regulated entities must develop and maintain a technology asset inventory and a network map showing the flow of ePHI through their electronic information systems, updating both at least every 12 months and whenever a change to the entity’s operations or environment may affect ePHI.

Risk analysis must be performed with greater specificity, including a review of the technology asset inventory and network map; identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; identification of potential vulnerabilities and predisposing conditions in the entity’s electronic information systems; and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each threat will exploit the vulnerability.

HIPAA-covered entities must undergo annual HIPAA compliance audits.

HIPAA-covered entities must establish contingency plans and security incident response procedures, including procedures for restoring electronic information systems and data within 72 hours; procedures for workforce members to report suspected or known security incidents; and procedures for testing and revising incident response plans.

Enhanced security measures, with limited exceptions, that HIPAA-covered entities must implement:

  • Encryption of ePHI at rest and in transit
  • Network segmentation
  • Multi-factor authentication
  • Vulnerability scanning twice a year
  • Annual penetration testing
  • Anti-malware protection
  • Removal of extraneous software from relevant electronic information systems
  • Disabling of network ports in accordance with the covered entity’s risk analysis
  • Separate technical controls for backup and recovery of ePHI and electronic information systems
  • Annual review and testing of the effectiveness of certain security measures
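Two requirements above, restoration of systems and data within 72 hours and annual testing of security measures, together with the first two Resilience priorities earlier on this page (a detailed backup strategy and frequent recovery tests), describe a recovery drill that has to produce evidence. The following is an added example, not code from HHS, Resilience, or any backup product, of the minimal tooling such a drill needs: a manifest of SHA-256 hashes taken at backup time, a verifier that compares a restored tree against it and reports missing, corrupted and unexpected files, and a timer that checks the restore against the 72-hour objective. The sample files, directory names and restore procedure (a plain directory copy) are constructed for the example.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Recovery objective from the proposed rule: systems and data back within 72 hours.
RTO_SECONDS = 72 * 3600


def sha256_file(path):
    """Hash a file in chunks so large imaging files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root.

    Produced at backup time and stored separately from the backup itself,
    so tampering with either one becomes detectable at restore time.
    """
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the backup-time manifest."""
    restored = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in restored)
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    unexpected = sorted(k for k in restored if k not in manifest)
    return {"ok": not (missing or corrupt or unexpected),
            "missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def timed_restore(restore_fn, dest, manifest, rto_seconds=RTO_SECONDS):
    """Run a restore procedure, time it, and verify the result.

    A drill passes only if the data is intact AND it came back within the
    objective; a fast restore of corrupt data is still a failed drill.
    """
    start = time.monotonic()
    restore_fn(dest)
    elapsed = time.monotonic() - start
    verification = verify_restore(dest, manifest)
    return {"elapsed_seconds": elapsed,
            "within_rto": elapsed <= rto_seconds,
            "meets_objective": elapsed <= rto_seconds and verification["ok"],
            "verification": verification}


def demo():
    """Constructed drill: a tiny 'backup' tree, one faithful restore and one
    restore with a corrupted file, a missing file and a stray leftover file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ehr_backup"
        (src / "config").mkdir(parents=True)
        (src / "images").mkdir()
        (src / "patients.db").write_bytes(b"constructed sample data\n" * 100)
        (src / "config" / "app.ini").write_text("[db]\nhost=localhost\n")
        (src / "images" / "scan1.bin").write_bytes(bytes(range(256)))
        manifest = build_manifest(src)

        good = timed_restore(lambda dest: shutil.copytree(src, dest),
                             tmp / "restore_good", manifest)

        bad_dir = tmp / "restore_bad"
        shutil.copytree(src, bad_dir)
        (bad_dir / "patients.db").write_bytes(b"truncated")      # corrupted
        (bad_dir / "images" / "scan1.bin").unlink()              # missing
        (bad_dir / "stray.tmp").write_text("left over from a previous run")
        bad = verify_restore(bad_dir, manifest)

        return {"manifest_files": len(manifest), "good": good, "bad": bad}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In a real drill, `restore_fn` is the actual restore procedure from the backup system, and the manifest is the one written when the backup was taken, not one regenerated from the backup media. The drill record (elapsed time, verification result, date) is the documentation the annual testing requirement asks for.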

Certain covered entities must be notified within 24 hours when a workforce member’s access to ePHI or electronic information systems is changed or terminated. Business associates must notify covered entities without undue delay, and no later than one day, after activating their contingency plans.

Business associates and contractors must provide annual written verification, by a subject matter expert, that their technical safeguards comply with the Security Rule.

The proposed Security Rule update will be published in the Federal Register before President Trump’s inauguration; however, it is the Trump-Vance administration that will decide whether to move ahead with it. There is nonetheless strong support for stronger cybersecurity requirements in healthcare. According to Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger, implementing the Security Rule update is projected to cost $9 billion in the first year and $6 billion for the next four years.

1.7 Million People Affected by OnePoint Patient Care Data Breach

OnePoint Patient Care, based in Tempe, AZ, reported a hacking incident to the HHS’ Office for Civil Rights (OCR) on October 14, 2024, as affecting the protected health information (PHI) of 795,916 people. The same incident was reported to the Maine Attorney General on November 22, 2024, with the number of affected people given as 1,741,152, including 99 Maine residents. OnePoint began mailing notification letters to the affected individuals on November 26, 2024.

The notification to the Maine Attorney General contained no additional information about the breach; it repeated the information in OnePoint’s October 25, 2024 announcement, as nothing further about the cause of the breach has been disclosed. The INC Ransom ransomware-as-a-service group, which uses double extortion tactics, claimed responsibility for the attack. INC Ransom breaks into networks, locates and exfiltrates sensitive data, and then encrypts files; it demands a ransom both for the decryption keys and for withholding publication of the stolen data.

Although a ransom was demanded, OnePoint did not pay it to recover its files, and OnePoint Patient Care was subsequently listed on the group’s data leak site, where the stolen data was made available for download. The INC Ransom leak site showed 14,246 views of the OnePoint Patient Care listing as of November 28, 2024; how many times the data was downloaded is unknown.

OnePoint Patient Care stated in the notification letters that no actual or attempted misuse of the data has been identified; however, misuse of the stolen data is very likely. All affected individuals should therefore enroll in the credit monitoring and identity theft protection services offered and remain alert for misuse of their data.

In its October 25, 2024 post, OnePoint Patient Care said it detected suspicious activity within its computer systems on August 8, 2024, and immediately took steps to contain the breach and stop the ongoing unauthorized access.

Third-party cybersecurity specialists investigated the breach and confirmed on August 15, 2024 that the attackers had accessed its systems from August 6 to August 8, 2024 and exfiltrated files without authorization. Some of the files contained customer data such as names, medical record numbers, diagnoses, prescription details, and addresses. The Social Security numbers of some customers were also compromised.

The affected individuals were notified of the potential exposure of their PHI and advised to monitor their credit reports, account statements, and benefit statements for fraudulent activity. Those whose Social Security numbers were compromised were offered free credit monitoring and identity theft protection services. OnePoint Patient Care affirmed its commitment to protecting the privacy and security of personal information and said it is implementing additional safeguards to prevent similar breaches in the future.

New Program Seeks to Strengthen Cyber Resiliency in Hospitals

The Advanced Research Projects Agency for Health (ARPA-H), an agency of the Department of Health and Human Services (HHS), has launched a new cybersecurity program that aims to improve and automate cybersecurity at U.S. hospitals so that they can continue providing patient care.

ARPA-H’s mission is to improve health outcomes by supporting the development of high-impact solutions to society’s most challenging health problems, cybersecurity among them. Cyberattacks on healthcare organizations disrupt critical systems and adversely affect patient care, and can even contribute to the shutdown of healthcare services. To address the problem, ARPA-H has introduced the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) Program, which is investing more than $50 million in developing software to help hospital IT teams better protect their systems, including protected health information, against cyberattacks.

Hospitals have many internet-connected devices that must be kept fully patched and updated. Updating software to fix vulnerabilities usually requires taking devices offline, which is often disruptive. As a result, even when patches are available for known vulnerabilities, applying them can take months: actively supported internet-connected devices remain vulnerable for over a year, and older hospital devices for much longer. The UPGRADE Program aims to improve and automate cybersecurity by developing software that can scan hospital environments for vulnerabilities that hackers could exploit and immediately develop and deploy mitigations to prevent exploitation. Modeling hospitals is challenging, however, because each hospital has a unique number and variety of devices.

It is difficult to address every vulnerability in the software systems used at a given healthcare facility, and this limitation leaves hospitals and clinics exposed to ransomware attacks, according to UPGRADE Program Manager Andrew Carney. The UPGRADE program seeks to minimize the effort required to secure hospital equipment and to ensure that devices are both secure and operational, allowing healthcare providers to concentrate on patient care.

For the UPGRADE program to succeed, ARPA-H will need the expertise of IT teams, cybersecurity specialists, healthcare organizations, medical device manufacturers and vendors, and others to build a customizable, scalable software suite for improving cyber resilience. The software will model digital hospital environments to identify software vulnerabilities. When a vulnerability is identified, the software will automatically obtain or generate a patch, which will be tested in the model environment so that it can be deployed with minimal disruption to hospital devices. The goal is to reduce the time that devices remain vulnerable from months to days.

Under the UPGRADE program, ARPA-H is seeking proposals from expert teams in four technical areas: the development of a vulnerability mitigation software platform, the creation of high-fidelity models of hospital equipment, techniques for automatic discovery of vulnerabilities, and the automatic generation of custom defenses. ARPA-H expects to make several awards under its upcoming solicitation.

According to HHS Deputy Secretary Andrea Palm, the UPGRADE program is another example of HHS’ continuing commitment to strengthening cyber resiliency across the health care system. ARPA-H’s UPGRADE can help advance HHS’ Healthcare Sector Cybersecurity Strategy by ensuring that all hospital devices, large or small, can operate securely and adapt to a changing environment.