PIH Health, a health care entity located in California, suffered a data breach in June 2019 when 45 employee email accounts were compromised in a targeted phishing campaign. The accounts contained the protected health...more
Becker’s Hospital Review reports that the Department of Government Efficiency (DOGE) “has access to sensitive information in 19 HHS databases and systems,” according to a court filing obtained by Wired. HHS provided the...more
4/25/2025 / Data Collection, Data Privacy, Data Security, Department of Government Efficiency (DOGE), Department of Health and Human Services (HHS), Disclosure Requirements, Employees, Federal Contractors, Government Agencies, Personal Data, Personal Information, PHI
The Office for Civil Rights of the Department of Health and Human Services (OCR) was busy negotiating and settling enforcement actions in November and early December. Since October 31, 2024, the OCR has settled five separate...more
12/12/2024 / Data Breach, Electronic Protected Health Information (ePHI), Enforcement Actions, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Security Rule, HIPAA Violations, OCR, PHI, Right of Access, Settlement
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently issued its Final Rule to modify HIPAA “to support reproductive health care privacy.” The Final Rule is in response to Executive...more
On November 13, 2023, Governor Kathy Hochul released proposed cybersecurity regulations applicable to all hospitals located within the state of New York. The Governor has included $500 million in grant funding in her FY24...more
11/17/2023 / Cybersecurity, Data Protection, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, New York, Patient Privacy Rights, PHI, Proposed Regulation, Regulatory Agenda, Regulatory Reform
New York Attorney General Letitia James announced on March 27, 2023 that she had levied a fine against law firm Heidell, Pittoni, Murphy & Bach LLP for failing to secure personal and health information of clients exposing the...more
3/30/2023 / Cybersecurity, Data Breach, Data Management, Data Protection, Data Security, Electronic Protected Health Information (ePHI), Enforcement Actions, Fines, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Legal Representatives, New York, PHI, State Attorneys General
HIPAA requires that covered entities notify the Office for Civil Rights (OCR) of any breaches of unsecured protected health information that affect fewer than 500 individuals in a calendar year within 60 days following the...more
2/24/2023 / Data Breach, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Breach, HIPAA Breach Notification Rule, OCR, PHI, Regulatory Requirements, Reporting Requirements, Statutory Deadlines
The Federal Trade Commission (FTC) announced on February 1, 2023 that it has settled, for $1.5M, its first enforcement action under its Health Breach Notification Rule against GoodRx Holdings, Inc., a telehealth and...more
2/3/2023 / Data Management, Data Privacy, Data-Sharing, Enforcement Actions, Federal Breach Notification Standard, Federal Trade Commission (FTC), Healthcare, PHI, Prescription Drugs, Settlement Agreements, Targeted Digital Advertising, Telehealth
On August 23, 2022, the Office for Civil Rights (OCR) issued a press release announcing that it had settled with New England Dermatology, P.C. (NED) for $300,640 “over the improper disposal of protected health information.” ...more
According to the 2022 State of Ransomware Report issued recently by Sophos, it surveyed 5,600 IT professionals from 31 countries, including professionals in the health care sector. Those professionals in the health care...more
6/29/2022 / Cyber Attacks, Cybersecurity, Data Breach, Electronic Medical Records, Hackers, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Breach, Identity Theft, Information Technology, PHI, Popular, Ransomware, Risk Mitigation, Vulnerability Assessments
CYBERSECURITY - Okta Notifies Customers of LAPSUS$ Attack - Okta, which markets itself as a “leading provider of identity” in the health care, public sector, energy, financial services, technology, travel and hospitality,...more
3/25/2022 / Cyber Attacks, Cybersecurity, Data Privacy, Data Protection, Data Security, Drones, FBI, NIST, PHI, Popular, State Data Breach Notification Statutes
In general, both state and federal laws apply to health information or protected health information that is in the possession of hospitals, health systems, and medical providers.
HIPAA requires that covered entities...more
HIPAA requires covered entities and business associates to report to the Office for Civil Rights (OCR) all breaches of unsecured protected health information when the incident involves fewer than 500 individuals no later than...more
2/11/2022 / Cyber Attacks, Electronic Medical Records, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Breach, Information Technology, OCR, Personally Identifiable Information, PHI, Regulatory Requirements, Reporting Requirements
One of the challenging things about HIPAA (Health Insurance Portability and Accountability Act) enforcement is the fact that both the Office for Civil Rights and State AGs have jurisdiction to assess fines and penalties for...more
12/23/2021 / Data Breach, Data Privacy, Data Protection, Electronic Protected Health Information (ePHI), Email, Fines, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Breach, HIPAA Violations, OCR, Penalties, PHI, Phishing Scams, Policies and Procedures, State Attorneys General
Queen Creek Medical Center (QCMC), also known as Desert Wells Family Medicine, located in Arizona, has notified up to 35,000 patients of a data breach following a ransomware attack that corrupted its medical records system,...more
9/17/2021 / Cyber Attacks, Cyber Crimes, Cybersecurity, Data Breach, Data Security, Electronic Medical Records, Hackers, Health Care Providers, Information Technology, PHI, Popular, Ransomware
The Office for Civil Rights (OCR) this week announced a settlement with Peachstate Health Management LLC (aka AEON Clinical Laboratories) following a compliance review that uncovered alleged violations of HIPAA....more
The Center for Internet Security (CIS) announced last week that it has launched the Malicious Domain Blocking and Reporting (MDBR) service to assist U.S.-based private hospitals with ransomware and cyber-attacks for free....more
2/26/2021 / Cyber Attacks, Cyber Crimes, Cybersecurity, Data Breach, Hackers, Health Care Providers, Hospitals, Information Technology, Personally Identifiable Information, PHI, Ransomware
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the...more
1/21/2021 / Cyber Attacks, Cyber Crimes, Data Breach, Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Breach, Information Technology, Malware, OCR, Personally Identifiable Information, PHI
The Department of Health and Human Services’ (HHS) Division of Critical Infrastructure Protection (CIP) issued a health care and public health sector notification this week entitled “Ransomware Activity Targeting the...more
The Office for Civil Rights (OCR) issued a press release on November 12, 2020, announcing that it had settled its eleventh enforcement action in its HIPAA Right-of-Access Initiative. The settlement with Dr. Rajendra Bhayani,...more
New Jersey Attorney General (AG) Gurbir S. Grewal announced on November 2, 2020, that his office has settled with ShopRite’s parent company, Wakefern Food Corp. (Wakefern) and two of its supermarket entities for $235,000 for...more
On October 8, 2020, New Jersey Attorney General Gurbir Grewal (AG) announced that his office has entered into a multi-state settlement agreement with Community Health Systems, Inc. (CHS) stemming from an investigation of a...more
10/16/2020 / Cyber Attacks, Electronic Medical Records, Hackers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Breach, Information Technology, OCR, Personally Identifiable Information, PHI, Popular, Settlement Agreements
Regulatory bodies are upping the ante when it comes to settling with companies that have suffered data breaches. In addition to the below settlements, see also the settlement between the OCR and Dignity Health....more
10/16/2020 / Cyber Attacks, Cybersecurity, Data Breach, Data Management, Data Protection, Electronic Medical Records, Hackers, Health Care Providers, Health Information Technologies, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Breach, OCC, Personally Identifiable Information, PHI
Premera Blue Cross (Premera) has agreed to settle with the Office for Civil Rights (OCR) for $6.85 million over allegations of violations of HIPAA after an investigation of a data breach that occurred in 2014 affecting 10.4...more
10/9/2020 / Corporate Counsel, Cybersecurity, Data Breach, Data Security, Health Insurance, HIPAA Breach, OCR, Personally Identifiable Information, PHI, Premera Blue Cross, Settlement Agreements
CYBERSECURITY - OFAC Issues Advisory on Sanctions for Facilitating Ransomware Payments - On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory “to...more
10/5/2020 / Building Inspectors, Business Continuity Plans, California Consumer Privacy Act (CCPA), Cyber Attacks, Cybersecurity, Data Breach, Data Privacy, Drones, Economic Sanctions, Financial Institutions, Fraud, Hackers, HIPAA Breach, Identity Theft, OCR, Office of Foreign Assets Control (OFAC), PHI, Ransomware, Regulatory Agenda, Unemployment Benefits