HIPAA Blog

400 Large Breaches so far in 2025: HHS has announced that during the first six months of 2025, there were 400 "large" breaches (...

Deer Oaks , a HIPAA covered healthcare provider that provides behavioral health services primarily to residents in nursing homes and other f...

Finally!! Biden Administration's HIPAA Abortion Stupidity Negated: As I previously wrote about at length, the asinine Biden Administrat...

Happy Memorial Day! Sorry I've not posted in forever, and when I do it's few and far between, but it has been a very busy spring and...

Kettering Health (Ohio) Ransomware Event: Kettering Health, which operates 9 hospitals and a handful of other sites in and around Dayton, O...

Email As a Data Breach Vector:  Almost 200 healthcare organizations suffered a cyberbreach involving their email systems over the last year...

Information-blocking news: EMR company must allow client's BAs to access PHI:  I must admit I haven't been following this at all, bu...

PE-owned healthcare entities need to improve cybersecurity: I hate to say it, but at this point cybersecurity protections are more importan...

Warby Parker Pays $1.5 to Settle HIPAA Violation I wasn't involved in this matter , so I don't have inside information and I'm j...

Change Healthcare's Breach Victim Count Reaches 190,000,000.   US population is about 340 million, which means the breach affected about...

Texas Health and Human Services Commission Suffers HIPAA Breach: If you haven't figured it out yet, anyone with health data is potential...

PHI Deletion Nets $337,750 Fine: This is a bit of an odd one: a Florida HIPAA business associate, USR Holdings, discovered that an unauthori...

9th Ransomware Case: Virtual Private Network Solutions:   HHS has entered into a settlement agreement with a HIPAA business associate who wa...

OCR's January 2025 "Dear Colleague" letter (slightly off-topic): As you know, the Office for Civil Rights is the HIPAA enforce...

HHS Issues 8th Fine Related to Ransomware:   Elgon Information Systems has agreed to an $80,000 settlement with OCR in relation to a ransomw...

Recent OCR Enforcement Actions:  I've been pretty lazy on the blogging front lately, and let a bunch of items stack up, particularly no...

Biden Administration Proposes New Cybersecurity Requirements for Healthcare Organizations: Encryption and network compliance checks are inc...

Ascension breach affects 5.6 million: Ascension Health's May 2024 ransomware incident may have c ompromised PHI of 5.6 million people ,...

  OCR and Abortion: If you're wondering if OCR is going to try to jump into enforcement actions of the soon-to-be-implemented (and likel...

The Blinding, Amazing Stupidity of Xavier Becerra's HHS.   OK, there are plenty examples of this, but the one I'm wrestling with rig...

Ransomware is the Biggest HIPAA Issue Facing the Healthcare Industry: According to a survey recently conducted by Sophos , 67% of all healt...

Recent Ransomware settlement:  OK, I've sort of fallen down on the job here keeping the HIPAABlog updated, but I'm going to try to d...

Providence Medical Institute Ransomware Fine: Providence Medical Institute has been fined $240,000 by OCR for HIPAA violations in connecti...

Offshore Outsourcing of Tech Services Can Be Problematic: A few weeks ago, HHS removed two Obamacare enrollment companies from accessing th...

Great Write-Up on OCR's 3rd Ransomware Settlement: Theresa Defino of Report on Patient Privacy has an excellent article on the recently...

Baim Institute for Clinical Research Suffers Ransomware event and Data Disclosure: According to this analysis by Safety Detectives , Baim ...

OneBlood Blood Donation Center Hit by Ransomware Attack: The blood donation and distribution organization, which supports 350 hospitals acro...

2024 Will Be Big:   I have a feeling 2024 will be a record year for data breaches, both in number of breaches overall and the size of the b...

  Change Healthcare Updates its Breach Notice. They added a timeline , apparently, and are going to finally start sending notices to affecte...

If you're using MOVEit, you should PATCHit first: Lots of folks in the healthcare industry use MOVEit for file transfers; about a year a...

Geisinger data breach impacted 1.2 million people: This breach is interesting because it's a disgruntled former employee of a vendor wh...

OCR settles ransomware and cybersecurity investigation involving Heritage Valley Health for $950,000: This is the 3rd settlement of a ranso...

New Social Engineering Schemes Target Healthcare: The FBI and HHS are warning healthcare industry participants warning healthcare industry ...

Federal Court Blocks HHS Rule Prohibiting Use of Web Tracking Technologies Such as Google Pixel :  As you probably know, HHS has issued guid...

CentroMed: Lightning Strikes Twice: It's a dumb aphorism that "lightning never strikes twice."  Lightning is always more likel...

HHS, ARPA-H announce UPGRADE program to automate cybersecurity for healthcare entities: The Advanced Research Projects Agency for Health (a ...

AHA and H-ISAC Issue Black Basta Warning: The American Hospital Association and the Health Information Sharing and Analysis Center (H-ISAC)...

Ascension Hit With Ransomware Attack: The story is still breaking, but Ascension Health was the victim of a cyberattack that affected its E...

Size Matters: Just how big is the Change Healthcare breach?  Over 100 million Americans may be affected.   I rode in a 150-mile bike ride b...

United Healthcare: It's been a bad spring for UHC: their pharmacy order and clearinghouse subsidiary Change Healthcare suffered one of t...

Tracking Technologies: In the latest news on the use of website tracking technologies such as Google Pixel, Monument Health has entered into...

Another "Right of Access" Settlement:  OCR has entered into its 47th settlement with a HIPAA covered entity or business associat...

Do Healthcare Organizations Cheap Out on Cybersecurity Spending?   That's the question Modern Healthcare asks (subscription required). ...

Ransomware Hits Healthcare Harder: If you've been living under a rock, you may not know this, but healthcare is the hardest-hit industry...

HHS steps in: HHS has s tarted its own investigation into the Change hack; expect a record-setting fine.  I'll predict at least $25 mi...

Change Cyberattack: I guess everyone's finally going to le arn what a "health care clearinghouse" is. They've always bee...

HHS Statement on Change Healthcare Cyberattack: In HIPAA-adjacent news, . . .   Unless you've been buried in a snowbank somewhere, you...

LaFourche Medical Group pays $480,000 to settle ransomware attack affecting 35.000 patients: An emergency and occupational medicine practice...

[Note: This should have been posted early January -- I just noticed it was still in Draft] HHS announces data blocking penalties: The infor...

Second OCR Ransomware Incident Settlement Announced: OCR has e ntered into a settlement agreement relating to a ransomware incident, this t...