Hale Insights - April 13, 2026


Good Morning Everyone,

The past week (April 7 – 13, 2026) brought significant developments in healthcare privacy, cybersecurity and regulation.  Multiple vendor breaches underscore the fragility of supply chains, while new policies highlight evolving expectations around genetic, biometric and claims data.  Below is our curated summary of the most important news, organized by category:

Regulatory & Legal Updates

OCR settlement with MMG Fusion (risk analysis & timely notification)

What happened: On April 9 2026, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) announced a settlement with MMG Fusion, a healthcare software provider, for failing to perform an accurate risk analysis and delaying breach notification after a December 2020 incident that exposed protected health information (PHI) of approximately 15 million individuals.  The company will pay $10,000 and implement a corrective action plan monitored by OCR for three years.

Why it matters: OCR continues to emphasise that covered entities and business associates must proactively identify and address vulnerabilities.  Delayed breach notifications can lead to penalties even when the monetary settlement is small.

Recommended actions:

  • Conduct and document comprehensive risk analyses covering where electronic PHI resides and the vulnerabilities that could lead to compromise.
  • Develop a risk management plan to remediate identified issues and re‑evaluate periodically.
  • Establish incident‑detection and breach‑notification workflows to meet HIPAA’s reporting timelines.
  • Train staff on their roles in detecting and reporting security incidents.

New Jersey restricts collection of immigration & citizenship data

What happened: New Jersey’s A4070 law, enacted March 25 2026, limits healthcare facilities’ collection and disclosure of sensitive identifiers—immigration status, citizenship status, place of birth, Social Security number and individual taxpayer identification number—unless necessary for care, eligibility determinations or legal compliance.  The statute requires patient consent for disclosure and takes effect April 1 2027, with enforcement authority vested in the state Department of Health.

Why it matters: This law expands privacy protections beyond HIPAA, addressing concerns that fear of immigration enforcement deters some patients from seeking care.  Healthcare organizations must revise intake procedures to avoid collecting unnecessary sensitive information.

Recommended actions:

  • Evaluate data collection practices to determine whether sensitive identifiers are truly required.
  • Update patient consent forms and policies to comply with New Jersey’s consent and disclosure requirements.
  • Coordinate with legal counsel to align state‑level obligations with HIPAA and other federal requirements.
  • Educate front‑line staff about the new restrictions before the law’s effective date.

OPM proposal for detailed claims data from federal insurers

What happened: A brief notice from the U.S. Office of Personnel Management (OPM) proposes requiring 65 insurers that cover federal employees and retirees to submit monthly reports containing identifiable medical and pharmacy claims data.  Experts warn that the request could violate HIPAA’s minimum‑necessary standard by providing granular information on treatments and prescriptions.  OPM argues it needs the data for oversight but has not stipulated de‑identification; critics fear the data could be misused to discipline employees or otherwise infringe privacy.

Why it matters: If enacted, the proposal would expand government access to PHI and set precedents for other employers or agencies.  Insurers would need to balance compliance obligations with protecting enrollees’ privacy.

Recommended actions:

  • Monitor public comments and subsequent iterations of the proposal.
  • Seek legal guidance on whether disclosing claims data to OPM is permissible under HIPAA.
  • Advocate for privacy safeguards such as de‑identification, data minimization and clear use limitations.
  • Communicate with affected employees and retirees about the proposal’s implications and their rights.

Seventh Circuit applies BIPA damages limitation retroactively

What happened: On April 1 2026, the U.S. Court of Appeals for the Seventh Circuit ruled that the 2024 amendment to Illinois’ Biometric Information Privacy Act (BIPA)—which treats repeated collections of the same person’s biometric data as a single violation—applies retroactively.  The decision reduces potential damages in pending biometric privacy class actions by limiting plaintiffs to a single recovery per statutory subsection violated.

Why it matters: Businesses using biometric time clocks or patient‑identification systems in Illinois face lower financial exposure.  The ruling may influence how courts interpret similar state privacy amendments.

Recommended actions:

  • Audit biometric data practices and obtain informed consent for collections.
  • Update retention and destruction policies to align with BIPA and other state laws.
  • Monitor ongoing litigation for further clarification on damages calculations.
  • Integrate biometric safeguards into broader HIPAA risk analyses and vendor agreements.

Breach & Incident Notices

Signature Healthcare’s Brockton Hospital ransomware attack

What happened: On April 6 2026, a ransomware attack disrupted operations at Signature Healthcare’s Brockton Hospital in Massachusetts.  Ambulances were diverted and certain services, such as chemotherapy infusions, were postponed while staff reverted to manual processes.  On April 9, the Anubis ransomware group claimed responsibility and said it had exfiltrated 2 TB of sensitive data.  Investigations are ongoing to determine the extent of PHI exposure.

Why it matters: Ransomware caused significant care disruptions and may have exposed large volumes of patient data.  The attack demonstrates that even midsized hospitals remain attractive targets and underscores the importance of incident response planning and vendor oversight.

Recommended actions:

  • Drill incident‑response plans covering ambulance diversion, manual charting and communication protocols.
  • Harden network segmentation and patching to limit lateral movement by attackers.
  • Verify vendor responsibilities in BAAs regarding breach notification and ransom decisions.
  • Review cyber‑insurance policies for coverage of ransom payments, response costs and patient notifications.

Heart South Cardiovascular Group (Elliott C Dale, MD) breach

What happened: Heart South Cardiovascular Group, operating as Elliott C Dale, MD, disclosed on April 6 2026 that an unauthorized third party had accessed internal systems beginning November 11 2025.  The intrusion went undetected until February 12 2026, and data belonging to 46,666 individuals later appeared on the dark web.  The attacker’s identity remains unknown.

Why it matters: The breach highlights long dwell times and the growing trend of stolen healthcare data being monetized on underground forums.  Patients whose data appears on the dark web face heightened risk of identity theft and targeted scams.

Recommended actions:

  • Deploy continuous monitoring tools and dark‑web scanning services to detect stolen data early.
  • Implement attack‑surface management to identify misconfigurations and exposed assets.
  • Provide affected patients with clear guidance on monitoring accounts, enabling multi‑factor authentication and responding to phishing attempts.
  • Enhance logging and detection capabilities to shorten attackers’ dwell time.

Dutch EHR vendor ChipSoft ransomware attack

What happened: ChipSoft, a Dutch provider of the HiX electronic health record (EHR) platform used by approximately 80 % of hospitals in the Netherlands, suffered a ransomware attack on April 7 2026.  The attack forced parts of its infrastructure offline, and at least 11 hospitals disconnected from the platform as a precaution.  The Netherlands’ healthcare cybersecurity agency Z‑CERT confirmed the incident and is working with ChipSoft to assess the scope.  Reports indicate that connections to ChipSoft’s Zorgportaal, HiX Mobile and Zorgplatform services were disabled, and the vendor has not ruled out data exfiltration.

Why it matters: Though occurring overseas, this attack illustrates how the compromise of a single vendor can disrupt a national healthcare system.  Concentrated EHR vendors create single points of failure; a similar attack on a major U.S. vendor could cripple multiple hospitals simultaneously.

Recommended actions:

  • Assess reliance on third‑party vendors and diversify critical systems where possible.
  • Ensure vendors adhere to strong authentication, segmentation and incident‑response practices; revisit BAAs and contracts to include security requirements and breach‑notification clauses.
  • Test contingency plans for maintaining patient care if core platforms go offline (e.g., manual record‑keeping, alternative communication channels).
  • Strengthen backup and disaster‑recovery capabilities independent of any single vendor.

Closing Thoughts

This week’s developments reinforce several enduring themes:

Vendor risk dominates.  Breaches at Brockton Hospital and Heart South resulted from ransomware and unauthorized access, while the ChipSoft incident shows that a single vendor’s compromise can affect entire healthcare networks.  Continuous vendor assessment and diversified architecture are critical.

Policy landscape is evolving.  New Jersey’s data‑collection restrictions and the Seventh Circuit’s BIPA ruling signal expanding and shifting privacy obligations.  Compliance teams must track both federal and state laws and adapt their programs accordingly.

Data‑collection proposals raise privacy concerns. OPM’s claims‑data request illustrates the tension between oversight and privacy protection.  Stakeholders should engage early to ensure that any new reporting obligations include de‑identification and minimize risk of misuse.

Incident detection and response remain paramount.  Long dwell times and dark‑web data exposure in the Heart South breach highlight the need for continuous monitoring and rapid response.

Key takeaways

  • Conduct thorough risk analyses and update HIPAA policies in light of emerging state privacy laws and federal proposals.
  • Strengthen vendor management by requiring multi‑factor authentication, encryption and detailed breach‑notification clauses.
  • Enhance logging, threat detection and dark‑web monitoring to reduce attackers’ dwell time and identify compromised data sooner.
  • Educate workforce members on recognizing phishing attempts and reporting incidents promptly.
  • Monitor policy developments such as OPM’s data request and proposed regulations to ensure compliance and safeguard patient trust.

Let’s remain proactive and vigilant as we continue protecting patient data in an evolving threat landscape.  By addressing these issues, compliance teams can better safeguard information, reduce regulatory risk and build resilience against evolving threats.