
Good Morning Everyone,
This week’s newsletter highlights key developments that a healthcare compliance team should know. From escalating breach notifications and new cybersecurity vulnerabilities to major settlements and enforcement actions, the past seven days have provided important lessons for managing HIPAA and related privacy obligations. To help you digest the latest news, we’ve grouped updates into thematic sections below.
Industry Trends
Ransomware and hacking remain the primary cause of healthcare breaches
Recent reports show that almost all individuals affected by major HIPAA breaches in 2025 were victims of hacking or other IT incidents. This week’s headlines underline the trend: Highlands Oncology Group disclosed that the Medusa ransomware gang accessed its systems from January to June, ultimately affecting 113,575 patients. Mt. Baker Imaging and Northwest Radiologists announced that a network intrusion in January exposed sensitive data, including Social Security numbers and medical record numbers, for 348,118 Washington residents. Vendors and small practices were hit too—Mid Florida Primary Care (a family practice) discovered that an intruder accessed its network last year, compromising names, Social Security numbers and treatment information, while an email hack at Northwest Denture Center exposed personal and medical details for 12,209 patients. These examples illustrate that criminals often find the “unlocked back door” by targeting smaller entities or business associates.
Takeaway: treat vendor and small-practice security assessments as part of your own risk analysis and require documented controls.
Health‑care breaches remain costly and slow to detect
IBM’s latest “Cost of a Data Breach” report puts the average healthcare breach at $7.42 million, with roughly 279 days needed to identify and contain it. AI and automation can shorten detection times, but adversaries also use AI to craft convincing phishing emails and malware, so the advantage is not one‑sided.
Takeaway: invest in automated anomaly detection, but establish governance to manage AI responsibly.
Legal settlements underscore financial exposure
Lawsuits continue to result in significant payouts. HCA Healthcare’s settlement over a 2023 breach affecting 11.27 million patients is expected to exceed $9 million. East Carolina Health agreed to pay $250,000 after unauthorized access to electronic patient files. This week, Eisenhower Health settled a lawsuit over the Meta Pixel on its website: without admitting wrongdoing, the hospital will pay $875,000, remove the tracking code for two years and create a web‑governance committee to vet analytics tools before they are deployed.
Takeaway: web analytics and tracking scripts can disclose health information to the tracking vendor, because they typically send the page URL, button clicks and form interactions, which on a hospital site may reveal a condition, a clinician or an appointment request. Audit your websites and patient portals for third‑party code, update consent banners and adopt a governance process that reviews any new script before it goes live.
Breach and Incident Announcements
DermCare Management cyberattack
A February cyberattack on DermCare, a practice‑management company, compromised patient information—including Social Security numbers, medical data and insurance details—for multiple dermatology clinics across Florida and Arizona. The incident follows a series of other dermatology breaches, underscoring the exposure of specialist practices that share a common vendor. If your practice relies on a management company, ensure that the Business Associate Agreement mandates prompt breach notification and names specific security controls (multi‑factor authentication, encryption of PHI at rest and in transit, and retained access logs) rather than “reasonable security” in the abstract.
Mental‑health providers targeted
Eleos Wellness reported unauthorized network activity on June 11 that exposed names, addresses, Social Security numbers and insurance details. Colorado’s Clinica Family Health contained a March intrusion but has yet to determine whether data were exfiltrated. Think Big Health Care Solutions learned on June 20 that an employee email account containing names, Social Security numbers and bank account details had been accessed. Minnesota Epilepsy Group found that intruders accessed names, addresses, EEG summaries and insurance data in late February.
Takeaway: mental‑health data are highly sensitive. Require multi‑factor authentication (preferably phishing‑resistant) on email, keep Social Security numbers and bank details out of mailboxes by routing them through a secure portal, and segment networks so that a single compromised account or host does not expose every system.
Self Regional Healthcare breach investigation
Law firm Federman & Sherwood is investigating a network‑server breach at Self Regional Healthcare in South Carolina, reported to HHS on July 17 and affecting 26,696 individuals. The breach’s scope remains unknown, but the announcement signals that class‑action litigation may follow.
Takeaway: maintain up‑to‑date breach‑response documentation and be ready to offer credit monitoring and identity‑theft services.
Change Healthcare update
DataBreaches.net reports that Change Healthcare’s February 2024 ransomware incident may have impacted 192.7 million individuals; more than 99% of providers delegated notification duties to Change. Providers that opted out of the delegation only recently began notifying patients.
Takeaway: clearly delineate notification responsibilities in Business Associate Agreements and maintain your own list of potentially affected patients.
Ransomware via SharePoint vulnerabilities
Researchers at Palo Alto Networks identified a ransomware family called “4L4MD4R” being deployed through recently disclosed vulnerabilities in on‑premises Microsoft SharePoint servers; as part of the intrusion, the attackers used PowerShell scripts to disable Windows Defender.
Takeaway: apply security patches promptly, treating internet‑facing SharePoint servers as emergency changes, and monitor for PowerShell activity that tampers with Defender (for example Set-MpPreference calls that disable real‑time monitoring or add exclusions). That monitoring only works if PowerShell script‑block logging is enabled, so verify it is turned on before you rely on it.
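As an added example (not code from Palo Alto Networks or from the original report), the following Python scans PowerShell Script Block Logging events (Event ID 4104) for the Defender‑tampering commands described above, including commands hidden behind -EncodedCommand, which it decodes from UTF‑16LE base64 before matching. The event records, host and user names and field names are constructed for the demo; the rule list is a starting point for a hunt, not a complete signature set.

```python
"""Detect Defender-tampering PowerShell in Script Block Logging (Event ID 4104).

Added example, not code from Palo Alto Networks or the newsletter. It assumes
PowerShell Script Block Logging is on, so each script block's full text lands in
Microsoft-Windows-PowerShell/Operational as Event ID 4104. Event records, host
and user names below are constructed; the field names are this script's own.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Commands that disable, blind or remove Microsoft Defender. "high" is rarely
# legitimate outside a change window; "medium" (exclusions) is also done by
# admins, so reconcile those against change tickets rather than alerting blindly.
TAMPER_RULES = [
    ("defender_feature_disabled", "high",
     re.compile(r"Set-MpPreference\b[^\n;|]*-Disable\w+\s+(?:\$true|1)\b", re.I)),
    ("defender_exclusion_added", "medium",
     re.compile(r"(?:Add|Set)-MpPreference\b[^\n;|]*-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("defender_service_stopped", "high",
     re.compile(r"Stop-Service\b[^\n;|]*\bWinDefend\b|\bsc(?:\.exe)?\s+(?:stop|config|delete)\s+WinDefend\b", re.I)),
    ("defender_policy_registry", "high",
     re.compile(r"Windows Defender[^\n;|]*DisableAnti(?:Spyware|Virus)\b", re.I)),
    ("defender_feature_removed", "high",
     re.compile(r"Uninstall-WindowsFeature\b[^\n;|]*Windows-Defender\b", re.I)),
]

# -EncodedCommand and its common abbreviations (-e, -ec, -en, -enc) followed by a
# base64 blob; PowerShell decodes that blob as UTF-16LE, so we do the same.
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{24,})", re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    evidence: str
    from_encoded: bool   # True if the match came from a decoded -EncodedCommand


def decode_encoded_commands(text: str) -> list[str]:
    """Return the plaintext of every -EncodedCommand payload found in text."""
    decoded = []
    for blob in ENCODED_ARG.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64/UTF-16 after all; the plain-text rules still run
    return decoded


def analyze_script_block(text: str) -> list[Finding]:
    """Run the tamper rules over the script block and over any decoded payloads."""
    layers = [(text, False)] + [(d, True) for d in decode_encoded_commands(text)]
    findings = []
    for body, encoded in layers:
        for rule, severity, pattern in TAMPER_RULES:
            for m in pattern.finditer(body):
                findings.append(Finding(rule, severity, m.group(0).strip(), encoded))
    return findings


def scan_events(events) -> list[dict]:
    """Return one record per 4104 event that carries at least one finding."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        findings = analyze_script_block(ev["script_block"])
        if findings:
            hits.append({"host": ev["host"], "user": ev["user"], "findings": findings})
    return hits


# Constructed sample events; the fourth hides two Defender-disabling commands
# behind -enc, the way a loader script would.
_ENC_PAYLOAD = base64.b64encode(
    "Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableBehaviorMonitoring $true"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "EHR-WEB01", "user": "svc_backup",
     "script_block": "Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled"},
    {"event_id": 4104, "host": "SP-APP01", "user": "NT AUTHORITY\\SYSTEM",
     "script_block": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_id": 4104, "host": "SP-APP01", "user": "NT AUTHORITY\\SYSTEM",
     "script_block": "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\spool'"},
    {"event_id": 4104, "host": "SP-APP01", "user": "NT AUTHORITY\\SYSTEM",
     "script_block": f"powershell.exe -nop -w hidden -enc {_ENC_PAYLOAD}"},
    {"event_id": 4104, "host": "RAD-WS17", "user": "jdoe",
     "script_block": "Get-Service -Name WinDefend -ErrorAction SilentlyContinue"},
    {"event_id": 4104, "host": "SP-APP01", "user": "NT AUTHORITY\\SYSTEM",
     "script_block": "Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' "
                     "-Name DisableAntiSpyware -Value 1"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        for f in hit["findings"]:
            layer = "decoded -EncodedCommand" if f.from_encoded else "plain text"
            print(f"{hit['host']} {hit['user']} [{f.severity}] {f.rule} ({layer}): {f.evidence}")
```

Two of the six constructed events are benign (a status query and a Get-Service call) and produce no findings; the decoded layer is what catches the encoded loader, which is why Script Block Logging, and not just process command lines, is the data source worth collecting from SharePoint and other internet‑facing Windows servers.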
Regulatory and Policy Updates
Interoperability Framework launched
On Aug 1, CMS and the Office of the National Coordinator for Health IT unveiled a voluntary interoperability framework. More than 60 tech companies—including Amazon, Apple, Google and OpenAI—pledged to implement common data‑exchange standards for health‑information networks and electronic records. The initiative, part of the “Make Health Tech Great Again” plan, aims to let patients transfer records easily using QR codes and AI assistants. OCR warns that consumer apps not covered by HIPAA might have weaker privacy protections. Pros: improved data exchange and patient empowerment; AI may speed record retrieval. Cons: voluntary nature may lead to uneven adoption; non‑covered apps could misuse data.
Takeaway: vet any patient‑facing apps you plan to integrate and review vendor privacy policies.
Senate HELP Committee hearing
Lawmakers discussed the Health Care Cybersecurity and Resiliency Act of 2024, which would offer grants to providers hit by cyberattacks and encourage a unified federal privacy law. Witnesses cited challenges faced by rural hospitals and asked for flexibility in breach reporting. Pros: potential funding for defensive upgrades; streamlined national privacy rules. Cons: increased oversight and uncertain eligibility criteria.
Takeaway: monitor the bill’s progress, consider how grant funding could support your cybersecurity budget and prepare for possible new compliance mandates.
Enforcement Actions and Settlements
OCR vs. Deer Oaks Behavioral Health
After unauthorized disclosures due to a coding error and a ransomware attack, the Office for Civil Rights found that Deer Oaks failed to conduct an accurate risk analysis. The provider agreed to a $225,000 settlement and a corrective action plan requiring annual risk assessments and HIPAA training.
Lesson: think of risk analysis like a yearly car inspection—ignore a wobble and you may end up in a crash. Regular assessments help uncover vulnerabilities before attackers do.
East Carolina Health class action
EC Health agreed to a $250,000 settlement after students and clinicians accessed patient files without authorization between July 2022 and Jan 2024. Patients may claim reimbursement for expenses or receive a $100 cash payment; a final fairness hearing is scheduled for Sept 15, 2025.
Lesson: even inadvertent internal access can result in lawsuits; implement least‑privilege, role‑based access controls in teaching environments and review access audit logs for record views that have no treatment or training justification.
HCA Healthcare settlement
HCA Healthcare reached a settlement estimated at over $9 million after a 2023 breach exposed contact and appointment information for 11.27 million patients. Affected individuals can seek reimbursement for losses up to $5,000.
Lesson: large breaches carry large price tags; invest in encryption and strong access controls to reduce litigation risk.
Eisenhower Health Meta‑Pixel case
A class‑action lawsuit alleged that Eisenhower Health’s use of Meta Pixel and other tracking tools sent sensitive patient data to third parties. Without admitting fault, the hospital agreed to pay $875,000 and remove tracking scripts for two years.
Lesson: website analytics can be a hidden liability; audit your sites for third‑party code and implement consent notices.
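The website audit recommended here and in the Legal settlements section above is something a compliance team can start offline. The following Python is an added example (not code from Eisenhower Health, Meta or the original newsletter): it parses a saved copy of a page with the standard library only, lists every third‑party host that scripts, images or iframes load from, flags hosts that belong to well‑known tracking products (Meta Pixel, Google Tag Manager and a few others), and raises the risk when the page path looks like an appointment or patient‑portal flow. The tracker host list is a small starting set, the path hints are this script’s own heuristic, and the sample page (with a fake pixel ID of all zeros) is constructed for the demo.

```python
"""Audit a web page for third-party scripts and known tracking pixels.

Added example, not code from Eisenhower Health, Meta or the newsletter. Parses
saved HTML with the standard library only. The tracker list is a starting set,
the sensitive-path hints are this script's heuristic, and the sample page
(pixel ID 000000000000000) is constructed for the demo.
"""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel loader (fbevents.js)",
    "www.facebook.com": "Meta Pixel beacon (/tr)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
    "bat.bing.com": "Microsoft Advertising UET",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "analytics.tiktok.com": "TikTok Pixel",
}
INLINE_CALLS = re.compile(r"\b(fbq|gtag|ttq|uetq|_linkedin_partner_id)\b")
URL_IN_JS = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s'\"]*)?")
# Heuristic: paths where a tracker would see appointment or patient context.
SENSITIVE_PATH_HINTS = ("appointment", "schedul", "patient", "portal", "login", "find-a-doctor", "condition")


class TagCollector(HTMLParser):
    """Collect script/img/iframe sources and the bodies of inline <script> tags."""

    def __init__(self):
        super().__init__()
        self.sources = []        # (kind, url)
        self.inline_scripts = []
        self._buf = None         # list while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.sources.append(("script", a["src"]))
            else:
                self._buf = []
        elif tag in ("img", "iframe") and a.get("src"):
            self.sources.append((tag, a["src"]))

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_scripts.append("".join(self._buf))
            self._buf = None


def same_site(host: str, first_party: str) -> bool:
    """Treat subdomains of the page's own name as first party (heuristic, no public-suffix list)."""
    base = first_party[4:] if first_party.startswith("www.") else first_party
    return host == base or host.endswith("." + base)


def audit_page(page_url: str, html: str) -> dict:
    first_party = urlparse(page_url).hostname
    c = TagCollector()
    c.feed(html)
    refs = list(c.sources)
    for body in c.inline_scripts:   # pixel loaders are usually injected from inline JS
        refs += [("inline-js", u) for u in URL_IN_JS.findall(body)]
    third_party, trackers, seen = {}, [], set()
    for kind, url in refs:
        host = urlparse(urljoin(page_url, url)).hostname
        if not host or same_site(host, first_party):
            continue
        third_party.setdefault(host, set()).add(kind)
        if host in KNOWN_TRACKERS and host not in seen:
            seen.add(host)
            trackers.append({"host": host, "what": KNOWN_TRACKERS[host], "via": kind})
    calls = sorted({m for body in c.inline_scripts for m in INLINE_CALLS.findall(body)})
    path = urlparse(page_url).path.lower()
    sensitive = any(h in path for h in SENSITIVE_PATH_HINTS)
    risk = "high" if trackers and sensitive else "medium" if trackers else "low"
    return {"page": page_url, "sensitive_path": sensitive, "risk": risk,
            "third_party_hosts": {h: sorted(k) for h, k in third_party.items()},
            "known_trackers": trackers, "inline_tracker_calls": calls}


# Constructed sample: an appointment page carrying gtag.js plus an abridged Meta Pixel snippet.
SAMPLE_PAGE_URL = "https://www.hospital.example/appointments/schedule?dept=oncology"
SAMPLE_HTML = """<!doctype html><html><head><title>Schedule an appointment</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-XXXXXXX');</script>
<script>!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<script src="/assets/scheduler.js"></script>
<script src="https://static.hospital.example/vendor/jquery.min.js"></script>
</head><body><form action="/appointments/submit"></form></body></html>"""

if __name__ == "__main__":
    print(json.dumps(audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML), indent=2))
```

Run it against saved HTML from each page of a site crawl, not just the home page: the Pixel snippet is often added through a tag manager and ends up on scheduling, portal‑login and condition‑specific pages where the URL itself is the sensitive datum. Scripts a tag manager injects at runtime will not appear in static HTML, so pair this check with a browser‑side review of network requests.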
Emerging Threats and Best Practices
Secure email and cloud accounts: Many breaches start with compromised email accounts. Implement multi‑factor authentication, restrict sensitive PHI in email and use data‑loss prevention tools.
Patch promptly: campaigns like the 4L4MD4R ransomware attacks on unpatched SharePoint servers show how quickly a public vulnerability becomes an intrusion. Maintain an up‑to‑date vulnerability management process and an inventory of internet‑facing systems so you know what needs an emergency patch.
Test your incident‑response plan: Delayed notifications increase liability. Conduct tabletop exercises, keep contact information for OCR and law enforcement current, and prepare template notification letters.
Strengthen vendor management: Breaches at business associates, like DermCare, highlight the need for robust contracts and monitoring. Require vendors to carry cyber insurance, undergo audits and report incidents quickly.
Final Thoughts
This week’s developments reinforce that cybersecurity is a continuous process, not a one‑time project. Ransomware gangs are relentless, regulators expect thorough risk assessments and business associates remain a weak link. At the same time, policy efforts such as the new interoperability framework aim to make it easier to share data, requiring careful scrutiny of non‑HIPAA‑covered apps.
Key takeaways: prioritize risk analyses and patch management; vet your vendors and web‑tracking scripts; implement multi‑factor authentication and AI‑driven monitoring with strong governance; document breach responses; and watch for new legislation that could reshape privacy obligations. Continuous vigilance—like regularly checking the locks and alarm system on your home—remains your best defense against regulatory penalties and cyber threats.