Hale Insights - August 15, 2025

August 18, 2025

Good Morning Everyone,

This week’s newsletter highlights several new data breach announcements, updated federal guidance and an interesting regulatory misrepresentation issue affecting crisis pregnancy centers. Each item underscores why HIPAA compliance isn’t just a regulatory box‑check but a constant commitment to safeguarding patient trust.

Industry Trends

Oracle Health/Cerner breach: numbers climb and warnings issued

Oracle Health (formerly Cerner) is still assessing the damage from the hacking incident disclosed earlier this year. Based on breach notifications from several states, at least 14,485 individuals have been confirmed as affected (6,562 in Massachusetts, 4,082 in Texas, 2,989 in South Carolina, 802 in Washington and an unknown number in California). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security alert noting that attackers stole credentials such as usernames, passwords, authentication tokens and encryption keys. CISA warns that these "keys" could be misused like a burglar using a copied house key: once inside, attackers can move laterally through networks and embed themselves in automation tools. Recommended mitigations include resetting passwords across enterprise servers, searching code for embedded credentials and deploying phishing‑resistant multi‑factor authentication.

New breach announcements highlight third‑party and email risks

Doctors’ Memorial Hospital (Florida) – The hospital learned that Nationwide Recovery Service’s network was breached between July 5 and July 11, 2024, but wasn’t informed until February 7, 2025. Stolen files included names, dates of birth, Social Security numbers and medical information; more than 543,000 individuals may ultimately be affected.

Sabine County Hospital (Texas) – An employee’s email account was compromised on February 12, 2025, exposing clinical data, insurance information and payment details for an unknown number of patients. The attackers’ goal was a fake invoice payment – a reminder that phishing attempts are becoming more sophisticated.

Compass Counseling Services (Florida) – A November 2024 intrusion into the counseling service’s systems exposed a wide variety of data, from Social Security numbers and account credentials to medical histories.  The organization is reviewing internal controls to strengthen privacy.

Precision Endodontics (North Carolina) – A June 2025 email compromise allowed phishing messages to be sent from a practice account.  Only names and email addresses were exposed, but the incident emphasizes the importance of email hygiene.

Langdon & Company cyberattack (North Carolina) – The accounting firm, a business associate of Easterseals, detected unauthorized network access from April 21‑28, 2024. After a year‑long review, 46,061 individuals were notified in August 2025. Exfiltrated data may include addresses, birthdates, tax IDs, Social Security numbers, financial data and medical information. The firm is offering credit monitoring and promises to destroy unnecessary information.

Michigan Medicine mailing error – A research study mailing on June 27, 2025 used postcards instead of sealed envelopes, inadvertently exposing protected health information. Although only 1,015 patients were affected, the incident underscores the need for privacy reviews in seemingly benign processes.

Regional medical practice breaches – Integrated Orthopedics of Arizona reported that hackers accessed its email system around April 7, 2025; stolen data included medical record numbers, diagnosis and treatment information and, for a subset, Social Security numbers. Glens Falls Hospital in New York confirmed that legacy servers, used by Oracle Health/Cerner, exposed patient records with names, Social Security numbers and test results. South Coast Pediatrics (California) notified 7,000 patients of a June 2025 cyberattack that compromised names, medical record numbers and treatment codes. All three providers are offering credit monitoring and strengthening security controls.

Regulatory Updates

New HIPAA Privacy Rule guidance on value‑based care

On August 12, 2025 the Office for Civil Rights (OCR) published updated FAQs. The new guidance clarifies that the HIPAA Privacy Rule allows disclosures of protected health information (PHI) to participants in value‑based care arrangements (such as accountable care organizations) for treatment purposes. The FAQs emphasize that when PHI is shared among organizations coordinating care, it counts as treatment, so normal patient‑authorization requirements do not apply. OCR also updated an FAQ on the types of personal health information patients can request.

Misleading HIPAA claims by crisis pregnancy centers (CPCs)

A joint effort by the Campaign for Accountability and the Electronic Frontier Foundation has pressured CPCs to stop claiming they are bound by HIPAA.  Most CPCs are not licensed providers and therefore are not regulated by HIPAA, yet many websites displayed “notice of privacy practices” implying HIPAA compliance.  Investigators filed complaints with several states; of 21 centers flagged in their complaints, six removed HIPAA references entirely and one partially corrected its messaging.  Advocates warn that suggesting HIPAA protections when none exist is a deceptive business practice.

Legal & Enforcement Actions

Oracle Health lawsuit and mitigation guidance

While the full scope of the Oracle/Cerner breach remains unknown, at least one class‑action lawsuit alleges Oracle failed to secure legacy servers, leading to the theft of names, Social Security numbers, test results and other PHI.  Oracle maintains that only obsolete servers were compromised and that its Oracle Cloud environment was unaffected.  CISA’s alert recommends organizations change passwords, remove hard‑coded credentials from code/templates and implement multi‑factor authentication.
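The CISA mitigation repeated in the Oracle Health item above and in this section, searching code and automation templates for embedded credentials, is a check that can be scripted and run in CI before a compromised server or repository turns into a credential leak. What follows is an added example, not code from CISA, Oracle or this newsletter: a small Python scanner whose regexes and placeholder rules are assumptions to tune per code base, run over a constructed template snippet in which every value is fake.

```python
import re
from dataclasses import dataclass

# Regexes for credential material commonly embedded in code, configuration and
# automation templates. These are assumptions for the example; extend per code base.
PATTERNS = {
    "password_assignment": re.compile(r"(?i)(pass(word)?|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_with_credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Template placeholders (${VAR}, <value>, CHANGEME) are acceptable; literal values are not.
PLACEHOLDER = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|CHANGEME")

@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # offending line with the secret masked, safe to put in a ticket or log

def scan_text(text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit, skipping template placeholders."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # The innermost capture group is the secret value; otherwise the whole match.
            secret = m.group(m.lastindex) if m.lastindex else m.group(0)
            if PLACEHOLDER.fullmatch(secret):
                continue
            findings.append(Finding(line_no, kind, line.replace(secret, "<redacted>")))
    return findings

# Constructed sample of a deployment template; none of these values are real.
SAMPLE_TEMPLATE = """\
# app deployment template
db_host = "db.internal.example"
db_password = "Wint3r-2025!"
admin_password = "${ADMIN_PASSWORD}"
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.ZmFrZXNpZ25hdHVyZQ
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
smtp_url = "smtps://mailer:s3cr3t@smtp.example.org"
-----BEGIN RSA PRIVATE KEY-----
"""

def scan_sample() -> list[Finding]:
    return scan_text(SAMPLE_TEMPLATE)

if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.kind}: {f.redacted}")
```

Findings report only the redacted line, so the scanner's own output does not become a second copy of the secret; a hit on a real repository should trigger rotation of that credential, not just its removal from the file.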

No new OCR penalties this week

Unlike prior weeks, OCR did not announce any new fines or settlements during this period, though its July 2025 settlement with Syracuse ASC still serves as a cautionary tale. In that case, failure to conduct a thorough risk analysis and delays in notifying patients after a ransomware attack led to a $250,000 settlement and a corrective action plan requiring regular risk analyses and workforce training.

Closing Thoughts

Recent events show how cyberattacks on vendors (Oracle) or service providers (Nationwide Recovery Service, Langdon & Company) can cascade into large‑scale healthcare breaches.  Even routine administrative actions like mailing research postcards can expose PHI if not reviewed for privacy compliance.  Regulators are simultaneously clarifying HIPAA’s flexibility—such as endorsing PHI sharing for value‑based care—while warning against entities falsely cloaking themselves under HIPAA’s protections.

Key takeaways:

Identify and control third‑party risk: Many of this week’s breaches originated with business associates or vendors.  Covered entities should ensure that service providers adhere to robust security practices and should have breach‑notification obligations clearly defined.

Secure email and watch for phishing: Several incidents stemmed from compromised email accounts.  Enforce multi‑factor authentication, conduct phishing‑awareness training and monitor for suspicious email activity.

Review data‑handling workflows: Seemingly simple tasks, like sending postcards, can inadvertently expose PHI.  Apply a privacy lens to all communications and ensure employees know when PHI must be protected.

Be transparent and accurate about HIPAA status: Organizations not covered by HIPAA should avoid implying that HIPAA protections apply.  Misrepresentation can mislead patients and invite regulatory scrutiny.

Stay current with guidance: OCR’s new FAQ clarifies that PHI sharing within value‑based care networks counts as treatment.  Keep up to date with guidance to ensure disclosures are compliant.

Let’s remain proactive and vigilant as we continue protecting patient data in an evolving threat landscape.
