
Privacy & Legal Updates
Stakeholders urge HHS to withdraw proposed HIPAA Security Rule
More than 100 healthcare organizations – including the College of Healthcare Information Management Executives (CHIME), the American Medical Association and leading hospital systems – sent a Dec 8 letter to U.S. Health & Human Services (HHS) Secretary Robert F. Kennedy Jr. asking that the agency withdraw its proposed HIPAA Security Rule update. The group said the proposal fails to accommodate the technological complexity of modern healthcare delivery, imposes “one‑size‑fits‑all” cybersecurity requirements and carries unreasonable implementation timelines and substantial costs. They emphasized support for strengthening HIPAA cybersecurity but argued that the current proposal could divert resources from patient care and even force rural and smaller providers to close. The letter urges HHS to work collaboratively with regulated entities to develop flexible, risk‑based standards.
Why it matters – If adopted without revision, the proposed rule could require major investments in technology, training and auditing that many smaller providers might not be able to afford. The call for withdrawal signals that covered entities want practical, risk‑based security requirements rather than prescriptive checklists.
Action items – Compliance teams should monitor HHS’s response and prepare to participate in any collaborative policy development. Begin assessing current controls against frameworks such as NIST CSF and HHS 405(d), and document cybersecurity gaps that may become relevant under a future rule.
HHS signals stepped‑up information‑blocking enforcement
In a Dec 13 interview, attorney Nan Halstead of Reed Smith noted that the Department of Health and Human Services is preparing to actively enforce the information‑blocking provisions of the 21st Century Cures Act. Halstead said regulators have taken years to define enforcement pathways and that the first wave of actions will likely target practices that delay or obstruct patient access to electronic health information. Many providers, health‑IT developers and networks may unknowingly engage in information‑blocking by creating delays, unnecessary fees or technical barriers. Halstead advised organizations to align data‑sharing practices with regulatory exceptions and to maintain thorough documentation.
Why it matters – Information‑blocking rules apply to healthcare providers, health information networks and certified EHR developers. With enforcement on the horizon, routine decisions – such as delaying release of records or refusing to exchange data with unaffiliated providers – could draw penalties if they do not fit specific exceptions. Halstead’s comments highlight the need for proactive readiness.
Action items – Review existing policies for handling patient record requests and data sharing. Train staff to identify information‑blocking risks and document the rationale for any denials. Ensure that privacy and security teams coordinate with legal and compliance to apply narrow regulatory exceptions appropriately.
Breach & Incident Notices
Revere Health breach (Utah)
Revere Health, Utah’s largest independent multispecialty physician group, disclosed that an unauthorized third party accessed a third‑party payment platform on August 11, 2025. The system contained names, dates of birth, addresses, medical record numbers, insurance details, partial Social Security numbers and, for some patients, financial account information. Up to 10,800 patients may have been affected. Revere Health said it worked with the payment vendor to secure the system and offered complimentary credit monitoring and identity‑theft protection to impacted individuals.
Why it matters – Breaches at third‑party vendors remain a major threat. Even though Revere Health did not find evidence of misuse, compromised data could be leveraged for identity theft or fraud. Vendor due‑diligence and contract provisions requiring robust security controls are essential.
Action items – Review contracts with payment processors and other vendors to ensure they are required to maintain HIPAA‑compliant security controls and to notify your organization promptly of incidents. Perform risk assessments on systems handling billing or financial data and consider tokenization to reduce exposure.
Health Management Systems of America (HMSA) email breach (Michigan)
Detroit‑based Health Management Systems of America (HMSA) discovered that an employee’s email account was compromised after the employee responded to a spear‑phishing message. The unauthorized party accessed the account and downloaded certain emails; the breach went undetected from December 9, 2024, until it was uncovered a year later. HMSA engaged a digital‑forensics firm, but the types of data involved and the number of affected individuals are still being determined.
Why it matters – Extended email compromises can expose large volumes of protected health information (PHI), financial details and communications. Spear‑phishing remains a leading method for gaining initial access to healthcare systems. A year‑long breach underscores the need for continuous monitoring and rapid incident response.
Action items – Implement multifactor authentication (MFA) on all email accounts, deploy advanced spam‑filtering and anomaly detection, and conduct regular phishing‑awareness training. Ensure that email logs and access audits are reviewed consistently so that suspicious activity is detected quickly.
MedStar Health data incident (Maryland)
MedStar Health notified patients on December 3, 2025, that it had discovered unauthorized access to its systems. Investigators found that between September 12 and 16, 2025, an outside party gained access to systems containing patient information. Compromised files included names, dates of birth, Social Security numbers and potentially diagnosis, medication, test result and treatment details. MedStar mailed notification letters and is offering complimentary identity‑monitoring services to individuals whose Social Security or driver’s license numbers were involved.
Why it matters – This incident demonstrates how cyberattacks can remain undetected for weeks and involve highly sensitive clinical data. The inclusion of diagnostic and treatment information increases the risk of medical identity theft and could trigger HIPAA right‑of‑access issues if records become inaccessible.
Action items – Ensure that intrusion‑detection systems cover both clinical and administrative networks, and that alerts are triaged promptly. Provide clear guidance to patients about monitoring their credit and healthcare bills for suspicious activity, and ensure call centers are prepared to answer questions.
North Atlantic States Carpenters Health Benefits Fund & Millcreek Pediatrics
North Atlantic States Carpenters Health Benefits Fund (NASCBF) disclosed that on August 18, 2025, it detected suspicious network activity. Investigation revealed unauthorized access or acquisition of files containing sensitive member data, including names, dates of birth, Social Security numbers, financial account information, login credentials, tax information, military IDs, diagnoses, medical histories and other personal identifiers. The breach was reported to the Office for Civil Rights (OCR) with a placeholder of 501 individuals, but the actual number may be higher when file review concludes.
Millcreek Pediatrics reported that unauthorized network access occurred between February 17 and 25, 2025, affecting 14,095 individuals. Compromised data included full names, birth dates, medical record numbers, patient IDs, driver’s license numbers, dates of service, insurance claims and clinical/treatment information. Some individuals also had Social Security numbers exposed. Notification letters were sent starting November 21, 2025, and credit‑monitoring services were offered to those with SSNs involved.
Why it matters – These breaches highlight the breadth of information that can be compromised—from financial and military IDs to clinical notes. NASCBF’s data includes particularly sensitive categories such as tax information and biometric identifiers, amplifying the potential harm. The Millcreek incident shows that pediatric practices are also at risk and must protect minors’ records.
Action items – Conduct vendor‑risk assessments and ensure that employee credentialing and access controls are appropriate for sensitive funds data. For pediatric providers, review policies regarding parental access and ensure that minors’ data is encrypted at rest and in transit.
Davies, McFarland & Carroll; Awakenings Center; Adventist HealthCare
Davies, McFarland & Carroll (DMC) experienced a network intrusion between May 19 and May 22, 2025. The breach exposed sensitive data of 54,712 individuals and may have involved files viewed or acquired by an unauthorized actor. Notifications began November 24, 2025, and affected individuals were offered single‑bureau credit monitoring and credit‑report services for 12 months.
Awakenings Center (Loving and Living Center) discovered unauthorized access to its electronic medical record system around September 10, 2025, potentially affecting up to 17,800 patients. Exposed data included name, age, date of birth, gender, relationship and employment status, city and zip code. No financial information was involved, and the center said it is improving security controls.
Adventist HealthCare reported that on or around November 13, 2025, it discovered that paper records containing patient names, health records and treatment information were missing. The breach affected about 1,300 patients, and the organization released few details beyond the loss of the paper documents.
Why it matters – Business associates such as law firms are prime targets because they handle large volumes of PHI without necessarily maintaining healthcare‑grade security controls. Unauthorized access to therapy records, as at Awakenings Center, could expose sensitive personal details. Even paper records pose risks when physical security lapses occur.
Action items – Verify that business associates have adequate security programs and that contracts permit audits and require timely breach notification. Therapy practices should review access controls on EMR systems and encrypt sensitive fields where possible. Organizations handling paper records must maintain secure storage, implement chain‑of‑custody procedures and train staff on physical security.
Cybersecurity Alerts & Trends
Oracle E‑Business Suite zero‑day exploited by Cl0p ransomware
Barts Health NHS Trust in the United Kingdom disclosed that the Cl0p ransomware gang exploited a zero‑day vulnerability (CVE‑2025‑61882) in Oracle E‑Business Suite (EBS) to access one of its databases. Attackers stole financial and administrative files, including invoices containing patient names, addresses and payment details, along with data about former employees and accounting records. The breach occurred in August 2025 but was only discovered after Cl0p published the files on its dark‑web leak site in November. While Barts said core clinical systems were unaffected, the incident shows how attackers target back‑office systems to obtain sensitive information.
Why it matters – Although this incident occurred in the UK, the Oracle EBS zero‑day is used globally, and U.S. healthcare organizations running Oracle ERP could be targeted. Ransomware groups continue to exploit enterprise software flaws rather than encrypting front‑facing clinical systems. The breach underscores the need to patch quickly and segment financial systems from patient‑care networks.
Action items – Identify whether your organization uses Oracle E‑Business Suite and ensure that CVE‑2025‑61882 has been patched. Segment ERP systems from clinical networks and monitor for unusual access to invoice or accounting databases. Update incident‑response playbooks to include extortion‑only attacks where data is stolen but systems are not encrypted.
Critical authentication‑bypass vulnerability in Cal.com scheduling platform
Researchers disclosed a critical authentication‑bypass flaw (CVE‑2025‑66489) in Cal.com, an open‑source scheduling platform used by many healthcare providers. In vulnerable versions, attackers could bypass password and time‑based one‑time password (TOTP) checks by submitting any non‑empty TOTP value, allowing them to log in as any user. The vulnerability affected versions up to 5.9.7 and was patched in version 5.9.8.
Why it matters – Scheduling tools often integrate with electronic health record (EHR) systems and patient portals. An unauthenticated login could expose appointment schedules, patient details and potentially enable lateral movement into EHR systems. Healthcare entities using Cal.com must update promptly.
Action items – Identify any instances of Cal.com in use internally or by third‑party vendors. Upgrade to version 5.9.8 or later and review logs for signs of unauthorized access. Consider implementing additional monitoring and MFA even after patching.
Email compromises remain a top vector for healthcare breaches
Paubox’s State of Healthcare Email Security report highlights that more than 150 email‑related breaches were reported to HHS in 2025, affecting nearly 2.2 million individuals. The largest incident involved United Seating & Mobility and impacted almost 500,000 people. Between January 2024 and January 2025, 180 healthcare organizations reported email‑related breaches, and the first half of 2025 alone saw 107 incidents affecting more than 1.6 million people.
These statistics illustrate that phishing and email account compromises remain a leading cause of HIPAA reportable breaches. Attackers often access inboxes containing PHI or use compromised accounts for business‑email compromise scams.
Action items – Implement strong spam filters and domain‑based message authentication (DMARC). Require MFA for all email accounts and provide ongoing phishing‑awareness training. Restrict email forwarding rules and regularly audit mailbox permissions.
Closing Thoughts
The past week underscores that healthcare data breaches continue to arise from both external attacks and internal weaknesses. Provider organizations and business associates reported incidents involving compromised payment platforms, spear‑phished email accounts, legacy EMR systems and even lost paper records. Attackers are also exploiting zero‑day vulnerabilities in widely used enterprise software and third‑party tools.
Several trends emerge:
- Vendor and third‑party risk is a recurring theme. Breaches at payment processors, law firms and scheduling platforms demonstrate that covered entities must extend their security programs beyond internal networks. Contracts should require vendors to maintain strong security controls and provide prompt breach notification.
- Phishing and email compromise remain major entry points. The statistics on email‑related breaches and the year‑long HMSA email intrusion show the importance of MFA and ongoing staff training.
- Regulatory scrutiny is increasing. The pushback against the proposed HIPAA Security Rule illustrates that policymakers and industry groups are debating how to balance cybersecurity requirements with practicality. Meanwhile, HHS is preparing to enforce information‑blocking rules. Compliance teams must stay current on evolving requirements and be ready to adjust policies.
- Zero‑day exploitation and supply‑chain attacks are rising. The Oracle EBS and Cal.com vulnerabilities show that attackers target weaknesses in widely deployed platforms. Patch management and network segmentation are critical to limit exposure.
For compliance professionals, now is the time to:
- Conduct a holistic risk assessment that includes vendors, email systems and back‑office software.
- Review incident response plans to ensure they cover data‑exfiltration events (without encryption) and loss of paper records.
- Strengthen employee training on phishing, data handling and physical security.
- Stay engaged with HHS rulemaking and be prepared to participate in collaborative efforts to modernize the HIPAA Security Rule.
By proactively addressing these areas, organizations can reduce the likelihood of breaches and demonstrate due diligence to regulators and patients.