
This week brought a clear reminder: HIPAA compliance and cybersecurity risk remain firmly in regulators’ crosshairs.
Covered entities face a February 16 deadline to update Notices of Privacy Practices for 42 CFR Part 2 alignment. HHS has increased civil monetary penalties for HIPAA violations. Meanwhile, multiple large vendor-related breaches and class action settlements underscore the continued exposure tied to business associates and third-party platforms.
At the same time, CISA is warning of actively exploited vulnerabilities, reinforcing the need for disciplined patch management and supply chain oversight.
Below is a concise briefing on the most significant developments — and the practical actions compliance and security leaders should be considering now.
🏛️ Regulatory & Legal Updates
Updated Notice of Privacy Practices deadline
What Happened – Health‑care organizations must update their HIPAA Notice of Privacy Practices (NPP) by Feb 16 2026 to reflect 2024 amendments that align substance‑use disorder records regulated under 42 CFR Part 2 with the HIPAA Privacy Rule. Law firm posts remind covered entities that the revised NPP must describe how uses or disclosures of Part 2 records are limited, explain that records may be subject to redisclosure once released under the NPP, and state that Part 2 records cannot be used in civil or criminal proceedings without written consent or a court order. HHS has not provided model language, so organizations need to work with counsel to draft updated notices. Because Feb 16 is a U.S. federal holiday, employers without websites should distribute revised notices by Feb 12 2026.
Why It Matters – Failure to update NPPs exposes covered entities to OCR enforcement actions. The amendments also clarify that Part 2 records may be disclosed for treatment, payment and healthcare operations under a single consent, but patients retain enhanced protections—including prohibitions on court use without consent.
Recommended Actions
- Review current NPPs and identify where additional language is required to explain how Part 2 records are handled.
- Coordinate with legal counsel; model language is not available, so tailor the notice to your organization’s workflows and ensure distribution/posting procedures meet the Feb 16 deadline.
- Educate front‑line staff about the new consent rules for Part 2 records and ensure marketing/fundraising communications include an opt‑out option when they involve Part 2 data.
HIPAA civil monetary penalties adjusted for inflation
What Happened – The Department of Health and Human Services (HHS) updated civil monetary penalties for HIPAA administrative simplification violations effective Jan 28 2026. Aon’s Weekly Health Compliance Briefing lists the indexed penalty ranges: Tier 1 (lack of knowledge) minimum $145 and maximum $73,011 per violation; Tier 2 (reasonable cause) minimum $1,461 and maximum $73,011; Tier 3 (willful neglect corrected within 30 days) minimum $14,602 and maximum $73,011; and Tier 4 (willful neglect not corrected) minimum $73,011 with a $2,190,294 annual cap. Penalties also increased for Medicare Secondary Payer violations and summary of benefits and coverage failures.
Why It Matters – OCR uses these indexed amounts when assessing fines for HIPAA violations. Increased penalties underscore the need to maintain robust privacy and security programs, promptly investigate incidents, and document corrective actions.
Recommended Actions
- Update risk assessments and incident response plans to consider the higher potential fines.
- Ensure workforce training emphasizes timely breach reporting and documentation to mitigate willful‑neglect penalties.
- Review Medicare Secondary Payer and summary of benefits and coverage obligations if administering employee health plans.
🔔 Breach & Incident Notices
Texas Attorney General probes Conduent/BCBS Texas breach
What Happened – Texas Attorney General Ken Paxton opened an investigation into Blue Cross and Blue Shield of Texas (BCBSTX) and its vendor Conduent over a data breach that occurred between Oct 21 2024 and Jan 13 2025. The breach potentially exposed names, birthdates, addresses, Social Security numbers and medical/insurance information of roughly 4 million Texans, making it one of the largest healthcare breaches. Paxton’s office is demanding documentation showing the companies’ security measures and compliance; BCBSTX noted that its own systems were not breached but acknowledged that members were affected through Conduent. Conduent said it took immediate action, notified affected individuals and engaged cybersecurity experts.
Why It Matters – The investigation reinforces heightened regulatory scrutiny of third‑party breaches and could lead to penalties if inadequate safeguards are found. It highlights the importance of auditing vendors and ensuring data‑processing agreements clearly allocate security responsibilities.
Recommended Actions
- Inventory all third‑party vendors handling PHI, verify that they use appropriate technical and organizational measures, and document due diligence.
- Ensure business‑associate agreements require timely breach notification and cooperation with investigations.
- Review incident response playbooks to handle vendor breaches and coordinate communications with regulators.
McLaren Health settles class action over dual ransomware attacks
What Happened – Michigan‑based McLaren Health Care agreed to a $14 million settlement for a class action lawsuit related to two ransomware attacks in August 2023 and July 2024. The first attack, claimed by the ALPHV/BlackCat group, compromised six terabytes of data and affected 2.5 million individuals; the second attack, claimed by Inc Ransom, impacted more than 740,000 individuals. Under the settlement, class members can claim reimbursement for documented losses up to $5,000, receive pro‑rata cash payments and obtain one year of credit monitoring. McLaren will also enhance its security program; the final approval hearing is scheduled for April 21 2026.
Why It Matters – The settlement underscores the financial and reputational costs of ransomware incidents and reminds organizations that class actions may follow breaches, even when attackers are external criminals. Settlements often include commitments to improve security controls.
Recommended Actions
- Conduct tabletop exercises addressing ransomware response and ensure downtime procedures are tested.
- Evaluate cyber insurance coverage for class action defense, credit monitoring and indemnification costs.
- Document security improvements made post‑incident; settlements often require evidence of ongoing compliance.
Practice‑management vendor breaches: ApolloMD, MedRevenu, EyeCare Partners
What Happened –
ApolloMD – The Department of Health and Human Services’ breach portal was updated on Feb 11 to show that 626,540 patients were affected by a May 22–23 2025 cyberattack on Georgia‑based practice‑management company ApolloMD. Hackers accessed files containing names, addresses, dates of birth, provider names, dates of service, diagnoses, treatment details and health insurance information; some Social Security numbers were also exposed. ApolloMD notified affected individuals in September 2025 and offered credit monitoring. The Qilin ransomware gang claimed responsibility.
MedRevenu Inland Physicians Hospitalist Services – California vendor MedRevenu disclosed an incident that occurred Dec 12 2024 when unauthorized access to its network exposed files containing names, dates of birth, Social Security numbers, driver’s license numbers, health insurance details, medical information and payment card data. The BianLian ransomware group claimed the attack; the number of affected individuals is not yet publicly known. MedRevenu is providing 12 months of credit monitoring.
EyeCare Partners – EyeCare Partners discovered in January 2025 that a threat actor accessed multiple email accounts from Dec 3 2024 through Jan 28 2025, potentially exposing names, contact information, dates of birth, Social Security numbers, driver’s license numbers, health plan information and limited clinical data. The incident, which affected 17,110 individuals, was reported to state attorneys general in February 2026; affected patients are being offered 24 months of credit monitoring.
Why It Matters – These incidents show the continued vulnerability of healthcare vendors and service providers. Breaches at business associates can expose large volumes of PHI and trigger multi‑state reporting obligations.
Recommended Actions
- Conduct due diligence on practice‑management and billing vendors; require them to maintain strong security programs and provide timely breach notifications.
- Ensure vendor contracts specify credit monitoring duration commensurate with the risk (e.g., at least 24 months for Social Security numbers).
- Implement multi‑factor authentication and enhanced email security across all accounts, including vendor‑managed systems.
Sermo (WorldOne) ransomware incident revealed after long investigation
What Happened – Healthcare professional community Sermo (WorldOne Inc.) notified state attorneys general in February 2026 that sensitive data was compromised during a March 19 – April 10 2024 ransomware attack. A power outage at a Danish data center was later tied to the attack. The Black Basta group initially claimed responsibility, and the Medusa ransomware gang later posted stolen files online. Investigators confirmed that names and Social Security numbers of 2,674 U.S. individuals were exposed, including 67 Massachusetts residents and nine New Hampshire residents. Consumers were finally notified on Feb 9 2026.
Why It Matters – The year‑long investigation demonstrates how vendor incidents can take months to uncover fully. Delayed notifications increase exposure to identity theft and regulatory penalties.
Recommended Actions
- Evaluate incident response agreements with data center and cloud providers to ensure timely detection and disclosure.
- Monitor dark‑web leak sites for evidence of vendor breaches and require third parties to communicate proactively.
- Provide extended credit monitoring for individuals whose Social Security numbers were compromised.
- Revisit all Business Associate Agreements (BAAs) to require notification within 30 days of breach discovery — regardless of investigation status — and prohibit vendors from delaying notice pending forensic review or law enforcement coordination unless legally required.
Local breach spotlight: Munson Healthcare impacted by Cerner (Oracle Health) breach
What Happened – Traverse City‑based Munson Healthcare informed 120,000 patients that their data may have been compromised in a breach involving electronic‑health‑record vendor Cerner (now Oracle Health). Cerner detected the unauthorized access in January 2025 but law‑enforcement requests delayed notification. The breach exposed names, Social Security numbers and medical record information including diagnoses, medications and test results. Michigan Attorney General Dana Nessel criticized the year‑long delay and urged stronger state laws requiring prompt disclosure.
Why It Matters – This incident underscores the privacy risks inherent in electronic health record vendors and highlights the importance of transparency when breaches occur. The attorney general’s call for legislation may lead to stricter state breach‑notification requirements.
Recommended Actions
- Review breach‑notification timelines in vendor contracts and state laws; advocate for prompt disclosure to regulators and patients.
- Audit EHR vendors’ security controls and incident response procedures.
- Offer credit monitoring and identity theft protection to affected individuals; communicate clearly about data types exposed and recommended steps to protect themselves.
Class‑action settlements announced
Northeast Rehabilitation Hospital Network (NRHN) settlement – Following a May 2024 Hunters International ransomware attack, NRHN agreed to a settlement providing up to $5,000 reimbursement for losses or a $75 cash payment per claimant. Approximately 148,515 individuals were affected, including detailed PHI of 136,724 patients. Claims must be submitted by Feb 17 2026, with a final fairness hearing on Mar 2 2026.
American Addiction Centers (AAC) settlement – A September 2024 Rhysida ransomware attack exposed data for 423,065 individuals. AAC denies wrongdoing but established a $2.75 million fund offering two years of credit monitoring, reimbursement up to $5,000 or pro‑rata cash estimated at $50. Claim deadline: Mar 23 2026; opt‑out deadline: Mar 6 2026; final hearing: Apr 20 2026.
Duly Health and Care (Midwest Physician Administrative Services) pixel settlement – Duly installed the Meta Pixel on its website, allegedly transmitting sensitive data without patient consent. Duly denies wrongdoing but agreed to a $1.88 million settlement fund; users who logged into the website between July 24 2020 and April 10 2023 are eligible. Opt‑out deadline: Mar 2 2026; final hearing: Apr 7 2026.
Gryphon Healthcare settlement – Medical billing company Gryphon Healthcare agreed to a $2.8 million settlement for a July 2024 breach. Affected individuals can claim reimbursement up to $5,000 for out‑of‑pocket losses or a $100 cash payment, plus two years of identity theft protection. Claim deadline: Apr 16 2026; exclusion/objection deadline: Mar 17 2026; final hearing: Aug 31 2026.
Centrelake Medical Group & Des Moines Orthopaedic Surgeons settlements – New settlements announced Feb 16: California imaging provider Centrelake Medical Group agreed to pay attorneys’ fees and expenses and provide two years of medical and credit monitoring for a February 2019 ransomware attack affecting 197,661 patients. Claims for ordinary losses are capped at $500 and extraordinary losses at $3,500; California residents may also claim $50; claim deadline June 12 2026; final hearing July 14 2026. Iowa’s Des Moines Orthopaedic Surgeons settled litigation over a February 2023 breach involving 307,864 patients; the $1 million fund provides three years of credit monitoring, reimbursement for losses up to $400 and compensation for lost time. Claims deadline Mar 23 2026; final hearing Apr 2 2026.
🔐 Cybersecurity Alerts & Best‑Practice Insights
CISA warns of actively exploited software vulnerabilities
What Happened – The Cybersecurity and Infrastructure Security Agency (CISA) added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) list on Feb 13 2026, signalling that attackers are actively exploiting them. These include:
- SolarWinds Web Help Desk (CVE‑2025‑40536) – A security control bypass allowing unauthenticated attackers to access restricted functionality, potentially leading to remote code execution; CISA urges federal agencies to patch within three days.
- Apple vulnerability (CVE‑2026‑20700) – A buffer overflow patched by Apple and exploited in sophisticated attacks.
- Notepad++ (CVE‑2025‑15556) – An update integrity verification flaw in the WinGUp updater; China‑linked hackers exploited it using man‑in‑the‑middle attacks.
- Microsoft Configuration Manager (CVE‑2024‑43468) – An SQL‑injection vulnerability resolved in Oct 2024; proof‑of‑concept code is public.
CISA requires agencies to apply patches for Apple, Microsoft and Notepad++ flaws within three weeks.
Why It Matters – Healthcare organizations often use these widely deployed products. Attackers exploiting unpatched vulnerabilities can gain remote access, deploy ransomware and exfiltrate PHI. Adding these CVEs to the KEV list means that exploitation has been observed in the wild.
Recommended Actions
- Inventory whether any organization systems or vendor tools use SolarWinds Web Help Desk, Notepad++, Apple products or Microsoft Configuration Manager. Prioritize patching in accordance with CISA timelines.
- Enable automatic updates where possible and monitor vendors’ security advisories.
- Review software supply chain and ensure patch management processes extend to third‑party service providers.
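As an added example (not code from this briefing or from CISA), the Python script below cross‑references a software inventory against KEV‑style records and ranks unpatched exposures by CISA due date, flagging which ones sit with a vendor or MSP rather than the internal team. The KEV field names follow the public JSON feed, while the records, inventory, due dates (3 days for SolarWinds, 21 days for the rest, counted from Feb 13 2026) and the reference date are constructed from the briefing's text; the Apple product name and the MSP name are placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed KEV-style records (field names as in CISA's public feed). CVE IDs
# and vendors come from the briefing; due dates assume Feb 13 2026 + 3 days
# (SolarWinds) or + 21 days (others). "macOS" is a placeholder product name.
KEV_ENTRIES = [
    {"cveID": "CVE-2025-40536", "vendorProject": "SolarWinds", "product": "Web Help Desk", "dueDate": "2026-02-16"},
    {"cveID": "CVE-2026-20700", "vendorProject": "Apple", "product": "macOS", "dueDate": "2026-03-06"},
    {"cveID": "CVE-2025-15556", "vendorProject": "Notepad++", "product": "Notepad++", "dueDate": "2026-03-06"},
    {"cveID": "CVE-2024-43468", "vendorProject": "Microsoft", "product": "Configuration Manager", "dueDate": "2026-03-06"},
]

@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str             # free-text inventory string, e.g. "Notepad++ 8.8"
    managed_by: str          # "internal" or the vendor/MSP responsible for patching
    patched_cves: frozenset  # CVE IDs already remediated on this host

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    managed_by: str
    due: date
    days_left: int           # negative means the CISA due date has passed

def matches(asset: Asset, entry: dict) -> bool:
    """Vendor must match exactly (case-insensitive) and the KEV product name
    must appear inside the inventory's free-text product string."""
    return (asset.vendor.lower() == entry["vendorProject"].lower()
            and entry["product"].lower() in asset.product.lower())

def find_exposed(assets, kev_entries, today: date) -> list:
    """Unpatched KEV exposures, most urgent first (overdue, then soonest due)."""
    findings = []
    for asset in assets:
        for entry in kev_entries:
            if entry["cveID"] in asset.patched_cves or not matches(asset, entry):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(asset.host, entry["cveID"], asset.managed_by,
                                    due, (due - today).days))
    return sorted(findings, key=lambda f: (f.days_left, f.host))

# Constructed inventory; "ExampleMSP" is a placeholder for a vendor-managed host.
INVENTORY = [
    Asset("helpdesk01", "SolarWinds", "SolarWinds Web Help Desk 12.8", "internal", frozenset()),
    Asset("sccm-primary", "Microsoft", "Configuration Manager 2403", "internal",
          frozenset({"CVE-2024-43468"})),  # already patched: no finding expected
    Asset("clinic-ws-17", "Notepad++", "Notepad++ 8.8", "ExampleMSP (placeholder)", frozenset()),
    Asset("exec-mbp-03", "Apple", "macOS 15", "internal", frozenset()),
]
REFERENCE_DATE = date(2026, 2, 18)  # constructed "today" for the walk-through
```

Pointing KEV_ENTRIES at the live feed and INVENTORY at a CMDB export turns this into a daily check; findings whose patch owner is a vendor are the ones to escalate under the business associate agreement.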
2026 threat landscape predictions: AI‑driven attacks and supply‑chain risk
What Happened – Forbes predicts that 2026 will be defined by AI‑powered cyber‑attacks and an aggressive phase of ransomware. AI will allow threat actors to craft realistic phishing emails, cloned voices and deepfakes, and to automate reconnaissance and exploit development. Ransomware gangs are expected to leverage AI to scan systems and launch attacks with minimal human intervention, with average data‑breach costs due to ransomware already at $7.42 million per incident. Forbes also warns that identity compromise will remain the dominant cause of breaches, with attackers exploiting session tokens, executive impersonation and machine identity theft. Supply‑chain cyber risk is expected to accelerate across all sectors, requiring continuous visibility into vendor controls rather than static questionnaires.
Why It Matters – These predictions align with recent healthcare breaches, many of which originated at vendors. AI‑driven social engineering could increase the success of phishing schemes against clinical staff, while ransomware attacks could disrupt care delivery and expose PHI.
Recommended Actions
- Invest in AI‑enabled threat detection tools that can identify deepfake audio/video and anomalous behaviours.
- Strengthen identity security through multi‑factor authentication, session‑token management and least‑privilege access.
- Enhance vendor risk management: require continuous security monitoring and adopt frameworks like NIST SP 800‑171 or Cybersecurity Maturity Model Certification (CMMC) as baseline standards.
- Update incident response plans to address emerging attack methods and ensure board‑level oversight of cyber resilience.
Final Thoughts
The past week illustrates that HIPAA compliance is both a regulatory obligation and a strategic imperative. Looming deadlines for updated Notices of Privacy Practices and increased civil penalties mean covered entities must stay current on rules. Simultaneously, regulators are scrutinizing third‑party breaches more aggressively. Several vendors—including practice‑management companies, EHR providers and professional networks—reported or were linked to significant breaches, underscoring the need for robust vendor risk management. Class‑action settlements across the country remind us that litigation is a costly consequence of inadequate security. Finally, cybersecurity alerts and industry predictions signal that the threat landscape will continue to evolve rapidly as AI and ransomware mature. Proactive patching, continuous monitoring of vendors and investment in modern security tools are essential to protect patient data and maintain trust.