
Welcome to this week’s edition of Hale Insights! As the healthcare landscape continues to shift, staying informed is key to safeguarding your patients and organization. This edition spotlights the latest regulatory moves, noteworthy legal actions and cybersecurity incidents from the past seven days.
For each story we explain what happened, why it matters and what you can do next so you can proactively manage compliance and risk.
Regulatory & Legal Updates
HIPAA enforcement accelerates despite unfinished rules
What happened: Federal regulators entered 2026 with major updates to the HIPAA Privacy and Security Rules still unfinished. Despite this, enforcement activity from the HHS Office for Civil Rights (OCR) shows continued scrutiny of patient‑access practices, information‑blocking complaints and modern risk‑management expectations that go beyond existing rule text.
Covered entities and health plans must update their Notice of Privacy Practices by February 16, 2026 to reflect new protections for substance‑use‑disorder records. A coalition of healthcare organizations recently asked HHS Secretary Robert F. Kennedy Jr. to pause the proposed Security Rule overhaul, citing financial strain and operational burden.
Why it matters: Even without finalized rulemaking, OCR is using guidance, corrective action plans and enforcement discretion to set expectations.
Patient‑access delays, improper fees and weak security controls can trigger investigations. The NPP‑update deadline carries real penalties if missed, and industry pushback illustrates tension between cybersecurity mandates and resource constraints.
Action items:
- Review patient‑access workflows and eliminate delays or overcharging.
- Update your Notice of Privacy Practices by Feb 16 to reflect Part 2 protections.
- Align security controls with proposed rule concepts (e.g., access control, system monitoring, incident preparedness) rather than waiting for formal adoption.
- Monitor OCR guidance and enforcement actions to understand changing expectations.
HHS adjusts HIPAA civil penalties for inflation
What happened: The U.S. Department of Health and Human Services published its annual inflation adjustment effective Jan 28 2026. The minimum penalty for HIPAA violations increased to $145 per violation, while penalties for willful neglect not corrected within 30 days can reach $73,011. The maximum annual penalty cap rose to $2,190,294.
Why it matters: Inflation adjustments raise the financial stakes of non‑compliance. Even minor violations now carry higher fines, and willful neglect can expose organizations to millions in penalties.
Action items:
- Conduct comprehensive risk analyses to identify and remediate gaps.
- Ensure corrective action occurs within 30 days of discovering a violation to avoid the highest penalty tier.
- Budget for potential enforcement costs and engage leadership on the increased risks.
Settlement highlights vendor breach liabilities (Comstar)
What happened: Ambulance billing company Comstar reached a settlement with the attorneys general of Massachusetts and Connecticut over a March 2022 ransomware breach. The attack exposed names, addresses, Social Security numbers and medical information of more than 69,000 patients. Comstar agreed to pay $415,000 to Massachusetts and $100,000 to Connecticut and to implement anti‑phishing software, multifactor authentication, intrusion detection, asset inventories, encryption and annual third‑party security assessments.
Why it matters: State regulators are increasingly enforcing HIPAA standards through state consumer‑protection laws. Comstar’s failure to conduct a comprehensive risk analysis and maintain a written information security program contributed to the penalties.
Action items:
- Require vendors handling protected health information to conduct documented risk analyses and maintain written security programs.
- Implement phishing‑resistant authentication and intrusion detection.
- Ensure third‑party audits and remediation plans are part of vendor contracts.
BCBS of Montana disputes state authority to investigate breach
What happened: Following a 2025 breach affecting up to 462,000 members, Blue Cross Blue Shield of Montana (BCBSMT) and vendor Conduent filed a lawsuit arguing that Montana’s new law requiring breach reporting to the state auditor does not apply to incidents predating Oct 1 2025. DataBreaches.net notes that BCBSMT has not demonstrated compliance with HIPAA’s requirement to report large breaches to HHS.
Why it matters: The case highlights tension between state and federal jurisdiction over breach investigations. Covered entities cannot rely on litigation to delay reporting; HIPAA’s Breach Notification Rule requires that breaches affecting 500 or more individuals be reported to HHS without unreasonable delay and no later than 60 days after discovery, regardless of any dispute over state authority.
Action items:
- Track effective dates of state data‑breach laws and apply them proactively.
- Report breaches to HHS even when state authority is contested.
- Coordinate with legal counsel to navigate overlapping state and federal obligations.
New state privacy laws and amendments effective Jan 1 2026
What happened: Several U.S. states enacted or amended comprehensive privacy laws effective Jan 1 2026.
- Indiana and Kentucky’s new laws apply to entities processing the data of 100,000 or more consumers, while Rhode Island’s law applies to organizations processing 35,000 consumers’ data, or 10,000 consumers’ data where 20% or more of revenue comes from data sales.
- California’s Delete Act and automated decision‑making technology regulations impose a 30‑day breach‑notification requirement and risk‑assessment obligations.
- Colorado eliminated its cure period and requires universal opt‑out signals, while Connecticut lowered its applicability threshold to 35,000 and adds risk assessments for high‑risk processing.
- Amendments in Oregon and Utah expand consumer rights and shorten response timelines.
Why it matters: Healthcare organizations operating across states must comply with multiple privacy regimes in addition to HIPAA. These laws often impose shorter breach‑notification timelines, require risk assessments and expand consumer rights, increasing the compliance burden.
Action items:
- Inventory personal‑data flows across state lines and determine applicability of new laws.
- Update breach‑notification procedures to meet the shortest applicable timeline (e.g., 30 days).
- Implement universal opt‑out mechanisms and perform documented risk assessments for high‑risk processing.
- Train staff on state‑specific requirements and coordinate with legal counsel.
A wave of breach and tracking‑pixel settlements
What happened: Plaintiffs have filed class‑action lawsuits against healthcare providers that used website tracking tools or experienced data breaches.
Northwell Health and Northbay Healthcare agreed to settlements offering cash payments (e.g., $15 for portal users), 12 months of privacy‑monitoring services and deadlines for claims in March and April 2026. Additional settlements were reached with Alabama Cardiovascular Group, Carolina Arthritis Associates, Regional Obstetrical Consultants, Rocky Mountain Gastroenterology, Affiliated Dermatologists & Dermatologic Surgeons and U.S. Dermatology Partners. Settlement funds range from $600,000 to $2.225 million, with claims deadlines in February 2026 and reimbursement allowances up to $5,000 or pro‑rata cash.
Why it matters: These settlements underscore the growing legal risks from third‑party tracking technologies and cyber incidents. Plaintiffs are successfully arguing that using pixels and analytics tools can constitute unauthorized disclosure of protected health information, leading to costly settlements.
Action items:
- Audit all websites and digital tools for tracking pixels or third‑party scripts that could collect health information.
- Remove or replace non‑compliant technologies.
- Enhance breach‑response plans to communicate with affected individuals quickly and transparently.
- Review cyber liability insurance to ensure coverage for class‑action settlements.
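A starting point for the website audit recommended above, as an added example that is not part of the newsletter: a small static scan that parses a page’s HTML, lists every script, image, iframe, stylesheet and form that points at a third-party host, flags hosts on a short tracker list, and spots inline calls to common pixel APIs. The sample page, the first-party hostname and the tracker-host list are constructed for illustration; a real audit would crawl authenticated portal pages and compare results against the organization’s approved-vendor inventory.

```python
"""Static tracking-pixel audit of a page's HTML (added example, stdlib only).

The tracker-host list and the sample page below are constructed for this
example and are not exhaustive; extend them to match your own environment.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of hosts commonly associated with analytics/advertising pixels.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net", "www.facebook.com",
    "www.googletagmanager.com", "www.google-analytics.com",
    "analytics.tiktok.com",
}


class ResourceCollector(HTMLParser):
    """Collect outbound resource references and inline pixel-style API calls."""
    # Tag -> attribute that carries the outbound URL.
    WATCH = {"script": "src", "img": "src", "iframe": "src",
             "link": "href", "form": "action"}
    # Substrings that indicate a pixel/analytics call in inline JavaScript.
    INLINE_MARKERS = ("fbq(", "gtag(", "ttq.", "_paq")

    def __init__(self):
        super().__init__()
        self.resources = []       # (tag, url, attrs) in document order
        self.inline_calls = []    # markers found inside inline <script> bodies
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        key = self.WATCH.get(tag)
        if key and a.get(key):
            self.resources.append((tag, a[key], a))
        # Only a <script> without src has an inline body worth inspecting.
        self._in_inline_script = tag == "script" and not a.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for marker in self.INLINE_MARKERS:
                if marker in data:
                    self.inline_calls.append(marker)


def audit_html(html, first_party_host):
    """Return a list of findings for resources that leave the first-party host."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.resources:
        host = urlparse(url).hostname
        # Relative URLs and first-party (sub)domains are not third-party egress.
        if not host or host == first_party_host or host.endswith("." + first_party_host):
            continue
        reason = "known tracker" if host in KNOWN_TRACKER_HOSTS else "third-party"
        # A 1x1 image with a query string is the classic beacon pattern.
        if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
            reason += ", 1x1 pixel"
        findings.append({"tag": tag, "host": host, "url": url, "reason": reason})
    for marker in parser.inline_calls:
        findings.append({"tag": "script(inline)", "host": None,
                         "url": marker, "reason": "inline tracker call"})
    return findings


# Constructed sample page: a hospital site with a tag-manager script, an
# inline gtag() call, a Meta-style 1x1 noscript image and a chat iframe.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-SAMPLE1"></script>
<script>window.dataLayer=[];function gtag(){dataLayer.push(arguments)}gtag('config','G-SAMPLE1');</script>
<script src="https://www.example-hospital.org/static/app.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=1&ev=PageView"/></noscript>
<form action="https://www.example-hospital.org/appointments/search"></form>
<iframe src="https://chat.vendor-example.net/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "www.example-hospital.org"):
        print(f"{f['reason']:<24} {f['tag']:<14} {f['host'] or '-':<28} {f['url']}")
```

Every finding is a conversation to have with the vendor or the marketing team: a "third-party" iframe may be a legitimate business associate under a BAA, but a known tracker or a 1x1 pixel on an appointment-scheduling or portal page is exactly the pattern the settlements above describe. The scan only sees what is in the served HTML; scripts that inject further trackers at runtime need a browser-based check (for example, reviewing network requests in the developer tools) in addition.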
Cybersecurity & Breach Notices
AI‑powered insurance platform breach exposes 3.1 million records
What happened: Healthcare Interactive (HCIactive), an AI‑powered insurance and benefits platform, disclosed that an unauthorized actor accessed and copied files containing names, Social Security numbers, health‑insurance enrollment data, medical record numbers, diagnoses, lab results and claims information affecting 3.1 million individuals. The breach occurred in July 2025 but was reported to the Oregon attorney general in January 2026; HCIactive is offering credit monitoring and says it has updated security measures.
Why it matters: The incident highlights the scale of risk posed by vendors that aggregate sensitive health and insurance data, and the delay between breach discovery and notification. AI‑driven platforms may process large datasets, increasing potential impact if compromised.
Action items:
- Conduct third‑party risk assessments for vendors providing AI‑powered services.
- Include contractual requirements for prompt breach notification and clear remediation steps.
- Monitor vendor security posture and audit data‑handling practices, especially where AI models are involved.
TriZetto Provider Solutions breach impacts eligibility data
What happened: TriZetto Provider Solutions (TPS), a vendor that provides insurance eligibility verification, discovered suspicious activity in October 2025 and later determined that unauthorized actors accessed historical eligibility reports from November 2024. The breach exposed names, addresses, dates of birth, Social Security numbers, insurer and member numbers and provider names for over 700,000 individuals. Oregon healthcare providers—including Deschutes County, La Pine Community Health Center and Best Care Treatment Services—are notifying approximately 1,300, 1,200 and 1,650 patients respectively and offering credit monitoring.
Why it matters: The year‑long gap between data theft and discovery, combined with widespread use of the vendor, means many covered entities must now notify affected individuals. The incident underscores the need for continuous vendor monitoring and the risk of inherited liability from third‑party breaches.
Action items:
- Review contracts with clearinghouses and eligibility‑verification vendors to ensure timely breach notification and security requirements.
- Monitor vendor security alerts and perform independent audits where feasible.
- Develop a plan to quickly notify affected patients when vendor incidents occur.
Recent ransomware and exploitation incidents
Mitchell County Department of Social Services: In October 2025 the county’s Department of Social Services suffered a ransomware attack in which files were exfiltrated. Officials reported the incident to HHS and are reviewing policies and augmenting their safeguards.
360 Dental: The Oregon dental practice detected a ransomware attack on Nov 16 2025. Attackers accessed dental records and a limited number of Social Security numbers; the practice is rebuilding servers and enhancing security.
GiaCare: The healthcare staffing company identified exploitation of a vulnerability in the Gladinet CentreStack file‑sharing platform on Dec 6 2025, resulting in unauthorized access to names, Social Security numbers and driver’s license numbers. The company is offering credit monitoring.
Why it matters: These events illustrate continued targeting of healthcare organizations by ransomware groups and opportunistic exploiters. Even small practices and staffing agencies are at risk, and vulnerabilities in third‑party software can expose sensitive data.
Action items:
- Ensure off‑site backups and tested restoration procedures to recover from ransomware.
- Patch and update third‑party software promptly and monitor for vulnerabilities.
- Implement endpoint detection and response (EDR) to detect intrusions early, and multifactor authentication to limit the impact of stolen or phished credentials.
- Provide regular security awareness training to staff.
Conclusion
This past week made one thing clear: compliance expectations are tightening even as regulatory clarity remains incomplete. OCR is signaling that how organizations manage risk matters just as much as whether policies exist, while regulators and plaintiffs alike continue to scrutinize breach response timelines, vendor oversight, and real-world security practices.
For compliance teams, the path forward is proactive—not reactive. Now is the time to validate that risk analyses translate into documented remediation, that vendors are held to measurable security and notification standards, and that upcoming deadlines (especially the February 16 NPP updates) are not treated as routine paperwork exercises.
As always, staying informed is only the first step. Turning insight into action is what ultimately protects patients, organizations, and leadership.
We’ll continue monitoring these developments closely and sharing practical guidance to help you stay ahead. Wishing you a secure, compliant, and well-prepared week ahead.