
During the last week, regulators continued to sharpen their focus on health‑care privacy and security. OCR activated enforcement for substance‑use disorder (SUD) records, settled a HIPAA security case, and states amended privacy laws to align with HIPAA standards. Meanwhile, ransomware took a major academic health‑care system offline, a telehealth platform faced a class action over an alleged hack, and multiple third‑party service providers reported breaches. Newly disclosed vulnerabilities affecting widely used software underscore the need for disciplined patch management and vendor oversight.
🏛️ Regulatory & Legal Updates
OCR launches civil enforcement program for SUD records (42 CFR Part 2)
What happened – HHS’s Office for Civil Rights announced that it will begin enforcing the confidentiality provisions of 42 CFR Part 2—the law governing substance‑use‑disorder records—on Feb 16 2026. The program implements Section 3221 of the CARES Act and aligns penalties with HIPAA; covered entities must comply with requirements such as updating privacy notices, consent forms, business associate agreements and incident response plans. OCR’s breach portal now accepts Part 2 breach notifications, and breaches involving both PHI and SUD data must be reported separately.
Why it matters – Regulators can now investigate Part 2 breaches and impose corrective action plans and monetary penalties akin to HIPAA enforcement. Entities handling SUD data must have privacy notices and consent forms explaining how Part 2 records are used and redisclosed and must integrate these requirements into risk assessments and vendor agreements.
Recommended actions
- Update privacy notices and consent forms to describe limitations on using/disclosing SUD records and the prohibition on court use without consent.
- Revise incident response plans to ensure Part 2 breaches are reported separately through OCR’s breach portal.
- Review and amend business associate agreements to cover SUD data; require vendors to notify you of SUD breaches and cooperate with investigations.
- Train workforce members about Part 2 confidentiality and consent rules.
OCR settlement highlights need for comprehensive security program
What happened – OCR reached a settlement with Top of the World Ranch Treatment Center after a 2023 phishing attack compromised electronic protected health information (ePHI) of 1,980 patients. The settlement includes a US$103,000 payment and a corrective action plan requiring the provider to conduct a risk analysis, implement risk‑management measures, update policies, and train staff. OCR reminded all covered entities to identify how ePHI flows through their environment, implement audit controls, use unique authentication, encrypt ePHI, and provide regular security training.
Why it matters – The case shows that relatively small breaches can result in six‑figure penalties when security programs are inadequate. OCR continues to stress risk analysis and workforce training as foundations for HIPAA compliance.
Recommended actions
- Perform a comprehensive risk analysis covering all systems and data repositories that store or transmit ePHI and SUD information.
- Implement risk‑management measures such as multi‑factor authentication, encryption of data at rest and in transit, and audit logging.
- Update policies and procedures for incident response, access control and device management; test incident response plans regularly.
- Provide annual security training and phishing simulations for all workforce members.
New Jersey narrows data protection obligations for HIPAA‑regulated entities
What happened – New Jersey amended its Data Privacy Act (NJDPA) through Assembly Bill A5017 on Feb 19 2026. The amendment clarifies that non‑PHI data handled by HIPAA‑covered entities may be exempt from NJDPA requirements if it is secured in accordance with HIPAA’s privacy and security rules. To qualify, organizations must treat the non‑PHI identically to PHI—using the same administrative, physical and technical safeguards—and limit use/disclosure consistent with HIPAA.
Why it matters – New Jersey joins a handful of states (Colorado, Oregon and Minnesota) adopting data‑level exemptions rather than broad entity‑level exemptions. Covered entities processing consumer data (e.g., marketing analytics or website cookies) can avoid NJDPA compliance if they apply HIPAA‑compliant protections.
Recommended actions
- Conduct a data inventory to identify non‑PHI data flows (e.g., web analytics, marketing lists) that may fall under NJDPA.
- Apply HIPAA safeguards (access controls, encryption, limited retention) to non‑PHI data to qualify for the exemption.
- Document decisions that certain data qualifies for the exemption; maintain policies demonstrating adherence to HIPAA standards.
🔔 Breach & Incident Notices
Ransomware cripples University of Mississippi Medical Center (UMMC)
What happened – On Feb 19 2026, UMMC took most of its clinics and its Epic electronic medical record system offline after detecting a ransomware attack. Appointments and surgeries were cancelled; emergency care continued under downtime protocols using paper charts. Law enforcement—including the FBI, DHS and CISA—is investigating, but officials have not disclosed the ransomware variant. UMMC believes the attack was confined to local servers; however, some websites and diversion information remained down, and the hospital received communications from the attackers. Patient impacts were significant: chemotherapy sessions and other treatments were delayed, and clinicians were forced to divert emergency patients.
Why it matters – This incident illustrates how ransomware can disrupt care delivery at scale. Extended downtime increases clinical risk and may drive up mortality rates. The attack also raises questions about whether PHI was exfiltrated; such disclosures could trigger breach‑notification obligations.
Recommended actions
- Test downtime procedures regularly for critical systems; ensure staff can operate on paper when EMRs are unavailable.
- Maintain off‑site backups and implement network segmentation to limit lateral movement.
- Monitor communications from attackers and coordinate with law enforcement; do not engage without legal counsel.
- Notify patients and regulators promptly if an investigation reveals that PHI was accessed.
Telehealth platform OpenLoop faces class‑action lawsuit over alleged hack
What happened – A potential class action filed in the U.S. District Court for the Southern District of Iowa alleges that telehealth infrastructure provider OpenLoop Health was hacked by threat group “stuckin2019” on Jan 7 2026, exposing sensitive data of more than 1.6 million patients. Plaintiffs claim OpenLoop failed to implement appropriate HIPAA safeguards and did not timely notify victims; they seek monetary damages and lifetime credit monitoring. OpenLoop acknowledged a security incident but said no financial or Social Security data was compromised.
Why it matters – The suit underscores the liability exposure telehealth platforms face when breaches affect large patient populations. Even if sensitive financial data is not accessed, failure to meet HIPAA’s security and notification requirements may lead to litigation and reputational harm.
Recommended actions
- Audit telehealth vendors and platforms for compliance with HIPAA’s security rule and incident‑response obligations.
- Ensure breach‑notification timelines align with HIPAA and state laws; verify that vendors can send timely, accurate notifications.
- Require indemnification and breach response commitments in vendor contracts.
North East Medical Services (NEMS) investigates third‑party breach
What happened – Community health‑care provider NEMS disclosed that it detected unauthorized access to the network of its third‑party provider United Layer on Oct 19 2025. An investigation confirmed that sensitive personal data may have been accessed, but the specific data types were not yet disclosed as of Feb 19 2026. California law indicates that personal information could include names, Social Security numbers, driver’s license numbers, medical information and health insurance details. NEMS has begun mailing notification letters and is offering complimentary credit monitoring.
Why it matters – Vendor breaches continue to expose patient data without direct compromise of covered entities’ networks. The lack of clarity around the data compromised demonstrates the challenges in assessing third‑party incidents.
Recommended actions
- Inventory all vendors and services that handle PHI or personal data; perform due diligence on their security controls.
- Include breach‑notification requirements in contracts (e.g., notification within 30 days of discovery) and ensure vendors retain forensic experts.
- Provide extended credit monitoring when Social Security numbers or financial information may have been exposed.
Conduent breach draws state investigations
What happened – Administrative services provider Conduent Business Services disclosed that attackers had access to its network from Oct 21 2024 through Jan 13 2025, potentially exposing names, Social Security numbers and health‑insurance data of millions of individuals nationwide. States are investigating: Oregon’s attorney general estimated 10.5 million people affected; New Hampshire cited 11,000 residents; and Texas Attorney General Ken Paxton launched a probe, stating that up to 4 million Texans may be impacted. A pending class action alleges Conduent failed to implement basic security measures.
Why it matters – This is one of the largest reported health‑care‑related breaches. It highlights systemic risks associated with outsourcing administrative services and may prompt regulators to examine vendor oversight. Affected health plans must assess whether they need to notify members and regulators under HIPAA’s breach‑notification rule.
Recommended actions
- Identify whether any of your plan members are included in Conduent’s breach; if so, review Conduent’s notification to ensure it meets HIPAA standards.
- Reassess vendor risk management programs and consider requiring SOC 2 or comparable reports for critical vendors.
- Review cyber insurance for coverage of third‑party breaches and class‑action claims.
Local breach spotlight: PharMerica settles data‑breach lawsuit
What happened – Long‑term‑care pharmacy PharMerica agreed to a US$5.275 million class‑action settlement stemming from a March 2023 data breach. Eligible class members can claim up to US$10,000 in documented losses or opt for alternative cash; the settlement also includes one year of credit monitoring and identity theft protection. The deadline for claims is April 27 2026.
Why it matters – The settlement illustrates the growing financial exposure from data breaches. Even when an attack occurred years earlier, litigation and settlement costs may persist, emphasizing the need for robust security and breach response.
Recommended actions
- Track class‑action settlements involving vendors and partners to ensure your organization is aware of potential obligations to notify affected patients.
- Assess cyber insurance policies for coverage of settlement costs, credit monitoring and legal fees.
🔐 Cybersecurity Alerts & Best‑Practice Insights
Critical vulnerability in BeyondTrust remote support exploited in ransomware
What happened – CISA updated its Known Exploited Vulnerabilities (KEV) catalog on Feb 13 2026 to highlight CVE‑2026‑1731, a remote‑code‑execution flaw in BeyondTrust Remote Support and Privileged Remote Access. The vulnerability allows unauthenticated attackers to bypass security controls and execute code remotely; exploitation began within 24 hours of public proof‑of‑concept code, and ransomware groups have weaponized it. CISA required federal agencies to patch the flaw by Feb 16 2026.
Why it matters – Many health‑care organizations and vendors use BeyondTrust tools for remote support. Unpatched systems could permit attackers to obtain privileged access and deploy ransomware.
Recommended actions
- Inventory systems using BeyondTrust Remote Support or Privileged Remote Access; apply vendor‑provided patches immediately.
- Enable multi‑factor authentication and restrict remote access to trusted networks and whitelisted IPs.
- Monitor for indicators of compromise related to CVE‑2026‑1731; coordinate with vendors to confirm that their appliances have been patched.
RoundCube webmail vulnerabilities added to KEV
What happened – CISA added two RoundCube Webmail vulnerabilities—CVE‑2025‑49113 (object deserialization leading to remote code execution) and CVE‑2025‑68461 (cross‑site scripting)—to its KEV list on Feb 21 2026. RoundCube is widely used by hosting providers and enterprises, and threat actors including APT28 and Winter Vivern have exploited these flaws.
Why it matters – Unpatched mail servers could allow attackers to install backdoors or steal credentials, potentially providing lateral movement into healthcare networks.
Recommended actions
- Identify whether your organization or vendors host RoundCube instances; upgrade to patched versions immediately.
- Use web‑application firewalls and intrusion detection systems to monitor for exploit attempts.
- Educate staff to avoid clicking suspicious email links; cross‑site scripting may be leveraged in phishing campaigns.
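The BeyondTrust and RoundCube items above both turn on the same routine: pull the KEV catalog, find the entries that touch products you actually run, and work the list in due-date order with ransomware-linked entries at the top. The script below is an added example written for this newsletter, not code from CISA, BeyondTrust or the Roundcube project. The catalog fragment is constructed sample data shaped like the public KEV JSON feed (same field names); the CVE ids, vendor/product names and the BeyondTrust dates follow the text above, while the RoundCube due dates, the filler entry and the asset inventory are placeholders.

```python
"""
Cross-reference an asset inventory against a CISA KEV-style catalog so that
entries with a passed or imminent due date, and those tied to ransomware use,
surface first. Added example for this newsletter; not code from CISA or any
vendor. The catalog and inventory below are constructed sample data.
"""
import json
from datetime import date

# Constructed sample shaped like the public KEV JSON feed (field names as in
# that feed). CVE ids, vendor/product names and the BeyondTrust dates follow
# the newsletter text; the RoundCube dueDate values and the last entry are
# placeholders used only to exercise the code.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
         "product": "Remote Support and Privileged Remote Access",
         "dateAdded": "2026-02-13", "dueDate": "2026-02-16",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-49113", "vendorProject": "RoundCube",
         "product": "Webmail", "dateAdded": "2026-02-21",
         "dueDate": "2026-03-14", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-68461", "vendorProject": "RoundCube",
         "product": "Webmail", "dateAdded": "2026-02-21",
         "dueDate": "2026-03-14", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
         "product": "Unrelated Product", "dateAdded": "2026-01-05",
         "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed asset inventory; in practice this comes from the CMDB or a
# vulnerability scanner export.
INVENTORY = [
    {"host": "rs-appliance-01", "vendor": "BeyondTrust",
     "product": "Remote Support", "owner": "IT Operations"},
    {"host": "mail-01", "vendor": "Roundcube", "product": "Webmail",
     "owner": "Messaging"},
    {"host": "ehr-db-01", "vendor": "ExampleEHR", "product": "Database",
     "owner": "Clinical IT"},
]


def _norm(text):
    """Normalise names so 'RoundCube'/'Roundcube' and spacing differences match."""
    return "".join(text.lower().split())


def asset_matches(entry, asset):
    """Vendor must match exactly; product matches if either name contains the other."""
    if _norm(entry["vendorProject"]) != _norm(asset["vendor"]):
        return False
    p_entry, p_asset = _norm(entry["product"]), _norm(asset["product"])
    return p_asset in p_entry or p_entry in p_asset


def kev_exposure(kev_json, inventory, today):
    """Return one finding per (asset, KEV entry) pair, most urgent first."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for entry in catalog:
            if not asset_matches(entry, asset):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "owner": asset["owner"],
                "cve": entry["cveID"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "days_to_due": (due - today).days,   # negative means overdue
                "overdue": today > due,
            })
    # Ransomware-linked entries first, then earliest due date first.
    findings.sort(key=lambda f: (not f["ransomware"], f["days_to_due"]))
    return findings


def sample_findings(today_iso="2026-02-23"):
    """Run the constructed sample as of a given date (default: the week reviewed)."""
    return kev_exposure(KEV_SAMPLE, INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in sample_findings():
        state = "OVERDUE" if f["overdue"] else f"due in {f['days_to_due']}d"
        print(f"{f['host']:<16} {f['cve']:<16} {state:<14} "
              f"{'ransomware' if f['ransomware'] else '':<10} -> {f['owner']}")
```

Run against the live feed, the only change is loading the catalog from CISA's published JSON instead of `KEV_SAMPLE`; the product-name matching is deliberately loose (substring, case-insensitive) because KEV product strings rarely line up with CMDB naming, so expect to hand-review matches before assigning them to owners.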
CISA directive targets end‑of‑support devices and promotes OpenEoX
What happened – In Binding Operational Directive 26‑02, CISA directed federal agencies to identify and replace end‑of‑support “edge devices” (e.g., firewalls, VPNs) that no longer receive security updates. The directive also encourages adoption of the OpenEoX standard—a machine‑readable format for product lifecycle data that can integrate with software bills of materials (SBOMs)—to improve visibility into when hardware and software reach end‑of‑life.
Why it matters – Unsupported devices pose significant risk in healthcare, where outdated firewalls or VPNs may serve as gateways to clinical networks. The directive signals a shift toward automated lifecycle management and supply‑chain transparency.
Recommended actions
- Identify all edge devices and software in use; confirm support status and replacement timelines.
- Adopt product‑lifecycle monitoring (e.g., OpenEoX or SBOM tools) to automatically track end‑of‑support dates.
- Engage vendors to ensure they supply machine‑readable lifecycle data; incorporate this requirement into procurement contracts.
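The three actions above reduce to one check: take the component list you already have (an SBOM or device inventory), join it to machine-readable lifecycle data, and report what is past end-of-support, what is approaching it, and what the vendor has supplied no date for at all. The script below is an added example written for this newsletter, not code from CISA or the OpenEoX project. The component list is a constructed, minimal CycloneDX-shaped document; the lifecycle records use a simplified, assumed layout (`vendor`, `product`, `version_prefix`, `end_of_support`) in the spirit of OpenEoX rather than its published schema, and every vendor, product and date in it is a placeholder.

```python
"""
Flag end-of-support components from an SBOM-style component list against
machine-readable lifecycle records. Added example for this newsletter, not
code from CISA or the OpenEoX project. The lifecycle record layout is an
assumption (not the published OpenEoX schema) and all sample data is
constructed.
"""
import json
from datetime import date

# Constructed, minimal CycloneDX-shaped component list (only the fields used
# here). Supplier and product names are placeholders.
SBOM_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "device", "supplier": {"name": "ExampleNet"},
         "name": "EdgeFirewall", "version": "7.2.3"},
        {"type": "device", "supplier": {"name": "ExampleNet"},
         "name": "VPNConcentrator", "version": "9.1.0"},
        {"type": "device", "supplier": {"name": "ExampleSwitchCo"},
         "name": "CoreSwitch", "version": "3.0.1"},
        {"type": "application", "supplier": {"name": "ExampleHealthSoft"},
         "name": "IntegrationEngine", "version": "5.4.2"},
    ],
})

# Constructed lifecycle records (assumed layout). A record covers every version
# that starts with version_prefix. There is deliberately no record for the
# integration engine: that is the "vendor supplies no lifecycle data" case.
LIFECYCLE_SAMPLE = json.dumps([
    {"vendor": "ExampleNet", "product": "EdgeFirewall",
     "version_prefix": "7.2", "end_of_support": "2025-12-31"},
    {"vendor": "ExampleNet", "product": "VPNConcentrator",
     "version_prefix": "9.1", "end_of_support": "2026-04-30"},
    {"vendor": "ExampleSwitchCo", "product": "CoreSwitch",
     "version_prefix": "3.0", "end_of_support": "2028-06-30"},
])


def _version_in_train(version, prefix):
    """'7.2.3' belongs to train '7.2'; '7.20.1' does not."""
    return version == prefix or version.startswith(prefix + ".")


def find_lifecycle(component, records):
    """Return the lifecycle record covering this component, or None."""
    vendor = component.get("supplier", {}).get("name", "")
    for rec in records:
        if (rec["vendor"].lower() == vendor.lower()
                and rec["product"].lower() == component["name"].lower()
                and _version_in_train(component["version"], rec["version_prefix"])):
            return rec
    return None


def classify_components(sbom_json, lifecycle_json, today, warn_days=90):
    """Bucket components as unsupported, ending_soon (with days left),
    supported, or unknown (no lifecycle data: go back to the vendor)."""
    components = json.loads(sbom_json)["components"]
    records = json.loads(lifecycle_json)
    buckets = {"unsupported": [], "ending_soon": [], "supported": [], "unknown": []}
    for comp in components:
        label = f"{comp['name']} {comp['version']}"
        rec = find_lifecycle(comp, records)
        if rec is None:
            buckets["unknown"].append(label)
            continue
        remaining = (date.fromisoformat(rec["end_of_support"]) - today).days
        if remaining < 0:
            buckets["unsupported"].append(label)
        elif remaining <= warn_days:
            buckets["ending_soon"].append((label, remaining))
        else:
            buckets["supported"].append(label)
    return buckets


def sample_report(today_iso="2026-02-23"):
    """Run the constructed sample as of a given date (default: the week reviewed)."""
    return classify_components(SBOM_SAMPLE, LIFECYCLE_SAMPLE,
                               date.fromisoformat(today_iso))


if __name__ == "__main__":
    for bucket, items in sample_report().items():
        print(f"{bucket:<12} {items}")
```

The `unknown` bucket is the one to take into procurement conversations: a component with no lifecycle record cannot be scheduled for replacement, which is exactly the gap the directive's push for machine-readable lifecycle data is meant to close. The 90-day warning window is a tunable default; edge devices fronting clinical networks usually warrant a longer lead time than that.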
🌍 Final Thoughts
This week’s developments highlight that HIPAA compliance and cybersecurity are dynamic obligations, not static checkboxes. OCR’s new enforcement program for SUD records and its settlement with a small treatment center show that regulators expect covered entities to continuously update policies, perform risk analyses and train staff. State attorneys general and legislatures are also tightening privacy laws and scrutinizing vendor breaches, as seen with the Conduent investigation and New Jersey’s amendment. Meanwhile, ransomware attacks and vendor incidents continue to disrupt care and expose patient data, demonstrating that third‑party risk management is a critical component of HIPAA compliance.
The threat environment is accelerating: exploitation of remote‑support and email software vulnerabilities underscores the importance of timely patching, while CISA’s directive on end‑of‑support devices signals a broader push toward supply‑chain transparency. Compliance and security leaders should strengthen incident response plans, engage vendors on their security posture, and invest in tools that provide continuous visibility into vulnerabilities and product lifecycles. Doing so will help protect patient data, maintain operational resilience, and meet the evolving expectations of regulators and patients alike.