
The past week brought a flurry of regulatory clarifications, enforcement actions and data‑breach announcements that HIPAA compliance professionals should know about.
Regulatory & Legal Updates
Clarifications on updated Notice of Privacy Practices (NPP) – Feb 16 deadline
What happened: Law firms and professional associations provided additional guidance on the new requirement for HIPAA‑covered entities and group health plans to update their Notices of Privacy Practices (NPPs) by February 16 2026 to account for the final rules under 42 CFR Part 2. Proskauer notes that the revised NPP must describe the heightened restrictions on substance‑use disorder records – including prohibitions on redisclosure without written consent – and limitations on using such records in legal proceedings. The American Dental Association (ADA) clarified that reproductive health privacy changes vacated by the courts do not need to appear in the NPP, and the notice should instead explain the distinct consent requirements for Part 2 records. HHS has not yet issued an updated model NPP, so covered entities must create their own compliant language.
Why it matters: Covered entities that handle even occasional substance‑use disorder information must revise their NPPs or risk violating HIPAA and Part 2. The clarifications emphasise that staff must understand the differences between general HIPAA rules and Part 2’s stricter confidentiality provisions and that reproductive health provisions are not part of this update. Failing to update the NPP or train staff may expose organisations to penalties and patient complaints.
Action items:
- Immediately review current NPP language and insert explanations that Part 2 records have stricter use and redisclosure restrictions.
- Draft and post the revised NPP on public websites and distribute it to patients (or plan participants) by Feb 16 2026.
- Educate employees on the differences between HIPAA and Part 2 and emphasise that reproductive health information does not need to be addressed.
Recognised security practices and the HIPAA Safe Harbor
What happened: A HIPAA Journal article explained how the HIPAA Safe Harbor law is being integrated into the proposed HIPAA Security Rule update. The law instructs the U.S. Department of Health & Human Services (HHS) to consider whether a covered entity has adopted “recognized security practices” for at least 12 months when determining penalties after a breach. Recognised practices may be based on frameworks like NIST or industry best practices. Crucially, the article notes that simply adopting policies on paper is insufficient – organisations must train personnel and document implementation to demonstrate those practices.
Why it matters: By implementing and documenting recognised security practices, covered entities may reduce potential civil penalties in the event of a breach investigation. Evidence of regular security training and adherence to frameworks can provide safe‑harbor protection. Without demonstrable practices in place for a year, entities cannot rely on this statutory mitigation.
Action items:
- Assess current security programs against recognised frameworks (e.g., NIST CSF) and identify gaps.
- Document security practices and retain evidence of implementation for at least 12 months.
- Provide ongoing cybersecurity training to workforce members; training records help demonstrate that recognised practices are actually followed.
California cracks down on data brokers trading health data
What happened: The California Privacy Protection Agency announced its first enforcement actions under the California Delete Act and data‑broker law. The agency accused data broker Datamasters (Rickenbacker Data LLC) of purchasing lists sorted by sensitive health conditions and selling Californians’ personal information for targeted advertising; the company failed to register with the state, leading to a US$45,000 fine and an order to stop selling Californians’ data. A second action targeted S&P Global for failing to register as a data broker, illustrating that even large corporations must comply. Both enforcement actions require deletion of Californians’ data when requested and prohibit further sales of sensitive information.
Why it matters: This is the first time California has used its Delete Act enforcement powers, signalling increased scrutiny of companies that trade in health‑related data. Organisations nationwide that handle California residents’ data – including healthcare analytics firms and marketing partners – may face similar actions if they do not register and honour deletion requests.
Action items:
- Determine whether your organisation or any vendors qualify as a data broker under the California law and ensure registration.
- Review contracts with marketing or analytics partners to verify they are not selling data lists based on medical conditions without appropriate consents.
- Implement procedures to respond to deletion requests within the required time frame (24 hours under the California law).
Cybersecurity Updates
ServiceNow patches BodySnatcher AI‑agent vulnerability
What happened: Information Security Media Group’s Breach Roundup reported that ServiceNow has patched a critical vulnerability dubbed BodySnatcher. The flaw (CVE‑2025‑12420) allowed unauthenticated attackers to impersonate users and abuse agentic AI workflows. By leveraging only a victim’s email address, an attacker could trigger privileged actions through ServiceNow’s Virtual Agent API and Now Assist AI Agents, bypassing single sign‑on and multifactor authentication in certain configurations. The vulnerability affected on‑premises deployments running specific versions of these AI modules.
Why it matters: Many healthcare organizations use ServiceNow for IT service management. Exploiting this flaw could allow attackers to issue privileged requests, alter tickets or access sensitive data. AI‑driven workflows are increasingly embedded in help‑desk and patient‑service systems, making it essential to monitor them for new threat vectors.
Action items:
- Verify whether your organisation runs the affected ServiceNow components; apply the vendor’s patches immediately.
- Review Virtual Agent and Now Assist AI Agent configurations to ensure least‑privilege access and robust multifactor authentication.
- Monitor AI‑driven workflows for abuse and establish logging to detect anomalous actions triggered via APIs.
Malicious Chrome extensions hijack Workday and ERP accounts
What happened: Threat‑intelligence firm Cyware warned that five malicious Chrome extensions are masquerading as legitimate HR and ERP tools (e.g., Workday and NetSuite) to steal user authentication tokens and hijack sessions. The extensions – DataByCloud Access, Tool Access 11, Software Access and others – exfiltrate cookies to remote servers, block security responses and manipulate browser pages to prevent administrators from noticing the compromise. Although most have been removed from official stores, they remain available on third‑party download sites.
Why it matters: Healthcare organisations frequently use Workday and similar platforms for human resources and payroll operations. Compromise of these accounts could expose employee PII and payroll information, potentially leading to identity theft or payroll fraud. Attackers may also pivot from compromised HR accounts into healthcare networks.
Action items:
- Audit installed browser extensions across employee devices and remove any unapproved or suspicious extensions, especially those claiming to provide access to ERP platforms.
- Enforce browser‑extension whitelisting and restrict installation of third‑party apps.
- Educate staff about phishing and social‑engineering tactics that may encourage installation of malicious extensions.
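One way to carry out the first two action items on a Windows fleet, as an added example that is not part of the original roundup or any vendor's tooling: the script inventories the Chrome extensions installed in every profile on an endpoint, flags those absent from an approved list (and shows the permissions each requests, since cookie and web-request access is what a session-stealing extension needs), then enforces the allow-list through Chrome's documented ExtensionInstallBlocklist and ExtensionInstallAllowlist policy keys. The approved extension ID is a placeholder; the profile path and policy registry keys are Chrome's standard locations.

```powershell
# Added example (not taken from the roundup or from any vendor): inventory Chrome
# extensions on a Windows endpoint, flag any not on the allow-list, then enforce
# the allow-list through Chrome's enterprise policy registry keys.

# Placeholder allow-list: replace with the extension IDs your organisation approves.
$ApprovedIds = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')

function Get-ChromeExtensionInventory {
    param([string]$UserDataDir = "$env:LOCALAPPDATA\Google\Chrome\User Data")
    # Each profile (Default, Profile 1, ...) stores extensions under
    # <profile>\Extensions\<32-char id>\<version>\manifest.json; IDs use letters a-p only.
    Get-ChildItem -Path $UserDataDir -Directory -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') } |
        ForEach-Object {
            $profileName = $_.Name
            Get-ChildItem (Join-Path $_.FullName 'Extensions') -Directory |
                Where-Object { $_.Name -match '^[a-p]{32}$' } |
                ForEach-Object {
                    $verDir = Get-ChildItem $_.FullName -Directory | Select-Object -First 1
                    if (-not $verDir) { return }
                    $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                    if (-not (Test-Path $manifestPath)) { return }
                    $m = Get-Content $manifestPath -Raw | ConvertFrom-Json
                    [pscustomobject]@{
                        Profile     = $profileName
                        Id          = $_.Name
                        Name        = $m.name      # a __MSG_*__ key if the name is localised
                        Version     = $m.version
                        Permissions = ($m.permissions -join ',')   # cookies/webRequest are red flags
                        Approved    = $ApprovedIds -contains $_.Name
                    }
                }
        }
}

function Set-ChromeExtensionAllowlist {
    param([string[]]$AllowedIds)
    # Block every extension ('*') and permit only the listed IDs. Needs admin rights;
    # Chrome applies it on the next policy refresh or browser restart.
    $base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    New-Item -Path "$base\ExtensionInstallBlocklist" -Force | Out-Null
    Set-ItemProperty -Path "$base\ExtensionInstallBlocklist" -Name '1' -Value '*'
    New-Item -Path "$base\ExtensionInstallAllowlist" -Force | Out-Null
    $i = 1
    foreach ($id in $AllowedIds) { Set-ItemProperty "$base\ExtensionInstallAllowlist" -Name "$i" -Value $id; $i++ }
}

# Report unapproved extensions for this user, then lock the policy down machine-wide.
Get-ChromeExtensionInventory | Where-Object { -not $_.Approved } | Format-Table -AutoSize
Set-ChromeExtensionAllowlist -AllowedIds $ApprovedIds
```

Run the inventory under each user's context (or point -UserDataDir at each profile directory) before enforcing the policy, so legitimate extensions staff depend on can be added to the allow-list first.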
Breach & Incident Notices
Consulting Radiologists Ltd. agrees to US$2.2 million settlement for 2024 breach
What happened: Minnesota Lawyer reported that Consulting Radiologists Ltd. (CRL) has agreed to a US$2.2 million class‑action settlement to resolve claims stemming from a February 2024 cyberattack. The attack compromised personal and medical information of approximately 583,824 individuals, including 19,346 Social Security numbers. Plaintiffs alleged CRL failed to implement reasonable cybersecurity measures and delayed notifying patients. Under the settlement, class members can claim reimbursement for documented losses up to US$5,000, two years of credit‑monitoring services and identity‑theft insurance, and a cash payment estimated at US$125 for those whose SSNs were exposed.
Why it matters: The settlement underscores courts’ willingness to approve substantial payouts when providers fail to safeguard protected health information (PHI) or timely notify victims. Organisations should note that delayed breach notification can increase litigation exposure.
Action items:
- Review incident‑response plans to ensure rapid breach detection and timely notification to patients and regulators.
- Evaluate cybersecurity measures (e.g., network segmentation, vulnerability management) to reduce the risk of large‑scale data compromise.
- Monitor class‑action settlement deadlines; claims in the CRL case are due March 2 2026 (final fairness hearing pending).
PharMerica finalises US$5.275 million settlement for 2023 data breach
What happened: HIPAA Journal reported that pharmacy services provider PharMerica has reached a US$5.275 million settlement following a March 2023 data breach that exposed personal and medical information of about 5.8 million patients and residents. The settlement, which received preliminary approval on January 12 2026, allows class members to seek reimbursement of out‑of‑pocket losses up to US$10,000, a year of credit‑monitoring and identity‑theft insurance, and an alternative one‑time cash payment. Claims must be filed by April 27 2026, and a fairness hearing is scheduled for May 12 2026.
Why it matters: The size of the settlement reflects the scale of the breach and the growing cost of cybersecurity incidents in healthcare. The case highlights the importance of robust security controls and timely communication during large data breaches.
Action items:
- Ensure incident‑response plans address large‑scale breaches and include provisions for providing credit monitoring and identity‑theft protection when necessary.
- Audit business associates’ security practices; vendor breaches can expose millions of records and lead to class actions.
- Notify affected individuals promptly; failing to do so may increase settlement costs and reputational damage.
Kaiser Permanente settles tracking‑tool privacy lawsuit for US$46 million
What happened: Media reports indicate that Kaiser Permanente has agreed to a US$46 million settlement to resolve claims that it improperly transmitted members’ personal and health‑related information to third‑party analytics and advertising platforms via tracking tools on its website and mobile app from 2017 through 2024. The data allegedly included IP addresses, search terms and information about medical conditions. Up to 13 million members may be eligible to file claims; estimated payouts range from US$20 to US$40 per person. A court preliminarily approved the settlement in December 2025, and claims must be submitted by March 12 2026.
Why it matters: This settlement highlights rising litigation risk from web‑tracking technologies that share sensitive data without adequate disclosures or consent. Regulators and plaintiffs’ attorneys are scrutinising analytics tools embedded in healthcare websites and apps.
Action items:
- Audit your organisation’s use of cookies, pixels and third‑party tracking tools. Disable or reconfigure any tools that transmit protected health information without valid authorization or business associate agreements.
- Update privacy policies to clearly explain data‑sharing practices and provide opt‑out mechanisms.
- Educate marketing teams about the risks of deploying analytics scripts on patient‑facing portals.
Central Maine Healthcare raises breach count to 145,381 after forensic review
What happened: After months of investigation, Central Maine Healthcare disclosed that an unauthorized actor had access to its network from March 19 to June 1 2025 and that the breach ultimately affected 145,381 patients and employees – far more than the eight individuals initially reported. Forensic analysis found that names, dates of birth, treatment information, dates of service, provider names, health insurance information and some Social Security numbers were compromised. The organisation issued letters to affected individuals in December 2025 and filed an updated notice with the Maine Attorney General on January 12 2026. The breach had a dwell time of 74 days, highlighting the challenges of detecting intrusions.
Why it matters: The significant increase in affected individuals illustrates how initial breach reports often underestimate the scope until forensic investigations are completed. Extended dwell times increase exposure and remediation costs. Organisations must ensure that state notification deadlines are met while also communicating that numbers may change as investigations proceed.
Action items:
- Strengthen network monitoring and intrusion‑detection systems to reduce dwell time and catch unauthorized access sooner.
- Maintain transparent communication with regulators and patients, updating counts as more information becomes available.
- Apply multi‑factor authentication and least‑privilege access to minimise lateral movement by attackers.
Vendor breach exposes LifeLong Medical Care patients via TriZetto Provider Solutions
What happened: Law firm Federman & Sherwood reported a data breach involving LifeLong Medical Care, a community health centre whose business associate TriZetto Provider Solutions experienced unauthorized access beginning in November 2024. The compromised data may include names, Social Security numbers, dates of birth, contact information and medical and health‑insurance details. The investigation is ongoing, and the law firm is exploring whether vendor oversight and security safeguards were adequate.
Why it matters: The incident highlights the downstream risk posed by vendors that handle protected health information on behalf of covered entities. Under HIPAA, covered entities must ensure that business associates implement appropriate safeguards and report breaches promptly.
Action items:
- Review business associate agreements to ensure vendors are obligated to notify you of breaches and maintain robust security measures.
- Conduct periodic audits of high‑risk vendors and require documentation of their security controls.
- Update incident‑response plans to address breaches involving third‑party service providers.
Mid Michigan Medical Billing Service breach triggers class‑action investigation
What happened: A press release announced that law firm Lynch Carpenter is investigating potential claims against Mid Michigan Medical Billing Service (MMMBS) following a data breach. The release states that an unauthorized person accessed MMMBS’s network and may have obtained a wide range of personal and medical information, including names, dates of birth, government‑issued IDs, Medicare/Medicaid numbers, diagnosis and treatment information, medical record numbers, health‑insurance details, payment card numbers, provider names, biometric data and Social Security numbers. Approximately 30,000 individuals were impacted.
Why it matters: The breadth of information compromised – ranging from medical diagnoses to payment‑card and biometric data – poses serious identity‑theft risks. The incident serves as a reminder that billing and revenue‑cycle vendors are attractive targets for attackers.
Action items:
- Monitor vendor networks and ensure that critical systems are segmented to reduce the impact of unauthorized access.
- Consider offering credit monitoring and identity‑theft protection to affected individuals, even before litigation forces it.
- Conduct tabletop exercises involving billing systems to prepare for potential ransomware or data‑exfiltration attacks.
Closing Remarks
The week ending January 19 2026 illustrated how quickly the compliance landscape can shift. Regulatory clarifications (particularly around the February 16 NPP deadline) intersected with evolving threats like AI‑agent exploits and malicious browser extensions. Compliance teams should take this opportunity to:
- Finalize NPP revisions and train staff on Part 2 confidentiality rules.
- Document recognized security practices to benefit from the HIPAA Safe Harbor.
- Apply available patches for ServiceNow and audit browser extensions to prevent account hijacking.
As always, maintain open communication with leadership and vendors about cybersecurity readiness. If you have questions or need assistance interpreting these updates, don’t hesitate to reach out. Hale Insights will return next week with another roundup of developments in HIPAA compliance, cybersecurity and privacy. Until then, stay vigilant and take time to care for your team.