
Hello and welcome to the latest edition of Hale Insights!
We hope this finds you well and thriving as we close out the week ending January 26, 2026. In this issue, we spotlight the most pressing updates in HIPAA compliance, cybersecurity, and privacy—covering everything from a significant Minnesota DHS breach to new guidance from the OCR. These developments underscore why staying informed and proactive is essential for protecting patient data and maintaining regulatory peace of mind. Let's dive into the highlights and make sure your organization is prepared for what’s next.
Regulatory & Legal Updates
OCR sharpens focus on risk management and system hardening
What happened – The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) used its January 2026 Cybersecurity Newsletter to expand its risk‑analysis enforcement initiative. The guidance explains that OCR will expect HIPAA‑regulated entities to move beyond simply identifying risks; entities must demonstrate timely, documented actions to reduce vulnerabilities to electronic protected health information (ePHI). OCR positions system hardening as an explicit HIPAA Security Rule requirement and defines it as customizing electronic systems to reduce their attack surface through patching known vulnerabilities, disabling unnecessary software and services, and properly configuring security controls. The newsletter reminds covered entities that medical devices are in scope, emphasizes continuous patch management, and links system hardening to both risk analysis and ongoing risk management. OCR also highlights that many breaches stem from misconfiguration and unused accounts; reducing unused software and orphaned service accounts is therefore critical.
Why it matters – The update signals a major shift in OCR’s enforcement posture. Risk management—not just risk identification—will be scrutinized. Covered entities will need to prove they acted on identified risks and sustained those actions over time. Failure to document remediation could increase the likelihood of monetary penalties during audits and breach investigations.
Action items –
- Refresh security programs to include asset inventories, patch management, and system‑hardening baselines (e.g., NIST SP 800‑53) tailored to your environment.
- Document risk‑reduction steps taken after assessments and include these records in compliance documentation.
- Review medical device security practices and ensure vendors provide patch and security guidance.
Health systems warn TEFCA about “bad actor” access to patient records
What happened – More than 60 U.S. health systems sent a letter to the Trusted Exchange Framework and Common Agreement (TEFCA) governing body, the Sequoia Project, urging it to tighten security rules. They noted that current frameworks allow anyone claiming to be a health‑care provider to join the national exchange and request patient records, which could let “bad actors” obtain sensitive health information. The letter follows Epic Systems’ lawsuit alleging that Health Gorilla and other companies abused interoperability networks to monetize patient data.
Why it matters – TEFCA is expected to become a major conduit for nationwide health‑information exchange. Weak identity‑verification procedures could expose patient data to fraudulent actors. Compliance teams should monitor TEFCA governance and participate in discussions to ensure adequate vetting and auditing of participants.
Action items –
- Evaluate policies for sharing records via TEFCA and ensure participation agreements include appropriate vetting.
- Follow developments from the Sequoia Project and Epic’s litigation to understand future changes to interoperability frameworks.
Michigan Attorney General demands faster breach notification after Munson/Cerner incident
What happened – After a cyberattack at Munson Healthcare’s electronic health‑record vendor (Cerner/Oracle Health) compromised patient names, Social Security numbers, medical record numbers, diagnoses and other medical data, Michigan Attorney General (AG) Dana Nessel reissued a consumer alert on January 23, 2026. Nessel highlighted that state law does not require immediate notification to her office and called for legislation mandating prompt breach reports. She also advised consumers to use free credit monitoring, enable multifactor authentication, watch for phishing emails and review credit reports.
Why it matters – The Munson incident affected more than 100,000 patients and illustrates the hazards of delayed breach notification. State attorneys general may push for statutory amendments imposing shorter notification windows, which would affect covered entities and business associates.
Action items –
- Review state‑specific breach notification laws to ensure compliance with evolving requirements.
- Prepare incident response plans that include rapid escalation and notification to regulators and consumers.
- Educate patients about credit monitoring and fraud‑prevention steps recommended by state authorities.
ChristianaCare and Oracle Health face class‑action suit over 2025 breach
What happened – Delaware’s largest health system, ChristianaCare, and its vendor Oracle Health (Cerner) were named in a class‑action lawsuit filed on December 17, 2025. Plaintiffs allege that the defendants negligently allowed hackers to harvest sensitive patient information and then obscured details of the January 2025 breach by delaying notifications until November. The suit seeks restitution and an injunction to improve data security.
Why it matters – Legal exposure for delayed breach notifications and vendor‑caused incidents is increasing. The case underscores the need for robust contracts, due diligence, and oversight of electronic health‑record vendors. It also foreshadows potential litigation when notification delays are attributed to law‑enforcement requests, as happened here.
Action items –
- Re‑evaluate vendor risk management and include provisions for timely breach reporting, cybersecurity controls, and indemnification.
- Document all communications with law enforcement during breaches to justify any notification delays.
- Track the outcome of this case for precedent on vendor liability.
FTC halts deceptive telemarketing of limited‑benefit health plans
What happened – The Federal Trade Commission (FTC) obtained a temporary restraining order against Top Healthcare Options Insurance Agency and related defendants in Florida. The complaint alleges that the defendants used websites advertising Affordable Care Act (ACA) coverage to collect consumers’ information and then telemarketed limited‑benefit health plans as if they were comprehensive insurance. The FTC accuses the companies of violating the Telemarketing Sales Rule and the FTC Act, and seeks refunds and other relief.
Why it matters – Deceptive marketing of insurance products can lead consumers to unknowingly purchase inadequate coverage, which is particularly dangerous when medical care costs are involved. The case reinforces the need for healthcare organizations and brokers to provide clear and accurate representations of their products.
Action items –
- Review marketing scripts and materials to ensure they accurately describe coverage.
- Train call‑center staff on permissible telemarketing practices under FTC regulations.
- Monitor FTC enforcement actions for guidance on compliance.
Cybersecurity Updates and Breach Notices
Minnesota DHS: User misused over‑privileged access to view 304,000 individuals’ data
What happened – The Minnesota Department of Human Services (DHS) disclosed that an individual affiliated with a licensed service provider used the MnCHOICES assessment system to access the demographic information of approximately 304,000 people. The data included names, sex, dates of birth, home addresses, Medicaid identification numbers and the last four digits of Social Security numbers. The unauthorized access persisted for nearly a month before FEI Systems, the state’s vendor, detected unusual activity and notified the DHS, which launched an investigation and began notifying affected individuals.
Why it matters – This incident highlights the dangers of over‑privileged user accounts and insufficient monitoring. Although the user had legitimate credentials, they viewed more data than necessary. The MnCHOICES system is managed by FEI Systems, a third‑party vendor that functions as a business associate under HIPAA. Business associates must report breaches of protected health information to covered entities, and covered entities should ensure their Business Associate Agreements (BAAs) clearly distinguish “unauthorized access” from a reportable “breach” and set expectations for timely notice. Compliance teams should verify that workforce members have only the minimum access required to perform their duties and that vendors adhere to contractual obligations.
Action items –
- Conduct role‑based access reviews and remove unnecessary privileges in assessment and case‑management systems.
- Implement continuous monitoring and alerting to detect unusual access patterns.
- Provide notification letters and credit‑monitoring services promptly to affected individuals.
- Review Business Associate Agreements (BAAs) with vendors to ensure definitions of “unauthorized access” versus “breach” are explicit and that notification obligations are documented.
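The monitoring and alerting item above is the kind of control that would have caught the MnCHOICES misuse sooner. The following is an added example, not code from the newsletter, from Minnesota DHS or from FEI Systems: it reads constructed assessment-system access-log lines (the format, user names and thresholds are assumptions) and flags any account that views many times more distinct individuals than its role peers.

```python
"""Flag accounts whose record-access volume is far above their role peers."""
from collections import defaultdict
from statistics import median

# Constructed sample log lines: timestamp user role record_id action.
# Three assessors each view a few individuals; assessor04 views 120.
SAMPLE_LOG = """\
2026-01-05T09:12:01Z assessor01 assessor 100231 VIEW
2026-01-05T09:40:17Z assessor01 assessor 100232 VIEW
2026-01-05T10:05:44Z assessor02 assessor 100410 VIEW
2026-01-05T10:31:09Z assessor02 assessor 100411 VIEW
2026-01-05T10:33:50Z assessor02 assessor 100412 VIEW
2026-01-05T11:02:33Z assessor03 assessor 100590 VIEW
2026-01-05T11:15:21Z assessor03 assessor 100591 VIEW
2026-01-05T11:16:02Z assessor03 assessor 100591 VIEW
""" + "".join(
    f"2026-01-05T{8 + i // 30:02d}:{(i % 30) * 2:02d}:00Z "
    f"assessor04 assessor {200000 + i} VIEW\n"
    for i in range(120)
)


def parse_log(text):
    """Parse whitespace-separated lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, record_id, action = parts
        events.append({"ts": ts, "user": user, "role": role,
                       "record": record_id, "action": action})
    return events


def distinct_records_per_user(events, action="VIEW"):
    """Map (user, role) -> set of distinct record ids the user viewed."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] == action:
            seen[(e["user"], e["role"])].add(e["record"])
    return seen


def find_overreach(events, ratio=5.0, floor=25):
    """Return (user, count, peer_median) for users who viewed at least `floor`
    distinct records and more than `ratio` times the median of their role peers.
    A user with no peers is judged on the absolute floor alone."""
    per_user = distinct_records_per_user(events)
    by_role = defaultdict(dict)
    for (user, role), recs in per_user.items():
        by_role[role][user] = len(recs)
    alerts = []
    for role, counts in by_role.items():
        for user, n in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            peer_med = median(peers) if peers else 0
            if n >= floor and n > ratio * peer_med:
                alerts.append((user, n, peer_med))
    return sorted(alerts)


if __name__ == "__main__":
    for user, n, peer_med in find_overreach(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {n} distinct records viewed (peer median {peer_med})")
```

In production the same comparison would run daily against the case-management system's audit trail, with the role baseline drawn from a trailing window rather than a single day.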
Telehealth provider Call‑On‑Doc faces allegations of massive data theft
What happened – A post on a hacking forum claimed that telehealth provider Call‑On‑Doc suffered a breach in December 2025 that exfiltrated 1,144,223 patient records. The purported dataset included patient codes, names, addresses, phone numbers, email addresses, medical conditions, prescriptions and payment information. Some entries contained sensitive sexually transmitted disease (STD) categories. The threat actor alleged that data were unencrypted and that the provider did not detect the attack. As of publication, Call‑On‑Doc had not responded to inquiries or issued notifications.
Why it matters – Telehealth providers hold large volumes of sensitive health and payment data but may operate outside traditional HIPAA‑covered models if they do not process insurance. However, the FTC’s Health Breach Notification Rule applies to vendors of personal health records and related entities that aren’t covered by HIPAA and requires them to notify affected individuals, the FTC and, in some cases, the media when there is an unauthorized acquisition of unsecured health information. The FTC has underscored that health apps and similar technologies are covered and has recently taken action against companies that failed to report unauthorized disclosures. Even if HIPAA does not apply, the FTC and state laws prohibit deceptive claims about security and impose breach‑notification obligations. The alleged breach underscores the need for encryption, intrusion detection and prompt disclosure.
Action items –
- Verify whether telehealth services are subject to HIPAA or state privacy laws and ensure security controls meet or exceed these requirements.
- Encrypt patient databases and perform regular penetration tests.
- Prepare response plans for potential data‑breach allegations, including public communications and regulatory notifications.
Laurel Health Centers (Pennsylvania) breach exposes PHI and financial data
What happened – Laurel Health Centers (LHC), a provider of medical, dental and chiropractic services, announced a cybersecurity incident in which an unauthorized person accessed its network. The attacker may have acquired records containing individuals’ names along with dates of birth, Social Security numbers, contact details, medical information (diagnoses, treatments, providers and service dates), insurance details, behavioral‑health information, immunization records and financial information (checking‑account or credit‑card numbers). Law firm Lynch Carpenter is investigating claims related to the breach.
Why it matters – The breadth of data involved (medical and financial) increases the risk of identity theft and medical fraud. The investigation by a class‑action law firm suggests potential litigation and regulatory scrutiny.
Action items –
- Determine the number of affected patients and notify them promptly, offering credit‑monitoring services.
- Assess whether payment card industry (PCI) compliance obligations were triggered, given the exposure of financial data.
- Review intrusion‑detection systems and network segmentation to prevent similar unauthorized access.
MACT Health Board, TriCity Family Services, HAP and Zenflow publish breach notifications
What happened – MACT Health Board (California) confirmed that an unauthorized party accessed its network between November 12 and 20, 2025. Investigators completed the file review on January 9, 2026 and determined that patient information—including names and combinations of diagnoses, test results, medical images, treatment information, doctor names and Social Security numbers—was compromised. Notification letters began mailing on January 23, 2026, and affected individuals with Social Security numbers were offered complimentary credit‑monitoring and identity‑theft protection services. The breach has not yet appeared on the HHS breach portal, so the total number of affected patients is unknown.
TriCity Family Services (Illinois) notified 2,511 patients of unauthorized access to its network from November 11, 2024 to May 14, 2025. Exfiltrated files contained names, dates of birth, presenting health issues, requested treatments, treatment locations and provider names; the electronic medical record system was not accessed. The mental‑health provider is reviewing policies and will enhance security measures.
Health Alliance Plan (HAP) (Michigan) reported that on October 24, 2025 an employee responded to a phishing email, giving an attacker access to an account with names, addresses, dates of birth, HAP identification numbers and a small number of Social Security numbers. While investigators could not confirm whether any data were accessed, HAP sent notifications to 1,059 individuals and offered two years of identity‑theft protection services.
Zenflow (California), a medical‑device company, disclosed a security incident that compromised names and Social Security numbers. Limited details about the timing and scope of the breach have been released, but the company is offering 24 months of credit monitoring to affected individuals.
Why it matters – These incidents span clinics, health plans and medical‑device companies, demonstrating that attackers target organizations of all sizes. Repeated themes include delayed discovery, long compromise windows and compromised credentials. Compliance teams should verify that vendors conduct timely investigations and provide robust notifications.
Action items –
- Ensure vendor risk assessments include requirements for rapid detection and disclosure of breaches.
- Offer identity‑theft protection services when Social Security numbers are involved.
- Use phishing‑resistant multifactor authentication to mitigate credential‑phishing attacks.
Munson Healthcare letters highlight vendor breach and regulatory concerns
What happened – On January 23, 2026, Munson Healthcare mailed letters to 100,181 patients, explaining that an unauthorized third party accessed the health‑system’s electronic health records via its vendor Cerner (Oracle Health) a year earlier. Compromised data included patient names, Social Security numbers and medical records (record numbers, doctors, diagnoses, medicines, test results, images, care and treatment). Munson attributed the delayed notification to law enforcement requests, while the Michigan AG criticized the delays and urged legislative reforms.
Why it matters – This case highlights the tension between law‑enforcement investigations and the HIPAA requirement to notify affected individuals within 60 days. It also shows how vendor breaches can propagate to multiple health systems, as Oracle Health indicated that as many as 80 hospitals may be affected.
Action items –
- Review contracts to clarify obligations when law enforcement requests notification delays and to require vendors to provide timely information.
- Implement data‑sharing inventories to identify which patients’ data reside with each vendor and expedite notifications.
- Support legislative efforts that balance investigative needs with consumer protection.
Insurance Office of America phishing breach
What happened – Insurance Office of America (IOA) discovered on June 30, 2025 that a phishing email allowed unauthorized access to its internal systems. The breach potentially exposed personally identifiable and protected health information, including names and insurance details. IOA notified customers, launched an investigation and is offering 24 months of free credit monitoring and identity‑protection services.
Why it matters – Phishing remains a leading cause of breaches in the insurance and benefits industry. IOA’s extended identity‑protection offer reflects the growing expectation that organizations provide long‑term support after incidents.
Action items –
- Conduct regular phishing simulations and refresher training for staff.
- Enforce email security measures such as DMARC, DKIM and SPF to reduce spoofed emails.
- Coordinate with insurers to determine whether cyber insurance covers extended credit monitoring.
Columbia Medical Practice ransomware and Jupiter Medical Center notice
What happened – Columbia Medical Practice in Maryland reported that a November 2025 ransomware attack exfiltrated patient data. Files contained names, addresses, Social Security numbers and health and insurance information. Although the practice recovered the encrypted files, it believes up to 3,000 individuals could be affected and is reviewing the files to identify those impacted. It plans to reinforce technical and administrative safeguards.
In a separate incident, Jupiter Medical Center in Florida began notifying patients about unauthorized access to electronic medical records due to a January 2025 breach involving vendor Cerner/Oracle Health. Law enforcement initially requested delayed notification. The center is offering two years of credit monitoring.
Why it matters – These incidents demonstrate the continued threat of ransomware and unauthorized access to patient records via vendors. They also highlight the need to balance law‑enforcement requests with timely patient notification.
Action items –
- Ensure ransomware resilience through offline backups, endpoint detection and response and network segmentation.
- Maintain incident logs and evidence in case of delayed public disclosure.
- Provide credit monitoring and identity‑theft protection as part of breach‑response protocols.
Conclusion
The past week underscores that HIPAA compliance is becoming more rigorous while cyber threats and legal actions continue to grow. OCR expects entities to act on identified risks, regulators are pushing for faster notifications and hospitals are demanding stronger interoperability security. Compliance teams should tighten vendor oversight, harden systems, and be ready for increased litigation and regulatory scrutiny.