Hale Insights - January 5, 2026

January 5, 2026

Welcome to this week’s Hale Insights. Each Monday, we distill the most pressing HIPAA compliance news and cybersecurity developments from the previous seven days so you don’t have to.  Our goal is to deliver actionable insights that help you protect patients’ data, meet regulatory obligations and anticipate emerging threats.

Privacy & Legal Updates

Telemedicine flexibilities extended through 2026

What happened:  On January 2, 2026, the U.S. Department of Health and Human Services (HHS) and the Drug Enforcement Administration (DEA) announced a fourth temporary extension of telemedicine flexibilities that allow clinicians to prescribe controlled medications without an in‑person visit.  The extension runs from January 1 through December 31, 2026.  Officials explained that the flexibilities have become a “lifeline” for millions of Americans; more than 7 million prescriptions were issued via telemedicine in 2024.  Without this action, there would have been a sudden return to pre‑pandemic restrictions—sometimes called the “telemedicine cliff”—that could have disrupted care.  The extension gives regulators additional time to finalize permanent rules, including a proposed Special Registration for Telemedicine, while maintaining existing requirements for legitimate medical purpose and licensure.

Why it matters:  Many patients—especially seniors, people living in rural areas and those receiving mental‑health or substance‑use‑disorder treatment—rely on telehealth to access medications.  This extension ensures continuity of care and signals that federal regulators intend to retain telehealth prescribing while refining guardrails.  Compliance teams should continue monitoring state and federal telemedicine policies and prepare for permanent rules.

Action items:

  • Confirm that prescribing practices meet current federal and state requirements for telehealth, including identity verification and documentation.
  • Educate providers about the temporary nature of the extension and the need to watch for future DEA rules establishing special telemedicine registrations.
  • Evaluate telehealth platforms for security and HIPAA compliance, ensuring privacy of telemedicine visits and prescription data.

New York governor vetoes the NY Health Information Privacy Act

What happened:  In late December 2025 New York Governor Kathy Hochul vetoed the New York Health Information Privacy Act (NY HIPA), a bill designed to give consumers broader privacy protections for health‑related data not covered by HIPAA.  The bill would have applied to non‑traditional entities—including employers, financial institutions and data brokers—and would have required organizations to maintain public data‑retention schedules and dispose of information accordingly.  Supporters argued the bill would strengthen protections, but opponents warned that its breadth would create confusion and compliance burdens.  Hochul’s veto memo cited the law’s broad scope and potential uncertainty about what information would be regulated.  Because two‑thirds of both legislative houses would be needed to override the veto, adoption is unlikely.

Why it matters:  The veto prevents a major expansion of state‑level health privacy rules that would have imposed data‑retention schedules, consent requirements and deletion obligations beyond HIPAA.  However, momentum toward targeted health‑privacy legislation continues: states such as Virginia, California, Washington, Nevada, Connecticut, Maryland and Texas have adopted sector‑specific laws in recent years.  Compliance officers should anticipate similar proposals in other jurisdictions and assess whether current practices would satisfy more stringent state requirements.

Action items:

  • Track state legislatures for new health‑privacy bills and be prepared to adjust data‑handling practices accordingly.
  • Evaluate whether your organization has clear data‑retention schedules and deletion procedures, even when not legally mandated.
  • Review contracts and vendor agreements to ensure they address state‑specific privacy obligations and consumer rights.

Breach & Incident Notices

AllerVie Health confirms ransomware attack

What happened:  Allergy‑specialty provider AllerVie Health confirmed that it suffered a ransomware attack.  According to the company’s breach notice, unusual network activity was discovered on November 2, 2025, and investigators later determined that unauthorized actors accessed systems from October 24 to November 3, 2025.  The ANUBIS ransomware group is suspected.  Exposed data include names, Social Security numbers, driver’s‑license or state ID numbers and other personally identifiable information.  AllerVie notified state attorneys general and began mailing breach notices on December 23 and 26, 2025.  According to its official letter, the organization reset system credentials, notified law enforcement, engaged forensic experts and is offering complimentary credit‑monitoring and identity‑protection services through Cyberscout.

Why it matters:  Ransomware attacks remain a top threat to healthcare organizations.  This incident highlights how attackers can dwell in networks for more than a week before discovery and underscores the value of proactive monitoring and rapid response.  The breach also demonstrates the growing trend of double‑extortion (data theft plus encryption) used by groups like ANUBIS.

Action items:

  • Evaluate whether your organization’s intrusion‑detection tools and logging would promptly detect unauthorized access.
  • Confirm that backups are offline and that incident‑response plans address ransomware scenarios, including communication with law enforcement.
  • Provide employees with ongoing phishing training, and enforce multi‑factor authentication (MFA) on all remote‑access systems.

Aultman Health System/Cerner vendor breach

What happened:  Ohio‑based Aultman Health System announced that its third‑party electronic health‑record (EHR) vendor, Cerner (now Oracle Health), experienced a security incident on legacy systems.  Investigators determined that an unauthorized third party gained access to patient data as early as January 22, 2025.  Law‑enforcement officials instructed Cerner to delay notifying hospitals and patients, which postponed disclosure until late 2025.  Exposed information may include names, Social Security numbers, medical record numbers, treating doctors, diagnoses, medications, test results, images and details about care and treatment.  Cerner is offering two years of identity‑protection and three‑bureau credit‑monitoring services through Experian, and affected individuals are being notified directly.

Why it matters:  The incident underscores the risks inherent in third‑party EHR vendors and legacy systems.  A breach that went undetected for months—and then was kept under wraps at law‑enforcement request—places providers in a difficult position when communicating with patients.  It also demonstrates the importance of vendor‑risk management and the need to decommission or isolate legacy systems.

Action items:

  • Conduct due diligence on all EHR and cloud vendors, ensuring contracts require timely breach notification and strong security controls.
  • Inventory and segment legacy systems; migrate data to supported platforms or retire those systems.
  • Review insurance policies and contracts to determine coverage for vendor‑caused breaches.

Hope Cooperative email compromise

What happened:  Sacramento‑based mental‑health provider TLCS, Inc. d/b/a Hope Cooperative detected suspicious activity involving an employee email account on February 3, 2025.  A forensic investigation determined that the account was accessed without authorization between January 15 and February 3, 2025.  The compromised mailbox contained a wide range of personal and health information—names, Social Security numbers, addresses, dates of birth, driver’s‑license numbers, financial information and detailed medical and insurance data.  After confirming the breach, Hope Cooperative secured the account, engaged cybersecurity specialists and implemented additional security measures.  It is notifying individuals directly and has set up a call center for assistance.

Why it matters:  Employee email accounts often store large volumes of sensitive data.  This incident highlights the danger of phishing or credential theft and the potential for weeks of unauthorized access before detection.  The breadth of information exposed—ranging from financial‑account details to mental‑health diagnoses—creates significant identity‑theft and privacy risks.

Action items:

  • Require MFA for all email accounts and prohibit employees from storing PHI in unsecured mailboxes.
  • Implement anomaly‑detection tools that flag unusual email logins or bulk downloads.
  • Conduct regular phishing‑awareness training and simulate attacks to test employee readiness.
  • Develop clear policies for secure communication and storage of PHI.

Manage My Health (New Zealand) cyber breach update

What happened:  Manage My Health (MMH), a New Zealand patient‑portal service, discovered a cyber‑security incident on December 30, 2025.  In a January 5, 2026 update, the company apologized for the anxiety caused and acknowledged that it could have communicated better.  MMH explained that it has been working with Health New Zealand, the police and other agencies to secure systems and verify information before notifying practices and patients.  The update noted that the company obtained High Court injunction orders to prevent third parties from accessing or disseminating any stolen data.  Direct communications with general practices began on January 5; each practice will receive a confidential list of affected patients through a secure portal, and general practitioners will be given guidance on supporting patient inquiries.  Notification to patients will start once practices are prepared, and a dedicated helpline will be established for affected individuals.  MMH emphasized that under New Zealand’s Privacy Act 2020 and Health Information Privacy Code, notification obligations sit with the agency that holds the data, requiring coordination among multiple data controllers.  An independent forensic investigation continues.

Why it matters:  Though MMH operates outside the United States, many healthcare organizations use international service providers.  The case underscores the importance of cross‑jurisdictional compliance and rapid communication after a breach.  The company’s use of court injunctions to prevent dissemination of stolen data is noteworthy and may serve as a template for future incidents.  It also illustrates the complexities of notifying affected individuals when multiple entities control the data.

Action items:

  • If your organization contracts with international vendors or operates overseas, ensure breach‑response plans align with local privacy laws (e.g., New Zealand’s Privacy Act 2020).
  • Work with legal counsel to consider injunctive relief against data‑leak sites in severe breaches.
  • Develop coordinated notification procedures when multiple data controllers are involved in a platform or portal.
  • Provide clear, timely communications to both providers and patients to maintain trust during incident response.

Cybersecurity Alerts & Trends

Third‑party and vendor vulnerabilities – The Aultman/Cerner breach and the MMH incident illustrate how vulnerabilities in third‑party systems or legacy platforms can compromise PHI even when healthcare providers’ own networks are secure.  Conduct formal vendor‑risk assessments, ensure contracts require security controls and timely breach notifications, and prioritize decommissioning or isolating legacy systems.

Ransomware and double‑extortion – The ransomware attack on AllerVie Health underscores the continuing prevalence of ransomware in healthcare.  Threat actors like ANUBIS employ double‑extortion tactics—stealing data and threatening public release unless a ransom is paid.  Maintaining offline backups, implementing MFA and practicing incident‑response drills remain critical.

Delayed notifications and law‑enforcement involvement – The Aultman/Cerner and MMH cases show that law‑enforcement investigations can delay public disclosure of breaches.  Compliance teams should plan for these scenarios, balancing investigative needs with timely communication to patients.

Email account compromises – Hope Cooperative’s breach highlights how a single compromised mailbox can expose extensive PII and PHI.  Enforce MFA on email, restrict PHI in email, and deploy anomaly‑detection tools to flag suspicious access.

Evolving regulatory landscape – Federal agencies are extending telemedicine flexibilities while states consider expanding health‑data privacy laws.  The New York governor’s veto of NY HIPA and similar initiatives in other states demonstrate the importance of monitoring legislative activity and preparing for divergent state requirements.

Closing Thoughts

The past week’s news reinforces that privacy and security risks are both diverse and persistent—ranging from ransomware to vendor breaches and evolving legal frameworks.  For compliance teams, the key takeaways include:

  1. Strengthen vendor‑risk management – Evaluate third‑party and legacy systems for security controls, contractual obligations and timely breach notification requirements.
  2. Enhance incident‑response and communication plans – Develop plans that address ransomware, vendor breaches and email compromises.  Practice tabletop exercises and ensure coordination with law enforcement and regulatory bodies.
  3. Improve access controls and monitoring – Adopt MFA, role‑based access and anomaly‑detection tools for sensitive systems, including email and portals.
  4. Prioritize staff training and awareness – Provide regular phishing and privacy training, and emphasize secure handling of PHI across email, portals and physical records.
  5. Stay ahead of regulatory changes – Monitor federal telemedicine policies and state‑level privacy legislation.  Prepare internal policies and data‑retention schedules that meet or exceed pending requirements.

By staying informed and proactively addressing these issues, healthcare organizations can strengthen their compliance programs, protect patient data and maintain the trust of the communities they serve.