The HealthSec Blog
Hale Insights - July 11, 2025
July 14, 2025

Good Morning Everyone,

This week’s roundup highlights critical developments impacting cybersecurity and data privacy within the healthcare sector. With rising concerns surrounding hacking incidents, important regulatory actions, and significant settlements, staying informed on best practices and compliance measures is more crucial than ever. Dive into the details below:

Industry Trends

Hacking Incidents Lead Health Data Breach Trends in 2025

Midway through 2025, health data breaches continue to be primarily driven by hacking incidents, including ransomware attacks. According to the U.S. Department of Health and Human Services, there have been 345 major HIPAA breaches reported so far this year, affecting nearly 29.9 million people. Hacking and IT incidents constitute the majority, with 258 cases impacting around 28.8 million individuals—representing 97% of those affected. Yale New Haven Health reported the largest breach, affecting 5.5 million patients, while Episource experienced a significant ransomware attack affecting 5.4 million people. Incidents involving third-party business associates accounted for 37% of the breaches but impacted over half of the affected individuals. Experts emphasize that healthcare entities should enforce stringent cybersecurity measures, especially when working with third-party vendors, to minimize the risk and scope of future breaches. Learn more at BankInfo Security

Regulatory Updates

HIPAA Waiver Issued for Texas Public Health Emergency

In response to severe storms, straight-line winds, and flooding in Kerr County, Texas, a limited waiver of HIPAA sanctions and penalties has been issued following a Major Disaster Declaration signed by President Donald J. Trump and a public health emergency declaration by Secretary Robert F. Kennedy, Jr. This waiver allows hospitals in the emergency area that have implemented a disaster protocol to temporarily forgo certain HIPAA Privacy Rule requirements, including obtaining patient consent to speak with family members, honoring patient directory opt-out requests, distributing privacy notices, and accommodating requests for privacy restrictions and confidential communications. This waiver is valid for up to 72 hours after implementation of the hospital’s disaster protocol or until the emergency declaration ends, whichever occurs first. Importantly, even without the waiver, the HIPAA Privacy Rule permits patient information sharing to facilitate treatment, support public health activities, notify family and friends involved in a patient's care, and mitigate imminent dangers. Hospitals are encouraged to continue applying reasonable safeguards to protect patient information throughout the emergency. Learn more at HHS.gov

Senate HELP Committee Debates Cybersecurity and Data Privacy

The Senate Health, Education, Labor and Pensions (HELP) committee recently debated cybersecurity and consumer health data privacy concerns, focusing on vulnerabilities affecting healthcare organizations. Chaired by Senator Bill Cassidy, the hearing addressed the need for stronger cybersecurity policies, particularly Cassidy's proposed Health Care Cybersecurity and Resiliency Act of 2024, aimed at providing grants for cyberattack victims and enhancing federal coordination during incidents. Discussions also highlighted cybersecurity issues faced by rural hospitals, exacerbated by financial constraints and Medicaid cuts under recent legislation. Witnesses and senators emphasized the urgent need for federal support, including leniency in breach reporting, deadline extensions, advanced payment assistance, and liability reduction. There was also advocacy for a unified federal privacy law to replace the current state-level patchwork, reducing complexity and promoting consistent data protection nationwide. Learn more at Fierce Healthcare

Enforcement Actions

OCR Settles HIPAA Violations with Deer Oaks Behavioral Health

Deer Oaks Behavioral Health, a provider of psychological and psychiatric services, has agreed to pay $225,000 to settle potential violations of HIPAA Privacy and Security Rules. The Office for Civil Rights (OCR) initiated its investigation after two incidents—one involving unauthorized disclosures of electronic protected health information (ePHI) due to a coding error in an online patient portal, and another following a ransomware attack affecting approximately 172,000 individuals. OCR’s investigation determined that Deer Oaks failed to conduct an accurate and thorough risk analysis, leaving significant vulnerabilities unaddressed. As part of the settlement, Deer Oaks is required to implement a comprehensive corrective action plan, including annual risk analyses, development of risk management plans, regular updating of HIPAA compliance policies, and annual workforce training. This enforcement underscores OCR's commitment to ensuring healthcare organizations maintain robust cybersecurity measures and adhere strictly to HIPAA regulations to protect patient data. Learn more at HHS.gov

East Carolina Health Settles Data Leak Lawsuit for $250,000

East Carolina Health (EC Health) has agreed to a $250,000 settlement to resolve a class action lawsuit arising from a 2023 data breach affecting 19,085 individuals. The breach, originating at East Carolina University’s Brody School of Medicine, resulted from inadvertent access to electronic files containing patients’ protected health information (PHI) by unauthorized ECU students, employees, and clinicians between July 2022 and January 2024. The exposed data included names, health insurance details, and diagnostic and clinical information. The lawsuit alleged negligence, breach of implied contract, unjust enrichment, and violations of North Carolina’s Identity Theft Protection Act and Unfair Trade Practices Act. EC Health denies wrongdoing but agreed to the settlement to avoid ongoing litigation costs and uncertainty. Affected individuals can claim either documented expense reimbursements up to $100 or a flat cash payment of $100, subject to adjustment based on claim volume. The final fairness hearing is scheduled for September 15, 2025. Learn more at HIPAA Journal

Closing Thoughts

With significant breaches, evolving regulatory landscapes, and ongoing legal actions, healthcare organizations face increasing scrutiny regarding their cybersecurity and data privacy practices. Prioritizing robust risk assessments, proactive cybersecurity measures, and compliance with regulatory updates remains essential. Let's stay ahead by continuously reviewing and strengthening our defenses.

Stay vigilant, and have a secure week!

Tags: compliance, cybersecurity, data breach, healthcare, HIPAA, risk assessment