
Good Morning Everyone,
This week’s roundup highlights important events that affect HIPAA compliance and data‑privacy obligations for healthcare organizations. From a surge in hacking incidents and new state‑level legislation to court rulings and enforcement actions, staying informed helps compliance teams prepare for emerging risks and adjust policies accordingly. Below is a summary of notable trends, regulatory updates and enforcement actions from the past week.
Industry Trends
H1 2025 breach trends: more incidents, fewer victims
The Identity Theft Resource Center’s mid‑year breach report paints a paradoxical picture of data‑breach risk. It records 1,732 data compromises in the first half of 2025, an 11% increase over the same period last year. Yet the number of individuals affected fell sharply to 165 million victims, largely because there have been no “mega‑breaches” on the scale of Change Healthcare’s 2024 incident. Cyberattacks remain the predominant cause of breaches—77.83% of reported events—and supply‑chain attacks are rising: 79 incidents targeted third‑party vendors and impacted 690 entities and 78.3 million people. This dynamic is similar to a thief breaking into many small houses instead of one giant mansion; the total number of burglaries rises, but the average haul per event is smaller. Compliance teams should not become complacent—breach counts are climbing and adversaries are increasingly using AI‑powered phishing.
Recent breach disclosures and cyber‑incident claims
- Radiology Associates of Richmond Breach (Virginia) – Hacking activity in April 2024 allowed criminals to exfiltrate patient names, dates of birth, Social Security numbers, bank‑account information and other medical data. The practice notified OCR that 1,419,091 individuals were affected and lawsuits have been filed.
- Zumpano Patricios Law Firm Breach (Florida) – The law firm, acting as a business associate for healthcare clients, discovered a network intrusion on May 6 and found that spreadsheets containing names, health‑plan member IDs, insurance information and limited Social Security numbers were exposed. About 279,275 individuals were affected. This incident underscores that law firms and other third‑party vendors can introduce significant risk.
- Stormous Ransomware Group Claim – On July 17 the Stormous ransomware group claimed it had stolen personal and health data on 600,000 patients of North Country HealthCare, threatening to sell 100,000 records and release the remaining 500,000 for free. North Country HealthCare responded that an investigation found no evidence of a breach, and outside experts believe much of the data posted is fabricated. The episode highlights the importance of verifying threat claims before disclosing them to patients.
- Life Care Services E‑mail Compromise – Attackers gained access to employee email accounts at multiple senior‑living communities managed by Life Care Services during September 5–11, 2024. Exposed data included names, Social Security numbers, financial and medical information, and even biometric data; the number of impacted individuals has not been disclosed. Notifications began July 11 and credit monitoring is being offered.
Takeaways for compliance teams
- Third‑party risk – A substantial portion of breaches involve business associates. Compliance officers should treat vendor management like a relay race: no matter how fast the first runner (the covered entity) is, one weak handoff can lose the race. Conduct due‑diligence audits and ensure service agreements impose robust security obligations.
- Supply‑chain attacks – With 79 supply‑chain attacks affecting 78 million people, threat actors are treating connected organizations like dominoes—knock over one vendor and several covered entities may fall. Mapping data flows and limiting data sharing to the minimum necessary can reduce the blast radius.
- Phishing and social engineering – The Integrated Oncology Network incident shows that sophisticated phishing campaigns can compromise not only email but also cloud file repositories. Regular security‑awareness training and multi‑factor authentication (MFA) for email and cloud services are critical defenses.
Regulatory Updates
Texas enacts comprehensive EHR security law
Texas Governor Greg Abbott signed S.B. 1188 on July 18 to strengthen security and oversight of electronic health records (EHR). Key provisions include:
- U.S.‑based storage – All electronic medical records for Texas patients must be physically stored in the United States, even when cloud providers or subcontractors are used. The storage requirement takes effect January 1, 2026. By mandating domestic data centers, Texas hopes to reduce jurisdictional risks and ensure U.S. legal protections apply.
- Access controls – Covered entities must ensure that EHR data is accessible only to personnel who need it to perform their duties and that parents or guardians can access minors’ records unless restricted by law.
- AI use for diagnostics – Healthcare practitioners may use artificial‑intelligence tools for diagnostic purposes only if they inform patients beforehand, the AI tools are within their professional scope and the practitioner reviews AI‑generated records in accordance with Texas Medical Board standards.
- Biological sex and record amendments – The law defines biological sex strictly and requires EHRs to record sex at birth; changes can be made only to correct clerical errors or to document a diagnosed disorder of sexual development.
- Prohibited data – EHRs may not collect or store information about patients’ credit scores or voter‑registration status.
- Penalties – Civil penalties start at $5,000 per negligent violation and climb to $250,000 if violations involve deliberate misuse of PHI for financial gain. Most provisions take effect September 1, 2025.
For compliance teams, Texas’s law serves as a reminder that state legislatures are stepping in to regulate health data. Organizations operating in multiple states should monitor differing requirements and incorporate them into their HIPAA risk analyses.
Court vacates reproductive‑health privacy rule
On June 18 the Northern District of Texas issued a decision in Purl v. HHS vacating the 2024 HIPAA Reproductive Health Privacy Final Rule nationwide. The Final Rule had prohibited disclosures of PHI related to reproductive health care without patient consent and required requesters to submit signed attestations; it was intended to limit prosecutions in states restricting abortion. The court held that the rule unlawfully interfered with mandated child‑abuse reporting and exceeded HHS’s statutory authority by redefining terms such as “person” and “public health,” leading to its vacatur. Because the decision vacated almost all provisions except those relating to federally assisted substance‑use disorder records, covered entities no longer need to collect reproductive‑health attestations. However, states like Rhode Island, California and Connecticut have enacted their own reproductive‑health privacy laws that continue to impose disclosure restrictions.
Compliance teams should promptly review and update Notice of Privacy Practices, business‑associate agreements and policies to remove attestation requirements, and monitor state law obligations.
Proposed Security Rule update: annual penetration testing and more
HHS has proposed a significant update to the HIPAA Security Rule aimed at bolstering cybersecurity resilience. The draft would:
- Mandate annual penetration tests conducted by qualified personnel for all covered entities and business associates. Pen tests must occur at least every 12 months or more frequently if risk analyses warrant it.
- Require semi‑annual vulnerability scans, implementation of MFA and encryption for all systems storing or transmitting electronic PHI, and documented audits of security controls at least annually.
- Demand up‑to‑date technology asset inventories and network diagrams, ensuring organizations know where their data resides and how it flows.
- Expect recovery procedures to be carried out within 72 hours following a security incident.
The proposal responds to the persistent growth of healthcare cyberattacks and is intended to shift the industry from a “check‑the‑box” mentality to continuous improvement. Critics worry that annual pen testing could overwhelm small providers, but regulators argue that baseline security is a cost of doing business in critical infrastructure sectors.
HIPAA flexibilities during Texas disaster
In response to severe storms and flooding in Texas, the HHS Secretary declared a public health emergency and issued a limited waiver of HIPAA sanctions and penalties. For hospitals that activate their disaster protocols, the waiver temporarily suspends requirements to obtain patient consent to communicate with family members, honor patient directory opt‑out requests, distribute privacy notices and abide by requests for restrictions on PHI. The waiver lasts 72 hours from the start of a hospital’s disaster protocol or until the emergency ends. Even without the waiver, the HIPAA Privacy Rule permits PHI sharing for treatment and public health purposes, and hospitals must still apply reasonable safeguards to protect information (source: HHS disaster guidance referenced in CMS announcements).
Enforcement Actions and Settlements
Deer Oaks Behavioral Health settlement
The Office for Civil Rights settled with Deer Oaks Behavioral Health for $225,000 after two incidents: a coding error that inadvertently exposed patient discharge summaries via an online portal and an August 2023 ransomware attack that encrypted and exfiltrated data. OCR found the provider failed to conduct an accurate and thorough risk analysis, leaving vulnerabilities unaddressed. Under the corrective action plan, Deer Oaks must perform annual risk analyses, develop risk‑management plans, update policies and train its workforce. This settlement shows that accidental disclosures and cyberattacks alike can lead to enforcement if an organization lacks a documented risk‑assessment process.
Eisenhower Medical Center (California) Meta‑Pixel lawsuit settlement
Eisenhower Health agreed to an $875,000 settlement to resolve claims that it used Meta Pixel and other tracking tools on its website without adequate notice. Plaintiffs alleged that the tools transmitted sensitive patient information—including conditions, treatments, provider names and appointment dates—to Meta and Google. The hospital denied wrongdoing but will discontinue the use of Meta Pixel and similar trackers for at least two years, form a Web Governance Committee and require new disclosures before reinstating analytics software. The case illustrates the privacy risks of embedding third‑party analytics code and may foreshadow broader litigation around pixel tracking.
Northbay Healthcare breach settlement
Northbay Healthcare in California will pay $3.6 million to settle litigation over a 2024 cyberattack that exposed the data of approximately 569,000 individuals. Attackers accessed the network from January 11 to April 1, 2024 and stole names, dates of birth, Social Security numbers, passport and driver’s‑license numbers, medical and insurance information, biometric data, usernames and passwords, and financial information. Plaintiffs alleged negligence and violations of California privacy laws. Although the settlement is awaiting approval, it underscores that litigation costs can be significant even when there is no finding of wrongdoing.
Lessons from recent enforcement actions
- Risk analyses are non‑negotiable – Deer Oaks lacked an adequate risk assessment. Like a captain sailing without charts, failing to map risks makes it almost inevitable that an organization will hit unseen hazards.
- Third‑party tracking tools require caution – The Eisenhower settlement shows that pixels and analytics scripts can send PHI to marketing platforms. Teams should inventory website scripts, update privacy notices and implement consent banners where required.
- Multifaceted data exfiltration – The Northbay case involved theft of not only medical data but also financial and biometric information. Comprehensive incident‑response plans should account for such diverse data types and legal obligations.
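The script inventory recommended above can be started from the page source itself. The following is an added example (not code from the original roundup or from any organization named in it) that lists every script a page loads and flags well‑known marketing tags such as the Meta Pixel; the tracker host list, the inline call signatures, the hostname portal.example-hospital.org and the sample page are all assumptions constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve well-known marketing/analytics tags (assumed starter list; extend for your site).
TRACKER_HOSTS = {"connect.facebook.net": "Meta Pixel",
                 "www.googletagmanager.com": "Google tag (gtag/GTM)"}
# Inline calls that initialise the same tools (assumed signatures).
INLINE_CALL = re.compile(r"\b(fbq|gtag)\(")

class ScriptInventory(HTMLParser):
    """Collects external script sources and inline script bodies from one HTML page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append((urlparse(src).netloc.lower(), src))
        else:
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_trackers(html, own_host):
    """Return (tool, evidence) pairs for every script not served from own_host."""
    p = ScriptInventory()
    p.feed(html)
    findings = [(TRACKER_HOSTS.get(host, "unknown third-party script"), src)
                for host, src in p.external if host and host != own_host]
    for body in p.inline:
        for call in set(INLINE_CALL.findall(body)):  # dedupe repeated fbq()/gtag() calls
            findings.append(({"fbq": "Meta Pixel", "gtag": "Google tag (gtag/GTM)"}[call], "inline call"))
    return findings

# Constructed sample page: one first-party script, a Google tag, an inline Meta Pixel init,
# and an unrecognised third-party library.
SAMPLE_HTML = """<html><head>
<script src="/static/portal.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>fbq('init', '000000'); fbq('track', 'PageView');</script>
<script src="https://cdn.example-analytics.net/lib.js"></script>
</head><body>Appointment scheduling</body></html>"""
```

Running find_trackers(SAMPLE_HTML, "portal.example-hospital.org") reports the Google tag, the unrecognised third‑party library and the inline Meta Pixel call, while the first‑party /static/portal.js is ignored; the same function can be fed saved HTML from each page of a patient portal.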
Closing Thoughts
This week’s events underscore that healthcare cybersecurity and compliance remain in flux. Breaches are increasing even as victim counts decline, and attackers are exploiting both traditional hacking and social engineering avenues. State legislatures and courts are reshaping the regulatory landscape, from Texas’s EHR‑security law to the vacatur of the reproductive‑health privacy rule. Proposed federal security‑rule updates signal an expectation of more proactive defenses, including annual penetration tests and vulnerability scans. Meanwhile, OCR continues to enforce risk‑analysis and privacy‑rule requirements through settlements and corrective‑action plans.
Compliance teams should view these developments as both warnings and opportunities. By strengthening vendor oversight, enhancing incident‑response preparedness, updating policies in light of new laws and maintaining ongoing risk assessments, organizations can navigate the evolving landscape and better protect patient trust.
Stay vigilant, and have a secure week!