
Good Morning Everyone,
Privacy mandates and cybersecurity realities converged this week. On Capitol Hill, the revived “My Body, My Data” Act would lock down reproductive-health information, while OCR’s Risk Analysis Initiative is already producing nine settlements for missing or incomplete security risk assessments. Add a $600 K phishing settlement, a class action against Google over tracking pixels on hospital sites, and fresh breach notices—from a five-year insider at Jackson Health to a 4 TB “mega-ransomware” haul in Dubai—and the message is clear: regulators, litigators, and threat actors are all closing in on weak spots that hide in plain sight. Full details below:
Regulatory Updates
“My Body, My Data” Act re-introduced
Rep. Sara Jacobs (D-CA), together with Sens. Mazie Hirono (D-HI) and Ron Wyden (D-OR), has revived her 2022 bill that would sharply curtail how apps, advertisers, and data brokers handle reproductive-health information. The measure would bar companies from collecting, keeping, or sharing fertility- or abortion-related data unless it is strictly necessary to deliver a service the consumer requested, while obliging firms to honor deletion requests and craft easy-to-read privacy notices. Civil penalties would reach $10,000 per violation, putting period-tracker and location-data vendors directly in regulators’ sights. Privacy advocates such as EFF are already rallying support, warning that post-Dobbs legal subpoenas could weaponize unprotected health metadata. Learn more at Congress.gov
OCR’s “Risk Analysis Initiative” keeps risk assessments front-and-center
A deep-dive from ArentFox Schiff tallies nine settlements since late 2024—ranging from $10 K to $350 K and touching covered entities and business associates alike—where the common thread was a missing or incomplete enterprise-wide security risk analysis. OCR launched the initiative last October with a $90 K settlement against an Oklahoma ambulance service hit by ransomware and has since expanded the net to misconfigurations (wellness-plan server exposed to web crawlers) and unauthorized PACS access at a radiology group. Acting leadership has re-affirmed the effort, noting a 264 % jump in ransomware-related breaches since 2018, and warns that proof of a current, thorough risk analysis will be an early ask in every investigation. Bottom line: treat the SRA as a living document—map all ePHI stores, score vulnerabilities, and refresh after every major change. Learn more at JDSupra
Enforcement Actions
$600 K phishing-attack settlement sets the tone
HHS OCR’s April 23 resolution with PIH Health, Inc. marks its sixth monetary penalty of 2025 and underscores that basic email security remains an enforcement priority. Investigators found that a 2019 phishing campaign compromised 45 employee inboxes and 189,763 patient records—and that PIH waited past HIPAA’s 60-day clock to notify victims. Beyond the cash payment, a two-year corrective-action plan requires a fresh, enterprise-wide risk analysis, tighter MFA, and workforce retraining. Expect OCR to keep spotlighting timely breach reporting and phishing preparedness in upcoming audits. Learn more at HHS
Google tracking-tech lawsuit survives dismissal
U.S. District Judge Vince Chhabria refused to toss most claims in Doe v. Google LLC, a consolidated class action alleging Google’s Analytics code, pixels, SDKs, and cookies on hospital and clinic sites siphoned highly sensitive visit data—down to abortion-procedure selections on a Planned Parenthood page—and linked it to IP addresses for ad targeting. The court said it is “reasonable to infer” Google can re-identify IP-tied health interactions, allowing pre-2023 claims under the federal Wiretap Act, CIPA, CMIA, the California Constitution, and common-law privacy theories to proceed. Only breach-of-contract allegations and post-guidance data-collection claims were trimmed, after Google updated its help pages in 2023 instructing providers not to transmit PHI. The ruling underscores that healthcare sites using commercial tracking scripts remain litigation magnets unless they fully block or rigorously de-identify traffic data. Learn more at HIPAA Journal
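The ruling turns on what a patient-facing page actually loads from third parties, which is something a provider can inventory before a plaintiff does. The scanner below is an added example written for this newsletter, not code from Google, the court record, or any hospital; it walks a page's HTML and reports every script, image, iframe, resource link, and inline-loader URL that points at a host outside a first-party allowlist. The hostnames, the allowlist, and the sample page are all constructed for illustration.

```python
"""Inventory third-party resource loads on a patient-facing HTML page.

Added example; hosts, allowlist and page content are constructed.
Anything that loads from a host outside FIRST_PARTY is reported so the
site owner can block it, move it off patient pages, or document why the
traffic it receives is de-identified.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the hospital itself operates.
FIRST_PARTY = {"www.example-hospital.test", "static.example-hospital.test"}

# Only these <link rel=...> values cause a network fetch; canonical/alternate do not.
LOADING_RELS = {"stylesheet", "preload", "prefetch", "preconnect", "dns-prefetch", "icon"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+|//[^\s'\"<>]+")


class ThirdPartyLoadScanner(HTMLParser):
    """Collects (kind, host, url) for every load that leaves the first-party set."""

    RESOURCE_ATTR = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []
        self._in_script = False

    def _check(self, kind, url):
        host = urlparse(url).hostname  # None for relative URLs, which are first-party
        if host and host not in self.first_party:
            self.findings.append({"kind": kind, "host": host, "url": url})

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        attr = self.RESOURCE_ATTR.get(tag)
        if attr is None or not attrs.get(attr):
            return
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & LOADING_RELS:
                return  # e.g. rel="canonical": metadata only, no fetch
        self._check(tag, attrs[attr])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Tag managers usually inject their vendors from inline loaders, so
        # any absolute URL inside <script>...</script> is checked as well.
        if self._in_script:
            for url in URL_RE.findall(data):
                self._check("script-inline", url)


def scan_page(html, first_party=FIRST_PARTY):
    """Return the list of third-party loads found in `html`, in document order."""
    scanner = ThirdPartyLoadScanner(first_party)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two first-party assets, one inline tag loader,
# one tracking pixel (inside <noscript>, as vendors commonly ship it).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="canonical" href="https://www.example-hospital.test/services/oncology">
<link rel="stylesheet" href="https://static.example-hospital.test/site.css">
<script src="https://static.example-hospital.test/app.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://tags.adnetwork-example.test/loader.js?id=PLACEHOLDER';
  document.head.appendChild(s);
</script>
</head><body>
<h1>Oncology appointment request</h1>
<noscript><img src="https://pixel.adnetwork-example.test/collect?ev=view" width="1" height="1" alt=""></noscript>
<iframe src="/forms/appointment"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f"{f['kind']:14} {f['host']:32} {f['url']}")
```

Run it over the rendered HTML of each patient-facing URL (after any consent banner logic has executed, since tag managers often inject vendors at runtime); every host the report lists that is not covered by a BAA or a documented de-identification step is a candidate for removal from that page.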
Harvard Pilgrim $16.5 M class-action fund opens
Victims of the insurer’s 2023 ransomware event can now file claims for up to $2,500 in out-of-pocket costs or opt for a $150 flat payment; extraordinary losses may reach $35,000. The settlement also offers three years of credit monitoring, with a claim deadline of Aug 25, 2025 and a final-approval hearing on July 28. Covered entities should note that plaintiffs cited inadequate segmentation and delayed breach notification—two failure points that regulators likewise scrutinize. Learn more at Top Class Actions
Data Breach Notices
Five-year insider snooping at Jackson Health
Miami-based Jackson Health System disclosed that a single employee quietly accessed more than 2,000 patient charts between July 2020 and May 2025 to promote a side business. Although Social Security numbers were spared, clinical data, addresses, and medical-record numbers were viewed. The worker was fired and the case referred to law enforcement; notification letters and free credit monitoring are under way. The episode illustrates why continuous audit-log reviews and role-based access controls are essential—long-running “low and slow” breaches remain a favorite OCR audit topic. Learn more at Miami Herald
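A five-year pattern of a couple of charts a day never trips a per-day threshold, which is why it survives. The script below is an added example written for this newsletter, not code from Jackson Health or OCR; it baselines each user against peers in the same role, month by month, and flags anyone whose distinct-chart count stays far above the peer median across several months. The audit-log format (timestamp, user, role, MRN, action) and all records are constructed for illustration.

```python
"""Flag 'low and slow' chart snooping in EHR audit logs by peer baseline.

Added example; the log format, user IDs and roles are constructed.
A user is flagged when the number of distinct patient charts they viewed
in a month exceeds `ratio` times the median of their role peers, and that
holds for at least `min_months` months.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Constructed audit lines: '<ISO timestamp> <user> <role> <MRN> <action>'.
    Three billing clerks view a handful of charts a month; u104 views dozens,
    spread evenly so that no single day looks unusual."""
    lines = []
    base = datetime(2025, 1, 1, 8, 0)
    for month in range(4):                       # Jan..Apr 2025
        for user, charts in (("u101", 6), ("u102", 5), ("u103", 7), ("u104", 40)):
            for i in range(charts):
                ts = base.replace(month=1 + month) + timedelta(days=i % 20, hours=i % 8)
                mrn = f"MRN{month:02d}{user[-3:]}{i:03d}"
                lines.append(f"{ts.isoformat(timespec='minutes')} {user} billing {mrn} VIEW")
    return "\n".join(lines)


def parse_log(text):
    """Parse the five-field format above; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, mrn, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "mrn": mrn, "action": action})
    return events


def monthly_distinct_charts(events):
    """{(role, 'YYYY-MM'): {user: set of MRNs viewed}}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["action"] != "VIEW":
            continue
        buckets[(e["role"], e["ts"].strftime("%Y-%m"))][e["user"]].add(e["mrn"])
    return buckets


def find_low_and_slow(events, ratio=3.0, min_months=2):
    """Return {user: [months]} for users above ratio x peer median in >= min_months months.
    The peer median excludes the user being scored so one heavy user cannot
    raise their own baseline."""
    flagged = defaultdict(list)
    for (role, month), per_user in sorted(monthly_distinct_charts(events).items()):
        for user, charts in per_user.items():
            peers = [len(c) for u, c in per_user.items() if u != user]
            if len(peers) < 2:
                continue  # too few peers in this role for a meaningful baseline
            if len(charts) > ratio * median(peers):
                flagged[user].append(month)
    return {u: months for u, months in flagged.items() if len(months) >= min_months}


if __name__ == "__main__":
    for user, months in find_low_and_slow(parse_log(build_sample_log())).items():
        print(f"{user}: above peer baseline in {', '.join(months)}")
```

The peer-relative baseline is the point: a billing clerk and an ED physician legitimately touch very different numbers of charts, so a single global threshold either floods reviewers or misses the clerk. In production the role field would come from the identity system rather than the log line, and the month buckets would be computed incrementally rather than from a full reparse.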
American Hospital Dubai faces “mega-ransomware” extortion
The new Gunra gang claims to have exfiltrated 4 TB—about 450 million data points—from the 254-bed facility, threatening public release if ransom demands go unmet. Early samples show a mix of financial and treatment data; core patient systems remain partially offline. With UAE regulators scrutinizing breach responses under the 2023 Health-Data Law, observers warn that double-extortion crews are testing regional hospitals’ incident-response maturity. Learn more at CyberNews
Emerging Trends
AHA issues fresh alert on “Play” ransomware
A June 4 joint advisory from the FBI, CISA, and Australian Cyber Security Centre details Play’s updated tactics: exploiting FortiOS, SimpleHelp RMM, and Exchange flaws; exfiltrating data before encryption; and omitting an initial ransom amount to obscure negotiations. The American Hospital Association warns that the group tallied roughly 900 victims by May and remains one of the most active health-sector threats. Recommended mitigations include segmented backups, patching of the new CVE-2024-57727, and rehearsed incident-response playbooks. Learn more at AHA
Closing Thoughts
OCR’s intensified Risk Analysis Initiative, fresh litigation over Google’s hospital-site trackers, and the week’s ransomware and insider-snooping disclosures all send the same signal: risk assessments and vendor scrutiny must be continuous, not quarterly chores. Update your enterprise-wide SRA before auditors come calling, purge or de-identify any tracking code on patient pages, and confirm that every partner—from web analytics to cloud backups—enforces MFA, least-privilege access, and rapid breach-notification terms. Threat actors iterate daily; our safeguards and contracts have to iterate faster.