
Good Morning Everyone,
Wearables may be the buzz on Capitol Hill, but this week’s headlines remind us that shiny technology alone won’t keep patients—and their data—safe. A House subcommittee heard glowing testimony on digital health while a reconciliation bill threatens to drop insurance for 16 million Americans. At the same time, states are racing past HIPAA with sweeping privacy statutes, and ransomware continues its march: California now ranks #2 for breach volume, vendor Episource lost 5.4 million records, and McLaren’s 10-month post-incident forensics have finally revealed 743 K more victims. The common thread? Legal exposure is widening just as attackers aim deeper into the supply chain. Dive into the details below and take stock of how your own programs measure up.
Regulatory Updates
Hill hearing on wearables overshadowed by looming coverage cuts
Capitol Hill’s first digital-health hearing of 2025—grandly titled “Health at Your Fingertips”—featured executives from WHOOP, CoachCare and Epic extolling wearables, remote patient monitoring (RPM) and app interoperability as tools to detect disease early and trim hospital costs. HHS Secretary Robert F. Kennedy Jr. even pledged an agency campaign to put “every American in a wearable within four years.” Yet the upbeat tech talk quickly collided with election-year politics: Democrats hammered the panel for focusing on gadgets while the reconciliation bill racing through the Senate, which President Trump wants passed by July 4, could strip Medicaid or ACA coverage from an estimated 16 million people. Georgetown policy scholar Sabrina Corlette warned lawmakers that patients can’t benefit from data-driven care if they lose insurance, sparring with GOP members who defended tighter eligibility rules. Bipartisan enthusiasm survived on two fronts—telehealth expansion and privacy safeguards—as lawmakers pressed vendors on HIPAA gaps, period-tracking risks and expanded RPM reimbursement bills. The exchange underscores that digital-health adoption will hinge as much on insurance stability and privacy reform as on technical innovation. Learn more at Fierce Healthcare
Beyond HIPAA: states redraw the health-data rulebook
Smartphones, wearables and adtech now churn out volumes of “consumer health data” that sit entirely outside HIPAA—and states are rushing to close the gap. California’s CPRA, Washington’s groundbreaking My Health My Data Act and New York’s S.929 all impose strict opt-in consent, broad definitions of health information (including location and behavioral data), and, crucially, private rights of action that invite litigation. The stakes are on display in Maxwell v. Amazon, where plaintiffs say an embedded SDK quietly hoovered location pings to infer visits to mental-health or reproductive-care sites—alleged violations of Washington’s law as well as federal wiretap statutes. Compliance headaches multiply for multi-state providers and digital-health startups: each statute sets unique notice, deletion and geofencing rules, and FTC enforcement under the Health Breach Notification Rule is running in parallel. Organizations can’t wait for a federal fix—mapping data flows, pruning collection, tightening vendor contracts and rewriting consent screens in plain language are now baseline defenses against a rapidly expanding patchwork of state privacy mandates. Learn more at Clark Hill
Data Breach Notices
California climbs to #2 in breach rankings — 22.6 M records exposed
California has vaulted to second place in the nation for healthcare data breaches after a sweeping review of HHS-OCR filings by hosting provider KnownHost found 22.6 million Golden State patient records exposed between February 2023 and April 2025. Across the country, breaches exploded from 149 events in 2023 to 444 in 2024—a 198 percent surge that pushed the cumulative tally to a staggering 328 million records, almost matching the U.S. population. In California alone, 46 reportable incidents drove the total upward, including a standout case in which a health system’s marketing pixels quietly funneled data on 13.4 million patients to Google, Bing, and X. The study shows that 675 of the 807 breaches nationwide stemmed from external hacking or other IT intrusions, but another 110 were pinned on unauthorized access or disclosure, underscoring that insider missteps remain a potent threat. With breaches logged on 201 separate days in 2024 alone, California covered entities and business associates should prioritize pixel audits, vendor vetting, end-to-end encryption, and mandatory security-awareness training before regulators—and plaintiffs. Learn more at The Business Journal
Episource ransomware breach exposes 5.4 M records
Healthcare services vendor Episource has disclosed that a February ransomware intrusion siphoned sensitive data on roughly 5.4 million people—making it 2025’s second-largest health-sector breach behind only Yale New Haven Health’s 5.6 million-record incident. For weeks the firm traced “unusual activity” before confirming a cybercriminal had exfiltrated contact details, insurance information, medical record numbers, diagnoses, test results, treatment data and, in some cases, Social Security numbers and birth dates. While Episource says it has seen no evidence of misuse, the scope is wide: the risk-adjustment and coding provider serves scores of payers and health systems, and is now coordinating notifications with affected clients. San Diego-based Sharp Healthcare, for example, has already filed companion breach reports covering more than 26,000 patients. The episode underscores a brutal trend—hack-and-exfiltration attacks on third-party vendors can threaten millions downstream, as Change Healthcare’s 190 million-record catastrophe showed last year. Covered entities should re-check vendor ransomware defenses, insist on immutable backups and test incident-response playbooks before the next supply-chain breach hits. Learn more at Healthcare Dive
McLaren Health Care’s 2024 ransomware fallout reaches 743 K patients
Ten months after a stealth Inc. Ransom attack encrypted its network, Michigan-based McLaren Health Care is mailing notices to 743,131 patients confirming that hackers roamed its systems from July 17 to August 3, 2024 and exfiltrated names, Social Security and driver-license numbers, insurance details and clinical data. The nonprofit detected the intrusion on August 5, 2024, spent three weeks on paper charts, and fully restored its EHR by late August; yet forensic review of the trove wasn’t finished until May 5, 2025, triggering letters sent June 20 and a year of free credit monitoring. McLaren’s statement avoids the word “ransomware” and makes no mention of the Inc. Ransom gang—fueling speculation the demand was paid—but it marks the second massive breach for the system after a 2023 ALPHV/BlackCat incident that hit 2.1 million records. The reprise underscores two hard lessons: repeat offenders draw extra regulator scrutiny, and protracted file-review timelines can stretch well beyond HIPAA’s 60-day clock if data mapping and segmentation aren’t airtight. Learn more at HIPAA Journal
Closing Thoughts
Digital-health optimism, fast-moving state privacy laws, and ever-larger ransomware breaches are converging into a perfect storm of risk. Map and minimize the data you collect, stress-test vendor defenses (including immutable backups), refresh plain-language consent flows, and keep a sharp eye on state rule-making, because private rights of action and supply-chain attacks now define the new normal for healthcare security and compliance.
Stay secure and have a productive week!