
Good morning everyone,
As June draws to a close, compliance teams across the health sector are balancing an onslaught of regulatory developments and threat intelligence. The past seven days saw the New York legislature pass a trail‑blazing health data privacy bill that would require unprecedented consent before processing health‑related inference data; significant updates to AI governance guidance; and a series of cybersecurity advisories targeting widely used tools and devices. At the same time, several healthcare organizations disclosed breaches involving highly sensitive data, underlining the need for timely notification and robust vendor oversight.
Below you’ll find a digest of the week’s most consequential updates organized by category. Each story is paired with recommendations to help compliance, privacy, security and vendor‑management teams navigate emerging risks.
Regulatory & Legal Updates
New York Health Information Privacy Act (NYHIPA) advances
What happened: Early in June the New York State Senate and Assembly passed the New York Health Information Privacy Act (S‑9269), a sector‑specific health privacy bill that, if signed by Governor Hochul, will become the most expansive non‑HIPAA health data law in the country. Unlike comprehensive privacy statutes, NYHIPA targets health information collected or inferred outside clinical settings. “Regulated health information” (RHI) is broadly defined: any data reasonably linkable to an individual and connected to past, present or future physical or mental health, including reproductive and sexual health, gender‑affirming care, biometric or genetic data, and health‑related inferences derived through algorithms. Processing RHI that is not strictly necessary requires explicit authorization that must be separate, plain‑language, 12‑point font, and cannot be bundled with other consents. The bill grants the state attorney general authority to seek injunctions, restitution and penalties up to $15,000 per violation with a six‑year look‑back period. NYHIPA exempts HIPAA‑covered entities, 42 C.F.R. Part 2 programs and FDA‑regulated activities.
Why it matters: NYHIPA’s expansive definition of RHI and the requirement to obtain standalone consent for non‑essential processing means many digital health and marketing activities—not previously subject to HIPAA—would need to overhaul data collection, tracking technology and consent flows. Companies that infer health status from analytics (for example, identifying pregnant individuals or chronic‑disease patients) would be regulated even if they never collect direct health information. Civil penalties calculated per consumer and per processing event could quickly become existential. Even organizations based outside New York should watch this closely; New York’s market size will likely drive de facto national standards. The bill also reflects the accelerating patchwork of state‑level health privacy laws.
Recommended actions:
- Inventory all data flows that could involve health‑related inferences or consumer health data; map persistent identifiers (cookies, device IDs, IP addresses) that could link to health status.
- Separate health‑related consent from general privacy notices; design authorization forms that meet NYHIPA’s plain‑language, font size and stand‑alone requirements.
- Stop selling or sharing health‑linked data; review ad‑tech contracts and data‑broker relationships, and restructure or terminate any that involve RHI.
- Monitor Governor Hochul’s decision and begin building compliance programs that can be scaled nationally; integrate NYHIPA requirements into vendor and marketing reviews.
HSCC issues AI Cybersecurity Governance Implementation Guide
What happened: The Health Sector Coordinating Council (HSCC) published an 87‑page guidance document to help healthcare organizations implement safe and responsible artificial intelligence. The guidance recommends establishing an AI cybersecurity governance committee that includes program leads, clinicians, IT/security teams, legal counsel and patient advocates. It outlines principles covering clinical safety, privacy controls, supply‑chain risk, model drift, adversarial attacks and incident response. HSCC stresses that AI governance must be integrated with existing organizational governance, risk management and quality programs rather than siloed as a separate initiative.
Why it matters: AI is rapidly being adopted for clinical decision support, patient engagement and administrative tasks. Without robust governance, AI models can introduce bias, data leakage or operational disruptions. The HSCC guide offers a roadmap tailored to healthcare organizations, addressing regulatory obligations such as HIPAA, Part 2 confidentiality, and emerging state privacy laws. It emphasizes lifecycle management—assessing risks from procurement through retirement—and calls for transparency and stakeholder engagement.
Recommended actions:
- Form a cross‑functional AI governance committee with clear roles and escalation pathways.
- Develop policies to evaluate AI models for safety, privacy and security before deployment and continuously monitor performance for drift or bias.
- Integrate AI risk management into existing HIPAA security risk analyses and vendor management processes.
- Educate staff on responsible AI use and document decisions to demonstrate compliance during audits or investigations.
Breach & Incident Notices
Colorado Health Network and Kentucky Mountain Health Alliance data breaches
What happened: Colorado Health Network (CHN), a nonprofit serving individuals with HIV/AIDS, disclosed that an unauthorized third party accessed and removed files from its systems. The files contained names plus Social Security numbers, driver’s license or passport numbers, financial account or payment card details, health insurance information (Medicaid/Medicare) and extensive medical data including diagnosis codes and prescriptions. CHN began mailing notification letters on June 18, 2026 and offered complimentary credit‑monitoring and identity‑theft protection. A dark‑web group, Cephalus ransomware, had previously claimed to exfiltrate more than 900 GB of data in August 2025, and at least 257 Texas residents were affected.
Kentucky Mountain Health Alliance (KMHA), a nonprofit providing primary and specialty care to the homeless, similarly disclosed that unauthorized actors accessed and copied files containing names, Social Security numbers, driver’s licenses, passport numbers, financial account and insurance information, and medical data. Notification letters were sent on June 12, 2026, and the organization is offering 24 months of credit monitoring.
Why it matters: Both incidents involve highly sensitive health and financial data of vulnerable populations. They illustrate the risk of ransomware gangs targeting community health organizations with limited resources. CHN’s breach appears to have occurred months earlier yet still is not listed on the HHS OCR breach portal, raising questions about reporting timeliness and compliance with HIPAA’s 60‑day notification rule. KMHA’s notice was buried deep on its website, contrary to HIPAA requirements for prominent posting. These breaches reinforce the need for risk assessments, incident response plans and transparent communication.
Recommended actions:
- Conduct forensic investigations to determine the date and scope of intrusions; document all findings for OCR inquiries.
- Ensure that breach notifications occur within HIPAA’s 60‑day window and include prominent website notices and media outreach when more than 500 residents of a state are affected.
- Offer victims robust identity‑protection services and maintain call centers to handle questions; monitor for potential misuse of HIV‑related or reproductive health information which is particularly sensitive.
- Strengthen endpoint detection and network segmentation to prevent unauthorized lateral movement; evaluate ransomware preparedness and data‑backup strategies.
Southern Illinois OB‑GYN Associates breach
What happened: Southern Illinois OB‑GYN Associates discovered suspicious activity on November 24, 2025. Third‑party investigators concluded on January 28, 2026 that an unauthorized actor accessed and potentially downloaded files containing patient names, dates of birth, Social Security numbers, driver’s license numbers, demographic information, health insurance details and medical information. A file review concluded on April 28, 2026, but notification letters were not mailed until late May and early June. The practice reported the breach to Massachusetts on June 5, 2026 and is offering credit monitoring to affected individuals. Commentary notes that the delay likely exceeded HIPAA’s 60‑day notification requirement and may have placed reproductive‑health information at risk.
Why it matters: The timeline reveals a six‑month gap between detection and notification. Regulators may view this as non‑compliance with HIPAA’s breach notification rule. OB‑GYN practices handle particularly sensitive data, including reproductive health information protected by state laws and new HHS rules. Delay undermines patients’ ability to monitor for identity theft or misuse.
Recommended actions:
- Review incident response plans to ensure investigation and notification processes meet regulatory timelines; incorporate deadlines into contracts with forensic vendors.
- Train staff to promptly identify and report suspicious activities; maintain logs and evidence for regulators.
- Encrypt sensitive data at rest and in transit and implement strict access controls to reduce risk of exfiltration.
- Coordinate with counsel to determine whether state or federal reproductive health privacy laws impose additional obligations.
Vendor & Supply Chain Risk
FortiBleed campaign compromises 30,000–75,000 Fortinet firewalls
What happened: Arctic Wolf Labs and other researchers reported that threat actors launched an active credential‑compromise campaign—dubbed FortiBleed—against Fortinet FortiGate firewalls. Attackers are extracting configuration files from internet‑facing FortiGate devices and cracking stored password hashes, leading to verified working administrator credentials for 30,000–75,000 devices across 194 countries. The dataset, organized by country and sector, reportedly includes at least 30,791 confirmed login credentials. Fortinet introduced PBKDF2‑based hashing in FortiOS 7.2.11 and 7.4.8, but passwords remain stored with older SHA‑256 hashes until administrators log in after upgrades.
Why it matters: FortiGate firewalls are widely used in healthcare organizations and vendor networks. Compromised credentials could allow adversaries to bypass VPNs and network segmentation, exfiltrate sensitive data or pivot into clinical systems. The campaign highlights how legacy password‑storage mechanisms and weak credential hygiene create systemic supply‑chain risks. Even organizations running patched firmware may be vulnerable if administrators have not logged in post‑upgrade.
Recommended actions:
- Immediately reset all administrative and VPN credentials on Fortinet devices; enforce multi‑factor authentication for all management accounts.
- Restrict management interface access to trusted internal networks; disable internet‑facing management ports.
- Require administrators to log into firewalls after firmware updates to trigger PBKDF2 hashing and enable settings that remove legacy SHA‑256 hashes.
- Monitor for unauthorized logins and review firewall configurations for signs of tampering; incorporate firewall credential rotation into vendor‑management checklists.
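To make the "log in after upgrading" point concrete, here is an added illustration of the rehash-on-login mechanism the advisory describes; it is not Fortinet's code, and the record layouts, scheme tags, iteration count and the choice to model the legacy scheme as a single unsalted SHA-256 pass are all assumptions made for the example. It shows why a firmware upgrade alone leaves existing hashes untouched, and includes an audit helper that lists accounts still stored under the legacy scheme.

```python
import hashlib
import hmac
import os

# Record layouts are assumptions for this illustration (not the FortiOS format):
#   ("sha256", hex_digest)                        legacy: unsalted single-pass SHA-256
#   ("pbkdf2", salt_hex, iterations, hex_digest)  upgraded: salted PBKDF2-HMAC-SHA256
LEGACY, MODERN = "sha256", "pbkdf2"
ITERATIONS = 600_000  # assumed work factor for the upgraded scheme


def legacy_hash(password: str) -> tuple:
    """Legacy scheme: one fast SHA-256 pass, cheap to brute-force from a stolen config."""
    return (LEGACY, hashlib.sha256(password.encode()).hexdigest())


def modern_hash(password: str, salt: bytes = b"") -> tuple:
    """Upgraded scheme: per-record salt and a slow PBKDF2 derivation."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return (MODERN, salt.hex(), ITERATIONS, dk.hex())


def verify(record: tuple, password: str) -> bool:
    """Check a password against whichever scheme the stored record uses."""
    if record[0] == LEGACY:
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(digest, record[1])
    _, salt_hex, iters, digest = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iters)
    return hmac.compare_digest(dk.hex(), digest)


def login(store: dict, user: str, password: str) -> bool:
    """Authenticate; a legacy record is rewritten with the new scheme only now,
    because a successful login is the only moment the plaintext is available."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if record[0] == LEGACY:
        store[user] = modern_hash(password)
    return True


def legacy_accounts(store: dict) -> list:
    """Audit: accounts whose stored hash is still the legacy scheme, i.e. accounts
    that have not logged in since the upgrade and still need a login plus rotation."""
    return sorted(user for user, rec in store.items() if rec[0] == LEGACY)


def demo() -> tuple:
    # Constructed credential store as it looks right after a firmware upgrade:
    # new writes use PBKDF2, but every existing record is still legacy.
    store = {"admin": legacy_hash("Sample-Pass-1"),
             "backup-admin": legacy_hash("Sample-Pass-2")}
    before = legacy_accounts(store)          # both still legacy
    login(store, "admin", "wrong-password")  # a failed login must not upgrade
    mid = legacy_accounts(store)
    login(store, "admin", "Sample-Pass-1")   # a successful login triggers the rehash
    after = legacy_accounts(store)
    return before, mid, after, store["admin"][0]
```

Note that a configuration file exfiltrated before the rehash still holds the legacy digest, so rehashing on login protects future exports only and does not replace rotating the credential.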
Fortinet FortiSandbox critical OS command‑injection vulnerability (CVE‑2026‑25089)
What happened: Fortinet’s Product Security Incident Response Team (PSIRT) disclosed CVE‑2026‑25089, a critical OS command‑injection vulnerability affecting FortiSandbox versions 4.4.0–4.4.8 and 5.0.0–5.0.5 (including cloud deployments). The flaw allows unauthenticated remote attackers to send crafted HTTP requests to the ‘start VNC’ web‑interface feature, execute arbitrary system commands and potentially gain full system compromise. Fortinet released patches on June 9, but researchers warn that exploitation is likely because the attack requires no authentication and many installations are exposed. Though FortiSandbox has a small market share (~0.06 %), deployments are often in high‑value sectors—including healthcare and critical infrastructure—where a compromise could undermine malware detonation and broader security operations.
Why it matters: Exploitation of FortiSandbox could give attackers footholds inside detection environments used to inspect malware, allowing them to pivot deeper into networks and manipulate analysis results. Healthcare organizations relying on FortiSandbox for file detonation and threat analysis should prioritize remediation. Unauthenticated RCE vulnerabilities present high risks in supply chains and may be added to CISA’s Known Exploited Vulnerabilities catalog, requiring federal agencies to patch within days.
Recommended actions:
- Inventory all FortiSandbox instances (on‑premises, cloud and PaaS) and determine if versions fall within the affected ranges.
- Apply Fortinet’s patches immediately (upgrade to version 4.4.9 or later for 4.x and ensure cloud deployments are updated).
- Remove public access to the FortiSandbox web UI; restrict administrative interfaces to internal networks or VPNs.
- Deploy temporary web‑application‑firewall rules to block malicious requests and monitor logs for suspicious access patterns.
- After patching, re‑analyze previously detonated samples and review verdicts for evasion, as malicious code may have been missed during compromise.
Cybersecurity & Threat Intelligence
CISA adds high‑impact vulnerabilities to KEV catalog
What happened: The Cybersecurity and Infrastructure Security Agency (CISA) added several vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, setting a remediation deadline of June 23, 2026 for federal agencies. Notable additions include:
- Arista EOS (CVE‑2026‑7473) – A network stack flaw that can cause mis‑routing and allow security policy bypass.
- Google Chrome V8 (CVE‑2026‑11645) – An out‑of‑bounds access vulnerability in the V8 engine enabling remote code execution or denial‑of‑service.
- Cisco Catalyst SD‑WAN Manager (CVE‑2026‑20245) – An authenticated local attacker could run arbitrary commands as root in the CLI; no patch was available when listed.
- BerriAI LiteLLM, Check Point Security Gateway and LiteLLM vulnerabilities (not fully enumerated) also appear in the KEV list.
Why it matters: Inclusion in the KEV catalog signals active exploitation in the wild and triggers binding operational directives for federal agencies. Healthcare entities often use Arista switches, Chrome browsers and Cisco SD‑WAN devices; failing to patch could lead to service disruptions, data exfiltration or lateral movement. Even vulnerabilities requiring authenticated attackers are attractive when combined with credential theft (e.g., FortiBleed).
Recommended actions:
- Assess whether your organization uses affected products; subscribe to vendor security advisories and CISA alerts.
- Apply vendor patches or mitigations before the KEV deadlines; for unpatched vulnerabilities (e.g., Cisco SD‑WAN), implement compensating controls such as limiting access and monitoring logs.
- Ensure browsers are updated to the latest stable release to remediate V8 engine flaws.
- Document remediation steps for audit trails and report status to leadership; incorporate KEV items into vulnerability management dashboards.
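As an added example of the "assess whether your organization uses affected products" step (not code from CISA or from this digest), the script below matches a KEV feed excerpt against an asset inventory and computes days remaining to each due date. The feed excerpt uses the field names of CISA's published KEV JSON (cveID, vendorProject, product, dueDate) but its entries are constructed from the CVE ids and June 23, 2026 deadline reported above; the inventory and hostnames are hypothetical.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed; entries are built from
# the CVE ids and deadline reported in this digest, not copied from the live feed.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-7473", "vendorProject": "Arista", "product": "EOS",
     "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-11645", "vendorProject": "Google", "product": "Chromium V8",
     "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-20245", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-06-23"},
]})

# Constructed asset inventory with hypothetical hostnames and vendors.
INVENTORY = [
    {"asset": "core-sw-01", "vendor": "Arista Networks", "product": "EOS"},
    {"asset": "wan-mgr-01", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager"},
    {"asset": "ehr-app-01", "vendor": "ExampleVendor", "product": "ExampleEHR"},
]


def _norm(text: str) -> str:
    return " ".join(text.lower().split())


def _matches(entry: dict, asset: dict) -> bool:
    """Heuristic match: vendors agree on their first word and one product name
    contains the other, so 'Arista' matches 'Arista Networks'. Inventories with
    exact KEV vendor/product strings can use equality instead."""
    v_kev, v_inv = _norm(entry["vendorProject"]), _norm(asset["vendor"])
    p_kev, p_inv = _norm(entry["product"]), _norm(asset["product"])
    vendor_ok = v_kev.split()[0] == v_inv.split()[0]
    product_ok = p_kev in p_inv or p_inv in p_kev
    return vendor_ok and product_ok


def triage(feed_json: str, inventory: list, today: date) -> list:
    """Return one row per (asset, KEV entry) match, soonest deadline first."""
    rows = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if _matches(entry, asset):
                days_left = (due - today).days
                rows.append({"asset": asset["asset"], "cveID": entry["cveID"],
                             "dueDate": entry["dueDate"], "days_left": days_left,
                             "status": "OVERDUE" if days_left < 0 else "DUE"})
    return sorted(rows, key=lambda r: (r["days_left"], r["asset"]))
```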
Curl maintainers patch 25‑year‑old bug and multiple memory/logic flaws
What happened: Developers of the ubiquitous curl tool released patches for 18 vulnerabilities, including a 25‑year‑old bug (CVE‑2026‑8932) discovered in .netrc credential handling. Other issues include double‑free errors in SASL authentication (CVE‑2026‑8925) and multi‑TLS connection reuse leading to authentication bypass (CVE‑2026‑8926). The vulnerabilities allow credential confusion, remote code execution or use‑after‑free conditions on systems where curl is used for file transfers, APIs or updates. Curl is installed on more than 30 billion devices worldwide.
Why it matters: Curl is embedded in countless healthcare applications, operating systems, medical devices and vendor software. Exploitation could facilitate supply‑chain attacks, credential theft or arbitrary code execution. Because some vulnerabilities stem from edge‑case logic and remain present for decades, many healthcare organizations may be unaware that internal scripts or vendor products rely on vulnerable versions.
Recommended actions:
- Inventory all systems (servers, IoT devices, vendor software) that include curl or libcurl; coordinate with vendors to confirm patch status.
- Upgrade to the latest patched release (8.1.x or later) and disable .netrc credential files where possible.
- Review scripts or applications that reuse TLS connections or handle SASL authentication; apply updates to avoid double‑free or authentication‑bypass issues.
- Incorporate curl into software bill of materials (SBOM) and vulnerability scanning to identify future exposures.
Privacy, AI & Digital Health Updates
AI governance and digital health compliance – key takeaways from AHIMA webinar
What happened: At AHIMA’s June 7 webinar, leaders from Massachusetts General Brigham and McDermott Will & Emery shared strategies for AI governance in healthcare. Key insights include: establishing governance before deploying AI; engaging multifunctional teams to provide oversight; and defining policies that align AI initiatives with organizational goals. The panel stressed that AI governance should not be created in isolation but must integrate with existing privacy, security and compliance frameworks.
Why it matters: As healthcare organizations deploy generative AI tools and machine‑learning models, they must ensure transparency, accountability and compliance with HIPAA, NYHIPA and other emerging laws. The AHIMA discussion complements the HSCC guidance, reinforcing the importance of risk assessments, stakeholder engagement and clear definitions of permissible AI use.
Recommended actions:
- Create AI inventories and risk registers to track all deployed and proposed AI solutions.
- Develop cross‑functional governance structures that include privacy, security, clinical, legal and patient advocacy perspectives.
- Establish policies requiring problem definitions and risk‑benefit analyses before implementing AI tools.
- Monitor state and federal AI policy developments and update governance frameworks accordingly.
Closing Thoughts
This week’s developments underscore the accelerating pace of privacy legislation, the growing complexity of cybersecurity threats, and the need for proactive governance. New York’s Health Information Privacy Act signals that states are moving beyond HIPAA to regulate the vast digital health ecosystem. Compliance teams should treat the coming months as a runway to inventory data practices, separate consent flows, and engage vendors and marketing teams about new restrictions. At the same time, the HSCC’s AI guidance and AHIMA’s webinar show that responsible AI governance requires broad participation and integration with existing risk‑management processes.
On the security front, the FortiBleed campaign and FortiSandbox vulnerability highlight the continuing challenges of vendor risk and credential management. Organizations must not assume that firmware upgrades alone provide protection—administrative actions like forced logins and credential rotation remain critical. CISA’s KEV updates and the long‑standing curl vulnerabilities remind us that even widely used tools require constant vigilance. Conducting thorough vulnerability management, patching promptly, and maintaining clear incident‑response plans will remain key defenses. Ultimately, staying ahead of evolving threats while complying with a patchwork of laws demands cross‑disciplinary collaboration, strong documentation and continuous improvement.
