
Good Morning Everyone,
Leadership changes and record-breaking breaches headline this week’s roundup. OCR’s incoming Director Paula Stannard signals a tougher HIPAA enforcement posture just as the FTC’s overhauled COPPA Rule enters a three-week countdown. Meanwhile, the numbers keep climbing: a six-year OCR probe cost Children’s Hospital Colorado more than half-a-million dollars, ransomware gangs leaked nearly a terabyte from Kettering Health, and third-party lapses at ALN Medical Management and dental-marketing vendor Gargle pushed exposed-record totals well past the two-million mark. Taken together, the stories underscore an uncomfortable truth—security gaps at vendors and “non-clinical” platforms can become your compliance crisis overnight. Full details below:
Regulatory Updates
Paula M. Stannard tapped to lead HHS Office for Civil Rights
Long-time health-law veteran Paula Stannard is returning to Washington as OCR Director after stints as Montana DPHHS chief counsel and senior HHS adviser in two prior administrations. Observers expect a sharper enforcement tempo: Stannard now oversees HIPAA privacy, security, and breach-notification rules plus the Department’s civil-rights and conscience mandates. Her résumé—spanning private practice, state leadership, and federal policy—signals an emphasis on both technical compliance (risk analyses, breach reporting) and equal-access investigations. Covered entities should be ready for deeper document requests and shorter response windows when audits resume. Learn more at HHS
Three-week sprint to the FTC’s revamped COPPA Rule
The FTC’s first Children’s Online Privacy Protection Act overhaul since 2013 takes effect on June 23, 2025. Key changes: a flat ban on indefinite data retention, stricter limits on sharing kids’ information with ad-tech partners, and explicit parental-consent requirements before using children’s data to train AI models. Operators get until April 22, 2026 to meet most obligations, but data-minimization and breach-response tweaks will be enforceable on day one. Inventory children’s data flows now, shorten retention schedules, and update vendor contracts to avoid five-figure daily penalties. Learn more at Data Protection Report
Enforcement Actions
Children’s Hospital Colorado accepts $548K penalty after six-year OCR probe
What began with a 2017 email breach of 3,300 pediatric records ended last fall when Children’s Hospital Colorado opted to pay a $548,265 civil monetary penalty rather than sign an expansive corrective-action plan. OCR said lapses included incomplete risk analyses, five years without HIPAA training for 3,500 nursing students, and three additional phishing-related breaches in 2020 affecting 10,840 patients. Hospital leaders called OCR’s demands “unwarranted” and warned the fine diverts funds from patient care, but conceded that battling the CAP would cost even more. The case shows OCR’s willingness to levy daily fines—even after gaps are fixed—and that “recognized security practices” discounts are no guarantee without airtight. Learn more at Compliance Cosmos
Data Breach Notices
Kettering Health still reeling from 941-GB Interlock data leak
The Ohio health system’s May 20 ransomware incident has entered a more volatile phase: the Interlock gang began dumping stolen files this week after claiming 941 GB of patient, employee, and business records. Core EHR components came back online June 3, but ancillary systems and third-party portals remain disrupted. Kettering is now triaging potential identity-theft exposures and faces class-action inquiries. The episode highlights the peril of prolonged outages and double-extortion tactics. Learn more at The HIPAA Journal
Cumberland County Hospital breach impacts 36,659 Kentuckians
A review revealed unauthorized network access that lingered from February 21 to April 3, 2025 before detection at the 49-bed critical-access hospital. Exposed data may include names, Social Security numbers, and clinical details. Federal filings and plaintiff-law-firm notices suggest litigation is imminent. Smaller rural providers—often with lean IT budgets—remain prime targets for attackers using credential stuffing or unpatched VPN appliances. Learn more at HIPAA Journal
ALN Medical Management breach balloons to 1.8M+ records after year-long review
Revenue-cycle vendor ALN Medical Management has raised its March 2024 cyber-incident tally from a placeholder 501 records to 1,823,844 affected individuals after forensic work revealed hackers exfiltrated data from a third-party hosting provider. Compromised files span the alphabet of identifiers—names, SSNs, driver’s-license and government IDs, financial and insurance details, and clinical information—across at least four client groups in MD, NE, CA, and NY. Notification letters only began in late March 2025, triggering multi-state attorney-general filings and a wave of class-action suits alleging lax security and breach of contract. ALN’s parent, Health Prime International, now faces demands for damages and injunctive relief to harden defenses and accelerate breach reporting. Learn more at HIPAA Journal
Dental-marketing leak exposes 2.7 M patient profiles, 8.8 M appointment records
Cybernews researchers found an unsecured MongoDB database—apparently tied to dental-marketing firm Gargle—that left 2.7 million patient profiles and 8.8 million appointment entries open to the internet until March 26, 2025. The trove included full contact details, chart IDs, billing notes, and scheduling metadata, creating prime material for identity theft, insurance fraud, and tailored phishing. Although Gargle secured the server after disclosure, it has yet to issue public notices, highlighting the ongoing compliance blind spot around marketing vendors that handle PHI. Dental and other specialty practices relying on third-party web-booking tools should confirm that cloud databases are locked down and covered by business-associate agreements mandating multifactor access and routine penetration tests. Learn more at Cybernews
Closing Thoughts
OCR’s new leadership, an imminent COPPA deadline, and headline-grabbing data spills all point in the same direction: continuous risk management and third-party oversight are no longer optional. Refresh enterprise-wide risk analyses before audits resume, inventory where children’s data may sit ahead of June 23, and validate that every vendor—especially marketing and billing partners—enforces MFA, tight access controls, and rapid breach-notification clauses. Modern threats evolve daily; our controls and contracts must evolve just as quickly.
Stay sharp, stay secure, and thank you for all you do!