The HealthSec Blog
Hale Insights - May 2, 2025
May 6, 2025

Good Morning Everyone,

National-level rulemaking, federal enforcement, and an unexpected website-tracking exposure all converged this week to remind us that “de-identified” no longer means “risk-free.” The Department of Justice has folded anonymized data into a new security regime carrying criminal penalties; OCR has penalized a small neurology practice for skipping a basic risk analysis; and Covered California is investigating how LinkedIn tags captured pregnancy and domestic-abuse answers from insurance-shopper forms. Each story underscores the same theme: technical and contractual controls must keep pace with regulators, threat actors, and marketing tech alike. Dive into the details below:

Regulatory Updates

DOJ Final Rule Pulls De-Identified Data into National-Security Net

The U.S. Department of Justice’s new Data Security Program (DSP)—effective April 8—treats anonymized, pseudonymized, and de-identified information the same as identifiable data when it is part of “bulk U.S. sensitive personal data.” Licensing or otherwise giving a country of concern (or its affiliates) access to such data—or to an AI model capable of reproducing it—can now trigger civil and criminal penalties. Contracts must be revisited to confirm CISA-level safeguards, country-of-concern restrictions, and robust risk-management clauses. Because the rule rejects HIPAA-style de-identification as outdated, data licensors, brokers, and AI developers that once relied on de-identification safe harbors should brace for increased DOJ/FTC scrutiny and tighter diligence in cross-border deals. Learn more at Baker Donelson

Enforcement Actions

Comprehensive Neurology Pays $25,000 After Ransomware Breach

The Office for Civil Rights (OCR) has reached a $25,000 settlement with Comprehensive Neurology, PC—a small New York practice—after a 2020 ransomware attack encrypted its entire network and exposed the electronic protected health information (ePHI) of 6,800 patients. OCR determined the practice failed to perform the “accurate and thorough” risk analysis required by the HIPAA Security Rule, leaving critical vulnerabilities unaddressed. Under a two-year corrective action plan, Comprehensive must complete a full risk assessment, create a risk-management program, update security policies, and retrain its workforce. This marks OCR’s 12th ransomware enforcement action—and the 8th under its Risk Analysis Initiative—highlighting that even the smallest providers face significant penalties if foundational security practices are neglected. Learn more at HHS

Data Breach Notices

Covered California Shared Sensitive Enrollment Details with LinkedIn Trackers

A CalMatters/Markup investigation found that the state’s health-insurance marketplace, Covered California, had more than 60 third-party trackers on coveredca.com—far above the state-site average of three—including a LinkedIn Insight Tag that captured visitors’ answers about pregnancy, domestic-abuse status, blindness, prescription-drug use, gender identity, ethnicity, and even selected doctors and hospitals. The data flow appears to have run from February 2024 to early April 2025, when the tag was pulled amid a vendor transition. Covered California says all advertising tags are now disabled and it has launched a site-wide privacy review. Privacy advocates warn the inadvertent disclosure of such granular health information to a for-profit platform is “concerning and invasive,” underscoring growing regulatory scrutiny of pixel-based tracking and the need for strict tag-governance on public health sites. Learn more at CalMatters
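The tag-governance audit the story calls for, as an added example that is not code from the newsletter or from Covered California: it lists every third-party host a page pulled resources from against an assumed approved-vendor list, then checks captured outbound requests for "canary" values typed into a test form, which is how a reviewer can tell whether a tag is reading form answers. All hostnames, the allowlist, and the sample resources and requests are constructed for the example.

```javascript
// Added example: offline tag-governance audit over constructed sample data.
// APPROVED_VENDORS is an assumed allowlist; hostnames below are made up.
const APPROVED_VENDORS = new Set(['stats.approved-vendor.example']);

function isFirstParty(host, firstPartyHost) {
  return host === firstPartyHost || host.endsWith('.' + firstPartyHost);
}

// Group loaded resource URLs by third-party host; flag hosts not on the allowlist.
function auditThirdParties(firstPartyOrigin, resourceUrls, approved = APPROVED_VENDORS) {
  const firstPartyHost = new URL(firstPartyOrigin).hostname;
  const report = {};
  for (const u of resourceUrls) {
    const host = new URL(u).hostname;
    if (isFirstParty(host, firstPartyHost)) continue;
    report[host] = report[host] || { requests: 0, approved: approved.has(host) };
    report[host].requests += 1;
  }
  return report;
}

// Decode form/URL encoding so "domestic%20abuse" and "domestic+abuse" still match.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Search each outbound request (URL and body) for canary values entered into
// sensitive form fields; any hit means that host received the form answer.
function findFormLeaks(outboundRequests, canaries) {
  const leaks = [];
  for (const req of outboundRequests) {
    const haystack = safeDecode(req.url + ' ' + (req.body || '')).toLowerCase();
    for (const [field, value] of Object.entries(canaries)) {
      if (haystack.includes(value.toLowerCase())) {
        leaks.push({ host: new URL(req.url).hostname, field });
      }
    }
  }
  return leaks;
}

// Constructed sample: a marketplace page that loaded a few trackers, plus two
// beacons captured after a test form was submitted with canary answers.
const SAMPLE_RESOURCES = [
  'https://marketplace.example/app.js',
  'https://cdn.marketplace.example/styles.css',
  'https://stats.approved-vendor.example/collect.js',
  'https://tag.adnet-one.example/insight.js',
  'https://tag.adnet-one.example/pixel.gif',
  'https://px.adnet-two.example/p.gif',
];
const CANARIES = { pregnancy: 'canary-preg-7f3a', doctor: 'canary-doc-91c2' };
const SAMPLE_REQUESTS = [
  { url: 'https://stats.approved-vendor.example/collect?page=%2Fapply', body: '' },
  { url: 'https://tag.adnet-one.example/track', body: 'q1=canary-preg-7f3a&q2=' },
];

console.log(auditThirdParties('https://marketplace.example', SAMPLE_RESOURCES));
console.log(findFormLeaks(SAMPLE_REQUESTS, CANARIES));
```

In a real review the resource list comes from the browser's network log or `performance.getEntriesByType('resource')`, and the canary strings are typed into the live form on a test account.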

Closing Thoughts

This week’s stories drive home one point: de-identification, risk analysis, and ad-tech governance are now mission-critical. Review AI and data-licensing contracts in light of DOJ’s new rule, make sure your ransomware risk analysis is current, and audit every pixel or tag that can leak sensitive health details—small oversights now carry big regulatory and reputational costs.

Stay informed and stay secure!

Tags:
compliance
cybersecurity
data breach
healthcare
HIPAA
risk assessment
© 2023-2025  by Hale Consulting Solutions LLC