The HealthSec Blog

Hale Insights - May 23, 2025
May 27, 2025

Good Morning Everyone,

This week’s headlines revolve around three connected fault lines: massive data migrations, neglected risk analyses, and a fresh wave of record-setting breaches. Rite Aid’s bankruptcy auction is about to hand 100 million prescriptions to a rival pharmacy—an object lesson in how HIPAA, FTC orders, and state laws follow the data wherever it goes. Meanwhile, the Office for Civil Rights has already issued ten settlements in five months (up to $3 million each) after finding that neither small practices nor national suppliers bothered to run a basic enterprise-wide risk analysis. Add April’s 12.9-million-record breach surge, and the message is crystal-clear: regulators and attackers are both zeroing in on fundamental security hygiene. Details—and practical implications for our programs—are below:

Industry Trends

Rite Aid bankruptcy puts 100 M prescriptions in play

Rite Aid’s fast-tracked bankruptcy sale will transfer some 100 million active prescriptions—including detailed histories of conditions, therapies, and payer data—to whichever rival (CVS, Walgreens, Albertsons, or another bidder) prevails at the May 21 auction. Regulators have made clear that the transaction itself is no safe harbor: HIPAA still mandates strong encryption in transit and at rest, a formal risk assessment, and chain-of-custody documentation, while the FTC’s 2023 consent order against Rite Aid obligates the debtor—and, by extension, any purchaser—to maintain a “robust information-security program” throughout. Failure to vet and log how servers are wiped, media are shipped, or cloud workloads are merged could trigger parallel enforcement under state consumer-privacy laws and expose both parties to breach-notification penalties if data leaks during integration. Learn more at Bloomberg Law

Enforcement Actions

OCR levies ten settlements over missing risk analyses

In just the first five months of 2025, OCR has inked 10 HIPAA resolution agreements—fines ranging from $25 K to $3 M—against entities as varied as a small neurology practice, a Guam public hospital, and a national medical-supply firm, all tied to breaches where ransomware, phishing, or unsecured servers exposed ePHI. Every case cited the same root cause: the organization never performed an “accurate and thorough” enterprise-wide risk analysis. The settlements impose multi-year corrective-action plans that mandate fresh risk assessments, risk-management roadmaps, workforce retraining, and regular updates to security policies—making clear that OCR views risk-analysis failures as low-hanging enforcement fruit in 2025. Learn more at Ogletree Deakins

Data Breaches

April breach tally tops 12.9 M records

OCR logged 66 healthcare breaches in April—a 17.9 % jump month-over-month—with two mega-incidents pushing the impacted headcount up 371 %: Yale New Haven’s 5.6 M-record hack and Blue Shield of California’s 4.7 M-record Google Analytics misconfiguration. Hacking drove 71 % of events and 99 % of exposed ePHI, while 18 email compromises and cascading vendor hits (Nationwide Recovery Services, Oracle Health/Cerner) kept third-party risk front-and-center. California (11 breaches, 5.2 M records) and Connecticut (5.6 M records from just two events) led the state charts, underscoring the need for robust MFA, script audits, and vendor due diligence amid OCR’s tightening posture. Learn more at HIPAA Journal

Closing Thoughts

In short, this week’s stories point to one imperative: treat basic security hygiene as a real-time discipline, not a checklist. Before any large dataset changes hands—think Rite Aid’s 100 million prescriptions—lock down encryption, chain-of-custody logging, and BAAs as rigorously as you would in an incident response. Keep your enterprise-wide risk analysis alive and current, because OCR’s 2025 settlements show that a stale assessment is now a seven-figure liability. And finally, harden your vendor ecosystem—MFA everywhere, script audits, and tighter security clauses—so someone else’s breach doesn’t become tomorrow’s headline for your organization.

Stay vigilant and stay secure!

Tags:
compliance
data breach
cybersecurity
healthcare
HIPAA
risk assessment
© 2023-2025  by Hale Consulting Solutions LLC