Hale Insights - May 25, 2026


Welcome to this week’s Hale Insights newsletter.  Over the past seven days, the healthcare sector has seen a mix of regulatory realignments, major data‑breach disclosures and new research on persistent security challenges.  Our team has reviewed these updates and summarized them below to keep your compliance program informed and proactive.

At a Glance

HHS restructures the Office for Civil Rights (OCR) – The Department of Health and Human Services reorganized OCR into three thematic divisions: Conscience and Religious Freedom, Civil Rights, and Health Information Privacy, Data and Cybersecurity, while retaining an Enforcement Division to handle investigations.  The reorganization underscores an increased focus on cybersecurity and HIPAA enforcement.

Extension of web and mobile accessibility deadlines – HHS issued an interim final rule delaying Section 504 compliance dates for recipients of HHS funding.  Large entities (≥15 employees) now have until May 11, 2027 and smaller entities until May 10, 2028 to make their digital services accessible for people with disabilities.

West Pharmaceutical Services ransomware attack – West Pharmaceutical Services, a major drug‑delivery technology provider, was hit by ransomware on May 4 and shut down parts of its network to contain the attack.  By mid‑May the company was restoring manufacturing and shipping systems and confirmed that data was stolen and encrypted.

NYC Health + Hospitals third‑party breach – A security incident at a vendor led to attackers accessing NYC Health + Hospitals’ network for 11 weeks.  The breach may have exposed personal and protected health information of roughly 1.8 million patients and employees.  Exposed data reportedly included medical records, government IDs, payment information and biometrics.

Emerging phishing campaigns target healthcare – Microsoft reported a large‑scale credential‑theft campaign using polished “code‑of‑conduct” phishing emails.  The campaign targeted more than 35,000 users across 13,000 organizations; 19 % of phishing emails were directed at healthcare and life‑sciences organizations.  Attackers used adversary‑in‑the‑middle tactics to bypass MFA.

Legacy data and EHR credential exposure – Surveys highlight ongoing risk from legacy systems: 62 % of healthcare technology professionals report that archiving legacy data affects patient care.  A separate report found that nearly 74 % of compromised healthcare devices stored electronic health record (EHR) credentials.

Inefficient fax workflows – A survey of healthcare staff indicated that 81 % spend five hours or more each week managing fax‐based prior authorizations, underscoring how outdated processes can increase administrative burden and privacy risks.

Regulatory & Policy Updates

OCR reorganization emphasizes cybersecurity

On May 18, the U.S. Department of Health and Human Services (HHS) announced a major reorganization of its Office for Civil Rights (OCR).  Under the new structure, OCR has three specialized divisions—Conscience and Religious Freedom Division, Civil Rights Division, and Health Information Privacy, Data and Cybersecurity Division—supported by an Enforcement Division.  According to the press release, the changes are designed to “improve OCR’s structure, ensuring that subject‐matter experts continue to lead this important work”.  HHS clarified that complaint intake and breach reporting will continue as before, and no workforce reductions are planned.  This reorganization signals a heightened emphasis on health‑information privacy and cybersecurity within OCR’s enforcement portfolio.

Extended deadlines for web and mobile accessibility

On May 7, HHS issued an interim final rule extending the compliance dates for recipients of HHS funding to ensure their websites and mobile applications are accessible to individuals with disabilities under Section 504 of the Rehabilitation Act.  Entities with 15 or more employees now have until May 11, 2027, while smaller entities have until May 10, 2028 to meet the accessibility requirements.  The extension responds to concerns from community health centers and hospitals that the previous May 11, 2026 deadline was not feasible.  Director Paula Stannard emphasized that the rule provides needed flexibility while maintaining the goal of accessible digital services.

Anticipated HIPAA Security Rule update

Although not finalized during the past week, stakeholders should be aware that OCR’s proposed update to the HIPAA Security Rule (announced earlier this year) is expected to be finalized later in 2026.  The proposal would strengthen requirements around encryption, multi‑factor authentication, risk assessments and incident response, aligning with NIST cybersecurity standards.  Organizations should monitor for publication of the final rule and begin assessing current controls.

Enforcement & Breach Notices

West Pharmaceutical Services ransomware incident

West Pharmaceutical Services, a leading manufacturer of drug‑delivery systems, detected unusual network activity on May 4 and proactively shut down portions of its on‑premises infrastructure.  The attack involved ransomware and malware, prompting the company to isolate systems and hire forensic experts.  The shutdown disrupted enterprise operations globally.  By mid‑May the company reported that it had restored critical manufacturing, receiving and shipping systems, but confirmed that data had been stolen and encrypted.  This event underscores the importance of robust incident response plans, immutable backups and disaster‑recovery strategies.

NYC Health + Hospitals vendor breach

A major breach at NYC Health + Hospitals (NYC H + H), the largest U.S. public health system, came to light via HHS’s breach portal updates.  Investigators determined that attackers exploited a security incident at a third‑party vendor and maintained access to NYC H + H’s network for approximately 11 weeks, potentially compromising the personal and protected health information of more than 1.8 million current and former patients and employees.  The compromised data reportedly included classic personally identifiable information (names, Social Security numbers), medical and insurance information, and biometric data such as fingerprint and palm‑print scans.  OCR and state authorities are investigating.  The incident highlights the criticality of vendor risk management and continuous network monitoring.  Healthcare organizations should review contracts to ensure vendors implement appropriate safeguards and report incidents promptly.

Emerging phishing campaigns target healthcare

Microsoft’s security research team released details of a multi‑stage credential‑theft campaign.  Between April 14 and 16, attackers sent polished “code‑of‑conduct” themed phishing emails that redirected users to attacker‑controlled domains using legitimate email services.  The campaign targeted more than 35,000 users across 13,000 organizations worldwide; nearly 19 % of the phishing emails were sent to healthcare and life‑sciences organizations.  The emails created urgency by accusing recipients of policy violations and used adversary‑in‑the‑middle techniques to steal authentication tokens and bypass multi‑factor authentication.  Microsoft noted that QR‑code‑based phishing is also surging, with a 146 % increase in QR‑code phishing volume during Q1 2026.  Compliance teams should remind workforce members to verify unexpected internal communications and adopt advanced email filtering and user‑awareness programs.

Industry Trends & Research

Legacy data archiving and EHR credential risks

Data management challenges continue to plague healthcare organizations.  A survey by Harmony Healthcare IT reported that 62 % of healthcare technology professionals say legacy data archiving affects their ability to deliver patient care.  Additionally, a report by Flare found that nearly 74 % of compromised healthcare devices contain credentials for electronic health record systems.  Attackers who obtain these credentials can access patient data and may use them to pivot deeper into networks.  Compliance teams should ensure that legacy systems are decommissioned securely and that credentials stored on devices are managed and rotated properly.

Inefficient fax workflows remain pervasive

Despite digital transformation efforts, fax remains entrenched in healthcare workflows, particularly for prior authorizations.  A Retarus survey revealed that 81 % of healthcare staff spend at least five hours per week handling fax authorizations.  This reliance on fax not only hampers productivity but also poses security risks due to misdirected faxes and lack of encryption.  Organizations should evaluate secure, HIPAA‑compliant electronic authorization solutions and update policies to reduce fax dependence.

Best Practices & Recommendations

Revisit risk assessments and third‑party oversight – The NYC H + H incident demonstrates the consequences of vendor vulnerabilities.  Conduct thorough risk assessments of vendors and require timely reporting of incidents.  Include contractual requirements for cybersecurity standards, periodic audits and breach notification.

Enhance phishing defenses and staff awareness – Sophisticated phishing campaigns are targeting healthcare organizations.  Deploy advanced email security tools that detect credential‑harvesting patterns, implement multi‑factor authentication and train staff to verify requests for credential re‑verification or policy violations.

Prepare for HIPAA Security Rule changes – Anticipate upcoming amendments that will require encryption, multi‑factor authentication and more detailed risk management.  Begin assessing gaps and budgeting for necessary technology upgrades.

Modernize legacy systems – Retire or archive legacy applications securely to reduce attack surfaces, and ensure that archived data remains accessible for compliance while not hindering clinical workflows.  Implement strong credential management for all medical devices.

Prioritize accessibility compliance – With new Section 504 deadlines, start planning web and mobile accessibility initiatives now.  Engage user experience and accessibility experts to audit existing digital tools and create remediation plans.

Staying informed about regulatory shifts, evolving threats and industry challenges enables compliance teams to adapt quickly and safeguard patient information.  If you have any questions or need assistance in interpreting these updates, feel free to reach out.