The HealthSec Blog

Stay up-to-date on the latest news, insights, and best practices in healthcare cybersecurity, HIPAA compliance, project management, and more.

Hale Insights - November 10, 2025

November 10, 2025

Welcome and overview

Happy Monday! This edition of Hale Insights summarizes the most important news for HIPAA compliance and cybersecurity professionals from the past week.  While the previous Hale Insights (Nov 3) covered the MedImpact ransomware, Conduent breach and other issues, this edition highlights new events that your compliance team should be aware of.  Each entry explains what happened, why it matters to covered entities and business associates, and the steps you can take to reduce risk.

Privacy & Legal updates

Health Information Privacy Reform Act introduced

What happened:  Sen. Bill Cassidy (R‑La.) introduced the Health Information Privacy Reform Act (HIPRA) on Nov. 7.  The bill would extend HIPAA‑like protections to consumer health data collected by fitness apps, wearable devices and telehealth companies that are not currently covered by HIPAA.  It would require the Department of Health & Human Services (HHS) and Federal Trade Commission (FTC) to jointly draft privacy, security and breach‑notification regulations for these entities.  Key provisions include de‑identification standards, prohibitions on discriminatory use of de‑identified data, stronger disclosure requirements, and patient rights to opt out of data sharing.  HIPRA would also direct the FTC to issue guidance on the use of artificial intelligence in consumer health applications.

Why it matters:  Many health‑related services fall outside HIPAA’s “covered entity” definition, leaving consumers exposed.  If enacted, HIPRA would close this gap and create consistent standards across the healthcare ecosystem.  Organizations developing apps, wearables or analytics platforms should start assessing how they collect and share data and prepare for forthcoming rules.

Recommended actions:

  • Map data flows for non‑covered products such as wellness apps and connected devices.
  • Review privacy notices and consent processes to ensure they clearly describe what data is collected and how it is used.
  • Monitor HHS and FTC rule‑making so you can adapt policies when regulations are released.

Neuromusculoskeletal Center of the Cascades settlement

What happened:  A class‑action settlement over a 2023 ransomware attack at Oregon’s Neuromusculoskeletal Center of the Cascades received preliminary court approval on Nov. 5.  The breach exposed names, Social Security numbers, driver’s‑license numbers, medical and health‑insurance information and digital signatures of about 22,796 individuals.  The settlement offers two years of medical‑data monitoring, reimbursement for out‑of‑pocket losses up to $500, compensation for lost time, and up to $2,500 for identity‑theft losses.  Victims may alternatively claim a one‑time $80 payment.

Why it matters:  Courts are increasingly awarding meaningful benefits to breach victims.  Covered entities should note that failure to promptly notify patients and implement adequate controls can lead not only to regulatory fines but also to costly civil settlements.

Recommended actions:

  • Review your incident‑response plan to ensure rapid assessment and notification after breaches.
  • Consider offering credit‑monitoring and identity‑theft services proactively after major incidents.
  • Work with legal counsel to understand potential class‑action exposure and insurance coverage.

Cadia Healthcare settlement reminder

What happened:  The Nov. 10 National Law Review update summarized HHS’s September settlement with Cadia Healthcare Facilities.  OCR found that Cadia posted “success stories” on its website that included names, photographs and health information of 150 patients without valid HIPAA authorizations.  Cadia agreed to pay $182,000 and implement a two‑year corrective action plan requiring policy revisions, workforce training (including marketing staff) and breach notifications.

Why it matters:  Marketing teams are often unaware that patient stories can contain protected health information (PHI).  This case reinforces the need for privacy reviews of all public‑facing materials.

Recommended actions:

  • Ensure your marketing, public relations and social‑media staff are trained on HIPAA’s authorization requirements.
  • Implement a process for legal or compliance review of any patient testimonials or case stories before they are published.

Breach & incident notices

Central Jersey Medical Center ransomware (Sinobi)

What happened:  The HIPAA Journal reported that Central Jersey Medical Center discovered ransomware on August 25, 2025 and notified patients in early November.  The Sinobi gang claimed to have exfiltrated 930 GB of data.  The breach potentially exposed names, addresses, Social Security numbers, dental records, diagnoses and billing details.  The hospital hired cybersecurity experts, improved its security procedures and has not yet appeared on the HHS breach portal.

Why it matters:  Ransomware gangs continue to steal sensitive data and extort healthcare organizations.  Even after systems are restored, stolen information can lead to fraud or identity theft months later.  Early notification helps patients protect themselves.

Recommended actions:

  • Verify that backups are segmented and regularly tested.
  • Implement multi‑factor authentication (MFA) and network segmentation to limit lateral movement.
  • Develop playbooks for extortion scenarios, including when and how to involve law enforcement.

David A. Nover, P.C. breach and FuturHealth vendor incident

What happened:  The same HIPAA Journal article noted that Pennsylvania ophthalmology practice David A. Nover, P.C. discovered unauthorized access to its network on June 3, 2025.  Affected data included names, dates of birth, Social Security numbers, payment‑card information, medical record numbers and treatment information.  The practice offered credit monitoring to victims.  FuturHealth (a weight‑loss program run by Goglia Nutrition) discovered unauthorized access to its storage environment in October 2024; exposed data was limited to names and subscription information, with no Social Security numbers or payment details.

Why it matters:  Smaller practices and wellness vendors are attractive targets for attackers because they often lack robust controls.  Even if sensitive identifiers are not stolen, unauthorized access can erode patient trust.

Recommended actions:

  • Conduct periodic risk assessments to identify vulnerabilities in vendor environments.
  • Review contracts to ensure business associates are required to notify you promptly after incidents and to provide breach assistance.
  • Offer credit monitoring when payment or identity‑related data are at risk.

Misconfigured Perfectshift database exposes Stanford & Hillsboro staff

What happened:  CyberRisk Alliance’s SC Media revealed that more than 50,000 records belonging to staff and contractors at Stanford Health Care and Hillsboro Medical Center were exposed when Perfectshift, a workforce‑management vendor, left a MongoDB database unsecured.  The database contained payroll details, full names, work email addresses, IP addresses, hashed passwords, browser agents, session cookies and authorization tokens.  Researchers warned that the lack of encryption and access controls could enable social‑engineering or credential‑stuffing attacks.

Why it matters:  Vendor misconfigurations remain a leading cause of healthcare breaches.  Even hashed passwords and session tokens can be leveraged to compromise systems if proper precautions are not taken.

Recommended actions:

  • Require vendors to implement strong access controls and regularly audit cloud‑storage configurations.
  • Mandate encryption of sensitive data at rest and in transit.
  • Reset credentials and tokens promptly when exposures occur.
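The Perfectshift exposure above is the classic unauthenticated-database pattern, and the first two recommended actions (audit configurations, require access controls and encryption) can be checked mechanically. The following is an added example, not code from the original post or from any vendor named in it: it parses a mongod.conf and flags the three settings that turn a database into a public listing: authorization not enabled, listening on all interfaces, and no TLS. The two configuration texts are constructed samples, the YAML parser handles only the indented key/value subset that mongod.conf uses, and the internal address 10.0.5.12 is an assumption.

```python
"""Audit a mongod.conf for the exposure pattern behind unauthenticated MongoDB leaks.

Added example; not the original post's code. The option names (security.authorization,
net.bindIp, net.bindIpAll, net.tls.mode) are MongoDB's documented configuration keys.
"""
from typing import Any, Dict, List

# Constructed sample: no authorization, bound to every interface, no TLS.
WEAK_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample of the corrected settings (10.0.5.12 is an assumed app-tier address).
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus the internal application host only
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def _scalar(value: str) -> Any:
    """Convert a YAML scalar from the subset mongod.conf uses."""
    if value in ("true", "false"):
        return value == "true"
    if value.isdigit():
        return int(value)
    return value


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Minimal parser for indentation-based mappings of scalars (no lists, no quoting)."""
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent level, mapping) for the enclosing nodes
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb out of deeper nodes
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            node: Dict[str, Any] = {}
            parent[key] = node
            stack.append((indent, node))
        else:
            parent[key] = _scalar(value)
    return root


def _lookup(cfg: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Fetch a nested key such as 'net.tls.mode', returning default if absent."""
    cur: Any = cfg
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def audit_mongod_config(cfg: Dict[str, Any]) -> List[str]:
    """Return findings for the settings that make a database world-readable; [] when clean."""
    findings: List[str] = []
    if _lookup(cfg, "security.authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': anyone reaching the port can read every collection")
    # mongod binds to localhost by default; a wildcard address exposes it to whatever can route to the host.
    bound = {ip.strip() for ip in str(_lookup(cfg, "net.bindIp", "127.0.0.1")).split(",")}
    if _lookup(cfg, "net.bindIpAll") is True or bound & {"0.0.0.0", "::"}:
        findings.append("net.bindIp/bindIpAll exposes the listener on all interfaces")
    if _lookup(cfg, "net.tls.mode") != "requireTLS":
        findings.append("net.tls.mode is not 'requireTLS': credentials and records cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_mongod_config(parse_simple_yaml(conf))
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it against a vendor's exported mongod.conf during a configuration audit; an empty list means the three headline controls are present, but it says nothing about role design or about the hashed passwords and session tokens the report lists, which still need rotation once an exposure is confirmed.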

Heywood Healthcare cyberattack disrupts hospital services

What happened:  On Nov. 5, the nonprofit news site HIPAA Times reported that a cyberattack disrupted services at Heywood Hospital and Athol Hospital in Massachusetts.  Radiology and lab services, email and phone systems, and imaging tools such as CT scans were offline; ambulances were diverted to other facilities.  The cause and scope of the attack were still under investigation, and officials did not confirm whether ransomware or data theft were involved.  Experts cited Paubox’s 2025 mid‑year report, which notes that half of healthcare organizations list cyberattacks as a leading cause of workflow disruptions, and recommended segmentation, MFA and vendor vetting.

Why it matters:  Operational outages can endanger patient care long before data is stolen.  Hospitals must plan for continuity of critical services when systems are down.

Recommended actions:

  • Develop contingency plans for diagnostic and communication services, including manual workflows and transfer protocols.
  • Conduct regular downtime drills to ensure clinical staff know how to operate without electronic systems.
  • Evaluate the cyber‑resilience of third‑party service providers.

University of Pennsylvania data breach

What happened:  Reuters reported on Nov. 3 that the University of Pennsylvania called the FBI after a data breach led to offensive emails being sent to alumni.  The university said the breach affected “select information systems” and that it was working with law enforcement and third‑party experts to address the issue.  The FBI did not immediately comment.

Why it matters:  Universities often operate medical schools and health‑research centers that handle PHI.  Even breaches that start with offensive emails can signal broader compromise.

Recommended actions:

  • Ensure alumni and donor systems are segregated from clinical systems.
  • Implement email‑security gateways to detect phishing and spoofing.
  • Engage law enforcement quickly when criminal activity is suspected.

Cybersecurity alerts

Indictments for BlackCat (ALPHV) ransomware attacks on healthcare organizations

What happened:  On Nov. 4, the HIPAA Journal reported that two U.S. nationals, Ryan Clifford Goldberg (formerly an incident‑response specialist at Sygnia) and Kevin Tyler Martin (a former ransomware negotiator at DigitalMint), were indicted for conspiring to deploy BlackCat/ALPHV ransomware against multiple U.S. companies.  They allegedly breached networks, stole data and demanded cryptocurrency payments while employed by cybersecurity firms.  Targets included a medical device company (which paid $1.274 million of a $10 million demand), a pharmaceutical company, a California doctor’s office, an engineering firm and a drone manufacturer.  The defendants were indicted on Oct. 2, 2025 on charges including conspiracy to extort, interference with interstate commerce and intentional damage to protected computers.  Goldberg is being held as a flight risk; Martin was released on $400,000 bond.

Why it matters:  This case underscores how insiders with cybersecurity expertise can abuse their knowledge.  It also demonstrates law enforcement’s increasing focus on prosecuting ransomware actors, which may deter some attacks.

Recommended actions:

  • Enforce strict separation of duties and monitor privileged‑user activity within incident‑response and security‑operations teams.
  • Conduct thorough background checks on third‑party negotiators and consultants.
  • Report extortion attempts to law enforcement and cooperate with investigations.

Cisco firewall vulnerabilities exploited in new attacks

What happened:  Cisco warned on Nov. 6 that a new attack variant is targeting unpatched Cisco Secure Firewall ASA and FTD devices.  The attacks exploit vulnerabilities CVE‑2025‑20333 and CVE‑2025‑20362 to cause devices to reload, resulting in denial‑of‑service conditions.  These flaws were previously exploited as zero‑days in malware campaigns delivering “RayInitiator” and “LINE VIPER” payloads.  Cisco also noted other vulnerabilities (CVE‑2025‑20354, CVE‑2025‑20358 and CVE‑2025‑20343) and urged organizations to apply patches immediately.

Why it matters:  Firewalls and VPN appliances sit at the perimeter of healthcare networks.  When compromised, they open the door to lateral movement and data theft.

Recommended actions:

  • Inventory all Cisco ASA and FTD devices and apply the latest firmware updates.
  • Monitor logs for unexpected reboots or connection resets, which may indicate exploitation.
  • Implement network segmentation and intrusion‑detection systems to identify unusual traffic patterns.
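The second recommended action above, watching for unexpected reboots, is easy to turn into a concrete detection: an ASA that reports "Startup completed" several times in a few hours outside a maintenance window is either failing or being forced to reload. The script below is an added example, not code from the original post or from Cisco. The syslog lines are constructed samples; the message ID %ASA-6-199002 is used as the startup marker on the assumption that it is the ASA "Startup completed. Beginning operation." message, and the hostnames, year and maintenance calendar are assumptions.

```python
"""Flag firewall reload storms in ASA syslog (added example, not the original post's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample: fw-edge-1 restarts three times in under an hour; fw-edge-2 once, as scheduled.
SAMPLE_LOGS = """\
Nov  6 01:02:11 fw-edge-1 %ASA-6-302013: Built outbound TCP connection 8812 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.5.12/51234 (10.0.5.12/51234)
Nov  6 02:14:07 fw-edge-1 %ASA-6-199002: Startup completed. Beginning operation.
Nov  6 02:40:51 fw-edge-1 %ASA-6-199002: Startup completed. Beginning operation.
Nov  6 03:00:00 fw-edge-2 %ASA-6-199002: Startup completed. Beginning operation.
Nov  6 03:05:19 fw-edge-1 %ASA-6-199002: Startup completed. Beginning operation.
Nov  6 09:12:33 fw-edge-2 %ASA-6-302014: Teardown TCP connection 9131 for outside:203.0.113.10/443 to inside:10.0.5.12/51234 duration 0:00:02 bytes 1840 TCP FINs
"""

LOG_YEAR = 2025  # assumption: BSD syslog timestamps carry no year
STARTUP_MSG_ID = "199002"  # assumption: ASA "Startup completed. Beginning operation."

# Constructed maintenance calendar: (hostname, ISO date) pairs with an approved reload.
PLANNED_RELOADS: Set[Tuple[str, str]] = {("fw-edge-2", "2025-11-06")}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) %ASA-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<text>.*)$"
)


class AsaEvent(NamedTuple):
    ts: datetime
    host: str
    msg_id: str
    text: str


def parse_asa_syslog(text: str) -> List[AsaEvent]:
    """Parse ASA-format syslog lines; lines in any other format are skipped."""
    events: List[AsaEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append(AsaEvent(ts, m["host"], m["msg_id"], m["text"]))
    return events


def find_reboot_storms(text: str, window: timedelta = timedelta(hours=6),
                       threshold: int = 2) -> Dict[str, List[datetime]]:
    """Return {host: unplanned startup times} for hosts with >= threshold startups inside one window."""
    startups: Dict[str, List[datetime]] = defaultdict(list)
    for ev in parse_asa_syslog(text):
        if ev.msg_id != STARTUP_MSG_ID:
            continue
        if (ev.host, ev.ts.date().isoformat()) in PLANNED_RELOADS:
            continue  # approved maintenance, not suspicious
        startups[ev.host].append(ev.ts)

    flagged: Dict[str, List[datetime]] = {}
    for host, times in startups.items():
        times.sort()
        for i, t0 in enumerate(times):  # sliding window anchored at each startup
            in_window = [t for t in times[i:] if t - t0 <= window]
            if len(in_window) >= threshold:
                flagged[host] = times
                break
    return flagged


if __name__ == "__main__":
    for host, times in find_reboot_storms(SAMPLE_LOGS).items():
        print(f"{host}: {len(times)} unplanned startups, first at {times[0]:%Y-%m-%d %H:%M:%S}")
```

In production the same logic sits in the SIEM as a count-over-window rule keyed on the startup message and the device hostname, with the maintenance calendar as the suppression list; a hit should be followed by checking the device's installed version against the patched releases in the Cisco advisory, since a repeatedly reloading unpatched appliance matches the denial-of-service behaviour described above.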

Qilin ransomware targets Sai Mai Hospital in Thailand

What happened:  Cyber‑intelligence firm RedPacket Security reported that the Qilin (aka Agenda) ransomware group added Thailand’s Sai Mai Hospital to its leak site on Nov. 6.  Details about the attack—such as the method of intrusion, ransom demand or data volume—were not disclosed.

Why it matters:  While details are scarce, the incident illustrates the global reach of ransomware gangs and the possibility of spillover effects on international supply chains (e.g., vendors and research collaborations).

Recommended actions:

  • Monitor threat‑intelligence feeds for emerging groups and tactics.
  • Review cross‑border data transfer arrangements to ensure partners maintain strong security controls.
  • Consider geo‑redundant backups in case of regional service disruptions.

Research & best‑practice insights

EY–KLAS Healthcare Cyber Resilience Survey

What happened:  On Nov. 7, the HIPAA Journal summarized a survey by EY and KLAS of nearly 100 U.S. healthcare executives.  More than 70 % of organizations experienced significant business disruption due to cyberattacks in the past two years; 72 % reported moderate to severe financial impact, 60 % moderate to severe operational impact and 59 % moderate to severe clinical impact.  Phishing remained the most common attack vector (77 %), followed by third‑party breaches (74 %), malware (62 %), data breaches (47 %) and ransomware (45 %).  Executives said cybersecurity should be viewed as a strategic enabler and value creator rather than a compliance cost.

Why it matters:  The survey underscores that cybersecurity incidents are not just IT problems; they affect patient care, revenue and organizational reputation.  Leaders are under pressure to justify budgets and demonstrate the return on security investments.

Recommended actions:

  • Elevate cybersecurity in board‑level discussions and tie investments to tangible business outcomes (reduced downtime, preserved clinician productivity, improved patient safety).
  • Prioritize phishing‑resistance training and multi‑factor authentication to address the most common attack vectors.
  • Strengthen third‑party risk management, particularly for vendors providing remote support or cloud services.

Final thoughts

Data breaches, ransomware and regulatory actions continued to dominate headlines this week.  New legislation such as the Health Information Privacy Reform Act could expand privacy requirements beyond traditional HIPAA‑covered entities, while enforcement and class‑action settlements remind us that compliance failures have real financial consequences.  Cyberattacks disrupted hospital services and exposed sensitive employee data through vendor misconfigurations, and insiders were even indicted for orchestrating ransomware attacks.

Action items for your team:

  • Review the security of third‑party vendors and implement contractual requirements for breach notification and security controls.
  • Patch critical infrastructure devices, especially firewalls and VPNs, and monitor for unusual reboots.
  • Educate staff—including marketing and PR teams—about HIPAA authorization rules and phishing threats.
  • Participate in tabletop exercises to rehearse downtime procedures and incident response.

Stay vigilant and ensure that security investments align with patient care and business objectives.  As always, feel free to reach out if you have questions or need help adapting these insights to your organization’s unique risk profile.
