
The past week has seen a flurry of privacy‑ and security‑related activity relevant to HIPAA compliance. Below is a curated roundup of important developments for compliance teams. Each item includes why it matters and recommended actions for healthcare organizations and their business associates.
Privacy & Legal Updates
HHS Part 2 Confidentiality Rules Compliance Date Approaching
The compliance date for the U.S. Department of Health & Human Services (HHS) final rule, published in 2024, that aligns the confidentiality requirements of 42 C.F.R. Part 2 (substance‑use disorder records) with HIPAA/HITECH is fast approaching. Patients will be able to give a single, blanket consent for SUD record disclosures for treatment, payment and healthcare operations rather than having to authorize each release, and HIPAA‑covered entities may re‑disclose Part 2 data consistent with the HIPAA Privacy Rule. The rule allows de‑identified SUD data to be used for public‑health purposes, creates new protections for counseling notes, removes the requirement to segregate Part 2 records in EHRs and brings breach‑notification and enforcement under OCR’s purview with civil penalties for violations.
Why it matters: Substance‑use programs must update their policies to incorporate HIPAA‑like standards, while covered entities that receive SUD data should revise notice of privacy practices, consent forms and information‑sharing workflows. Compliance is required by Feb. 16, 2026.
Action items:
- Inventory and label SUD information within EHRs to ensure it is tracked properly. Update consent forms to provide clear blanket consent options and allow revocation.
- Train staff on new Part 2 disclosure rights and the prohibition against using SUD data in legal proceedings without patient consent.
- Review and update breach‑notification and enforcement procedures to incorporate Part 2 obligations.
Court Rules Pixel Use Isn’t Wiretapping but Warns of PHI Risks
In Cole v. Quest Diagnostics, the U.S. Court of Appeals for the Third Circuit dismissed claims that Quest’s use of Meta’s tracking pixel violated California’s wiretapping and medical‑privacy statutes. The court held that a browser sending URLs and metadata to Facebook is not “eavesdropping” under California law and noted that because the pixel did not transmit medical test results or diagnoses (only the fact that a results page was accessed), it did not constitute disclosure of medical information. The opinion cautioned that pixel trackers can be lawful when used properly but websites should not embed sensitive data in URLs or allow trackers to collect PHI.
Why it matters: This decision limits the scope of wiretapping claims but does not eliminate liability for improper tracking; plaintiffs continue to file suits when trackers capture PHI. Healthcare organizations must minimize the risk of inadvertent disclosures.
Action items:
- Audit all tracking technologies on websites and patient portals. Ensure pixels and analytics scripts do not collect or transmit PHI, including appointment details, diagnoses or patient identifiers.
- Avoid encoding sensitive information in URLs or page titles that may be captured by referrer headers.
- Provide clear notices and obtain valid authorization before using tracking tools on portals.
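As an added example (not from the original article), the following Python audit helper checks a portal URL for the kind of PHI‑like content a tracking pixel or referrer header could capture, which is the exposure the action items above ask teams to eliminate. The identifier keys and value patterns are constructed heuristics for illustration, not a definitive PHI catalogue.

```python
import re
from typing import List
from urllib.parse import urlparse, parse_qsl

# Query keys that commonly carry patient identifiers (constructed list; extend per portal).
PHI_KEYS = {"mrn", "patient_id", "patientid", "dob", "ssn", "diagnosis", "dx", "icd", "appointment"}

# Value shapes that indicate identifiers even under a harmless-looking key (constructed heuristics).
PHI_VALUE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "date": re.compile(r"^(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})$"),
    "icd10": re.compile(r"^[A-TV-Z]\d{2}(\.\d{1,4})?$"),
}


def audit_url(url: str) -> List[str]:
    """Return human-readable findings for PHI-like content in a URL.

    Query string and path are what a browser sends in the Referer header and what
    a third-party pixel typically reports; the fragment is also checked because
    in-page scripts can read location.hash even though it is never sent in Referer.
    """
    parsed = urlparse(url)
    findings: List[str] = []

    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        if key.lower() in PHI_KEYS:
            findings.append(f"query key '{key}' looks like a patient identifier")
        for name, pattern in PHI_VALUE_PATTERNS.items():
            if pattern.match(value):
                findings.append(f"query value for '{key}' matches {name} pattern")

    # Path segments and the fragment are checked by value shape only.
    for segment in parsed.path.split("/") + [parsed.fragment]:
        for name, pattern in PHI_VALUE_PATTERNS.items():
            if segment and pattern.match(segment):
                findings.append(f"URL component '{segment}' matches {name} pattern")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, not real portal addresses.
    for sample in (
        "https://portal.example.org/results?mrn=000123&dob=1980-04-02&test=cbc",
        "https://portal.example.org/results?page=2",
    ):
        print(sample, "->", audit_url(sample) or "clean")
```

Run it against the URL inventory from a crawl of the portal; any non-empty result is a page whose design should change before a pixel is allowed on it.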
OCR Gains Enforcement Authority for Part 2
The Office for Civil Rights (OCR) at HHS is now formally authorized to enforce the final Part 2 rules, including investigating complaints and issuing penalties. Previously, enforcement resided with the Substance Abuse and Mental Health Services Administration. OCR’s Notice delegates authority to impose civil money penalties and enter into resolution agreements and corrective action plans.
Why it matters: OCR’s involvement signals more rigorous oversight of SUD privacy. Entities handling SUD data should expect enforcement similar to HIPAA investigations.
Action items:
- Conduct a gap analysis of current compliance with Part 2 and HIPAA. Make sure SUD confidentiality is integrated into the organization’s HIPAA compliance program.
- Prepare documentation and training materials to demonstrate compliance during a potential OCR audit.
Outdated Technology Presents Patient‑Safety and Compliance Risks
A survey by Presidio found that 98 % of frontline healthcare workers experience patient‑care or safety problems due to outdated technology; 23 % use unapproved workarounds (shadow IT) when systems fail, and 95 % say patient care suffers when technology goes down. Respondents reported poor data sharing between systems, multiple workarounds and reliance on legacy applications. Roughly 37 % of U.S. organizations still use outdated systems, and respondents called for investment in AI‑driven solutions to reduce clinician burnout and improve efficiency.
Why it matters: Legacy systems can lead to delays, errors and unauthorized workarounds that jeopardize patient safety and privacy. Regulatory obligations require robust IT infrastructure, encryption and access controls.
Action items:
- Inventory all critical systems and identify those using unsupported software or hardware. Prioritize updates, patching and migration to supported platforms.
- Implement multi‑factor authentication and strong access controls across all applications.
- Evaluate opportunities to integrate AI tools for scheduling, documentation and decision support, ensuring that such solutions comply with privacy and security rules.
Breach & Incident Notices
Goshen and Hancock Health Settle Pixel‑Tracking Lawsuits
Goshen Health System and Hancock Health in Indiana have agreed to settle class‑action suits alleging their use of Meta Pixel and similar tracking technologies on patient portals transmitted visitors’ PHI to Meta and other third parties. The class includes individuals who logged into the portals between January 1, 2020 and December 31, 2023. Each class member is eligible for a $25 cash payment and a year of Privacy Shield Pro (dark‑web monitoring and VPN). Final fairness hearings are scheduled for December 16 and December 18, 2025, and claim deadlines are November 29 and December 1, 2025.
Why it matters: Settlements over pixels underscore regulators’ focus on website tracking. Plaintiffs claim these technologies disclose PHI to advertisers without authorization, and more health systems are facing similar suits.
Action items:
- Inventory all third‑party scripts, pixels and tags on public websites and patient portals. Immediately disable any that are not essential or that transmit PHI.
- Review marketing agreements and business associate contracts to ensure tracking‑technology vendors are contractually bound to protect PHI.
- Provide updated privacy notices explaining what data is collected and allow patients to opt out of tracking.
CarePro Health Services Data‑Breach Settlement
CarePro Health Services will pay $1.3 million to settle claims arising from a 2023 cyberattack that exposed unencrypted patient data, including names, contact information, dates of birth, Social Security numbers, driver’s license numbers and financial/medical information. Plaintiffs alleged CarePro failed to implement reasonable security measures. The settlement offers class members reimbursement for documented losses up to $5,000, a projected $100 cash payment per claimant and two years of credit‑ and identity‑monitoring services. The claims and opt‑out deadline is December 3, 2025, with a final fairness hearing scheduled for January 23, 2025 (the litigation documents suggest the hearing will be held in 2026).
Why it matters: The case illustrates the high cost of breaches involving unencrypted data. Plaintiffs point to insufficient network segmentation and delayed breach notification.
Action items:
- Encrypt sensitive data at rest and in transit. Regularly audit firewall, backup and network‑segmentation configurations.
- Develop and test an incident‑response plan to ensure prompt detection and notification of breaches.
- Provide employees with ongoing security awareness training to reduce the risk of credential compromise.
Geisinger & Nuance Settle Insider Breach Lawsuit
Geisinger Health and its vendor Nuance Communications reached a $5 million settlement over a February 2023 insider breach. A former Nuance employee, terminated one day earlier, accessed patient data belonging to more than one million individuals, including names, dates of birth, addresses, medical record numbers, race and gender. Law enforcement requested a notification delay due to an investigation. If approved, the settlement will reimburse out‑of‑pocket losses up to a specified cap and provide monitoring services; the final approval hearing is scheduled for March 16, 2026.
Why it matters: This incident underscores the risks of insider threats, particularly when vendors retain access after termination. It also demonstrates courts’ willingness to approve sizable settlements for vendor‑related breaches.
Action items:
- Implement immediate deprovisioning procedures when employees or contractors are terminated or change roles.
- Require vendors to follow similar offboarding procedures and include contractual language permitting audits of access logs.
- Maintain robust monitoring of privileged accounts to detect unusual activity.
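As an added example (not from the original article or any of the parties named), this Python detection joins an HR termination list against application access logs and flags any access that occurs after a user’s recorded separation, the gap described in the Geisinger/Nuance incident above. The log format, user names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List


@dataclass(frozen=True)
class Termination:
    user: str
    terminated_at: datetime  # moment HR recorded the separation (timezone-aware)


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user: str
    system: str
    records_touched: int


def parse_access_log(lines: Iterable[str]) -> List[AccessEvent]:
    """Parse constructed CSV lines: ISO-8601 timestamp,user,system,records_touched."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, system, count = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, system, int(count)))
    return events


def post_termination_access(events: Iterable[AccessEvent],
                            terminations: Iterable[Termination]) -> List[AccessEvent]:
    """Return every access by a user that happened after that user's termination time."""
    cutoff = {t.user: t.terminated_at for t in terminations}
    return [e for e in events if e.user in cutoff and e.timestamp > cutoff[e.user]]


# Constructed sample data: a vendor account keeps working the morning after separation.
ACCESS_LOG = """\
2024-03-01T08:02:00+00:00,vendor.jdoe,ehr-prod,12
2024-03-02T07:45:00+00:00,vendor.jdoe,ehr-prod,10384
2024-03-02T09:10:00+00:00,nurse.asmith,ehr-prod,7
"""
TERMINATIONS = [Termination("vendor.jdoe", datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc))]

if __name__ == "__main__":
    for hit in post_termination_access(parse_access_log(ACCESS_LOG.splitlines()), TERMINATIONS):
        print(f"ALERT {hit.timestamp.isoformat()} {hit.user} touched {hit.records_touched} records on {hit.system}")
```

In practice the termination feed comes from the HR system and the events from the EHR audit log; the check must cover vendor and contractor accounts, which are often missing from the employee-only feed.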
Liberty Hospital Data‑Incident Settlement
Liberty Hospital in Missouri will pay $1.5 million to resolve claims stemming from a December 19, 2023 data incident in which a threat actor accessed its computer network and potentially exposed patient and personnel information. The proposed settlement provides class members with either reimbursement up to $500 for documented losses or an estimated $150 cash payment. The breach may have exposed names, addresses, dates of birth, medical records and treatment information, diagnoses, Social Security numbers, phone numbers, health‑insurance details and email addresses. Claims must be filed by January 12, 2026, with a final approval hearing on January 20, 2026.
Why it matters: Attackers are targeting hospitals of all sizes, and settlements now routinely include cash payments as well as reimbursements. Liberty Hospital and its insurer face significant reputational and financial costs.
Action items:
- Conduct tabletop exercises to test incident‑response readiness, including communication with law enforcement and regulators.
- Evaluate cyber‑insurance coverage and ensure policies are aligned with your organization’s exposure.
- Implement continuous monitoring to detect lateral movement and unauthorized access within the network.
VITAS Hospice Services Vendor Breach
VITAS Hospice Services, part of the Vitas Health network, reported that a third‑party vendor account was compromised between September 21 and October 27, 2025, allowing attackers to infiltrate VITAS systems and download a range of personal and health information. The breach, discovered on October 24, affects at least 5,633 individuals in Texas. Exposed data varies by person but may include names, email addresses, Social Security numbers, passport IDs, bank account and debit card numbers, driver’s license numbers, medical IDs, health insurance details, diagnoses and provider identifiers. VITAS disclosed the incident to state attorneys general and is offering 24 months of credit and identity‑protection services, including dark‑web monitoring and up to $1 million in identity‑theft insurance.
Why it matters: Third‑party vendor breaches continue to be a major source of exposure. The breadth of data exposed (financial, personal and medical) increases the risk of identity theft and medical fraud.
Action items:
- Review vendor security assessments and ensure third‑party agreements include robust cybersecurity and breach‑notification requirements.
- Require vendors to use multi‑factor authentication, network segmentation and continuous monitoring.
- Encourage affected individuals to enroll in offered monitoring services and monitor accounts for suspicious activity.
Marshfield Clinic Health System Email Compromise
Marshfield Clinic Health System disclosed that in late August unauthorized individuals gained access to several employee email accounts, exposing patient information. The incident occurred between August 26 and August 27 and allowed outsiders to view emails containing personal and medical data. Information that may have been exposed includes names, addresses, phone numbers, dates of birth, insurance ID numbers, medical record numbers, treatment or diagnosis information, lab results and medications. Marshfield Clinic discovered the unauthorized access on August 27 and launched an internal investigation while notifying impacted patients.
Why it matters: Email compromises remain a common attack vector. Even short‑lived access can expose sensitive health information and trigger breach‑notification obligations.
Action items:
- Enforce multi‑factor authentication on all email and cloud accounts.
- Train employees to recognize and report phishing attempts. Encourage the use of strong, unique passwords and periodic password rotations.
- Configure email systems to detect and block suspicious login attempts and to limit the retention of PHI in mailboxes.
HCIactive Breach and Class Action Investigation
Healthcare Interactive, Inc. (HCIactive) reported that between July 8 and July 12, 2025 an unauthorized actor copied files from its network. The breach, discovered on July 22, may have exposed names, addresses, dates of birth, Social Security numbers, phone numbers and email addresses, along with health insurance enrollment and claims information, diagnoses, lab results, prescriptions and medical record numbers. Attorneys are investigating potential class actions on behalf of affected individuals.
Why it matters: The breach highlights the risk associated with technology vendors that store comprehensive health and insurance data. Class actions could create new legal precedent on vendor liability.
Action items:
- Ensure vendor contracts mandate compliance with HIPAA and include indemnification clauses for data breaches.
- Validate that vendors conduct regular penetration tests and maintain incident‑response plans.
- Provide clear communication to patients about third‑party data handling and breach protocols.
Cybersecurity Alerts & Trends
Key Themes from Recent Incidents
Vendor and Third‑Party Risks: Breaches at VITAS and HCIactive and the settlements involving Nuance and Liberty Hospital illustrate the systemic risk posed by third‑party service providers and subcontractors. Ensure due diligence and continuous monitoring of vendors.
Pixel & Tracking Technology: The Goshen and Hancock settlements, along with numerous other lawsuits, reflect heightened scrutiny of tracking technologies. Even though some courts have limited claims (e.g., Cole v. Quest Diagnostics), regulators continue to view unapproved tracking of PHI as a privacy violation. Organizations should evaluate whether analytics tools transmit any PHI and, if so, disable or modify them accordingly.
Legacy IT and Email Security: Presidio’s survey underscores that outdated technology not only impacts productivity but also increases compliance risk, leading employees to use shadow IT. The Marshfield Clinic breach exemplifies the continued threat of phishing and email compromise.
Final Thoughts
This past week demonstrated that HIPAA compliance is evolving on multiple fronts: regulators are realigning substance‑use disorder rules with HIPAA, courts are clarifying the limits of privacy statutes, and breach settlements continue to be costly. Compliance teams should stay vigilant by auditing third‑party relationships, tracking technologies and legacy IT environments, while strengthening incident‑response and employee‑training programs. Proactive investments in modern technology, security controls and transparent communication can mitigate risk and reduce the likelihood of regulatory penalties and litigation.