
Greetings from Hale Consulting Solutions!
This week’s Hale Insights newsletter summarises the most notable privacy, security and legal developments from October 7–13, 2025. Our goal is to provide concise updates on data breaches, enforcement actions and emerging threats so your organization can stay ahead of risks. Please review the incidents below and incorporate the recommended action items into your compliance program.
Breach & Incident Notices
SimonMed Imaging breach notice
What happened: SimonMed Imaging, a large radiology provider, began mailing notifications to 1.27 million patients affected by a January 2025 Medusa ransomware attack. The breach notice confirms that names, addresses, dates of birth, medical record numbers and insurance details were stolen.
Why it matters: The scale of this incident underscores the continuing risk posed by third‑party and ransomware attacks on healthcare providers. Even months‑old events can surface new details, prompting additional notifications and potential lawsuits.
Action items:
- Review vendor access and enforce multi‑factor authentication and endpoint monitoring.
- Offer credit monitoring to affected individuals and ensure breach‑notification plans address delayed confirmations of data theft.
Doctors Imaging Group & associated breaches
What happened: Doctors Imaging Group in Florida reported that hackers copied files from its network, exposing names, Social Security numbers and financial account details of 171,862 patients. Rectangle Health (NY) notified 2,095 individuals after unauthorized access to its Salesforce platform, and Care N’ Care (TX) disclosed a hacking incident affecting 32,452 residents with stolen medical and insurance data.
Why it matters: These cases highlight how both providers and business associates remain lucrative targets and that Salesforce and other SaaS platforms can be exploited when misconfigured or unpatched.
Action items:
- Audit cloud and SaaS environments for unauthorized access and implement monitoring.
- Provide identity‑theft protection and reinforce vendor‑management requirements.
Harris Health insider breach
What happened: Harris Health in Texas is notifying more than 5,000 patients that a former employee accessed records from 2011 to 2021. Data included demographic information, clinical details and Social Security numbers.
Why it matters: Ten years of undetected insider access shows the importance of continuous audit logging and timely review. The four‑year delay in notifications, due to a law‑enforcement request, also raises questions about balancing investigations with patient rights.
Action items:
- Assign unique logins and regularly audit access logs.
- Provide refresher training to employees and deploy tools that flag anomalous access.
Privacy & Legal Updates
Nurse fired for pregnancy disclosure
What happened: A Waverly Health Center nurse in Iowa was fired and denied unemployment benefits for telling a family member that a 17‑year‑old patient was pregnant, despite the patient’s request for confidentiality. The disclosure violated HIPAA’s Privacy Rule and hospital policy.
Why it matters: The case underscores that minors can exercise privacy rights and that ignorance of HIPAA requirements is not a defense.
Action items:
- Reinforce training on patient authorizations and minors’ rights.
- Establish clear escalation paths when relatives request information.
Skagit Regional Health pixel settlement
What happened: Skagit Regional Health in Washington agreed to settle a class‑action lawsuit alleging its use of Meta Pixel and other tracking tools transmitted protected health information to third parties without consent. The provider denies wrongdoing but will pay class‑administration costs and $20 to each class member; patients who used its portal from May 2021 to Sept 2025 must file claims by Nov 3.
Why it matters: Regulators and plaintiffs are scrutinizing website analytics and ad‑tracking tools. Hospitals must ensure that any scripts on patient portals do not disclose identifiable health information.
Action items:
- Audit your organization’s web tracking technologies and remove tools that transmit PHI without authorization.
- Update privacy notices to reflect any data‑sharing practices and seek explicit consent.
Cybersecurity Alerts
Oracle E‑Business zero‑day exploited by Cl0p
What happened: The Cl0p ransomware group is mass‑exploiting CVE-2025-61882, a zero‑day remote‑code‑execution vulnerability in Oracle E‑Business Suite’s BI Publisher integration. The flaw has a CVSS 9.8 severity score and has been exploited since at least Aug 9; Oracle released a patch on Oct 4.
Why it matters: Exploitation allows unauthenticated attackers to run code on affected systems. Healthcare organizations that use Oracle E‑Business Suite should assume compromise if unpatched.
Action items:
- Apply Oracle’s patch and ensure you are on a supported version.
- Monitor for indicators of compromise and remove internet exposure.
GoAnywhere MFT zero‑day exploited by Medusa
What happened: The Storm-1175 threat group is exploiting CVE-2025-10035, a deserialization flaw in Fortra’s GoAnywhere MFT (versions 7.8.3 and earlier), to deploy Medusa ransomware. Successful attacks allow command injection and remote code execution. CISA requires federal agencies to patch by Oct 20.
Why it matters: This vulnerability has been exploited since early September; patching alone may be insufficient if the system has already been compromised.
Action items:
- Upgrade to GoAnywhere MFT version 7.8.4 or the 7.6.3 sustain release and restrict public access.
- After patching, investigate audit logs for anomalous activity and look for persistence mechanisms.
Closing
The incidents and enforcement actions highlighted this week emphasize the need for vigilance across the healthcare sector. Phishing, insider misuse, misconfigured website tracking and unpatched software remain top risks. By enhancing security controls, tightening vendor and web‑tracking practices, and educating staff, organizations can reduce the likelihood of breaches and regulatory penalties.