
Greetings from Hale Consulting Solutions!
Our compliance team has reviewed the most notable events affecting healthcare privacy, security and HIPAA compliance during the past week (Oct 14–20, 2025). While no single topic dominated headlines, a series of data breaches, lawsuits and federal directives illustrate the breadth of challenges facing covered entities and business associates. Please review the incidents below and incorporate the recommended action items into your risk‑management program.
Breach & Incident Notices
Multiple providers warn patients of data breaches and cyberattacks
What happened: In a single announcement, five U.S. providers – Crenshaw Community Hospital (AL), Waveny LifeCare (CT), Aunt Martha’s Health & Wellness (IL), Pulse Urgent Care Center (NY) and MyCardiologist (FL) – notified patients of separate hacks. Crenshaw experienced a 53 GB data exfiltration by the Payouts King ransomware group that may involve 51,569 patient records. Waveny disclosed that hackers accessed its systems in September and the incident has disrupted services; Aunt Martha’s learned that a May 2024 cyberattack exposed the data of roughly 613,000 individuals, including sensitive PHI; Pulse discovered on Aug 28 that network intruders stole Social Security numbers, medical information and insurance details for 128,788 patients; and MyCardiologist reported a hacking incident that compromised names, addresses and clinical data of an undisclosed number of patients.
Why it matters: The variety of organizations – a rural hospital, long‑term‑care provider, community health clinic, urgent‑care center and cardiology practice – illustrates that no sector is immune. Third‑party vendors and inadequate network segmentation were common themes. The multiple notices also reinforce that ransomware groups continue to target providers to extort payments and steal large data sets.
Action items:
- Conduct tabletop exercises simulating vendor‑related breaches and update incident‑response plans.
- Require multifactor authentication (MFA) and role‑based access for all network services.
- Offer credit monitoring to affected patients and provide transparent communication during investigations.
Mission City Community Network delays breach notice
What happened: Mission City Community Network (MCCN) detected suspicious activity in its systems around June 6 2025 but did not publicly disclose the breach until October 15 – four months later. The investigation confirmed that an unauthorized party accessed data; types of information compromised were not specified, and MCCN is reviewing records and offering credit monitoring.
Why it matters: HIPAA’s Breach Notification Rule requires covered entities to notify affected individuals and HHS no later than 60 days after discovering a breach. MCCN’s delay raises compliance concerns and highlights how long dwell times (the average time to detect and contain a breach now exceeds ten months) can exacerbate risk. Enforcement actions for delayed notifications can result in heavy fines and corrective‑action plans.
Action items:
- Implement continuous monitoring and anomaly detection to reduce the time between breach discovery and containment.
- Establish clear notification procedures and review them with legal counsel to ensure compliance with the 60‑day rule.
- Maintain documentation of investigative steps to show good faith in the event of an OCR audit.
Allianz Life breach tied to third‑party CRM
What happened: Allianz Life Insurance disclosed that hackers accessed a cloud‑based customer relationship management (CRM) system on July 16 2025, exposing names, addresses, dates of birth and Social Security numbers of about 1.5 million people. Investigators attribute the attack to the Scattered Spider cybercrime group, which has been linked to similar high‑profile breaches. Allianz offered two years of identity‑theft protection.
Why it matters: Third‑party platforms remain a major vector for data exposure; nearly 30 % of reported breaches involve vendors. The stolen data – full identity attributes – can facilitate identity theft, account takeover and fraud.
Action items:
- Inventory all vendor relationships and verify each partner’s security posture through certifications and penetration testing.
- Require vendors to notify your organization promptly of any suspected incident and to sign robust business‑associate agreements that spell out breach responsibilities.
- Monitor for stolen credentials and implement network segmentation to prevent lateral movement from third‑party systems.
Privacy & Legal Updates
Integris Health agrees to $30 million settlement
What happened: Oklahoma‑based Integris Health will pay $30 million to resolve litigation stemming from its Nov 28 2023 data breach that exposed names, Social Security numbers, dates of birth, phone numbers, email addresses and health‑insurance information of roughly 2.4 million people. The settlement provides up to three years of credit monitoring and reimbursement of out‑of‑pocket losses up to $25,000 per claimant. A final hearing is scheduled for Dec 16 2025.
Why it matters: The size of the settlement signals increasing financial liability for covered entities even when no wrongdoing is admitted. It also reflects rising expectations for extended credit monitoring and compensation for victims.
Action items:
- Review cyber‑insurance policies to ensure coverage for class‑action settlements and long‑term monitoring services.
- Perform root‑cause analyses of past incidents and implement remediation measures to reduce litigation risk.
- Communicate transparently with affected individuals about available benefits and deadlines for claims.
EyeMed Vision Care settles 2020 breach lawsuit for $5 million
What happened: EyeMed Vision Care agreed to a $5 million settlement to resolve claims stemming from a July 1 2020 phishing incident that affected about 2.1 million individuals. Emails in a compromised account contained names, dates of birth, Social Security numbers, vision‑insurance IDs and information on medical conditions. Class members can receive a $50 payment and reimbursement of out‑of‑pocket losses up to $10,000, while EyeMed commits to enhanced cybersecurity measures and training.
Why it matters: Although the breach occurred years ago, the settlement highlights how long litigation can persist and underscores the value of phishing‑resistant email protection. Regulators view failure to train staff and secure email accounts as negligence.
Action items:
- Provide recurring phishing‑resilience training and simulate attacks to assess readiness.
- Enforce MFA across email systems and adopt advanced anti‑phishing technology.
- Document cybersecurity improvements and training to demonstrate compliance.
Hospital Sisters Health System pays $7.6 million
What happened: Hospital Sisters Health System (HSHS), operating 13 hospitals in the Midwest, agreed to a $7.6 million settlement to resolve class‑action claims after an August 2023 cyberattack that affected 882,782 individuals. Class members may claim reimbursement for out‑of‑pocket losses and receive two years of credit and identity monitoring. HSHS has committed to undisclosed remedial cybersecurity measures and denies wrongdoing. A final hearing is scheduled for December 4 2025.
Why it matters: Settlements continue to result in relatively modest cash payments to individuals but require expensive security upgrades. They also highlight regulators’ expectation that organizations proactively remediate vulnerabilities after incidents.
Action items:
- Evaluate existing cybersecurity controls and invest in network segmentation, patch management and incident‑response capabilities.
- Maintain detailed documentation of security improvements to demonstrate compliance to regulators and litigants.
- Communicate with legal counsel regarding potential consolidation of similar lawsuits.
LCMC Health and SSM Health settle tracking‑pixel lawsuits
What happened: Two healthcare systems reached settlements over allegations that tracking technologies on their patient portals transmitted sensitive information to third parties like Facebook and Google.
- LCMC Health (Louisiana) will provide a $15 cash payment and a one‑year subscription to CyEx Privacy Shield Pro to individuals who used its portal between Jan 1 2019 and Nov 30 2022, and will cease using certain tracking tools for two years. The lawsuit claimed that Meta Pixel captured pages visited and form entries, transmitting data without authorization. The HHS Office for Civil Rights (OCR) has warned that using pixel‑tracking on authenticated pages likely violates HIPAA unless a business‑associate agreement is in place.
- SSM Health (Midwest) will offer a $31.50 payment and one year of CyEx Privacy Shield Pro to patients who used its MyChart portal between July 6 2020 and Feb 10 2023. The lawsuit alleged that Meta Pixel and similar tools recorded patient status, conditions, physician names and treatment details. SSM denies wrongdoing but will stop using certain trackers and has scheduled a final hearing for Nov 21 2025.
Why it matters: These settlements underscore regulators’ heightened scrutiny of third‑party tracking technologies in healthcare. Courts have partially vacated OCR’s guidance on pixels, but legal boundaries remain uncertain. Providers must proactively audit web‑tracking scripts and obtain clear authorizations.
Action items:
- Audit all patient‑facing websites and portals for embedded trackers and remove those that transmit PHI without authorization.
- Establish or review business‑associate agreements with analytics providers; if not possible, disable tracking on authenticated pages.
- Update privacy notices to disclose any data‑sharing practices and obtain explicit patient consent where appropriate.
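A starting point for the tracker audit recommended above, added here as an example rather than code from the newsletter or from any of the providers named: it scans page HTML for known third‑party tracker loads (Meta Pixel, Google Tag Manager/Analytics) and rates findings on authenticated portal pages as high severity, since those pages can carry PHI in URLs and form fields. The tracker host list, signatures and sample pages are assumptions constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Assumed starter list of tracker hosts and inline bootstraps; extend it for your own environment.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager / gtag",
    "www.google-analytics.com": "Google Analytics",
}
INLINE_SIGNATURES = {
    r"\bfbq\s*\(\s*['\"]init['\"]": "Meta Pixel (inline fbq init)",
    r"\bgtag\s*\(\s*['\"]config['\"]": "Google Analytics (inline gtag config)",
}

class TrackerScanner(HTMLParser):
    # Collects (tracker name, evidence) for external tracker loads and inline tracker bootstraps.
    def __init__(self):
        super().__init__()
        self.findings, self._in_script, self._buf = [], False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf = True, []
        src = dict(attrs).get("src") if tag in ("script", "img", "iframe") else None
        for host, name in TRACKER_HOSTS.items():
            if src and host in src:
                self.findings.append((name, src))
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._buf)
            for pattern, name in INLINE_SIGNATURES.items():
                if re.search(pattern, body):
                    self.findings.append((name, "inline script"))

def audit_page(html, authenticated):
    # HIGH on authenticated (post-login) pages, where URLs and form fields can carry PHI; MEDIUM on public pages.
    scanner = TrackerScanner()
    scanner.feed(html)
    return [("HIGH" if authenticated else "MEDIUM", name, evidence) for name, evidence in scanner.findings]

# Constructed sample pages (not real portal content): path -> (html, requires login?)
SAMPLE_PAGES = {
    "/": ("<html><head><script async src='https://www.googletagmanager.com/gtag/js?id=G-XXXX'></script></head><body>Welcome</body></html>", False),
    "/portal/appointments": ("<html><head><script>fbq('init','000000');fbq('track','PageView');</script></head><body>Your appointments</body></html>", True),
    "/portal/messages": ("<html><body><p>Secure messages</p></body></html>", True),
}

def run_audit(pages=SAMPLE_PAGES):
    return {path: audit_page(html, auth) for path, (html, auth) in pages.items()}
```

In practice, feed it the rendered HTML of each portal page captured with an authenticated session, since tag managers can inject trackers that are absent from the static source.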
Legislative developments
Data‑privacy bills stalled
Senator Ted Cruz (R‑TX) blocked Sen. Ron Wyden’s Protecting Americans from Doxing and Political Violence Act (S.2850), which would have extended privacy protections enjoyed by lawmakers to the general public by limiting data brokers’ ability to sell personal information. Cruz argued the bill could hinder public awareness of sex‑offender registries, though legal experts noted the proposal explicitly preserved registries. Without unanimous consent, the bill faces a slower path through the Senate.
Medicare Advantage Prompt Pay Act
Bipartisan legislation introduced by Sens. Catherine Cortez Masto (D‑NV) and Marsha Blackburn (R‑TN) would require Medicare Advantage (MA) plans to pay clean claims within 14 days for in‑network services and 30 days for out‑of‑network claims, with penalties up to $25,000 for late payments. The bill responds to provider complaints that MA plans pay physicians 10–15 % less than traditional Medicare and take roughly twice as long to reimburse claims. Hospitals surveyed by the American Hospital Association report over $6.4 billion in delayed or denied MA claims.
Action items:
- Monitor federal privacy legislation; although this week’s bill stalled, future proposals could impose broader restrictions on data brokers and impact marketing practices.
- For billing teams, review MA claim processes and ensure readiness to meet proposed timelines should the Prompt Pay Act become law.
Cybersecurity Alerts
CISA emergency directive on F5 BIG‑IP devices
What happened: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26‑01, ordering federal agencies to inventory and patch all F5 BIG‑IP devices by Oct 22 2025, after a threat actor infiltrated F5’s development environment and exfiltrated source code. Agencies must restrict public exposure, decommission unsupported devices and report compliance by Oct 29, and provide complete inventories by Dec 3.
Why it matters: F5 BIG‑IP devices are widely used in healthcare networks for load balancing and application delivery. Exploitation could allow attackers to harvest credentials and API keys, move laterally across networks and achieve full system compromise. The directive highlights the seriousness of supply‑chain compromises and the need for rapid patching.
Action items:
- Identify any F5 BIG‑IP appliances in your environment and apply vendor patches immediately.
- Restrict management interfaces to trusted networks; disable unused services and enforce MFA for device administration.
- Perform proactive threat‑hunting to detect lateral movement and unauthorized access following F5 exploitation.
Business email compromise (BEC) remains a $2.8 billion threat
What happened: According to the FBI’s 2024 Internet Crime Report, business email compromise (BEC) caused $2.8 billion in losses in 2024 and has generated $17.1 billion in losses since 2015. BEC attacks now employ generative‑AI tools to craft convincing messages that impersonate executives or vendors, rarely containing malware or suspicious links.
Why it matters: Legacy email filters often fail to detect BEC because messages appear benign and come from legitimate domains. Healthcare organizations handle high‑value transactions (e.g., vendor payments, payroll) and remain attractive targets. A single compromised payment can lead to substantial financial losses and potential HIPAA violations if PHI is exposed.
Action items:
- Deploy advanced inbound email security solutions that analyze context, tone and sender behavior using AI.
- Educate staff to verify any request for payment changes through a second channel (e.g., phone call) and to be wary of urgent messages.
- Establish strict financial controls requiring multiple approvals for wire transfers and vendor‑payment changes.
Voice phishing attacks target Salesforce users
What happened: Google’s Threat Intelligence Group warned of an adversary cluster, UNC6040, conducting sophisticated voice phishing (vishing) attacks. Attackers impersonate IT support and convince employees to authorize a malicious “connected app” in Salesforce, which then extracts data. After data theft, the criminals sometimes demand ransom under a new alias (UNC6240).
Why it matters: The campaign combines social engineering with abuse of SaaS platforms. Because vishing relies on real‑time human manipulation, even organizations with robust technical controls can fall victim. Salesforce and similar systems are widely used by healthcare providers for marketing, scheduling and CRM functions.
Action items:
- Train staff to authenticate any IT‑support call by calling back through official channels; discourage approvals of unexpected app requests.
- Restrict the ability to install or approve connected apps to a small group of administrators.
- Enable audit logging in SaaS platforms and monitor for unusual API activity or connected‑app installations.
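Detection logic for the last action item, added as an example that is not part of the newsletter or any vendor’s tooling: it reads a setup‑audit export and flags connected‑app approvals by users outside the small admin group, approvals of apps not on the vetted list, approvals outside business hours, and the specific sequence described above (an app approval followed within an hour by a bulk data export from the same user). The CSV layout, account names, app names and policy thresholds are all constructed assumptions, not a real SaaS schema.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample setup-audit export; the column layout is an assumption, not any vendor's real schema.
SAMPLE_LOG = """timestamp,actor,action,target
2025-10-15T09:12:04Z,admin.jane,ConnectedAppInstalled,Approved Scheduling Integration
2025-10-16T14:40:51Z,nurse.bob,ConnectedAppAuthorized,Data Loader Helper
2025-10-16T14:41:20Z,nurse.bob,ApiBulkExport,Contact
2025-10-17T02:03:11Z,admin.jane,ConnectedAppInstalled,Approved Scheduling Integration
2025-10-17T10:22:00Z,frontdesk.amy,LoginSuccess,-
"""
# Assumed policy values: the admin group allowed to approve apps, the vetted app list, and office hours (UTC).
APPROVED_ADMINS = {"admin.jane", "admin.raj"}
APPROVED_APPS = {"Approved Scheduling Integration"}
APP_EVENTS = {"ConnectedAppInstalled", "ConnectedAppAuthorized"}
BUSINESS_HOURS = range(7, 20)
EXPORT_WINDOW = timedelta(minutes=60)

def detect(log_text=SAMPLE_LOG):
    """Return (severity, rule, actor, target) alerts; the last rule mirrors the vishing pattern:
    an unexpected connected-app approval followed quickly by a bulk data pull."""
    alerts, last_app_event = [], {}  # last_app_event: actor -> time of latest app approval
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        actor, action, target = row["actor"], row["action"], row["target"]
        if action in APP_EVENTS:
            last_app_event[actor] = ts
            if actor not in APPROVED_ADMINS:
                alerts.append(("HIGH", "connected-app approval by non-admin", actor, target))
            if target not in APPROVED_APPS:
                alerts.append(("HIGH", "unvetted connected app", actor, target))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("MEDIUM", "connected-app approval outside business hours", actor, target))
        elif action == "ApiBulkExport":
            prior = last_app_event.get(actor)
            if prior is not None and ts - prior <= EXPORT_WINDOW:
                alerts.append(("HIGH", "bulk export shortly after connected-app approval", actor, target))
    return alerts
```

Map the column names and action values to whatever your platform’s audit export actually emits before relying on it.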
Closing Remarks
This week’s events illustrate the multifaceted nature of compliance challenges facing healthcare organizations – from ransomware and insider misuse to third‑party tracking, lingering litigation, legislative uncertainty and evolving cyberthreats. To stay ahead, compliance teams should:
- Prioritize vendor management: Many incidents stem from third‑party systems or business associates. Strengthen due‑diligence processes, require timely breach notification and ensure BAAs address shared responsibilities.
- Audit web and email technologies: Tracking pixels and unsecured email accounts continue to prompt lawsuits and settlements. Conduct regular audits to remove unauthorized trackers and deploy advanced email‑security solutions.
- Enhance incident‑response readiness: Delayed notifications, as seen with MCCN, can lead to regulatory penalties. Establish clear breach‑response procedures and practice them through tabletop exercises.
- Monitor evolving threats and legislation: Keep abreast of CISA directives, software vulnerabilities, social‑engineering tactics and federal privacy legislation. Adapt compliance strategies as new risks and rules emerge.
By implementing these recommendations and maintaining a culture of vigilance, healthcare organizations can reduce the likelihood of breaches, minimize legal exposure and preserve patient trust.