Hale Insights - September 15, 2025

September 15, 2025

Good morning – here’s what moved the needle this week

In the past week, new developments reminded us that even as we harden our own systems, attackers continue to exploit supply‑chain weaknesses and regulators are sharpening their tools.  Healthcare organizations large and small disclosed fresh breaches, regulators released new risk‑assessment guidance and gave the Office for Civil Rights (OCR) new enforcement authority over substance‑use records, and courts and class‑action settlements underscored the cost of non‑compliance.  We also saw calls for accountability around software vendors and a novel ransomware supply‑chain incident in Brazil.

Industry trends

Vulnerability remediation still lags in healthcare

Cobalt’s State of Pentesting in Healthcare 2025 found that only 13.3 % of vulnerabilities identified in healthcare pentests were serious, yet the median time to remediate serious flaws was 58 days, ranking healthcare 11th of 13 industries.  The half‑life of vulnerabilities – the time to remediate half of discovered flaws – was 244 days, among the worst in any sector.  While 94 % of organizations fix business‑critical issues within two weeks, backlogs of “lower priority” vulnerabilities linger.  Cobalt urges organizations to demand pentest reports from vendors, integrate pentesting into the development cycle, test AI‑based features proactively and run red‑team exercises.

KillSec ransomware hits a healthcare software vendor

Security Affairs reported that the KillSec ransomware group breached MedicSolution, a software provider for Brazil’s healthcare industry, and threatened to publish sensitive data if negotiations fail.  Investigators believe the attack stemmed from an insecure AWS S3 bucket that allowed data exfiltration for months.  That duration is not surprising: object reads from a publicly readable bucket are not recorded unless S3 server access logging or CloudTrail data events have been switched on, so this kind of exfiltration leaves no trace in the application’s own logs.  The stolen 34 GB trove includes medical evaluations, lab results, X‑rays and unredacted patient photographs.  KillSec claims to have compromised additional health organizations in the United States, Peru and Colombia, illustrating how a single vendor compromise can cascade across borders.  Separately, Brazil’s data‑protection authority (ANPD) recently fined 15 healthcare entities BRL 12 million (≈US$2.4 million) for lacking encryption and breach‑response plans, a reminder that enforcement of data‑protection laws is growing worldwide.
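The root cause described above, a bucket policy that lets anyone read or list objects, is something a practitioner can check for in code before an attacker does. The following is an added example written for this newsletter; it is not code from MedicSolution, KillSec or AWS. Both policy documents are constructed for illustration, and the bucket name and account ID are placeholders. The checker flags Allow statements whose Principal is everyone and whose Action exposes object data, and reports whether a Condition narrows the grant.

```python
"""Flag S3 bucket-policy statements that grant anonymous read or list access.

Added example for this newsletter, not code from MedicSolution, KillSec or
AWS. Both policy documents below are constructed for illustration; the
bucket name and account ID are placeholders.
"""
import json

# Actions (lower-cased) that let an anonymous caller enumerate or download objects.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Principal/Action/Resource may be a single string or a list in policy JSON."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when Principal is "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def action_grants_read(actions):
    """True if any action exposes object data, including wildcards like s3:Get* or s3:List*."""
    for action in _as_list(actions):
        a = action.lower()
        if a in READ_ACTIONS:
            return True
        if a.endswith("*"):
            prefix = a[:-1]
            if any(r.startswith(prefix) for r in READ_ACTIONS if r != "*"):
                return True
    return False


def anonymous_read_grants(policy):
    """Return Allow statements that give everyone read/list access.

    A Condition (e.g. aws:SourceVpce or aws:Referer) narrows the grant, so such
    statements are reported with conditional=True for a human to judge rather
    than silently accepted.
    """
    grants = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" is a hardening pattern, not a leak
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        if not action_grants_read(stmt.get("Action")):
            continue
        grants.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "resources": _as_list(stmt.get("Resource")),
            "conditional": "Condition" in stmt,
        })
    return grants


# Constructed: the classic "public read" misconfiguration.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-patient-files", "arn:aws:s3:::example-patient-files/*"]
  }]
}""")

# Constructed: access limited to one application role, plus a deny for non-TLS requests.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-patient-files/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-patient-files", "arn:aws:s3:::example-patient-files/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(anonymous_read_grants(policy), indent=2))
```

This evaluates only the bucket policy. A bucket can also be public through a legacy ACL or because Block Public Access is disabled at the bucket or account level, so on a live bucket pair this check with `aws s3api get-bucket-policy-status` and `aws s3api get-public-access-block`, and turn on server access logging so that reads of patient data are at least recorded.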

Regulatory updates

New security risk assessment tool released

The U.S. Department of Health & Human Services (HHS) Office for Civil Rights released version 3.6 of its free Security Risk Assessment (SRA) Tool.  The update adds a “reviewed by” field to track internal approvals and improves reporting features.  OCR continues to focus enforcement on organizations that fail to conduct comprehensive risk analyses, so compliance teams should familiarize themselves with the tool and its outputs.  Completing the tool is not itself a risk analysis: OCR expects a documented, enterprise‑wide assessment of where ePHI is created, stored, transmitted and processed, and the tool only helps structure and record that work.

OCR gains authority over substance‑use‑record confidentiality

On August 25, HHS delegated administration and enforcement of 42 C.F.R. Part 2 (confidentiality of substance‑use‑disorder records) to OCR.  A Ropes & Gray alert explains that OCR may now impose civil monetary penalties, enter into resolution agreements and issue subpoenas to investigate Part 2 programs.  The delegation aligns Part 2 enforcement with HIPAA, requires regulated entities to comply with the 2024 final rule by February 16, 2026, and signals the government’s intent to actively enforce the confidentiality provisions.

Senator calls for FTC probe of Microsoft’s security practices

Senator Ron Wyden wrote to the Federal Trade Commission urging it to investigate Microsoft for “gross cybersecurity negligence.”  Wyden cited a 15 % increase in ransomware attacks in 2024 and argued that insecure defaults in Microsoft products, such as continued support for the legacy RC4 cipher and weak password settings, contributed to large healthcare breaches including the Ascension attack, which exposed the electronic protected health information (ePHI) of 5.6 million patients.  He criticized Microsoft’s practice of selling security add‑ons rather than shipping secure defaults and urged the FTC to hold the company accountable.  Organizations do not have to wait for Microsoft on the RC4 point: Active Directory administrators can restrict Kerberos to AES encryption types through Group Policy once they have confirmed that no legacy service still depends on RC4.

Litigation & enforcement

CVS Health faces congressional probe for alleged misuse of patient data

House Republicans accused CVS Health of using patient information to lobby against Louisiana’s House Bill 358, which would bar pharmacy benefit managers from owning pharmacies.  Lawmakers allege CVS sent text messages urging patients to oppose the bill and supplied draft letters making claims such as potential pharmacy closures.  The HIPAA Privacy Rule permits use of protected health information without authorization only for treatment, payment, health care operations and a limited set of other purposes; political advocacy is none of these, so absent patient authorization such use may violate the Privacy Rule in the same way unauthorized marketing does.  CVS has until September 18 to respond to legislators’ questions.

Weirton Medical Center agrees to settle ransomware‑attack lawsuit

West Virginia’s Weirton Medical Center, which suffered a January 2024 ransomware attack compromising 26,793 individuals’ data, reached a settlement offering class members either reimbursement for documented losses (up to $5,000) or a $50 cash payment.  Class members will also receive one year of three‑bureau credit monitoring and identity theft insurance.  Claims must be filed by November 5, 2025, and a final approval hearing is scheduled for November 3, 2025.

Adena Health pixel‑tracking lawsuit settles for $17.8 million

CalHIPAA reports that Ohio‑based Adena Health agreed to pay $17.8 million to resolve claims that Meta Pixel and Google Analytics code on its MyChart patient portal transmitted patients’ personally identifiable information and protected health information to third parties without consent.  The proposed settlement covers about 89,000 class members, each of whom will receive $21 and one year of credit monitoring.  Adena denies wrongdoing, but the case underscores growing litigation and regulatory scrutiny of online tracking technologies, especially on authenticated patient pages.

DOJ charges ransomware administrator and offers record reward

The U.S. Department of Justice unsealed charges against Volodymyr Tymoshchuk, a Ukrainian national accused of administering the LockerGoga, MegaCortex and Nefilim ransomware groups.  Prosecutors allege he and accomplices infected over 250 U.S. victims between July 2019 and June 2020, demanding ransoms and threatening to leak stolen data.  The Department of State is offering up to $10 million for information leading to his arrest and conviction and an additional $1 million for information leading to the conviction of other group members.  This is one of the largest rewards ever offered for a cyber‑criminal.

Data‑breach notices

Radiology Associates of San Luis Obispo (Pacific Imaging Management)

Employee email accounts were accessed between February 3 and March 17, 2025, exposing names, birth dates and health information for 13,158 individuals.  Notification letters were sent on September 10.

North Oaks Health System

Unauthorized access to email accounts, discovered June 4, 2025, exposed names, birth dates, health insurance information, clinical data and Social Security numbers for 6,243 individuals.

The Children’s Center of Hamden

Hackers accessed or acquired files containing names, birth dates, Social Security numbers, driver’s license/passport data, biometric data and diagnosis/treatment information, affecting 5,213 individuals.

Huron Regional Medical Center

An attack on the South Dakota hospital’s network exposed names, addresses, phone numbers, birth dates, service dates, insurance information and lab results.  Notifications began September 9; the total number of affected individuals has not been disclosed.

Franklin Dermatology Group (via third‑party vendor)

A breach at debt‑collection vendor Nationwide Recovery Service exposed names, addresses, birth dates, Social Security numbers and health information for 2,457 patients.

Closing thoughts – recommended actions

Leverage the new SRA tool

Review the updated OCR Security Risk Assessment Tool and document who reviews and approves assessments.  Use the results to inform your annual risk analysis and remediation plan.

Monitor supply‑chain and third‑party risks

The KillSec incident and third‑party breaches (e.g., Nationwide Recovery Service) show that vendors and software providers can be a weak link.  Require vendors to produce penetration‑testing reports and evidence of access controls on any cloud storage that holds your data, put security obligations and breach‑notification timelines into contracts and business associate agreements, and monitor compliance rather than relying on attestations alone.

Audit tracking technologies and marketing practices

Review websites and patient portals for tracking pixels and analytics tags, paying particular attention to authenticated pages, and ensure that any disclosure to the tag vendor is covered either by a business associate agreement or by a valid HIPAA authorization.  Do not use patient data for political or marketing campaigns without explicit authorization.
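The review step above can be automated against the HTML your portal actually serves. What follows is an added example written for this newsletter, not Adena Health’s, any portal vendor’s or any tag vendor’s code. It parses a page with the standard library, flags `<script>`, `<img>` and `<iframe>` sources on known tracker hosts, and also inspects inline script bodies for loader URLs and for the `fbq(` / `gtag(` / `dataLayer.push(` calls that show a tracker was initialised even when its script is injected dynamically. The two HTML documents are constructed; the pixel and measurement IDs are placeholders, and the host list is a starting point to extend.

```python
"""Scan HTML for third-party tracking tags (Meta Pixel, Google Analytics / Tag Manager).

Added example for this newsletter, not Adena Health's or any vendor's code.
The two HTML documents below are constructed; the pixel and measurement IDs
are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host -> vendor label. Matching is exact host or subdomain, so look-alike
# domains such as www.facebook.com.evil.example do not match.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "stats.g.doubleclick.net": "Google Ads / DoubleClick",
}
# Inline JavaScript calls that show a tracker was initialised, even when the
# loader was injected dynamically instead of via a <script src>.
INLINE_CALLS = {
    "fbq": "Meta Pixel",
    "gtag": "Google Analytics",
    "ga": "Google Analytics",
    "dataLayer.push": "Google Tag Manager / GA4",
}
INLINE_RE = re.compile(r"\b(fbq|gtag|ga|dataLayer\.push)\s*\(")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def vendor_for_url(url):
    """Vendor label when the URL's host is (a subdomain of) a known tracker host, else None."""
    host = (urlparse(url).hostname or "").lower()
    for tracker_host, vendor in TRACKER_HOSTS.items():
        if host == tracker_host or host.endswith("." + tracker_host):
            return vendor
    return None


class TrackerScanner(HTMLParser):
    """Collects {kind, vendor, evidence} for tag sources and inline script content."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def _note(self, kind, vendor, evidence):
        entry = {"kind": kind, "vendor": vendor, "evidence": evidence}
        if entry not in self.findings:  # de-duplicate repeated calls
            self.findings.append(entry)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            vendor = vendor_for_url(src) if src else None
            if vendor:
                self._note(tag, vendor, src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if not self._in_script:
            return
        for url in URL_RE.findall(data):
            vendor = vendor_for_url(url)
            if vendor:
                self._note("inline-url", vendor, url)
        for match in INLINE_RE.finditer(data):
            self._note("inline-call", INLINE_CALLS[match.group(1)], match.group(0).strip())


def scan_html(html):
    """Return all tracker findings for one HTML document."""
    parser = TrackerScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def detected_vendors(html):
    """Set of vendor labels present on the page (empty set means no known trackers)."""
    return {f["vendor"] for f in scan_html(html)}


# Constructed: a portal sign-in page carrying GA4 via gtag and a dynamically loaded Meta Pixel.
SAMPLE_LOGIN_PAGE = """<!doctype html>
<html><head><title>Patient Portal - Sign In</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-PLACEHOLDER');
</script>
<script>
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
</body></html>"""

# Constructed: the same page with only first-party assets.
CLEAN_LOGIN_PAGE = """<!doctype html>
<html><head><title>Patient Portal - Sign In</title>
<script src="/static/app.js"></script>
</head><body>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_LOGIN_PAGE):
        print(f)
    print("clean page:", detected_vendors(CLEAN_LOGIN_PAGE))
```

Run it against pages fetched while logged in as a test patient, not just the public home page, because tags inside the authenticated portal are the ones most likely to carry PHI. A static scan cannot see tags that a tag manager loads at runtime, so pair it with a look at the browser’s network requests on the same pages.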

Accelerate patching and vulnerability remediation

Cobalt’s report indicates that healthcare organizations are too slow to remediate serious vulnerabilities.  Establish timelines for fixing high‑risk issues (e.g., within 30 days), assign an owner to each finding, and track median time‑to‑remediate and the age of the open backlog so that slippage is visible before an auditor or an attacker finds it.
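The metrics Cobalt reports (median time to remediate, backlog half‑life) and the 30‑day timeline suggested above are easy to compute from a findings export. The following is an added example written for this newsletter, not Cobalt’s methodology or code. The SLA targets per severity and the findings list are constructed assumptions, and “serious” is taken to mean critical or high. It shows why the median alone flatters a team with a large open backlog: the median counts only fixed findings, so the half‑life and the overdue list have to be read alongside it.

```python
"""Remediation-SLA metrics over a vulnerability backlog.

Added example for this newsletter, not Cobalt's methodology or code. The
SLA_DAYS targets and the findings list are constructed assumptions; 'serious'
is taken to mean critical or high.
"""
from datetime import date
from statistics import median

# Assumed remediation targets per severity, in days (the text suggests 30 days for high-risk issues).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
SERIOUS = {"critical", "high"}

# Constructed findings: ISO dates; fixed=None means still open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "found": "2025-06-01", "fixed": "2025-06-10"},
    {"id": "F-2", "severity": "high",     "found": "2025-05-01", "fixed": "2025-07-10"},
    {"id": "F-3", "severity": "high",     "found": "2025-07-01", "fixed": "2025-07-20"},
    {"id": "F-4", "severity": "high",     "found": "2025-08-01", "fixed": None},
    {"id": "F-5", "severity": "medium",   "found": "2025-03-01", "fixed": "2025-08-15"},
    {"id": "F-6", "severity": "medium",   "found": "2025-08-20", "fixed": None},
    {"id": "F-7", "severity": "low",      "found": "2025-01-15", "fixed": None},
    {"id": "F-8", "severity": "low",      "found": "2025-02-01", "fixed": "2025-03-01"},
]
AS_OF = date(2025, 9, 15)  # snapshot date for the open findings


def age_days(finding, as_of):
    """Days from discovery to fix, or from discovery to as_of while the finding is open."""
    start = date.fromisoformat(finding["found"])
    end = date.fromisoformat(finding["fixed"]) if finding["fixed"] else as_of
    return (end - start).days


def median_ttr(findings, as_of, severities=SERIOUS):
    """Median time-to-remediate over fixed findings of the given severities; None if none are fixed.

    Open findings are excluded, so a large open backlog makes this number look
    better than reality; read it together with half_life_days and sla_report.
    """
    durations = [age_days(f, as_of) for f in findings if f["fixed"] and f["severity"] in severities]
    return median(durations) if durations else None


def half_life_days(findings, as_of):
    """Smallest fix duration d such that at least half of all discovered findings were fixed within d days.

    Returns None while fewer than half of the findings have been fixed at all.
    """
    needed = (len(findings) + 1) // 2
    fixed_ages = sorted(age_days(f, as_of) for f in findings if f["fixed"])
    if needed == 0 or len(fixed_ages) < needed:
        return None
    return fixed_ages[needed - 1]


def sla_report(findings, as_of):
    """IDs of open findings already past their SLA, and of fixed findings that exceeded it."""
    overdue_open, missed_sla = [], []
    for f in findings:
        if age_days(f, as_of) > SLA_DAYS[f["severity"]]:
            (missed_sla if f["fixed"] else overdue_open).append(f["id"])
    return {"overdue_open": sorted(overdue_open), "missed_sla": sorted(missed_sla)}


if __name__ == "__main__":
    print("median TTR (serious):", median_ttr(FINDINGS, AS_OF))
    print("backlog half-life:", half_life_days(FINDINGS, AS_OF))
    print("SLA report:", sla_report(FINDINGS, AS_OF))
```

On the constructed data the serious median is 19 days, which looks healthy, while the half‑life is 70 days and one high finding has been open for 45 days: the second and third numbers are the ones a remediation review should act on.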

Prepare for enhanced enforcement

OCR’s new authority over Part 2 records and its ongoing emphasis on risk analysis and breach notification mean that covered entities must update policies, workforce training and notices of privacy practices.  Ensure you have an incident‑response plan that covers both HIPAA and Part 2 requirements.

Stay proactive and vigilant.  New threats and regulatory shifts emerge weekly; our compliance posture must evolve just as quickly.

Tags:
compliance
cybersecurity
data breach
healthcare
HIPAA
risk assessment