The HealthSec Blog

Stay up-to-date on the latest news, insights, and best practices in healthcare cybersecurity, HIPAA compliance, project management, and more.

Hale Insights - September 2, 2025

Good Morning Everyone,

This week’s newsletter captures new developments in health‑care privacy and cybersecurity from the last seven days.  Major breaches continue to be reported, regulators are reorganising enforcement priorities, and class‑action settlements underscore the cost of non‑compliance.  A summary of the most important news follows.

Industry Trends

Absolute Dental breach grows to 1.23 million

Nevada‑based Absolute Dental finished its investigation into a February 2025 cyberattack and told regulators that 1,223,635 people were affected — far more than the placeholder figure of 501 previously reported.  Attackers gained access via a malicious version of a legitimate software tool through a managed‑services provider’s account.  Exposed data include names, contact details, Social Security numbers, driver’s licence/passport numbers and health‑insurance or medical record information.  Credit‑monitoring services are being offered.

UI Community HomeCare hack hits 211k patients

University of Iowa Health Care and UI Community HomeCare discovered a hack on 3 July 2025.  A cybercriminal briefly accessed their network and exfiltrated files, but electronic medical records were not breached.  About 211,000 individuals may have had names, addresses, phone numbers, birth dates, provider names, medical record numbers, visit details, insurance information and Social Security numbers accessed.  Notification letters have been mailed, and the organisations have strengthened security monitoring.

Healthcare Services Group reports major breach

Bensalem, PA‑based Healthcare Services Group (HSG) told the Maine attorney general that 624,496 individuals were affected by a breach discovered in October 2024 but only quantified in June 2025.  An unauthorised party accessed HSG’s network between 27 Sept and 3 Oct 2024 and exfiltrated files containing names, dates of birth, Social Security numbers, financial account details and driver’s‑licence/state ID numbers.  Notification letters began going out on 25 Aug 2025, and free credit‑monitoring and identity‑theft protection are being offered.

Smaller provider breaches

Family Counseling Services (NY) discovered that an unauthorised party accessed email accounts between 14 Jan and 4 Feb 2025.  Exposed data may include names and combinations of dates of birth, Social Security numbers, driver’s‑licence numbers, bank‑account numbers, medical information and health‑insurance details.  Affected individuals will receive credit monitoring.

Cancer Care Center of North Florida reported two incidents involving a phishing attack (13–16 Dec 2024) and a hacking incident (31 Mar–10 Apr 2025) tied to Integrated Oncology Network.  About 1,789 patients were affected; data potentially exposed include names, addresses, dates of birth, financial‑account information, diagnoses, lab results, medications, insurance details and treatment dates.

Black Hills Regional Eye Institute (SD) discovered that a cyberattack between 4 and 8 Jan 2025 exposed names, birth dates, Social Security numbers, driver’s‑licence numbers, diagnoses, medical history, medical record numbers and insurance information.  Free credit monitoring is being provided.

Children’s Center of Hamden (CT) determined that unauthorised network access on 28 Dec 2024 compromised the personal data and Social Security numbers of 5,213 people.

Vital Imaging breach:  Vital Imaging Medical Diagnostic Centers (Florida) discovered a hacking incident on 13 Feb 2025.  Up to 260,000 individuals may have had names, dates of birth, contact information and medical/insurance details accessed.  Notifications will be mailed once the investigation concludes.

Montefiore data‑theft prosecution:  A former business clerk at Montefiore Medical Center and his partner pleaded guilty to accessing more than 4,000 patient records without authorisation and using the information to obtain almost $1 million in fraudulent pandemic relief.  The case underscores the importance of monitoring insider access and enforcing HIPAA’s minimum‑necessary principle.

Aflac cyberattack scrutiny:  Senators Bill Cassidy and Maggie Hassan wrote to Aflac’s CEO seeking details about a June 12 2025 cyberattack.  They asked about the number of individuals affected, the types of data involved and notification procedures.  Aflac said it contained the intrusion with help from cybersecurity experts; exposed data may include names, claims information, health data and Social Security numbers.  Security researchers suspect the Scattered Spider threat group targeted insurers in a data‑theft campaign.

International perspective:  Dutch medical laboratory Clinical Diagnostics revealed that a breach affecting its cervical‑cancer screening program is larger than initially reported — approximately 850,000 patients’ names, genders, dates of birth, citizen‑service numbers and test results were exposed.  Letters are being sent to those affected, and law firms are considering class‑action lawsuits.

Regulatory Updates

SUD Part 2 enforcement delegated to OCR

On Aug 27, 2025, HHS Secretary Robert F. Kennedy Jr. delegated authority to the Office for Civil Rights to administer and enforce the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR Part 2.  The final rule, effective Feb 16 2026, aligns Part 2 with HIPAA by allowing a single consent for disclosures, permitting redisclosure for treatment, payment and operations, and harmonizing breach‑notification and notice‑of‑privacy‑practices requirements.  OCR will be able to investigate complaints and impose civil monetary penalties but may face resource constraints due to staffing cuts.

Illinois bans AI‑driven therapy chatbots

The Wellness and Oversight for Psychological Resources Act, effective Aug 1 2025, prohibits using artificial‑intelligence tools to provide mental‑health therapy or make therapeutic decisions.  Licensed professionals must review any AI‑generated treatment recommendations, and AI is limited to administrative or supplemental tasks.  Violations may incur civil penalties up to US$10,000 per occurrence.  The law responds to concerns about AI‑powered therapy chatbots and underscores that patient consent and human oversight remain essential.

Enforcement & Legal Actions

Specialty Networks settlement

Specialty Networks will create a US$2.6 million fund to resolve litigation over a December 2023 data breach affecting 395,866 individuals.  Class members may claim up to $5,000 for documented losses or receive a flat $100; they can also obtain up to three years of credit monitoring.  Claims are due Oct 13 2025, with a final approval hearing on Nov 13 2025.

Mount Sinai class‑action settlement

Mount Sinai Health System agreed to pay $5.3 million to resolve a lawsuit alleging it shared patient data with Facebook via the Meta Pixel and Conversions API.  The proposed class covers 1,314,147 MyChart users.  Payments for class members and credit‑monitoring services will be funded from the settlement; claims are due Oct 14 2025 and the final approval hearing is set for Oct 24 2025.

Why it matters

These settlements highlight the financial and reputational risks associated with web‑tracking technologies and the disclosure of protected health information to third parties.  Healthcare entities should audit any marketing or analytics tools embedded on patient portals and ensure they do not transmit HIPAA‑protected data.
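The audit recommended above can be started with a static check of the portal's own pages. The following script is an added example and is not code from Hale Consulting Solutions or from any of the organisations named in this newsletter. It parses a constructed HTML snippet with Python's standard library and reports every script, image or iframe loaded from a host outside an assumed first-party allowlist, plus inline scripts that call common tracker entry points or load a tracker host dynamically. The allowlist (`FIRST_PARTY_HOSTS`), the inline signatures and the sample page are assumptions for illustration; a real audit would run this against the portal's rendered pages and then confirm in network captures what each flagged resource actually transmits.

```python
"""Audit a patient-portal page for third-party tracking tags.

Added example (not code from Hale Consulting Solutions). It reports
resources loaded from hosts outside an assumed first-party allowlist and
inline scripts that reference known tracker entry points. The allowlist,
signatures and sample page are assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party hosts for the portal; anything else is third party.
FIRST_PARTY_HOSTS = {"portal.example-health.org", "static.example-health.org"}

# Inline-script signatures of common tracking SDKs (illustrative, not exhaustive).
INLINE_SIGNATURES = ("fbq(", "gtag(", "_linkedin_partner_id")

# Constructed sample page: a first-party script, a Meta Pixel loader and a
# 1x1 tracking-pixel image, as one might find on a misconfigured portal.
SAMPLE_HTML = """
<html><head>
<script src="https://static.example-health.org/app.js"></script>
<script>
  !function(f,b,e,v,n,t,s){/* loader */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '0000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0000000000&ev=PageView"/>
<iframe src="https://portal.example-health.org/scheduler"></iframe>
</body></html>
"""


class TrackerAuditor(HTMLParser):
    """Collect external resource loads and suspicious inline scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).hostname or ""
            if host and host not in FIRST_PARTY_HOSTS:
                self.findings.append({"kind": f"{tag}-src", "host": host, "detail": src})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        # Known SDK calls inside inline scripts.
        for sig in INLINE_SIGNATURES:
            if sig in data:
                self.findings.append({"kind": "inline-script", "host": None, "detail": sig})
        # Tracker hosts loaded dynamically from inside the script body.
        for token in data.replace("'", " ").replace('"', " ").split():
            if token.startswith("https://"):
                host = urlparse(token).hostname or ""
                if host and host not in FIRST_PARTY_HOSTS:
                    self.findings.append({"kind": "inline-load", "host": host, "detail": token})


def audit_page(html):
    """Return the list of third-party / tracking findings for one HTML page."""
    parser = TrackerAuditor()
    parser.feed(html)
    return parser.findings


def third_party_hosts(html):
    """Distinct third-party hosts the page would contact, for the audit report."""
    return sorted({f["host"] for f in audit_page(html) if f["host"]})


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML):
        print(finding)
    print("third-party hosts:", third_party_hosts(SAMPLE_HTML))
```

Each third-party host in the report is a candidate disclosure path; the follow-up is to check what the request carries (URL, referrer, form fields, cookies) and whether a business-associate agreement or patient consent covers it.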

Closing Thoughts

The past week illustrates the continuing onslaught of cyberattacks and insider threats in the healthcare sector.  Large breaches at Absolute Dental, UI Community HomeCare and HSG expose millions of patients’ personal and health information, while smaller providers and third‑party vendors remain attractive targets.  Regulatory changes—such as the delegation of SUD Part 2 enforcement to OCR and state restrictions on AI‑driven therapy—signal a tightening privacy landscape.  Meanwhile, class‑action settlements remind us that privacy violations carry significant financial penalties.

Recommended actions:

  1. Reinforce third‑party risk management: Many breaches originate via vendors or managed‑service providers.  Conduct thorough risk assessments, require multi‑factor authentication and audit vendor security practices.
  2. Monitor and limit insider access: The Montefiore case shows how insiders can misuse data.  Implement strict least‑privilege policies and monitor audit logs for unusual access.
  3. Review AI and tracking technologies: Ensure any AI tools, analytics scripts or marketing pixels used in digital platforms comply with HIPAA and applicable state laws.  Obtain patient consent and provide human oversight.
  4. Prepare for OCR’s expanded authority: Substance‑use‑disorder providers should review their policies in light of the upcoming 42 CFR Part 2 changes and be ready for potential OCR investigations.
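Action 2 above asks for audit-log monitoring against a least-privilege baseline. The script below is an added example, not code from Hale Consulting Solutions or from any EHR vendor, showing one way to do that over constructed access-log lines: it counts the distinct patient records each user touched per day and flags users whose count exceeds an assumed per-role baseline or who access records outside an assumed shift window. The log field layout (`timestamp,user,role,patient_id,action`), the `ROLE_DAILY_BASELINE` values and the `CLERK_SHIFT` hours are assumptions for illustration and would be tuned to the organisation's own roles and workflows.

```python
"""Flag unusual patient-record access in an EHR audit log.

Added example (not code from Hale Consulting Solutions or any EHR vendor).
Field layout, role baselines and shift hours are assumptions for
illustration; the log itself is constructed inline.
"""
from collections import defaultdict
from datetime import datetime

# Assumed per-role baseline: distinct patient records one user plausibly needs
# in a single day under a minimum-necessary policy.
ROLE_DAILY_BASELINE = {"clerk": 40, "nurse": 60, "physician": 80}

# Assumed shift window (24h clock, start inclusive, end exclusive) for clerks.
CLERK_SHIFT = (7, 19)


def _build_sample_log():
    """Constructed sample: normal daytime activity, then one clerk reading
    50 distinct records at 02:00 the next morning."""
    lines = []
    for i in range(10):
        lines.append(f"2025-08-28T09:{i:02d}:00,drlee,physician,P{2000 + i},VIEW")
        lines.append(f"2025-08-28T10:{i:02d}:00,nwong,nurse,P{2000 + i},VIEW")
        lines.append(f"2025-08-28T11:{i:02d}:00,jsmith,clerk,P{3000 + i},VIEW")
    for i in range(50):
        lines.append(f"2025-08-29T02:{i:02d}:00,jsmith,clerk,P{4000 + i},VIEW")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse 'timestamp,user,role,patient_id,action' lines into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def flag_unusual_access(events):
    """Return a sorted list of (user, day, reason) findings."""
    distinct = defaultdict(set)  # (user, day) -> set of patient ids
    role_of = {}
    findings = set()
    for e in events:
        day = e["ts"].date().isoformat()
        distinct[(e["user"], day)].add(e["patient"])
        role_of[e["user"]] = e["role"]
        # Off-hours access by non-clinical staff is reported once per user-day.
        if e["role"] == "clerk" and not (CLERK_SHIFT[0] <= e["ts"].hour < CLERK_SHIFT[1]):
            findings.add((e["user"], day, "access outside shift window"))
    for (user, day), patients in distinct.items():
        baseline = ROLE_DAILY_BASELINE.get(role_of[user], 0)
        if len(patients) > baseline:
            findings.add((user, day,
                          f"{len(patients)} distinct records exceeds "
                          f"{role_of[user]} baseline of {baseline}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, day, reason in flag_unusual_access(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {reason}")
```

Findings like these are a starting point for a privacy-office review, not proof of misuse; the baseline numbers should come from the organisation's own historical access patterns, and a volume check of this kind is most useful alongside a relationship check (does the user have an encounter, unit or billing link to the record?).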

Staying informed and proactive remains the best defense against evolving threats.  Have a secure week!


Tags:
compliance
cybersecurity
data breach
healthcare
HIPAA
risk assessment
© 2023-2025  by Hale Consulting Solutions LLC