
Welcome to the latest edition of Hale Insights.
This week’s newsletter is a curated look at the latest data‑privacy and security events affecting covered entities, business associates and patients. We summarise the key facts, highlight why each story matters to compliance teams and suggest practical actions to strengthen your program.
Breach & Incident Notices
Archer Health database exposed (~150 K files)
Cyber‑security researcher Jeremiah Fowler discovered an exposed, unauthenticated 23.7 GB cloud database containing more than 145 000 patient files, including PDFs, images and screenshots. The database was linked to Archer Health, a California home health and palliative‑care provider. Fowler’s sample analysis found patient names, contact details, Social Security numbers, patient ID numbers and detailed medical documents such as discharge summaries, diagnoses, treatment information and home‑health certifications. The database also contained screenshots of dashboards and scheduling systems showing real‑time operations. Fowler notified the provider, which secured the database within hours and launched an investigation; how long the data was exposed and how many patients were affected remain unclear.
Why it matters: Exposed cloud storage remains a leading cause of HIPAA breaches. Such databases often contain rich combinations of personally identifiable information (PII) and protected health information (PHI). Even when a researcher is the one who reports the exposure, others may already have scraped the data before the owner notices, so the owner cannot assume the researcher was the only visitor.
Action items:
- Conduct regular external scanning for exposed cloud resources and test access controls.
- Ensure auditing logs and backup snapshots do not contain screenshots or caches of sensitive dashboards.
- Vendor oversight: confirm that cloud providers and vendors follow least‑privilege access and encryption at rest.
Coos County Family Health Services ransomware incident
Coos County Family Health Services (CCFHS) in Berlin, NH detected suspicious activity on its servers and phone systems on July 9 2025 and later confirmed that an unauthorised third party had accessed its systems. The ransomware group RunSomeWarez claimed responsibility and listed the provider on its data‑leak site. CCFHS reported that patient data may have been exfiltrated; the files contained names, dates of birth, contact information, Social Security numbers, medical information and medical ID numbers. Affected patients were offered credit‑monitoring and identity‑theft protection services.
Why it matters: Small and rural providers remain attractive targets for ransomware operators. Attackers may disrupt both IT systems and phone services, delaying care coordination. Early detection and offline backups are critical.
Action items:
- Verify incident‑response playbooks include phone/VoIP systems and patient‑notification steps.
- Conduct tabletop exercises with leadership; practise decisions around ransom demands, law enforcement reporting and patient communications.
- Review access controls for administrative tools and require multi‑factor authentication (MFA) for all external connections.
Roush Fenway Keselowski Racing employee health plan breach
Auto‑racing organisation Roush Fenway Keselowski Racing reported a May 14 2025 cyberattack that led to unauthorised access to systems containing employee health‑plan data. Investigators confirmed that files were accessed or copied; exposed data included names, addresses, dates of birth, Social Security numbers, driver’s‑license numbers, passport numbers, financial account information, health‑insurance subscriber numbers and medical information. Up to 2 160 individuals were affected, and the organisation is offering identity‑monitoring services.
Why it matters: An employer‑sponsored group health plan is a covered entity under HIPAA, so an employer that self‑administers its plan must secure plan‑member data on the plan’s behalf. Even though the company’s core business is motor sports, its employee‑benefit systems hold sensitive PHI.
Action items:
- Require MFA and robust endpoint detection for systems used to manage employee benefits.
- Limit the data stored in internal systems to the minimum necessary; avoid storing driver’s‑license and passport numbers when not legally required.
- Evaluate cyber‑insurance coverage and confirm employee‑notification obligations under HIPAA and state breach laws.
University of North Carolina School of Medicine phishing attack
The University of North Carolina at Chapel Hill and UNC Hospitals announced that a School of Medicine employee’s email account was compromised after responding to a phishing email that appeared to come from a trusted source. The breach occurred on July 24 2025 and lasted about 15 hours before remediation. During this time, attackers may have viewed or stolen PHI including names, dates of birth, diagnosis and treatment information, Social Security numbers, driver’s‑license numbers, financial information and health‑insurance information. The breach affected 799 individuals at the School of Medicine and 6 377 individuals at UNC Hospitals, and notification letters were mailed on Sept 19 2025.
Why it matters: Phishing remains one of the most effective methods for breaching healthcare systems. Rapid detection and response limited the exposure window to 15 hours, but credential‑phishing underscores the need for regular staff training and phishing simulations.
Action items:
- Implement phishing‑resistant MFA (e.g., FIDO2 tokens) on email accounts so that a password captured by a phishing page cannot be used on its own to sign in.
- Refresh employee phishing training and emphasise verifying sender legitimacy before clicking links.
- Update incident‑response procedures to prioritise email account takeovers and quick password resets.
Arizona Medicaid mailing error
The Arizona Health Care Cost Containment System (AHCCCS) halted a routine mailing on Aug 29 2025 after discovering that letters were sent to the wrong recipients. Approximately 3 177 members were affected. The letters included names, AHCCCS identification numbers and health‑plan names but did not contain highly sensitive information such as Social Security numbers. AHCCCS reviewed its mailing processes and implemented safeguards to prevent similar mis‑mailings.
Why it matters: Under the HIPAA Breach Notification Rule, even a minor mis‑mailing of PHI is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised. Mailing errors can undermine trust and invite scrutiny of privacy practices.
Action items:
- Use address‑verification software and bar‑code scanning to ensure correct matching of letters and envelopes.
- Add manual quality checks for large mailings, especially when vendor mail houses are used.
- Document incident reporting and breach‑analysis decisions for minor disclosures.
OneBlood class‑action settlement following 2024 ransomware attack
Nonprofit blood‑collection organization OneBlood agreed to pay up to US$1 million to settle a class‑action lawsuit over its July 2024 ransomware attack. From July 14–29 2024 a threat actor gained access to OneBlood’s systems, exfiltrated sensitive data and then deployed ransomware, ultimately affecting 167 400 individuals whose names and Social Security numbers were exposed. In the lawsuit Newberry et al. v. OneBlood, Inc., plaintiffs alleged the non‑profit failed to implement reasonable security measures. OneBlood denied wrongdoing, but both sides agreed to settle to avoid litigation. The settlement, preliminarily approved by a Florida court, offers class members a choice between reimbursement of up to US$2 500 in documented out‑of‑pocket losses or a US$60 cash payment, with a US$1 million cap covering legal fees, administration and payments. Claim forms are due Dec 4 2025 and objections or opt‑outs must be filed by Nov 9 2025. OneBlood has committed to security improvements and will share a confidential list of enhancements with class counsel.
Why it matters: This case illustrates that data‑breach litigation can persist for more than a year after an incident, leading to costly settlements even when the defendant denies wrongdoing.
Action items:
- Maintain detailed risk assessments and document security controls; plaintiffs often allege “failure to implement reasonable security measures.”
- When responding to ransomware attacks, proactively communicate with donors and plan members about the breach and maintain transparency to mitigate reputational harm.
- Review cyber‑insurance policies to understand coverage for class‑action settlements and legal fees.
Industry & Regulatory Updates
HIPAA reproductive‑health privacy rule appeal dismissed
On Sept 10 2025, the U.S. Court of Appeals for the Fifth Circuit dismissed the appeal filed by cities and doctors seeking to overturn a Texas district‑court order that vacated most of the 2024 HIPAA Privacy Rule provisions protecting reproductive‑health information. The Fifth Circuit granted the motion of the proposed intervenors (the cities of Columbus and Madison and Doctors for America) to withdraw their appeal; HHS had already opted not to appeal. As a result, the June 18 2025 district‑court decision vacating the rule stands, and only minor changes to the Notice of Privacy Practices (NPP) remain in effect. Covered entities must update their NPPs by Feb 16 2026 to describe how they will respond to requests for PHI related to reproductive health care, but the broader reproductive‑health privacy protections are no longer enforceable.
Implications for compliance:
- Do not rely on the vacated reproductive‑health rule for restricting disclosures; existing HIPAA standards apply.
- Update Notice of Privacy Practices to comply with the remaining NPP modifications by Feb 16 2026.
- Monitor HHS communications for future guidance; the agency may issue new proposals to address reproductive‑health privacy.
X12 releases 008060 versions of all HIPAA‑mandated implementation guides
On Sept 22 2025, standards body X12 announced that it has published 008060 versions of every implementation guide that HIPAA currently mandates at version 005010. These guides specify how to format electronic data interchange (EDI) transactions for claims, eligibility, remittances and more. X12’s announcement emphasises that users should review the updated guides using the Glass viewer and watch for future announcements. Minor user‑interface enhancements have been added to the Glass tool to improve navigation.
Implications for compliance:
- Begin reviewing the 008060 implementation guides and identify changes that will affect EDI interfaces and clearinghouse connections.
- Coordinate with IT and billing vendors to plan for testing and transition; historically, EDI version changes require long lead times.
- Follow X12 updates and CMS communications for timelines on adopting the 008060 versions (formal compliance deadlines have not yet been announced).
Flo Health, Google & Flurry agree to nearly $60 M privacy settlement
In a case unrelated to HIPAA but illustrative of broader health‑app privacy risks, fertility‑tracking app Flo Health, Google and ad‑tech provider Flurry agreed to a $59.5 million class‑action settlement over allegations that tracking technologies in the Flo app shared users’ sensitive reproductive‑health data without consent. Under the proposed settlement filed on Sept 19 2025, Google will pay US$48 million, Flo Health US$8 million and Flurry US$3.5 million. The case covers U.S. users of the Flo app between Nov 1 2016 and Feb 28 2019. Defendants deny wrongdoing but agreed to the settlement; Flo must display a prominent privacy notice in its app for one year. A court must still grant preliminary approval.
Implications for compliance:
- Although Flo is not a covered entity, the case underscores regulators’ and courts’ focus on how health‑related apps use trackers and share sensitive data.
- Review your organisation’s mobile apps and websites for third‑party tracking technologies; ensure HIPAA‑regulated data is not sent to marketing platforms without valid authorisation.
- Anticipate increased scrutiny of consumer‑health apps following recent Federal Trade Commission and state enforcement actions.
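As an added example for the “review your organisation’s mobile apps and websites for third‑party tracking technologies” item (not code from the newsletter, from Flo Health or from any regulator), the following Python script takes a page URL and its HTML and reports third‑party hosts loaded by script, img, iframe and link tags, plus hostnames referenced inside inline scripts, which is how tag‑manager snippets inject their loader. It matches against a watchlist of ad‑tech and analytics hosts and flags the page for review when the URL path looks patient‑facing. The watchlist, the path keywords, the sample page and the container ID in it are all constructed for illustration; maintain your own list from the vendors you actually contract with.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watchlist of common ad-tech / analytics hosts. Illustrative only;
# it is not an authoritative list and vendors change hostnames.
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "static.ads-twitter.com": "X/Twitter pixel",
}

# Constructed path keywords suggesting a page where visitors disclose health details.
SENSITIVE_PATH_HINTS = ("appointment", "patient", "portal", "symptom", "prescription")

_URL_IN_JS = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class _RefCollector(HTMLParser):
    """Collect (origin, url_or_host) pairs from tags and from inline script text."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.refs.append((tag, a["src"]))
        elif tag == "link" and a.get("href"):
            self.refs.append((tag, a["href"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as data; pull out any absolute URLs
        # so dynamically injected loaders are not missed by the tag scan.
        if self._in_script:
            for host in _URL_IN_JS.findall(data):
                self.refs.append(("inline-script", "https://" + host + "/"))


def _host(url):
    """Hostname of an absolute or protocol-relative URL; empty for relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).netloc.lower()


def find_trackers(page_url, html):
    """Return watchlisted third-party hosts referenced by the page, deduplicated."""
    collector = _RefCollector()
    collector.feed(html)
    first_party = _host(page_url)
    findings, seen = [], set()
    for origin, url in collector.refs:
        host = _host(url)
        if not host or host == first_party or (origin, host) in seen:
            continue
        vendor = TRACKER_HOSTS.get(host)
        if vendor:
            seen.add((origin, host))
            findings.append({"origin": origin, "host": host, "vendor": vendor})
    return findings


def is_sensitive_page(page_url):
    """Heuristic: does the URL path look like a patient-facing page?"""
    path = urlparse(page_url).path.lower()
    return any(hint in path for hint in SENSITIVE_PATH_HINTS)


def assess_page(page_url, html):
    trackers = find_trackers(page_url, html)
    sensitive = is_sensitive_page(page_url)
    return {"url": page_url, "sensitive": sensitive, "trackers": trackers,
            "needs_review": sensitive and bool(trackers)}


# Constructed sample page: a tag-manager loader inline, a first-party script, and a
# pixel loaded by tag. The container ID is a placeholder.
SAMPLE_URL = "https://clinic.example/patient-portal/appointments"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>
<script src="/static/app.js"></script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><h1>Book an appointment</h1></body></html>"""

if __name__ == "__main__":
    print(assess_page(SAMPLE_URL, SAMPLE_HTML))
```

Static HTML review is only the first pass: a tag manager can load further vendors at runtime that never appear in the page source, so pair this with a capture of the outbound requests a real browser makes on the same pages.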
Compliance & Risk‑Management Insights
- Inventory exposures beyond core clinical systems: The Archer Health case demonstrates that screenshots of dashboards and scheduling tools can inadvertently expose PHI. Maintain an inventory of all systems and logs that may contain ePHI and ensure they are protected.
- Ransomware prevention and response: Several incidents this week involve ransomware or extortion groups. Review endpoint security, network segmentation and offline backups. Establish relationships with incident‑response firms in advance, and rehearse communications with regulators, patients and the media.
- Vendor management and contract language: When using vendors for mailings, data storage or analytics, incorporate contractual requirements for security measures, breach notification and indemnification. The AHCCCS mis‑mailing highlights the risk of vendor errors.
- Monitor regulatory developments: Although the reproductive‑health privacy rule has been vacated, the Fifth Circuit dismissal leaves open the possibility of future rulemaking. Continue to track HHS announcements and update privacy practices accordingly.
Closing Thoughts
This week’s news reinforces that HIPAA compliance is dynamic. Exposed databases, phishing attacks, ransomware and mis‑mailings all reveal different facets of the same challenge: protecting personal and health information in an increasingly complex ecosystem. The stories above underscore the importance of robust risk analyses, continuous employee training, vigilant vendor oversight and staying attuned to evolving regulatory requirements.
As your trusted partner, Hale Consulting Solutions will continue to monitor developments and provide actionable insights to help you navigate the evolving landscape.