
Hello everyone,
Several notable privacy and security events emerged over the past week. The points below summarise the top developments affecting HIPAA‑covered entities and business associates.
Data‑breach notices
Teamsters Union 25 HSIP breach
The multi‑employer health plan discovered unauthorised activity in its network on August 1 and completed its review by August 18. Notices are now being sent to members whose names, Social Security numbers, member IDs, health information and insurance details may have been copied.
Woodlawn Hospital incident
Indiana‑based Woodlawn Hospital disclosed that hackers accessed and copied files from its network between June 25 and June 30, 2025. The compromised files could contain names, addresses, dates of birth, Social Security numbers, driver’s‑licence or state‑ID numbers, health‑insurance details and certain medical information. Affected individuals will be notified once the review concludes.
Tufts Medicine report
On August 26 the Massachusetts health system reported a breach to state regulators. While details are limited, the notification states that Social Security numbers, financial‑account information and driver’s licences may have been exposed.
Greater Pittsburgh Orthopaedic Associates ransomware claim
Ransomware gang RansomHouse claimed on August 20 to have stolen data from the Pittsburgh surgical practice. Attorneys are investigating the alleged breach and seeking input from current and former patients.
Regulatory updates
Florida proposes strict breach‑reporting rules
The Florida Agency for Health Care Administration has drafted rules requiring licensed providers to report any information‑technology incident—not just breaches of protected health information—to the agency within 24 hours. Providers would also have to maintain a written continuity plan that includes on‑site and off‑site data backups and verifies that backed‑up systems can be restored. The proposed rules apply broadly to hospitals, nursing homes, ambulatory surgery centres and other facilities and will be discussed at a public meeting on September 17.
OCR clarifies HIPAA disclosures and access rights
The U.S. Office for Civil Rights published new guidance explaining that covered entities may disclose protected health information to another provider involved in a value‑based care arrangement without first obtaining patient authorisation. An updated FAQ also confirms that consent forms for treatment are among the records individuals are entitled to access under the HIPAA Privacy Rule.
Litigation and enforcement
Verdict against Meta under California privacy law
A federal jury found that Meta unlawfully collected sensitive health data via the Flo menstrual‑tracking app, violating the California Invasion of Privacy Act. Meta argues that its tools merely provide code and that app developers agreed not to transmit sensitive information.
Telecom fines upheld
The D.C. Circuit Court of Appeals upheld $92 million in Federal Communications Commission fines against T‑Mobile and Sprint for selling customers’ location data. The court noted that the carriers voluntarily paid the fines and therefore waived their right to a jury trial.
Breach‑notification rules affirmed
The Sixth Circuit upheld the FCC’s 2024 data‑breach notification rules for telecommunications carriers. The rules expand the definition of breach to include inadvertent access or disclosure of personal information and require notification of law enforcement and the FCC when a breach affects more than 500 individuals.
Closing thoughts
Across the United States, regulators and courts continue to emphasise prompt breach reporting, comprehensive incident‑response planning and transparent use of tracking technologies. For compliance teams, the takeaways from this week’s news are to:
- Review vendor contracts and incident‑response plans to ensure notices go out quickly after any security incident.
- Develop and test business‑continuity plans that include verifiable backups and restoration procedures.
- Monitor state‑level regulatory proposals—such as Florida’s AHCA rules—to anticipate new obligations.
- Keep abreast of privacy‑related litigation involving health‑tracking technologies and third‑party analytics.
Have a secure week!