Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has confirmed that the long-awaited third phase of its HIPAA compliance audits is underway and will involve HIPAA compliance audits of 50 covered entities and business associates. OCR's workload has increased considerably, yet its budget has remained flat.
HENDERSON, NV – November 2024 – MEDVA, a pioneering leader in healthcare virtual staffing solutions, has been awarded Healthcare Virtual Assistant Company of the Year 2024 by Healthcare Business Review (HBR). healthcare protocols.
Medical Express Ambulance Service has announced a March 2024 data breach that has affected more than 118,000 individuals. The security breach was identified on March 18, 2024, when network disruption was experienced that affected the functionality of certain systems. The information of 14,081 individuals was stolen in the attack.
One of the objectives of the HIPAA Journal 2024/25 Annual Survey was to obtain insights into HIPAA compliance best practices. If finalized, the proposals will not only become standards required for HIPAA compliance, but may also be adopted by CMS as conditions for participation in Medicare and Medicaid.
On or around September 11, 2024, suspicious activity was identified in an employee email account. Third-party digital forensics specialists were engaged to investigate the activity and confirmed that an unauthorized third party had gained access to several employee email accounts from August 19, 2024, to September 25, 2024.
Biggest Healthcare Data Breaches in March 2024 18 data breaches were reported in March that involved the protected health information of 10,000 or more individuals, all of which were hacking incidents. Geographical Distribution of Healthcare Data Breaches In March, data breaches were reported by HIPAA-regulated entities in 33 U.S.
The email account was secured the same day, and the forensic investigation confirmed the account was compromised from December 2 to December 4, 2024. This breach also involved a compromised email account and was detected by Restorix on May 30, 2024. Restorix sent notification letters to the affected patients on December 18, 2024.
On August 6, 2024, a member of staff at SSM Health's St. The post Cybersecurity Firm CEO Charged with Installing Malware on a Hospital Computer appeared first on The HIPAA Journal. The CEO of an Edmond, OK-based cybersecurity firm has been accused of intentionally installing malware at an Oklahoma City hospital.
Suspicious activity was identified within its computer systems on April 11, 2024. The invitations were circulated on September 3, 2024, October 3, 2024, November 7, 2024, and/or December 30, 2024. The post Cyberattack on Sunflower Medical Group Affects 221,000 Patients appeared first on The HIPAA Journal.
On or around July 6, 2024, an unauthorized third party accessed the network and viewed or acquired individuals' protected health information. The affected data was reviewed, and that process was completed on March 6, 2025. Suspicious activity was identified in a single computer on November 20, 2024.
The Sunflower Medical Group data breach occurred on December 15, 2024, but was not discovered for more than three weeks. The post Sunflower Medical Group Sued Over 221,000-Record Data Breach appeared first on The HIPAA Journal. Sunflower Medical Group is a private multi-specialty medical practice with four locations in Kansas.
doing business as Vitruvian Health in Georgia and Tennessee, and Erlanger Health in Tennessee, have been affected by a cyberattack on its debt collection vendor, Nationwide Recovery Service. Suspicious activity was identified within the Nationwide Recovery Service network on July 11, 2024.
On May 1, 2024, the 2024 Verizon Data Breach Investigations Report (DBIR) was released, which this year involved an analysis of a record number of security incidents (30,458), and more than double the number of confirmed data breaches as last year (10,626). Top causes of non-error, non-misuse data breaches.
Hillcrest Convalescent Center Hillcrest Convalescent Center in Durham, North Carolina has notified 106,194 individuals about a data security incident identified on June 27, 2024. Notification letters were mailed to all affected individuals on March 3, 2024. The Hillcrest incident involved the data of 106,194 individuals.
In April 2024, Kentucky joined the growing number of states that have adopted comprehensive consumer privacy and data protection laws. The Kentucky Consumer Data Protection Act was signed into law on April 4, 2024, and is due to take effect on January 1, 2026. 8 164.514(e).
Access TeleCare, Texas The Dallas, TX-based acute and specialty telemedicine provider Access TeleCare identified unauthorized access to an employee's email account on January 8, 2024. On or around November 18, 2024, suspicious activity was identified in an employee email account.
The use of ransomware in cyberattacks decreased slightly in the first half of the year; however, the severity of ransomware attacks increased according to the 2024 Cyber Claims Report: Mid-Year Update from cyber insurance and security service provider Coalition.
The HIPAA Journal has compiled healthcare data breach statistics from October 2009, when the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) started publishing summaries of healthcare data breaches on its website. CO Business Associate 14,782,887 Hacking/IT Incident 4 2024 Kaiser Foundation Health Plan, Inc.
Palomar Health Medical Group has warned patients that they may have been affected by an April 2024 cyberattack, and DaVita has learned that tracking tools on its website and mobile app may have sent user data to third-party vendors. DaVita Notifies Patients About Tracking Technology Privacy Incident DaVita Inc.,
In 2024, the NIH Office of Strategic Coordination launched the Replication to Enhance Research Impact Initiative. For example, the Feinstein Institute for Medical Research settled HIPAA violations for $3.9 When data are used, most analyses are not reproducible.
OrthoMinds, an Alpharetta, Georgia-based provider of orthodontic practice management software, has recently announced a November 2024 security incident that potentially resulted in unauthorized access to patients' protected health information.
Tennessee implemented a very similar law in 2024, and a handful of states have implemented data breach safe harbor laws to limit the costs arising from data breaches. The shield law does not offer protection against regulatory lawsuits, such as those seeking penalties for HIPAA violations.
This is the largest healthcare data breach to be reported so far in 2024 and the largest confirmed healthcare data breach to date involving website tracking technologies. Notifications are expected to be issued in May 2024. Million Individuals appeared first on HIPAA Journal. Kaiser Permanente Health Plan Inc. is notifying 13.4
Last week, the Department of Health and Human Services (HHS) and the National Institute for Standards and Technology (NIST) hosted the Safeguarding Health Information: Building Assurance Through HIPAA Security 2024 conference after a 5-year absence. It is one of the most common reasons for individuals filing complaints with OCR.
The Office for Civil Rights imposed 13 financial penalties on HIPAA-regulated entities, including two financial penalties of more than $1 million. State Attorneys General have also been actively enforcing HIPAA compliance, with 15 investigations leading to financial penalties, including a $49.5 million settlement with Blackbaud.
In late October 2024, an unidentified individual stole the mobile phone of a Roswell Park employee. The intrusion was detected on January 13, 2025, and the investigation confirmed that an unauthorized third party had access to its network between December 8, 2024, and January 11, 2025. Topy America Topy America Inc.,
Gaia Software has disclosed details of a February 2024 cyberattack, Pinnacle Orthopaedics & Sports Medicine Specialists are investigating an April 2024 cyberattack, and OB GYN Specialists of Lima have discovered the improper disposal of patient data.
On February 16, 2024, Continuum announced on its website that it was investigating the incident while the investigation was ongoing. The file review was completed on March 8, 2024, when it was confirmed that the exposed data included patients’ names and Social Security numbers.
On January 22, 2024, DRS identified suspicious activity within its network. On March 8, 2024, after a time-consuming and detailed review of the files, DRS confirmed that they contained the personal and protected health information of current and former patients of its healthcare clients.
of all data breaches in 2024 originated from third-party compromises, up 6.5% In 2023, 75% of third-party breaches involved technology products; however, in 2024, threat actors diversified, with only 46.75% of breaches involving technology products. According to a recent report from SecurityScorecard, at least 35.5%
Mystic Valley Elder Services, a Malden, Massachusetts-based non-profit agency providing home and community-based care to elders and adults living with disabilities, has started issuing individual notifications about a cyberattack and data breach that was identified on April 5, 2024.
Microsoft launched its Cybersecurity for Rural Hospitals Program in June 2024 to help address the problem. The post Almost One-Third of Rural Hospitals Benefiting from Microsoft's Cybersecurity for Rural Hospitals Program appeared first on The HIPAA Journal.
CareFirst BlueCross BlueShield has filed a lawsuit against Change Healthcare in response to the February 2024 ransomware attack that caused extensive disruption to Change Healthcare's services. CareFirst BlueCross BlueShield provides health plans to 3.5 million individuals and groups in Maryland and the Washington D.C.
The review of the affected files was not completed until June 13, 2024. Call 4 Health Issues Notifications About March 2024 Cyberattack Call 4 Health, Inc., Unauthorized network access was detected on May 6, 2024, and immediate action was taken to prevent further unauthorized access.
Suspicious network activity was identified on March 27, 2024, and third-party cybersecurity specialists were engaged to investigate the activity. The group says it has given the hospital until July 8, 2024, to pay the ransom demand and will leak the stolen data if payment is not made.
Altered mental status, unspecified (R41.82) is a billable ICD-10 diagnostic code under HIPAA regulations from October 1, 2020, to September 30, 2021. ICD-10 Code for Altered Mental Status In this blog post, Valant discusses the ICD-10 code for Altered Mental Status. Check out the 2023 ICD-10 updates here. Clinicians should only use the R41.82
The breach was detected on March 25, 2024, and immediate action was taken to prevent further unauthorized access. An investigation was launched which determined that between November 2, 2023, and March 29, 2024, the vendor accessed and downloaded information from a Kairos database.
Providence Mission Heritage Endocrinology In May 2024, Providence Mission Heritage Endocrinology in Mission Viejo, CA, discovered an insider breach that involved unauthorized access to clinical records. The first instance occurred on December 15, 2020, and it continued until May 15, 2024.
The Lebanon, TN-based eye clinic chain said it detected unauthorized access to its network on March 25, 2024. OPMT said, “Even though it is not specifically required by HIPAA, we will offer identity theft protection services to all affected individuals; we feel that this is an important precaution to protect our patients.”
A Seattle, WA, plastic surgery practice has been ordered to pay a financial penalty of $5 million to the Office of the Washington Attorney General to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), Washington Consumer Protection Act (CPA), and the federal Consumer Review Fairness Act (CRFA).
Any individual who wishes to object to or be excluded from the settlement must do so by June 18, 2024, and all claims must be submitted by the same date. The settlement has received preliminary approval from the court and the final settlement hearing is scheduled for August 22, 2024.
According to the notification letters mailed to the affected individuals in April 2024, a cyberattack was detected on June 6, 2023, when its network was disrupted. It took more than 10 months (April 10, 2024) to determine the types of information involved and the number of individuals affected.
The forensic investigation confirmed unauthorized network access between November 24, 2024, and January 20, 2025, during which time the threat actor viewed or copied information from its network. The post Healthcare Data Breaches Reported in Georgia, Washington & New Hampshire appeared first on The HIPAA Journal.