No need to hack when it’s leaking: Atrium Health edition:
https://databreaches.net/2025/04/24/no-need-to-hack-when-its-leaking-atrium-health-edition/
16 months after they experienced a ransomware attack, Dameron Hospital notifies those affected:
Great thanks to @adamshostack for getting people together to think about this issue and to make recommendations to #HHS under the #HIPAA Security Rule.
https://shostack.org/blog/security-researcher-comment-on-hipaa-security-rules/
Direct link to comments to HHS by @adamshostack, @dykstra, Fred Jennings, Chloé Messdaghi, and me:
https://downloads.regulations.gov/HHS-OCR-2024-0020-4673/attachment_1.pdf
So... apart from the fact that I don't think they should have dropped charges against this doctor, is HHS going to investigate why the hospital gave access to patient data to a former employee/resident who no longer worked there and was never these patients' doctor?
US Justice Department drops case against Texas doctor charged with leaking transgender care data:
https://www.wfaa.com/article/news/local/us-justice-department-drops-case-against-doctor-charged-with-leaking-transgender-care-data/287-3e8a394d-41fb-41bf-bf72-fd012b87851b
@froge I agree. If this is just the beginning of a new campaign that addresses timely notification too. They have announced the campaign on risk assessment already and have already announced a few settlements over that. But there's been no formal announcement or press release about any campaign specifically targeting timely notification.
I haven't finished up our 2024 gap analyses between discovery of breaches and notifications, but too many do not or cannot comply with the regulation. And then there are all the entities that don't even report their breaches at all, and I wonder how we will get HHS OCR to address that unless I send them a massive watchdog complaint that lists about 150 regulated entities that didn't disclose breaches this past year when it appears that they did have reportable breaches.
Anyone else think that the HHS OCR monetary penalty imposed on Solara Medical was too steep? $3M is one of the steepest monetary penalties HHS OCR has imposed.
I'm glad to see enforcement of the timely notification requirement, but so many entities have blown the risk assessment requirement and the 60 day notification regulations so why is Solara being hit with such a stiff penalty?
Westend Dental agrees to pay Indiana $350K and to implement a corrective action plan to settle charges of multiple HIPAA violations.
This is one of THE WORST incident responses I have ever read and I've read a lot of bad ones over the years. But it's not just an incident response disaster. They were routinely violating HIPAA privacy and security rules.
Kudos to the state of Indiana for going after the dental practice and investigating to find out all the problems.
Don't ask me what HHS OCR did, because I don't think they were ever even told about this 2020 ransomware attack.
Read more here, where you will also find the court filings I've uploaded so you can read how bad this one was:
#ransomware #compliance #HIPAA #healthsec #encryption #backup #PrivacyRule #SecurityRule #transparency #disclosure #notification
HHS OCR settles charges that Inmediata Health Group was exposing patient protected health info online for 3 years due to a webpage error.
Inmediata previously settled a class action lawsuit stemming from the 2016-2019 leak. They also settled a lawsuit by 33 state attorneys general last year. The HHS OCR settlement was for $250k monetary penalty; no corrective action plan was needed since the states' settlement already included a corrective action plan.
Direct link to the resolution agreement:
Inmediata even had trouble with their incident response, as noted on my blog at the time: https://databreaches.net/2019/04/30/in-the-process-of-notifying-patients-of-a-web-exposure-breach-inmediata-experiences-a-mail-exposure-breach/
#HHSOCR announced a $1.19M monetary penalty for Gulf Coast Pain Consultants stemming from a 2019 #databreach. Now we find out that the "third party" that accessed the data was a former contractor.
The covered entity got hit with a fine for failure to:
An announcement from HHS OCR:
"In recognition of National Cybersecurity Awareness Month, OCR has produced a new video this October to provide awareness and education for organizations covered under the HIPAA Rules on ransomware and how compliance with the HIPAA Security Rule can help such organizations combat ransomware.
This video updates the health care industry on the ransomware trends OCR sees in its cybersecurity investigations, OCR guidance and resources, best practices and practical advice on how HIPAA compliance can help HIPAA regulated entities prevent, detect, respond to, and recover from ransomware attacks. Topics include:
The video presentation may be found on OCR’s YouTube channel at: https://www.youtube.com/watch?v=nBKUlAy1OFA
In August 2023, El Centro Del Barrio ("CentroMed") reported a breach that affected 350,000 patients. Now they have reported a second #databreach. This one reportedly affected 400,000 patients.
The first breach was claimed by Karakurt, who does not seem to have ever leaked the data they claimed to have acquired. The second breach hasn't been claimed by any group -- at least, not yet.
So... will about 350,000 patients find their data has been stolen a second time in a year?
Not a good look for #CentroMed
https://databreaches.net/2024/05/21/tx-centromed-discloses-a-second-data-breach-within-one-year/