Methodist Homes of Alabama and Northwest Florida is notifying residents and employees of its second data breach in seven months.

I wonder what #HHSOCR will do when they investigate.

https://databreaches.net/2026/01/08/methodist-homes-of-alabama-and-northwest-florida-is-notifying-residents-and-employees-of-its-second-data-breach-in-seven-months/

#HIPAA #SecurityRule #RiskAssessment #cybersecurity #healthsec

HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan

[It's an insider wrongdoing case from 2018 that we never heard about at the time]

https://databreaches.net/2025/05/29/hhs-ocr-settles-hipaa-security-rule-investigation-baycare-health-system-for-800k-and-corrective-action-plan/

#HIPAA #SecurityRule #InsiderThreat #HHS #HHSOCR #BayCare

The Office of Civil Rights in the Department of Health and Human Services (HHS/OCR) used to do a fairly good job of protecting patient's sensitive information. They did this by enforcing the HIPAA security rules and penalties for non-compliance included fines, mandatory compliance programs, and CEO liability.

No longer.

HHS/OCR has now been weaponized to enforce anti-DEI initiatives of the current administration. Here is the recent headline from HHS/OCR:

"OCR Investigates a Major Medical School in California for Reportedly Prioritizing Discriminatory Race-Based Criteria over Academic Merit"

Right. What nonsense. Welcome aboard - your pilot is Dangerous and your Co-pilot is Stupid. Have a good flight.

This will not be good.

#HIPAA #HHS #HHSOCR

Breach notifications needed to be made faster in 2024. Instead, they were made more slowly.

Some findings from #Bluesight 2025 Breach Barometer report plus additional observations and my frustration with #HHSOCR for not enforcing the notification requirements in #HIPAA and #HITECH.

https://databreaches.net/2025/03/13/breach-notifications-needed-to-be-made-faster-in-2024-instead-they-were-made-more-slowly/

#databreach

So... apart from the fact that I don't think they should have dropped charges against this doctor, is HHS going to investigate why the hospital gave access to patient data to a former employee/resident who no longer worked there and was never these patients' doctor?

US Justice Department drops case against Texas doctor charged with leaking transgender care data:
https://www.wfaa.com/article/news/local/us-justice-department-drops-case-against-doctor-charged-with-leaking-transgender-care-data/287-3e8a394d-41fb-41bf-bf72-fd012b87851b

#HealthSec #HIPAA #SecurityRule #databreach #privacy #confidentiality #insiderthreat #HHS #HHSOCR

HHS OCR settles charges that Inmediata Health Group was exposing patient protected health info online for 3 years due to a webpage error.

Inmediata previously settled a class action lawsuit stemming from the 2016-2019 leak. They also settled a lawsuit by 33 state attorneys general last year. The HHS OCR settlement was for $250k monetary penalty; no corrective action plan was needed since the states' settlement already included a corrective action plan.

Direct link to the resolution agreement:

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/inmediata-health-group-ra-cap/index.html

Press release: https://www.hhs.gov/about/news/2024/12/10/hhs-office-civil-rights-settles-health-care-clearinghouse-inmediata-health-group-hipaa-impermissible-disclosure.html

Inmediata even had trouble with their incident response, as noted on my blog at the time: https://databreaches.net/2019/04/30/in-the-process-of-notifying-patients-of-a-web-exposure-breach-inmediata-experiences-a-mail-exposure-breach/

#HIPAA #HHSOCR #SecurityRule #Exposure #Databreach #dataleak #healthsec #Infosecurity

#HHSOCR announced a $1.19M monetary penalty for Gulf Coast Pain Consultants stemming from a 2019 #databreach. Now we find out that the "third party" that accessed the data was a former contractor.

The covered entity got hit with a fine for failure to:

• conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;
• implement procedures to regularly review records of activity in information systems;
• implement procedures to terminate former workforce members’ access to ePHI; and
• implement procedures for establishing and modifying workforce members’ access to information systems.

https://databreaches.net/2024/12/03/hhs-office-for-civil-rights-imposes-a-1-19-million-penalty-against-gulf-coast-pain-consultants-for-hipaa-security-rule-violations/

#HIPAA #HealthSec #SecurityRule #InsiderThreat #Access

Still in the dark: A “500 marker” on HHS's public breach tool is updated, but too many still aren’t. Is HHS doing anything about this??

Spoiler alert: They don't seem to be.

https://databreaches.net/2024/11/08/still-in-the-dark-a-500-marker-is-updated-but-too-many-still-arent-is-hhs-doing-anything-about-this/

#HIPAA #HITECH #HealthSec #HHSOCR #HHS #OCR #Transparency #Accountability #Enforcement #databreach #cybersecurity #infosec

HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation under HIPAA Security Rule for $250,000 - September 26, 2024

https://www.hhs.gov/about/news/2024/09/26/hhs-office-civil-rights-settles-ransomware-cybersecurity-investigation-under-hipaa-security-rule-250-000.html

This stemmed from a March 2017 #ransomware attack and #databreach affecting Cascade Eye & Skin Centers in WA. #HHSOCR became aware of it in May 2017.

Why did it take 7+ years to resolve this?

And btw, I never knew about this breach and even now, cannot find any major media coverage or disclosure of it at the time. And it never showed up on HHS's public breach tool during all this time. Why didn't it show up if it affected 291,000?

This is HHSOCR's 4th ransomware-related investigation under the #HIPAA Security Rule.

@brett @campuscodi

HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million:

https://www.hhs.gov/about/news/2024/02/06/hhs-office-civil-rights-settles-malicious-insider-cybersecurity-investigation.html

Another #HIPAA #SecurityRule #enforcement action but this was from an #insider wrongdoing #databreach that police notified the center about in 2015. The theft occurred in 2013. Why is #HHSOCR first settling this NOW?

#IDtheft #fraud