I recently asked #HHS #OCR how any personnel and regional cuts would affect their investigation of breaches of the #HIPAA #SecurityRule and #Notification Rule.

They didn't exactly answer my question as to how many investigators have been laid off, but they did outline their priorities for 2026.

You can read their response to my inquiries in my new post at:

https://databreaches.net/2026/01/15/hhs-ocr-comments-on-its-2026-priorities/

#databreach #healthsec #cybersecurity #ransomware #hacking #risk

HHS OCR comments on its 2026 priorities – DataBreaches.Net

In a recent interview with Rachel Klugman Seeger of North Country Communications, she raised the question of how the current administration's closures of six HH

DataBreaches.Net

Methodist Homes of Alabama and Northwest Florida is notifying residents and employees of its second data breach in seven months.

I wonder what #HHSOCR will do when they investigate.

https://databreaches.net/2026/01/08/methodist-homes-of-alabama-and-northwest-florida-is-notifying-residents-and-employees-of-its-second-data-breach-in-seven-months/

#HIPAA #SecurityRule #RiskAssessment #cybersecurity #healthsec

On January 6, Methodist Homes of Alabama and Northwest Florida ('Methodist Homes') reported that a compromised employee email account had been accessed between

The second part of my interview with Rachel Seeger of North Country Communications is now online. If you know any HIPAA-regulated SMBs struggling with compliance issues or seeking great information and advice, point them to Rachel's consultancy.

HIPAA Compliance and Breach Communications: Helpful Tips for SMBs:
https://databreaches.net/2026/01/06/hipaa-compliance-and-breach-communications-helpful-tips-for-smbs/

or download a copy of the interview:
https://databreaches.net/wp-content/uploads/HIPAA-Compliance-and-Breach-Communications.pdf

Direct link to North Country Communications: https://northcountrycommunications.com/

#HIPAA #compliance #BreachNotification #PrivacyRule #SecurityRule #BusinessAssociates

Published by DataBreaches.net in collaboration with North Country Communications, LLC. January 6, 2026 On December 15, North Country Communications launched a

Jackson Health System has disclosed another insider-wrongdoing breach. This one affected about 2000 patients. The employee's motivation was reportedly related to boosting their personal healthcare business.

In their notice, JHS tries to portray themselves as a victim. That didn't go over too well with me, as this is not the first time they have had a long-running insider wrongdoing breach.

In 2019, they settled HHS OCR charges after three breaches -- one of which involved insider wrongdoing over 5 years that affected 24k patients. There was no corrective action plan as part of the settlement. Perhaps there should have been?

Read more:
https://databreaches.net/2025/06/07/data-breach-of-patient-info-ends-in-firing-of-miami-hospital-employee/

#databreach #healthsec #insiderthreat #HIPAA #SecurityRule #insiderwrongdoing

HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan

[It's an insider wrongdoing case from 2018 that we never heard about at the time]

https://databreaches.net/2025/05/29/hhs-ocr-settles-hipaa-security-rule-investigation-baycare-health-system-for-800k-and-corrective-action-plan/

#HIPAA #SecurityRule #InsiderThreat #HHS #HHSOCR #BayCare

Great thanks to @adamshostack for getting people together to think about this issue and to make recommendations to #HHS under the #HIPAA Security Rule.

https://shostack.org/blog/security-researcher-comment-on-hipaa-security-rules/

Direct link to comments to HHS by @adamshostack, @dykstra, Fred Jennings, Chloé Messdaghi, and me:

https://downloads.regulations.gov/HHS-OCR-2024-0020-4673/attachment_1.pdf

#GoodFaith #SecurityRule #ResponsibleDisclosure #VDP

Shostack + Friends Blog > Security Researcher Comments on HIPAA Security Rule

A group of us have urged HHS to require better handling of security reports