HIPAA Enforcement News

Proliance Surgeons has agreed to a $4,450,000 settlement to resolve consolidated class action litigation stemming from a February 2023 ransomware attack and data breach affecting 437,392 individuals. The settlement was filed in the Superior Court of the State of Washington in and for King County under the case name In re: Proliance Surgeons Data Breach … Read more

Aflac Incorporated has reported a data breach that compromised the protected health information of at least 13.9 million individuals. Incident Overview Health insurance company Aflac Incorporated updated its data breach report indicating that at least 13.9 million individuals’ protected health information were affected. The initial data breach report had a place holder of 500 affected … Read more

The healthcare technology provider, Veradigm Inc. (earlier known as Allscripts), agreed to settle a class action litigation that was filed because of a 2024 data breach that affected sensitive patient data. The HIPAA-covered organization based in Illinois offers software programs to healthcare companies, such as electronic medical record software program and practice management software. In … Read more

Penalties for HIPAA Regulation Violations in 2026 In 2019, HIPAA had changes associated with enforcement action. OCR published a Notice of Enforcement Discretion following the reinterpretation of HITECH Act requirements involving penalties for HIPAA non-compliance. The HITECH Act required higher penalties for HIPAA Rules non-compliance. Back then, the HHS viewed the terms of the HITECH … Read more

Memorial Hospital and Manor located in Bainbridge, Georgia, suffered a ransomware attack and data breach in November 2024. As a result, class action lawsuits were filed against the hospital. On November 2, 2024, the rural hospital discovered the ransomware attack and prevented access to its EMR system, website, and email account. The following day, the … Read more

Willis-Knighton Medical Center agreed to settle a class action lawsuit, which was prompted by the use of tracking codes on its website. Willis-Knighton Medical Center dealt with multiple lawsuits, which claimed that the health system permitted unauthorized transfers of personally identifiable, private data to third parties like Facebook and Google. The lawsuits were consolidated as … Read more

Reid Hospital & Health Care Services, Inc., also known as Reid Health, in Richmond, Indiana, has made the decision to settle the class action lawsuit linked to the claimed usage of Meta Pixel and other tracking codes on its website. Based on the Jane Doe v. Reid Health litigation, registered in Wayne County Superior Court, … Read more

Healthplex, a notable dental health insurance program provider in New York, consented to settle with the New York Department of Financial Services (NYDFS) regarding alleged NYDFS Cybersecurity Regulation violations. Healthplex is going to pay $2 million as a financial penalty and implement measures to enhance its cybersecurity. The Cybersecurity Regulation was introduced in 2017 and … Read more

On July 8, 2025, HHS Secretary Robert F. Kennedy Jr. mentioned the declaration of a Public Health Emergency in Texas due to severe storms, flooding, and straight-line winds starting July 2, 2025. The HHS Secretary also reported a limited waiver of HIPAA sanctions and penalties for HIPAA-covered hospitals in some Texas locations under the PHE … Read more

Google LLC in California is facing a lawsuit with allegations that the tech company illegally obtained personal health information (PHI) through tracking codes installed on healthcare organizations’ websites. Google filed a motion to dismiss, but the court rejected the request, and so most of the claims were permitted to move forward. Google’s tracking technology consists … Read more

The City of Oakland, located in California, has decided to resolve a lawsuit due to a ransomware attack and data security breach that impacted over 13,000 present and past employees. The City discovered the attack in February 2023, and sent breach notification letters to the impacted employees at the beginning of March 2023. The Play … Read more

INFINITT Healthcare discovered three vulnerabilities in its INFINITT PACS. There was a high-severity vulnerability with publicly accessible exploits. CISA’s alert states that a threat actor can exploit the vulnerabilities even in a low-level attack. Vulnerability CVE-2025-27721 is a high-severity vulnerability. An unauthorized user who successfully exploits the vulnerability would be able to access the system … Read more

Columbus Regional Healthcare has decided to pay $1,175,000 to settle litigation associated with a data breach in May 2023. The breach was discovered on May 21, 2023, and based on forensic investigation, hackers got access to areas of its system from May 19, 2023 to May 21, 2024, which included systems containing the personal data … Read more

Virtual mental health service provider Brightline is to pay $7 million to settle a lawsuit associated with a hacking incident involving the Clop threat group in 2023 that led to the stealing of the protected health information (PHI) of about 1 million people. The Clop threat group stole data from 130 companies in January 2023 … Read more

Hapy Bear Surgery Center is facing a class action lawsuit over a December 2023 ransomware attack but it settled for a sum of money that is undisclosed. The pediatric dental clinic in Tulare, California discovered the cyberattack on or about December 27, 2024, and reported on March 19, 2024 the potential access or theft of … Read more

On December 16, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published a draft of the revised National Cyber Incident Response Plan (NCIRP) in the Federal Register. Feedback on the draft is needed and will be accepted on or before January 15, 2025. First published in 2016, the NCIRP is a national strategic plan for … Read more

Oak Valley Hospital faced a lawsuit due to a security incident 2023 wherein patient data was accessed without authorization. The hospital discovered the breach on July 18, 2023, but the attackers initially acquired access to its system 3 months earlier on April 21, 2023. Data likely stolen contained names, medical insurance details, Social Security numbers, … Read more

Final approval for a $1.85 million settlement of a class action data breach lawsuit against East River Medical Imaging is due on October 22, 2024. Individuals affected by the breach of this New York radiology group can submit a claim until October 22, 2024, 2:30 PM EDT. East River Medical Imaging detected a security breach … Read more

St. Croix Regional Medical Center in Wisconsin has proposed to pay $225,000 to resolve a lawsuit filed by people claiming they were charged excessive fees for accessing their medical records. The lawsuit, Stadler v. St. Croix Regional Medical Center Inc., alleges that the medical center charged patients and authorized individuals, such as attorneys, more than … Read more

Prospect Medical Holdings is facing a lawsuit associated with a 2023 Rhysida ransomware attack that held up to a motion to dismiss, although a few of the claims were dropped. At the beginning of August 2023, Prospect Medical Holdings discovered unauthorized access to its network. The investigation revealed that an unauthorized third party had accessed … Read more

The H1 Data Breach Analysis recently published by the Identity Theft Resource Center revealed that the number of victims of data breaches significantly increased for the first half of 2024. The number of publicly reported breaches (1,571) with over 1 billion victims is higher by 14% from the first half of 2023. The size of … Read more