HIPAA Pulse moved to hipaapulse.com. This page is HIPAA Response — what to do about each story.
See responsesPatient Protect · HIPAA Response
Live66
Total incidents tracked
1,453
Active responses
56
Update cadence
Hourly
HIPAA Responseis the technical-enablement layer of HIPAA Pulse’s reporting. Every breach the publication covers, every OCR enforcement action, every regulatory development — paired with the controls, configurations, and platform actions your practice needs to do something about it.
Patient Protect Synopsis
This briefing highlights a continued wave of data breaches, with several incidents involving insider threats, misconfigured systems, and sophisticated cybercriminal operations targeting healthcare adjacent organizations. Significant legal precedents are being set regarding vendor liability in data breaches, increasing scrutiny on third-party risk management. The rapid adoption of AI in healthcare, while offering efficiency benefits, presents new challenges in terms of data privacy, patient expectations, and cybersecurity, necessitating careful implementation and ethical considerations.
By Patient Protect Research · Synthesized from HIPAA Pulse coverage · AI-assisted, editor reviewed
The ruling in J.M. v. Illuminate Education, Inc. indicates a growing legal precedent where edtech and potentially other healthcare vendors can be held liable for data breaches, emphasizing the critical need for robust…
Incidents such as hospital workers inappropriately accessing patient details in the UK and a law firm's repeated exposure of data due to a misconfigured Amazon bucket underscore the persistent risk posed by insider…
Cybercriminals are employing more advanced techniques like vishing for extortion (BlackFile), exploiting zero-day vulnerabilities in critical infrastructure like Cisco SD-WAN, and utilizing cyber-enabled cargo crime…
Healthcare organizations must meticulously vet all vendors and business associates for their security postures, review contracts for data breach liability clauses, and implement continuous monitoring of third-party…
Implement stricter access controls, conduct regular audits of user access logs, and provide ongoing, targeted training to staff on HIPAA compliance, data handling, and the dangers of misconfigured systems to prevent…
Given the rise of sophisticated vishing extortion, zero-day exploits, and cyber-enabled cargo crime, healthcare organizations should regularly update their incident response plans, invest in advanced threat detection…
The Response Desk
May 13
OpenLoop Health, a telehealth platform serving independent practices and health systems, disclosed a January 2025 breach that exposed personal data belonging to roughly 716,000 individuals.
Thousands of DICOM medical imaging servers belonging to hundreds of healthcare entities have been left exposed to the public internet with little or no authentication, putting patient data at direct risk.
CISA released new guidance urging critical infrastructure operators, including healthcare organizations, to invest in isolation and recovery capabilities to sustain operations during nation-state cyberattacks.
Dutch EHR vendor ChipSoft disclosed that stolen patient data was allegedly destroyed following a ransomware attack by the Embargo group, after the company confirmed some negotiations had taken place.
Missouri's Department of Commerce and Insurance is escalating its investigation into Conduent Business Services after the national insurance-processing vendor allegedly failed to cooperate with regulators over a breach potentially affecting millions of consumers.
The DOJ launched a new West Coast Health Care Fraud Strike Force, uniting federal prosecutors across Arizona, Nevada, and Northern California to pursue fraud schemes tied to digital health companies.
A CMS-built Medicare provider directory inadvertently exposed the Social Security numbers of healthcare providers in a backend database, The Washington Post reported.
A Maryland pharmacist faces federal indictment on two counts of unauthorized computer access and one count of aggravated identity theft tied to alleged intrusions at the University of Maryland Medical Center.
Russian national Artem Revensky, operating as "Digit" within the Sector16 hacking group, pleaded guilty to cyberattacks targeting critical infrastructure across Ukraine, the United States, and other countries.
A newly identified phishing kit called Bluekit automates domain registration and includes an AI assistant to help threat actors launch credential-harvesting campaigns with reduced technical skill.
Ambient AI scribes promise to cut clinician documentation time, but their use inside exam rooms raises unresolved questions under HIPAA, state privacy law, and informed-consent doctrine.
A federal class action filed in Michigan accuses Thomson Reuters of publicly exposing plaintiffs' Social Security numbers through one of its search engine products.
Central Maine Healthcare is eliminating 38 IT positions as the Lewiston-based health system completes a transition to a new electronic medical record platform that includes a patient portal component.
New York's financial regulator secured a $2.25 million settlement with Delta Dental over the 2023 MOVEit zero-day breach that exposed data on more than 7 million patients nationwide.
A California federal judge allowed data breach claims against Bain Capital to proceed over a breach at its subsidiary PowerSchool, marking the first time a private equity firm has faced direct liability for a portfolio company's cybersecurity failure.
A Python-based backdoor framework called Deep#Door has been identified deploying persistent Windows implants designed for espionage and operational disruption, posing elevated risk to unpatched healthcare endpoints.
A Kentwood, Michigan, student deployed malware that disrupted Wi-Fi connectivity across the entire public school district, prompting outside experts to intervene and isolate the incident.
Two American cybersecurity professionals were sentenced to federal prison for deploying BlackCat ransomware against multiple victims and splitting ransom proceeds with the ALPHV criminal organization.
A German national was extradited from Colombia to face U.S. federal charges for allegedly creating and operating the Versus Project, a dark-web marketplace tied to drug and cybercrime trafficking.
A ransom note demanding 0.1 BTC appeared publicly on Naturalsciences.org before the site went offline, raising questions about whether the organization paid an anonymous attacker to restore access.
New research finds rural hospitals face compounding cybersecurity and financial vulnerabilities that threaten patient data protection and operational continuity.
Archive
Every article previously published — searchable, with permanent URLs preserved.
By practice type
Five fast-growing segments where HIPAA-applicability is genuinely contested. Each page covers exactly when HIPAA applies, where the gray zones live, the state consumer-health law overlay (Washington MHMDA, Nevada CHPA, Connecticut DPA, California CMIA), and the operational checklist for compliant operation.
When membership-based primary care still triggers covered-entity status — and the 5-step path to clean operation.
Open
The most state-law-exposed segment in healthcare. WA MHMDA, NV CHPA, pharmacy BAA cascade, multi-state notification matrix.
Open
DEA EPCS for testosterone, compounding pharmacy BAAs, specialty hormone labs — the four-dimensional compliance matrix.
Open
Prominent-patient threat model. Compartmentalized access controls under §164.502(b) and heightened breach response.
Open
Hybrid-entity strategy under §164.105. Photo storage compliance and the medical-component analysis most operators skip.
Open
Biweekly briefing
HIPAA Pulse’s editorial digest paired with Patient Protect’s response notes — what happened, why it matters, what to do.
No spam. Unsubscribe anytime.
