Scott Holland reports that a California state appeals court agreed with a hospital that it should not be held liable for employee misbehavior if they had a clear policy in place but the employee knowingly violated it: A state appeals panel has agreed hospitals can’t be sued if one of their employees posts confidential patient...

Doctors Imaging Group is informing customers about a cybersecurity incident nearly a year after it occurred. 

The post Data Breach at Doctors Imaging Group Impacts 171,000 People appeared first on SecurityWeek.

Nada Hassanein reports: Louisiana has issued an arrest warrant for a California doctor for allegedly mailing abortion pills to a Louisiana woman — the latest legal volley in an ongoing fight between states with abortion bans and those that have enacted protections for abortion providers who use telemedicine to send abortion medication over state lines....

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with five health care providers, collectively known as Cadia Healthcare Facilities, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Breach Notification Rules. The Cadia Healthcare Facilities are rehabilitation, skilled...

Heerea Rikhraj reports: Health tech company Verily is facing a lawsuit filed by former employee Ryan Sloan alleging that the company wrongly terminated him after he escalated complaints that the team engaged in practices that violated the Health Insurance Portability and Accountability Act (HIPAA). Sloan was employed as the chief commercial officer for Onduo —...

This is the sixth installment in a blog series documenting EFF’s findings from the Stop Censoring Abortion campaign. You can read additional posts here. Kenyatta Thomas writes: When we started our Stop Censoring Abortion campaign, we heard from activists, advocacy organizations, researchers, and even healthcare providers who had all experienced having abortion-related content removed or suppressed on social media....

James Reddick reports: Google has agreed to pay out $48 million and the menstrual tracking app Flo Health will pay $8 million to resolve a class-action lawsuit alleging the app illegally shared people’s health data. Google previously reached an agreement with the plaintiffs in July just before the case went to trial but the terms...

Hunton Andrews Kurth writes: The U.S. Department of Health and Human Services (“HHS”) recently delegated authority to the HHS Office for Civil Rights (“OCR”) to enforce new privacy rules governing substance use disorder treatment records, which are set to take effect in early 2026. In a Statement of Delegation of Authority, HHS assigned OCR the responsibility...

Conor Duffy of Robinson + Cole writes: On September 10, 2025, the U.S. Court of Appeals for the Fifth Circuit dismissed an appeal of the federal court ruling vacating key provisions of the HIPAA reproductive health care regulations, which appears to signal the end of the Purl case (previously discussed here) and to confirm the end of provisions...

The BianLian ransomware group took credit for the cyberattack on the healthcare organization in January 2025. 

The post Nearly 250,000 Impacted by Data Breach at Medical Associates of Brevard  appeared first on SecurityWeek.

Suzanne Smalley reports: A California federal judge on Monday rejected a bid by Meta to overturn a jury verdict finding the tech giant liable for using a period tracking tool to illegally obtain sensitive reproductive health data from millions of women. In refusing to overturn the decision or greenlight a new trial, U.S. District Judge...

September 3, 2025 The guidance provides a framework for developing privacy impact assessments that will help custodians ensure they are compliant with the law. The Office of the Information and Privacy Commissioner (OIPC) of Alberta has issued a guidance document that will assist custodians under the Health Information Act (HIA) in ensuring they are compliant with HIA when using...

Jeremy Hays, Stephen Riga, and Leah Shepherd of Ogletree Deakins write: Entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including employer-sponsored health plans, have until February 16, 2026, to comply with additional privacy protections for patient records related to substance use disorder. A separate permission is required for disclosing information...

In May 2024, hackers stole names, Social Security numbers, financial information, and protected health information from the hospital’s systems.

The post 160,000 Impacted by Wayne Memorial Hospital Data Breach appeared first on SecurityWeek.

The Healthcare Services Group (HSGI) is alerting more than 600,000 individuals that their personal information was exposed in a security breach last year. [...]

The U.S. Department of Health and Human Services (HHS) today displayed in the Federal Register a delegation of authority from Secretary Robert F. Kennedy, Jr., to the Office for Civil Rights (OCR) to administer and enforce the “Confidentiality of Substance Use Disorder (SUD) Patient Records” regulations at 42 CFR part 2 (“Part 2”), which protect the privacy of...

Kidney dialysis firm DaVita has confirmed that a ransomware gang that breached its network stole the personal and health information of nearly 2.7 million individuals. [...]

Millions of patients who used Mount Sinai’s MyChart portal between October 2020 and October 2023 may now be eligible for compensation following a $5.26 million class-action settlement. The healthcare system was accused of improperly sharing sensitive user data with Facebook—a claim that has drawn national attention and renewed scrutiny around health data privacy in digital...

Ian Lopez reports: A Texas judge’s striking down of abortion protections threatens broader federal health privacy rights and the government’s ability to regulate them, attorneys warn. Judge Matthew Kacsmaryk, a Trump appointee and go-to jurist for conservative litigants, vacated a Biden administration rule that sought to strengthen Health Insurance Portability and Accountability Act protections involving abortion records. The rule...

The Change Healthcare data breach affecting more than 190 million patients, stands as the largest single breach ever affecting patients. Threat actors known as BlackCat (aka AlphV)  had reportedly used a set of stolen credentials to remotely access the company’s systems that weren’t protected by multifactor authentication.  Confronted with a massive breach, UnitedHealth decided to...