
Missing Risk Analysis Cost NY CPA Firm $175K—But Not the Big Group Whose Data Was Breached in 2019

By: Dissent
9 October 2025 at 09:41
Theresa Defino reports: Covered entities (CEs) and business associates (BAs) might be forgiven if the most recent HHS Office for Civil Rights (OCR) HIPAA enforcement action evoked little more than a yawn. Yes, the $175,000 payment isn’t a particularly large amount, and the sole alleged violation is a retread. Actually, it’s the 10th in OCR’s...


Verily Faces Lawsuit Over Alleged HIPAA Violations

By: Dissent
24 September 2025 at 17:15
John Blacksmith reports: Verily, owned by Alphabet, is facing a lawsuit filed by an ex-employee who alleges the misuse of the personally identifiable health information of over 25,000 patients, and the failure of the company to submit HIPAA breach reports, as per the Health Insurance Portability and Accountability Act (HIPAA) requirement. Verily, previously known as...


HHS Releases Updated Security Risk Assessment Tool

By: Dissent
9 September 2025 at 20:34
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Assistant Secretary for Technology Policy (ASTP) are pleased to announce the release of version 3.6 of the Security Risk Assessment (SRA) Tool. To help you make the most of these updates, ASTP and OCR are hosting live webinars on September...


District of Arizona Clarifies Causes of Action Available for Breach of Health Data

By: Dissent
3 September 2025 at 08:41
Nick Palmieri of Baker Botts writes: Healthcare providers wrestling with the legal fallout of cyber-attacks just received a fresh reminder from the District of Arizona: traditional tort and contract theories remain difficult to sustain after a breach, but consumer-fraud statutes can keep a case alive. In Johnson v. Yuma Regional Medical Center, fourteen patients sued the...


Aftermath: More than 99% of providers opted to have Change Healthcare notify patients of its massive data breach

By: Dissent
2 August 2025 at 12:22
The Change Healthcare data breach, affecting more than 190 million patients, stands as the largest single breach ever affecting patients. Threat actors known as BlackCat (aka AlphV) had reportedly used a set of stolen credentials to remotely access the company’s systems that weren’t protected by multifactor authentication. Confronted with a massive breach, UnitedHealth decided to...

Highlands Oncology Group notifies 113,575 people after ransomware attack by Medusa

By: Dissent
2 August 2025 at 07:16
On August 1, Highlands Oncology Group in Arkansas notified the Maine Attorney General’s Office of a ransomware attack it discovered on June 2, when certain files and systems were inaccessible. Investigation into the incident revealed that there had been unauthorized access at times between January 21, 2025, and June 2, 2025. On June 19, the...

20 States Sue HHS to Stop Medicaid Data Sharing with ICE

By: Dissent
2 July 2025 at 14:03
Marianne Kolbasuk McGee reports: California and 19 other states’ attorneys general are suing the Trump administration to stop the U.S. Department of Health and Human Services from allegedly disclosing Medicaid beneficiaries’ personal health information to the Department of Homeland Security and its Immigration and Customs Enforcement agency. California Attorney General Rob Bonta on Tuesday announced the lawsuit...

Let’s Talk About Direct Object References

By: BHIS
10 February 2016 at 16:44

Kelsey Bellew // Maybe you don’t know what Direct Object References mean. If you Google it, you’d get this: This description uses the words “direct”, “object” and “reference” to describe a […]

The post Let’s Talk About Direct Object References appeared first on Black Hills Information Security, Inc.
