The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Albemarle County, VA, Confirms PHI Stolen in June Ransomware Attack
Dec 19

Officials in Albemarle County, Virginia, have confirmed that sensitive data, including protected health information (PHI), was compromised in a June 2025 ransomware attack. The attack commenced on June 10, 2025, and was detected the following day when staff were unable to access certain files on the network. State and federal law enforcement were notified, and third-party cybersecurity experts were engaged to assist with the investigation and determine the scope of the data breach. On July 15, 2025, the investigation confirmed that the PHI of members of its self-insured health plan was compromised in the attack. The compromised PHI varied from individual to individual and may have included names, email addresses, home addresses, phone numbers, dates of birth, Social Security numbers, employee/user ID numbers, healthcare ID numbers, account/patient ID numbers, health information, dates of services, billing and claims information, medical provider names, invoice numbers for the medical care received, and health insurance information. In addition, the data of current and former...

HIPAA Training for Mental Health Centers
Dec 19

HIPAA training for mental health centers not only fulfills mandatory requirements to train workforce members on the HIPAA privacy and security standards, but it also provides a foundation for more stringent confidentiality standards when required by Part 2, state laws, and/or licensing authorities. Mental health centers handle information that, if improperly disclosed, can cause serious harm to patients. For this reason, most states have enacted laws or have licensing requirements that have more stringent confidentiality standards than HIPAA. In some cases, state confidentiality standards are more stringent than those required for SUD patient records by 42 CFR Part 2. It may also be the case that some state laws are conditional on the type of mental health service being provided (i.e., apply only to online MAT providers) or the type of information being protected (i.e., minors’ mental health information). Conditions may also apply depending on who patient information is being disclosed to, the purpose of the disclosure, and specific risk factors. Because of the range of state laws,...

HIPAA Training for Healthcare Providers
Dec 19

HIPAA training for healthcare providers is most effective when it focuses on the real‑world behaviors that protect patient information—not on abstract summaries of the HIPAA standards. The HIPAA Privacy Rule requires covered entities to train workforce members on the specific policies and procedures the organization has implemented to comply with the Privacy and Breach Notification Rules. The Security Rule also requires a security awareness and training program for all workforce members, regardless of their roles or level of access to PHI. While these requirements can technically be met through basic, “check‑the‑box” training, simply exposing workforce members to policies, definitions, or regulatory language does little to change behavior. Training that is passive, overly theoretical, or disconnected from daily workflows rarely reduces risk because it does not help workforce members recognize threats, make decisions under pressure, or understand the real consequences of non‑compliance. Without practical context, the information is easy to forget—and even easier to ignore. Effective...

Class Action Data Breach Settlements Agreed with Three Healthcare Providers
Dec 18

Settlements have been agreed to resolve class action data breach lawsuits against Hypertension Nephrology Associates, Asheville Arthritis and Osteoporosis Center, and Intermountain Planned Parenthood.

Hypertension Nephrology Associates Data Breach Settlement

Hypertension Nephrology Associates (HNA) in Willow Grove, Pennsylvania, has agreed to pay $625,000 to settle a class action lawsuit stemming from a January 2024 data breach. Unauthorized network access was detected on February 6, 2024, when a ransom note was found. A ransomware actor breached its network and stole the personal and protected health information of 39,491 patients, including health and financial information. HNA notified the affected individuals on May 17, 2024. Plaintiff Patricia Kidwell filed a lawsuit – Kidwell v. Hypertension Nephrology Associates, P.C., – in the Court of Common Pleas of Montgomery County, Pennsylvania, alleging the cyberattack and data breach were due to the defendant’s failure to implement reasonable security protections in violation of the HIPAA Security Rule. The lawsuit...

Major Data Breach Announced by Richmond Behavioral Health Authority
Dec 18

Richmond Behavioral Health Authority (RBHA), the public entity responsible for providing mental health, substance abuse, and prevention services in the city of Richmond, Virginia, has recently disclosed a data incident that has affected up to 113,232 individuals. On or around September 30, 2025, RBHA discovered unauthorized access to its computer systems. An investigation was launched to determine the nature and scope of the unauthorized activity, and third-party cybersecurity experts were engaged to assist with the investigation and ensure that the network, computer systems, and data were secured. The forensic investigation determined that hackers first accessed its network on September 29, 2025, then deployed ransomware, resulting in file encryption. RBHA said it found no definitive evidence to suggest that there was unauthorized access to patient data; however, since sensitive data may have been accessed, notice is being provided to all individuals potentially affected “out of an abundance of caution.” The review of the exposed files confirmed that they contained personal and...
