Albemarle County, VA, Confirms PHI Stolen in June Ransomware Attack
Officials in Albemarle County, Virginia, have confirmed that sensitive data, including protected health information (PHI), was compromised in a June 2025 ransomware attack. The attack commenced on June 10, 2025, and was detected the following day when staff were unable to access certain files on the network. State and federal law enforcement were notified, and third-party cybersecurity experts were engaged to assist with the investigation and determine the scope of the data breach. On July 15, 2025, the investigation confirmed that the PHI of members of its self-insured health plan was compromised in the attack. The compromised PHI varied from individual to individual and may have included names, email addresses, home addresses, phone numbers, dates of birth, Social Security numbers, employee/user ID numbers, healthcare ID numbers, account/patient ID numbers, health information, dates of services, billing and claims information, medical provider names, invoice numbers for the medical care received, and health insurance information. In addition, the data of current and former...
HIPAA Training for Mental Health Centers
HIPAA training for mental health centers not only fulfills the mandatory requirement to train workforce members on the HIPAA privacy and security standards, but it also provides a foundation for the more stringent confidentiality standards required by Part 2, state laws, and/or licensing authorities. Mental health centers handle information that, if improperly disclosed, can cause serious harm to patients. For this reason, most states have enacted laws or licensing requirements with more stringent confidentiality standards than HIPAA. In some cases, state confidentiality standards are more stringent than those required for SUD patient records by 42 CFR Part 2. Some state laws are also conditional on the type of mental health service being provided (e.g., they apply only to online MAT providers) or the type of information being protected (e.g., minors’ mental health information). Conditions may also apply depending on to whom patient information is disclosed, the purpose of the disclosure, and specific risk factors. Because of the range of state laws,...
HIPAA Training for Healthcare Providers
HIPAA training for healthcare providers is most effective when it focuses on the real‑world behaviors that protect patient information—not on abstract summaries of the HIPAA standards. The HIPAA Privacy Rule requires covered entities to train workforce members on the specific policies and procedures the organization has implemented to comply with the Privacy and Breach Notification Rules. The Security Rule also requires a security awareness and training program for all workforce members, regardless of their roles or level of access to PHI. While these requirements can technically be met through basic, “check‑the‑box” training, simply exposing workforce members to policies, definitions, or regulatory language does little to change behavior. Training that is passive, overly theoretical, or disconnected from daily workflows rarely reduces risk because it does not help workforce members recognize threats, make decisions under pressure, or understand the real consequences of non‑compliance. Without practical context, the information is easy to forget—and even easier to ignore. Effective...
Class Action Data Breach Settlements Agreed with Three Healthcare Providers
Settlements have been agreed to resolve class action data breach lawsuits against Hypertension Nephrology Associates, Asheville Arthritis and Osteoporosis Center, and Intermountain Planned Parenthood.
Hypertension Nephrology Associates Data Breach Settlement
Hypertension Nephrology Associates (HNA) in Willow Grove, Pennsylvania, has agreed to pay $625,000 to settle a class action lawsuit stemming from a January 2024 data breach. Unauthorized network access was detected on February 6, 2024, when a ransom note was found. A ransomware actor breached its network and stole the personal and protected health information of 39,491 patients, including health and financial information. HNA notified the affected individuals on May 17, 2024. Plaintiff Patricia Kidwell filed a lawsuit – Kidwell v. Hypertension Nephrology Associates, P.C. – in the Court of Common Pleas of Montgomery County, Pennsylvania, alleging that the cyberattack and data breach were due to the defendant’s failure to implement reasonable security protections in violation of the HIPAA Security Rule. The lawsuit...
Major Data Breach Announced by Richmond Behavioral Health Authority
Richmond Behavioral Health Authority (RBHA), the public entity responsible for providing mental health, substance abuse, and prevention services in the city of Richmond, Virginia, has recently disclosed a data incident that has affected up to 113,232 individuals. On or around September 30, 2025, RBHA discovered unauthorized access to its computer systems. An investigation was launched to determine the nature and scope of the unauthorized activity, and third-party cybersecurity experts were engaged to assist with the investigation and ensure that the network, computer systems, and data were secured. The forensic investigation determined that hackers first accessed its network on September 29, 2025, then deployed ransomware, resulting in file encryption. RBHA said it found no definitive evidence to suggest that there was unauthorized access to patient data; however, since sensitive data may have been accessed, notice is being provided to all individuals potentially affected “out of an abundance of caution.” The review of the exposed files confirmed that they contained personal and...