The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Data Breaches Announced by Victory Disability & Madison Healthcare Services
Dec 16

Data breaches have been announced by the Pennsylvania law firm Victory Disability and the Minnesota healthcare provider Madison Healthcare Services.

Victory Disability, Pennsylvania

Victory Disability, a Pennsylvania law firm specializing in assisting veterans with Social Security and disability claims, has issued notifications about a security incident it became aware of in November 2025, when an unknown party claimed to have breached its network and obtained sensitive data. An investigation was launched to determine the validity of the claims, with assistance provided by third-party digital forensics specialists. The investigation confirmed that an unauthorized third party had access to a portion of its network environment from October 27, 2025, to November 12, 2025, and files containing sensitive data were exposed and may have been obtained. The files were reviewed and found to include names, addresses, telephone numbers, email addresses, and Social Security numbers, and for certain individuals, dates of birth, diagnoses, treatment information, lab results, and medications. The...

What is the OIG Stark Law?
Dec 16

The OIG Stark Law in healthcare is the section of the Social Security Act that prohibits physicians from referring Medicare and Medicaid patients to a non-exempted “designated health service” when the physician or an immediate family member has a financial interest in the service. The Law is named after Congressman Fortney “Pete” Stark who introduced the original “Ethics in Patient Referrals” bill in 1988. The background to the OIG Stark Law is that, in 1972, Congress added an Anti-Kickback Statute to the Social Security Act in order to combat fraud and abuse in the Medicare and Medicaid programs. The Statute prohibits anyone from “knowingly and willfully receiving or paying anything of value to influence the referral of federal health care program business [to a particular healthcare provider]”. The penalties for violating the Anti-Kickback Statute are up to five years in prison, criminal fines of up to $25,000, civil monetary penalties of up to $50,000, and – since 1977 – being included on the HHS OIG Exclusions List. Under the Civil Monetary Penalties Law, physicians who pay or...

Cerebral & RAYUS Radiology Settle Pixel Lawsuits
Dec 16

Settlements have received preliminary approval to resolve litigation against the mental health telehealth company Cerebral and the diagnostic imaging company RAYUS Radiology over their use of website tracking tools. The lawsuits alleged the unlawful disclosure of personal and protected health information to Meta, Google, and other third parties without users’ knowledge or consent.

Cerebral Pixel Settlement

Cerebral Inc., a provider of subscription-based online mental healthcare, has agreed to pay $500,000 to settle a 2023 class action complaint over its use of web analytics technologies such as pixels. The lawsuit – Doe I and Doe II v. Cerebral, Inc. – alleged that the tools disclosed Cerebral account holders’ personally identifiable and protected health information to third parties. Cerebral denies all wrongdoing and liability and disagrees with the claims asserted in the class action complaint, while class counsel and the class representatives believe that their claims have merit. All parties have considered the strengths and weaknesses of the case from both sides and...

Patch Released for Medium-severity Grassroots DICOM Vulnerability
Dec 16

A medium-severity vulnerability has been identified in the Grassroots DICOM open source library for DICOM medical image files. The vulnerability can be exploited in a low complexity attack and could allow an attacker to craft a malicious DICOM file. Should that file be opened, it could crash the application and trigger a denial-of-service condition. The out-of-bounds write vulnerability is present in the Grassroots DICOM library (GDCM) and is triggered during the parsing of a malformed DICOM file containing encapsulated PixelData fragments. The vulnerability results in out-of-bounds memory access, causing a segmentation fault. The vulnerability is due to an unsigned integer underflow in buffer indexing, and can be exploited via file input, only requiring a specially crafted malicious DICOM file to be opened to trigger a crash. The vulnerability is tracked as CVE-2025-11266 and has been assigned a CVSS v3.1 base score of 6.6 and a CVSS v4 score of 6.8. The vulnerability was identified by cybersecurity analyst Morgen Malinoski, who reported the vulnerability to the U.S....

What is HIPAA Enforcement Discretion?
Dec 15

HIPAA enforcement discretion is one of several options available to the Secretary for Health and Human Services (HHS) during public health emergencies to ensure that healthcare services continue to be available to affected individuals, and that healthcare providers can continue providing a service – even when it is not possible for healthcare providers to comply with all applicable healthcare regulations. Under §1135 of the Social Security Act, the HHS Secretary has the authority to issue a Notice of Enforcement Discretion if the President declares an emergency or disaster and the Secretary declares the event a public health emergency. A Notice of Enforcement Discretion allows the Secretary to waive multiple federal healthcare requirements in the emergency area for the duration of the emergency period identified in the public health emergency declaration. For example, the Secretary may waive Medicare and Medicaid conditions of participation, allow licensed healthcare professionals to practice across state lines, or permit the transfer of patients who have not yet been...
