Delta Dental of Virginia Data Breach Affects 146,000 Individuals
Delta Dental of Virginia has notified almost 146,000 members about a security incident that may have exposed their protected health information, and Saint Mary’s Home of Erie in Pennsylvania is investigating a network security incident that exposed residents’ sensitive information. Delta Dental of Virginia Delta Dental of Virginia, the largest dental benefits carrier in the Commonwealth of Virginia, has notified 145,918* individuals about an April 2025 security incident that exposed some of their personal and protected health information. Suspicious activity was identified within an employee’s email account on April 23, 2025. Independent cybersecurity experts were engaged to investigate the activity, and unauthorized access to the email account was confirmed. The account was first accessed by an unauthorized third party on March 21, 2025, and access remained possible until the account was secured on April 23, 2025. During that time, certain emails and attachments within the account may have been viewed or acquired. The account was reviewed, and notification letters started to...
HSCC Updates Model Contract Language Framework for HDOs & MDMs
The Health Sector Coordinating Council (HSCC) has published updated Model Contract Language for MedTech Cybersecurity to help healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) address the challenge of ensuring the cybersecurity of medical devices. Medical devices can introduce cybersecurity risks that must be managed and reduced to a reasonable and appropriate level to comply with the HIPAA Security Rule. The devices must also meet the safety and effectiveness requirements of the Food and Drug Administration (FDA), which include cybersecurity for the entire life cycle of the devices. The cybersecurity of medical devices is a shared responsibility between the HDO and the MDM; however, historically, cybersecurity accountability has been inconsistently reconciled in the purchase contract negotiation process due to factors such as uneven MDM capabilities and investment in cybersecurity controls, and varying cybersecurity expectations among HDOs. If there are ambiguities in cybersecurity responsibilities due to the contract language – or a failure to...
Critical Flaw in Oracle Identity Manager Under Active Exploitation
A critical vulnerability in Oracle Identity Manager is under active exploitation, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA has instructed all federal civilian executive branch agencies to ensure the vulnerability is patched by December 12, 2025, and strongly recommends that all users apply the available patches as soon as possible. The remote code execution vulnerability can be easily exploited by an unauthenticated remote attacker via HTTP. Successful exploitation would allow an attacker to execute arbitrary code on vulnerable systems, leading to a full takeover of Oracle Identity Manager. The vulnerability is tracked as CVE-2025-61757 and has a CVSS severity score of 9.8 out of 10. The vulnerability is due to missing authentication for a critical function in the REST WebServices component of Oracle Fusion Middleware. The vulnerability can be exploited to trick a security filter into treating protected endpoints as publicly accessible, allowing access to a script that can be abused to run malicious code. The vulnerability was identified...
Critical Vulnerability Identified in Emerson Appleton UPSMON-PRO
A critical vulnerability has been identified in Emerson Appleton UPSMON-PRO, monitoring and power management software for uninterruptible power supplies. The software is used by healthcare and public health sector organizations to ensure power is maintained for essential equipment. The vulnerability was identified by security researcher Kimiya, working with the Trend Micro Zero Day Initiative, who reported the issue to the Cybersecurity and Infrastructure Security Agency (CISA). The stack-based buffer overflow vulnerability is tracked as CVE-2024-3871 and has been assigned a CVSS v3.1 base score of 9.3 (CVSS v4 9.8). The vulnerability can be exploited by sending a specially crafted UDP packet to the default UDP port 2601, which can cause an overflow of the buffer stack, overwriting critical memory locations. Successful exploitation of the vulnerability could allow an unauthorized individual to execute arbitrary code with SYSTEM privileges if the UPSMONProService service communication is not properly validated. The vulnerability affects Appleton UPSMON-PRO versions 2.6 and earlier....
HIPAA Compliance for Community Health Centers
There is an argument there should be a different level of HIPAA compliance for community health centers, due to community health centers having fewer resources available to them than other Covered Entities. Unfortunately, due to the complexity of the Health Insurance Portability and Accountability Act (HIPAA), introducing different levels of HIPAA compliance for community health centers would be logistically complex and lead to demands for other “special interest groups” to be taken into account. A list of “special interest groups” could be extensive. Should charity-funded hospices, for example, have the same level of HIPAA compliance as privately-owned, for-profit medical centers? It may not seem fair, but the answer is “Yes”. This is because a breach of Protected Health Information (PHI) from any source is still a breach of PHI, and the potential consequences of a breach (identity theft, insurance fraud, etc.) will be no different, regardless of how, where or when the breach occurred. The Purpose of HIPAA Compliance for Community Health Centers The purpose of HIPAA compliance for...



