The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Delta Dental of Virginia Data Breach Affects 146,000 Individuals
Nov 24

Delta Dental of Virginia has notified almost 146,000 members about a security incident that may have exposed their protected health information, and Saint Mary’s Home of Erie in Pennsylvania is investigating a network security incident that exposed residents’ sensitive information.

Delta Dental of Virginia

Delta Dental of Virginia, the largest dental benefits carrier in the Commonwealth of Virginia, has notified 145,918* individuals about an April 2025 security incident that exposed some of their personal and protected health information. Suspicious activity was identified within an employee’s email account on April 23, 2025. Independent cybersecurity experts were engaged to investigate the activity, and unauthorized access to the email account was confirmed. The account was first accessed by an unauthorized third party on March 21, 2025, and access remained possible until the account was secured on April 23, 2025. During that time, certain emails and attachments within the account may have been viewed or acquired. The account was reviewed, and notification letters started to...

HSCC Updates Model Contract Language Framework for HDOs & MDMs
Nov 24

The Health Sector Coordinating Council (HSCC) has published updated Model Contract Language for MedTech Cybersecurity to help healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) address the challenge of ensuring the cybersecurity of medical devices. Medical devices can introduce cybersecurity risks that must be managed and reduced to a reasonable and appropriate level to comply with the HIPAA Security Rule. The devices must also meet the safety and effectiveness requirements of the Food and Drug Administration (FDA), which include cybersecurity for the entire life cycle of the devices. The cybersecurity of medical devices is a shared responsibility between the HDO and the MDM; however, historically, cybersecurity accountability has been inconsistently reconciled in the purchase contract negotiation process due to factors such as uneven MDM capabilities and investment in cybersecurity controls, and varying cybersecurity expectations among HDOs. If there are ambiguities in cybersecurity responsibilities due to the contract language – or a failure to...

Critical Flaw in Oracle Identity Manager Under Active Exploitation
Nov 24

A critical vulnerability in Oracle Identity Manager is under active exploitation, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA has instructed all federal civilian executive branch agencies to ensure the vulnerability is patched by December 12, 2025, and strongly recommends that all users apply the available patches as soon as possible. The remote code execution vulnerability can be easily exploited by an unauthenticated remote attacker via HTTP. Successful exploitation would allow an attacker to execute arbitrary code on vulnerable systems, leading to a full takeover of Oracle Identity Manager. The vulnerability is tracked as CVE-2025-61757 and has a CVSS severity score of 9.8 out of 10. The vulnerability is due to missing authentication for a critical function in the REST WebServices component of Oracle Fusion Middleware. The vulnerability can be exploited to trick a security filter into treating protected endpoints as publicly accessible, allowing access to a script that can be abused to run malicious code. The vulnerability was identified...

Critical Vulnerability Identified in Emerson Appleton UPSMON-PRO
Nov 24

A critical vulnerability has been identified in Emerson Appleton UPSMON-PRO, monitoring and power management software for uninterruptible power supplies. The software is used by healthcare and public health sector organizations to ensure power is maintained for essential equipment. The vulnerability was identified by security researcher Kimiya, working with the Trend Micro Zero Day Initiative, who reported the issue to the Cybersecurity and Infrastructure Security Agency (CISA). The stack-based buffer overflow vulnerability is tracked as CVE-2024-3871 and has been assigned a CVSS v3.1 base score of 9.3 (CVSS v4 9.8). The vulnerability can be exploited by sending a specially crafted UDP packet to the default UDP port 2601, which can overflow a stack buffer and overwrite critical memory locations. Successful exploitation of the vulnerability could allow an unauthorized individual to execute arbitrary code with SYSTEM privileges if the UPSMONProService service communication is not properly validated. The vulnerability affects Appleton UPSMON-PRO versions 2.6 and earlier....

HIPAA Compliance for Community Health Centers

There is an argument that there should be a different level of HIPAA compliance for community health centers, because community health centers have fewer resources available to them than other Covered Entities. Unfortunately, due to the complexity of the Health Insurance Portability and Accountability Act (HIPAA), introducing different levels of HIPAA compliance for community health centers would be logistically complex and lead to demands for other “special interest groups” to be taken into account. A list of “special interest groups” could be extensive. Should charity-funded hospices, for example, have the same level of HIPAA compliance as privately-owned, for-profit medical centers? It may not seem fair, but the answer is “Yes”. This is because a breach of Protected Health Information (PHI) from any source is still a breach of PHI, and the potential consequences of a breach (identity theft, insurance fraud, etc.) will be no different, regardless of how, where or when the breach occurred.

The Purpose of HIPAA Compliance for Community Health Centers

The purpose of HIPAA compliance for...
