25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

VisionWorks Agrees to $100K Data Breach Settlement with Maryland AG

Visionworks LLC has agreed to settle with the Maryland Associate General for exposing the Protected Health Information (PHI) of approximately 72,000 Marylanders. The company will pay a fine of $100,000 to the state for data security failures that lead to the breach. Two Data Breaches Reported in Quick Succession   The company discovered two separate data breaches – reported in November and December of last year – that exposed the PHI of 122,627 individuals. The first incident was classified as a lost server, which contained 74,944 records, with the second reported as a network server theft, exposing 47,683 records. The servers are most likely now in landfill; however the incident did potentially expose names, addresses, dates of birth and purchasing histories. The company was reportedly in the process of upgrading to encrypted servers; however old servers were unsecured in the company’s stores; a breach of the HIPAA Security Rule, which requires physical safeguards to be put in place to keep PHI secured. It is believed that the servers were mistakenly disposed of, and...

Read More

Mass Violations of Patient Privacy at Virginia Clinic

Instances of employees snooping on patient medical records are frequently uncovered; however few cases have involved snooping on such a large scale as the privacy breach recently discovered at the Roanoke, Va. Carilion Clinic. The not-for-profit healthcare provider recently discovered fourteen members of staff had accessed a patient’s medical records without having any clinical reason for doing so. Mass Privacy Violations Uncovered By Access Log Audit There have been cases of doctors snooping on fellow physicians’ records, and numerous instances of healthcare workers stealing data with intent to defraud, but it is rare for snooping to occur on such a widespread scale and involve so many employees. Previous cases of mass privacy violations have involved celebrities or other high profile individuals, and this appears to be the case at the Roanoke clinic. According to Carilion spokesperson, Chris Turnbull, “If a big story pops up, we regularly monitor employee access into the medical records system.” The monitoring of access is possible because every time a patient’s records are...

Read More

CareFirst Blue Cross Blue Shield Breach Lawsuit Filed

Earlier this year, CareFirst Inc., discovered one of its customer databases had been accessed by hackers, exposing the Protected Health Information (PHI) of approximately 1.1 million individuals. Some of the victims have now added their names to a new lawsuit against the insurer, with the plaintiffs seeking damages of $5 million, plus legal costs, for the damage, harm and losses caused as a result of the data breach. CareFirst, operating under Blue Cross Blue Shield, suffered a cyberattack in 2014, although it was not identified until May 20, 2015. Names, dates of birth, insurance information and email addresses were exposed, but critically, no financial information or Social Security numbers. CareFirst determined hackers first gained access to the data in June 2014; however it was only when a third party security company, Mandiant, conducted a security audit that the data breach was identified. CareFirst had elected not to encrypt its database, and it is alleged that the decision not to implement this security measure, and others, constituted negligence on the part of the insurer....

Read More
HIPAA Breach Notice Issued After Colorado Medicaid Mailing Error
Aug18

HIPAA Breach Notice Issued After Colorado Medicaid Mailing Error

The Colorado Department of Health Care Policy and Financing issued a HIPAA breach notice yesterday, announcing the potential exposure of confidential records relating to 1,622 households. A limited amount of Protected Health Information (PHI) was inadvertently disclosed to Medicaid recipients after a recent mailing error. The mailing took place between May 25, and July 5, 2015; but due to a technical error, letters were sent to incorrect recipients. The error was noticed by a resident who had received correspondence with details of a different person, and the matter was reported to county workers on July 1, according to the breach notice; four days before the mailing was stopped and the problem corrected. After an investigation into the breach was conducted, the department determined that patient names, Medicaid numbers, state ID numbers, family member names, employer names, income from the employer, Advanced Tax Credit amounts, and approval status for Medicaid and Child Health Plan services were potentially disclosed. In less than 50 cases, the person’s date of birth was also...

Read More

Class-Action for Advanced Data Processing Breach Denied

An Advanced Data Processing breach lawsuit was recently filed in a Florida court, with the case taking just 24 hours to be tossed by the judge. In this case, the judge ruled that the move to certify the class was premature, and the case was denied, even though the plaintiff alleges to have suffered identity theft as a direct result of the data breach. In the lawsuit, the plaintiffs allege that in 2012, the healthcare clearinghouse suffered a data breach that exposed the Protected Health Information (PHI) for several months. The data stolen is alleged to have been used to steal identities and fraudulently obtain funds from the IRS. The suit also claims there was a delay in issuing breach notification letters to victims, some of whom were not notified of the theft of their data for three years. The data breach affected 27 agencies in 17 states, and in total 10,000 individuals had their data stolen and potentially sold to an identity theft ring. One plaintiff, Yehonatan Weinberg, claimed to have visited a Californian hospital in 2012, yet received a breach notification letter in April...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist