Henderson & Walton Women’s Center Settles Class Action Data Breach Lawsuit
Henderson & Walton Women’s Center, a Birmingham, AL-based provider of women’s healthcare services, has agreed to settle a class action lawsuit stemming from a 2022 data breach that exposed the personal and protected health information of 34,306 individuals. The forensic investigation confirmed that an unauthorized third party had access to an employee’s email account between February 11, 2022, and February 14, 2022, and potentially obtained information such as names, dates of birth, driver’s license or state ID numbers, and medical and treatment information. Plaintiff Kim Townsel filed a lawsuit – Townsel v. Henderson & Walton Women’s Center, P.C. – against Henderson & Walton Women’s Center in the Circuit Court for Jefferson County, Alabama, over the data breach, alleging a failure to properly secure and safeguard the sensitive and confidential information of patients through the use of encryption and other cybersecurity measures. The lawsuit alleged that the failure amounted to negligence. In addition to the negligence and negligence per se claims, the...
HSCC Issues Guidance on Cyber Governance Frameworks for Secure AI Implementation
The Health Sector Coordinating Council (HSCC) AI cybersecurity governance task force has published new guidance for healthcare CISOs and other leaders to help them establish cybersecurity governance frameworks for secure AI implementation. Adoption of AI-based technologies in healthcare is progressing at a pace, with AI tools increasingly embedded into critical healthcare functions; however, these tools introduce new and often poorly understood cyber risks into already complex ecosystems. AI-specific cyber risks, such as data poisoning, model drift, and bias, can threaten successful implementation and HIPAA compliance, and the tools can create vulnerabilities that can be exploited by threat actors in attacks that impact patient privacy, safety, and care. Healthcare organizations should implement a strong governance structure that integrates cybersecurity principles into the full AI product lifecycle, from assessment, design, development, deployment, and decommissioning of AI systems. The guidance can be used to implement a cybersecurity governance framework for identifying and...
Episource 2025 Cyberattack Affected 6.7 Million Individuals
Episource, a provider of medical coding, risk adjustment services, and software solutions, experienced a cyberattack in early 2025, in which files containing patient data were exfiltrated from its network. In June 2025, the forensic investigation had progressed, and it was confirmed that 5.4 million individuals had been affected. The investigation has since revealed the data breach was more extensive, involving unauthorized access to the electronic protected health information of 6,725,572 individuals, according to updated figures provided to the HHS’ Office for Civil Rights. With more than 6.7 million affected individuals, the data breach currently ranks as the third-largest healthcare data breach of 2025, behind the 13.9 million-record data breach at Aflac and the 62.2 million-record data breach at Conduent Business Services, and ranks as the 16th-largest healthcare data breach of all time. The threat group behind the incident remains unknown. In August last year, U.S. Senate Health, Education, Labor, and Pensions (HELP) Committee Chairman, Sen. Bill Cassidy, M.D. (R-LA),...
Clinical Managers and Directors and Ongoing HIPAA Compliance Programs in Small Practices
Article Summary Clinical oversight places the Clinical Manager inside the daily clinical workflow rather than the policy library. Access controls and the minimum necessary standard require system permissions that match current clinical job duties. Training clinical staff on HIPAA requirements covers bedside verbal disclosures and PHI handling on mobile devices. Incident reporting and sanctions depend on a clear internal reporting path and consistent enforcement across every role. Coordinating with the HIPAA Security Risk Analysis supplies clinical input the analysis cannot capture on its own. Keeping the program current as clinical operations change flags training and access gaps before they accumulate. Responding to an investigation involving clinical staff depends on documentation the practice can produce during review. Clinical Managers Maintain HIPAA Compliance A Clinical Manager or Director maintains ongoing HIPAA compliance in a small practice by controlling clinical staff access to protected health information, enforcing the minimum necessary standard in daily patient care...
Building a HIPAA Compliance Program as a Practice Administrator in a Small Practice
Article Contents If you are the Practice Administrator handling HIPAA compliance, here is what to focus on: Designate compliance ownership. Start with a Security Risk Analysis. Turn the analysis into written policies. Train staff on policies and security. Obtain required vendor agreements. Review the program at least annually. Keep investigation-ready documentation. Who Owns HIPAA Compliance in a Small Practice Small practices carry the same federal compliance obligations as large health systems, but rarely employ dedicated compliance staff to manage them. Most often, this responsibility falls on the Practice Administrator, layered on top of scheduling, billing oversight, vendor management, and day-to-day staff supervision. The thing is though, that ownership needs to be explicit. According to HIPAA, the responsibility is not assumed, but rather a designation. Now, HIPAA does allow the responsibility to be split: one person handling privacy and another handling security – but in most small practices, it tends to fall on one person for all of it. Whatever the arrangement, it...



