Endue Software Agrees to $870,000 Data Breach Settlement
Endue Software has agreed to pay $870,000 to settle a class action lawsuit that was filed in response to a cyberattack and data breach that affected more than 118,000 individuals. Endue Software is a software-as-a-service company that provides an infusion management platform to healthcare providers for managing infusion operations. On February 17, 2025, suspicious activity was identified within its systems. The forensic investigation confirmed unauthorized access for a short period on February 17, 2025, during which time files containing patient information were copied. Data compromised in the incident included full names, addresses, dates of birth, Social Security numbers, and medical record numbers. The affected individuals were notified on April 11, 2025. Multiple class action lawsuits were filed in response to the data breach, which were consolidated – Pauley, et al. v. Endue Inc. d/b/a Endue Software – in the United States District Court for the District of Maine. The consolidated lawsuit alleged that the data breach occurred as a result of the failure to implement...
Up to 1.8 Million Individuals Affected by NYC Health + Hospitals Data Breach
The HIPAA Journal reported on a data breach affecting patients of NYC Health + Hospitals Corporation in late March (see below), after the New York healthcare provider disclosed details of the breach. Hackers had access to its network for 11 weeks, with the investigation suggesting that initial access was gained via a security breach at one of its vendors. At the time of reporting, it was unclear how many individuals had been affected. NYC Health + Hospitals is the largest public health system in the United States, and serves more than 1 million New Yorkers, mostly uninsured patients under state benefits programs such as Medicaid. The Department of Health and Human Services Office for Civil Rights (OCR) breach portal has been updated to show that the personal and protected health information of approximately 1.8 million current and former patients and employees was compromised in the incident, making this one of the largest healthcare data breaches to be announced so far this year. The affected employees and patients have been offered complimentary credit monitoring and identity...
Erie Family Health Centers Data Breach Affects 570,000 Individuals
Erie Family Health Centers, a Chicago, IL-based network of health centers providing primary medical, dental, and behavioral healthcare services to individuals regardless of their ability to pay, has experienced a major data breach affecting up to 570,000 individuals. Suspicious activity indicative of unauthorized access was identified within its computer network on January 27, 2026. Immediate action was taken to secure its network, and third-party digital forensics experts were engaged to investigate the incident and determine the nature and scope of the activity. They confirmed that an unauthorized third party first accessed its network on December 10, 2025, and retained access until its network was secured on January 27, 2026. The exposed files were reviewed and confirmed to contain personal and protected health information. The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: address, phone number, email address, date of birth, Social Security number, driver’s license/state ID number,...
HIPAA Training for Call Center Staff
HIPAA training for call center staff is role-based staff training that explains how agents, supervisors, quality reviewers, schedulers, billing support staff, and outsourced contact center personnel must verify callers, limit uses and disclosures of protected health information, follow the HIPAA Privacy Rule, apply the HIPAA Security Rule during phone and digital communications, report incidents under the HIPAA Breach Notification Rule, and document compliant handling of patient information during routine service interactions. HIPAA Exposure in Call Center Work Call center staff handle protected health information in fast-moving conversations. A single call can involve identity verification, appointment details, insurance information, billing questions, prescription references, test results, portal support, provider messages, transportation details, or complaints about care. Each interaction can create a privacy risk if staff disclose information to the wrong person, document the wrong account, speak where others can hear, or send follow-up information through an unapproved...
The Impact of Proposed Changes to the HIPAA Security Rule for Business Associates
A final rule updating the HIPAA Security Rule is due for release as early as May 2026. According to HHS/OCR, the modifications to the Security Rule will improve cybersecurity in the health care sector by strengthening requirements to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats. In Spring 2025, OCR released a timetable suggesting a May 2026 release, although the final rule will likely be delayed. If OCR opts to release a final rule implementing all changes proposed in its January 2026 Notice of Proposed Rulemaking (NPRM), it will have a major impact on HIPAA-covered entities and their business associates. For more than two decades, the HIPAA Security Rule has set a baseline for cybersecurity to safeguard electronic protected health information (ePHI). Prior to its release in 2003, there were no standards for cybersecurity, although at the time, adoption of electronic health records was far from widespread. The standards of the HIPAA Security Rule have helped to ensure that ePHI, and the systems used...



