25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Endue Software Agrees to $870,000 Data Breach Settlement
May19

Endue Software Agrees to $870,000 Data Breach Settlement

Endue Software has agreed to pay $870,000 to settle a class action lawsuit that was filed in response to a cyberattack and data breach that affected more than 118,000 individuals. Endue Software is a software-as-a-service company that provides an infusion management platform to healthcare providers for managing infusion operations. On February 17, 2025, suspicious activity was identified within its systems. The forensic investigation confirmed unauthorized access for a short period on February 17, 2025, during which time files containing patient information were copied. Data compromised in the incident included full names, addresses, dates of birth, Social Security numbers, and medical record numbers. The affected individuals were notified on April 11, 2025. Multiple class action lawsuits were filed in response to the data breach, which were consolidated – Pauley, et al. v. Endue Inc. d/b/a Endue Software – in the United States District Court for the District of Maine. The consolidated lawsuit alleged that the data breach occurred as a result of the failure to implement...

Read More
Up to 1.8 Million Individuals Affected by NYC Health + Hospitals Data Breach
May19

Up to 1.8 Million Individuals Affected by NYC Health + Hospitals Data Breach

The HIPAA Journal reported on a data breach affecting patients of NYC Health + Hospitals Corporation in late March (see below), after the New York healthcare provider disclosed details of the breach. Hackers had access to its network for 11 weeks, with the investigation suggesting that initial access was gained via a security breach at one of its vendors. At the time of reporting, it was unclear how many individuals had been affected. NYC Health + Hospitals is the largest public health system in the United States, and serves more than 1 million New Yorkers, mostly uninsured patients under state benefits programs such as Medicaid. The Department of Health and Human Services Office for Civil Rights (OCR) breach portal has been updated to show that the personal and protected health information of approximately 1.8 million current and former patients and employees was compromised in the incident, making this one of the largest healthcare data breaches to be announced so far this year. The affected employees and patients have been offered complimentary credit monitoring and identity...

Read More
Erie Family Health Centers Data Breach Affects 570,000 Individuals
May19

Erie Family Health Centers Data Breach Affects 570,000 Individuals

Erie Family Health Centers, a Chicago, IL-based network of health centers providing primary medical, dental, and behavioral healthcare services to individuals regardless of their ability to pay, has experienced a major data breach affecting up to 570,000 individuals. Suspicious activity indicative of unauthorized access was identified within its computer network on January 27, 2026. Immediate action was taken to secure its network, and third-party digital forensics experts were engaged to investigate the incident and determine the nature and scope of the activity. They confirmed that an unauthorized third party first accessed its network on December 10, 2025, and retained access until its network was secured on January 27, 2026. The exposed files were reviewed and confirmed to contain personal and protected health information. The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: address, phone number, email address, date of birth, Social Security number, driver’s license/state ID number,...

Read More
HIPAA Training for Call Center Staff
May18

HIPAA Training for Call Center Staff

HIPAA training for call center staff is role-based staff training that explains how agents, supervisors, quality reviewers, schedulers, billing support staff, and outsourced contact center personnel must verify callers, limit uses and disclosures of protected health information, follow the HIPAA Privacy Rule, apply the HIPAA Security Rule during phone and digital communications, report incidents under the HIPAA Breach Notification Rule, and document compliant handling of patient information during routine service interactions. HIPAA Exposure in Call Center Work Call center staff handle protected health information in fast-moving conversations. A single call can involve identity verification, appointment details, insurance information, billing questions, prescription references, test results, portal support, provider messages, transportation details, or complaints about care. Each interaction can create a privacy risk if staff disclose information to the wrong person, document the wrong account, speak where others can hear, or send follow-up information through an unapproved...

Read More
The Impact of Proposed Changes to the HIPAA Security Rule for Business Associates
May18

The Impact of Proposed Changes to the HIPAA Security Rule for Business Associates

A final rule updating the HIPAA Security Rule is due for release as early as May 2026. According to HHS/OCR, the modifications to the Security Rule will improve cybersecurity in the health care sector by strengthening requirements to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats. In Spring 2025, OCR released a timetable suggesting a May 2026 release, although the final rule will likely be delayed. If OCR opts to release a final rule implementing all changes proposed in its January 2026 Notice of Proposed Rulemaking (NPRM), it will have a major impact on HIPAA-covered entities and their business associates. For more than two decades, the HIPAA Security Rule has set a baseline for cybersecurity to safeguard electronic protected health information (ePHI). Prior to its release in 2003, there were no standards for cybersecurity, although at the time, adoption of electronic health records was far from widespread. The standards of the HIPAA Security Rule have helped to ensure that ePHI, and the systems used...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist