Alpine Ear, Nose, & Throat Settles Class Action Data Breach Lawsuit
Alpine Ear, Nose, & Throat, a Fort Collins, Colorado-based healthcare provider with multiple locations in the state of Colorado, has settled a class action lawsuit stemming from a 2024 data breach that was reported to the HHS’ Office for Civil Rights as affecting 65,648 individuals. The security breach was identified on November 26, 2024, and the data breach was announced on January 17, 2025. It took until October 9, 2025, to complete the data mining process, and the affected individuals were notified on January 30, 2026, 14 months after the data breach was first identified. Data compromised in the incident included names, demographic information, dates of birth, medical information, health information, financial account information, credit card numbers, CVC, and expiration dates, and Social Security numbers. Shortly after the data breach was announced, but several months before notification letters were mailed, a class action lawsuit was filed by Plaintiff Deborah Knoll in the District Court of Denver County, Colorado, in response to the data breach. On March 13, 2025, the...
CMS Found to Have Leaked Providers’ SSNs
A database created by the Centers for Medicare and Medicaid Services (CMS) has been exposed online, exposing providers’ Social Security numbers. The database can be downloaded, as it was by reporters at the Washington Post. The CMS created a new directory last year to help seniors find healthcare providers covered by insurance plans. The directory lists doctors and other healthcare providers who accept certain insurance plans, in an effort to improve transparency and access to care. The database created by the CMS to power the provider directory has been found to be leaking some sensitive data. The data that populated the directory was found to contain the Social Security numbers of certain providers, which were linked to their names and other identifying information. The database was publicly accessible for several weeks, and while not immediately visible to individuals who visit the provider directory, it was possible to download the database. The reporters searched the database and identified dozens of Social Security numbers by reviewing just a sample of rows. The CMS has...
Former Maryland Pharmacist Indicted Over 8-Year Cyber Spying Campaign
A former Maryland hospital pharmacist who is alleged to have engaged in a multi-year cyber spying campaign is facing up to 17 years in jail. Matthew Bathula, 41, of Clarksville, is alleged to have engaged in the spying campaign for more than 8 years between July 2016 and September 2024, during which time he intentionally accessed computers without authorization and used a range of cyber intrusion techniques to steal sensitive data, including installing keyloggers and cookie managers, file masquerading, and setting up mailbox rules to avoid detection. According to the indictment, these techniques allowed Bathula to steal a range of sensitive data, including usernames, passwords, cookies, images, videos, and other sensitive data. The data obtained from his actions was used to spy on current and former employees, individuals in a relationship with current and former employees, and other individuals affiliated with his employer. Credentials were obtained for almost 200 victims, which were used to access their social media accounts, as well as Google Photos, Google Nest, iCloud Photos,...
HIPAA Security Risk Assessment
A HIPAA security risk assessment assesses threats to the privacy and security of PHI, the likelihood of a threat occurring, and the potential impact of each threat so it is possible to determine whether existing policies, procedures, and security mechanisms are adequate to reduce risks and vulnerabilities to a reasonable and appropriate level. The requirements for covered entities and business associates to conduct a HIPAA security risk assessment appear twice in the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act. However, it may be necessary for organizations to conduct risk assessments beyond these requirements. The first requirement to conduct a HIPAA security risk assessment appears in the HIPAA Security Rule (45 CFR § 164.308 – Security Management Process). This standard requires covered entities and business associates to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI”. The second requirement appears in the HIPAA Breach...
Delta Dental Fined $2.25 Million Over 2023 MOVEit Transfer Hack
Delta Dental Insurance and Delta Dental of New York (Delta Dental) have agreed to pay a fine of $2.25 million to the New York Department of Financial Services to settle alleged violations of New York cybersecurity regulations. The violations were discovered during an investigation of a 2023 hacking incident that affected almost 7.1 million of its customers. The incident in question occurred over the Memorial Day weekend in 2023 and was detected by Delta Dental on June 1, 2023. A Russian-speaking cybercriminal group called Clop (aka Cl0p) exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer managed file transfer solution, accessed the solution between May 27 and May 30, 2023, and exfiltrated approximately 60,000 files. The group then demanded a ransom to prevent the publication of the stolen files. By July 6, 2023, Delta Dental confirmed that a range of sensitive personal and protected health information had been stolen, including names, addresses, Social Security numbers, driver’s license numbers, financial account information, and health information. Delta...



