OCR Fines Four Regulated Entities for HIPAA Violations That Led to Ransomware Attacks
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced four financial penalties to resolve potential HIPAA violations discovered during investigations of ransomware-related data breaches. The ransomware attacks resulted in the exposure of the electronic protected health information (ePHI) of 427,000 individuals, and $1,165,000 in financial penalties were imposed to resolve the HIPAA violations. In each case, the HIPAA-regulated entity agreed to pay a lower penalty to settle the alleged violations informally and agreed to adopt a corrective action plan to address the noncompliance issues identified by OCR’s investigators. Including these four settlements, OCR has resolved six investigations with financial penalties in 2026, collecting $1,278,000 in penalties. Financially motivated cyber actors target the healthcare and public health sector, often using ransomware to encrypt files to prevent access to critical data. Threat actors know that healthcare organizations store large volumes of sensitive data and rely on access to the data to...
Healthcare AI Firm Sued Over Alleged Unlawful Disclosures of Genetic Data
Tempus AI, a publicly traded healthcare artificial intelligence company, is facing multiple class action lawsuits over the alleged unauthorized collection and disclosure of genetic testing results, which were derived from genetic testing by Ambry Genetics Corporation (Ambry Genetics). Ambry Genetics offers comprehensive genetic testing services, including screening and diagnosis of inherited and non-inherited diseases. Tempus AI was founded in 2015 and builds tech solutions around clinical care and research products. In February 2025, Tempus AI acquired Ambry Genetics for $600 million, and as a condition of the acquisition, Ambry Genetics was required to disclose its vast database of genetic data to Tempus AI. The database contained the genetic information of hundreds of thousands of individuals. Tempus AI used Ambry Genetics’ genetic database to train its AI models. Tempus AI had signed agreements with more than 70 companies, including large and mid-sized pharmaceutical firms such as AstraZeneca, Bristol Myers Squibb, Pfizer, and GlaxoSmithKline, and biotechnology firms such...
Absolute Dental Settles Class Action Data Breach Lawsuit for $3.3M
A class action lawsuit filed against Absolute Dental Group, LLC, and Judge Consulting, Inc., over a 2025 data breach has been settled for $3,300,000. Absolute Dental is a Nevada-based dental care provider, and Judge Consulting is a provider of technology consulting, staffing solutions, and corporate training services. Absolute Dental contracted with Judge Consulting as its managed services provider and was responsible for the daily management and operations of Absolute Dental’s IT systems. Absolute Dental identified suspicious activity within its network on February 26, 2025, and the forensic investigation confirmed that an unauthorized third party accessed its network between February 19, 2025, and March 5, 2025. Access was gained through an account associated with Judge Consulting. The hackers had access to names, contact information, Social Security numbers, driver’s license numbers, health information, health insurance information, financial information, and other sensitive data. The data breach was one of the largest of the year, affecting 1,223,635 individuals. Several...
OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism
A proposal to allow the Office of Personnel Management (OPM) to collect the personally identifiable health information of federal employees and retuirees has attracted strong criticism due to privacy and security risks, and the potential for HIPAA violations and data misuse. Per the December 12, 2025, notice about the information collection request (ICR) – Federal Employees Health Benefits (FEHB) and Postal Service Health Benefits (PSHB) Programs Service Use and Cost Data – OPM requires insurance carriers to submit FEHB and PSHB program claims data to OPM. Under the proposal, insurance carriers are required to make monthly submissions of claims-level data, including the protected health information of current and former federal workers, including personal identifiers. According to OPM, the data will “enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans.” While there are clear benefits to be gained from collecting and analyzing the data, such as lowering costs and improving care quality, the proposal has...
Minidoka Memorial Hospital Recovering from Easter Cyberattack
Minidoka Memorial Hospital was the victim of a cyberattack on Easter morning, and two further healthcare providers have confirmed they have been affected by the data breach at business associate Doctor Alliance: A Path of Care Home Health and Hospice and Team Select Holdings. Minidoka Memorial Hospital, Idaho Minidoka Memorial Hospital in Rupert, Idaho, has confirmed media reports of a cybersecurity incident. On April 17, 2026, Minidoka Memorial Hospital issued a statement on its Facebook page confirming that it experienced a cyber incident on Easter morning that temporarily impacted some of its computer systems. While the incident did not prevent the hospital from providing care to patients, certain emergency patients were transferred to Intermountain Health Cassia Regional Hospital due to the inability to access certain medical imaging systems. Full access to those systems was restored on April 19, 2026. Minidoka Memorial Hospital said it was not necessary to postpone scheduled appointments, and patients with new health concerns continued to be treated, with the hospital...



