25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

FDA Issues Recall Notice for GE HealthCare Centricity Universal Viewer
Mar20

FDA Issues Recall Notice for GE HealthCare Centricity Universal Viewer

A class 2 recall has been issued by the U.S. Food and Drug Administration (FDA) for certain GE HealthCare Centricity medical imaging products due to a vulnerability that could potentially be exploited by an unauthorized individual to manipulate data or impact system availability. Centricity Universal Viewer is a device that displays medical images such as mammograms and data from various imaging sources. The vulnerability affects the following Centricity Universal Viewer software versions: Versions 5.0 SP6 through UV 5.0 SP7.1 Versions 6.0 through 6.0 Sp10.4.1 Versions 7.0 through 7.0 Sp2.0.1 The recall was issued as the vulnerability may cause temporary or medically reversible adverse health consequences, but where the probability of serious adverse health consequences is remote. The vulnerability is due to user login credentials being exposed on the local client workstation. As such, an unauthorized individual could obtain the credentials and potentially impact system availability and/or manipulate data; however, the potential for exploitation is limited, as direct physical...

Read More
Final Rule Implementing HIPAA Security Rule Updates Edges Closer
Mar20

Final Rule Implementing HIPAA Security Rule Updates Edges Closer

The HIPAA Security Rule update proposed by OCR in the final days of the Biden administration is only two months away from a final rule, should OCR stick to the proposed timescale for release. OCR has yet to confirm when a final rule will be released or if the proposed rule will actually progress to a final rule. OCR issued its Notice of Proposed Rulemaking (NPRM) on December 27, 2024, to strengthen cybersecurity protections for electronic protected health information (ePHI). The proposed update, the first significant update to the HIPAA Security Rule in more than two decades, introduced significant new security requirements to ensure the confidentiality, integrity, and availability of ePHI, taking into account changes to business practices and technology since the original rule was enacted. Several months earlier, in January 2024, OCR published its voluntary Health Care and Public Health Cybersecurity Performance Goals (HPH CPGs) – two sets of voluntary goals (essential and enhanced) that HPH sector organizations were encouraged to adopt to improve resilience to cyber threats, and...

Read More
CISA Advises U.S. Organizations to Harden Microsoft Intune Following Stryker Data Wiping Attack
Mar19

CISA Advises U.S. Organizations to Harden Microsoft Intune Following Stryker Data Wiping Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging U.S. organizations to strengthen administrative controls for the Intune endpoint management tool, following the Iran-linked cyberattack on the medical technology company Stryker. The Stryker cyberattack was conducted by a threat actor called Handala – a hacktivist group with links to Iran’s Ministry of Intelligence and Security. Handala claimed to have exfiltrated 50 terabytes of data in the attack, before wiping data. Handala has claimed that it managed to delete 12 Petabytes of data in the attack from 200,000 devices. Wiper malware was not required, as Handala used the built-in wipe command in the Intune cloud-based endpoint management tool to wipe Windows devices, including mobile phones and laptops.  According to Bleeping Computer, a source familiar with the incident claimed that Handala compromised an administrator account and created a new Global Administrator account, which was used to wipe the data. At the time of writing, the military action against Iran is continuing, and Iran has issued threats of...

Read More
Trinity Health & UPMC Notify Patients About Potential Unauthorized Data Access via HIE
Mar18

Trinity Health & UPMC Notify Patients About Potential Unauthorized Data Access via HIE

Trinity Health and the University of Pittsburgh Medical Center are notifying patients about potential unauthorized access to patient data by third parties via a Health Information Exchange (HIE). Trinity Health, a not-for-profit Michigan-based Catholic health system that operates more than 92 hospitals in 22 states, has informed state attorneys general that some of its patients may have had their protected health information accessed without authorization. Trinity Health participates in automated electronic data exchanges with Health Information Exchanges (HIEs), which ensure that patient data can be easily accessed by other healthcare providers for treatment purposes, regardless of where the provider is located. On January 13, 2026, Trinity Health was informed by its HIE partner that there had potentially been unauthorized access to the protected health information of certain Trinity Health patients. The incident involves an HIE member called Health Gorilla, which provides an interoperability platform and manages data access requests for client companies. Health Gorilla grants...

Read More
GuardDog Telehealth Admits Improper Access to Medical Records
Mar18

GuardDog Telehealth Admits Improper Access to Medical Records

A telehealth company has admitted to improperly accessing patients’ medical records. GuardDog Telehealth purported to require access to patients’ medical records for treatment purposes; however, the records were accessed in order to provide data to law firms for potential lawsuits. GuardDog Telehealth obtained access to patients’ medical records through a Health Information Exchange (HIE) network, using Health Gorilla’s interoperability platform to access the records. Health Gorilla is a Qualified Health Information Network (QHIN) under the Trusted Exchange Framework and Common Agreement (TEFCA), through which many companies access patients’ medical records. The network supports patient care and ensures efficient care coordination between healthcare providers. Epic Systems, the health IT consultancy firm OCHIN, and three healthcare providers filed a lawsuit against Health Gorilla and others, alleging they were allowing “sham” medical practices to access health information exchanges through their interoperability platforms. After gaining access, the sham...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist