FDA Issues Recall Notice for GE HealthCare Centricity Universal Viewer
A class 2 recall has been issued by the U.S. Food and Drug Administration (FDA) for certain GE HealthCare Centricity medical imaging products due to a vulnerability that could potentially be exploited by an unauthorized individual to manipulate data or impact system availability. Centricity Universal Viewer is a device that displays medical images such as mammograms and data from various imaging sources. The vulnerability affects the following Centricity Universal Viewer software versions: Versions 5.0 SP6 through UV 5.0 SP7.1 Versions 6.0 through 6.0 Sp10.4.1 Versions 7.0 through 7.0 Sp2.0.1 The recall was issued as the vulnerability may cause temporary or medically reversible adverse health consequences, but where the probability of serious adverse health consequences is remote. The vulnerability is due to user login credentials being exposed on the local client workstation. As such, an unauthorized individual could obtain the credentials and potentially impact system availability and/or manipulate data; however, the potential for exploitation is limited, as direct physical...
Final Rule Implementing HIPAA Security Rule Updates Edges Closer
The HIPAA Security Rule update proposed by OCR in the final days of the Biden administration is only two months away from a final rule, should OCR stick to the proposed timescale for release. OCR has yet to confirm when a final rule will be released or if the proposed rule will actually progress to a final rule. OCR issued its Notice of Proposed Rulemaking (NPRM) on December 27, 2024, to strengthen cybersecurity protections for electronic protected health information (ePHI). The proposed update, the first significant update to the HIPAA Security Rule in more than two decades, introduced significant new security requirements to ensure the confidentiality, integrity, and availability of ePHI, taking into account changes to business practices and technology since the original rule was enacted. Several months earlier, in January 2024, OCR published its voluntary Health Care and Public Health Cybersecurity Performance Goals (HPH CPGs) – two sets of voluntary goals (essential and enhanced) that HPH sector organizations were encouraged to adopt to improve resilience to cyber threats, and...
CISA Advises U.S. Organizations to Harden Microsoft Intune Following Stryker Data Wiping Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging U.S. organizations to strengthen administrative controls for the Intune endpoint management tool, following the Iran-linked cyberattack on the medical technology company Stryker. The Stryker cyberattack was conducted by a threat actor called Handala – a hacktivist group with links to Iran’s Ministry of Intelligence and Security. Handala claimed to have exfiltrated 50 terabytes of data in the attack, before wiping data. Handala has claimed that it managed to delete 12 Petabytes of data in the attack from 200,000 devices. Wiper malware was not required, as Handala used the built-in wipe command in the Intune cloud-based endpoint management tool to wipe Windows devices, including mobile phones and laptops. According to Bleeping Computer, a source familiar with the incident claimed that Handala compromised an administrator account and created a new Global Administrator account, which was used to wipe the data. At the time of writing, the military action against Iran is continuing, and Iran has issued threats of...
Trinity Health & UPMC Notify Patients About Potential Unauthorized Data Access via HIE
Trinity Health and the University of Pittsburgh Medical Center are notifying patients about potential unauthorized access to patient data by third parties via a Health Information Exchange (HIE). Trinity Health, a not-for-profit Michigan-based Catholic health system that operates more than 92 hospitals in 22 states, has informed state attorneys general that some of its patients may have had their protected health information accessed without authorization. Trinity Health participates in automated electronic data exchanges with Health Information Exchanges (HIEs), which ensure that patient data can be easily accessed by other healthcare providers for treatment purposes, regardless of where the provider is located. On January 13, 2026, Trinity Health was informed by its HIE partner that there had potentially been unauthorized access to the protected health information of certain Trinity Health patients. The incident involves an HIE member called Health Gorilla, which provides an interoperability platform and manages data access requests for client companies. Health Gorilla grants...
GuardDog Telehealth Admits Improper Access to Medical Records
A telehealth company has admitted to improperly accessing patients’ medical records. GuardDog Telehealth purported to require access to patients’ medical records for treatment purposes; however, the records were accessed in order to provide data to law firms for potential lawsuits. GuardDog Telehealth obtained access to patients’ medical records through a Health Information Exchange (HIE) network, using Health Gorilla’s interoperability platform to access the records. Health Gorilla is a Qualified Health Information Network (QHIN) under the Trusted Exchange Framework and Common Agreement (TEFCA), through which many companies access patients’ medical records. The network supports patient care and ensures efficient care coordination between healthcare providers. Epic Systems, the health IT consultancy firm OCHIN, and three healthcare providers filed a lawsuit against Health Gorilla and others, alleging they were allowing “sham” medical practices to access health information exchanges through their interoperability platforms. After gaining access, the sham...



