HHS Confirms Active Enforcement of Information Blocking Rules
At a Thursday hearing, the Senate Health, Education, Labor and Pensions (HELP) Committee heard testimony from Thomas Keane, M.D., M.B.A., Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology (ASTP/ONC) on the HHS’s efforts to make improvements in health and care through the access, exchange, and use of data. “My top priority is fostering greater data liquidity in the U.S. health care system so that patients and their clinicians are in the driver’s seat. I see how modern data standards, combined with artificial intelligence (AI), can make health care more affordable, accessible, and can support improved health outcomes,” explained Keane. It has been a decade since the 21st Century Cures Act was enacted in 2016. Key provisions of the act have been implemented, such as the establishment of the Trusted Exchange Framework and Common Agreement (TEFCA) for nationwide health information exchange across health information networks. TEFCA Exchange began in earnest in January 2024, and 11 Qualified Health Information Networks have now signed up...
Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its second enforcement action of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). MMG Fusion LLC, a Maryland-based company that provides software solutions to oral healthcare providers, has agreed to settle the alleged violations and pay a financial penalty. The case is significant, as it involves an unreported data breach that affected 15 million individuals. An unauthorized actor gained access to MMG’s internal network on December 21, 2020, and accessed patients’ protected health information, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. The threat actor exfiltrated data from MMG’s network and subsequently posted that information on the dark web. A data breach of that magnitude would have attracted considerable media attention; however, it slipped under the radar as the breach was not reported to OCR, and the affected covered entities were not...
$2.35 Million Settlement Agreed to Resolve Cornerstone Specialty Hospitals Data Breach Lawsuit
Cornerstone Healthcare Group Management Services, doing business as Cornerstone Specialty Hospitals (Cornerstone), has agreed to settle class action litigation stemming from a December 2023 cyberattack and data breach. A threat actor gained access to the Cornerstone network on or around December 19, 2023, and potentially accessed and copied patient information. Data potentially compromised in the incident included names, dates of birth, Social Security numbers, federal or state ID numbers, financial account information, credit or debit card information, digital signatures, email addresses and passwords, usernames and passwords, passport numbers, medical/health information, health insurance information, and other protected health information. Initially, the data breach was reported to the HHS’ Office for Civil Rights using a placeholder estimate of at least 501 affected individuals. The total was later updated to 484,957 individuals. A lawsuit – Mireles v. Cornerstone Healthcare Group Management Services LLC d/b/a/ Cornerstone Specialty Hospitals – was filed in the Court of...
PIH Health Notifies 2.95M Patients About 2024 Hacking Incident
PIH Health, a healthcare provider serving patients in Orange County and the San Gabriel Valley in California, has started notifying patients affected by a December 2024 ransomware attack. The attack disrupted systems used by Downey Hospital, Good Samaritan Hospital, Whittier Hospital, as well as urgent care clinics, home health, hospice services, and physicians’ offices. The ransomware attack was detected on December 1, 2024, and the forensic investigation confirmed that the threat actor had access to its network between November 14, 2024, and December 23, 2024. As detailed in our December 16, 2024, coverage below, the threat actor claimed to have exfiltrated around 2 terabytes of data in the attack, and claimed the data included around 17 million patient records. A ransom demand was issued, and some of the stolen data was leaked online. PIH Health learned of the hacker’s claims but said at the time that it was unable to verify the authenticity of the ransom note or the data theft claims. PIH Health has been reviewing the exposed data with the help of third-party specialists,...
HIPAA Certification for Medical Couriers
HIPAA certification for medical couriers is an industry-standard training credential that demonstrates a driver understands how to handle protected health information safely and professionally, and has become a widely expected requirement by courier companies, healthcare clients, and insurers alike. If you are seeking work as a medical delivery driver, you have probably seen job ads asking for HIPAA certification for medical couriers. It is one of the most common requirements in the industry, yet it is also one that can confuse jobseekers who are unaware of what medical courier certification is or how to get HIPAA certified for a medical courier job. This guide explains what HIPAA certification for couriers is, why so many companies require it, how to get certified, and why choosing a verifiable HIPAA certification course matters. What Is HIPAA Certification for Medical Couriers? HIPAA certification for medical couriers is a training certificate that shows you understand how to handle Protected Health Information (PHI) safely and correctly while performing courier work. It is not a...



