Take the Guesswork out of HIPAA Compliance for Small Practices
Removing guesswork from HIPAA compliance means replacing assumptions about what a practice has covered with a documented process that maps directly to the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Small practices frequently operate on inherited assumptions: a predecessor set up a policy years ago, a staff member attended a training session at some point, or a binder was purchased and filled out once. None of those assumptions can be verified on demand, and an inability to verify is treated the same as noncompliance during a regulatory review. A defined process removes that ambiguity by producing evidence rather than relying on memory or informal practice. The Uncertainty Small Practices Face Under HIPAA Owners and office managers at small practices commonly cannot answer basic questions about their own compliance status without checking multiple sources or guessing. Common uncertainty includes whether the Security Risk Analysis on file reflects the practice’s current systems, whether every staff member has...
Security Researcher Identifies Quintet of Bugs in Toolkit Used in DICOM Medical Imaging Software
A quintet of vulnerabilities has been identified in a DICOM toolkit – OFFIS DCMTK – that is extensively used in medical imaging software. DICOM (Digital Imaging and Communications in Medicine) is the universal technical standard used to store, transmit, print, and display medical imaging data and is used by virtually all medical imaging devices. Since the toolkit is used in many medical imaging software solutions, the vulnerabilities are significant. Successful exploitation of the vulnerabilities could expose patient information, disrupt DICOM storage or worklist services, exhaust service memory, crash imaging services, or cause DCMTK-based clients to write files outside the intended output directory. The vulnerabilities were identified by independent security researcher Abhinav Agarwal, who reported them to the U.S. Cybersecurity and Infrastructure Agency (CISA) and the vendor in May 2026. Agarwal identified the vulnerabilities using standard subscriptions to Claude and ChatGPT, then manually reviewed and confirmed the findings. One of the vulnerabilities is rated critical with a...
HIPAA Compliance Made Easy for Small Practices
HIPAA compliance for a small practice means meeting the requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule through a documented, current program rather than a single training session or a policy binder assembled once and left unchanged. Small practices are held to the same regulatory standard as hospitals and health systems, and the Department of Health and Human Services Office for Civil Rights does not scale its expectations down based on staff count or patient volume. A practice that has never been investigated is not necessarily compliant, it has simply not yet been tested. The path to a program that holds up under scrutiny is more structured than most owners and office managers assume, and it does not require becoming a regulatory expert to get there. What HIPAA Compliance Requires From a Small Practice A covered entity under HIPAA must maintain administrative, physical, and technical safeguards for protected health information under the Security Rule, apply use and disclosure standards for that information under the Privacy...
Medtronic Notifies 3.8M Individuals About April 2026 Cyberattack
Medtronic has started issuing notifications to individuals affected by an April 2026 cyberattack. The ShinyHunters threat group claimed responsibility for the cyberattack and alleges that more than 9 million records containing personally identifiable information (PII) were stolen. Medtronic explained in the notification letters that it learned about the intrusion on April 15, 2026, when suspicious activity was identified within certain corporate IT systems. Assisted by leading third-party cybersecurity experts, Medtronic confirmed unauthorized access to certain IT systems from April 13 to April 19, 2026. The medical devices manufactured by Medtronic collect patient data. The review of that data confirmed that names, contact information, dates of birth, Social Security numbers, and health-related information may have been impacted. At the time of issuing the notification letters, Medtronic said it was unaware of any release of the stolen data on the public Internet. Medtronic confirmed that it takes privacy and security seriously and had implemented many safeguards to protect its...
DOJ’s Using Advanced Data Analytics and AI Tools to Combat Healthcare Fraud Before Payment
The U.S. government has announced record-breaking Medicaid fraud charges as part of its 2026 National Health Care Fraud Takedown, with the enforcement action resulting in charges for 455 defendants, including more than 90 doctors and other licensed medical professionals, in connection with more than $6.5 billion in healthcare fraud and opioid abuse claims. The enforcement action involved a whole-government approach, including U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG), HHS Centers for Medicare and Medicaid Services (CMS), and Drug Enforcement Administration (DEA), with cases in 56 federal districts, 45 U.S. states and territories, and 50 state Medicaid Fraud Control Units participated, more than ever before. There was also unprecedented international cooperation over the two-week takedown. The DOJ seized more than $182 million in cash, luxury vehicles, jewelry, and other assets. “We are aggressively scaling our offensive against anyone using health care as a front to steal from the American people,” said Assistant Attorney General Colin M....



