25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Report Reveals Elevenfold Increase in Data-only Extortion Attacks
Feb19

Report Reveals Elevenfold Increase in Data-only Extortion Attacks

There has been a sharp increase in data-only extortion incidents, with ransomware gangs increasingly opting not to encrypt files, instead simply breaching networks, exfiltrating sensitive data, and demanding a ransom payment to prevent the data from being leaked or sold. Ransomware started to become popular with threat actors in the early to mid-2010s. Attacks involved breaching networks and using robust encryption to prevent data access. The emergence of untraceable cryptocurrencies helped fuel an explosion in ransomware attacks. In the mid-2010s, encryption alone proved to be sufficient, with the majority of victims opting to pay to recover their data. By 2020, double extortionbecame more prevalent, where data is stolen prior to file encryption. A ransom payment is required to obtain the decryption keys and prevent the publication or sale of stolen data. Double extortion fast became the norm, with the majority of ransomware attacks involving data theft and extortion. The rapid rise in ransomware attacks forced organizations to address their data backup policies. While attacks may...

Read More
Three Healthcare Providers Affected by Ransomware Attacks
Feb19

Three Healthcare Providers Affected by Ransomware Attacks

Issaqueena Pediatric Dentistry in South Carolina, Enhabit Home Health & Hospice in Texas, and AltaMed Health Services in California have announced that patient data has potentially been compromised in ransomware attacks. Issaqueena Pediatric Dentistry, South Carolina Issaqueena Pediatric Dentistry in Seneca, South Carolina, has recently reported a hacking incident to the HHS’ Office for Civil Rights that involved unauthorized access to personally identifiable information and protected health information. The incident is still being investigated, so the number of affected individuals has yet to be confirmed. The OCR breach portal currently lists the incident as affecting at least 501 individuals. In a substitute breach notice on its website, Issaqueena Pediatric Dentistry confirmed that an unauthorized third party gained access to certain files on its system between November 9 and November 11, 2025. Issaqueena Pediatric Dentistry discovered the intrusion on November 11, 2025, when ransomware was used to encrypt files. Its incident response protocols were activated, steps were...

Read More
Norton Healthcare Settles Class Action Ransomware Lawsuit for $11 Million
Feb19

Norton Healthcare Settles Class Action Ransomware Lawsuit for $11 Million

A class action lawsuit against Norton Healthcare over a 2023 ransomware attack has been settled for $11 million. The settlement has received preliminary approval from the court and provides medical monitoring services, reimbursement of out-of-pocket losses, compensation for lost time, and cash payments for the class members. Norton Healthcare is a nonprofit Kentucky-based health system with eight hospitals and hundreds of other care facilities in and around Louisville, Kentucky, and southern Indiana. On or around May 9, 2023, Norton Healthcare discovered that hackers had gained access to its network. The forensic investigation confirmed that a threat actor had access to certain network storage devices between May 7 and May 9, 2025, and obtained sensitive data relating to current and former patients, employees, and their dependents and beneficiaries. The ALPHV/BlackCat ransomware group claimed responsibility for the attack and leaked approximately 4.7 terabytes of data on its dark web data leak site. Data compromised in the incident included names, contact information, dates of...

Read More
HIPAA Privacy Rule Training for Business Associates
Feb18

HIPAA Privacy Rule Training for Business Associates

HIPAA Privacy Rule training for business associates should explain how employees may use, disclose, access, protect, amend, restrict, and report protected health information when performing services for or on behalf of a HIPAA covered entity. Business associate employees may not be directly covered by the HIPAA Privacy Rule workforce training requirements in the same way as covered entity employees, but HIPAA Privacy Rule training still applies when their duties involve protected health information, business associate agreement obligations, subcontractor relationships, patient rights, breach reporting, or internal policies that implement HIPAA requirements. Training also helps employees understand how HIPAA Privacy Rule limits interact with HIPAA Security Rule safeguards when protected health information is created, received, maintained, or transmitted by the business associate.  The HIPAA training requirement for Business Associates has become more important with the increased OCR focus on HIPAA Business Associates. Why HIPAA Privacy Rule Training Applies to Business Associate...

Read More
March 1, 2026: Small Healthcare Data Breach HIPAA Reporting Deadline
Feb18

March 1, 2026: Small Healthcare Data Breach HIPAA Reporting Deadline

Healthcare data breaches discovered in calendar year 2025 that affected fewer than 500 individuals must be reported to the HHS’ Office for Civil Rights by March 1, 2026. The HIPAA Breach Notification Rule requires data breaches affecting 500 or more individuals to be reported to OCR within 60 days of the discovery of a data breach. Individuals must also be notified within 60 days, and a notice must be submitted to prominent media outlets where the affected individuals are located if 500 or more individuals are affected in a state or jurisdiction. The breach notification requirements for small breaches are different. The affected individuals must still be notified within 60 days of the discovery of a data breach; however, a media notice is not required. OCR must still be notified about small healthcare data breaches, but HIPAA-regulated entities can delay submitting notifications to OCR. All small healthcare data breaches must be reported to OCR within 60 days of the end of the calendar year when the breach was discovered. Each small data breach must be reported separately via the...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist