Report Reveals Elevenfold Increase in Data-only Extortion Attacks
There has been a sharp increase in data-only extortion incidents, with ransomware gangs increasingly opting not to encrypt files, instead simply breaching networks, exfiltrating sensitive data, and demanding a ransom payment to prevent the data from being leaked or sold. Ransomware started to become popular with threat actors in the early to mid-2010s. Attacks involved breaching networks and using robust encryption to prevent data access. The emergence of untraceable cryptocurrencies helped fuel an explosion in ransomware attacks. In the mid-2010s, encryption alone proved to be sufficient, with the majority of victims opting to pay to recover their data. By 2020, double extortionbecame more prevalent, where data is stolen prior to file encryption. A ransom payment is required to obtain the decryption keys and prevent the publication or sale of stolen data. Double extortion fast became the norm, with the majority of ransomware attacks involving data theft and extortion. The rapid rise in ransomware attacks forced organizations to address their data backup policies. While attacks may...
Three Healthcare Providers Affected by Ransomware Attacks
Issaqueena Pediatric Dentistry in South Carolina, Enhabit Home Health & Hospice in Texas, and AltaMed Health Services in California have announced that patient data has potentially been compromised in ransomware attacks. Issaqueena Pediatric Dentistry, South Carolina Issaqueena Pediatric Dentistry in Seneca, South Carolina, has recently reported a hacking incident to the HHS’ Office for Civil Rights that involved unauthorized access to personally identifiable information and protected health information. The incident is still being investigated, so the number of affected individuals has yet to be confirmed. The OCR breach portal currently lists the incident as affecting at least 501 individuals. In a substitute breach notice on its website, Issaqueena Pediatric Dentistry confirmed that an unauthorized third party gained access to certain files on its system between November 9 and November 11, 2025. Issaqueena Pediatric Dentistry discovered the intrusion on November 11, 2025, when ransomware was used to encrypt files. Its incident response protocols were activated, steps were...
Norton Healthcare Settles Class Action Ransomware Lawsuit for $11 Million
A class action lawsuit against Norton Healthcare over a 2023 ransomware attack has been settled for $11 million. The settlement has received preliminary approval from the court and provides medical monitoring services, reimbursement of out-of-pocket losses, compensation for lost time, and cash payments for the class members. Norton Healthcare is a nonprofit Kentucky-based health system with eight hospitals and hundreds of other care facilities in and around Louisville, Kentucky, and southern Indiana. On or around May 9, 2023, Norton Healthcare discovered that hackers had gained access to its network. The forensic investigation confirmed that a threat actor had access to certain network storage devices between May 7 and May 9, 2025, and obtained sensitive data relating to current and former patients, employees, and their dependents and beneficiaries. The ALPHV/BlackCat ransomware group claimed responsibility for the attack and leaked approximately 4.7 terabytes of data on its dark web data leak site. Data compromised in the incident included names, contact information, dates of...
HIPAA Privacy Rule Training for Business Associates
HIPAA Privacy Rule training for business associates should explain how employees may use, disclose, access, protect, amend, restrict, and report protected health information when performing services for or on behalf of a HIPAA covered entity. Business associate employees may not be directly covered by the HIPAA Privacy Rule workforce training requirements in the same way as covered entity employees, but HIPAA Privacy Rule training still applies when their duties involve protected health information, business associate agreement obligations, subcontractor relationships, patient rights, breach reporting, or internal policies that implement HIPAA requirements. Training also helps employees understand how HIPAA Privacy Rule limits interact with HIPAA Security Rule safeguards when protected health information is created, received, maintained, or transmitted by the business associate. The HIPAA training requirement for Business Associates has become more important with the increased OCR focus on HIPAA Business Associates. Why HIPAA Privacy Rule Training Applies to Business Associate...
March 1, 2026: Small Healthcare Data Breach HIPAA Reporting Deadline
Healthcare data breaches discovered in calendar year 2025 that affected fewer than 500 individuals must be reported to the HHS’ Office for Civil Rights by March 1, 2026. The HIPAA Breach Notification Rule requires data breaches affecting 500 or more individuals to be reported to OCR within 60 days of the discovery of a data breach. Individuals must also be notified within 60 days, and a notice must be submitted to prominent media outlets where the affected individuals are located if 500 or more individuals are affected in a state or jurisdiction. The breach notification requirements for small breaches are different. The affected individuals must still be notified within 60 days of the discovery of a data breach; however, a media notice is not required. OCR must still be notified about small healthcare data breaches, but HIPAA-regulated entities can delay submitting notifications to OCR. All small healthcare data breaches must be reported to OCR within 60 days of the end of the calendar year when the breach was discovered. Each small data breach must be reported separately via the...



