McLaren Health Care Pays $14 Million to Settle Litigation Over Ransomware Attacks
McLaren Health Care has agreed to pay $14 million to settle class action litigation stemming from two ransomware attacks in 2023 and 2024 that affected more than 2.8 million patients and employees. McLaren Health Care is a Grand Rapids, Michigan-based integrated healthcare delivery system that operates 12 hospitals and many healthcare facilities in Michigan, Indiana, and Ohio, and also a health plan. Over the space of a year, McLaren Health Care experienced two ransomware attacks. The first attack was conducted by the ALPHV/BlackCat ransomware group, which had access to its computer network from July 28, 2023, to August 23, 2023. The second attack was conducted by the Inc Ransom ransomware group, which accessed its network between July 17, 2024, and August 3, 2024. The ALPHV/BlackCat ransomware attack affected 2,103,881 individuals, and the Inc Ransom ransomware attack affected 743,131 individuals. Data compromised in the attacks included names, Social Security numbers, information about past, present, or future physical, mental, or behavioral health or conditions, the provision of...
Jefferson-Blount-St. Clair Mental Health Authority Data Breach Affects 30,000 Patients
Jefferson-Blount-St. Clair Mental Health Authority in Alabama, Cottage Hospital in New Hampshire, WindRose Health Network in Indiana, and Iroquois Memorial Hospital in Illinois have announced that patient data has been exposed in hacking incidents. Jefferson-Blount-St. Clair Mental Health Authority, Alabama Jefferson-Blount-St. Clair (JBS) Mental Health Authority in Alabama has notified more than 30,000 individuals that some of their personal and protected health information was exposed and potentially acquired in a ransomware attack. Suspicious activity was identified within its computer network on or around November 25, 2026. The investigation confirmed that hackers gained access to its network on November 25, 2026, and potentially viewed or acquired information relating to individuals who were patients or employees between 2011 and 2025. The file review has recently concluded and confirmed that the exposed data included names, Social Security numbers, health insurance information, dates of birth, and medical information, which may have included diagnoses, physician information,...
HIPAA Compliant Email: Best Practice To Avoid Violations & Breaches
This practical guide to HIPAA compliant email services explains how to achieve best practice compliance by avoiding the common misunderstandings and implementation errors that cause the preventable email violations that lead to breaches and fines. It has become increasingly clear that many aspects of HIPAA compliant email are either not understood or badly implemented, leaving a large number of healthcare organizations of all sizes wrongly believing their email is both secure and HIPAA compliant. Unfortunately, many easily preventable issues only come to light after it is too late and a breach has taken place. The Office for Civil Rights receives around 60,000 notifications of data breaches each year, of which many are wrongful disclosures of Protected Health Information (PHI) attributable to email violations. What Is Required For HIPAA Email Compliance? From an organizational perspective, when looking into HIPAA email compliance services there are three areas that should be considered, each of which is covered in more detail below: 1. HIPAA Compliance: What is required for...
Failure to Provide a Medical Screening Examination Results in HHS-OIG Penalty
Two hospitals have entered into settlement agreements with the Department of Health and Human Services (HHS) Office of Inspector General (OIG) to resolve alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA). EMTALA requires Medicare-participating hospitals with emergency departments to provide a medical screening examination and stabilizing treatment for any patient, regardless of the patient’s ability to pay. Patients must not be transferred unless they have first been provided with stabilizing treatment, unless the patient requests a transfer in writing, the benefits outweigh the risks, and if the receiving hospital agrees to accept the patient. Transfers are also permitted if the hospital does not have the capabilities to stabilize the patient, in which case, the patient can be transferred to a hospital with specialized capabilities. Cordell Memorial Hospital in Oklahoma was investigated by HHS-OIG after an alleged failure to provide a medical screening examination to a pregnant patient in active labor, who presented at the hospital on January 27,...
HIPAA Training for Physical Therapists
Physical therapists must receive documented HIPAA training that covers the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule, is provided during onboarding and refreshed annually as an industry best practice, and is reinforced through security awareness training so protected health information is used, disclosed, safeguarded, and reported in a manner consistent with HIPAA requirements and organizational policies. Physical therapy services routinely involve protected health information in evaluations, plan of care documentation, progress notes, referrals, prior authorizations, billing records, and communications with physicians, payers, and care coordinators. Training must account for these routine touchpoints where privacy, security, and incident reporting obligations arise. HIPAA training should be provided to physical therapists during onboarding within a reasonable period after the start of work or access authorization and aligned with the point at which access to systems and records is granted. Training completion should be tracked before independent...



