25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Planned Parenthood Los Angeles Facing Class Action Lawsuit Over October 2021 Ransomware Attack

Planned Parenthood Los Angeles (PPLA) is facing a class action lawsuit over a ransomware attack that was discovered on October 17, 2021. The cyberattack exposed the protected health information of more than 409,759 patients. In the notification letters sent to affected individuals on November 30, 2021, PPLA explained that its systems were breached on October 9, 2021, and the hackers had access to files containing PHI until October 17, when they were ejected from the network. The files on the affected systems contained names, addresses, birth dates, diagnoses, treatment, and prescription information, and some files were exfiltrated from its network prior to file encryption. PPLA said it has found no evidence to suggest patient data has been misused. A PPLA patient whose PHI was exposed in the data breach has taken legal action over the incident. The lawsuit was filed in the U.S. District Court of Central California and alleges the patient, and class members, have been placed at imminent risk of harm as a result of the theft of their sensitive health data, which included electronic...

Read More
Learnings from a Major Healthcare Ransomware Attack
Dec13

Learnings from a Major Healthcare Ransomware Attack

One of the most serious healthcare ransomware attacks occurred in Ireland earlier this year. The Health Service Executive (HSE), the Republic of Ireland’s national health system, suffered a major attack that resulted in Conti ransomware being deployed and forced its National Healthcare Network to be taken offline. That meant healthcare professionals across the country were prevented from accessing all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems which caused major disruption to healthcare services across the country. Following the attack, the HSE Board commissioned PricewaterhouseCoopers (PWC) to conduct an independent post-incident review into the attack to establish the facts related to technical and operational preparedness and the circumstances that allowed the attackers to gain access to its systems, exfiltrate sensitive data, encrypt files, and extort the HSE. Cybersecurity Failures that are Common in the Healthcare Industry PWC’s recently published report highlights a number of...

Read More

Max-Severity Apache Log4j Zero-day Vulnerability Extensively Exploited in the Wild

A maximum-severity vulnerability has been identified in Apache Log4j, an open-source Java-based logging library used by many thousands of organizations in their enterprise applications and by many cloud services. The vulnerability, dubbed Log4Shell and tracked as CVE-2021-44228, is serious as they come, with some security researchers claiming the flaw is the most serious to be discovered in the past decade due to its ease of exploitation and the sheer number of enterprise applications and cloud services that are affected. The vulnerability can be exploited without authentication to achieve remote code execution and take full control of vulnerable systems. The vulnerability affects Apache Log4j between versions 2.0 to 2.14.1, and has been fixed in version 2.15.0. The advice is to ensure the upgrade is performed immediately as a proof-of-concept exploit for the flaw is in the public domain, extensive scans are being performed for vulnerable systems, and there have been many cases of the flaw being exploited in the wild. Some reports suggest the improper input validation bug has been...

Read More

Ransomware Attack Affects 81,000 Howard University College of Dentistry Patients

Howard University College of Dentistry discovered on September 3, 2021, that unauthorized individuals had gained access to its network and used ransomware to encrypt files. An announcement was made by the university shortly after the attack that it had been forced to cancel online and hybrid classes while its systems were restored, and that a nationally recognized computer forensics firm had been engaged to investigate the incident to determine the extent of the attack and whether sensitive information was accessed or stolen. On September 24, 2021, the university determined that a system that housed patients’ dental records was affected by the attack. No specific evidence of unauthorized access or data exfiltration was found, although dental records were encrypted. The encrypted records related to dental visits between October 5, 2019, and September 3, 2021, and included information such as names, contact information, dates of birth, dental record numbers, health insurance information, dental history information, and for a limited number of patients, Social Security numbers. The...

Read More
High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products
Dec10

High-Severity Authentication Bug Identified in Hillrom Welch Allyn Cardio Products

A high severity vulnerability has been identified in certain Hillrom Welch Allyn Cardio products that allows accounts to be accessed without a password. The vulnerability is an authentication bypass issue that exists when the Hillrom cardiology products have been configured to use single sign-on (SSO). The vulnerability allows the manual entry of all active directory (AD) accounts provisioned within the application, and access will be granted without having to provide the associated password. That means a remote attacker could access the application under the provided AD account and gain all privileges associated with the account. The vulnerability is tracked as CVE-2021-43935 and has been assigned a CVSS v3 base score of 8.1 out of 10. According to Hillrom, the vulnerability affects the following Hillrom Welch Allyn cardiology products: Welch Allyn Q-Stress Cardiac Stress Testing System: Versions 6.0.0 through 6.3.1 Welch Allyn X-Scribe Cardiac Stress Testing System: Versions 5.01 through 6.3.1 Welch Allyn Diagnostic Cardiology Suite: Version 2.1.0 Welch Allyn Vision Express:...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist