25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

PHI of 40,000 Individuals Exposed in Email Account Breaches

Three healthcare providers have recently reported security breaches involving the email accounts of employees, resulting in the exposure and potential theft of the protected health information of more than 40,000 individuals. Saltzer Health Saltzer Health in Idaho identified a breach of its email environment on June 1, 2021. Steps were promptly taken to prevent further unauthorized access, with the subsequent investigation confirming an unauthorized individual had accessed the account between May 25, 2021, and June 1, 2021. It was not possible to tell if any patient information was accessed or exfiltrated, but a comprehensive review of the account by third-party specialists confirmed it contained the protected health information of 15,650 patients. The review was completed on September 21, 2021, and confirmed the email account contained the following types of information: Names, contact information, medical record numbers, patient identification numbers, driver’s license/state identification numbers, medical histories, diagnoses, treatment information, physician information,...

Read More
New Mexico Hospital Hit with Class Action Lawsuit over 2020 Data Breach
Dec07

New Mexico Hospital Hit with Class Action Lawsuit over 2020 Data Breach

San Juan Regional Medical Center in Farmington, New Mexico is facing a class action lawsuit over a data breach that was announced in June 2021. The breach investigation confirmed an unauthorized individual gained access to its network and exfiltrated files containing sensitive patient data between September 7, 2020, and September 8, 2020. The data breach was initially reported to the HHS’ Office for Civil Rights as affecting 500 individuals, with San Juan Regional Medical Center saying at the time that at least 500 individuals had been affected. When the total number of individuals affected by a security breach is not known, breaches can be reported to OCR and the breach report updated when further information is known. The breach investigation later confirmed that the protected health information (PHI) of 68,792 individuals had potentially been stolen in the attack. While data theft was confirmed, the hospital has not uncovered any evidence to suggest any patient’s PHI has been misused and individuals whose Social Security number was compromised have been offered complimentary...

Read More
Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access
Dec06

Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act. New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) data wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties. The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard. Healthcare providers and insurers are required to...

Read More

Biomanufacturing Sector Warned of High Risk of Tardigrade Malware Attacks

A highly sophisticated malware capable of aggressively spreading within networks is being used in targeted attacks on the biomanufacturing sector. The malware has been named Tardigrade by security researchers and initial research suggests it may be a variant of SmokeLoader – A commonly used malware loader and backdoor, although SmokeLoader and Tardigrade malware are quite distinct. The sophisticated nature of the malware coupled with the targeted attacks on vaccine manufacturers and their partners strongly suggest the malware was developed and is being used by an Advanced Persisted Threat (APT) actor. The malware was first detected being used in attacks on the biomanufacturing sector in the spring of 2021 when an infection was discovered at a large U.S. biomanufacturing facility. The malware was identified again in an attack on a biomanufacturing firm in October 2021 and it is believed to have been used in attacks on several firms in the sector. In contrast to SmokeLoader, which requires instructions to be sent to the malware from its command-and-control infrastructure, Tardigrade...

Read More
APT Actors Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells
Dec03

APT Actors Exploiting Zoho ManageEngine ServiceDesk Plus to Deliver Webshells

An APT actor that was targeting a vulnerability in the enterprise password management and single sign-on solution Zoho ManageEngine ADSelfService Plus has started exploiting another critical vulnerability in a different Zoho product, the IT helpdesk and asset management solution Zoho ManageEngine ServiceDesk Plus. The APT group had been exploiting a critical vulnerability in ManageEngine ADSelfService Plus tracked as CVE-2021-40539, which affects Zoho ManageEngine ADSelfService Plus version 6113 and prior, and is a REST API authentication bypass that can be exploited to allow remote code execution. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on December 2, 2021, about a different vulnerability being exploited by the APT actor. The vulnerability, CVE-2021-44077, affects all versions of Zoho ManageEngine ServiceDesk Plus (on-premises) prior to version 11306. The vulnerability is related to RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Successful exploitation of the...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist