Is Wix HIPAA Compliant?
When this article was first published in early 2025, Wix was not a HIPAA-compliant service; however, the company has since implemented comprehensive measures to allow its platform to be used by HIPAA-regulated entities, and the company is prepared to sign a business associate agreement with HIPAA-regulated entities. Wix is a service that helps businesses in all industries easily design, build, and host websites. Depending on the type of subscription, customers’ websites can include appointment scheduling software, e-commerce platforms, and loyalty programs. The service scores highly for performance, reliability, and security, and is certified PCI DSS and ISO 27001 compliant. With regard to collecting data from website visitors, Wix enables customers to comply with the California Consumer Privacy Act (CCPA) and other state privacy laws that require an affirmative opt-in before data can be used for marketing purposes. When it comes to collecting Protected Health Information (PHI) from website visitors, HIPAA-regulated entities must ensure that they use a platform that incorporates...
Capital Health Data Breach Litigation Settled for $4.5M
Capital Health has agreed to pay $4.5 million to settle a class action lawsuit stemming from a 2023 ransomware attack. Capital Health operates two hospitals in New Jersey – Capital Health Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell Township – as well as many primary care clinics in New Jersey and Pennsylvania. On or around November 26, 2023, Capital Health identified unauthorized activity within its computer systems. The forensic investigation confirmed that a criminal cyber actor had access to its network between November 11, 2023, and November 26, 2023, and used ransomware to encrypt files. The investigation determined that files containing patient data had been exposed and may have been stolen. The LockBit ransomware group claimed responsibility for the attack and said it exfiltrated 7 TB of data. LockBit threatened to publish the stolen data on January 9, 2024, if the ransom was not paid. It is unclear if any payment was made. Capital Health’s investigation confirmed that the hackers potentially accessed patient data such as names,...
Gryphon Healthcare Agrees to Pay $2.87M to Settle Class Action Data Breach Lawsuit
Gryphon Healthcare, a Houston, TX-based revenue cycle, coding, compliance, consultancy, and management services vendor, faced multiple class action lawsuits over a July 2024 cyberattack involving a partner for which it provides billing services. Gryphon Healthcare learned about the incident in August 2024, and its investigation found that files may have been viewed or obtained. Those files contained the protected health information of 393,358 patients, including names, dates of birth, addresses, Social Security numbers, dates of service, diagnoses, medical treatment information, prescriptions, medical record numbers, and health insurance information. On or around October 11, 2024, Gryphon Healthcare started sending notification letters to the affected individuals, and shortly thereafter, the first class action lawsuit was filed. A further eight lawsuits were subsequently filed, which were consolidated into a single complaint – Morris et al., v. Gryphon Healthcare, LLC – in the District Court for Harris County, Texas. The lawsuit asserted claims of negligence/negligence per...
Why do Hackers Focus on Medical Records?
Hackers focus on medical records because the combination of demographic data, insurance details, clinical information, and financial identifiers creates a dataset that can be misused in multiple ways. Medical records contain a broad range of identifiers. A single file can include a person’s name, address, date of birth, Social Security number, treatment history, prescription details, insurance information, and more. This concentration of Protected Health Information allows attackers to commit several forms of fraud without needing to combine data from multiple sources. The same record can support identity theft, insurance fraud, tax fraud, and the creation of synthetic identities. Because the information is detailed and stable over time, it retains value long after the initial theft. Financial data such as credit card numbers lose value quickly once a breach is detected. Banks can cancel cards, reverse transactions, and block further activity. Medical information does not have an equivalent cancellation mechanism. A diagnosis, a date of birth, or a Social Security number remains...
CISA Issues Guidance for Proactively Defending Against Insider Threats
Insider threats are one of the leading causes of data breaches in healthcare, more so than in many other industry sectors. A 2018 study by Verizon found insider incidents outnumbered incidents involving external parties, with 56% of healthcare data breaches due to insiders and 43% due to external actors. A study by the cybersecurity firm Metomic found that the percentage of healthcare organizations reporting no insider incidents has declined from 34% in 2019 to 24% in 2024. Insider incidents can stem from a lack of knowledge about HIPAA or disregard for patient privacy, such as when healthcare employees snoop on medical records. Negligent insiders can easily expose patient data by failing to follow the organization’s policies and procedures, and malicious insiders steal patient information for financial gain or revenge. Copying patient information to take to a new practice or employer is also common. Due to the high risk of insider threats in healthcare and other critical infrastructure sectors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging critical...



