Northwell Health & Northbay Healthcare Settle Litigation Over Website Pixel Use
Northwell Health & Northbay Healthcare were sued over the use of tracking tools on their websites, which are alleged to have illegally disclosed sensitive data to unauthorized third parties. Both healthcare providers have agreed to settle the lawsuits. Northwell Health Data Breach Settlement Northwell Health has agreed to settle litigation over its use of tracking software on its website. According to the lawsuit, tracking tools such as Meta Pixel and Google Analytics code were added to its website and were configured in a manner that resulted in protected health information being transmitted to third parties, without the consent of website visitors. The lawsuit – Kaplan v. Northwell Health, Inc. – was filed in the New York State Supreme Court, Kings County, and alleged that information about website users’ past, present, or future health conditions, including the type and date of a medical appointment, was collected and transmitted to third parties. That information could be tied to individuals via identifiers such as the their Facebook ID and IP address. The...
HIPAA Security Rule
The HIPAA Security Rule contains the security standards for the protection of electronic Protected Health Information (ePHI) that apply when a HIPAA covered entity or business associate creates, receives, transmits, or maintains ePHI in connection with an activity or function regulated by the HIPAA Administrative Simplification Regulations. Rather than being a one-size-fits-all set of security standards, the HIPAA Security Rule allows a degree of flexibility with regard to what standards are implemented and how they are applied. It is also important to be aware that because ePHI is a subset of Protected Health Information, the HIPAA Privacy Rule still governs how ePHI can be used and disclosed. Details of these variables are published in the General Requirements of the HIPAA Security Rule. Thereafter, the main standards and implementation specifications are listed in the Administrative, Physical, and Technical Safeguards, while other security-related HIPAA compliance standards appear in the Organizational and Documentation Requirements. General Security Requirements The General...
Comstar to Pay State AGs $515,000 to Settle Alleged HIPAA Violations
Comstar, a Massachusetts-based ambulance billing and collections company, has been investigated by the Massachusetts Attorney General and found to have violated the Health Insurance Portability and Accountability Act (HIPAA) and the Massachusetts Data Security Regulations. Comstar will pay a $515,000 penalty to resolve the alleged violations. Comstar was investigated over a March 2022 cyberattack and data breach. A cyber threat actor breached its network, exfiltrated files, and used ransomware to encrypt data on its network. While the attack was detected on March 26, 2022, the ransomware group gained access to its network on March 19, 2026. The forensic investigation confirmed that protected health information (PHI) had been stolen, including names, Social Security numbers, driver’s license numbers, financial information, and medical assessment information. The PHI of 585,621 individuals was compromised in the ransomware attack, including 326,426 Massachusetts residents and 22,829 Connecticut residents. The Rowley, Massachusetts-based company faced an investigation by the...
HHS Applies Inflation Increase to Penalties for HIPAA Violations
The HHS’ Office for Civil Rights has increased the penalties for HIPAA violations with immediate effect. As of January 28, 2026, the penalties have been increased in line with inflation, as mandated by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. Annual adjustments to the penalty amounts are necessary to maintain the deterrent effect of financial penalties. When the HITECH Act was introduced, the penalties for HIPAA violations were set as follows: Tier 1: Minimum fine of $100 per violation up to $50,000 Tier 2: Minimum fine of $1,000 per violation up to $50,000 Tier 3: Minimum fine of $10,000 per violation up to $50,000 Tier 4: Minimum fine of $50,000 per violation up to $1,500,000 The penalties were capped at $1,500,000 for violations of an identical provision in a calendar year, and all penalties are subject to annual increases in line with inflation. OCR, like all other Executive Departments and Agencies, is required to apply annual increases to its penalty amounts. Each year, the Office of Management and Budget (OMB) issues a Memorandum that...
HIPAA Training for IT Professionals
HIPAA training for IT professionals is required for IT workforce members who support systems that create, receive, maintain, or transmit protected health information (PHI), because HIPAA compliance depends on administrative, physical, and technical safeguards being implemented and followed consistently. Why HIPAA Training is Necessary for IT Professionals IT professionals influence how PHI is protected more directly than most job functions because they design, configure, administer, and monitor the systems that store and move electronic protected health information (ePHI). Even when an IT role is not clinical, IT staff may access logs, databases, backups, ticketing systems, and troubleshooting data that contain PHI. HIPAA training helps IT teams understand the privacy and security expectations that apply to their work, the consequences of misconfiguration or improper access, and the operational behaviors that reduce the risk of unauthorized access, improper disclosure, or data loss. HIPAA training for IT should connect the HIPAA Privacy Rule and the HIPAA Security Rule to real...



