25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

PHI of 38,000 Patients Stolen in Ransomware Attack on Reproductive Biology Associates

The Georgia fertility clinic Reproductive Biology Associates has announced it suffered a ransomware attack in April in which files containing the personal and protected health information of approximately 38,000 patients were exfiltrated by the attackers. The attackers gained access to a file server containing embryology data on April 7, 2021, and ransomware was used to encrypt files on April 16, 2021. The files contained the PHI of patients of Reproductive Biology Associates and its affiliate My Egg Bank North America, which included full names, addresses, Social Security numbers, laboratory test results, and information related to the handling of human tissue. The investigation into the attack concluded on June 7, 2021. While it has not been officially confirmed whether the ransom was paid, Reproductive Biology Associates said the attackers have deleted all data stolen in the attack and all encrypted data have now been recovered. Reproductive Biology Associates has been monitoring online and dark web sites for signs of misuse or misappropriation of the stolen data and will...

Read More
1 Billion-Record Database of Searches of CVS Website Exposed Online
Jun23

1 Billion-Record Database of Searches of CVS Website Exposed Online

A database belonging to CVS Pharmacy that included approximately 1 billion search records has been exposed online. The database included information about searches performed by visitors to CVS.com and CVSHealth.com, typically for information about medications an COVID-19 vaccines. It is common for databases such as these to be maintained by companies. The search information can be used for analytics, customer management, marketing, and other purposes to improve the services provided to customers. These searches can sometimes be tied to an individual by their IP address, or in this case by the searcher’s email address. The colossal database was discovered by security researcher Jeremiah Fowler. Fowler found that the email addresses of some visitors to the websites was also included in the database. Due to the size of the database, it was not possible to perform searches of all data but searching a sample of data in the database confirmed many email addresses were present. It is not clear why email addresses were recorded. Fowler suggests it could have been people mistakenly...

Read More

Prominence Health Plan Data Breach Impacts up to 45,000 Individuals

The Nevada health insurer Prominence Health Plan has announced it suffered a security breach on November 30, 2020 in which hackers potentially obtained the protected health information of some of its plan members. The data breach was discovered on April 22, 2021 and steps were immediately taken to prevent further unauthorized access, including changing the credentials used by the attacker to gain access to its network. While Prominence Health Plan has not confirmed whether this was a ransomware attack, all affected plan member data has been restored from backups. The incident involved audio recordings of phone calls to the Prominence call center along with PDF files that included provider claim forms and letters to patients advising them about claim approvals and denials. The audio files typically included full names, dates of birth, and member ID numbers, while the PDF files contained a member’s name, date of birth, sex, member ID number, mailing address, and claim code. The files included PHI of individuals who had been members between 2010 and 2020. Approximately 45,000...

Read More

San Juan Regional Medical Center Data Breach Affects 68,792 Patients

San Juan Regional Medical Center has recently notified tens of thousands of its patients about a security breach that occurred in the fall of 2020. The Farmington, NM medical center discovered its network had been accessed by an unauthorized individual on September 8, 2020. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the nature and extent of the breach. The forensic investigation revealed the attacker exfiltrated files between September 7th and 8th, with a manual review of those files confirming they contained the protected health information of its patients. The types of information in the files varied from patient to patient and included names in combination with one or more of the following data elements: Dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, diagnoses, treatment information, medical record numbers, and patient account numbers. While data theft was confirmed, no evidence has been found to indicate any of the...

Read More

Bipartisan Group of Senators Introduce Draft Federal Data Breach Notification Bill

A bipartisan group of senators has introduced a federal data breach notification bill – the Cyber Incident Notification Act of 2021 – that requires all federal agencies, contractors, and businesses that have oversight over critical infrastructure to report significant cyber threats to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery. The draft bill was introduced by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) but has yet to be formally introduced in the Senate. The bill seeks to address many of the issues that have been identified following recent cyberattacks that have impacted critical infrastructure, such as the SolarWinds Orion supply chain attack and the ransomware attacks on JBS and Colonial Pipeline. The purpose of the new bill is to ensure timely federal government awareness of cyber intrusions that pose a threat to national security, which will enable the development of a common operating picture of national-level cyber threats. Entities discovering cyber threats will be required to provide...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist