25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach

The Louisville, KY-based health insurance and healthcare provider Humana and its business associate Cotiviti are facing legal action over a data breach discovered in late December 2020. On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky over the mishandling of Humana insurance plan members’ medical records. Humana had contracted with Cotiviti to handle medical records requests to send to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted some of the work to Visionary Medical Systems Inc. According to the lawsuit, an employee of Visionary Medical Systems uploaded the private and confidential medical records of Humana members to a personal Google Drive account in order to provide medical coding training as part of a “personal coding business endeavor.” The medical records were copied to the Google Drive account between October 12 and December 16, 2020, and that account was publicly accessible. The actions of the employee violated HIPAA and the terms of the business associate agreement. Visionary...

Read More

Settlement to Resolve Nebraska Medicine Data Breach Lawsuit Receives Preliminary Approval

In September 2020, Nebraska Medicine and the University of Nebraska Medical Center discovered their systems had been hacked and malware had been downloaded to its network that gave hackers access to the protected health information of up to 219,000 individuals. The attack forced Nebraska Medicine to shut down its systems causing disruption to operations. Hackers first gained access to Nebraska Medicine’s systems on Aug 27, 2020 and had access to its systems and patient data for 24 days. Access was terminated by Nebraska Medicine on Sept. 20, 2020. During that time, the lawsuit alleged patient data was exfiltrated by the attackers. The breach affected patients of Nebraska Medicine, Faith Regional Health Services, Great Plains Health, and Mary Lanning Healthcare. On February 24, 2021, a class action lawsuit was filed against Nebraska Medicine in the Nebraska U.S. District Court by two patients alleging Nebraska Medicine was negligent for failing to maintain an adequate data security system to reduce the risk of cyberattacks and data breaches. The plaintiffs sought damages,...

Read More

Phishing Attack Affects Up to 34,862 Lafourche Medical Group Patients

Lafourche Medical Group, a Louisiana-based urgent care center operator, has notified 34,862 patients about a security breach that potentially involved some of their protected health information. On March 30, 2021, Lafourche Medical Group learned that an external accountant had responded to a phishing email that spoofed one of the owners of Lafourche Medical Group and disclosed login credentials to the attacker. The compromised credentials were used to gain access to the group’s Microsoft 365 environment. A third-party IT company was engaged to assist with the investigation, but found no evidence to suggest its on-premise systems or cloud-based electronic medical record system were compromised; however, the credentials could have been used to view or download data from its Microsoft 365 environment, which contained some patient information. “Due to the size of the email system, we are unable to identify all potential patient information that may have been contained in the system,” explained Lafourche Medical Group in its substitute breach notice. Clinical information was not...

Read More
NIST Publishes Guidance for First Responders on the Use of Biometric Authentication for Mobile Devices
Jun07

NIST Publishes Guidance for First Responders on the Use of Biometric Authentication for Mobile Devices

The National Institute of Standards and Technology (NIST) has published a new report on the use of biometric authentication on mobile devices to allow first responders to gain rapid access to sensitive data, while ensuring that information can only be accessed by authorized individuals. Many public safety organizations (PSOs) are now using mobile devices to access sensitive data from any location, but ensuring access is secure and only authorized individuals can use the devices to view that information has previously relied on the use of passwords. Passwords can be secure; however, passwords need to be complex to resist brute force attempts to guess passwords. Having to type in a long and complex password can hinder access to essential data. Oftentimes, access to sensitive data needs to be provided immediately. It is not practical for first responders to have to type in a password. Any delay, even one that lasts just a few seconds, has potential to exacerbate an emergency. Biometrics offers a more secure authentication option than passwords and could allow access to data much more...

Read More
Vulnerabilities Identified in Hillrom Medical Device Management Products
Jun04

Vulnerabilities Identified in Hillrom Medical Device Management Products

Two medium severity vulnerabilities have been identified in Hillrom medical device management tools which could result in the leakage of sensitive data, corruption of data, and remote code execution. An out-of-bounds write vulnerability – tracked as CVE-2021-27410 – could allow an attacker to cause memory corruption which would allow the remote execution of arbitrary code. While remote code execution is possible, exploiting the flaw is highly complex. The flaw has been assigned a CVSS v3 severity score of 5.9 out of 10. The second flaw is an out-of-bounds read issue that could result in information leakage and arbitrary code execution if combined with the out-of-bounds write vulnerability. The flaw is tracked as CVE-2021-27408 and has been assigned a CVSS severity score of 5.9. The flaws affected the following Hillrom Welch Allyn medical device management tools: Welch Allyn Service Tool: versions prior to v1.10 Welch Allyn Connex Device Integration Suite – Network Connectivity Engine (NCE): versions prior to v5.3 Welch Allyn Software Development Kit (SDK): versions prior to v3.2...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist