25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty
Jan18

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals. The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties. Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015. The hackers installed malware on its systems,...

Read More

South Country Health Alliance Breach Impacts 66,874 Plan Members

Owatonna, MN-based Minnesota South Country Health Alliance has discovered an unauthorized individual accessed the email account of an employee that contained the protected health information of 66,874 of its members. The email account breach was detected on September 14, 2020, with the subsequent investigation revealing the account was first accessed by an unauthorized individual on June 25, 2020. The review of the email account was completed on November 5, 2020 and revealed it contained personal and protected health information such as names, addresses, Social Security numbers, Medicare and Medicaid numbers, health insurance information, diagnostic or treatment information, date of death, provider name, and treatment cost information. Notifications were sent to all affected members on December 30, 2020. The delay in issuing notifications was due to the time taken to identify current mailing addresses for affected individuals. The breach investigation did not uncover any evidence to suggest any protected health information in the account was viewed or obtained or has been misused....

Read More

MD Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas MD Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights. The Civil Monetary Penalty was imposed on MD Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 that involved the loss/theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen. The Office for Civil Rights investigation concluded that MD Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and the second prohibits unauthorized disclosures of ePHI. HIPAA penalties are tiered and are based on the level of culpability, with the Office for...

Read More
CISA Warns of Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments
Jan15

CISA Warns of Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that threat actors are exploiting poor cyber hygiene to gain access to enterprise cloud environments. The alert was issued after CISA observed a surge in attacks on organizations that have transitioned to a largely remote workforce in response to the pandemic. While some of the tactics outlined in the report may have been used by the hackers behind the SolarWinds Orion supply chain attack, these tactics have not been tied to any specific threat group and are being used by multiple threat actors to gain access cloud environments and obtain sensitive data. According to the alert, threat actors are using a variety of tactics, techniques, and procedures to attack cloud environments, including brute force attacks to guess weak passwords, phishing attacks, and the exploitation of unpatched vulnerabilities and weaknesses in cloud security practices. Phishing is commonly used to obtain credentials to remotely access cloud resources and applications. The phishing emails typically include hyperlinks to...

Read More

Healthcare Industry Web Application Attacks Have Increased by 51% in the Past Two Months

There has been a significant increase in healthcare industry web application attacks according to new data published by cybersecurity firm Imperva. Imperva Research Labs monitored a 51% increase in web application attacks between November 2020 and December 2020, which coincided with the start of the rollout of COVID-19 vaccines. Imperva SVP Terry Ray said 2020 had been an unprecedented year of cyber activity, with healthcare web application attack volume up 10% year-over-year. On average there were 187 million web application attacks on healthcare targets each month in 2020, with each organization monitored by Imperva experiencing an average of 498 attack a month. The top targets were located in the United States, United Kingdom, Brazil, and Canada. In December, Imperva Research Labs detected significant increases in four types of attacks. The largest increase was seen in protocol manipulation attacks, which increased 76% from the previous month and were the third most common attack type. There was a 68% increase in remote code execution / remote file inclusion attacks, although...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist