HIPAA Compliance Software
The purpose of HIPAA compliance software is to provide a framework to guide a HIPAA-covered entity or business associate through the process of becoming HIPAA-compliant and support continued compliance with HIPAA. HIPAA compliance software helps administrators, business owners, practice managers, and compliance officers, many of whom manage compliance alongside other responsibilities and without a formal background in healthcare regulation, navigate the nuances of HIPAA and ensure all applicable provisions of the HIPAA Privacy, Security, and Breach Notification Rules are satisfied. The software also proves a company has made a good faith effort to comply with HIPAA by maintaining full documentation of compliance activities. This ensures that if a company is audited by the HHS’ Office for Civil Rights (OCR) or is investigated by OCR or state attorneys general over a data breach, the organization can demonstrate no aspect of HIPAA has been missed, all policies and procedures are in order, members of the workforce have received HIPAA training, and appropriate technical, physical, and...
Okanogan Behavioral Healthcare Settles Class Action Data Breach Lawsuit
Okanogan Behavioral Healthcare, a provider of holistic behavioral health services in Okanogan County, Washington, has agreed to settle a class action lawsuit stemming from a May 2024 data breach that affected 26,429 individuals. A network intrusion was identified on May 15, 2024, and the forensic investigation determined that an unauthorized third party had access to its network from May 13, 2024, to May 15, 2024. Data exposed in the incident included client names, contact information, dates of birth, Social Security numbers, driver’s license numbers, other identification numbers, and medical information, including diagnosis and treatment information, and health insurance information. The affected individuals started to be notified on August 23, 2024. A lawsuit was filed – Doe v. Okanogan Behavioral Healthcare – in the Superior Court of the State of Washington for the County of Okanogan in response to the data breach, alleging that the data breach was due to the failure of the defendant to implement reasonable and appropriate cybersecurity measures, and had they been...
High-Severity Vulnerability Identified in OHIF Viewers DICOM
A high-severity vulnerability has been identified in OHIF (Open Health Imaging Foundation) Viewers DICOM, which could be exploited to steal an authenticated clinician’s token via a crafted link. The Server-Side Request Forgery (SSRF) vulnerability is tracked as CVE-2026-12473 and has a CVSS base score of 8.2 (v3.1) and 8.3 (v4.0). The vulnerability is due to two data sources – DICOMWebProxy and DICOMJSON – shipped in the default configuration fetching an arbitrary URL parameter without validation. A global authentication service in OHIF injects the authenticated user’s OIDC Bearer token into the resulting requests, which could be sent to an attacker-controlled server, allowing the OIDC Bearer token to be obtained. The vulnerability does not impact DICOMweb data sources. The vulnerability affects OHIF DICOM Web Viewer Framework prior to v3.12.0. The vulnerability has been fixed by the maintainer in version 3.12.2, which was released on May 18, 2026. The fix is located at OHIF/Viewers#5985 (master), OHIF/Viewers#5978 (release/3.12). Users are advised to update to the fixed...
Why You Don’t Need to Understand HIPAA to Make Your Small Practice HIPAA Compliant
A small practice owner who cannot define a Security Risk Analysis, has never read the HIPAA Security Rule, and does not know what a Business Associate Agreement must contain can still operate a practice with a complete, documented, provable HIPAA compliance program. The expertise does not have to live in the practitioner’s head. It has to live in the program. A purpose-built compliance program encodes what HIPAA requires and translates a practice owner’s knowledge of their own practice into a complete compliance record. The practitioner does not need to become a compliance expert. They need a structured program built specifically for them. What HIPAA Actually Requires a Small Practice to Have HIPAA’s requirements for a small independent practice are extensive, but they are not open-ended. The HIPAA compliance obligations for a covered entity resolve into four documented outputs that the HHS Office for Civil Rights will look for in any investigation or audit. The first is a current Security Risk Analysis. The Security Rule requires covered entities to conduct an...
Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches
Data security incidents have been announced by the Colorado Health Network and Kentucky Mountain Health Alliance. In both cases, only limited information has been released about the nature of the incidents. Colorado Health Network Colorado Health Network Inc., a nonprofit organization that provides health and support services to individuals with HIV/AIDS across Colorado, has recently disclosed a data security incident. The breach notification does not state when the breach was detected or for how long the threat actors had access to its network, only that an unauthorized third-party accessed and removed files from its systems. The files have been reviewed and found to contain patient names in combination with one or more of the following: Social Security number, driver’s license/state identification card number, passport number, financial account information, debit/credit card information, health insurance information (which may include Medicaid/Medicare information), and medical information. The medical information may include, but is not limited to, diagnosis, diagnosis code,...



