
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Deadline for Reporting 2019 Healthcare Data Breaches of Fewer than 500 Records

The HIPAA Breach Notification Rule requires data breaches of 500 or more records to be reported to the Secretary of the Department of Health and Human Services no later than 60 days after the discovery of a breach. Breaches of fewer than 500 records can be reported to the Secretary at any time, but no later than 60 days from the end of the calendar year in which the data breach was experienced – 45 C.F.R. § 164.408. That means smaller healthcare data breaches must usually be reported to the HHS no later than March 1 each year, but this year is a leap year so there is an extra day in February. That means the deadline for reporting smaller breaches is one day earlier. All breaches that have affected fewer than 500 individuals must therefore be reported to OCR no later than February 29, 2020. All breaches must be submitted to the Secretary of the HHS via the Office for Civil Rights breach portal. Each data breach must be reported separately and full information about each breach should be submitted. If several small data breaches have been experienced in the 2020 calendar year,...


PHI Exposed Due to Sunshine Behavioral Health Group Amazon AWS S3 Bucket Misconfiguration

Portland, OR-based Sunshine Behavioral Health Group, a network of drug and alcohol addiction treatment facilities in California, Colorado, and Texas, has experienced a breach of sensitive patient information. An Amazon AWS S3 bucket was misconfigured which allowed files containing patient billing information to be accessed over the internet. An individual discovered the breach and reported it to Dissent at the DataBreaches website. Dissent verified the data and contacted Sunshine Behavioral Health on September 4, 2019 to report the breach and ensure the S3 bucket was secured. Dissent reports that the exposed S3 bucket contained approximately 93,000 files, although that did not correspond to 90,000 patients. A notification about the data breach was sent by ID Experts to the Vermont Attorney General which explains the error was identified on September 4, 2019. The report states that steps were taken to prevent the records from being accessed by unauthorized individuals and further actions were taken on November 14, 2019 to remove the records from general internet access. On December...


Slew of Email Security Breaches Reported by Healthcare Organizations

A further 5 healthcare data breaches of 500 or more records have recently been reported by HIPAA-covered entities and their business associates.

Email Account Breach Reported by Shields Health Solutions

Shields Health Solutions, a Stoughton, MA-based provider of specialty pharmacy services to hospitals and other covered entities, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed/copied protected health information. Suspicious activity was detected in the email account of an employee on October 24, 2019. Assisted by a cybersecurity firm, Shields Health Solutions determined an unauthorized individual accessed the account between October 22 and October 24, 2019. The breach was confined to a single email account. The email account contained messages and attachments that included patient names, dates of birth, medical record numbers, provider names, clinical information, prescription information, insurer names, and limited claims information. No evidence was uncovered that suggests patient information was accessed or...


Draft Cyber Supply Chain Risk Management Guidance Published by NIST

The National Institute of Standards and Technology (NIST) has published a new draft guidance document on cyber supply chain risk management to help organizations implement an effective cyber supply chain risk management program. Organizations now rely on other organizations to provide critical products and services, yet they often lack visibility into their supply ecosystems. Using third parties for products and services brings many benefits, but also introduces risks. Vulnerabilities in supply chains can be exploited by threat actors and attacks on supply chains are on the rise. In the second half of 2018, the Operation ShadowHammer supply chain attack saw the software update utility of ASUS compromised. Up to 500,000 users of the ASUS Live Update utility were impacted before the cyberattack was discovered. The DragonFly threat group, aka Energetic Bear, compromised the update site used by several industrial control system (ICS) software producers and added a backdoor to ICS software. Three ICS software producers are known to have been compromised, resulting in companies in the energy...

Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach
Feb 07

Oregon’s Medicaid coordinated-care organization, Health Share of Oregon, is notifying approximately 654,000 current and former members that some of their protected health information (PHI) was stored on a laptop computer stolen from its transportation vendor, GridWorks. GridWorks was contracted to manage Health Share’s Ride to Care program, through which Health Share provided non-emergent transportation for its members. Health Share’s HIPAA compliance policies require business associates to use encryption on all portable devices containing patient information but, for reasons unknown, the GridWorks laptop was not encrypted. PHI stored on the laptop computer included names, addresses, contact telephone numbers, birth dates, Health Share ID numbers, Medicaid numbers, and Social Security numbers. The laptop was stolen in a burglary at GridWorks’ office in November 2019. GridWorks notified Health Share about the laptop theft on January 2, 2020. Health Share started sending notification letters on February 5 to all individuals whose PHI was stored on the laptop. Affected individuals...
