25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Steve Alder

Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches
Jun26

Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches

Data breaches have been announced by Minnesota Epilepsy Group, Campbell University, and the City of Middletown, Ohio. Minnesota Epilepsy Group Minnesota Epilepsy Group, the largest epilepsy center in the Midwest, has started notifying 80,061 current and former patients about a recent cybersecurity incident that may have resulted in unauthorized access to the protected health information of current and former patients. Suspicious network activity was identified on April 7, 2026, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had accessed its network at various times between March 16, 2026, and April 10, 2026. The parts of the network that were accessed contained files that included patient data. The file review concluded on May 18, 2026, and determined that the exposed information included names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance information. The types of information exposed varied from patient to patient....

Read More
HIPAA Security Rule Training for Business Associates
Jun25

HIPAA Security Rule Training for Business Associates

HIPAA Business Associates that create, receive, maintain, or transmit electronic Protected Health Information on behalf of HIPAA-covered entities are directly subject to the HIPAA Security Rule and must provide security awareness training to their entire workforce, not only to staff who work on healthcare-specific accounts or handle patient data as part of their primary function. The HIPAA Security Rule at 45 CFR 164.308(a)(5) requires covered entities and business associates to “implement a security awareness and training program for all members of its workforce (including management).” The direct applicability of the HIPAA Security Rule to business associates was established by the HITECH Act and confirmed in the 2013 Omnibus Rule, which means the training obligation runs to the business associate as an independently regulated entity rather than solely as a contractual requirement imposed through a HIPAA Business Associate Agreement. A business associate that relies on its covered entity client’s training program to satisfy its own workforce training requirement...

Read More
Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit
Jun25

Bradford Health Services; Bradford Health Partners Settle Data Breach Lawsuit

Bradford Health Services, LLC, and Bradford Health Partners, LLC, were sued over a December 2023 cybersecurity incident that exposed the personal and protected health information of current and former patients. The lawsuit states 32,425 individuals were affected by the incident. The data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 28,543 individuals. The unauthorized access was detected on December 8, 2023, and the file review determined that names, dates of birth, driver’s license numbers, medical information, including diagnosis and treatment information, health insurance information, financial account numbers, passport numbers, payment card numbers, plus a means of access to the account, and/or Social Security numbers had been compromised. The data review was not completed until May 2025, and notification letters started to be mailed later that month – 18 months after the breach was first identified. The Hunters International threat group claimed responsibility for the attack and stated that more than 760 GBs of data...

Read More
Healthcare Report Highlights Growing Vendor Risk and Lack of Cyberattack Readiness
Jun25

Healthcare Report Highlights Growing Vendor Risk and Lack of Cyberattack Readiness

Cybersecurity risk is growing, and healthcare organizations are struggling to defend a rapidly increasing attack surface. AI tools are being implemented without the secure infrastructure to support them. Most healthcare practices have meaningful gaps in cyberattack recovery readiness, face ongoing and regular third-party vendor disruptions, and there is growing concern that a cyberattack will result in a patient fatality. The current state of cybersecurity in healthcare is far from rosy. These were some of the findings from the 2026 Healthcare IT Landscape Report from Omega Systems, a leading provider of managed IT and security services to the healthcare and financial services industries. The report is based on a survey of 200 healthcare business leaders in the United States, including CEOs, CISOs, CIOs, CFOs, and COOs, at healthcare organizations with between 50 and 600 employees. The healthcare organizations represented in the report include medical practices, clinics, ambulatory care centers, specialty services, and long-term care facilities. In 2025, when the study was last...

Read More
Hillcrest Convalescent Center Settles Class Action Data Breach Litigation
Jun24

Hillcrest Convalescent Center Settles Class Action Data Breach Litigation

Hillcrest Convalescent Center, a short-term inpatient rehabilitation and skilled nursing facility in Durham, North Carolina, has agreed to settle class action litigation over a June 2024 cyberattack. Hackers breached its network, resulting in unauthorized access to and the potential theft of patients’ personal and protected health information. The hackers had access to information such as names, addresses, dates of birth, financial account numbers, driver’s license numbers, Social Security numbers, medical treatment information, and health insurance information. The incident affected more than 106,000 individuals, who were notified by mail in March 2025. The data breach sparked several class action lawsuits, which were consolidated as they had overlapping claims. The consolidated lawsuit – In re Hillcrest Convalescent Center, Inc. Data Breach Litigation – is pending in the Superior Court of Durham County, North Carolina. Hillcrest Convalescent Center denies the allegations of wrongdoing and liability and, in September 2025, filed a motion to dismiss the consolidated...

Read More
x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist