Columbus Regional Health; St. Joseph Hospital Settle Pixel Privacy Lawsuits – The HIPAA Journal
Free Webinar: AI + HIPAA: Innovating in Healthcare Without Leaving Compliance Behind
Artificial intelligence has tremendous potential in healthcare, and healthcare organizations have embraced AI tools in all areas of their operation; however, there are compliance risks associated with AI when tools engage with health information protected under the Health Insurance Portability and Accountability Act (HIPAA). Incorporating AI tools while complying with all HIPAA Privacy and Security Rule implementation specifications can be challenging, especially when there is limited guidance on how HIPAA applies to AI.
Fortunately, help is at hand. On July 8, 2026, the HIPAA-compliant communication platform provider Paubox is hosting a webinar where healthcare organizations can learn from a diverse panel of experts about AI-related HIPAA compliance challenges and receive invaluable advice on how to keep innovating without leaving HIPAA compliance behind.
During the webinar, attendees will learn how real-world healthcare teams are developing and implementing AI tools and the challenges they have faced, the specific questions you need to be asking any AI vendor before you sign and handle business associate agreements (BAAs), what responsible use of AI with PHI looks like, what the future holds, and what you need to do right now. At the end of the webinar, there will be time allocated for a Q&A with the panel to get answers to your questions.
Speakers:
Heather Phillips – Advisory Committee Member, FoXX Health
Tim Gutwald – Partner, Elevare Law
Brittany Sigler – DrPH, Founder & Product Leader, Bright Signal Consulting
Mike Maseda – Head of Sales & Ops, GenHealth.ai
Webinar Details
AI + HIPAA: Innovating in Healthcare Without Leaving Compliance Behind
July 8, 2026
1:00 p.m. ET | 12:00 p.m. CT | 11:00 a.m. MT | 10:00 a.m. PT
Can’t attend on the day? Register to receive a link to the recording!
This webinar is eligible for 1 self-reported CPE
The post Free Webinar: AI + HIPAA: Innovating in Healthcare Without Leaving Compliance Behind appeared first on The HIPAA Journal.
Columbus Regional Health; St. Joseph Hospital Settle Pixel Privacy Lawsuits
Settlements have been agreed to resolve class action lawsuits against two healthcare providers over their use of website tracking technologies. The lawsuits alleged that the deployment of these tools caused the personal and protected health information of patients to be disclosed to third parties without patients’ knowledge or consent.
Website tracking tools, such as pixels, are installed on websites across the internet to track the actions of website users. They can record a range of information about user interactions, such as the pages visited, time spent on each page, how the user navigated to the website, and other information. That information may be sent to the third-party providers of the tools, allowing the user to be tracked as they navigate to other webpages. The user may then be served targeted advertisements across the internet based on their actions on a website where the tools were installed. For instance, if an individual visited a page related to obesity, they may be served adverts related to weight loss medications.
Many lawsuits have been filed against healthcare providers over website tracking tools, alleging privacy violations. Two of the latest lawsuits to be settled were filed against Bartholomew County Public Hospital d/b/a Columbus Regional Health and St. Joseph Hospital of Nashua, N.H. In both cases, the defendants maintain that there was no wrongdoing, no laws were violated, and there is no liability; however, settlements were agreed to avoid the cost, distraction, and risks of continuing with the litigation.
Columbus Regional Health Pixel Settlement
Bartholomew County Public Hospital d/b/a Columbus Regional Health is a non-profit regional health system that includes a 225-bed Columbus hospital serving patients in southeastern Indiana. Columbus Regional Health was alleged to have collected and transmitted patient data to Meta (Facebook) via Meta Pixel and other tracking tools on its website without the knowledge or permission of website users. The first lawsuit was filed in May 2023 – Brian Elkins and Annie Elkins v. Bartholomew County Public Hospital d/b/a Columbus Regional Health – in Marion County Superior Court, with a further three plaintiffs joining the action after filing similar complaints.
The consolidated lawsuit asserted claims for negligence; negligence per se; invasion of privacy – intrusion upon seclusion; invasion of privacy – public disclosure of private facts; breach of implied contract; unjust enrichment; breach of fiduciary duty; and violation of the Indiana Deceptive Consumer Sales Act.
Settlement Terms
Claims may be submitted for a one-time cash payment of $25.50, and class members will be automatically enrolled in a 12-month membership to the CyEx Privacy Shield Pro digital privacy and identity protection service. The defendant has agreed to cover the cost of attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the 5 class representatives. The deadline for opting out and exclusion has passed.
Eligibility: Individuals who resided in Indiana and completed a registration for access to their electronic records or logged into the patient portal between November 1, 2017, and June 30, 2022.
Claims deadline: September 19, 2026
Final approval hearing: July 22, 2026
Further information: https://columbusregionalsettlement.com/
St. Joseph Hospital of Nashua, N.H. Pixel Settlement
St. Joseph Hospital Corporate Services, Inc. is a New Hampshire healthcare corporation that operates the 208-bed St. Joseph Hospital in Nashua. The hospital is alleged to have used tracking technologies on its website that disclosed website users’ sensitive information to Microsoft, without their knowledge or consent. The plaintiffs alleged that the data collected via the tools was used to enhance Microsoft’s advertising technology and serve targeted advertisements to patients based on the information disclosed on the defendant’s website.
The first lawsuit was filed in the Superior Court of Hillsborough County, New Hampshire, and was later amended due to an inaccuracy in the defendant’s corporate entity – Fiorillo, et al., v. St. Joseph Hospital of Nashua, N.H. The lawsuit asserted claims including negligence, invasion of privacy – intrusion upon seclusion, and unjust enrichment.
Settlement Terms
Claims may be submitted for a one-time cash payment of $50 per class member. The defendant has also agreed to pay attorneys’ fees and expenses, settlement administration and notification costs, and service awards to the class representatives.
Eligibility: Individuals who used the MyChart patient portal associated with St. Joseph Hospital from January 1, 2023, to the present.
Opt out and exclusion deadline: July 30, 2026
Claims deadline: August 14, 2026
Final approval hearing: September 14, 2026
Further information: https://columbusregionalsettlement.com/
LifePoint Health; Southwest Behavioral & Health Services; Nottingham Village Report Data Breaches – The HIPAA Journal
Data breaches have been announced by Lifepoint Health, Southwest Behavioral & Health Services, and Nottingham Village.
Lifepoint Health
Lifepoint Health Inc., a healthcare delivery network that operates more than 60 hospital campuses in 28 U.S. states, more than 30 rehabilitation and behavioral health hospitals, and over 170 acute rehabilitation units, discovered unauthorized activity within its network on February 23, 2026. The forensic investigation traced the activity to a compromised user account. Assisted by third-party cybersecurity experts, Lifepoint Health determined that an unauthorized third party gained limited access to certain internal databases on February 22, 2026. The incident was fully contained within 24 hours.
Lifepoint Health determined that the data breach was limited in scope and was restricted to employees of contracted vendors. Direct employees of the company and patients were not affected. The affected employees had their names, addresses, phone numbers, dates of birth, and Social Security numbers compromised in the incident. Notification letters were sent to those individuals on April 23, 2026, and complimentary credit monitoring and identity theft protection services have been made available.
Southwest Behavioral & Health Services
Southwest Behavioral & Health Services, a Phoenix, AZ-based non-profit behavioral health organization, has identified a breach of its email environment. Suspicious activity was identified within its email environment on April 1, 2026, and the forensic investigation determined that six employee email accounts were compromised.
The review of the affected email accounts was completed on April 30, 2026, and notification letters have now been sent to the 2,316 affected individuals. Southwest Behavioral & Health Services has published a substitute breach notice on its website, but it does not state the types of information exposed in the incident. No evidence has been identified to suggest any misuse of the exposed data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services, and steps have been taken to improve email security to prevent similar incidents in the future.
Nottingham Village
Nottingham Village, a skilled nursing and assisted living facility in Northumberland, Pennsylvania, has notified 5,240 individuals about a security incident that was identified on November 9, 2025. After the network was secured, an investigation was launched, and on May 12, 2026, it was confirmed that the exposed data included names, birth dates, Social Security numbers, driver’s license numbers/state government IDs, financial account information, medical information, and health insurance information. Nottingham Village said it continually evaluates and modifies its security practices and will continue to do so in the future.
Cash-only telehealth may carry unexpected privacy concerns – The Business Journals
Xsolis Data Breach Affects 1.4M Individuals – The HIPAA Journal
Xsolis, a business associate of HIPAA-covered entities that provides AI-powered solutions for improving case and utilization management to achieve more efficient outcomes, has experienced a major data breach as a result of a phishing attack.
According to the data breach notification filed with the California Attorney General, unauthorized activity was identified within the Xsolis environment on January 22, 2026, as a result of a targeted phishing attack. The incident has been contained, unauthorized access has been terminated, no evidence has been found of unauthorized access since January 22, 2026, and Xsolis has found no evidence to suggest any of the exposed data has been misused.
An investigation was launched to determine the nature and scope of the unauthorized activity, which confirmed that patient data had been exposed and may have been copied. Xsolis engaged digital specialists to review the affected data, and that process has now been completed. Xsolis is notifying the affected individuals and has offered them complimentary credit monitoring and identity theft protection services through Kroll for 12 months.
The Kroll website notice about the security incident states that an unauthorized third party had access to a limited portion of the Xsolis environment from January 20, 2026, to January 22, 2026. Data exposed in the incident included names, dates of birth, Social Security numbers, health insurance information, and medical treatment information.
The data breach has been reported to the HHS’ Office for Civil Rights as involving unauthorized access to the protected health information of 1,396,519 patients of its healthcare provider clients. A list of the affected clients has not been published; however, VHC Health, a healthcare provider serving patients in Northern Virginia and the Washington D.C. Metro area, has confirmed that it has been affected, as has Rochester Regional Health in New York.
Additional security measures have been implemented to prevent similar incidents in the future, system monitoring has been increased, all passwords for key users have been reset, new protective technologies have been deployed, security awareness training for employees has been accelerated, and credential management processes have been strengthened.



