Audit of Utah Department of Health and Human Services Identifies Critical Privacy & Security Weaknesses
An audit of the Utah Department of Health and Human Services (DHHS) by the Office of the Utah State Auditor has identified privacy and security weaknesses that are putting the health information privacy of state residents at risk, especially children.
The audit was conducted in response to a complaint by a DHHS whistleblower employee who alleged that the DHHS had not implemented adequate incident response procedures and had insufficient monitoring mechanisms for detecting and managing privacy incidents. According to the complainant, the deficiencies have resulted in under-reporting of incidents and unmitigated exposure of sensitive data, especially the data of children.
The audit was led by Tina M. Cannon, State Auditor; Nora Kurzova, State Privacy Auditor; and Mark Meyer, Assistant State Privacy Auditor, and involved a review of applicable laws related to incident response and data protection, a privacy risk assessment of the most significant data processing activities as they relate to children, an evaluation of incident response documentation and internal privacy and cybersecurity monitoring controls, and interviews with certain DHHS employees, including members of its Information Privacy and Security (IPS) team.
The audit was limited in scope and focused on two systems: SAFE and eChart. SAFE is the Comprehensive Child Welfare Information System (CCWIS) for the State of Utah, Division of Child and Family Services (DCFS), which is used to support child welfare case management, including child abuse and neglect cases. Currently, the system contains around 6 million records relating to more than 2 million individuals. eChart is the central repository of records related to patients with mental health needs. The system is maintained by the Utah State Hospital (USH) and currently includes records relating to more than 10,500 individuals.
The audit uncovered several privacy and security weaknesses, including weaknesses in oversight, awareness, and internal controls, which allow privacy violations to go undetected and unaddressed for extended periods. The auditors identified systemic issues in both the SAFE and eChart systems related to access controls, records dissemination, and monitoring across systems and teams handling sensitive records, including mental health and child welfare.
Inadequate access controls meant sensitive records in both systems could be accessed without enforcing or adequately monitoring role-based and least-privilege access. Records could be accessed for individuals outside a user’s workload, without requiring any justification for the access. Broad access to records had been given to individuals other than DHHS social workers, including the Utah Office of Guardian ad Litem, Utah Psychotropic Oversight Panel (UPOP), and the office of the Attorney General. In the eChart system, there were similar access control issues. For instance, users of the eChart system are expected to determine for themselves what range of viewing access is appropriate, and there were no restrictions on accessing the records of individuals outside a user’s caseload. The lack of protection was given a critical risk rating.
While logs are created of user access, there was no automated system for monitoring those logs. Each month, the division’s privacy officer reviewed access logs through a manual sampling process. There was no system in place for providing real-time alerts about suspicious medical record access. Data retention periods were unnecessarily long, creating an accumulating long-term exposure risk. For instance, some records in the SAFE system had a retention period of 100 years, when the typical retention period is only 7-10 years.
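The caseload-scoped review that the auditors found missing, as an added example that is not part of the audit or of the DHHS systems: it flags every view of a record outside the viewing user's assigned caseload, separates those made without a recorded justification, and lists users whose unjustified out-of-caseload views reach a threshold. The users, record identifiers, log lines, justification text and the CSV-style log format are all constructed assumptions.

```python
"""Caseload-scoped review of record-access logs (added example, not the audit's
own tooling). Flags views of records outside a user's assigned caseload and,
among those, views made with no recorded justification. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed caseload assignments: which records each user is assigned to.
CASELOADS = {
    "jsmith": {"R100", "R101", "R102"},
    "mlee": {"R200", "R201"},
    "auditor1": set(),  # hypothetical reviewer account with no caseload of its own
}

# Constructed access log, one line per record view:
# timestamp,user,record_id,justification (justification may be empty)
ACCESS_LOG = """\
2026-02-01T09:02:11,jsmith,R100,
2026-02-01T09:15:40,jsmith,R205,
2026-02-01T09:16:02,jsmith,R206,
2026-02-01T09:16:30,jsmith,R207,
2026-02-01T10:01:00,mlee,R201,
2026-02-01T10:05:12,mlee,R102,court order 2026-0042
2026-02-01T11:30:00,auditor1,R100,
"""

@dataclass(frozen=True)
class Finding:
    user: str
    record_id: str
    timestamp: str
    kind: str  # "unjustified" or "justified"

def parse_log(text):
    """Parse the CSV-style log into (timestamp, user, record_id, justification)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, rec, *rest = line.split(",", 3)
        rows.append((ts, user, rec, rest[0].strip() if rest else ""))
    return rows

def audit_access(log_text, caseloads):
    """Return every out-of-caseload access, tagging whether a justification was logged."""
    findings = []
    for ts, user, rec, why in parse_log(log_text):
        if rec in caseloads.get(user, set()):
            continue  # within the user's own workload: expected access
        findings.append(Finding(user, rec, ts, "justified" if why else "unjustified"))
    return findings

def bulk_viewers(findings, threshold):
    """Users whose unjustified out-of-caseload views reach `threshold` distinct records."""
    seen = defaultdict(set)
    for f in findings:
        if f.kind == "unjustified":
            seen[f.user].add(f.record_id)
    return sorted(u for u, recs in seen.items() if len(recs) >= threshold)

if __name__ == "__main__":
    found = audit_access(ACCESS_LOG, CASELOADS)
    print(*(f"{f.timestamp} {f.user} -> {f.record_id}: {f.kind}" for f in found), sep="\n")
    print("bulk viewers:", bulk_viewers(found, threshold=3))
```

Run as a scheduled job over the full log rather than a monthly sample, the same functions give the real-time alerting the report says was absent.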
There have been documented cases of intentional breaches occurring, as well as staff members accessing and disclosing records to the wrong person. There were reports of individuals posting sensitive data online, and staff members capturing unauthorized photos of patients or facilities. From the interviews, the auditors discovered that there was no well-known or secure mechanism to support anonymous reports of inappropriate access to medical records. As a result, staff and stakeholders could not raise concerns about potential wrongdoing or privacy and security issues without fear of retaliation from agency leadership or coworkers.
The auditors pointed out that a single compromised account could expose an entire data repository, putting individuals at risk of identity theft and fraud. Since children’s data is highly valuable to cybercriminals, and identity theft using children’s data can go undetected for years, robust access controls are vital. The privacy of minors, patients, and other vulnerable groups was put at risk by the lack of authentication and access controls; privacy incidents and breaches were under-detected because of inadequate monitoring; over-retention of data created an unnecessary risk; and broad, unchecked access heightens the threat of identity theft.
While privacy and security weaknesses were identified, no evidence was found to suggest any successful hacking incidents involving either the SAFE or eChart systems. The Office of the State Auditor made several recommendations for improving privacy and security, and the DHHS is in various stages of implementing those recommendations.
The post Audit of Utah Department of Health and Human Services Identifies Critical Privacy & Security Weaknesses appeared first on The HIPAA Journal.
UMMC Shuts Clinics While it Grapples with Ransomware Attack
University of Mississippi Medical Center (UMMC) has temporarily closed most of its clinics following a ransomware attack, and scheduled appointments and surgeries have been cancelled and will be rebooked once the attack has been remediated. Mississippi MED-COM, the network that coordinates hospital transfers across the state, has also been affected by the ransomware attack, but had redundancies in place, and patients continue to be routed to hospitals in the state without disruption.
The attack was detected in the early hours of Thursday, February 19, 2026, and has impacted the UMMC network and many of its IT systems, including its EPIC electronic medical record system. According to LouAnn Woodward, vice chancellor for health affairs and dean of the School of Medicine, all clinics will remain closed on Friday, February 20, 2026, as a result of the attack, with the exception of its kidney dialysis clinic at Jackson Medical Mall, which remains open with appointments proceeding as scheduled. Without access to key systems, including its electronic medical record system, information is being recorded with pen and paper for patients in its care. In-person classes for students are continuing as scheduled.
Woodward confirmed that care continues to be provided to hospital patients, and all clinical equipment and operations remain functional. While there have been temporary clinic closures, the emergency department remains open and is accepting patients. Law enforcement has been alerted, and UMMC is coordinating with the Department of Homeland Security and the U.S. Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation is providing assistance.
Since the attack was only detected yesterday, it is too early to tell to what extent, if any, patient data has been compromised, or how long the recovery will take. “At this point in the incident it’s too early for us to communicate what we do and don’t know, but we are in the process of surging resources, both locally and nationally, into this incident to make sure that we are standing alongside with UMMC and their vendors,” said FBI Special Agent in Charge Robert A. Eikhoff, who was present at the UMMC presser announcing the attack. UMMC has confirmed it has made contact with the group behind the attack, but the name of the group has not been disclosed, and UMMC has not stated whether it is considering paying the ransom.
Granite Wellness Centers & Pediatric Home Service Settle Class Action Data Breach Lawsuits
Granite Wellness Centers in California and Pediatric Home Service in Minnesota have both settled lawsuits stemming from cyberattacks that exposed sensitive patient data.
Granite Wellness Centers Data Breach Settlement
Granite Wellness Centers, a network of drug addiction treatment centers in Northern California, has agreed to settle class action litigation over a January 2021 ransomware attack and data breach that affected up to 15,600 individuals. The attack was detected on or around January 5, 2021, and the forensic investigation confirmed that the ransomware actor acquired files containing sensitive patient data, including names, dates of birth, home addresses, dates of care, treatment information, treatment providers, health information, health insurance information, driver’s license numbers, medical histories, Social Security numbers, and bank account numbers.
The affected individuals were notified on or around March 5, 2021, and the first class action lawsuit was filed on June 14, 2023. An amended complaint was filed in September 2023 – Bente, et al. v. Granite Wellness Centers – in the Superior Court of the State of California, County of Placer. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and declaratory judgment. Granite Wellness Centers maintains that there was no wrongdoing and denies claims that the exposure of data caused any harm to individuals. Following mediation, all parties agreed to settle the litigation to avoid the cost and risk of a trial, with no admission of wrongdoing or liability by the defendant.
Granite Wellness Centers has agreed to establish a $725,000 settlement fund to cover all costs associated with the litigation, including attorneys’ fees (up to 33.33% of the fund), litigation expenses (up to $20,000), service awards for the class representatives (up to $2,000 per class representative), and class member benefits. There are three types of payments available to class members. A claim may be submitted for a pro rata cash payment, estimated to be approximately $750 per class member, but may be higher or lower depending on the number of claims submitted. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, and California residents at the time of the data breach may submit a claim for an additional statutory $100 cash payment.
The deadline for opting out and objecting is March 28, 2026. The deadline for submitting a claim is April 27, 2026, and the final fairness hearing has been scheduled for April 28, 2026.
Pediatric Home Service Data Breach Settlement
Pediatric Home Respiratory Services (Pediatric Home Service), a Roseville, MN-based independent children’s home healthcare provider, has agreed to settle litigation stemming from a November 2024 cyberattack and data breach. The lawsuit claims that 43,634 individuals were affected by the data breach. The HHS’ Office for Civil Rights was informed that the protected health information of 41,792 patients was exposed in the incident. The Pediatric Home Service cyberattack was detected on November 7, 2024, and the forensic investigation confirmed that an unauthorized third party accessed its network between November 1, 2024, and November 7, 2024. The affected individuals were notified on January 8, 2025.
Two class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – In re Pediatric Home Respiratory Services, LLC d/b/a Pediatric Home Service Litigation – in the District Court for Ramsey County, Minnesota. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, violation of the Minnesota Health Records Act, breach of fiduciary duty, declaratory judgment, and unjust enrichment. Pediatric Home Service denies all claims and contentions in the lawsuit and maintains there was no wrongdoing. Pediatric Home Service sought to have the lawsuit dismissed for lack of standing and failure to state a claim. The plaintiffs opposed the motion, and following mediation, a settlement was agreed to resolve the litigation.
There are two cash payment options, one of which can be selected by all class members. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $1,500 per class member. Alternatively, a one-time cash payment of $50 may be claimed. In addition, a claim may be submitted for a 12-month membership to one of three credit monitoring options: CyEx Medical Shield Complete, CyEx Identity Defense Total, or CyEx Minor Defense Pro (for minors). The deadline for objecting to the settlement and exclusion is April 8, 2026. The claims deadline is April 23, 2026, and the final fairness hearing has been scheduled for May 8, 2026.
Cyberattacks Announced by WIRX Pharmacy and Emanuel Medical Center
WIRX Pharmacy in Pennsylvania has experienced a security incident that exposed the protected health information of more than 20,000 current and former patients. Emanuel Medical Center in California has started notifying patients about a May 2025 cyberattack that exposed patient data.
WIRX Pharmacy, Pennsylvania
WIRX Pharmacy in Fort Washington, Pennsylvania, has notified 20,104 individuals about a December 2025 cybersecurity incident that may have resulted in unauthorized access and/or theft of protected health information. Suspicious activity was identified within its network environment on or around December 7, 2025. Systems were secured, and an investigation was launched, which confirmed unauthorized access to certain data on its systems between December 6, 2025, and December 7, 2025.
A review of the exposed files confirmed that personal and protected health information were present in files on the compromised parts of its network. The affected data varies from individual to individual and may include names in combination with one or more of the following: clinical information (diagnosis/conditions, medications, and other treatment information), demographic information (Social Security number, address, date of birth, and other identifiers), and financial account or claims information.
WIRX Pharmacy said it is reviewing its security policies and procedures and will take steps to harden security to prevent similar incidents in the future. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their financial accounts and free credit reports.
Emanuel Medical Center, California
Emanuel Medical Center, a 209-bed acute care hospital located in Turlock, California, has started notifying current and former patients about a May 2025 security incident. Suspicious network activity was identified on May 22, 2025, and third-party cybersecurity experts were engaged to investigate the activity. They confirmed unauthorized access to its network between May 21 and May 24, 2025, and that files containing personal and protected health information were present on the affected systems.
The review of those files has recently been completed, and notification letters started to be mailed to the affected individuals on February 17, 2026. Data compromised in the incident varies from individual to individual and may include names, dates of birth, contact information, government identification numbers (including Social Security numbers and driver’s license numbers), health insurance information, patient identification numbers, dates of service, provider names, diagnoses, treatment information, prescriptions, medical histories, and lab reports.
Third-party cybersecurity experts have evaluated security and assisted with strengthening system security. The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and free credit reports for suspicious activity. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Top of the World Treatment Center Settles Alleged Risk Analysis HIPAA Violation
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve an alleged violation of the HIPAA Rules. Top of the World Treatment Center, a Milan, Illinois-based addiction treatment provider, has agreed to pay a $103,000 financial penalty to settle an allegation that it violated the risk analysis requirement of the HIPAA Security Rule.
The number of data breaches reported to OCR involving hacking increased by 239% between 2018 and 2023, and hacking incidents have continued to be reported in high numbers since. In an effort to improve healthcare cybersecurity and reduce the number of successful hacking incidents, OCR launched an enforcement initiative targeting noncompliance with a specific requirement of the HIPAA Security Rule – the risk analysis. The risk analysis is one of the most important HIPAA requirements for improving security.
The enforcement initiative is intended to make it harder for hackers to succeed by ensuring that the vulnerabilities they exploit to gain access to healthcare networks are identified and addressed in a timely manner. OCR’s HIPAA compliance audits and data breach investigations consistently uncovered risk analysis failures, including failures to conduct a risk analysis and incomplete risk analyses. If healthcare organizations do not conduct a comprehensive, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), risks and vulnerabilities will remain and can potentially be exploited by hackers.
Including the latest penalty, OCR has resolved 11 investigations of ePHI breaches with settlements or civil monetary penalties for alleged violations of the risk analysis provision of the HIPAA Security Rule. “In a time where health care providers and other HIPAA-regulated entities are facing unprecedented cybersecurity threats, compliance with the HIPAA Risk Analysis provision is more essential than ever,” said OCR Director Paula M. Stannard. “Covered entities and business associates cannot protect electronic protected health information if they haven’t identified potential risks and vulnerabilities to that health information.”
The incident that prompted OCR’s investigation of Top of the World Treatment Center was a phishing incident. An employee was tricked by a phishing email into disclosing their credentials, which allowed a hacker to access a single business email account for several hours on November 17, 2022. The email account was reviewed and found to contain the ePHI of 1,980 individuals, including their names, Social Security numbers, diagnosis information, treatment information, and health insurance information.
OCR investigated and was not provided with evidence confirming that a HIPAA-compliant risk analysis had been conducted prior to the data breach, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Under the current enforcement initiative, financial penalties will be imposed for risk analysis failures. OCR notified Top of the World Treatment Center of its intention to impose a financial penalty to address the alleged violation, and offered to settle the alleged violation informally. Settlements involve a reduced financial penalty, although the HIPAA-regulated entity must adopt a corrective action plan.
Top of the World Treatment Center is required to conduct a comprehensive, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Based on the risk analysis, a risk management plan must be developed and implemented to reduce all identified risks and vulnerabilities to a low and acceptable level. After the initial risk analysis, Top of the World Treatment Center must conduct an accurate and thorough risk analysis at least annually, and subject risks to a HIPAA-compliant risk management process.
Further, policies and procedures must be developed, implemented, and maintained to comply with the HIPAA Rules, specifically covering risk analyses, risk management, information system activity reviews, and breach notifications. The new policies must be distributed to the workforce, training materials must be developed (and approved by OCR), and HIPAA training must be provided to the workforce.