Healthcare Orgs Lack Confidence in Ability to Defend Against an AI-incited Identity Breach

Healthcare organizations have embraced AI and are using AI agents to perform a range of functions, including handling IT support desk tickets, automating software workloads, authenticating data exchanges, and performing various security tasks. While there are clear benefits to be gained from using AI agents in healthcare, each new AI agent is a potential entry point for attackers, and a successful compromise could result in a devastating attack.

Each AI agent is given permissions to carry out its functions, and when AI agents are used to perform security functions, those permissions can be significant. Any attack that succeeds in compromising an AI agent will see the attacker gain those same permissions. For instance, an AI identity on a local machine may have access to the password manager, browser sessions, Secure Shell, and encryption keys. An AI agent could disclose admin credentials to an attacker, leading to a crippling attack with significant data theft.

To learn about AI deployments and integrations and how they are affecting identity security, the cybersecurity firm Semperis commissioned Censuswide to conduct a survey of 1,100 IT and IT security professionals across several industries, including healthcare. The survey confirmed that AI agents are being extensively deployed and that they pose significant risks to identity infrastructure. Three-quarters of healthcare respondents believe that there will be AI-driven attacks on identity infrastructure, and 69% believe that AI attackers will use identity systems to target their infrastructure, but only one-quarter of respondents think that they would be able to fully recover if an AI agent exposed administrative credentials.

On average, more than one-third of the healthcare workforce has at least one AI agent installed on a local machine that has permissions to access Secure Shell and encryption keys, and one in three healthcare respondents said they are using AI agents to handle security-related tasks, with 60% of respondents anticipating deploying AI agents for security tasks in the next 12 months.

According to Semperis, AI agents should be treated as non-human identities (NHIs) in the identity fabric; however, only 66% of respondents said AI identities were registered, authenticated, and authorized within the organization, and of those that do, almost half (48%) register, authenticate, and authorize them separately from human identities. While organizations may be applying security best practices such as the principle of least privilege for human identities, that is not always the case with AI identities, which are often overpermissioned.

“AI support agents are often overpermissioned in ways that may have unintended consequences — such as ‘helpfully’ reconfiguring security settings or granting access that can lock entire teams out of their identity systems or punch holes in corporate VPNs,” explained Semperis. As deployment of AI agents increases, so does the risk. Since AI agents often have the ability to do anything, it is vital to implement disciplined controls. While sufficient controls may not yet have been implemented, 90% of respondents said AI identity governance is a top security priority for the organization.

Semperis stresses that security controls need to be implemented to reduce risk, such as applying the principle of least privilege to AI identities, designating identity infrastructure, implementing backup and recovery controls, and segregating agent and human trust boundaries where appropriate. Organizations need to work on the assumption that AI identities will eventually be compromised, so they must plan for that eventuality and ensure that they have the policies and procedures in place to allow them to rapidly respond and make a quick and full recovery.

“What’s striking isn’t just how quickly AI is being integrated into identity systems but how unprepared many organizations are to recover when things go wrong,” explained Grace Cassy, Partner, Ten Eleven Ventures. “Introducing AI at the identity layer offers operational advantages, but it must be accompanied by guardrails, observability, and recovery readiness. It’s a new dimension of an old question, really: Are you resilient enough to respond in the event of critical disruption?”

The Semperis State of Identity Security in the AI Era Report can be downloaded here.

The post Healthcare Orgs Lack Confidence in Ability to Defend Against an AI-incited Identity Breach appeared first on The HIPAA Journal.

Lakeview Health Systems Settles Class Action Data Breach Lawsuit

A settlement has been negotiated to resolve a class action lawsuit against Lakeview Health Systems LLC. The lawsuit stemmed from a January 2024 cyberattack that exposed the personal and protected health information of 10,772 individuals. Hackers breached its network and accessed and potentially obtained files containing names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, patient IDs, diagnoses, treatment information, prescription information, and health insurance information.

Shortly after being notified about the breach, some of the affected individuals filed lawsuits against Lakeview Health, alleging negligence for failing to adequately protect sensitive data stored on its network. The plaintiffs claimed the data breach could have been and should have been prevented. Lakeview Health maintains that there was no wrongdoing and that there is no liability.

The lawsuits made similar claims and were consolidated – Skov et al., v. Lakeview Health Systems, L.L.C – in the Circuit Court of Duval County, Florida. The lawsuit is pending; however, the defendants and the plaintiffs agreed to settle the lawsuit to avoid the costs, risks, disruptions, and uncertainties from continuing with the litigation.

The defendant has agreed to pay attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $2,000 per class member and reimbursement of up to $5,000 in extraordinary losses. A claim may also be submitted for up to 4 hours of lost time at $20 per hour, and one year of credit monitoring services. If none of those options are claimed, class members may claim a one-time cash payment of $50.

The deadline for objection and exclusion is July 23, 2026. Claims must be submitted by August 24, 2026, and the final fairness hearing has been scheduled for October 8, 2026.


Connecticut Medicaid Portal Breach Affects 22,500 Hartford HealthCare Patients

The personal and protected health information of approximately 22,500 Hartford HealthCare patients has been exposed in a security incident. Data breaches have also been announced by the New York City cosmetic surgery practice of Ira L. Savetsky, MD, and the mobility and rehabilitation product provider ERMI, LLC.

Hartford HealthCare

The Connecticut Department of Social Services and Gainwell Technologies, a vendor that provides fiscal agent and account administration services for the Connecticut Medicaid program (HUSKY), have identified unauthorized access to certain payment accounts on the HUSKY provider portal website.

Suspicious activity was identified on March 25, 2026, and the forensic investigation confirmed unauthorized access to a small number of Hartford HealthCare’s payment accounts on the website. The accounts were accessed on March 4, 2026, using the compromised credentials of Hartford HealthCare employees. Immediate action was taken to prevent further unauthorized access, and with the assistance of third-party cybersecurity experts, the incident was determined to have been contained and further unauthorized access blocked; however, the threat actor had downloaded files containing the data of approximately 22,500 individuals.

The review of those files revealed they contained information such as full names, ID numbers associated with Hartford HealthCare accounts or Medicaid claims, dates of medical services, information about services received and how they were billed, payment information including amounts paid, and information about applicable non-Medicaid health insurance, including policy and group number. Social Security numbers were not stored in the system, and were not obtained in the attack.

This appears to have been a financially motivated attack, and the primary purpose does not appear to have been patient data theft; however, patient information was compromised and, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services. DSS and Gainwell Technologies began sending notification letters to the affected Hartford HealthCare patients on May 22, 2026.

Ira L. Savetsky, MD

The New York City cosmetic surgery practice of Ira L. Savetsky, MD, has experienced a breach of its email environment. The security incident was detected in January 2026, and the forensic investigation confirmed that a single employee’s email account had been accessed by an unauthorized third party. The first instance of unauthorized access occurred in November 2024, and access to the account remained possible until January 2026. Over that 14-month period, information in the account may have been viewed or copied. The account was reviewed and found to contain patient information such as scheduling information and correspondence related to patient care, along with first and last names, birth dates, telephone numbers, driver’s license numbers, medical records, health information, health insurance information, and photographs.

Notification letters started to be mailed to the affected individuals on May 21, 2026. Complimentary credit monitoring and identity theft protection services do not appear to have been offered. The incident has been reported to regulators, but it is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

ERMI LLC

ERMI LLC, an Atlanta, GA-based provider of mobility and rehabilitation products, has identified a cybersecurity incident that exposed sensitive data. Unauthorized access to certain employee email accounts was identified on or around August 14, 2025. The accounts were secured, and an investigation was launched to determine the nature and scope of the unauthorized activity.

The forensic investigation confirmed unauthorized access to a limited number of employee email accounts between February 15, 2025, and August 14, 2025. The review of the accounts was completed on or around April 17, 2026. Individual notification letters are being sent to the affected individuals, which detail the exact types of data exposed in the incident. As a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit score, and credit report services. The number of affected individuals has yet to be publicly disclosed.
