HHS-OIG Report Highlights Key HHS Cybersecurity Challenges

The U.S. Department of Health and Human Services Office of Inspector General has published its annual report on the Top Management and Performance Challenges Facing HHS to help the department improve the effectiveness and efficiency of its programs. The report highlights some of the cybersecurity challenges faced by HHS, including a lack of standardized governance and controls, which complicates HHS’s preparedness efforts to prevent and respond to cybersecurity threats.

The HHS is a large department with disparate organizational approaches to cybersecurity across its various divisions and programs. While the department has taken steps to consolidate cybersecurity functions and improve cybersecurity, HHS-OIG says overall progress is often still dependent on each division and program. In addition, the HHS has an army of contractors, grantees, and other external entities that number in the thousands. Cybersecurity solutions must be implemented within the HHS, but also by each contractor, grantee, and external entity. That makes cybersecurity improvements especially challenging, and the ability of the HHS to mitigate cybersecurity threats is often dependent on those entities implementing cybersecurity solutions specific to their operations. “Protecting technology and data requires broader efforts beyond implementing technical fixes, such as establishing clear expectations; modernizing program rules; and conducting effective oversight of the Department’s contractors, grantees, and other external entities,” HHS-OIG said.

The healthcare sector remains a key target for cyber actors. Ransomware attacks continue at high volume, as financially motivated threat actors encrypt and steal data to use as leverage to obtain ransom payments. Cyberattacks are growing in sophistication and are continually evolving, so the HHS must be able to respond quickly, alert the sector to vulnerabilities under active exploitation, and help prepare the sector for evolving threats.

The HHS plays a key role in improving cybersecurity across the sector and responding to threats, yet the diffuse nature of HHS cybersecurity authorities and responsibilities is complicating HHS’s response efforts. The HHS also has limited resources for addressing sector-wide problems, such as the sector’s reliance on legacy technology and its workforce challenges. Further, privacy and security are governed by HIPAA, which was enacted in 1996 and is now more than two decades old. HHS-OIG warned that the HIPAA Privacy Rule and the HIPAA Security Rule may not be sufficient to address contemporary privacy concerns and the increasing cybersecurity risks to electronic protected health information. As such, HHS-OIG said the HHS must adapt as privacy and security needs evolve.

Further regulation could help in this regard; however, the HHS has been slow to enact updates to the HIPAA Rules. A Privacy Rule update was proposed by the HHS under the previous Trump administration in late 2020, yet a final rule has still not been published more than five years after the update was first proposed. The update remains on the HHS’s agenda, but there has been no indication of when a final rule will be published. An extensive update to modernize the HIPAA Security Rule and strengthen cybersecurity across the sector was proposed in the final days of the Biden administration. While there is an urgent need to improve cybersecurity across the sector, it is currently unclear whether the HHS, under the Trump administration, plans to finalize the proposed rule.

HHS-OIG said the HHS has taken action to address the challenges it highlights in the report, but there are considerable opportunities for further progress, and until the HIPAA Rules are updated, HHS must continue to work within the statutory authorities established by HIPAA in 1996, the HIPAA Privacy Rule in 2000, and the HIPAA Security Rule in 2003.

The post HHS-OIG Report Highlights Key HHS Cybersecurity Challenges appeared first on The HIPAA Journal.

Numotion Agrees to Pay $4 Million to Settle Litigation Stemming from 2024 Data Breaches

The mobility equipment provider United Seating and Mobility, doing business as Numotion, has agreed to settle class action litigation stemming from two data security incidents in 2024 that involved unauthorized access to the protected health information of hundreds of thousands of its customers.

The first incident was detected by Numotion on March 2, 2024. The forensic investigation confirmed that an unauthorized third party gained access to its systems, which, according to the lawsuit, contained the personal and protected health information of 685,264* current and former customers and employees. The intruder, a ransomware group, had access to the network between February 29, 2024, and March 2, 2024, and potentially obtained names, dates of birth, equipment order details, supporting medical documentation, medical insurance information, and, for certain individuals, Social Security numbers.

The second data security incident was a phishing attack, discovered on September 29, 2024, that involved unauthorized access to employee email accounts. The data review confirmed that the personal and protected health information of 494,326 individuals* was present in the compromised accounts, including names, dates of birth, product information, payment and financial account information, health insurance information, medical information, and, for a limited number of individuals, Social Security numbers.

Multiple class action lawsuits were filed in response to each data breach and were consolidated into two separate actions. In March 2025, the parties in the two consolidated actions explored an early resolution of both lawsuits through a single settlement. Following a full day of mediation and arm’s-length negotiations, the material terms of a settlement were agreed upon, and over the following weeks a settlement was finalized with no admission of liability or wrongdoing by the defendant. That settlement has now received preliminary approval from the court.

Under the terms of the settlement, Numotion has agreed to establish a $4,000,000 settlement fund to cover attorneys’ fees and expenses (up to $1,333,333.33), settlement administration costs, service awards for the class representatives, and benefits for the class members. There are two possible cash payments. Class members may submit a claim for reimbursement of documented, unreimbursed losses attributable to the data breaches, up to a maximum of $15,000 per class member. In addition, class members may receive a pro rata cash payment, funded by whatever remains of the settlement fund after fees, administration costs, service awards, reimbursement claims, and other benefits have been paid.

All class members will receive two years of complimentary credit monitoring services without submitting a claim, and the subclass of individuals whose Social Security numbers were exposed may submit a claim for two years of medical monitoring services. The deadline for opting out of or objecting to the settlement is March 3, 2026, and claims must be submitted by March 18, 2026. The final approval hearing has been scheduled for April 2, 2026.

*The HHS’ Office for Civil Rights was informed that the first incident involved the protected health information of up to 602,265 individuals, and the second data breach involved the protected health information of up to 529,004 individuals.
