CISA Instructs Federal Agencies to Adopt Risk-Based Approach for Vulnerability Remediation
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Binding Operational Directive (BOD 26-04) establishing new deadlines for vulnerability remediation for federal civilian agencies. Defenders have long been struggling to keep on top of patching due to the frequency with which new vulnerabilities are identified, the pace of which has increased dramatically due to artificial intelligence.
According to the Verizon 2025 Data Breach Investigations Report, organizations were only able to fully remediate around 38% of vulnerabilities in CISA’s Known Exploited Vulnerability (KEV) Catalog in 2024. The 2026 DBIR report shows that the percentage of fully remediated vulnerabilities in 2025 fell to 26%, with a median resolution time of 43 days. Artificial intelligence has massively increased the pace of vulnerability discovery, defenders are becoming overwhelmed, and critical vulnerabilities are remaining unpatched for longer periods, increasing the window of opportunity for exploitation. CISA’s solution is to patch smarter, not harder.
CISA has released a new risk-based vulnerability remediation framework to help vendors assess vulnerabilities and prioritize patching effectively, concentrating their efforts on mitigating vulnerabilities in the most at-risk assets and addressing vulnerabilities that carry the greatest risk of exploitation.
CISA has determined that the greatest risk is associated with vulnerabilities with four characteristics:
- Public exposure via the internet
- The ability to fully automate exploitation
- Full control of a system granted to the attacker, and
- Evidence of real-world exploitation (KEV inclusion)
Based on this framework, any vulnerability that meets all four criteria must be mitigated in the shortest possible timeframe – no more than 3 days. If the vulnerability is publicly exposed, is in the KEV, is automatable, and gives an attacker partial control of a system, the vulnerability must be remediated within 3 days. If the vulnerability gives an attacker full control of a system, following remediation within 3 days, a forensic triage is required to determine if the vulnerability has already been exploited.
Lower-risk vulnerabilities have been given remediation timelines of two weeks or two months, with the lowest-severity vulnerabilities not requiring remediation until the next system upgrade. An analysis at one large civilian agency found that only 1% of vulnerabilities fell into the 3-day category, while 60% of vulnerabilities could be deferred until the next system upgrade. By following the new framework, organizations will be able to ensure that the most critical vulnerabilities are addressed first.
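To make the tiering concrete, here is an added example (not from the article or from CISA's directive text) that applies the stated criteria to a constructed batch of findings. The CVE identifiers are placeholders, and because the page does not give the mapping for the two-week, two-month and next-upgrade tiers, anything outside the 3-day tier is reported as "lower" rather than guessed.

```python
"""Added example, not from the article or from CISA: applies the BOD 26-04
criteria as the article states them to a batch of constructed findings."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifiers below, not real CVEs
    internet_exposed: bool   # reachable from the public internet
    automatable: bool        # exploitation can be fully automated
    control: str             # "full", "partial" or "none"
    found_on: date           # date the finding entered the queue

THREE_DAYS = timedelta(days=3)

def triage(f: Finding, kev: frozenset[str]) -> dict:
    """Return the tier, the due date and whether post-remediation forensic
    triage is required. Only the 3-day tier is fully specified on the page:
    all four criteria, or the same three plus partial control. Full control
    additionally requires forensic triage after remediation. Everything else
    belongs to the two-week / two-month / next-upgrade tiers, whose mapping
    the page does not give, so it is reported as "lower" rather than guessed."""
    in_kev = f.cve in kev
    if f.internet_exposed and f.automatable and in_kev and f.control in ("full", "partial"):
        return {"tier": "3 days", "due": f.found_on + THREE_DAYS,
                "forensic_triage": f.control == "full"}
    return {"tier": "lower", "due": None, "forensic_triage": False}

def prioritise(findings: list[Finding], kev: frozenset[str]) -> list[tuple[str, dict]]:
    """Order the queue: 3-day items first, forensic-triage cases at the very top."""
    scored = [(f.cve, triage(f, kev)) for f in findings]
    scored.sort(key=lambda item: (item[1]["tier"] != "3 days", not item[1]["forensic_triage"]))
    return scored

# Constructed sample data with placeholder identifiers.
SAMPLE_KEV = frozenset({"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002", "CVE-EXAMPLE-0004"})
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", True, True, "full", date(2026, 6, 1)),     # all four criteria
    Finding("CVE-EXAMPLE-0002", True, True, "partial", date(2026, 6, 1)),  # partial control, still 3 days
    Finding("CVE-EXAMPLE-0003", True, True, "full", date(2026, 6, 1)),     # not in KEV: no 3-day clock
    Finding("CVE-EXAMPLE-0004", False, True, "full", date(2026, 6, 1)),    # internal only: not edge-exposed
]

if __name__ == "__main__":
    for cve, result in prioritise(SAMPLE_FINDINGS, SAMPLE_KEV):
        flag = "forensic triage after fix" if result["forensic_triage"] else ""
        print(cve, result["tier"], result["due"], flag)
```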

The new framework prioritizes mitigation of vulnerabilities at the network edge. While vulnerabilities in the network core may be high risk and under active exploitation, CISA generally does not observe threat actors compromising core networks through product vulnerabilities; they use living off the land (LOTL) techniques, which CISA says are best addressed through other means, such as system hardening, network segmentation, and implementing phishing-resistant multi-factor authentication.
The post CISA Instructs Federal Agencies to Adopt Risk-Based Approach for Vulnerability Remediation appeared first on The HIPAA Journal.
Labcorp Agrees to $35M Settlement to Resolve AMCA Data Breach Litigation
A $35,000,000 settlement has been agreed to resolve a long-running class action lawsuit against Labcorp over a 2018 cybersecurity incident at American Medical Collection Agency. Laboratory Corporation of America Holdings (Labcorp), a provider of diagnostic testing services, had contracted with a company called Retrieval-Masters Creditor’s Bureau, Inc., which does business as American Medical Collection Agency (AMCA), to collect outstanding payments for Labcorp’s services.
On May 14, 2019, AMCA notified Labcorp about a cybersecurity incident that resulted in unauthorized access to Labcorp patients’ protected health information. Hackers had access to AMCA’s systems between August 2018 and March 2019, and potentially viewed or obtained some of those patients’ protected health information. The data breach affected multiple AMCA clients and resulted in the exposure of the protected health information of more than 25 million individuals, including the data of 10,251,784 Labcorp patients.
Multiple class action lawsuits were filed in response to the data breach, which were consolidated into a single action – In Re: American Medical Collection Agency, Inc. Customer Data Security Breach Litigation – in the U.S. District Court for the District of New Jersey. The lawsuit asserted several claims, including negligence and breach of contract, all of which were denied by Labcorp, which maintains that there was no wrongdoing and that any alleged injury or damage was not caused by the security incident or any act or omission by Labcorp.
After six years of hard-fought litigation, all parties agreed to a settlement, in recognition that the outcome and final result through a trial and related appeals would involve substantial additional risk and uncertainty, discovery, and extensive time and expense. The $35,000,000 settlement resolves the Labcorp track of the litigation, with the settlement class consisting of all individuals whose information was transmitted by Labcorp to AMCA and was contained in AMCA’s systems at the time of the data breach. The settlement fund will be used to pay attorneys’ fees and expenses, notice and administration costs, and service awards for the 21 class representatives. The remainder of the settlement fund will be used to pay claims for reimbursement of losses, claims for alternative cash payments, and the cost of medical and healthcare information monitoring services.
All class members are eligible to claim a two-year membership to the CyEx Medical Shield Pro medical and healthcare information monitoring service. A claim may also be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Class members not wishing to submit such a claim may instead claim an alternative cash payment. The cash payments are estimated to be $50 per class member, but may be increased or decreased depending on the number of claims filed.
Individuals who do nothing will lose the opportunity to sue Labcorp over the data breach in the future. Benefits will only be paid to individuals who submit a claim. The deadline for objection to the settlement and exclusion is July 27, 2026. The deadline for submitting a claim is September 3, 2026, and the final fairness hearing has been scheduled for September 3, 2026. Further information can be found on the settlement website: https://www.amcadatabreachsettlement83395.com/
PHI Compromised in Cyber Incidents at Medenet; United Medical Doctors; Stewart Home & School
Cybersecurity incidents involving unauthorized access to protected health information have been announced by the revenue cycle management company Medenet, the California medical group United Medical Doctors, and the Kentucky residential school, Stewart Home & School.
Medenet Inc.
Medenet Inc., a Florida-based medical billing, EMR software, and revenue cycle management service provider to physician practices, has started issuing notifications about a cyberattack identified on December 26, 2025. Assisted by third-party cybersecurity experts, Medenet determined that personal and protected health information was likely compromised in the incident, including medical records and Social Security numbers.
Medenet said it is unaware of any misuse of the impacted data; however, as a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services. The data breach has yet to be added to the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.
United Medical Doctors
United Medical Doctors, a Murrieta, California-based multi-specialty medical and surgical group, has discovered unauthorized access to its computer systems. Suspicious activity was identified within its computer systems on March 26, 2026, and the forensic investigation determined that a threat actor had access to its systems for around three and a half months, between December 12, 2025, and March 31, 2026. During that time, files containing patient information may have been viewed or acquired.
The May 20, 2026, substitute breach notice states that the types of information compromised in the incident have yet to be determined, and the number of affected individuals has yet to be publicly disclosed.
Stewart Home & School
Stewart Home & School (formerly Stewart Home School), a residential school in Franklin County, Kentucky, has recently announced that it was the victim of a criminal cyberattack on its computer network. The attack occurred in the early hours of August 4, 2025, with the threat actor gaining access to its network using stolen credentials.
Those credentials allowed the threat actor to access two of its internal electronic drives. Data on those drives was accessed and exfiltrated, then ransomware was used to encrypt the data. Stewart Home & School said the nature of the attack and the design of its electronic network meant it has taken a significant amount of time to determine the types of data involved and the individuals affected.
The data analysis has recently concluded, and confirmed that 3,677 individuals potentially had data stolen in the incident, including personal information and protected health information. That information included names, demographic information such as phone numbers, email addresses, addresses, and Social Security numbers, financial information, and protected health information such as health insurance information, diagnoses, medical conditions, test results, and medications, and education-related information, including evaluation and testing information.
The affected individuals were notified about the incident in April 2026 and have been offered 24 months of complimentary credit monitoring and identity theft protection services. The Sinobi ransomware group claimed responsibility for the attack.
Florida Law Firm Data Breach Affects 65,000 Individuals
A cyberattack at the law firm GrayRobinson has affected 65,000 individuals. Data breaches have also been announced by C2N Diagnostics in Missouri and Virta Health in Colorado.
GrayRobinson
The Orlando, Florida-based law firm GrayRobinson, P.A., has notified the Maine Attorney General about a data breach affecting 65,113 individuals, including 52 Maine residents. Among those individuals, 54,131 people had their protected health information exposed in the incident. In its substitute data breach notice, GrayRobinson explained that unauthorized access to its network was detected on or around March 24, 2025. Immediate steps were taken to secure its network, and assisted by third-party cybersecurity specialists, the incident was investigated to determine the extent to which sensitive information had been compromised.
The investigation confirmed that its network was accessed by an unauthorized third party between March 5, 2025, and March 24, 2025, and during that time, files containing personal and protected health information were exfiltrated from its network. The data was reviewed, and on April 13, 2026, the file review concluded and determined that full names, dates of birth, Social Security numbers, driver’s license numbers, state and government ID numbers, financial account information, medical information, and health insurance information were involved.
GrayRobinson said it had taken many precautions to protect against unauthorized access to its systems and data, and continually evaluates and modifies its practices and internal controls to enhance security and ensure the privacy of sensitive information. Complimentary credit monitoring and identity theft protection services have been made available. Notification letters started to be sent to the affected individuals on April 24, 2026.
C2N Diagnostics, Missouri
C2N Diagnostics, a St. Louis, MO-based specialty diagnostics company providing lab services and products related to brain health, has disclosed a cybersecurity incident that was identified on March 6, 2026. C2N Diagnostics said it was targeted by a cybercriminal actor who gained access to a small number of stored employee communications, some of which contained personal information.
The data was reviewed and found to include names, dates of birth, contact information, health information, blood test analysis results, health insurance information, and Social Security numbers. The affected individuals have been notified by mail and offered complimentary credit monitoring and identity theft protection services for at least 12 months as a precaution against data misuse. At the time of issuing notification letters, C2N Diagnostics was unaware of any misuse of the exposed data. C2N Diagnostics reported the breach to the HHS’ Office for Civil Rights on April 27, 2026, as affecting 2,027 individuals.
Virta Health
Virta Health Corp & Virta Medical PC, a Denver, CO-based provider of digital health services to help individuals manage type 2 diabetes, prediabetes, and obesity, has identified unauthorized access to one of its data repositories. The unauthorized access was identified on March 24, 2026, and the investigation confirmed that it had been compromised between March 19, 2026, and March 22, 2026.
The data repository was separate from its current production platform and contained personal information, the details of which were not disclosed in its data breach notice. Virta Health said its investigation confirmed that data had been exposed, and “could not rule out the possibility that an unknown actor may have accessed [personal information].” The Lapsus$ threat group claimed responsibility for the attack and added Virta Health to its data leak site on March 23, 2026, one day prior to the breach being detected. It is unclear if the ransom was paid or how many individuals were affected by the incident.