Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its second enforcement action of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). MMG Fusion LLC, a Maryland-based company that provides software solutions to oral healthcare providers, has agreed to settle the alleged violations and pay a financial penalty. The case is significant, as it involves an unreported data breach that affected 15 million individuals.
An unauthorized actor gained access to MMG’s internal network on December 21, 2020, and accessed patients’ protected health information, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. The threat actor exfiltrated data from MMG’s network and subsequently posted that information on the dark web.
A data breach of that magnitude would have attracted considerable media attention; however, it slipped under the radar as the breach was not reported to OCR, and the affected covered entities were not notified about the data breach. OCR’s investigation was launched not in response to a breach report, but a complaint about an unreported data breach. OCR received the complaint on January 6, 2023, and initiated an investigation in March 2023.
OCR determined that MMG had failed to comply with multiple provisions of the HIPAA Rules. Prior to the data breach, MMG had not conducted a comprehensive and accurate risk assessment to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by the HIPAA Security Rule.
OCR determined that MMG failed to ensure that ePHI was not used or disclosed for reasons not expressly permitted by the HIPAA Privacy Rule, and MMG failed to issue notifications to the affected covered entity clients that there had been a breach of unsecured protected health information, in violation of the HIPAA Breach Notification Rule. Rather than pursue a civil monetary penalty to resolve the alleged HIPAA violations, OCR agreed to a settlement. MMG has agreed to pay a financial penalty of $10,000 to resolve the alleged HIPAA violations and will adopt a comprehensive corrective action plan.
The corrective action plan requires MMG to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI. An enterprise-wide risk management plan must be developed and implemented to address and mitigate any risks and vulnerabilities identified by the risk analysis. Policies and procedures must be developed to ensure compliance with the HIPAA Rules, and those policies and procedures must be distributed to members of the workforce. MMG must provide training to its workforce and provide OCR with a copy of the training materials used to train its workforce for them to be assessed.
OCR will provide MMG with feedback on the thoroughness and accuracy of its risk assessment, and MMG must incorporate that feedback into its risk assessment and resubmit it to HHS for additional feedback. That process will continue until HHS is satisfied that the risk assessment is comprehensive and accurate. OCR must also be provided with a comprehensive list of all clients affected by the data breach, and once the risk assessment has been approved by OCR, MMG must notify all affected covered entity clients about the data breach, along with the identities of all patients whose ePHI is reasonably believed to have been impacted.
While not stated in the corrective action plan, the requirements of the HIPAA Breach Notification Rule are that each covered entity must determine if breach notifications are required and must ensure that those notifications are issued within 60 days after receiving a breach notice from a business associate. They are permitted to delegate the notification responsibilities to MMG, per the terms of their business associate agreements. The cost of notification for such a colossal data breach would be high, and if that cost is to be borne by MMG, that could explain why the penalty imposed to resolve multiple violations of the HIPAA Rules is so low.
OCR currently has an enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule and the HIPAA Right of Access of the HIPAA Privacy Rule; however, in 2025, the second-most common reason for a financial penalty behind risk analysis failures was breach notification failures. HIPAA covered entities and their business associates must ensure that timely breach notifications are issued to OCR, the affected individuals, and the media, and in the event of a breach at a business associate, that all affected covered entity clients are notified within 60 days of the discovery of a data breach.
“When a breach occurs, business associates must notify affected covered entities without unreasonable delay and within 60 calendar days of discovery,” said OCR Director Paula M. Stannard. “This timeliness is crucial for a covered entity to meet its own breach notification obligations, such as timely notification to HHS and to individuals. As hacking becomes more ubiquitous, HIPAA Security Rule requirements, such as the need to have an accurate and thorough HIPAA risk analysis, are imperative for strengthening cybersecurity before a breach occurs.”
The post Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals appeared first on The HIPAA Journal.
$2.35 Million Settlement Agreed to Resolve Cornerstone Specialty Hospitals Data Breach Lawsuit
Cornerstone Healthcare Group Management Services, doing business as Cornerstone Specialty Hospitals (Cornerstone), has agreed to settle class action litigation stemming from a December 2023 cyberattack and data breach.
A threat actor gained access to the Cornerstone network on or around December 19, 2023, and potentially accessed and copied patient information. Data potentially compromised in the incident included names, dates of birth, Social Security numbers, federal or state ID numbers, financial account information, credit or debit card information, digital signatures, email addresses and passwords, usernames and passwords, passport numbers, medical/health information, health insurance information, and other protected health information. Initially, the data breach was reported to the HHS’ Office for Civil Rights using a placeholder estimate of at least 501 affected individuals. The total was later updated to 484,957 individuals.
A lawsuit – Mireles v. Cornerstone Healthcare Group Management Services LLC d/b/a Cornerstone Specialty Hospitals – was filed in the Court of the Western District of Kentucky, Louisville Division, in response to the data breach. The lawsuit alleged that the data breach was a direct result of the defendant’s failure to take necessary and appropriate steps to secure sensitive data on its network, and that the defendant failed to issue timely notifications, which were mailed on or around July 1, 2024, more than 6 months after the incident occurred.
The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and declaratory relief. Cornerstone denies all claims of fault, wrongdoing, and liability, but agreed to a settlement to avoid further legal costs and the uncertainty of a trial. Class counsel and the class representatives believe the settlement is fair and is in the best interests of the class members.
Cornerstone has agreed to establish a $2,350,000 settlement fund to cover attorneys’ fees and expenses, service awards for the class representatives, and settlement fund taxes and tax expenses. The remainder of the fund will be used to pay for benefits to the class members. Individuals whose Social Security numbers were compromised in the incident may claim two years of three-bureau credit monitoring and identity theft protection services. They may also submit a claim for reimbursement of documented, unreimbursed extraordinary losses due to the data breach, up to a maximum of $10,000 per individual.
All class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach. Claims are capped at $2,500 per individual for ordinary losses. Class members who do not submit a claim for reimbursement of losses, either ordinary or extraordinary, may instead claim a pro rata cash payment, which will be paid once costs and claims have been paid. Individuals whose Social Security numbers were exposed will receive a cash payment equal to three times the amount paid to non-SSN subclass members. The deadline for objection and exclusion is April 8, 2026. The deadline for submitting a claim is May 8, 2026, and the final approval hearing has been scheduled for May 14, 2026.
Former Nuance Employee Pleads Guilty to Stealing 1.2 Million Patient Records
A former employee of Nuance Communications has pleaded guilty to accessing and removing the protected health information of 1.2 million patients of Geisinger Health System after he was terminated. Nuance Communications was a business associate of Geisinger and had access to systems containing protected health information.
Max Vance, 46, of El Cajon, California, was terminated by Nuance for unrelated reasons; however, his access rights were not immediately revoked. Two days after his termination, Vance used his access to copy data from Geisinger’s systems. The breach was detected by Geisinger, which notified Nuance, and Vance’s access rights were terminated. Data copied by Vance included patient names, contact information, birth dates, admission/discharge/transfer codes, medical record numbers, and race/gender information. The copied data did not include financial information, Social Security numbers, or health insurance information.
Law enforcement was notified about the unauthorized access and copying of data, and an investigation was launched. The data breach was identified by Geisinger on November 29, 2023, and Vance was arrested in February 2024. During a search of his property, law enforcement found two unregistered firearms, fake and blank IDs, a machine for creating fake ID cards, and electronic equipment containing the stolen data.
Vance’s trial was scheduled for August 2024 but was postponed by the court on several occasions, and was due to take place on April 20, 2026. Vance agreed to enter a guilty plea to one count of obtaining data from a protected computer without authorization, which carries a maximum jail term of 5 years, up to three years of supervised release, and a fine of up to $250,000.
In court on February 27, 2026, Vance entered a guilty plea, although there are certain provisions attached. The plea agreement will see two charges of making false statements to the FBI dropped, with Vance receiving a sentence of time served, followed by three years of supervised release. Vance has already spent more than two years in jail following his arrest, which is longer than the minimum sentence. Under the plea agreement, Vance has agreed to pay restitution, although there is still disagreement on how much should be paid. Vance wanted to be released prior to sentencing; however, the judge refused, pending a review of the plea agreement.
If the judge does not agree to the provisions of the plea agreement, the guilty plea will be withdrawn, and the case will go to trial. Should that happen, Vance will be tried on all charges, including making false statements to the FBI. A sentencing hearing date has not yet been set.
PIH Health Notifies Patients About 2024 Hacking Incident
PIH Health, a healthcare provider serving patients in Orange County and the San Gabriel Valley in California, has started notifying patients affected by a December 2024 ransomware attack. The attack disrupted systems used by Downey Hospital, Good Samaritan Hospital, Whittier Hospital, as well as urgent care clinics, home health, hospice services, and physicians’ offices.
The ransomware attack was detected on December 1, 2024, and the forensic investigation confirmed that the threat actor had access to its network between November 14, 2024, and December 23, 2024. As detailed in our December 16, 2024, coverage below, the threat actor claimed to have exfiltrated around 2 terabytes of data in the attack, and claimed the data included around 17 million patient records. A ransom demand was issued, and some of the stolen data was leaked online. PIH Health learned of the hacker’s claims but said at the time that it was unable to verify the authenticity of the ransom note or the data theft claims.
PIH Health has been reviewing the exposed data with the help of third-party specialists, and on or around December 16, 2025, more than a year after the attack was detected, PIH Health confirmed that patient information was present in files on the compromised parts of its network, and the files may have been accessed or acquired by the threat actor.
PIH Health said its detailed review of the affected data was time-intensive, hence the time taken to complete the review. After obtaining the full list of affected individuals in December 2025, PIH Health worked to gather contact information to allow notification letters to be mailed. That process was completed on February 25, 2026, and individuals affected by the breach are now learning that their data was compromised in the attack.
PIH Health said the types of data involved vary from individual to individual and, at the time of issuing notification letters, no evidence has been found of any misuse or attempted misuse of the affected information. The breach included personally identifiable information and protected health information such as names, addresses, medical information, health insurance information, Social Security numbers, taxpayer identification numbers, driver’s license numbers, financial account information, and credit/debit card numbers. PIH Health has offered the affected individuals complimentary credit monitoring and identity theft protection services, and has taken steps to minimize the risk of similar incidents occurring in the future.
What has yet to be confirmed is the scale of the data breach. While there has been a claim that 17 million records were stolen, that claim may have been exaggerated, and if the claim is correct, those records may not relate to unique patients. The data breach is not yet showing on the HHS’ Office for Civil Rights website, and the California Attorney General does not publish details about the scale of a data breach. Most of the affected individuals are likely to reside in California, but we have confirmed that the Texas Attorney General has been notified that 8,434 Texas residents were affected.
Last year, the HHS’ Office for Civil Rights announced that it had agreed to a $600,000 settlement with PIH Health to resolve potential HIPAA violations related to a 2020 phishing attack that affected 189,763 individuals. OCR determined that the HIPAA Security Rule had been violated as PIH Health failed to conduct a comprehensive and accurate risk analysis, as well as the HIPAA Breach Notification Rule, as PIH Health failed to issue timely notifications to OCR, the affected individuals, and the media.
December 16, 2024: Hackers Claim to Have Stolen 17 Million Patient Records from PIH Health
The hacking group behind the cyberattack on the Californian healthcare provider PIH Health on December 1, 2024, claims to have exfiltrated a huge amount of sensitive data before encrypting files. If the hackers are to be believed, they exfiltrated 17 million patient records.
Southern California News Group obtained a copy of a ransom note that had allegedly been faxed to PIH Health. The hackers claimed to have exfiltrated around 2 terabytes of sensitive data in the attack. The note states that the stolen data includes 17 million patient records, data for more than 8.1 million “medical episodes” that include patients’ home addresses, cancer patients’ treatment records, private emails including test results and treatments, confidentiality agreements with employees, and around 100 active nondisclosure agreements between PIH Health and other medical organizations. The hackers also provided a link where screenshots of the stolen data had been uploaded.
Southern California News Group said no hacking group had claimed responsibility for the attack. PIH Health was unable to verify the authenticity of the ransom note or the data theft claims. The PIH website notice states, “PIH Health is working with cyber forensic specialists to assess the issue. Impacted individuals will be notified if protected health information is found to be compromised.”
Multiple systems were taken offline as a result of the incident, and phone lines were also disrupted. The phone system used by PIH Health’s Good Samaritan Hospital in Los Angeles was unaffected, and lines from its Whittier and Downey hospitals have been rerouted there. While the attack has caused major disruption to its computer systems, staff are working on downtime procedures, and care continues to be provided to patients, with patient data recorded manually; however, staff members are struggling with the additional workload that this creates, and delays are being experienced by patients.
PIH Health updated its website FAQ about the incident on December 13, 2024, but was still not able to provide a timeline on when its systems are likely to be restored. PIH Health said local police departments have been notified, and the Federal Bureau of Investigation (FBI) has been engaged and is involved in the criminal investigation. PIH Health said it is doing everything possible to rectify the situation.
Hackers have been known to exaggerate the extent of data theft, and even if 17 million records were stolen, there may be duplicate records in the dataset. If it turns out that 17 million current and former patients have been affected, this would be the second-largest data breach of the year, behind the 100-million-record data breach at Change Healthcare in February.
General Physician Pays $2.5 Million to Settle Data Breach Litigation
General Physician, P.C., a medical group serving patients in Western New York, has agreed to pay $2.5 million to settle a class action lawsuit over a 2024 data breach.
Suspicious activity was identified within its email environment on June 12, 2024. The forensic investigation confirmed that an unauthorized third party had access to its email system from April 6, 2024, to June 12, 2024. Patient information exposed and potentially stolen in the incident included full names, addresses, Social Security numbers, financial account information, dates of birth, medical history information, mental and physical treatment information, diagnosis information, treating physician names, medical record numbers, and health insurance information. The data breach was initially reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 individuals. The total was later updated to 167,387 individuals.
Several class action lawsuits were filed in response to the data breach, which were consolidated – Newhart v. General Physician, P.C. – in the Supreme Court of the State of New York, County of Erie. The plaintiffs alleged that General Physician was negligent for failing to implement reasonable and appropriate cybersecurity measures to protect sensitive patient data on its network. General Physician maintains that there was no wrongdoing and that there is no liability. All parties explored an early settlement and, following mediation, the material terms of a settlement were agreed. The settlement has now been finalized and has received preliminary approval from the court. The final fairness hearing has been scheduled for June 4, 2025.
Under the terms of the settlement, General Physician has agreed to establish a $2,500,000 settlement fund, which will be used to pay benefits to the class members after attorneys’ fees and expenses, settlement administration costs, and service awards for the class representatives have been deducted. While the OCR breach portal states that the protected health information of up to 167,387 individuals was compromised in the incident, the settlement class consists of approximately 490,210 individuals.
Class members are entitled to claim a two-year membership to a single-bureau credit monitoring and medical data monitoring service. In addition, they may submit a claim for one of two cash payments. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or a claim may be submitted for a pro rata cash payment. The value of the pro rata cash payment will depend on the number of valid claims received. Based on the estimated response rate, the cash payments are expected to be approximately $60. The deadline for objecting to the settlement and opting out is April 27, 2026. Claims must be submitted by May 27, 2026.