Hematology Oncology Consultants; Southcoast Health; Cunningham Prosthetic Care Announce Data Breaches

Data breaches have recently been announced by Hematology Oncology Consultants in Michigan, Cunningham Prosthetic Care in Maine, and Southcoast Health System in Massachusetts.

Hematology Oncology Consultants

Hematology Oncology Consultants in Michigan has started notifying individuals affected by a September 20, 2025, security incident. Upon detection, the practice took immediate action to secure its network and prevent further unauthorized access, and launched an investigation to determine the nature and scope of the unauthorized activity. On or around February 12, 2026, Hematology Oncology Consultants confirmed that files containing personal and protected health information were likely exfiltrated from its network.

The review of the affected files was completed on April 7, 2026, and notification letters began to be mailed to the affected individuals on April 24, 2026. The compromised data includes names, medical records, health insurance information, and Social Security numbers. Hematology Oncology Consultants has not described the incident as a ransomware attack; however, the Rhysida ransomware group has claimed responsibility for it. Rhysida threatens to sell or publish stolen data if its ransom demand is not paid. The group claims to have sold some of the data stolen in this attack and has leaked 40% of the exfiltrated data. The incident has been reported to regulators, although it is currently unclear how many individuals have been affected.

Cunningham Prosthetic Care

Cunningham Prosthetic Care, a Saco, Maine-based orthotic and prosthetic service provider, has started notifying patients about a data security incident first identified on October 22, 2025. Suspicious activity was detected in an employee's email account, and the investigation confirmed that the account had been accessed without authorization on that date. A review of the account's contents took around four months and confirmed that it contained personal and protected health information, including names, health insurance information, diagnostic information, medical treatment information, and medical record numbers. Notification letters started to be mailed to the affected individuals on May 1, 2026. The data breach has been reported to the appropriate authorities, but the number of affected individuals has yet to be publicly disclosed.

Southcoast Health

Southcoast Health System, a nonprofit community health system with more than 55 locations in Southeastern Massachusetts and Rhode Island, identified unauthorized access to a single user account on February 16, 2026, and blocked the access the same day. Although the incident was detected quickly, it is possible that sensitive data such as names and Social Security numbers were viewed or acquired. As a precaution against misuse of the data, the affected individuals have been offered complimentary single-bureau credit monitoring and identity theft protection services. At the time of publication, the number of affected individuals had not been publicly disclosed.

The post Hematology Oncology Consultants; Southcoast Health; Cunningham Prosthetic Care Announce Data Breaches appeared first on The HIPAA Journal.

Why Medical Couriers Are Always Classified as HIPAA Business Associates

Other than when they are directly employed by a covered entity, medical couriers are always classified as HIPAA business associates because of the nature of the work they are contracted to perform and their "operational access" to protected health information (PHI), even when that access consists only of a visible name, reference number, or address.
Medical couriers play an important role in the healthcare system by transporting specimens, medications, lab results, and other items that support patient care. Because deliveries often involve sealed packages, it could be assumed that medical couriers fall under the HIPAA conduit exception and therefore do not qualify as business associates.
The conduit exception applies to entities that merely transmit PHI on behalf of a covered entity or business associate, with no access to the PHI beyond what is transient and incidental to the transmission, and no storage of it beyond what is temporary and incidental to the transmission. Examples include the US Postal Service, UPS, FedEx, and Internet Service Providers, which simply act as channels through which information flows.

Why the Conduit Exception Does Not Apply to Medical Couriers

Medical couriers, by contrast, are contracted specifically to transport PHI. To fulfill the service they are contracted to provide, medical couriers routinely handle paperwork connected with specimens, read names on labels, sign or verify chain-of-custody forms, and confirm pickup and delivery details tied to specific patients.
Their access is not incidental, accidental, or transient; it is operational. Because of this, healthcare organizations, pharmacies, and labs must treat them as HIPAA business associates. That means medical couriers must sign business associate agreements (BAAs) and comply with all applicable HIPAA standards. The same applies when a courier is engaged by a business associate as a subcontractor: the business associate must enter into a BAA with the courier, and the courier is bound by the same standards.

When Access Only Consists of a Visible Name, Number, or Address

When access consists only of a visible name, reference number, or address, the visible information is still PHI: it identifies an individual and, in context, links that individual to the health care service the package supports, such as a specimen, a medication, or a lab result. A name, reference number, or address on the outside of the package is therefore protected health information in its own right, not merely a pointer to the PHI inside.
This distinction matters because information visible on the outside of a package must be protected with the same care as the information inside it. It is for this reason that, other than when they are directly employed by a covered entity, medical couriers are always classified as HIPAA business associates and must train their drivers, dispatchers, and customer service teams on all applicable HIPAA standards.


New Cyber Resilience Readiness Program Developed by Joint Commission; AHA

Joint Commission and the American Hospital Association (AHA) have partnered to create a new Cyber Resilience Readiness program for hospitals and health systems to help them sustain safe clinical operations during cyber-related technology outages.

Hacking and ransomware attacks on healthcare organizations have skyrocketed in recent years. According to the Federal Bureau of Investigation (FBI), healthcare and public health was the most targeted sector in 2025, experiencing 642 hacking incidents, including 460 ransomware attacks and 182 data breaches. The HHS Office for Civil Rights breach portal currently shows 765 data breaches affecting 500 or more individuals reported in 2025, the highest number ever reported in a single year. These incidents often result in prolonged periods of "digital darkness," in which systems are offline and healthcare organizations are forced to fall back on manual processes for recording patient information. During those periods, hospitals and health systems must ensure continuity of care and maintain patient safety, even without access to critical technologies.

To counter the threat to patient safety and care from cyber incidents, extreme weather events, and other natural disasters, Joint Commission and AHA created the Cyber Resilience Readiness (CRR) Program. The program was developed in partnership with several healthcare organizations and is described as a first-of-its-kind program to help hospitals and health systems strengthen their ability to sustain safe clinical operations during technology outages caused by cyber events and natural disasters.

While many cybersecurity approaches are focused on rapidly restoring IT systems, the CRR emphasizes real-world operational readiness and patient safety impacts. The CRR was informed by the lessons learned from actual ransomware attacks and other cyber events that have affected hospitals across the United States. “The goal is to help hospitals and health systems move from awareness to readiness, and from readiness to resilience, ultimately enabling organizations to move beyond assessment to practical, operational improvement,” according to Joint Commission and the AHA.

The CRR program is centered on a structured, free-to-complete self-assessment tool for evaluating an organization's current ability to maintain safe care during technology outages, with a focus on clinical workflows, operational response, leadership coordination, and staff preparedness. The self-assessment tool familiarizes hospitals and health systems with the questions they need to ask and what they need to prepare for. Organizations that wish to can submit their completed assessments for expert review, for a fee, and receive a set of top-line recommendations on how identified weaknesses can be addressed. Joint Commission also plans to develop a new certification pathway to allow organizations to demonstrate strong clinical continuity and cyber resilience capabilities.

“Digital disruption poses a direct and growing threat to patient safety and clinical care,” said Jonathan B. Perlin, MD, PhD, president and CEO of Joint Commission. “As cyber criminals become increasingly sophisticated, advanced, and creative, so too must our efforts to thwart the risks – but we are not talking about cyberattacks alone. It is about how to continue operations under any scenario where technology systems might be down for any period of time. Hospitals and healthcare organizations need practical tools to evaluate and strengthen their approach to withstanding these incidents. The new Cyber Resilience Readiness program is designed to help healthcare organizations focus on what matters most: maintaining safe, quality patient care and clinical operations at all times.”


Oglethorpe Settles Data Breach Lawsuit

Oglethorpe, a Tampa, FL-based network of mental health and addiction recovery treatment facilities, was sued in response to a June 2025 hacking incident in which the personal and protected health information of 92,000 current and former patients and employees was stolen. The lawsuit has recently been settled and a cash fund of $350,000 will be created to cover benefits for class members.

The hacking incident was discovered in June 2025. The forensic investigation determined that the hacker exfiltrated information such as names, Social Security numbers, driver’s license or state identification numbers, and medical information. The affected individuals started to be notified about the incident on October 31, 2025. Multiple class action lawsuits were filed in response to the data breach, alleging that it could have been prevented had reasonable and appropriate cybersecurity measures been implemented.

The lawsuits, which had overlapping claims and were based on the same facts, were consolidated as Scott, et al. v. Oglethorpe, Inc. in the Circuit Court for Broward County, Florida. The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, and unjust enrichment, and requested declaratory and injunctive relief. Oglethorpe denies wrongdoing, fault, and liability.

All parties explored the possibility of an early resolution of the lawsuit to avoid unnecessary legal costs and the uncertainty of a trial and related appeals. Following several weeks of arm's-length negotiations, a settlement acceptable to all parties was reached. Under the terms of the settlement, Oglethorpe has agreed to cover attorneys' fees and expenses, settlement administration and notification costs, and service awards for the class representatives. A fund of $350,000 will be created to cover benefits for the class members.

All class members may enroll in one year of medical data monitoring services, which include a $1 million medical identity theft insurance policy. They may also claim one of two cash benefits: reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $2,500 per class member, or an alternative one-time cash payment of $75. The $75 payment is subject to a pro rata reduction if the total value of approved claims exceeds the $350,000 fund.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for June 22, 2026. Claims must be submitted by August 8, 2026, and individuals wishing to object to the settlement or exclude themselves must do so by June 8, 2026.
