Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine

Centerwell, a provider of senior healthcare services in 30 U.S. states, has experienced a cyberattack and data breach. Lakeside Pediatric & Adolescent Medicine has recently notified individuals affected by an October 2024 data breach.

Centerwell

Centerwell, a Louisville, Kentucky-based provider of healthcare services to seniors, has recently reported a data breach to the Texas Attorney General that involved unauthorized access to patient information.

The scale of the breach is currently unclear, other than that the personal and protected health information of 4,618 Texas residents was compromised in the incident. The breach could be substantially larger, as Centerwell provides senior healthcare services in 30 U.S. states. The Texas Attorney General was informed on March 6, 2026, that data compromised in the incident includes names, addresses, dates of birth, and medical information. At the time of writing, the affected individuals have not been informed by mail, and no known threat group has publicly claimed responsibility for the incident.

This post will be updated when further information about the incident is released.

Lakeside Pediatric & Adolescent Medicine

Lakeside Pediatric & Adolescent Medicine (Lakeside), a Coeur d’Alene, Idaho-based healthcare provider, has started notifying patients about an October 2024 data security incident. Lakeside identified unauthorized access to its computer systems in late 2024. The forensic investigation confirmed that an unauthorized third party accessed its computer systems on November 1, 2024, and on December 15, 2024, Lakeside confirmed that there had been unauthorized access and potential acquisition of files containing patient information.

On January 1, 2025, Lakeside confirmed in a website breach notice that personal and protected health information had been compromised in the incident, although the data review was ongoing at that time. On or around December 26, 2025, Lakeside confirmed the data types involved, although the website notice has not been updated to state what those data types are.

In a breach notice submitted to the Washington Attorney General, Lakeside confirmed that single-bureau credit monitoring and identity theft protection services are being offered to the affected individuals, and that 1,314 Washington residents were affected. The incident has not yet been listed on the HHS’ Office for Civil Rights website, so it is unclear how many individuals in total have been affected.

The post Data Breaches Reported by Centerwell & Lakeside Pediatric & Adolescent Medicine appeared first on The HIPAA Journal.

Texas Governor Instructs State Agencies to Audit Chinese Medical Devices

Texas Governor Greg Abbott has ordered all state agencies and state-owned medical facilities to conduct an audit of patient monitoring devices to ensure that they do not have unresolved vulnerabilities that could be exploited to gain access to Texans’ sensitive health information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the United States Food and Drug Administration (FDA) have issued warnings about vulnerabilities in patient monitoring devices manufactured in China. Devices have been found to contain a backdoor that can be used by a remote attacker to gain access to sensitive patient data.

There has been a proliferation of Chinese-manufactured medical devices within the U.S. healthcare system. The concern is that these devices have backdoors that can be exploited by state-sponsored hacking groups to obtain the private medical information of Americans. Governor Abbott wants to make sure that the private medical data of Texans cannot be obtained by China. “I will not let Communist China spy on Texans. State-owned medical facilities must ensure there are safeguards in place to protect Texans’ private medical data,” Governor Abbott said in a letter to the Texas Health and Human Services Commission (HHSC), Texas Department of State Health Services (DSHS), and the Texas Cyber Command (TXCC).

Governor Abbott has directed state agencies to take action to ensure that sensitive medical data is protected. HHSC and DSHS have been asked to review all state-owned medical facilities under their jurisdiction and attest that all new purchases of medical devices were procured in compliance with the November 19, 2024, Executive Order GA-48, which requires the hardening of cybersecurity by the state government.

HHSC, DSHS, and public systems of higher education are required to catalog all state-owned medical devices capable of transmitting data via a network, or that can be accessed remotely, and share that inventory with TXCC. Assisted by TXCC, HHSC, DSHS, and public systems of higher education are required to review their cybersecurity policies related to the protection of personal health information at all state-owned medical facilities under their jurisdiction, and to specifically include how those policies address FDA and CISA-issued alerts for internet-connected medical devices.

TXCC has been instructed to review whether Contec CMS8000 and Epsimed MN-120 patient monitors, and any other devices used by HHSC, DSHS, and public systems of higher education, have been the subject of an FDA safety notice, and to ensure that any that have are placed on the prohibited technology list.

TXCC is also required to convene appropriate executives at HHSC, DSHS, and public systems of higher education and make recommendations for addressing emergent cybersecurity risks, monitoring of devices, and mitigation strategies. Governor Abbott has committed to proposing legislation in the next session to better protect Texans’ private medical data from hostile foreign actors, such as China.

The post Texas Governor Instructs State Agencies to Audit Chinese Medical Devices appeared first on The HIPAA Journal.

Trump Administration Announces Aggressive Cyber Strategy

The Trump administration has announced its long-awaited cybersecurity strategy. While light on detail, the Trump administration has committed to deploying the full suite of defensive and offensive cyber operations available to the U.S. government and will aggressively target transnational cybercrime groups to protect Americans.

For many years, cybercriminals have targeted the United States more than any other country, and cyberattacks have been growing in volume and sophistication. Financially motivated cybercriminals and state-sponsored hacking groups continue to target the U.S. government and private sector firms, with Russia, China, Iran, and North Korea posing the greatest threat to critical infrastructure and national security. In contrast to published strategies from past administrations, none of these countries is named in the policy document.

The document – President Trump’s CYBER STRATEGY for America – announces six policy pillars that underpin the strategy. Each of the six policy pillars is vital for national security; however, the document lacks detail on how the U.S. government will achieve those cybersecurity goals. The strategy includes only 5 pages of text, two of which are introductory pages boasting of the might of the United States, America’s wealth of cybersecurity talent, and its unrivalled technological and economic innovation.

Regarding talent, the U.S. government has lost a considerable amount during President Trump’s second term, including the heads of the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). Neither agency currently has a Senate-confirmed leader, and CISA has lost around one-third of its workforce under the current administration.

That said, the strategy is welcome news and will guide the efforts of the United States in targeting cybercriminals and nation-state actors. By improving defenses and aggressively targeting cybercriminal gangs, the Trump administration plans to make it much harder for adversaries’ cyber operations to succeed by eroding their capabilities and raising the costs for their aggression.

“By disrupting adversaries’ cyber campaigns and making our networks more defensible and resilient, we will unleash innovation, accelerate economic growth, and secure American technology dominance. We will remove burdensome, ineffective regulations so that our industry partners innovate quickly in emerging technologies. Partners in the private sector must be able to respond and recover quickly to ensure continuity of the American economy,” explained President Trump in the cyber strategy document.

The six pillars outlined in the strategy for guiding the U.S. government are:

  • Shape adversary behavior – Full use of government resources for tackling cybercrime and incentivizing the private sector to help identify and disrupt adversary networks. “We will uproot criminal infrastructure and deny financial exit and safe haven.”
  • Promote common sense regulation – The administration plans to streamline cyber regulations to reduce compliance burdens, address liability, and better align regulators and industry globally.
  • Modernize and secure federal government networks – Accelerating the modernization of federal information systems by implementing cybersecurity best practices, post-quantum cryptography, zero-trust architecture, and cloud transition.
  • Secure critical infrastructure – Harden defenses and information and operational technology supply chains to deny adversaries access and ensure a rapid response and recovery in the event of a successful attack.
  • Sustain superiority in critical and emerging technologies – Building secure technologies and supply chains, supporting the security of cryptocurrencies and blockchain technologies, promoting post-quantum cryptography and secure quantum computing, and securing the AI technology stack and promoting innovation in AI security.
  • Build talent and capacity – Ensuring there is investment in America’s cyber workforce, the creation of a pipeline that develops and shares talent, and the elimination of roadblocks that prevent industry, academia, government, and the military from aligning incentives and building a highly skilled cyber workforce.

The cyber strategy is accompanied by a new Executive Order that targets transnational criminal organizations that engage in cybercrime, fraud, and predatory schemes targeting American families, businesses, and critical infrastructure. The Executive Order specifically targets the most prevalent and costly cybercriminal operations, including ransomware attacks, phishing campaigns, financial fraud, sextortion schemes, and impersonation scams.

The Executive Order directs administration officials to conduct a comprehensive review of the operational, technical, diplomatic, and regulatory tools for combatting cybercriminal gangs, and establishes a dedicated operational cell within the National Coordination Center (NCC) tasked with creating an action plan that identifies the groups responsible for scam centers and cybercrime and solutions for the prevention, investigation, detection, disruption, and dismantling of those groups’ operations.

The Attorney General has been instructed to prioritize prosecutions of cyber-enabled fraud and scam schemes, pursuing the most serious, provable offenses, and create a Victims Restoration Program to ensure that seized and forfeited funds are directed to the victims of cybercrime. The Secretary of the Department of Homeland Security has been tasked with working with state and local partners and providing training, technical assistance, and resilience building against cyber threats.

The reception of the cyber strategy has been largely positive, although the policy has attracted some criticism for failing to state how the U.S. government will achieve its cybersecurity goals. “The National Cyber Strategy represents an important step in aligning federal cyber policy with the scale and complexity of today’s threats. However, the hard work begins now, and that’s translating the vision into ambitious-yet-achievable operational outcomes. Consequence-based prioritization will be essential to ensure finite federal and private-sector resources are focused on the systems where disruption would have the greatest national impact,” said Matthew Hartman, Chief Strategy Officer at Merlin Group, a network of affiliates that invests in, enables, and scales cyber technology companies. “At the same time, this is an opportunity to clarify how government and industry divide responsibility for defining and delivering shared security and resilience outcomes. If implemented effectively, the strategy can help drive coordinated action across government and strengthen resilience across the infrastructure that underpins the U.S. economy and national security.”

“President Trump’s Cyber Strategy for America puts operational effect ahead of ‘compliance theater.’ From a practitioner’s perspective, the emphasis on modernizing federal systems with zero trust, post‑quantum cryptography, and AI‑enabled defense—while streamlining duplicative regulation—is directionally appropriate,” said Bruce Jenkins, Chief Information Security Officer, Black Duck, an application security solution provider. “The real test and historical challenge will be in execution: translating these pillars into clear requirements, faster procurement, and measurable risk reduction across government and the defense industrial base.”

The post Trump Administration Announces Aggressive Cyber Strategy appeared first on The HIPAA Journal.