Is Microsoft Teams HIPAA-Compliant? – BBN Times
Final action on HIPAA Security Rule modifications now projected for July 2027 – JD Supra
All About Women’s Care Data Breach Affects Up to 12,000 Patients – The HIPAA Journal
All About Women’s Care Data Breach Affects Up to 12,000 Patients
All About Women’s Care in Colorado has notified 12,000 patients that their data has been compromised in a data breach, and Mid-South Pulmonary Sleep Specialists in Tennessee is assessing the impact of a November 2025 ransomware attack.
All About Women’s Care, Colorado
All About Women’s Care, an Englewood, CO-based obstetrics and gynecology practice, has identified unauthorized access to its IT environment. Suspicious activity was identified involving an employee VPN account. Third-party cybersecurity experts were engaged to investigate the activity and confirmed that an unauthorized actor obtained the credentials for the VPN account and used them to access its network environment. Files were copied in the attack, the review of which was completed on June 5, 2026.
The file review confirmed that the impacted data included names, dates of birth, Social Security numbers, driver’s license numbers, other ID numbers, clinical/treatment information, lab results, prescription information, provider information, medical documents, ultrasound images, copies of identification documents (such as passports), and health insurance information.
The practice is working with cybersecurity professionals to enhance security and prevent similar incidents in the future, and policies and procedures related to data privacy and security are being reviewed. The data breach was recently reported to the HHS’ Office for Civil Rights as affecting up to 12,000 patients.
Mid-South Pulmonary Sleep Specialists, Tennessee
Mid-South Pulmonary Sleep Specialists, a Memphis, Tennessee-based pulmonary and sleep medicine practice, has started notifying certain patients about a cybersecurity incident that exposed their personal and protected health information.
Suspicious activity was identified within its computer network on November 2, 2025. The network was secured, and assisted by third-party cybersecurity experts, the practice confirmed unauthorized network access and the exposure and potential theft of patient data. The data review was completed on May 18, 2026, and revealed that a wide range of data was exposed in the incident. The types varied from individual to individual, and may have included names in combination with one or more of the following: address, date of birth, date of service, driver’s license or state ID number, financial account information, health insurance information, medical diagnosis information, medical history, medical provider name, medical record number, medical treatment information, Medicare/Medicaid number, mental or physical condition, other patient identifier, patient account number, prescription information, and/or Social Security number.
Regulators have been notified, but the incident is not yet shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected. The website breach notice does not state the nature of the attack, or for how long the threat actors had access to its network.
This appears to have been a ransomware attack, as the Anubis ransomware claimed responsibility and added Mid-South Pulmonary Sleep Specialists to its data leak site in late November 2025, along with samples of data allegedly stolen in the attack. Anubis claims that the data stolen includes patient information.
The post All About Women’s Care Data Breach Affects Up to 12,000 Patients appeared first on The HIPAA Journal.
Atrium Health Pays Up to $1.8M to Resolve Pixel Lawsuit
Charlotte-Mecklenburg Hospital Authority, doing business as Atrium Health, has agreed to pay up to $1,800,000 to settle a class action lawsuit stemming from its use of pixels and other tracking technologies on its MyAtriumHealth (formerly called MyCarolinas) patient portal.
North Carolina-based Atrium Health operates a dozen hospitals in North and South Carolina, along with more than 900 care facilities in the two states. Like many health systems, Atrium Health used tracking technologies on its patient portal. These tools have important uses for website operators; however, their use on healthcare websites risks impermissible disclosures of sensitive data.
When these tools are added to authenticated web pages such as patient portals, patients’ protected health information may be disclosed to the third-party providers of the tools, such as Meta (Facebook) and Google. Following an investigation, Atrium Health determined that between January 1, 2015, and July 31, 2019, the protected health information of up to 585,959 patients may have been impermissibly disclosed to third parties as a result of the use of these tools. When reporting the data breach, Atrium Health assumed that all patients who used the portal had their ePHI impermissibly disclosed.
The data potentially compromised included IP addresses and third-party identifiers/cookies. If forms were filled out, that disclosed information may also have included full names, email addresses, phone numbers, city/state/zip code, gender, and any other information entered into the forms.
Multiple class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Julie Roberts, et al. v. The Charlotte-Mecklenburg Hospital Authority – in the Superior Court of Mecklenburg County, North Carolina, naming Julie Roberts, Judith Sigmon, Darielle Hill, and Chrisanna Brown as representatives of a national class.
The plaintiffs alleged that their privacy had been violated by the defendant’s use of these tools, which they claim were added to the patient portal without their knowledge or consent. The lawsuit asserted claims for breach of express contract, breach of implied duty of good faith and fair dealing, breach of implied contract, negligence, breach of fiduciary duty, and unjust enrichment.
Atrium Health denies all wrongdoing and maintains it has not violated any laws and filed a motion to dismiss, which was partially successful; however, the lawsuit was allowed to proceed. The parties ultimately agreed to a settlement to avoid the costs and risks associated with continuing the litigation.
The settlement covers all individuals residing in the United States who had patient portal accounts – MyAtriumHealth or MyCarolinas – between January 1, 2025, and April 10, 2024, with limited exceptions. Atrium Health has agreed to establish a $1,800,000 settlement fund, from which $1,500,000 will be used to cover attorneys’ fees and expenses, administration costs (for Group 1 claims), and payments to individuals who used their accounts between January 1, 2015, and July 31, 2019.
The settlement also includes up to $300,000 to pay for claims from individuals who had a Patient Portal account between January 1, 2015, and April 10, 2024, but did not access their account between January 1, 2015, and July 31, 2019. (Group 2). The remainder of the funds in the Group 1 settlement will be paid pro rata to individuals who submit a claim, and individuals in Group 2 will receive a payment of up to $10 if they submit a claim. The deadline for opting out and objection is August 31, 2026. Claims must be submitted by September 28, 2026, and the final fairness hearing has been scheduled for September 30, 2026.
The post Atrium Health Pays Up to $1.8M to Resolve Pixel Lawsuit appeared first on The HIPAA Journal.
Free Webinar: Making Sense of HIPAA Compliance for Your Small Practice – The HIPAA Journal
Free Webinar: Making Sense of HIPAA Compliance for Your Small Practice

For most small practices, your team is already wearing a lot of hats, and compliance is one that can feel like an impossible task to even know where to start.
But the risks keep growing. Breaches are rising fast, with hackers targeting small medical practices’ sensitive patient data. With major new HIPAA requirements potentially on the horizon as soon as 2027, it’s never been a better time to ensure your practice has built and maintains a HIPAA compliance program with a strong, compliant foundation.
Join Bradley King, Senior Compliance Consultant, as he provides a clear explanation for small medical practices on what they actually need to do when it comes to becoming HIPAA compliant.
You’ll Discover:
The timeline of HIPAA – how we got here and why it matters now
What actually triggers a HIPAA investigation
Current HIPAA enforcement initiatives to watch
What your practice needs to do to become (and stay) compliant
Real examples of investigation letters
WEBINAR DETAILS
Making Sense of HIPAA Compliance for Your Small Practice
Live Webinar | Wednesday, July 22 | 12:00–12:30 PM ET
Click Here Register for the Free Webinar
Speaker: Bradley King, Senior Compliance Consultant, Abyde

Bradley King is a Senior Compliance Consultant at Abyde with several years of experience in HIPAA and OSHA compliance consulting. He has spoken at national conferences and delivered continuing education webinars on HIPAA and OSHA compliance best practices, and has worked directly with thousands of practices, from solo, owner-operator practices to multi-location, multistate healthcare organizations, on building and maintaining compliance programs. Abyde is a leader in the compliance software industry, streamlining HIPAA & OSHA requirements for thousands of practices across the United States.
The post Free Webinar: Making Sense of HIPAA Compliance for Your Small Practice appeared first on The HIPAA Journal.