HIPAA Pulse moved to hipaapulse.com. This page is HIPAA Response — what to do about each story.
See responsesPatient Protect · HIPAA Response
Live58
Total incidents tracked
1,532
Active responses
61
Update cadence
Hourly
HIPAA Responseis the technical-enablement layer of HIPAA Pulse’s reporting. Every breach the publication covers, every OCR enforcement action, every regulatory development — paired with the controls, configurations, and platform actions your practice needs to do something about it.
Patient Protect Synopsis
```json { "summary": "This briefing highlights a significant rise in data breaches, with over 400,000 individuals impacted across multiple incidents, underscoring the persistent threat of cyberattacks. Healthcare organizations are also grappling with critical vulnerabilities in content management systems like Drupal and Ghost CMS, demanding immediate patching to prevent further exploitation. Simultaneously, the
By Patient Protect Research · Synthesized from HIPAA Pulse coverage · AI-assisted, editor reviewed
The Response Desk
May 25
Radiology Associates of Richmond disclosed a data breach affecting 266,000 individuals after threat actors exfiltrated files containing names and protected health information from its systems.
Radiology Associates of Richmond disclosed a second data breach in under two years, with the latest incident affecting 266,000 patients and reported to Maine's Attorney General in May 2026.
Verizon's 2026 Data Breach Investigations Report finds healthcare facing a sharper threat from social engineering while ransomware and third-party vendor compromises continue to drive significant breach volume across the sector.
A healthcare software vendor serving the congressional physician's office was breached in early March, exposing prescription data — but lawmakers were not notified until more than two months after the intrusion.
A federal jury in Michigan convicted a home health care agency owner and nurse of running a $1.6 million Medicare fraud scheme built on stolen patient records from 2018 to 2021.
OpenLoop Health, a telehealth platform serving independent practices and health systems, disclosed a January 2025 breach that exposed personal data belonging to roughly 716,000 individuals.
Thousands of DICOM medical imaging servers belonging to hundreds of healthcare entities have been left exposed to the public internet with little or no authentication, putting patient data at direct risk.
CISA released new guidance urging critical infrastructure operators, including healthcare organizations, to invest in isolation and recovery capabilities to sustain operations during nation-state cyberattacks.
Dutch EHR vendor ChipSoft disclosed that stolen patient data was allegedly destroyed following a ransomware attack by the Embargo group, after the company confirmed some negotiations had taken place.
Missouri's Department of Commerce and Insurance is escalating its investigation into Conduent Business Services after the national insurance-processing vendor allegedly failed to cooperate with regulators over a breach potentially affecting millions of consumers.
The DOJ launched a new West Coast Health Care Fraud Strike Force, uniting federal prosecutors across Arizona, Nevada, and Northern California to pursue fraud schemes tied to digital health companies.
A CMS-built Medicare provider directory inadvertently exposed the Social Security numbers of healthcare providers in a backend database, The Washington Post reported.
A Maryland pharmacist faces federal indictment on two counts of unauthorized computer access and one count of aggravated identity theft tied to alleged intrusions at the University of Maryland Medical Center.
Russian national Artem Revensky, operating as "Digit" within the Sector16 hacking group, pleaded guilty to cyberattacks targeting critical infrastructure across Ukraine, the United States, and other countries.
A newly identified phishing kit called Bluekit automates domain registration and includes an AI assistant to help threat actors launch credential-harvesting campaigns with reduced technical skill.
Ambient AI scribes promise to cut clinician documentation time, but their use inside exam rooms raises unresolved questions under HIPAA, state privacy law, and informed-consent doctrine.
A federal class action filed in Michigan accuses Thomson Reuters of publicly exposing plaintiffs' Social Security numbers through one of its search engine products.
Central Maine Healthcare is eliminating 38 IT positions as the Lewiston-based health system completes a transition to a new electronic medical record platform that includes a patient portal component.
New York's financial regulator secured a $2.25 million settlement with Delta Dental over the 2023 MOVEit zero-day breach that exposed data on more than 7 million patients nationwide.
A California federal judge allowed data breach claims against Bain Capital to proceed over a breach at its subsidiary PowerSchool, marking the first time a private equity firm has faced direct liability for a portfolio company's cybersecurity failure.
A Python-based backdoor framework called Deep#Door has been identified deploying persistent Windows implants designed for espionage and operational disruption, posing elevated risk to unpatched healthcare endpoints.
Archive
Every article previously published — searchable, with permanent URLs preserved.
By practice type
Five fast-growing segments where HIPAA-applicability is genuinely contested. Each page covers exactly when HIPAA applies, where the gray zones live, the state consumer-health law overlay (Washington MHMDA, Nevada CHPA, Connecticut DPA, California CMIA), and the operational checklist for compliant operation.
When membership-based primary care still triggers covered-entity status — and the 5-step path to clean operation.
Open
The most state-law-exposed segment in healthcare. WA MHMDA, NV CHPA, pharmacy BAA cascade, multi-state notification matrix.
Open
DEA EPCS for testosterone, compounding pharmacy BAAs, specialty hormone labs — the four-dimensional compliance matrix.
Open
Prominent-patient threat model. Compartmentalized access controls under §164.502(b) and heightened breach response.
Open
Hybrid-entity strategy under §164.105. Photo storage compliance and the medical-component analysis most operators skip.
Open
Biweekly briefing
HIPAA Pulse’s editorial digest paired with Patient Protect’s response notes — what happened, why it matters, what to do.
No spam. Unsubscribe anytime.
