U.S. Department of Health and Human Services (HHS)

U.S. Department of Health and Human Services (HHS) Vendor Cyber Rating & Cyber Score

hhs.gov

The Department of Health and Human Services (HHS) is the United States government's principal agency for protecting the health of all Americans and providing essential human services, especially for those who are least able to help themselves.


UDHHS A.I CyberSecurity Scoring

Company Information
Website: http://www.hhs.gov/
Employees number: 13,658
Number of followers: 1,140,565
NAICS: 92
Industry Type: Government Administration
Homepage: hhs.gov
UDHHS Risk Score (AI oriented)
Range: between 0 and 549
UDHHS, Government Administration
Updated: 04/04/2026
Score: 430/1000, Critical (C)

UDHHS: Critical
Current Score: 430 C (CRITICAL) on a 0 to 1000 scale
8 incidents
-98 average impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 447 (before incident)
MAY 2026: 436 (before incident)
APRIL 2026: 436 (before incident)
MARCH 2026: 426 (before incident)
FEBRUARY 2026: 476 (before incident)
Breach
16 Feb 2026, UDHHS
U.S. Department of Health and Human Services: Feds Launch Portal to Report Substance Use Disorder Breaches

HHS Launches New Portal for Reporting Substance Use Disorder Data Breaches

419 after incident
CRITICAL (score change -57)
HHS1771281140
The U.S. Department of Health and Human Services (HHS) has introduced a new enforcement program and web portal to strengthen protections for substance use disorder (SUD) patient records under 42 CFR Part 2 regulations. The initiative, launched by HHS’ Office for Civil Rights (OCR), went into effect on February 16, aligning Part 2 requirements more closely with HIPAA and the HITECH Act as mandated by the CARES Act of 2020. The program grants OCR civil enforcement authority, including monetary penalties, resolution agreements, and corrective actions for noncompliance. Covered entities such as federally assisted SUD treatment programs, healthcare providers, and business associates must now report breaches of Part 2 records affecting 500 or more individuals within 60 days of discovery, similar to HIPAA breach reporting rules. Smaller breaches must be reported by March 1 of the following year. A key change is the new breach reporting portal, which allows the public to submit and view reports of Part 2 record compromises. However, experts note confusion around compliance, including consent language requirements and scenarios where Part 2 records overlap with HIPAA-protected health information (PHI). Some breaches may require separate reports under both regulations, adding complexity. While the program aims to improve care coordination and reduce administrative burdens, concerns persist about OCR’s capacity to enforce the new mandates alongside existing HIPAA obligations. Critics question whether the agency has sufficient resources to handle the additional workload, particularly given the nuances of Part 2 compliance. The updated HIPAA breach reporting website now reflects OCR’s expanded authority to investigate both HIPAA and Part 2 breaches, though enforcement priorities will determine which smaller breaches are pursued. The changes mark a significant shift in how SUD patient confidentiality is regulated, with ongoing challenges in implementation.
INCIDENT DETAILS
TYPE
Regulatory Enforcement Program Launch
IMPACT
Data Compromised: Substance use disorder (SUD) patient records
Operational Impact: Increased administrative burden and compliance complexity for covered entities
Brand Reputation Impact: Potential reputational harm for non-compliant entities
Legal Liabilities: Monetary penalties, resolution agreements, and corrective actions for noncompliance
Identity Theft Risk: Risk of exposure of sensitive SUD patient records
DATA BREACH
Type Of Data Compromised: Substance use disorder (SUD) patient records
Number Of Records Exposed: 500 or more individuals (for large breaches)
Sensitivity Of Data: High (sensitive health information)
Personally Identifiable Information: Yes (SUD patient records)
JANUARY 2026: 473 (before incident)
DECEMBER 2025: 466 (before incident)
NOVEMBER 2025: 460 (before incident)
OCTOBER 2025: 453 (before incident)
SEPTEMBER 2025: 446 (before incident)
AUGUST 2025: 440 (before incident)
JULY 2025: 433 (before incident)
JUNE 2025: 562 (before incident)
Ransomware
19 Jun 2025, UDHHS
U.S. Department of Health and Human Services

Qilin Ransomware Attacks

423 after incident
CRITICAL (score change -139)
HHS821061925
The U.S. Department of Health and Human Services has documented significant financial losses due to Qilin ransomware attacks, with incidents causing damages ranging from $6 million to $40 million. These attacks primarily targeted healthcare and government agencies, causing severe disruptions and financial strain. The ransomware's sophisticated encryption techniques and evasion tactics have made it a formidable threat, leading to substantial financial and operational impacts.
INCIDENT DETAILS
TYPE
Ransomware
MOTIVATION
Financial gain
IMPACT
$6 million to $40 million per incident
VMware ESXi infrastructure
Critical infrastructure
DATA BREACH
AES-256-CTR, OAEP, ChaCha20
JANUARY 2025: 722 (before incident)
Breach
01 Jan 2025, UDHHS
BakerHostetler and U.S. Department of Health and Human Services’ Office for Civil Rights: Data privacy enforcement actions shift focus to business associates

OCR Ramps Up Enforcement Against Healthcare Business Associates in 2025

535 after incident
HIGH (score change -187)
BAKHHS1774578317
In 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) intensified its enforcement actions against healthcare business associates, marking a shift in regulatory focus. According to BakerHostetler’s annual Data Security Incident Response Report, which analyzed over 1,250 incidents across industries, OCR issued 12 enforcement actions, down from 23 in 2024, but with a notable emphasis on third-party vendors. Seven of the 12 resolutions targeted business associates, doubling the total number penalized since they first came under OCR’s purview in 2013. The agency also prioritized security risk analysis violations, imposing four penalties in 2025. However, OCR signaled a potential shift in 2026, opting for technical assistance over investigations for breaches affecting fewer than 500 individuals, likely due to staffing constraints and a focus on larger incidents. While federal enforcement may ease, state attorneys general (AGs) filled the gap in 2025, launching independent investigations even after OCR closed cases. Leveraging HIPAA, state privacy laws, and consumer protection statutes, AGs targeted both vendors and providers, particularly when breaches disproportionately impacted local residents. Healthcare breaches remained costly, with vendors accounting for over a third of incidents handled by BakerHostetler. Ransomware attacks persisted as a major threat, with an average demand of $18 million and an average payout of $1.2 million, the highest across industries. Recovery took an average of 12.7 days, with forensic investigations costing $40,000. Looking ahead, AI adoption and vendor management challenges are expected to complicate cybersecurity efforts in 2026, as regulatory uncertainty and evolving threats shape the healthcare landscape.
INCIDENT DETAILS
TYPE
regulatory_enforcement, data_breach, ransomware
IMPACT
Downtime: 12.7 days
Legal Liabilities: fines imposed under HIPAA and state privacy laws
DATA BREACH
Sensitivity Of Data: healthcare data (likely protected health information)
Breach
01 Jan 2025, UDHHS
U.S. Department of Health and Human Services: Nearly 75% of Healthcare Organizations Breached Through Email in 2025 Lacked Basic Authentication Protections, Paubox Report Finds

Paubox Report on Healthcare Email Security Gaps (2025)

535 after incident
CRITICAL (score change -187)
HHS1772059552
Paubox, a leading provider of HIPAA-compliant email security, has released its 2026 Healthcare Email Security Report, analyzing 170 email-related breaches reported to the U.S. Department of Health and Human Services (HHS) in 2025. The findings highlight persistent vulnerabilities in healthcare email security, despite a slight decline in total breaches from 180 in 2024.

Key Findings:
- Credential theft was the most damaging attack vector, exposing over 630,000 patient records despite accounting for less than 20% of incidents.
- 74% of breached organizations lacked effective DMARC policies or used monitor-only mode, allowing spoofed emails to bypass security.
- Over half had permissive or missing SPF records, enabling unauthorized server deliveries.
- No breached organization enforced MTA-STS, a protocol that encrypts mail server connections to prevent interception.
- Microsoft 365 was the primary email platform for 53% of breached organizations, with many failing to properly configure built-in security tools.

Additional Risks Identified:
- 3 million email addresses may be exposed to man-in-the-middle attacks due to unvalidated or expired server certificates, as Paubox research found encrypted emails routinely delivered to unverified servers.
- 41% of breached organizations fell into the highest risk category for authentication and encryption settings, up from 31% in 2024.

The report underscores that while breach numbers decreased, security postures weakened, with none of the affected organizations meeting the lowest risk threshold. Paubox recommends automated encryption for all outbound emails and AI-powered inbound threat detection to mitigate risks. The full report is based on HHS breach disclosures from January to December 2025.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Data Compromised: 630,000+ patient records exposed via credential theft; 3 million email addresses at risk of interception
Systems Affected: Email systems, Microsoft 365 platforms
Brand Reputation Impact: Likely significant due to healthcare data exposure
Identity Theft Risk: High (patient records exposed)
DATA BREACH
Type Of Data Compromised: Patient records, Email addresses
Number Of Records Exposed: 630,000+ (patient records), 3 million (email addresses at risk)
Sensitivity Of Data: High (healthcare data, personally identifiable information)
Data Encryption: Lack of MTA-STS enforcement led to unencrypted mail server connections
Personally Identifiable Information: Yes (patient records)
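A posture check for the three controls the Paubox findings above single out (DMARC mode, SPF terminal mechanism and MTA-STS mode), added here as an example; it is not code from the Paubox report or from Rankiteo. Records are passed in as strings rather than looked up in DNS, and the two domains and their records are constructed samples, not real organizations.

```python
def dmarc_posture(txt):
    """_dmarc TXT -> missing, monitor-only (p=none), partial (pct<100 or sp=none) or enforcing."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return "missing"
    tags = {k.strip().lower(): v.strip().lower()
            for k, v in (kv.split("=", 1) for kv in txt.split(";") if "=" in kv)}
    policy = tags.get("p", "none")
    if policy == "none":
        return "monitor-only"
    if int(tags.get("pct", "100")) < 100 or tags.get("sp", policy) == "none":
        return "partial"
    return "enforcing"

def spf_posture(txt):
    """SPF TXT -> missing, delegated (redirect=), strict (-all), soft (~all); +all, ?all or no 'all' -> permissive."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "missing"
    terms = txt.lower().split()
    if any(t.startswith("redirect=") for t in terms):
        return "delegated"  # posture is whatever the redirect target's record says
    return {"-all": "strict", "~all": "soft"}.get(terms[-1], "permissive")

def mta_sts_posture(policy):
    """MTA-STS policy body (RFC 8461) -> missing, none, testing or enforce."""
    if not policy:
        return "missing"
    fields = {k.strip().lower(): v.strip().lower()
              for k, v in (ln.split(":", 1) for ln in policy.splitlines() if ":" in ln)}
    if fields.get("version") != "stsv1":
        return "missing"
    return fields.get("mode", "none")  # only 'enforce' refuses delivery to an unvalidated MX

def assess(records):
    """Findings for one domain: one per control that misses the report's bar."""
    d, s, m = (dmarc_posture(records.get("dmarc")), spf_posture(records.get("spf")),
               mta_sts_posture(records.get("mta_sts")))
    findings = []
    if d != "enforcing":
        findings.append(f"DMARC {d}: spoofed mail from this domain is not rejected")
    if s in ("missing", "permissive"):
        findings.append(f"SPF {s}: unauthorized sending servers are not excluded")
    if m != "enforce":
        findings.append(f"MTA-STS {m}: TLS to the MX can be stripped or unvalidated")
    return findings

# Constructed sample records for two hypothetical domains (not real data).
SAMPLES = {"weak.example": {"dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
                            "spf": "v=spf1 include:_spf.example.net +all", "mta_sts": None},
           "hardened.example": {"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
                                "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
                                "mta_sts": "version: STSv1\nmode: enforce\nmx: mx.hardened.example\nmax_age: 604800"}}
if __name__ == "__main__":
    for name, recs in SAMPLES.items():
        print(name, assess(recs) or ["no findings"])
```

The weak domain reproduces all three report categories (monitor-only DMARC, permissive SPF, no MTA-STS); the hardened one yields no findings.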
DECEMBER 2023: 776 (before incident)
Breach
01 Dec 2023, UDHHS
U.S. Department of Health and Human Services

Cyberattack on U.S. Department of Health and Human Services

700 after incident
CRITICAL (score change -76)
HHS002070924
In a major cyberattack on the U.S. Department of Health and Human Services, attackers were able to infiltrate network systems and gain unauthorized access to a vast quantity of sensitive personal health information. The breach affected millions of individuals, compromising their private data, medical records, and possibly leading to widespread fraud. The attack also disrupted critical healthcare services, which had cascading effects on patient care and operational efficacy. The incident exposed the necessity for robust cybersecurity measures in the healthcare industry and prompted an urgent reassessment of data protection protocols within the department.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Sensitive personal health information, medical records
Systems Affected: Network systems
Operational Impact: Disruption of critical healthcare services
Brand Reputation Impact: Prompted urgent reassessment of data protection protocols
Identity Theft Risk: Possibly leading to widespread fraud
DATA BREACH
Sensitive personal health information, medical records
Number Of Records Exposed: Millions
Sensitivity Of Data: High
Personally Identifiable Information: Yes
JULY 2023: 743 (before incident)
Data Leak
01 Jul 2023, UDHHS
U.S. Department of Health and Human Services (HHS)

Data Breach at Pension Benefit Information (PBI)

689 after incident
CRITICAL (score change -54)
USD24024723
Many schools and universities provided retirement benefits for university staff through the Teachers Insurance and Annuity Association of America ("TIAA"). The TIAA portion of the intrusion did not directly target the vendor's computer systems. Pension Benefit Information (PBI), TIAA's vendor, informed TIAA that the intrusion had affected PBI. PBI informed HHS that 1,209,825 patients or insurance holders of its HIPAA-covered clients had been impacted, while Milliman Solutions informed the Maine Attorney General's Office that the attack on PBI had affected 1,280,823. At CalPERS, Genworth Financial, and Wilton Reassurance, an estimated further 5 million people were impacted, according to earlier press reports. Even so, these figures do not represent an exhaustive list or an estimate of all PBI clients whose consumers were impacted. PBI took the incident seriously and took preventive steps to secure its systems. PBI also offered access to 24 months of complimentary identity monitoring services through Kroll.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Pension Benefit Information
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Pension Benefit Information
Sensitivity Of Data: High
APRIL 2020: 749 (before incident)
Data Leak
01 Apr 2020, UDHHS
U.S. Department of Health and Human Services (HHS)

Manasa Health Centre Data Breach

681 after incident
CRITICAL (score change -68)
USD142925623
A settlement with Manasa Health Centre has been announced by the US Department of Health and Human Services (HHS). The agreement resolves a complaint OCR received in April 2020 stating that Manasa Health Centre had improperly released a patient's protected health information when it responded to the patient's unfavourable online review. According to an OCR investigation, the potential HIPAA Privacy Rule (Privacy Rule) violations include improper disclosure of patients' protected health information in response to unfavourable online reviews and failure to follow rules and regulations pertaining to protected health information. Manasa Health Centre agreed to implement a remedial action plan and paid OCR $30,000 in exchange for resolving these possible violations.
INCIDENT DETAILS
TYPE
Data Breach
IMPACT
Fines: $30,000
Data Compromised: Protected Health Information
HIPAA Privacy Rule Violations
DATA BREACH
Type Of Data Compromised: Protected Health Information
Sensitivity Of Data: High
MARCH 2019: 802 (before incident)
Data Leak
01 Mar 2019, UDHHS
U.S. Department of Health and Human Services (HHS)

Phishing Incident Affecting Nursing Facilities

733 after incident
HIGH (score change -69)
USD54141223
A phishing incident affected 10,831 people, including 7,678 patients, which CCC reported to HHS on behalf of its affiliated nursing facilities. HHS stated in its closing remarks that names, birth and death dates, Social Security numbers, medical record numbers, health insurance information, clinical information, and treatment information were among the protected health information (PHI) involved. CCC strengthened its administrative and technical security measures in response to this intrusion, which improved the protection of its PHI. Free credit monitoring and identity theft recovery services were made available to the affected parties. Additionally, OCR obtained confirmation that CCC carried out the aforementioned remedial measures and offered technical support to CCC concerning its security management process.
INCIDENT DETAILS
TYPE
Phishing
IMPACT
Names, birth and death dates, Social Security numbers, medical record numbers, health insurance information, clinical information, treatment information
DATA BREACH
Names, birth and death dates, Social Security numbers, medical record numbers, health insurance information, clinical information, treatment information
Sensitivity Of Data: High

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for UDHHS?
What was UDHHS's A.I Rankiteo Cyber Score in May 2026?
What was UDHHS's A.I Rankiteo Cyber Score in April 2026?
What was UDHHS's A.I Rankiteo Cyber Score in March 2026?
What was UDHHS's A.I Rankiteo Cyber Score in February 2026?
What was UDHHS's A.I Rankiteo Cyber Score in January 2026?
What was UDHHS's A.I Rankiteo Cyber Score in December 2025?
What was UDHHS's A.I Rankiteo Cyber Score in November 2025?
What was UDHHS's A.I Rankiteo Cyber Score in October 2025?
What was UDHHS's A.I Rankiteo Cyber Score in September 2025?
What was UDHHS's A.I Rankiteo Cyber Score in August 2025?
What was UDHHS's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on UDHHS's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with UDHHS?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view UDHHS's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?