DOJ Reveals Largest Coordinated Healthcare Fraud Effort in Agency History

The U.S. Department of Justice (DOJ) has announced its largest-ever coordinated healthcare fraud takedown, charging 324 individuals, including 96 doctors, nurses, and other licensed medical professionals, across the country. The alleged schemes involved nearly $14.6 billion in fraudulent claims to federal healthcare programs such as Medicare and Medicaid, with actual estimated losses of around $2.9 billion.

There are approximately 66 million Medicare beneficiaries and 80 million people enrolled in Medicaid or the Children’s Health Insurance Program (CHIP), plus another 20 million people covered through the exchanges who could be affected by this fraud.

The DOJ, working alongside the Department of Health and Human Services (HHS) and other federal agencies, successfully blocked most of these fraudulent payments, preventing billions in losses. Authorities also seized over $245 million in cash, luxury items, and other assets connected to the schemes. The DOJ stated, “We’ve moved from ‘pay-and-chase’ to ‘stop-and-catch’—CMS and HHS‑OIG teams swiftly identified fraud, suspended payments, and seized tens of millions.”

A major portion of the fraud — known as Operation Gold Rush — centered on a transnational network involving Eastern European and Russian groups. These criminals allegedly used stolen identities of over 1 million Americans and acquired more than 30 U.S.-based medical supply companies to submit massive false claims for items such as urinary catheters and glucose monitors. In total, these companies alone tried to bill Medicare for more than 1 billion unnecessary devices.

This sweeping operation highlights both the scale of organized healthcare fraud and the government’s commitment to protecting taxpayer funds and patient identities. Officials emphasized ongoing efforts to strengthen oversight, including using advanced data analytics and AI tools to detect and stop fraud more effectively in the future.

Christopher Delgado is the acting deputy assistant director of the FBI’s Criminal Investigative Division, which handles healthcare fraud. Here is an excerpt from his remarks in the announcement: “Possible health care fraud is not a victimless crime. Every dollar stolen through deceitful billing or unnecessary procedures is a dollar taken away from patients who truly need care and taxpayers who fund these critical programs.”

“Schemes like those mentioned above drive medical costs up, strain federal healthcare budgets, and ultimately impact every American who relies on Medicare, Medicaid, and other public and private insurance programs.”

“It’s also not just about financial losses. It’s about patients being exposed to unnecessary procedures, false diagnoses, and delayed care. That kind of exploitation isn’t just unethical, it’s dangerous and has no place in our healthcare system. Services that are wasteful should not be offered to the American people, because they could hurt them.”

The Centers for Medicare and Medicaid Services (CMS) has launched a new model called WISeR (Wasteful and Inappropriate Service Reduction). The WISeR Model is intended to protect American taxpayers by leveraging enhanced technologies, such as Artificial Intelligence (AI) and Machine Learning (ML), along with human clinical review, to ensure timely and appropriate Medicare payment for select items and services. The voluntary model will encourage care navigation and promote safe, evidence-supported best practices for treating people with Medicare. WISeR will run for six performance years, from January 1, 2026 to December 31, 2031. The application period opened on June 27, 2025.

HHS asks anyone who suspects waste, fraud, or abuse of the healthcare system to report it by calling 1-800-HHS-TIPS or through the OIG website:

https://oig.hhs.gov/fraud

The content provided reflects the most up-to-date information available at the time of writing and should not be considered legal advice.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

What You Should Do After National Watchdog Warns of Data Breach Affecting 184 Million Passwords

A leading national consumer watchdog group has sounded the alarm on a massive data breach, warning that as many as 184 million passwords may have been compromised. If confirmed, this breach would be one of the largest in recent history, potentially exposing sensitive login credentials and personal data for millions of users. Whether your data was directly affected or not, now is the time to take swift and smart action.


What We Know About the Breach

While details are still emerging, the watchdog group has reported that the breach involves leaked password databases that may have been collected through previous hacks, phishing schemes, or compromised third-party services. The data has reportedly surfaced on dark web forums and hacking communities, increasing the risk of identity theft, credential stuffing attacks, and financial fraud.


What You Should Do Immediately

1. Change Your Passwords—Starting with the Most Sensitive Accounts

Focus first on accounts that hold financial or sensitive information:

  • Bank accounts
  • Email accounts
  • Healthcare portals
  • Social media accounts linked to other logins

Use a strong, unique password for each account. Avoid reusing passwords across multiple sites.

2. Enable Multi-Factor Authentication (MFA)

MFA adds a second layer of security by requiring you to enter a verification code from your phone or authentication app. This can stop attackers even if they have your password.

3. Use a Password Manager

A password manager can help generate and securely store unique, complex passwords for all your accounts. This helps eliminate the temptation to reuse passwords and improves overall security.

4. Check If Your Passwords Were Compromised

Use a reputable service like:

  • HaveIBeenPwned.com
  • Your password manager’s breach monitoring tool

These tools can alert you if your email or credentials have been found in leaked data.

5. Monitor Your Accounts for Suspicious Activity

Regularly review your bank statements, credit card transactions, and email account access logs. If anything seems unusual, contact the relevant provider immediately.

6. Beware of Phishing Emails

After a major breach, phishing attempts tend to rise. Be cautious with emails that ask you to “verify your account,” click on suspicious links, or download unexpected attachments.


What Businesses Should Do

  • Implement mandatory password resets.
  • Audit your security protocols and consider third-party penetration testing.
  • Educate your employees on how to spot phishing and secure their accounts.

Final Thoughts

Cybersecurity experts have long warned that massive credential breaches are not a matter of if, but when. With the watchdog group raising this new alert, every consumer and organization should treat this as a wake-up call. The good news is that with the right precautions, you can minimize the damage and protect your digital life going forward.

Stay alert. Stay secure. And take action now—before someone else takes control of your data.


Understanding HIPAA Resolution Agreements and Compliance Obligations

A Resolution Agreement is a formal settlement between the U.S. Department of Health and Human Services (HHS) and a HIPAA-covered entity or business associate. Under the agreement, the organization agrees to take specific corrective actions and submit regular compliance reports to HHS, typically over a three-year period. During this time, HHS monitors the organization’s adherence to these requirements.

If a covered entity fails to demonstrate compliance or complete corrective actions satisfactorily—whether through informal resolution or a resolution agreement—civil money penalties (CMPs), commonly referred to as HIPAA fines, may be imposed.


Common Requirements in a Resolution Agreement

Some typical obligations in a resolution agreement include:

  • Payment: The covered entity must pay the agreed-upon settlement amount within 30 days of the agreement’s effective date.
  • Policy Review: Within 30 days, the entity must review and, if needed, revise its policies related to patient access to protected health information (PHI), including methods for calculating fees.
  • Training: Within 60 days, training materials must be developed and provided to staff on patients’ rights to access their PHI.
  • Access Log Reporting: Every 90 days, starting within 90 days of HHS approval of policies, the entity must submit a log of PHI access requests, including key details such as dates, formats, and costs.
  • Implementation Report: Within 120 days of HHS’s approval of the policies, a written implementation status report must be submitted.
  • Annual Reporting: Each year of the compliance term (e.g., three years) is considered a “Reporting Period.” The entity must submit an annual report to HHS within 60 days of the end of each period.

Additional Enforcement Authorities

In addition to HHS and the Office for Civil Rights (OCR), other agencies may impose penalties:

  • State Attorneys General: For example, Florida’s Consumer Protection Division enforces the Florida Deceptive and Unfair Trade Practices Act and has recovered over $10 billion since 2011.
  • Federal Agencies: The Department of Justice (DOJ), Office of Inspector General (OIG), and Federal Trade Commission (FTC) can also pursue penalties for fraud, privacy violations, or deceptive practices.

Corrective Action Plans (CAPs)

Most resolution agreements include a Corrective Action Plan (CAP) monitored by OCR, typically for two years. CAPs require the entity to take defined steps to address HIPAA compliance deficiencies, including:

  • Conducting a comprehensive risk analysis of potential threats to ePHI.
  • Implementing a risk management plan based on identified vulnerabilities.
  • Updating and maintaining written HIPAA policies and procedures.
  • Providing tailored HIPAA training to workforce members.

OCR Recommendations for Preventing Cyber Threats

To reduce cybersecurity risks, OCR recommends that HIPAA-covered entities and business associates:

  • Identify how ePHI flows through their systems.
  • Integrate risk analysis and management into daily operations.
  • Implement and review audit controls regularly.
  • Use authentication mechanisms to ensure only authorized access to PHI.
  • Encrypt ePHI in transit and at rest when appropriate.
  • Learn from past security incidents to strengthen future protections.
  • Provide HIPAA training for all staff.

By proactively implementing these measures, organizations can better protect patient data and avoid costly penalties, enforcement actions, and reputational damage.


HIPAA Settlement of $25K with New York Neurology Practice Over Ransomware Attack

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has reached a settlement with Comprehensive Neurology, a small neurology practice based in New York, following a potential violation of the HIPAA Security Rule. The investigation stemmed from a ransomware attack that compromised the electronic protected health information (ePHI) of patients.

OCR’s investigation revealed potential failures by the practice to implement adequate security measures required under the HIPAA Security Rule, such as conducting a thorough risk analysis and maintaining appropriate safeguards to protect ePHI. The breach impacted sensitive health data and underscored vulnerabilities in the practice’s cybersecurity defenses.

Ransomware and hacking remain the leading cyber threats to electronic health information in the healthcare sector. Ransomware, a form of malicious software (malware), is designed to block access to a user’s data—typically by encrypting it—until a ransom is paid. This settlement represents the 12th enforcement action related to ransomware and the 8th action under OCR’s ongoing Risk Analysis Initiative.

As part of the settlement, Comprehensive Neurology agreed to pay a monetary fine of $25K and implement a corrective action plan that will be monitored for two years to strengthen its HIPAA compliance program, including risk assessments, updated security policies, and staff training.

This case highlights the importance of proactive cybersecurity measures for all healthcare providers, regardless of size, and reinforces OCR’s commitment to protecting patient data in the face of increasing cyber threats like ransomware.


Another Phishing Attack Results in a $600,000 Settlement

PIH Health, Inc. (PIH), a California health care network, has agreed to pay OCR $600,000. The violations stem from an email phishing attack that exposed unsecured electronic protected health information (ePHI).

The settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.

“Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”

Under the terms of the resolution agreement, PIH has paid a $600,000 settlement to OCR and has agreed to implement a corrective action plan that will be monitored by OCR for two years. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:

  • Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
  • Training its workforce members who have access to PHI on its HIPAA policies and procedures.

Phishing attacks continue to pose a significant threat to the healthcare industry, exploiting human error to gain unauthorized access to sensitive patient data. These attacks typically involve deceptive emails or messages that trick staff into revealing login credentials, clicking malicious links, or downloading malware.

Due to the high value of protected health information (PHI) on the black market, healthcare organizations are prime targets for cybercriminals. Successful phishing breaches can lead to widespread data exposure, operational disruption, regulatory penalties, and loss of patient trust.

In recent years, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has intensified enforcement actions against healthcare entities that fail to implement adequate phishing defenses, such as employee training, risk assessments, and email security tools. As phishing tactics grow more sophisticated, healthcare organizations must prioritize a layered cybersecurity approach to protect against these persistent threats.

Securing email accounts is critically important, especially in sectors like healthcare, where sensitive information is routinely exchanged. Email is often the gateway to an organization’s internal systems and can serve as a direct path for cybercriminals to access protected health information (PHI), financial data, and other confidential content. Unsecured email accounts are particularly vulnerable to phishing attacks, credential theft, and unauthorized access, all of which can lead to data breaches, regulatory fines, and reputational damage.

What Can You Do to Prevent a Breach?

Implementing strong passwords, multi-factor authentication (MFA), encryption, and regular staff training are essential steps in safeguarding email communications. By fortifying email security, organizations not only reduce the risk of cyberattacks but also demonstrate a proactive commitment to protecting patient and organizational data.

OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • Integrate risk analysis and risk management into business processes regularly.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to the organization and to job responsibilities on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.


HIPAA updates for 2025 and beyond

What you need to know

In 2025 and beyond, many HIPAA updates are occurring in the healthcare arena. Staff education and patient privacy are front and center for OCR. You can be fined for HIPAA violations and be required to implement a corrective action plan that will be monitored by OCR for three years. There are significant changes to both the HIPAA Privacy Rule and the Security Rule.

  • Notice of Privacy Practices must be updated to include Health Information Exchanges (HIEs).
  • Reproductive healthcare and how you protect privacy (this may change).
  • Substance Abuse and Mental Health Services Administration updates.
  • A patient’s right of access may be reduced to 15 days, and immediate in some cases. Patient right of access has been a major source of complaints, resulting in fines from $3,500 to over $250K.
  • New patient authorization attestation requirements.
  • The posting of estimated fee schedules may be required.
  • Information blocking guidelines, including a patient’s right to request their records in the format of their choice.
  • Non-discrimination notices with specific terminology (in 15 languages) on websites and in offices.
  • Language assistance notice (and staff training on the tools utilized).
  • Conscience rights notice.
  • Website accessibility requirements. The ADA requires that people with disabilities have equal access to information. An inaccessible website, mobile app, or kiosk can exclude people just as much as steps at an entrance to a physical location.

The updated HIPAA training requirements for 2025 bring several significant changes. The most notable is the emphasis on cybersecurity.

Cybersecurity awareness is a critical component, and employees must be trained in recognizing and responding to potential cyber threats. This includes:

  • understanding how to identify phishing attempts,
  • using strong passwords, and
  • implementing multi-factor authentication.

Data security proposed changes:

Healthcare providers and their business associates (BAs) may be required to implement enhanced administrative, physical, and technical safeguards for electronic protected health information (ePHI). This includes written procedures for restoring electronic information systems and data within 72 hours, and specific compliance time periods for many of the existing requirements. Providers could be required to conduct a compliance audit at least every 12 months and to verify that their BAs have implemented the technical safeguards required under the HIPAA Security Rule. Keep in mind that all entities handling ePHI, including subcontractors of BAs, must already comply with the HIPAA Security Rule; this enhancement adds the requirement to review and audit that compliance every year.

Healthcare providers may be required to conduct more frequent and thorough risk assessments of their IT infrastructure, and to maintain an asset inventory and a network map that illustrates the movement of ePHI throughout the organization’s environment. This is already a requirement under the HIPAA Security Rule, but the proposed rule would require it to be updated on an ongoing basis, or at least once a year. Providers would also need to review their Security Incident Response Plans and document how employees are to report suspected or known security incidents and how the entity will respond.

Medical practices would need to use anti-malware/anti-virus systems, including on remote users’ devices, conduct vulnerability scanning every 6 months, and perform penetration testing once a year.

Healthcare providers would need to update legacy systems, since outdated legacy systems are seen as a significant vulnerability. Under the proposed updates, entities may face stricter obligations to retire or upgrade unsupported software. 

ePHI would require higher levels of encryption both at rest and in transit and multi-factor authentication (MFA) will need to be utilized, along with continuous network monitoring to detect threats in real time. 

Keep in mind, cyber-security is essential for patient privacy and safety.

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) is working with the Trump Administration to initiate a one-year consultative process with leaders of the healthcare sector to negotiate sound cybersecurity practices that all healthcare stakeholders can be held accountable to.

HSCC Cybersecurity Working Group Executive Director Greg Garcia said “The healthcare industry is now targeted by more cyber-attacks than any other industry sector. If our healthcare owners and operators are to keep up with the evolution of healthcare delivery, technology innovation, and adversarial cyber threats across our vastly interconnected ecosystem, we need our government as a partner in this mission.”

Those involved in cyber-security in the healthcare space understand the need for greater protection but also believe there are many moving parts that need to be coordinated in order to be effective.

Although these proposed changes are still being negotiated, the best practice for every entity that handles patient data is to conduct a system-wide risk analysis and review how data flows in and out of your network. Once this has been determined, you can address cyber-security for your particular network; there is no one-size-fits-all solution. This is where you need a partner that specializes in data security rather than an average IT company. It sounds like a lot of work, but not when you have the right partners in place.

Summary

Our HIPAA Keeper online compliance system has everything needed for HIPAA compliance documentation. Plus, we work with business partners that are HIPAA compliant as well. So, whatever your need is, we have you covered!

“Simplifying HIPAA through Automation, Education, and Support”

Feel free to share this blog with your colleagues. We want to educate as many practices as we can, since HIPAA violations can be expensive.

New Scams and Hackers

In today’s digital age, scams and hackers have become increasingly sophisticated, targeting individuals and businesses alike with tactics that are harder to detect and easier to fall for. From phishing emails and fake websites to ransomware attacks and identity theft, the threats are constantly evolving. As our reliance on technology grows, so does the importance of understanding how these cybercriminals operate and what steps we can take to protect ourselves. This article dives into the world of online scams and hackers, uncovering their methods, motivations, and most importantly, how to stay one step ahead.

Facebook Scammer

One of the recent disruptors is having your Facebook account hijacked: you are locked out of your account and cannot remove the scammer’s posts. This has happened to more than one of my friends. Here is how the scam typically reads:

They state they need to sell personal items for a family member who is going into a care facility or has a medical condition. They list SEVERAL valuable items at very low cost and ask for a “REFUNDABLE” deposit to hold the item until they “return” and you have a chance to inspect it. They state they will be out of town for a couple of weeks and are sad to have to clear out the home of this beloved person. They restrict comments, so you can’t warn anyone about the scam. They ask interested people to contact them through Messenger, where they will give you a Zelle account. Keep in mind that a Zelle transaction CANNOT be reversed, so you are at the mercy of the scammer to return your deposit, which they WILL NOT do. Think about this: the people who are “purchasing” these items think they are buying from YOU.

For those who are looking to buy on Facebook (or any other online platform), always remember: if a price is too good to be true, it probably is! NEVER send money by Zelle or Venmo to anyone you do not know, or for a deal like this. Insist on going to look at the items in person BEFORE any transaction is made. If they refuse, it is a scam.

Since the major data breach affecting 4 billion people, this information has been sold on the dark web. It includes EVERYTHING needed to impersonate another person. We already sent this warning out last year, but feel the need to repeat it:

  • Change passwords
  • Change answers to security questions
  • Enable multi-factor authentication on every account that offers this

Make sure your cell phone or email account that is used for the second authentication is secured with multi-factor authentication. Otherwise, if they hack this account, they will receive the “second” authentication instead of you!

Bank / Credit Card Scams

Scammers can spoof your bank’s phone number. When they call, they will say a suspicious amount has been charged to your account. They will have your card number, your address, everything EXCEPT the security code on the back of your card. If they ask you to read them that code to “verify” your identity, they are a scammer.

If you receive a text message or email from your “bank” describing the same situation or asking you to verify your account, do not click on any links. Instead, call your bank at the number you already have, or log in directly from your browser.

Never say “Yes”

When a person calls you and asks, “Can you hear me?”, never say yes. They may be recording you so they can make false purchases. Instead, reply, “Why are you asking?” If they ask, “Is this Sally Smith?”, ask them, “Why are you asking?” This happened to me a couple of weeks ago. They said, “We are offering a free subscription for your type of industry, would you like a free subscription?” I asked, “What kind of industry are you offering?” They said they have many different industries. I replied, “BUT you said you had a subscription in MY industry.” They hung up!

Jury Duty / Arrest Warrant

These scammers threaten you with arrest if you do not pay the “fee” for missing jury duty or an outstanding ticket. They typically ask for a gift card, but with all the new scammers using Zelle, I am sure that will be next.

Investment Scams

With all the talk about crypto being the next big thing, scammers are trying to capitalize on it. These scams usually start with someone on social media offering to show you how to invest in cryptocurrencies. Again, if something sounds too good to be true, it probably is. Warning signs include guaranteed big returns, “no risk,” and requests for money to be wired or sent through a Zelle-type system.

Renewal / Update Payment Scams

We see many of these emails and text messages targeting consumers, impersonating commonly used stores and banks. They use the store or bank logo and add some sort of subscription ID or the last 4 digits of a credit card. Check your own renewal date and credit card information; they are betting you won’t check and will just click. The link within the email or text could deliver a virus or lead to a fake URL designed to capture your login credentials. They also include an “unsubscribe” link at the bottom to make the message look real. Sometimes the link really does connect to the store; other times it will take you to a “fake” site and ask for your login credentials.

Job Posting Scams

This is common during the holidays when people are looking for some extra money, but it can happen at any time. Scammers post jobs on social media sites, or sometimes they will contact you via email or a text message. The message usually starts by referring to an ad you answered. They may use a fake company or impersonate a well-known firm. These scammers offer great pay or state the compensation will be much more lucrative than it really is. Sometimes they offer free gifts if you become a mystery shopper. Keep in mind that there are legitimate companies offering jobs; however, never pay for upfront training, interviews, lists of job openings, or mystery shopping opportunities.

Also, never accept a deposit from a company that asks you to send back a portion of it.

Remember, legitimate companies do not ask for money from potential employees or salespeople.

What can you do?

If you encounter a scam, report it to the FTC (Federal Trade Commission). Although they will not update you on the progress of your report, they share this information with law enforcement to help with investigations. Together, we can help stop this criminal activity and warn others!

https://reportfraud.ftc.gov

Feel free to share this with others. The world wide web (WWW) is the new wild wild west!

Stay safe and alert out there.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.

Other related articles:

UPDATE on Online Tracking Technology

The Health Insurance Portability and Accountability Act (HIPAA) has long served as a cornerstone in protecting the privacy and security of individuals’ health information. As digital technology continues to evolve, so do the ways in which health data can be collected, shared, and potentially exposed. Recently, there have been significant updates concerning the use of online tracking technologies—such as cookies, web beacons, and pixels—particularly when used by HIPAA-covered entities and their business associates. These updates clarify how existing HIPAA regulations apply in the digital landscape, emphasizing the need for transparency, patient consent, and robust safeguards when handling protected health information (PHI) online.

These updates may be good news for healthcare

A federal judge in Texas ruled that HHS’s guidance treating the use of third-party online tracking technologies on hospitals’ public-facing web pages as an unlawful disclosure of PHI exceeded the agency’s authority. District Judge Mark Pittman sided with the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources and United Regional Health Care System, finding that the Department of Health and Human Services overstepped its authority with the 2022 guidance.

The lawsuit argued that HHS had expanded HIPAA’s definition of “individually identifiable health information” beyond its statutory authority, and it asked the court to invalidate the portion of OCR’s guidance addressing unauthenticated web pages.

This past March, HHS updated its guidance on third-party web trackers to exclude certain types of website visits from its criteria for protected health information (PHI) disclosures. The AHA contended that the revised bulletin was still unlawful, and Judge Pittman agreed in his ruling.

Keep in mind that this milestone ruling was won by hospitals and larger entities, which have far more financial strength to litigate than small to medium-sized practices.

HHS / OCR backtracks and updates guidance

On March 18, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released updated guidance on the use of online tracking technologies by HIPAA-covered entities and their business associates. This update clarifies how HIPAA applies to tools like cookies, pixels, and web beacons used on websites and mobile apps.

Key Points from the Updated Guidance:

  1. Definition of PHI in Online Tracking: OCR emphasizes that individually identifiable health information (IIHI) collected through tracking technologies is considered protected health information (PHI) under HIPAA. This includes data such as IP addresses, device identifiers, and browsing behavior when linked to an individual’s health care or payment for health care. Even if the individual does not have an existing relationship with the entity, such information is still regarded as PHI.
  2. Use on Authenticated and Unauthenticated Webpages: The guidance distinguishes between authenticated webpages (requiring user login) and unauthenticated webpages. For authenticated pages, any tracking technology that collects PHI must comply with HIPAA regulations. For unauthenticated pages, if the information collected can be linked to an individual’s health care or payment, it is also considered PHI.
  3. Business Associate Agreements (BAAs): Disclosing PHI to third-party tracking technology vendors without a valid HIPAA authorization or a business associate agreement (BAA) is considered a HIPAA violation. Entities must ensure that any sharing of PHI complies with HIPAA’s Privacy Rule requirements.
  4. Enforcement and Compliance: OCR has indicated that it will prioritize compliance with the HIPAA Security Rule in investigations related to online tracking technologies. Covered entities are advised to conduct thorough risk assessments, train staff, and implement appropriate technical safeguards to ensure compliance.

This updated guidance underscores the importance of safeguarding PHI in the digital realm. HIPAA-regulated entities must carefully assess their use of online tracking technologies, ensuring compliance with privacy regulations to protect patient information.

Google Analytics

Removing Protected Health Information (PHI) from Google Analytics is a critical step for HIPAA-covered entities. Google does not sign Business Associate Agreements (BAAs) for Google Analytics, so any PHI that reaches the service is an impermissible disclosure under HIPAA. To avoid this, organizations must take proactive measures to prevent PHI—such as names, IP addresses, medical conditions, appointment details, or any data that can be tied to an individual’s health—from being captured by tracking scripts. This usually means disabling data collection entirely on sensitive pages (patient portals, appointment and billing pages), scrubbing URLs and page titles of identifiable information before they are sent, anonymizing IP addresses, and excluding user-specific identifiers from every event the tracker emits.

By auditing their tracking implementations and employing privacy-centric alternatives, healthcare organizations can maintain valuable analytics insights without compromising patient privacy.
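The URL scrubbing and sensitive-page exclusion described above, as an added example in browser JavaScript (not code from the original article or from Google): the path prefixes, the allowed query parameters and the identifier patterns are assumptions chosen for illustration, and the sample URLs are constructed. The function returns the URL that is safe to report, or null when the page should not be reported at all.

```javascript
// Added example: scrub a page URL before it is handed to a web-analytics
// tracker so that no PHI (appointment details, record numbers, names in
// query strings) leaves the browser. The prefixes, parameter names and
// identifier patterns below are assumptions for illustration.

// Pages whose visits are themselves health-related: send nothing at all.
const SENSITIVE_PATH_PREFIXES = ['/patient-portal/', '/appointments/', '/billing/', '/results/'];

// Allow-list, not block-list: every query parameter not named here is dropped.
const ALLOWED_QUERY_PARAMS = new Set(['utm_source', 'utm_medium', 'utm_campaign', 'lang']);

// Path segments that look like identifiers are replaced with a placeholder.
const IDENTIFIER_PATTERNS = [
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i, // UUID
  /^\d{4,}$/,                      // MRN, account or appointment numbers
  /^[^@\s]+@[^@\s]+\.[^@\s]+$/,    // e-mail address used as a path segment
  /^(mrn|pt|acct)[-_]\d+$/i,       // prefixed record identifiers (assumed convention)
];

function isSensitivePath(pathname) {
  const p = pathname.toLowerCase();
  return SENSITIVE_PATH_PREFIXES.some(prefix => p.startsWith(prefix));
}

function redactPathname(pathname) {
  return pathname
    .split('/')
    .map(seg => {
      let decoded = seg;
      try { decoded = decodeURIComponent(seg); } catch { /* malformed escape: test raw segment */ }
      return IDENTIFIER_PATTERNS.some(re => re.test(decoded)) ? '_redacted_' : seg;
    })
    .join('/');
}

// Returns the URL that is safe to report, or null when the page must not be
// reported at all. The fragment is never copied (portals often carry tokens there).
function sanitizeForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  if (isSensitivePath(url.pathname)) return null;

  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(key.toLowerCase())) kept.append(key, value);
  }

  const clean = new URL(url.origin + redactPathname(url.pathname));
  const qs = kept.toString();
  if (qs) clean.search = qs;
  return clean.toString();
}

// Constructed sample URLs showing each behaviour.
const samples = [
  'https://clinic.example/locations/downtown?utm_source=newsletter&patient=Jane+Doe',
  'https://clinic.example/patient-portal/messages?id=123',
  'https://clinic.example/doctors/dr-smith/appointment/20240918#token=abc',
];
for (const s of samples) console.log(s, '=>', sanitizeForAnalytics(s));
```

Wire it in where your tag sends its page view: with the automatic page view turned off, pass the returned string as the page location and skip the call entirely when the result is null. The allow-list of query parameters is deliberate; a block-list of known PHI parameters will miss the next one a developer adds.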

Analytics Alternatives

There are some Google Analytics alternatives, but not all of them publish prices. When searching for these services, be very careful. Nefarious characters are going to try to trick you into buying a service that sounds too good to be true, and criminals are always looking for new ways to gain access to patient data. Whatever service you consider, confirm in writing that the vendor will sign a BAA before any PHI can reach it.

Let us know if you would like us to review any particular service or if you have any questions. We are here to help!

Spotting scams, you need to look closely!

Most people in healthcare have been affected by the Change Healthcare cyberattack. Scams have hit a new level, and you must be more diligent than ever before. Scams can be spotted, but you must look closely, and a scam can quickly turn into a data breach. I recently conducted a HIPAA security officer training and reminded the attendees of some of the threats that destroy your computer systems, both at work and at home. I watched “The Beekeeper” movie over the weekend. This made me change our Security Notification for this month. If you like action packed, good guy gets even, this is a great movie. This movie is about an email scam and revenge. If you are a Jason Statham fan, you will like this movie!

Here is the scenario:

Your computer displays a huge alert saying it is locked, you have been hacked, and your email, bank accounts, passwords, etc. have been compromised, along with a phone number for the “help desk”. You call the number, and they “help” themselves to the contents of your bank account. Don’t call the number on the screen; look the company’s number up yourself, and DO NOT use a customer service or help desk number from a sponsored ad, because some scammers pay for ads to reach the top of Google. These alerts are almost always just a web page in your browser: DON’T click on anything in the warning, and most of the time closing the browser or rebooting clears the screen. It is best to contact your IT company first. If you are at home and can’t reach anyone, press Ctrl+Alt+Delete to open Task Manager and end the browser, or use that screen to shut the computer down, then run a virus scan when you boot back up. Whatever you do, do not pay anyone anything until you have verified that the situation is real!

Scams in text messages:

There are many versions of these messages; they arrive as emails, text messages, and voice mails, and scams are hitting new levels every day. Some want you to click on a link, others want you to call the number they provide. Never click a link or call a number in a text until you have verified, through a channel you looked up yourself, that the message is valid.

Other email scams:

We have been saying for years: DO NOT CLICK ON LINKS. When you receive an email from your bank, the IRS, the post office, FedEx, etc., look closely at the “from” email address. Many times you can spot the fake: it could be something as simple as an extra “.” or a swapped letter in the domain. Also look at who the message is addressed to; sometimes it is someone else. They do this so you will reply to let them know they have the wrong person, which tells the scammer that your address is live and that you answer. If there is a link they want you to click, hover over it instead. It may take you to a completely different site, one that could infect your computer or that looks like the site you expected, only to lure you into entering your login credentials.

Phone call scams:

Scammers can spoof the caller ID of legitimate agencies like the power company, the IRS, and even the police department. Never pay an “immediate” demand, whether it is a threat to shut off your power, an IRS payment said to be due, or a penalty for missing jury duty. These are just SOME of the examples these criminals are using.

Online marketplaces:

Scammers also target people who post things for sale on sites like Craigslist or Facebook Marketplace. They also prey on people who post looking for help finding their lost pet.

These scammers contact you and say they want to buy the item you’re selling — or that they found your pet. However, before they commit to buying, or returning your pet, they typically say they’ve heard about fake online listings and want to verify that you’re a real person. Or they might say they want to verify that you’re the pet’s true owner.

They send you a text message with a Google Voice verification code and ask you for that code. If you give them the verification code, they’ll try to use it to create a Google Voice number linked to your phone number. (Google Voice gives you a phone number that you can use to make calls or send text messages from a web browser or a mobile device.) The scammer might use that number to rip off other people and conceal their identity.

Sometimes these scammers are after a Google Voice verification code and other information about you. If they get enough of your information, they could pretend to be you to access your accounts or open new accounts in your name.

If you gave someone a Google Voice verification code, follow the steps from Google to reclaim your number.

No matter what the story is, don’t share your Google Voice verification code — or any verification code — with someone if you didn’t contact them first. That’s a scam, every time. Report it at ReportFraud.ftc.gov.

What can you do?

When you receive a suspicious email, text, or phone call, call your bank or the company being impersonated, using a number you look up yourself, to let them know what happened. If scammers are doing this to you, they are doing it to MANY others. You can also report it to the Federal Trade Commission (FTC). The FTC does not resolve individual reports, but your report will be entered in the FTC’s Consumer Sentinel database and made available to federal, state, and local law enforcement across the country.

If someone has clicked a link or opened an attachment that downloaded harmful software:

  • Disconnect the computer from the network and contact your IT department to update your computer’s security software.
  • They will run a scan and remove anything it identifies as a problem.

If you think a scammer has your information, like your Social Security, credit card, or bank account number:

  • Go to identitytheft.gov for steps you can take based on what kind of information was lost or exposed.

If you gave your username and password to a scammer:

  • Change your password right away. If you use the same password for other accounts or sites, change it there too, and turn on multi-factor authentication wherever it is offered.

If someone calls and offers to “help” you recover money you have already lost:

  • Don’t give them money or personal information. You are probably dealing with a fake refund scam.

Scammers are getting bolder and more brazen. It is up to us to stay diligent and to stay safe.

Preventing a Data Breach

Preventing a data breach can feel like a daunting task. However, a well-educated staff is your first line of defense. Although nothing is failsafe, there are many things you can do within your practice to prevent a data breach. We covered this last year, but I thought it might be time for a reminder with the latest breach from Change Healthcare.

Hacking/IT incidents remain the largest category, comprising 77% of reported breaches. Network servers continued to be the largest category by location for breaches involving 500 or more individuals, at 58% of reported large breaches.

If you would like to review the list of breaches, click here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Many of these start with an unsuspecting employee who clicks on a link or shares information before it has been verified. Most attacks begin with a phishing email, a text, or a visit to a compromised website. Once this occurs, you are often infected with a virus, malware, or ransomware, and your systems may be frozen, which is in effect a denial of service against your own practice. Let’s review how to prevent a data breach:

Emails:

What does a fake email look like? First, it is going to look “real” until you take a closer look. Pay attention to the “from” email address; this is the most common place to start. Most will show a name you are familiar with, but the address behind it will be different. For example, a message claiming to be from Bank of America might arrive from sally@email.bankofamerica.com. The part that matters is the domain just before the “.com”: anything ending in bankofamerica.com belongs to the bank, including its subdomains, while a domain that only resembles it, with extra words added or a letter swapped, does not. Look for anything that is “slightly” different. Then, if they want you to click on a link, hover over it to see whether it really goes where they claim. I received an email from my “bank” asking me to “Finish the Do-To-List”. I knew I hadn’t started any such list, and I hovered over the link. It went to a completely different website. I reviewed the message details and looked up the IP address; it was from Spain. My bank is not in Spain! If you would like to learn more about reading your message details, reply to this email.
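The two checks described above and in the earlier email section, looking past the display name to the real sender domain and comparing a link’s visible text with where it actually goes, done mechanically, as an added example (JavaScript, runnable with Node; not code from the original article): the brand-to-domain table and the sample message are constructed for illustration, and the registrable-domain function is a simplification that treats the last two labels as the owner’s domain.

```javascript
// Added example: mechanical versions of "look at the from address" and
// "hover over the link". The brand table and the sample message are
// constructed for illustration.

// Brand name as it appears in a display name -> the domain that brand really uses.
// Any subdomain of the listed domain (email.bankofamerica.com) is fine; a different
// registrable domain is not, however closely it resembles the real one.
const KNOWN_BRANDS = {
  'bank of america': 'bankofamerica.com',
  'fedex': 'fedex.com',
};

// Registrable domain = last two labels. Simplification: real code consults the
// Public Suffix List so that "example.co.uk" is handled correctly.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Parse `"Display Name" <user@host>` or a bare address.
function parseFrom(fromHeader) {
  const m = fromHeader.match(/^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$/);
  const displayName = m ? m[1].trim() : '';
  const address = (m ? m[2] : fromHeader).trim().toLowerCase();
  const at = address.lastIndexOf('@');
  return { displayName, address, domain: at >= 0 ? address.slice(at + 1) : '' };
}

function checkSender(fromHeader) {
  const { displayName, domain } = parseFrom(fromHeader);
  const findings = [];
  for (const [brand, realDomain] of Object.entries(KNOWN_BRANDS)) {
    if (displayName.toLowerCase().includes(brand) && registrableDomain(domain) !== realDomain) {
      findings.push(`sender claims "${displayName}" but mail comes from ${domain}`);
    }
  }
  return findings;
}

// Pull <a href="...">text</a> pairs out of an HTML body (tags inside the text are dropped).
function extractLinks(html) {
  const links = [];
  const re = /<a\b[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

function hostOf(urlish) {
  try { return new URL(urlish.includes('://') ? urlish : 'https://' + urlish).hostname; }
  catch { return null; }
}

function checkLinks(html) {
  const findings = [];
  for (const { href, text } of extractLinks(html)) {
    const hrefHost = hostOf(href);
    if (!hrefHost) continue;
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hrefHost)) {
      findings.push(`link points at a bare IP address: ${hrefHost}`);
    }
    // Visible text that looks like a URL or host name must agree with the real target.
    const looksLikeUrl = /^(https?:\/\/)?[\w.-]+\.[a-z]{2,}(\/\S*)?$/i.test(text);
    const textHost = looksLikeUrl ? hostOf(text) : null;
    if (textHost && registrableDomain(textHost) !== registrableDomain(hrefHost)) {
      findings.push(`link text says ${textHost} but goes to ${hrefHost}`);
    }
  }
  return findings;
}

function analyzeEmail({ from, html }) {
  return [...checkSender(from), ...checkLinks(html)];
}

// Constructed sample: a look-alike "bank" sender and a link whose text lies about its target.
const sample = {
  from: '"Bank of America Alerts" <alerts@bankofamerica-secure.com>',
  html: '<p>Finish your To-Do list: <a href="http://198.51.100.23/login">https://www.bankofamerica.com/login</a></p>' +
        '<p><a href="https://example.net/unsub">Unsubscribe</a></p>',
};
console.log(analyzeEmail(sample));
```

A sender address can itself be forged, so a clean result from checkSender proves nothing on its own; a mismatch, however, is a reliable reason to stop. The same goes for links: text that agrees with the target is not proof of safety, but text that disagrees is the tell the article describes.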

Text Messages:

Text messages work much the same way. Look at the top of the message to see who it is from; most of these come from a phone number or an email address that does not belong to the actual company. NEVER click a link or call the number in the message. If you receive a message about a purchase that says you must click to decline it, DON’T! Call your bank or credit card company directly to verify. You must be very diligent with these messages; scammers dress them up with official-looking sender addresses such as stop@fraud.bankofamerica.com, and because a sender address can be forged, the address alone proves nothing.

Websites:

Websites can be infected with malware or a virus, or can redirect the information you enter. Again, it is very important to look at the URL closely before entering any credentials. When you visit unknown sites, you run the risk of being infected. This is difficult to accept, since we all like to “surf” the web, but many recipe sites, for example, have been known to carry malware because nobody maintains security on older sites. If you are going to surf, you MUST have very good anti-virus / anti-malware software. I am currently using Bitdefender Total Security. When I try to go to a website and the site’s credentials do not match, my software will NOT let me go to the site unless I enter my password for the software. Your IT vendor may use something similar. Websites that have not been maintained, or that have been hacked, can present all kinds of problems. Preventing a data breach means that staff members should NOT use their work computers for surfing!

Man-in-the-middle:

Another threat is information being intercepted without the person’s knowledge, commonly referred to as a “man in the middle” attack. When a person uses public Wi-Fi, a nefarious character can set up a rogue access point that imitates the legitimate network, or position themselves on the network, and capture what passes through. Depending on the activity, a virus or malware could be placed on the device and carried back into the office, where it could in turn infect your network.

Zero-day attacks:

Then there are zero-day exploits, which happen when attackers find a vulnerability that the software maker does not yet know about or has not yet fixed, and use it before a patch exists. These are often widespread and can hit systems all over the world. Developers must work fast to create a patch that corrects the deficiency; in the meantime, your systems could be down or destroyed. This is why it is critical to maintain a backup that is not connected to your network, and to test that you can actually restore from it.

Ransomware attacks are a real problem, and not just for healthcare but for everyone. They have gone up 70% in just one year. Think about losing everything on your business network or your home computer. It happens, so all of these recommendations apply to your personal use as well.

The Office for Civil Rights (OCR) released their breach report to Congress, below are a few highlights.

“OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said OCR Director Melanie Fontes Rainer. “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”

The HHS 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance reports the number of complaints received. Some highlights:

  • OCR received 30,435 new complaints alleging violations of the HIPAA Rules
  • OCR resolved 32,250 complaints alleging violations of the HIPAA Rules
  • OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one complaint investigation with a civil money penalty in the amount of $100,000
  • OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and monetary payments totaling $2,425,640.

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website are owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC