<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Healthcare Industry News</title>
	<atom:link href="https://www.healthcareindustry.news/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.healthcareindustry.news/</link>
	<description></description>
	<lastBuildDate>Mon, 08 Jun 2026 14:29:06 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://www.healthcareindustry.news/wp-content/uploads/2023/06/cropped-Healthcare-Industry-News_Favicon--32x32.png</url>
	<title>Healthcare Industry News</title>
	<link>https://www.healthcareindustry.news/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Parents Sue Minnesota Hospital Over Access to Minor Child’s Medical Records</title>
		<link>https://www.healthcareindustry.news/parents-sue-minnesota-hospital-over-access-to-minor-childs-medical-records/</link>
		
		<dc:creator><![CDATA[Brian Lavery]]></dc:creator>
		<pubDate>Mon, 08 Jun 2026 13:53:38 +0000</pubDate>
				<category><![CDATA[HIPAA News and Advice]]></category>
		<guid isPermaLink="false">https://www.healthcareindustry.news/?p=252667</guid>

					<description><![CDATA[<p>The parents of a 15-year-old child have filed a lawsuit against a Minnesota hospital alleging they were denied full access to their minor child’s medical records despite rights provided under the HIPAA Privacy Rule. Shaun and Katherine Johnson filed the lawsuit against Fairview Health Services after losing access to their daughter’s medical records through the [&#8230;]</p>
<p>The post <a href="https://www.healthcareindustry.news/parents-sue-minnesota-hospital-over-access-to-minor-childs-medical-records/">Parents Sue Minnesota Hospital Over Access to Minor Child’s Medical Records</a> appeared first on <a href="https://www.healthcareindustry.news">Healthcare Industry News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The parents of a 15-year-old child have filed a lawsuit against a Minnesota hospital alleging they were denied full access to their minor child’s medical records despite rights provided under the HIPAA Privacy Rule.</p>



<p>Shaun and Katherine Johnson filed the lawsuit against Fairview Health Services after losing access to their daughter’s medical records through the MyChart patient portal when she turned 12 years old. The lawsuit states that the parents require ongoing access to the records to assist in managing their daughter’s healthcare.</p>



<p>The Johnsons’ daughter was diagnosed at age 11 with mosaic Turner syndrome, which requires lifelong heart monitoring because of increased cardiovascular risks. The parents state that real-time access to medical information is necessary for effective management of their daughter’s care.</p>



<p>According to the allegations described in the lawsuit, Fairview Health Services follows a policy that ends parental access to the MyChart records of a child upon reaching 12 years old. The policy is dependent on the organization’s interpretation of state legislation. Under that policy, continued access requires a private interview with the child. Full parental access may only be restored if both hospital staff and the child agree to provide that access.</p>



<p>The parents declined to sign the consent form associated with that process. As a result, they were denied access to their daughter’s records through MyChart.</p>



<p>The parents later submitted a request for access to their daughter’s records using an Authorization for Release of Protected Health Information. They received some records in response to that request. The records request took three weeks to process. The parents also alleged that the records provided were incomplete and lacked information needed for management of their daughter’s care.</p>



<p>Shaun Johnson stated that management of a serious medical condition requires timely access to appointments, test results, and other medical information. He alleged that Fairview Health Services required his family to use a delayed and burdensome alternative process instead of allowing access through the MyChart system.</p>



<p>The dispute also led to regulatory complaints. The Center for Individual Rights, a nonprofit public interest law firm based in Washington, D.C., filed a complaint with the Department of Health and Human Services Office for Civil Rights. The complaint alleged that denying parents access to the MyChart portal for children older than 12 <a href="https://www.healthcareindustry.news/common-hipaa-violations/">violated the HIPAA</a> Privacy Rule.</p>



<p>The Office for Civil Rights responded to the complaint and confirmed in correspondence sent to the Privacy Officer of Fairview Health Services and the Center for Individual Rights that parents are allowed to access the medical records of a minor child under HIPAA law. A second complaint was filed six weeks later after parental access had not been restored. The second complaint remains pending before the Office for Civil Rights.</p>



<p>The Office for Civil Rights later issued a Dear Colleague letter to the medical community. The letter confirmed that healthcare providers generally may not impose additional limitations on parental access to a minor child’s medical records under HIPAA when special circumstances are absent. Those special circumstances do not apply in this case.</p>



<p>Minnesota law provides minors with authority over access to medical records related to substance abuse diagnosis and treatment, physical and sexual abuse, sexually transmitted diseases, and pregnancy. Fairview Health Services provides partial proxy access for parents or legal guardians of children ages 12 to 17. Access to records connected to those categories is excluded from the partial access arrangement.</p>



<p>Under Fairview Health Services’ policy, full proxy access is available only with the child’s consent. The parents objected to the interview process involving their daughter, which prevented them from obtaining timely and complete access to medical records that they believe are necessary to participate effectively in their daughter’s care.</p>



<p>The lawsuit challenges both the legal basis and implementation of the hospital’s policy. The complaint alleges that federal law preempts state law and that Fairview Health Services’ policy is inconsistent with Minnesota law.</p>



<p>The lawsuit seeks a declaratory judgment and a permanent injunction. The requested relief would require recognition that the Minnesota Health Records Act requires unrestricted parental access to the daughter’s medical records.</p>



<p>Caleb Kruckenberg, Litigation Director at the Center for Individual Rights, stated that a hospital cannot use state law to deny parents access to their child’s medical records. He also stated that federal law takes precedence and that parental participation in a minor child’s medical care is a protected right.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>PHI Exposed Due to OpenLoop Health Data Breach</title>
		<link>https://www.healthcareindustry.news/phi-exposed-due-to-openloop-health-data-breach/</link>
		
		<dc:creator><![CDATA[Brian Lavery]]></dc:creator>
		<pubDate>Mon, 11 May 2026 19:58:35 +0000</pubDate>
				<category><![CDATA[Compliance News]]></category>
		<guid isPermaLink="false">https://www.healthcareindustry.news/?p=252658</guid>

					<description><![CDATA[<p>HIPAA-Covered Entity, OpenLoop Health, reported a data breach affecting up to 716,000 individuals due to unauthorized access to its systems, resulting in the theft of files containing protected health information (PHI). On March 17, 2026, OpenLoop Health submitted the breach report to the U.S. Department of Health and Human Services Office for Civil Rights. The [&#8230;]</p>
<p>The post <a href="https://www.healthcareindustry.news/phi-exposed-due-to-openloop-health-data-breach/">PHI Exposed Due to OpenLoop Health Data Breach</a> appeared first on <a href="https://www.healthcareindustry.news">Healthcare Industry News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><a href="https://www.healthcareindustry.news/covered-entities-under-hipaa/">HIPAA-Covered Entity</a>, OpenLoop Health, reported a data breach affecting up to 716,000 individuals due to unauthorized access to its systems, resulting in the theft of files containing protected health information (PHI).</p>



<p>On March 17, 2026, OpenLoop Health submitted the breach report to the U.S. Department of Health and Human Services Office for Civil Rights. The incident listed on the OCR breach portal indicated that up to 716,000 individuals were affected.</p>



<p>On March 24, 2026, OpenLoop Health Inc published details about the incident after sending the breach report. According to information submitted to the California Attorney General, OpenLoop Health discovered on January 7, 2026, that an unauthorized third party accessed parts of its systems and copied files containing sensitive information.</p>



<p>A forensic investigation determined that unauthorized access to the network occurred between January 7, 2026, and January 8, 2026. Third-party cybersecurity specialists investigated the incident to determine the scope of the breach, and to secure the affected systems against further unauthorized access.</p>



<p>OpenLoop Health stated that the breached data included names, addresses, email addresses, dates of birth, and medical information. Social Security numbers were not accessed or stolen. OpenLoop Health will send notifications by mail, and will inform the recipients about the free credit monitoring and identity theft protection services for affected individuals.</p>



<p>A threat actor using the name Stuckin2019 claimed responsibility for the incident in a hacking forum posting. The individual claimed to have obtained information associated with 1.6 million patients.</p>



<p>OpenLoop Health has not publicly confirmed the reported figure. Information published about the incident stated that threat actor claims can be exaggerated, may include duplicate records, or may be fabricated in part or in full.</p>



<p>Even if Stuckin2019 leaked samples of patient data to prove the data theft, OpenLoop Health has not publicly confirmed the validity of the claims regarding the total number of records allegedly obtained.</p>



<p>Information published by Databreaches.net stated that the forum listing connected to the OpenLoop Health incident remained online for two days before being removed. Databreaches.net also reported that communication with the threat actor through Tox indicated that payment had been received and the data had been deleted.</p>



<p>On March 24, 2026, when OpenLoop Health made the breach public, there was not yet a post on the U.S. Department of Health and Human Services Office for Civil Rights breach portal. The incident had been posted earlier, on March 18, 2026, on the Office of the Texas Attorney General website, with 68,160 affected Texas residents.</p>



<p>A later update stated that the breach is now listed on the Office for Civil Rights breach portal with about 716,000 affected individuals.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Over 257,000 Individuals Affected by Nacogdoches Memorial Hospital Data Breach</title>
		<link>https://www.healthcareindustry.news/over-257000-individuals-affected-by-nacogdoches-memorial-hospital-data-breach/</link>
		
		<dc:creator><![CDATA[Brian Lavery]]></dc:creator>
		<pubDate>Mon, 06 Apr 2026 00:29:00 +0000</pubDate>
				<category><![CDATA[HIPAA News and Advice]]></category>
		<guid isPermaLink="false">https://www.healthcareindustry.news/?p=252649</guid>

					<description><![CDATA[<p>Nacogdoches Memorial Hospital has reported a data security incident that potentially compromised the personal and protected health information (PHI) of 257,073 individuals. The 226-bed hospital in Nacogdoches, Texas identified the breach on January 31, 2026, and determined through forensic investigation that unauthorized access began on January 15, 2026. Scope of the Incident The hospital confirmed [&#8230;]</p>
<p>The post <a href="https://www.healthcareindustry.news/over-257000-individuals-affected-by-nacogdoches-memorial-hospital-data-breach/">Over 257,000 Individuals Affected by Nacogdoches Memorial Hospital Data Breach</a> appeared first on <a href="https://www.healthcareindustry.news">Healthcare Industry News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Nacogdoches Memorial Hospital has reported a data security incident that potentially compromised the personal and protected health information (<a href="https://www.healthcareindustry.news/protected-health-information-examples/" target="_blank" rel="noreferrer noopener">PHI</a>) of 257,073 individuals. The 226-bed hospital in Nacogdoches, Texas identified the breach on January 31, 2026, and determined through forensic investigation that unauthorized access began on January 15, 2026.</p>



<h2 class="wp-block-heading">Scope of the Incident</h2>



<p>The hospital confirmed that a hacker gained access to its computer network and information systems. Files containing patient information may have been accessed or acquired during the two-week period of unauthorized access. The impacted data includes names, addresses, telephone numbers, email addresses, Social Security numbers, birth dates, medical record numbers, health plan beneficiary numbers, account numbers, and full-face photo images for certain individuals.</p>



<h2 class="wp-block-heading">Notification and Response</h2>



<p>Notification letters were mailed to affected individuals on March 31, 2026. The hospital’s notice to the Maine Attorney General stated that no complimentary credit monitoring and identity theft protection services are offered. The hospital advised patients to assume their data has been compromised and to consider protective measures such as placing a fraud alert or security freeze with Equifax, TransUnion, or Experian.</p>



<p>The hospital reported that it has not detected misuse of the impacted data and has no indications that misuse will occur. As of April 1, 2026, no threat group has claimed responsibility for the incident.</p>



<h2 class="wp-block-heading">Security Measures Implemented</h2>



<p>In response to the breach, Nacogdoches Memorial Hospital has strengthened its information systems and computer network security. The hospital is enhancing its cyber preparedness through additional employee training and updates to its policies and procedures. Law enforcement has been informed, and the hospital has committed to assisting with any investigation.</p>



<h2 class="wp-block-heading">Regulatory Considerations</h2>



<p>The incident involves protected health information, which is subject to the requirements of the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. Covered Entities and Business Associates are required to implement safeguards to protect patient data and to notify affected individuals and regulators when breaches occur. The hospital’s notification to the Maine Attorney General and its communication with patients reflect compliance with these requirements. The absence of complimentary credit monitoring services was explicitly stated in the hospital’s notice.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Senate HELP Committee Advances Health Care Cybersecurity and Resiliency Act</title>
		<link>https://www.healthcareindustry.news/senate-help-committee-advances-health-care-cybersecurity-and-resiliency-act/</link>
		
		<dc:creator><![CDATA[Brian Lavery]]></dc:creator>
		<pubDate>Sun, 08 Mar 2026 21:50:00 +0000</pubDate>
				<category><![CDATA[Compliance News]]></category>
		<category><![CDATA[Healthcare Information Technology]]></category>
		<guid isPermaLink="false">https://www.healthcareindustry.news/?p=252643</guid>

					<description><![CDATA[<p>The Senate Health, Education, Labor, and Pensions (HELP) Committee advanced the Health Care Cybersecurity and Resiliency Act with a 22-1 vote, moving forward bipartisan legislation that proposes cybersecurity requirements and federal coordination measures for the healthcare sector. Legislative Action by Senate HELP Committee The Senate Health, Education, Labor, and Pensions (HELP) Committee voted 22-1 on [&#8230;]</p>
<p>The post <a href="https://www.healthcareindustry.news/senate-help-committee-advances-health-care-cybersecurity-and-resiliency-act/">Senate HELP Committee Advances Health Care Cybersecurity and Resiliency Act</a> appeared first on <a href="https://www.healthcareindustry.news">Healthcare Industry News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Senate Health, Education, Labor, and Pensions (HELP) Committee advanced the Health Care Cybersecurity and Resiliency Act with a 22-1 vote, moving forward bipartisan legislation that proposes cybersecurity requirements and federal coordination measures for the healthcare sector.</p>



<h2 class="wp-block-heading">Legislative Action by Senate HELP Committee</h2>



<p>The Senate Health, Education, Labor, and Pensions (HELP) Committee voted 22-1 on the Health Care Cybersecurity and Resiliency Act. The legislation proposes cybersecurity requirements intended to strengthen cybersecurity across the healthcare sector. The bill was first introduced in November 2025 and later reintroduced in December 2025 with minimal changes.</p>



<p>The legislation was proposed by a bipartisan group of senators that includes Senate Health, Education, Labor, and Pensions (HELP) Committee Chair Sen. Bill Cassidy (R-LA), Sen. Mark Warner (D-VA), Sen. Maggie Hassan (D-NH), and Sen. John Cornyn (R-TX). The legislation originates from a bipartisan healthcare cybersecurity working group that was launched in 2023.</p>



<h2 class="wp-block-heading">Cybersecurity Requirements for HIPAA-Regulated Entities</h2>



<p>The Health Care Cybersecurity and Resiliency Act proposes cybersecurity requirements for <a href="https://www.healthcareindustry.news/covered-entities-under-hipaa/" target="_blank" rel="noreferrer noopener">entities covered under the Health Insurance Portability and Accountability Act (HIPAA)</a>. The bill proposes minimum cybersecurity standards that include multifactor authentication, data encryption, penetration testing, and regular security audits.</p>



<p>The legislation also introduces reporting requirements related to cybersecurity incidents. Regulated entities would be required to report the number of individuals affected by a cybersecurity incident. The Department of Health and Human Services (HHS) would publish information regarding corrective actions and recognized security practices applied by regulated entities after a data breach.</p>



<h2 class="wp-block-heading">Federal Coordination and Incident Response Planning</h2>



<p>The legislation proposes increased coordination between the HHS and the Cybersecurity and Infrastructure Security Agency (CISA) in response to cyber threats affecting healthcare organizations. The bill requires the HHS to develop a cybersecurity incident response plan.<br>The legislation also designates the Administration for Strategic Preparedness and Response as the Sector Risk Management Agency for the healthcare sector.</p>



<p>The HHS would also produce an annual report describing how the agency is complying with requirements in the Consolidated Appropriations Act of 2021 related to the adoption of recognized security practices by HIPAA-regulated entities.</p>



<h2 class="wp-block-heading">Financial Assistance and Rural Healthcare Guidance</h2>



<p>The legislation includes financial assistance for under-resourced healthcare providers that need to improve cybersecurity protections. Eligible recipients include hospitals, cancer centers, rural health clinics, health facilities operated by the Indian Health Service, and academic health centers.</p>



<p>The bill requires the HHS to issue guidance for rural entities and rural health clinics on cybersecurity breach prevention practices, resilience planning, and coordination with federal agencies.</p>



<p>Additional legislative objectives include providing grants and training to healthcare entities to improve cyberattack prevention and response capabilities.</p>



<h2 class="wp-block-heading">Context of Healthcare Cybersecurity Risks</h2>



<p>Cyberattacks on healthcare organizations have increased over the past decade with a noticeable increase in recent years. More than 700 data breaches have been reported to the Department of Health and Human Services Office for Civil Rights in each of the past four years.</p>



<p>Large data breaches now occur at approximately twice the levels recorded in 2016, 2017, and 2018. Cyber incidents within the healthcare sector have exposed private medical information and disrupted care operations, including delays in emergency department services and electronic prescribing.</p>



<p>One example referenced in legislative materials involved a cyberattack on Change Healthcare that exposed the data of more than 190 million people and resulted in delays in care and electronic prescribing.</p>



<h2 class="wp-block-heading">Legislative Status</h2>



<p>Advancement through the Senate Health, Education, Labor, and Pensions (HELP) Committee represents a step in the legislative process for the Health Care Cybersecurity and Resiliency Act. Whether the legislation will pass a vote in the House of Representatives and reach the President for signature into law has not been determined.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Northwell Health Settles Website Tracking Lawsuit</title>
		<link>https://www.healthcareindustry.news/northwell-health-settles-website-tracking-lawsuit/</link>
		
		<dc:creator><![CDATA[Brian Lavery]]></dc:creator>
		<pubDate>Sun, 08 Feb 2026 22:12:00 +0000</pubDate>
				<category><![CDATA[Compliance News]]></category>
		<guid isPermaLink="false">https://www.healthcareindustry.news/?p=252637</guid>

					<description><![CDATA[<p>Northwell Health agreed to settle class action litigation alleging unauthorized disclosure of patient information via website tracking tools. Northwell Health Lawsuit Details Northwell Health settled the lawsuit Kaplan v. Northwell Health, Inc., filed in New York State Supreme Court, Kings County, over its use of tracking codes, such as Google Analytics and Meta Pixel code, [&#8230;]</p>
<p>The post <a href="https://www.healthcareindustry.news/northwell-health-settles-website-tracking-lawsuit/">Northwell Health Settles Website Tracking Lawsuit</a> appeared first on <a href="https://www.healthcareindustry.news">Healthcare Industry News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Northwell Health agreed to settle class action litigation alleging unauthorized disclosure of patient information via website tracking tools.</p>



<h2 class="wp-block-heading">Northwell Health Lawsuit Details</h2>



<p>Northwell Health settled the lawsuit Kaplan v. Northwell Health, Inc., filed in New York State Supreme Court, Kings County, over its use of tracking codes, such as Google Analytics and Meta Pixel code, on its website that allegedly transmitted <a href="https://www.healthcareindustry.news/protected-health-information-examples/" target="_blank" rel="noreferrer noopener">protected health information (PHI)</a> to third parties without consent. The lawsuit alleges that such disclosure of patient data violated the Electronic Communications Privacy Act.</p>



<p>According to the lawsuit, data about Northwell Health patients&#8217; past, current, or future medical conditions, including the type and date of a medical consultation, was obtained and sent to third parties. Those details can be linked with individuals through identifiers like their IP address. Third parties reading the data could infer that the person was getting treatment for a certain health condition and consulted with Northwell Health.</p>



<h2 class="wp-block-heading">Northwell Health Settlement Details</h2>



<p>Northwell Health denies liability for the allegations in the lawsuit and sought to have the lawsuit dismissed, but the parties then entered settlement discussions. After taking into consideration the probable cost and risk of the lawsuit, the parties reached a settlement.</p>



<p>Northwell patients who logged into Northwell’s FollowMyHealth patient portal or booked an appointment using the portal from January 1, 2020, to December 31, 2023, are eligible to receive a $15.00 cash payment and privacy monitoring services for twelve months. All other Northwell patients from January 1, 2020, to July 25, 2024, are eligible to receive the privacy monitoring services for twelve months.</p>



<p>The settlement provides class members the opportunity to submit claim forms by April 20, 2026, to receive benefits. Individuals may exclude themselves or object to the settlement by March 23, 2026, and a final fairness hearing is scheduled for April 21, 2026. Class members who do nothing will receive no settlement benefits and will give up their rights.</p>



<h2 class="wp-block-heading">Legal Context and Next Steps</h2>



<p>The settlement resolves allegations that the healthcare provider&#8217;s use of third-party tracking tools on its websites may have resulted in unauthorized disclosures of sensitive patient information. The settlement does not mean that either the defendant or the plaintiff is correct; it means only that a compromise was reached to end the litigation.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Final Rule Applying Proposed HIPAA Privacy Law Updates May Be Coming Soon</title>
		<link>https://www.healthcareindustry.news/final-rule-applying-proposed-hipaa-privacy-law-updates-may-be-coming-soon/</link>
		
		<dc:creator><![CDATA[Brian Lavery]]></dc:creator>
		<pubDate>Sun, 18 Jan 2026 22:03:00 +0000</pubDate>
				<category><![CDATA[HIPAA News and Advice]]></category>
		<guid isPermaLink="false">https://www.healthcareindustry.news/?p=252633</guid>

					<description><![CDATA[<p>In January 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a proposed HIPAA Privacy Rule update. It will include Improvements to the HIPAA Privacy Rule to Support, and Take Away Barriers to, Coordinated Care and Personal Engagement. The objective of the proposed update is to modify the HIPAA [&#8230;]</p>
<p>The post <a href="https://www.healthcareindustry.news/final-rule-applying-proposed-hipaa-privacy-law-updates-may-be-coming-soon/">Final Rule Applying Proposed HIPAA Privacy Law Updates May Be Coming Soon</a> appeared first on <a href="https://www.healthcareindustry.news">Healthcare Industry News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>In January 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a proposed HIPAA Privacy Rule update. It will include Improvements to the HIPAA Privacy Rule to Support, and Take Away Barriers to, Coordinated Care and Personal Engagement.</p>



<p>The objective of the proposed update is to modify the HIPAA Privacy Rule to reinforce personal rights to access health data, enhance care coordination, and minimize the compliance load on health plans and healthcare providers, while protecting patient privacy. The Biden administration did not seem to prioritize the proposed update by the HHS, and the same is true for the Trump administration during its first year. However, on January 14, 2026, OCR Director Paula M. Stannard posted a notice of Tribal consultation about the 2021 Rule in the Federal Register.</p>



<p>Five years have passed since the proposed HIPAA Privacy Rule update was published in the Federal Register. Though little has been said about the proposed update in the last five years, a final rule seems to be near publication. Before the final rule, on February 6, 2026, a Tribal consultation meeting will be conducted via Zoom following Executive Order 13175 as well as the HHS Tribal Consultation Policy.</p>



<p>The consultation will take up a number of different topics, with OCR hoping to get responses concerning the proposed modifications to reinforce personal rights to health data; the measures suggested to enhance treatment coordination and case administration; the improved flexibilities for sharing patient data during emergency and threatening situations; the support for using telecommunications relay services by individuals and employees who are deaf-blind, deaf, hard of hearing, or have a speech handicap; and the expanded authorization to use and share Armed Forces service personnel PHI for national readiness reasons.</p>



<p>Although the Tribal consultation is an indication of progress toward applying some or all of the proposed modifications in the final rule, there is no indication at this time of whether the final rule will be published. When that happens, <a href="https://www.healthcareindustry.news/covered-entities-under-hipaa/" target="_blank" rel="noreferrer noopener">HIPAA-covered entities</a> will get enough time to revise their guidelines, procedures, and practices and equip employees with training on the HIPAA Privacy Rule requirements prior to OCR&#8217;s enforcement.</p>



<p>Meanwhile, OCR has mentioned that enforcement initiatives will continue to focus on the HIPAA Right of Access requirement of the HIPAA Privacy Law, parental access to the health records of minors, and the risk analysis requirement of the HIPAA Security Law, and an extension of that program to include risk management. OCR likewise pointed out that a new enforcement initiative will be introduced for the privacy of substance use disorder treatment data, following the latest changes to Part 2 rules to align them more with HIPAA.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Sunflower Medical Group Settles Its Class Action Data Breach Lawsuit for $1.2 Million</title>
		<link>https://www.healthcareindustry.news/sunflower-medical-group-settles-its-class-action-data-breach-lawsuit-for-1-2-million/</link>
		
		<dc:creator><![CDATA[Brian Lavery]]></dc:creator>
		<pubDate>Mon, 22 Dec 2025 02:09:00 +0000</pubDate>
				<category><![CDATA[HIPAA News and Advice]]></category>
		<guid isPermaLink="false">https://www.healthcareindustry.news/?p=252630</guid>

					<description><![CDATA[<p>Sunflower Medical Group decided to pay about $1,200,000 to resolve a class action lawsuit associated with a ransomware attack in December 2024. The Rhysida ransomware attack resulted in access to the medical group&#8217;s network on or about December 15, 2024. Sunflower Medical Group confirmed on January 7, 2025 the theft of sensitive patient information, which [&#8230;]</p>
<p>The post <a href="https://www.healthcareindustry.news/sunflower-medical-group-settles-its-class-action-data-breach-lawsuit-for-1-2-million/">Sunflower Medical Group Settles Its Class Action Data Breach Lawsuit for $1.2 Million</a> appeared first on <a href="https://www.healthcareindustry.news">Healthcare Industry News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Sunflower Medical Group decided to pay about $1,200,000 to resolve a class action lawsuit associated with a ransomware attack in December 2024. The Rhysida ransomware attack resulted in access to the medical group&#8217;s network on or about December 15, 2024. Sunflower Medical Group confirmed on January 7, 2025 the theft of sensitive patient information, which includes names, birth dates, addresses, driver’s license numbers, Social Security numbers, medical data, and medical insurance data.</p>



<p>Rhysida said it exfiltrated a 3-terabyte SQL database with approximately 400,000 patients&#8217; data during the ransomware attack. When no ransom is paid, Rhysida tries to sell the compromised information and leaks the unsold information on its dark web data leak page. This is what happened in this cyberattack. Sunflower Medical Group reviewed the files of 220,968 individuals identified to have been affected by the attack, though the lawsuit class size is 255,734 individuals.</p>



<p>Sunflower Medical Group faced multiple class action lawsuits because of the data breach. Because the lawsuits had overlapping allegations, the S.W., et al. v. Sunflower Medical Group, P.A. lawsuit, a consolidation of the lawsuits, was filed in the Circuit Court of Jackson County, Missouri, at Independence. The plaintiffs claimed that Sunflower Medical Group violated the HIPAA Rules because it failed to carry out acceptable and proper security measures as required by the HIPAA Security Rule. The medical group also did not comply with industry guidelines, did not perform a HIPAA-compliant risk analysis following the attack, and committed other violations of the HIPAA Rules. The lawsuit stated claims of negligence, negligent training and supervision, breach of implied contract, breach of fiduciary duty of confidentiality, and violation of the Missouri Merchandising Practices Act.</p>



<p>Sunflower Medical Group stated it did no wrong, rejected all claims and allegations in the lawsuit, and maintained no liability. An investigation by the HHS’ Office for Civil Rights into the data breach found that the <a href="https://www.healthcareindustry.news/hipaa-compliance-requirements/" target="_blank" rel="noreferrer noopener">HIPAA compliance</a> issues did not reach the threshold to deserve a financial penalty. Hence, OCR closed the investigation.</p>



<p>In spite of not agreeing with the claims, Sunflower Medical Group decided to resolve the litigation. All parties agreed to a settlement to steer clear of the costs and risks related to trial and any corresponding appeals. The $1,200,000 settlement fund will pay for the attorneys’ fees and expenditures, settlement management and notification charges, class representatives&#8217; service awards, and the class members&#8217; benefits.</p>



<p>All class members are eligible to get medical data monitoring services for two years, with $1 million medical identity theft insurance coverage and fraud resolution assistance services. Moreover, they can file a claim for a cash payment. The $300,000 cash payments will be reduced pro rata if the claims exceed the cap. Class members may file a claim to reimburse documented, unreimbursed expenses because of the data breach up to $5,000 for each class member, or a one-time $10 cash payment. Additional security measures have been implemented to mitigate the threat of other data breaches.</p>



<p>The last day to file an objection to or exclusion from the settlement is January 26, 2026. Class members may submit claims until March 26, 2026. The schedule of the final fairness hearing is March 6, 2026.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Watson Clinic to Pay $10 Million for Data Breach Settlement</title>
		<link>https://www.healthcareindustry.news/watson-clinic-to-pay-10-million-for-data-breach-settlement/</link>
		
		<dc:creator><![CDATA[Brian Lavery]]></dc:creator>
		<pubDate>Mon, 24 Nov 2025 01:35:00 +0000</pubDate>
				<category><![CDATA[HIPAA News and Advice]]></category>
		<guid isPermaLink="false">https://www.healthcareindustry.news/?p=252624</guid>

					<description><![CDATA[<p>Florida’s Watson Clinic decided to settle its class action litigation involving a January 2024 data breach that affected 280,278 people for $10,000,000. The threat actors stole sensitive information, such as digital images, and listed them on the dark web. The medical group located in Lakeland provides services to about one million individuals every year and [&#8230;]</p>
<p>The post <a href="https://www.healthcareindustry.news/watson-clinic-to-pay-10-million-for-data-breach-settlement/">Watson Clinic to Pay $10 Million for Data Breach Settlement</a> appeared first on <a href="https://www.healthcareindustry.news">Healthcare Industry News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Florida’s Watson Clinic decided to settle its class action litigation involving a January 2024 data breach that affected 280,278 people for $10,000,000. The threat actors stole sensitive information, such as digital images, and listed them on the dark web.</p>



<p>The medical group located in Lakeland provides services to about one million individuals every year and has approximately 1,600 team members and 350 medical practitioners. On February 6, 2024, Watson Clinic discovered unauthorized access to its computer network. The forensic investigation verified that the attackers first obtained access to its system on January 26.</p>



<p>The assessment of the compromised data showed that they included the <a href="https://www.healthcareindustry.news/protected-health-information-examples/" target="_blank" rel="noreferrer noopener">protected health information (PHI)</a> of present and old patients, such as names, birth dates, addresses, government identifiers, driver&#8217;s license numbers, Social Security numbers, financial account details, and medical details, such as medical record numbers, diagnoses, treatments, and pre- and/or post-surgical medically necessary pictures.</p>



<p>Watson Clinic acquired the data from third-party file analysis in July 2024, reported the data breach in August 2024, and mailed breach notifications to the impacted persons. After that, plaintiff Charles Viviani submitted the first class action lawsuit in the U.S. District Court for the Middle District of Florida. Plaintiff David Thorpe filed another class action lawsuit in the same court. Both lawsuits were combined as the Viviani v. Watson Clinic, LLP lawsuit. Watson Clinic sent more breach notifications in February 2025 after further investigation into the scope of the incident.</p>



<p>The litigation mentioned claims of breach of fiduciary duty, negligence, breach of implied contract, and violation of the Florida Deceptive and Unfair Trade Practices Act. Watson Clinic rejects all material claims and arguments in the case and charges of liability or wrongdoing. Though Watson Clinic thinks it has a good defense against all allegations, the litigation would probably be prolonged and high-priced, and any lawsuit has built-in problems. As a result, the clinic opted to negotiate the lawsuit. The class lawyer thinks the settlement is ideal for all class members.</p>



<p>Watson Clinic decided to set up a $10,000,000 fund for payment of lawyers’ fees and expenses, settlement management and notification costs, and plaintiffs&#8217; service awards. There are more class members&#8217; benefits than other class action settlements, which include up to $75,000 cash payments for a number of class members, according to the types of digital photos uploaded to the dark web.</p>



<p>Class members whose digital photos were posted on the dark web will be given a check without needing to submit a claim. The payout amounts are stated in the table below. Class members can collect one of the payments below, whichever is higher.</p>



<p>Types of Published Digital Photos and Compensation Amounts</p>



<ul class="wp-block-list">
<li>Full face and open sensitive areas &#8211; $75,000</li>



<li>Partial face and uncovered sensitive parts &#8211; $40,000</li>



<li>No face and open sensitive areas &#8211; $10,000</li>



<li>Whole face and sensitive parts with partial clothing &#8211; $10,000</li>



<li>Part of the face and sensitive parts with partial clothing &#8211; $7,500</li>



<li>No face and incomplete clothes of sensitive parts &#8211; $5,000</li>



<li>Non-sensitive &#8211; $100</li>
</ul>



<p>Besides the one-off cash payments, class members can also claim these benefits:</p>



<ul class="wp-block-list">
<li>Repayment of recorded, unreimbursed ordinary losses $500</li>



<li>Refund of recorded, unreimbursed extraordinary losses and valid lost time $6,500, which includes about 5 hours of lost time worth $25 an hour</li>



<li>Residual cash payment $50*</li>
</ul>



<p>*The residual cash payments are going to be computed pro rata after the costs and expenditures have been subtracted from the settlement fund and the digital photo breach cash payments and claims for reimbursement of losses have been settled. The funds will be split equally among the class members choosing to collect a residual cash payment. The maximum cash payment is $50, although it could be less, subject to the number of legitimate claims.</p>



<p>The last day for objection to and exemption from the settlement deal is January 6, 2025. The due date to file a claim is February 5, 2025, and the date of the final fairness hearing is March 9, 2025. Additional data is available on the settlement webpage: https://watsondatasettlement.com/</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Iowa Nurse Terminated for HIPAA Violation with the Disclosure of Patient Pregnancy Status</title>
		<link>https://www.healthcareindustry.news/iowa-nurse-terminated-for-hipaa-violation-with-the-disclosure-of-patient-pregnancy-status/</link>
		
		<dc:creator><![CDATA[Brian Lavery]]></dc:creator>
		<pubDate>Mon, 20 Oct 2025 00:54:00 +0000</pubDate>
				<category><![CDATA[Compliance News]]></category>
		<guid isPermaLink="false">https://www.healthcareindustry.news/?p=252610</guid>

					<description><![CDATA[<p>An Iowa nurse lost her job because of a HIPAA violation. She also forfeited her unemployment benefits for sharing the pregnancy state of a 17-year-old patient to a member of the family without obtaining the patient’s authorization. Erica Hulsing has been employed at Waverly Health Center in Waverly, Iowa as a registered nurse since September [&#8230;]</p>
<p>The post <a href="https://www.healthcareindustry.news/iowa-nurse-terminated-for-hipaa-violation-with-the-disclosure-of-patient-pregnancy-status/">Iowa Nurse Terminated for HIPAA Violation with the Disclosure of Patient Pregnancy Status</a> appeared first on <a href="https://www.healthcareindustry.news">Healthcare Industry News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>An Iowa nurse lost her job because of a <a href="https://www.healthcareindustry.news/common-hipaa-violations/" target="_blank" rel="noreferrer noopener">HIPAA violation</a>. She also forfeited her unemployment benefits for sharing the pregnancy state of a 17-year-old patient to a member of the family without obtaining the patient’s authorization. Erica Hulsing has been employed at Waverly Health Center in Waverly, Iowa as a registered nurse since September 2016. She received a call on April 17, 2025 from a family member of the patient asking about the patient’s admission to the hospital.</p>



<p>The patient specifically asked that her pregnancy condition be kept private, but Hulsing advised the member of the family that the patient is expecting a baby. Because of the disclosure, the patient and members of the family submitted complaints to the hospital with regard to the disclosure, starting an investigation. The hospital confirmed that Hulsing had given away highly sensitive data concerning a patient to someone who was not permitted to obtain that information, since the relative was not stated on her agreement form. The hospital decided that protected health information (PHI) had been disclosed to unauthorized people. The disclosure furthermore violated hospital guidelines on work conduct, which leads to dismissal for gross misconduct.</p>



<p>Under HIPAA, patients have the right to ask for the restricted disclosure of their health data, such as disclosures of their health data to members of their family. Although patients below 18 years old are viewed as minors, when a 17-year-old agrees to health treatment under state legislation, the Privacy Rule typically lets the minor exercise their own privacy rights.</p>



<p>Hulsing mentioned that she was not aware that revealing the patient’s pregnancy condition to a relative broke the HIPAA Regulations. Hulsing requested unemployment benefits while her case was being evaluated, and she received $4,214 in benefits; nonetheless, Administrative Law Judge Duane Golden decided that Hulsing wasn&#8217;t eligible to get unemployment benefits because her behavior constituted employment-associated misconduct, and Hulsing was directed to refund the $4,214 she acquired.</p>



<p>Disclosing patient details to any unauthorized person can have critical effects for the medical specialist and the patient. As this case plainly shows, insufficient awareness about HIPAA requirements is not a legitimate excuse for a HIPAA violation. In this instance, the patient’s instruction for privacy should have been honored, and the disclosure made solely with the patient&#8217;s permission.</p>



<p>Healthcare specialists must be sure that they know about the HIPAA requirements, and should make sure that they are informed about state and federal rules. Healthcare companies should ensure that they give complete HIPAA training to all staff members to make sure they understand their obligations under HIPAA, and should boost training through yearly refresher training classes to help avert HIPAA violations on the job.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Small Organizations Enjoy OSH Act Penalty Reduction</title>
		<link>https://www.healthcareindustry.news/small-organizations-enjoy-osh-act-penalty-reduction/</link>
		
		<dc:creator><![CDATA[Brian Lavery]]></dc:creator>
		<pubDate>Sun, 24 Aug 2025 16:37:00 +0000</pubDate>
				<category><![CDATA[HIPAA News and Advice]]></category>
		<guid isPermaLink="false">https://www.healthcareindustry.news/?p=252600</guid>

					<description><![CDATA[<p>The Occupational Health and Safety Administration has changed its guidance concerning the penalty framework in Section 7 of the Occupational Safety and Health (OSH) Act. The OSH Act was signed into law in 1970 to ensure United States workers have protected and healthful working environments. Aside from creating workplace safety and wellness standards, it began [&#8230;]</p>
<p>The post <a href="https://www.healthcareindustry.news/small-organizations-enjoy-osh-act-penalty-reduction/">Small Organizations Enjoy OSH Act Penalty Reduction</a> appeared first on <a href="https://www.healthcareindustry.news">Healthcare Industry News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Occupational Health and Safety Administration has changed its guidance concerning the penalty framework in Section 7 of the Occupational Safety and Health (OSH) Act. The OSH Act was signed into law in 1970 to ensure United States workers have protected and healthful working environments. Aside from creating workplace safety and wellness standards, it began the Occupational Health and Safety Administration (OSHA). OSHA is assigned to enforce OSH Act compliance, and could punish violators.</p>



<p>OSHA issues penalties to dissuade future violations and ensure that organizations develop a secure and healthy work area. To reduce the responsibility on small businesses and to encourage dealing with workplace issues, OSHA has previously enforced a 70% reduction in penalties for small organizations with fewer than 10 workers.</p>



<p>The current policy, explained in the Penalties and Debt Collection portion of OSHA’s Field Operations Manual, states that the penalty cuts for small organizations will include those with around 25 workers. The objective is to make it much easier for small organizations to purchase resources needed to reduce risks and ensure future compliance. The revised policy includes a 15% penalty reduction for organizations that immediately manage or address a risk, and expands the penalty reduction for organizations without a record of serious, intentional, repetitive, or failure-to-alleviate OSH Act violations. Organizations will be allowed to a penalty amount of interestxlu in case they were not checked out by an OSHA State Plan or federal OSHA, or in case they were reviewed in the last 5 years without finding any serious, intentional, or inability-to-ease off violations.</p>



<p>The updated policy was enacted right away on July 14, 2025, and covers inspections started before that time that did not cause a penalty. The last penalty framework applies to penalties put in place before that date. OSHA has the authority not to lessen penalties when doing so does not assist the goals of the OSH Act.</p>



<p>According to Deputy Secretary of Labor Keith Sonderling, all organizations should be allowed to adhere to rules that help give a secure working area. Small <a href="https://www.healthcareindustry.news/covered-entities-under-hipaa/" target="_blank" rel="noreferrer noopener">HIPAA-covered entities</a> that are working diligently to adhere to complex government regulations should not face fines like larger companies that have numerous resources. Lower fines on small organizations help assist the business owners that fuel the economic system and provide them with the resources they need to make a safe and healthy place for employees while making them responsible.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
