Cybersecurity & Privacy Archives - HIT Leaders and News

Cybersecurity

Cybersecurity: The Vendor Risk Reckoning

The breach at TriZetto Provider Solutions, a Cognizant business, should not be treated as another familiar HIPAA headline. A filing with the Maine Attorney General’s office indicates that 3,429,351 people were affected, while industry reporting tied to the same disclosure said the unauthorized access began on November 19, 2024, and the compromised data was not fully understood until late November 2025. In any sector, that kind of dwell time would be serious

Photo 133406131 / Cybersecurity © Stevanovicigor | Dreamstime.com

Breach Remediation Is Not Security

A $2.8 million class action settlement can look like accountability. In practice, it often functions more like a pricing mechanism which is an attempt to put a predictable dollar value on a breach that delivered unpredictable harm. The proposed settlement tied to a July 2024 incident involving Gryphon Healthcare follows a now-familiar pattern: modest cash payments for many claimants, higher reimbursement for documented losses, and a bundle of identity and medical monitoring services offered as a standardized remedy, as laid out in the case administrator’s settlement FAQ.

ID 187020383 © Josepalbert13 | Dreamstime.com

When Provider Numbers Become Passwords

A one-year-and-a-day federal sentence rarely changes the trajectory of Medicaid fraud on its own. The bigger signal comes from the mechanics of the scheme. In a February 10, 2026 announcement from the U.S. Attorney’s Office for the District of Connecticut, a licensed substance use counselor admitted to billing the Medicaid program for psychotherapy sessions that were not provided, then attempted to withstand scrutiny by producing false clinical documentation during an audit. The facts are local. The vulnerabilities are national.

Photo 152431104 © Leowolfert | Dreamstime.com

Third-Party Risk Without Third Chances

The $2.87 million settlement between Houston-based revenue cycle vendor Gryphon Healthcare and nearly 400,000 patients affected by a 2024 data breach sends a clear and urgent message to healthcare executives: liability is no longer confined within organizational walls. The breach, which stemmed from unauthorized access via an external IT service provider, underscores a hardening regulatory, legal, and operational reality as healthcare organizations are increasingly held accountable not only for their own security practices, but also for the security posture of their partners.

What Every Healthcare Organization Should Know About FIPS Validation

Healthcare’s digital transformation has created unprecedented opportunity—and unprecedented risk. The U.S. Government’s Administration for Strategic Preparedness and Response (ASPR) paints a dire picture when it comes to healthcare and public health cybersecurity. It reports that the Healthcare and Public Health (HPH) sector continues to experience increasingly sophisticated cyberattacks that exploit complex, interconnected IT systems at hospitals and healthcare facilities.

Cyber Settlements Are Not Security Strategies

Veradigm’s recent agreement to pay $10.5 million to settle litigation over its 2024 data breach may resolve legal exposure—but it does not resolve the deeper credibility crisis now facing health IT vendors. As more than two million patients contend with the long-term fallout of exposed medical and financial information, the episode underscores a persistent structural risk: the widening gap between contractual data responsibility and cybersecurity execution in third-party health tech infrastructure.

Healthcare’s Third-Party Reckoning Begins at the Contract Table

The lawsuit fallout from the TriZetto data breach has accelerated a reckoning long overdue in healthcare IT governance: vendor partnerships are not cybersecurity strategies. As Cognizant Technology Solutions now faces multiple U.S. class-action suits over its handling of a 2020 breach affecting its TriZetto Provider Solutions platform, the liability spotlight is shifting upstream. In a sector increasingly dependent on outsourced infrastructure, cloud-based platforms, and revenue cycle management automation, enterprise buyers can no longer separate procurement from risk management.

$500K Fine for Capital Region Healthcare Center Patient Data Breach

The $500,000 penalty issued to OrthopedicsNY signals a strategic shift in how state regulators are treating healthcare cybersecurity negligence. The case, driven by the New York Attorney General’s investigation, underscores a rising intolerance for technical complacency in an environment where cyberattacks are not just common but systemic.

Three Health Data Breach Settlements Signal New Norm for Post-Breach Accountability

In an unsettling sign of healthcare’s continued vulnerability to cybercrime, three separate class action settlements were reached in December 2025 following major data breaches at Hypertension Nephrology Associates, Asheville Arthritis and Osteoporosis Center, and Intermountain Planned Parenthood. Collectively impacting more than 150,000 patients, these cases reflect not only the growing scope of patient data exposure, but also an emerging legal pattern: negotiated settlements in lieu of drawn-out litigation, with providers neither admitting wrongdoing nor facing regulatory penalties beyond civil resolution.

Breach Notices Expose the Real Cybersecurity Gap

Two recent breach disclosures from Revere Health and Health Management Systems of America underline an uncomfortable reality in healthcare cybersecurity. The industry is not losing data because attackers are uniquely inventive. The industry is losing time, clarity, and control because too many organizations still cannot answer basic operational questions fast enough, which systems touched protected health information, which vendors sat in the path, and which controls were actually enforced.

Delayed Breach Disclosures Are Quietly Eroding Healthcare’s Cyber Trust

As breach fatigue sets in across the healthcare sector, a quieter and more corrosive threat is emerging, not just the frequency of cyberattacks, but the time it takes for patients and providers to learn about them.

Small Breach, Big Implications: What the Synergy Incident Reveals About PHI Risk

When a data breach affects just over 1,200 individuals, it rarely registers as a national headline. But in healthcare, the size of an incident is not a proxy for its strategic significance. The recent breach at Synergy Advanced Healthcare, a single-location provider in Connecticut, underscores a persistent and underexamined risk: that smaller, community-based healthcare entities remain structurally vulnerable to the same cybersecurity threats that plague large systems without the safeguards, budgets, or oversight to match.

Centralized Risk Is a National Liability in Healthcare Data Security

The largest data breach in history, an April 2024 compromise of 2.9 billion records from the U.S.-based data broker National Public Data, did not merely set a new record for exposure. It exposed a systemic blind spot in how healthcare and affiliated sectors assess risk. This was not an isolated cybersecurity lapse. It was the predictable outcome of unchecked aggregation, opaque data markets, and insufficient oversight of non-provider entities that now sit at the center of the healthcare data economy.

Pennsylvania AG Responds to Data Breach Exposing Social Security and Medical Records

The recent breach of Pennsylvania’s state systems, exposing personal identifiers and protected health information, has re-ignited urgent questions around data stewardship in the public sector.

Legal Fallout from the Change Healthcare Breach Signals a New Era of Accountability

The decision by a Nebraska state court to allow the attorney general’s data breach lawsuit against Change Healthcare, UnitedHealth Group, and Optum to proceed is more than a procedural milestone.