Inside NYBCe, US HealthConnect & MedicSolution Breaches: Key Lessons for Health Tech Founders

TL;DR

Three major health tech breaches in 2025 (NYBCe, US HealthConnect, and MedicSolution) exposed serious weaknesses in operational readiness, third-party risk, and PHI security. If you're a growth-stage health tech startup, the time to audit your HIPAA compliance posture is now. This article breaks down the breaches and what you must do next.

The NYBCe Breach: Operational Fallout From Ransomware

In late January 2025, New York Blood Center Enterprises (NYBCe) detected suspicious activity on its network. What followed was confirmed ransomware, stolen data, and a notification timeline that stretched into early September.

What was exposed

  • Names, health info, test results

  • Social Security numbers, driver’s license data

  • Financial account information (for some staff)

Why it matters to you

NYBCe’s breach disrupted blood drives and operations, a reminder that security is also an operations issue.

If your organization doesn’t have an incident response plan that covers communications, legal, operations, and leadership, you’re exposed to far more than the data loss itself.

✅ Insight

You can outsource IT, but you can’t outsource response. Make sure your incident playbook is real, battle-tested, and aligned with your recovery time objectives (RTOs).

The US HealthConnect Breach: PHI in the Marketing Stack

Data Exposed

  • Personally identifiable information (PII)

  • Social Security numbers

  • Potentially Protected Health Information (PHI)

US HealthConnect’s core business is marketing and education, and yet it holds sensitive data. Sound familiar? Your CRM, web analytics tools, or lead forms might be handling PHI without safeguards or a valid BAA.

✅ Insight

Evaluate your martech stack. If PHI touches your pixels, you likely fall under HIPAA, even if you think you don’t. HHS’s Office for Civil Rights has published guidance specifically on the use of online tracking technologies by HIPAA-regulated entities, so treat trackers as a distinct compliance item rather than part of the marketing budget.

The MedicSolution Breach: A Supply Chain Time Bomb

Brazil-based MedicSolution, a healthcare software vendor used by hospitals and clinics, was hit by a KillSec ransomware attack in September 2025. The threat actors claimed to have exfiltrated sensitive records and publicly posted extortion demands.

What’s different here?

  • The attack didn’t hit a provider directly.

  • The risk came from the software vendor that hospitals and clinics relied on.

  • Reporting pointed to misconfigured cloud storage (an exposed S3 bucket) as the root cause.
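The misconfiguration named above, a storage bucket whose policy or public-access settings let anyone read it, is the kind of thing you can check statically before PHI ever lands in the bucket. The script below is an added example written for this article; it is not code from MedicSolution or from the original post. It evaluates an S3 bucket policy for statements that grant access to a wildcard principal and reports which PublicAccessBlock flags are off, with a weak configuration beside a hardened one. The bucket names, ARNs and policies are constructed, and the list of scoping condition keys is a simplification of the keys AWS itself considers when deciding whether a policy is public.

```python
"""Static check for the S3 misconfiguration class behind many healthcare data
exposures: a bucket policy that grants anonymous ("*") principals access, or
PublicAccessBlock settings left off.

Added example for this article. Bucket names, ARNs and policies below are
constructed and do not come from any real incident or vendor.
"""

# Condition keys that scope a wildcard principal to a specific caller or
# network; a "*" principal constrained by one of these is not public.
# Simplified (assumption) from the keys AWS's public-bucket evaluation uses.
RESTRICTING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
    "aws:userid", "s3:dataaccesspointarn",
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal) -> bool:
    """True for "*" or {"AWS": "*"} (anonymous or any AWS account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _has_restricting_condition(statement: dict) -> bool:
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.lower().startswith("null"):  # Null tests do not restrict
            continue
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in pairs):
            return True
    return False


def public_statements(policy: dict) -> list:
    """Return the Allow statements that expose the bucket to anyone.

    Each finding carries the Sid, actions and resources so a reviewer sees
    exactly what an anonymous caller could do. Deny statements with a "*"
    principal (a common hardening pattern) are intentionally not flagged.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Allow + NotPrincipal means "everyone except ..."; treat as public.
        if "NotPrincipal" in stmt or _principal_is_wildcard(stmt.get("Principal")):
            if _has_restricting_condition(stmt):
                continue
            findings.append({"Sid": stmt.get("Sid", "<no Sid>"),
                             "Action": _as_list(stmt.get("Action", [])),
                             "Resource": _as_list(stmt.get("Resource", []))})
    return findings


def public_access_block_gaps(config: dict) -> list:
    """Name each PublicAccessBlock flag that is not enabled.

    `config` mirrors the PublicAccessBlockConfiguration shape the S3 API
    returns; all four should be True on any bucket that holds PHI.
    """
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [flag for flag in required if not config.get(flag, False)]


# --- constructed sample input (not from any real bucket) -------------------
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-ehr-exports",
                 "arn:aws:s3:::example-ehr-exports/*"]}]}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ehr-export-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-ehr-exports/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-ehr-exports/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Wildcard principal scoped to one AWS Organization: not public.
ORG_SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-ehr-exports/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

WEAK_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_PAB = {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                  "BlockPublicPolicy", "RestrictPublicBuckets")}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY),
                      ("org-scoped", ORG_SCOPED_POLICY)):
        print(name, "public statements:", public_statements(pol))
    print("weak PAB gaps:", public_access_block_gaps(WEAK_PAB))
    print("hardened PAB gaps:", public_access_block_gaps(HARDENED_PAB))
```

To use it against real buckets, feed `public_statements` the parsed output of `get-bucket-policy` and `public_access_block_gaps` the output of `get-public-access-block`, then treat any finding on a bucket that can hold PHI as a blocker, not a ticket. Note that the org-scoped case only counts as non-public because of the condition key; drop the condition and the same statement becomes a finding.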

Takeaway for CIOs

If you’re a vendor, or you use one, you’re part of someone else’s risk equation. Third parties accounted for 41.2% of healthcare breaches in 2024.

✅ Insight

When was the last time you conducted a HIPAA risk assessment? Do you have Business Associate Agreements with every vendor that touches the PHI you manage? Have you validated their controls in the past 12 months?

What Growth Stage Health Tech Orgs Must Do Now

If you’re growing fast and touching patient data (directly or indirectly), here’s your action plan:

  1. Conduct HIPAA Risk Assessments: Look for technical, administrative, and physical risks, and repeat the assessment as your infrastructure changes.

  2. Conduct a HIPAA Gap Assessment: Know where you stand today so you can plan where you need to go. Do this annually.

  3. Map Vendors Touching PHI: Require signed BAAs and annual control validation. Dig deeper than compliance reports (e.g., SOC 2).

  4. Test Incident Response Plans: Include communications, leadership, operations, and legal, not just IT.

  5. Train Your Workforce: Run simulated phishing campaigns, provide security awareness training, publish breach-reporting channels, and enforce the policy. Training should continue throughout the year, not happen once at onboarding.

  6. Secure Patient Data: Define retention policies, access controls, and deletion procedures.

  7. Audit Tracking Technologies: Evaluate your ads, web trackers, and analytics tools for PHI exposure.
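Step 7 is the one item on this list that reduces to a concrete technical check: record a browsing session on your patient-facing pages, then look at which third-party endpoints received which data. The script below is an added example written for this article, not code from the original post. It reads a HAR capture (the JSON export browsers produce from the network panel), keeps only requests to a list of tracker hosts, and flags those that carry identifier-like parameters in the query string or body, or that disclose a page path from a patient portal or condition page. The tracker hosts, parameter names, site paths and HAR entries are all constructed for the example.

```python
"""Flag third-party tracking requests that may carry PHI off a patient-facing
site, using a browser HAR capture as input.

Added example for this article, not code from the original page. The tracker
host list, sensitive-key list, site paths and HAR entries are constructed for
illustration; a real audit uses your own HAR export and your own vendor list.
"""
import json
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Advertising / analytics endpoints (assumed list; extend from your vendors).
TRACKER_HOSTS = {"www.google-analytics.com", "www.facebook.com",
                 "analytics.tiktok.com"}

# Parameter names that commonly carry identifiers or clinical context.
SENSITIVE_KEYS = {"patient_id", "mrn", "email", "phone", "dob", "condition",
                  "appointment_type", "diagnosis"}

# First-party paths where the visitor is authenticated or has revealed a
# clinical interest; a tracker that receives such a URL together with the
# visitor's IP address learns more than a page view. Constructed paths.
CLINICAL_PATH_PREFIXES = ("/portal/", "/appointments/", "/conditions/")


def _kv_pairs(request: dict) -> list:
    """Flatten the query string and any JSON or form body into (key, value)."""
    pairs = list(parse_qsl(urlsplit(request["url"]).query))
    post = request.get("postData", {})
    text, mime = post.get("text", ""), post.get("mimeType", "")
    if text and "json" in mime:
        pairs += [(k, str(v)) for k, v in json.loads(text).items()]
    elif text and "x-www-form-urlencoded" in mime:
        pairs += parse_qsl(text)
    return pairs


def _disclosed_clinical_page(request: dict, pairs: list) -> Optional[str]:
    """Return the page URL handed to the tracker if it is a clinical path.

    Trackers learn the page from the Referer header and from parameters such
    as Google Analytics' "dl"/"dr" and Meta Pixel's "dl".
    """
    urls = [v for k, v in pairs if k in ("dl", "dr", "page_location", "url")]
    urls += [h["value"] for h in request.get("headers", [])
             if h["name"].lower() == "referer"]
    for url in urls:
        if urlsplit(url).path.startswith(CLINICAL_PATH_PREFIXES):
            return url
    return None


def audit_har(har: dict) -> list:
    """Return one finding per tracker request that leaks PHI-like data."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if host not in TRACKER_HOSTS:
            continue  # first-party or unknown host: out of scope here
        pairs = _kv_pairs(req)
        leaked = sorted({k for k, _ in pairs if k.lower() in SENSITIVE_KEYS})
        page = _disclosed_clinical_page(req, pairs)
        if leaked or page:
            findings.append({"tracker": host, "sensitive_params": leaked,
                             "clinical_page": page})
    return findings


# --- constructed HAR excerpt (not a real capture) ---------------------------
SAMPLE_HAR = {"log": {"entries": [
    # First-party API call: carries a patient id but goes to our own host.
    {"request": {"url": "https://clinic.example/api/appointments", "headers": [],
                 "postData": {"mimeType": "application/json",
                              "text": "{\"patient_id\": \"P-1001\"}"}}},
    # GA hit whose "dl" parameter reveals the condition page being viewed.
    {"request": {"url": "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX"
                        "&dl=https%3A%2F%2Fclinic.example%2Fconditions%2Foncology",
                 "headers": []}},
    # Pixel POST that forwards form fields verbatim to the vendor.
    {"request": {"url": "https://analytics.tiktok.com/api/v2/pixel",
                 "headers": [{"name": "Referer", "value": "https://clinic.example/"}],
                 "postData": {"mimeType": "application/json",
                              "text": "{\"email\": \"jane@example.com\", \"condition\": \"asthma\"}"}}},
    # Page view on the public homepage: a tracker, but nothing sensitive.
    {"request": {"url": "https://www.facebook.com/tr?id=1&ev=PageView"
                        "&dl=https%3A%2F%2Fclinic.example%2F", "headers": []}},
]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR):
        print(finding)
```

Against a real capture, load the file with `json.load` and pass the result to `audit_har`; every vendor that appears in the findings belongs on your tracking-technology inventory and in your BAA review, and any tracker that fires on authenticated portal pages deserves scrutiny even when no finding is raised, because the host list and key list here are deliberately short.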

✅ Insight

Don’t just “comply.” Align your security posture with your business mission. That’s what regulators and partners want to see, and what enterprise health systems will expect.

Health Tech Isn’t Immune; It’s a Target

These breaches are a wake-up call. Ransomware, cloud misconfigurations, and third-party risk are recurring failure modes for scaling health tech organizations. Don’t wait until you have to make that awkward call to your customer about a breach you’re a part of.

✅ Get Started Now

Discover the advanced security controls that help prevent the breaches above. Download the HIPAA EXP Audit Guide

If you prefer to invest in vCISO advice you can trust, Book a Call

Frequently Asked Questions (FAQs)

What makes health tech companies a big target for breaches?

Lack of dedicated security teams, fast growth, and increasing data exposure make them vulnerable to exploitation.

Are marketing tools covered by HIPAA?

Yes, if those tools collect or process PHI (even indirectly), you’re responsible for ensuring HIPAA compliance.

What’s the first thing I should do to be HIPAA-ready?

Start with a HIPAA Compliance Gap Assessment. It helps uncover blind spots and gives you a roadmap.

If a vendor causes a breach, am I still liable?

Usually. A covered entity must have a BAA in place with every business associate, and handing PHI to a vendor without one is itself an impermissible disclosure, regardless of what the vendor later does with the data. Business associates are in turn directly liable for their own violations and for flowing the same obligations down to their subcontractors. No BAA? You’re on the hook.

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company and ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy into a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has spent 12 years in private industry developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com