What is the HIPAA Security Rule?

The HIPAA Security Rule establishes national standards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) through administrative, physical, and technical safeguards.

What is considered a HIPAA violation in cybersecurity?

A HIPAA violation occurs when PHI or ePHI is impermissibly used or disclosed or insufficiently safeguarded. Common causes include weak access controls, missing risk analyses, unencrypted devices, improper workforce training, and delayed breach reporting.

What are administrative, physical, and technical safeguards?

Administrative safeguards are policies, procedures, and training. Physical safeguards protect facilities and devices. Technical safeguards include access controls, audit logging, transmission security, and encryption.

Is a HIPAA risk assessment required annually?

HIPAA requires a regular and thorough risk analysis but does not mandate a specific frequency. Many organizations perform it annually and whenever significant changes occur, such as new systems, vendors, or workflows.

What should a HIPAA risk assessment include?

It should identify where ePHI resides, evaluate threats and vulnerabilities, assess likelihood and impact, review current controls, document risk levels, and define prioritized remediation steps and timelines.

What is the role of encryption in HIPAA compliance?

Encryption is an addressable implementation specification. If reasonable and appropriate, it should be implemented for data at rest and in transit. If not implemented, the decision must be documented and an equivalent alternative safeguard applied.

What is a Business Associate under HIPAA?

A Business Associate is any person or organization, other than a workforce member of a covered entity, that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Examples include cloud providers, IT support, billing services, and certain consultants. A Business Associate Agreement (BAA) is required before PHI access.

Do business associates need to be HIPAA compliant?

Yes. Business associates must implement appropriate safeguards for PHI, comply with applicable HIPAA requirements, enter into a BAA, report incidents and breaches, and ensure their subcontractors that handle PHI also comply.

What happens if a business associate causes a breach?

Both the covered entity and the business associate have obligations. The business associate must investigate, mitigate, and notify the covered entity. Breach notifications to individuals, HHS, and in some cases the media may be required based on the incident size and circumstances.

How do I secure remote access to ePHI?

Use VPN or zero-trust access, require multi-factor authentication, enforce least-privilege access, encrypt devices, manage endpoints and patches, disable local data storage when possible, and monitor logs for suspicious activity.

Can employees use personal devices under HIPAA?

Yes, if governed by a BYOD policy that enforces device encryption, screen locks, remote wipe, mobile device management, separation of work data, and prohibits storing ePHI in unsecured apps or locations.

What is considered a HIPAA data breach?

A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy, such as ransomware, lost or stolen devices, misdirected emails, or unauthorized access, unless a documented risk assessment shows a low probability of compromise.

How soon must a HIPAA breach be reported?

Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Reporting to HHS depends on the number of affected individuals; large breaches (500 or more) require more immediate reporting and, in some cases, media notice.

What are the penalties for HIPAA violations?

HIPAA penalties vary by tier based on level of culpability, with per-violation amounts and annual caps per violation type. Enforcement may include corrective action plans, settlement amounts, and monitoring. Actual amounts depend on the facts and current HHS guidance.

Can my practice be audited for HIPAA compliance?

Yes. HHS’s Office for Civil Rights conducts audits and investigations, particularly after breaches or complaints. Maintaining documentation, training records, and current risk analyses helps demonstrate compliance readiness.

What documentation is required to prove HIPAA compliance?

Keep current risk analyses, remediation plans, security and privacy policies, workforce training logs, incident response procedures, business associate agreements, access audit logs, and evidence of ongoing monitoring and evaluations.

Telehealth & Supply-Chain Briefings: Hello Cake + MedicSolution

Sep 25

Written By L Trotter II

TL;DR

Two September 2025 health tech breaches, Hello Cake (telehealth) and MedicSolution (supply chain), highlighted the cost of cloud misconfigurations. Third-party risks now account for 40% of healthcare breaches, yet incident response remains a challenge across the space. For growth-stage health tech startups, these events are a wake-up call: your IR playbook must be tested, your vendors audited, and your compliance posture aligned with HIPAA. The question isn’t if you’ll face a breach, but if you’ll be ready!

👉 Download the HIPAA EXP Audit Guide to test your readiness.

Hello Cake Incident Brief

What Happened

On September 21, 2025, Hello Cake, a telehealth and prescription provider, published updated notices and state breach filings confirming a misconfigured cloud resource exposing files. Reports suggest unauthorized access may have occurred earlier in the year.

Data Types Reported

Names, dates of birth, addresses
In some notices: Social Security numbers and highly sensitive PII

Operational & Patient Risk (what to assume now)

Medical identity fraud
Targeted phishing campaigns using stolen info
Extortion by threatening to make stolen info public
Treat this as a High-priority if you have integrations or share data with Hello Cake

0–72 Hour Incident Response Checklist

Block unknown traffic to/from Hello Cake systems until remediation is confirmed
Rotate API keys, service accounts, and administrative passwords
Review your network and integration logs for abnormal events such as GET/DELETE events, large object downloads, after hour access, etc.
Configure outbound network connection rules to stop PHI exports to unvetted endpoints

Compliance & Legal

Confirm BAA incident response clauses, request breach report, and remediation plan
Prepare breach notification notices for HHS and patients.
Contact your legal team for PR and potential implications

👉 Curious where you stand? Book a 15-minute vCISO consultation to review your vendor security strategy.

MedicSolution Incident Brief

What Happened

In mid-September 2025, the KillSec ransomware group claimed responsibility for a breach at MedicSolution, a Brazilian healthcare software provider. Threat actors allege exfiltration of patient/provider data via a misconfigured cloud bucket. Extortion postings are active; forensics are ongoing.

Potential Data Impact

Patient and provider records
Clinical data sets (field lists not yet confirmed)

Downstream Risk

Because MedicSolution services multiple hospitals and clinics, this is a supply-chain event. This vendor breach can cascade across entire healthcare networks.

0–72 Hour Response Checklist

Inventory MedicSolution integrations
Review log events for MedicSolution linked systems
Rotate all service account and administrative credentials and tokens
Review outbound connections to/from MedicSolution IPs

Legal & Vendor Steps

Request forensic reports and breach impact
Invoke contractual incident clauses and indemnity agreements

👉 Download the HIPAA EXP Guide to validate your third-party risk controls.

Your Rapid Response Playbook

If you’re scaling and touching PHI even indirectly, follow these five must-dos today:

Conduct HIPAA Risk & Gap Assessment
Lock down access: least privilege + key rotations
Monitor anomalies: outbound data comms, IAM failures, API irregularities
Validate vendor security: request evidence on top of SOC 2 Reports
Tabletop incident response exercises: include execs, legal, comms, and ops

What Growth-Stage Health Tech Orgs. Should Do Next

Map vendors + BAAs (update annually)
Audit tracking technologies for PHI exposure
Run phishing simulations & year-round training
Enforce data lifecycle management (retention, deletion, destruction)
Tie compliance to business outcomes (RTO/RPO, partner due diligence)

Health tech startups aren’t immune, they’re targets. Incident readiness is a growth strategy.

👉 Download the HIPAA EXP Audit Guide to uncover blind spots before attackers do.

FAQ

Are telehealth vendors like Hello Cake considered business associates?

Yes. If they process PHI, HIPAA rules apply and BAAs must be in place.

What’s the first step after discovering vendor exposure?

Review your BAAs, request breach update reports, review your logs for anomalies, block vendor integrations until the issue has been resolved.

Do I need to notify regulators if data access isn’t confirmed?

If there’s a reasonable belief PHI was exposed, HIPAA requires notification.

How do I prevent S3/bucket misconfiguration risks?

Enforce least privilege, rotate IAM keys, make buckets private, and use automated misconfiguration detection tools.

Let’s Talk

Do you think cloud misconfigurations are negligence or lack of expertise?

Share your thoughts!

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operation for clients.

Larry has provided services for 12 years across the private industry developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com

Telehealth & Supply-Chain Briefings: Hello Cake + MedicSolution

TL;DR

Hello Cake Incident Brief

What Happened

Data Types Reported

Operational & Patient Risk (what to assume now)

0–72 Hour Incident Response Checklist

Compliance & Legal

MedicSolution Incident Brief

What Happened

Potential Data Impact

Downstream Risk

0–72 Hour Response Checklist

Legal & Vendor Steps

Your Rapid Response Playbook

What Growth-Stage Health Tech Orgs. Should Do Next

FAQ

Are telehealth vendors like Hello Cake considered business associates?

What’s the first step after discovering vendor exposure?

Do I need to notify regulators if data access isn’t confirmed?

How do I prevent S3/bucket misconfiguration risks?

Let’s Talk

5 ways to signal trust to providers before product demos.

Connect with us on LinkedIn