惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Troy Hunt's Blog
P
Proofpoint News Feed
V
Vulnerabilities – Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
K
Kaspersky official blog
Cyberwarzone
Cyberwarzone
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
S
Securelist
L
Lohrmann on Cybersecurity
Security Latest
Security Latest
T
Threatpost
H
Heimdal Security Blog
W
WeLiveSecurity
A
Arctic Wolf
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY
IT之家
IT之家
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
TaoSecurity Blog
TaoSecurity Blog
A
About on SuperTechFans
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
N
News and Events Feed by Topic
Hacker News - Newest:
Hacker News - Newest: "LLM"
Last Week in AI
Last Week in AI
T
The Blog of Author Tim Ferriss
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Azure Blog
Microsoft Azure Blog
Hugging Face - Blog
Hugging Face - Blog
Google DeepMind News
Google DeepMind News
量子位
Stack Overflow Blog
Stack Overflow Blog
Know Your Adversary
Know Your Adversary
B
Blog RSS Feed
阮一峰的网络日志
阮一峰的网络日志
WordPress大学
WordPress大学
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
AI
AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 司徒正美
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
Vercel News
Vercel News
C
Cyber Attacks, Cyber Crime and Cyber Security
Latest news
Latest news
D
Darknet – Hacking Tools, Hacker News & Cyber Security
大猫的无限游戏
大猫的无限游戏
Forbes - Security
Forbes - Security

Privacy & Cybersecurity Law Blog

New Hampshire Amends the NHDPA to Prohibit the Sale of Children’s Personal Data Canada’s Proposed Social Media Ban for Children and Chatbot Regulation: Bill C-34’s Impact on Platforms European Commission Unveils Cybersecurity and AI Action Plan European Commission Refers Four Member States to CJEU Over NIS2 Transposition Delays EDPB Opens Public Consultation on New Personal Data Breach Notification Template European Commission Advances New Proposal to Expand Cloud Capacity and AI Infrastructure U.S. Supreme Court FTC Ruling Prompts Fresh Scrutiny of EU-U.S. Data Privacy Framework China Issues New Measures for Network Data Security Risk Assessment China Issues Regulations on Internet Content Multi-Channel Network Distribution Services China’s First Regulatory Framework for Virtual Companions Soon to Take Effect UK Data Protection Complaints Obligations Take Effect Vermont Enacts Significant Amendments to Data Broker Legislation Vermont Becomes 23rd State with Comprehensive Consumer Privacy Law Louisiana Enacts Comprehensive Consumer Privacy Law Connecticut Signs Comprehensive AI Bill into Law China CAC Issues Guidance on Conducting Audits Technology Companies Should Prepare for FTC Enforcement of Take It Down Act HHS Reorganizes Office for Civil Rights Oregon Prohibition on Public Body Disclosures to Data Brokers for Federal Immigration Purposes Now In Effect Connecticut Privacy Law Updates: Data Broker Rules, Geolocation Sale Ban, Surveillance Pricing Restrictions, and Genetic Data Regulations NYDFS Warns of Cybersecurity Risks from Frontier AI Models UK and Australia Announce Memorandum of Understanding on AI Security FTC Announces Settlements With Three Marketing Firms Over Allegations of Deceptive Statements About Active Listening AI-Powered Services Cybersecurity Authorities Issue Joint Guidance on the Adoption of Agentic AI Systems Colorado AI Act Amended and Effective Date Delayed European Commission Releases Draft Guidelines on High-Risk AI Under the EU AI Act Texas AG Announces Lawsuit Against Netflix for Alleged Misrepresentations Regarding User Data UK ICO Recommends Targeted Changes to PECR Rules for Online Advertising California AG Announces Record $12.75M Settlement with GM over CCPA Data Minimization and Purpose Limitation Violations Illinois Department of Human Rights Issues Regulations Governing the Use of AI in Employment Decisions Delta Dental Agrees to $2.25 Million Settlement with NYDFS Over MOVEit Data Breach Response Maryland Enacts First-of-its-Kind Ban on Surveillance Pricing for Grocery Sales UK ICO Publishes Guidance on Storage and Access Technologies CIPL Report Discusses Significant Alignment between GDPR and Global CBPR CalPrivacy Announces the Agenda for its April 30–May 1 Board Meeting CalPrivacy Requests Preliminary Comments on Notices & Disclosures, Employee Data COPPA Rule Amendment Compliance Deadline Approaches House Republicans Introduce Comprehensive Federal Privacy Bill: “SECURE Data Act” Kentucky Classifies Smart TV Data as Sensitive Alabama Becomes 21st State With Comprehensive Consumer Privacy Law CalPrivacy Director Expects CCPA Compliance Audits in 2026 Virginia Bans Sale of Geolocation Data New Jersey Enacts New Restrictions on Health Care Facilities’ Use of Patient Data Washington State Enacts Law Regulating AI Companion Chatbots with Private Right of Action Guardrails for Legal AI: What California’s SB 574 Would Require of Attorneys and Arbitrators
HHS’ Office for Civil Rights Settles HIPAA Investigation of Health Care Software Company
2026-04-09 · via Privacy & Cybersecurity Law Blog

HHS’ Office for Civil Rights Settles HIPAA Investigation of Health Care Software Company

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with MMG Fusion, LLC (“MMG”), a Maryland-based health care software company, to resolve the company’s alleged noncompliance with the HIPAA Privacy, Security and Breach Notification Rules.

According to OCR’s announcement, MMG operates as a business associate that receives protected health information (“PHI”) from covered entities and provides software used to communicate directly with patients. The investigation was initiated in March 2023 following a complaint regarding an unreported security incident and the appearance of PHI on the dark web.

OCR’s investigation determined that in December 2020, an unauthorized actor infiltrated MMG’s systems and accessed PHI, including names, phone numbers, mailing addresses, email addresses, dates of birth and appointment information, affecting approximately 15 million individuals.

OCR concluded that MMG: (i) impermissibly disclosed PHI; (ii) failed to conduct an accurate and thorough risk analysis to assess risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI ; and (iii) failed to timely notify covered entities of the breach, as required under the HIPAA Breach Notification Rule.

Settlement Terms and Corrective Action Plan

Under HHS’s resolution agreement, MMG agreed to:

  • conduct and complete an accurate and thorough HIPAA risk analysis;
  • develop and implement a risk management plan to address identified risks and vulnerabilities;
  • develop, maintain and revise written policies and procedures to comply with the HIPAA Privacy and Security Rules;
  • provide workforce training on HIPAA Privacy and Security Rule requirements; and
  • conduct a breach risk assessment of the December 2020 incident and provide affected covered entities with appropriate breach notification information.

OCR will monitor MMG’s compliance with the corrective action plan for three years. MMG also agreed to pay $10,000 to OCR, with the agency noting that it considered MMG’s financial condition in determining the settlement amount.