Coverage
Hand-authored analysis of breaches, enforcement actions, and regulatory developments — what happened, what controls would have prevented it, what an independent practice should check on its own systems.
- Industry analysis
EHR migration windows are the most underestimated security event in a practice's decade
South Central Regional Medical Center is consolidating five clinical sites onto a single Epic instance. Individually the case is unremarkable; collectively such migrations are instructive, because an EHR transition is a security event that the compliance program rarely treats as one.
- Cybersecurity
Phishing-as-a-service now includes an AI assistant, and healthcare email defenses have not caught up
A newly identified phishing kit called Bluekit ships with 40 templates, automated domain registration, and an AI campaign drafter. The economics of credential-theft attacks against small healthcare practices just shifted again.
- Litigation
Private equity liability for portfolio-company breaches just changed, and healthcare is the largest exposed sector
A California federal court allowed claims against Bain Capital to proceed for a breach at its subsidiary PowerSchool — including conduct that predated the acquisition. The ruling reshapes the risk calculus for the most heavily PE-backed sector in American healthcare.
- Enforcement
State financial regulators are becoming the second front of healthcare breach enforcement
NYSDFS extracted $2.25 million from Delta Dental over the 2023 MOVEit breach — the latest sign that state insurance and financial regulators are operating in parallel with HHS OCR, with their own rules and faster timelines.
- Cybersecurity
Why CFAA prosecutions of credentialed clinical staff are rising, and what it means for insider risk
A federal indictment of a Maryland pharmacist on Computer Fraud and Abuse Act charges follows a pattern — prosecutors are increasingly using the CFAA to reach insider misuse cases that HIPAA alone wouldn't.