Aug 23–29, 2025 Developments in Healthcare Information Security

Big policy shift: OCR can now enforce 42 CFR Part 2 (SUD privacy)

On Aug 27 the Federal Register published HHS’s formal delegation giving the Office for Civil Rights (OCR) authority to administer and enforce Part 2 (Confidentiality of Substance Use Disorder Records). Practically, that puts Part 2 privacy violations (including breach duties) on a similar enforcement footing to HIPAA—expect investigations, resolution agreements and CMPs routed through OCR. Update your incident response playbooks and BA/“lawful holder” inventories to account for Part 2 breach notification and complaint handling. (Federal Register, GovInfo, Holland & Knight)

Capitol Hill pressure on UnitedHealth over Change Healthcare loans

On Aug 28, Senators Ron Wyden and Elizabeth Warren demanded details on how UnitedHealth is collecting billions in emergency advances it extended to providers after the 2024 Change Healthcare ransomware outage. Reports allege aggressive repayment tactics, including offsetting remittances. The senators set a Sept 12 deadline for UHG’s response. For context, HHS says Change’s incident ultimately affected ~192.7 million individuals. If you’re a provider still reconciling claims flow from that event, ensure finance, compliance, and counsel align on any offsets and related notification obligations. (Reuters, The Wall Street Journal, HHS.gov)

Critical infrastructure risk of the week: Citrix/NetScaler zero-day under exploitation

Citrix (Cloud Software Group) released patches Aug 26 for CVE-2025-7775 (CVSS 9.2, pre-auth RCE/DoS) plus CVE-2025-7776 and CVE-2025-8424 in NetScaler ADC/Gateway. Exploitation has been observed in the wild; there are no mitigations beyond upgrading to fixed firmware builds. Many health systems expose NetScaler for VPN/ICA/AAA—prioritize patching, especially where IPv6-bound LB services are configured. Health-ISAC and national CERTs amplified urgency this week. (Citrix Support, Canadian Centre for Cyber Security, Tech Radar, American Hospital Association)

Fresh breach notices highlight persistent vendor and rural-hospital risk

• Woodlawn Hospital (Indiana) disclosed on Aug 25 that files were copied from its network (unauthorized access between June 25–30). Review shows operational data impacted; notifications are underway. Smaller and rural hospitals remain disproportionately strained by incident costs and downtime. (Woodlawn Hospital)
• Healthcare Services Group, Inc. (HSGI)—a large support-services vendor to facilities nationwide—surfaced widely in consumer press this week with notices referencing a 2024 intrusion affecting ~624k people and including SSNs and financial data. Even when the intrusion window is historic, late-breaking confirmations and letters create current patient-facing risk. Validate third-party monitoring and indemnity clauses. (Tech Radar, Tom's Guide)

Enforcement drumbeat continues (carry-over but operationally live now)

OCR’s Aug 18 settlement with BST & Co. CPAs (a HIPAA business associate) over a ransomware incident included a $175k payment and a two-year CAP centered on risk analysis deficiencies. OCR’s “risk analysis enforcement” push remains active; expect audits to probe whether risk analyses are accurate, thorough, and kept current—especially for ransomware TTPs and third-party dependencies. (HHS.gov, Bank Info Security, JD Supra)

Medical-device/AI compliance keeps evolving (context you’ll feel now)

Although issued earlier this month, the FDA’s final guidance (Aug 18) on Predetermined Change Control Plans (PCCPs) for AI-enabled devices is driving immediate workstreams at providers and manufacturers (procurement language, SBOM governance, change-management assurances). Security teams should partner with biomed and supply-chain to ensure PCCP changes map to your validation and security-review process. (FDA.gov)

The numbers—tracking exposure and trend lines

HIPAA Journal updated breach statistics through July 31, noting continued high incident volumes year-to-date and refreshed visuals on attack vectors. Use these to benchmark your board reporting and tabletop scenarios (e.g., ransomware dwell times, email compromise prevalence). (HIPAA Journal)


What this means for your next 30 days

  • Immediate patching: Validate NetScaler exposure and upgrade paths; verify IPv6 service bindings and AAA/Gateway configurations against Citrix’s bulletin. Document compensating controls if maintenance windows lag.
  • Policy & process updates: Incorporate Part 2 enforcement into IR/Breach SOPs, train privacy and HIM teams, and ensure BA agreements/lawful holder inventories capture SUD record flows.
  • Revenue-cycle vigilance: If you received Change-related advances, align legal/RCM on offsets, ensure traceability, and prepare for potential inquiries or disclosures tied to repayment disputes.
  • Risk analysis hardening: Re-baseline your enterprise risk analysis against current ransomware techniques and third-party exposure—OCR is looking closely.
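As an added illustration (not code from this newsletter, from Citrix, or from any project the page cites), the following Python script shows one way to turn the "validate NetScaler exposure" step into a repeatable inventory check: it parses a `show ns version` line, compares the running build against a per-release-line table of fixed builds, and scans an ns.conf export for virtual servers bound to IPv6 addresses so those appliances go to the front of the patch queue. The version-string and `add ... vserver` line formats, the sample config, and the `FIXED_BUILDS_PLACEHOLDER` table are assumptions; the fixed builds are not stated on this page and must be copied from Citrix's bulletin before use.

```python
"""Added example: NetScaler patch-triage checks for a defender's inventory.

Assumptions (not from the page): the `show ns version` output format, the
ns.conf `add <lb|cs|vpn|authentication> vserver` syntax, and the placeholder
fixed-build table below, which must be replaced with Citrix's published builds.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# PLACEHOLDER: (build_major, build_minor) per release line. The page gives no
# fixed builds; copy them from the Citrix bulletin for CVE-2025-7775.
FIXED_BUILDS_PLACEHOLDER = {
    "14.1": (99, 99),  # placeholder, replace with the real fixed 14.1 build
    "13.1": (99, 99),  # placeholder, replace with the real fixed 13.1 build
}

# Matches e.g. "NetScaler NS14.1: Build 47.46.nc, Date: ..." or "NS14.1 47.46.nc"
_VERSION_RE = re.compile(r"NS(\d+\.\d+)\D+(\d+)\.(\d+)")


def parse_ns_version(text: str) -> tuple:
    """Return (release_line, build_major, build_minor) from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def needs_upgrade(version_text: str, fixed_builds=FIXED_BUILDS_PLACEHOLDER) -> Optional[bool]:
    """True if the running build is below the fixed build for its release line,
    False if at or above it, None if the release line is not in the table
    (unknown or end-of-life lines need manual review, not a silent pass)."""
    release, major, minor = parse_ns_version(version_text)
    fixed = fixed_builds.get(release)
    if fixed is None:
        return None
    return (major, minor) < fixed


@dataclass
class VServer:
    kind: str          # lb, cs, vpn (Gateway) or authentication (AAA)
    name: str
    service_type: str  # SSL, HTTP, ...
    ip: str
    port: int


# ns.conf lines: add <kind> vserver <name> <serviceType> <IPAddress> <port>
_VSERVER_RE = re.compile(
    r"^add (lb|cs|vpn|authentication) vserver (\S+) (\S+) (\S+) (\d+)", re.M
)


def find_ipv6_vservers(ns_conf: str) -> list:
    """Return the virtual servers whose VIP is an IPv6 literal; these are the
    configurations the bulletin singles out, so they are patched first."""
    found = []
    for m in _VSERVER_RE.finditer(ns_conf):
        kind, name, svc, ip, port = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # wildcard ('*') or non-literal VIP: not an IPv6 binding
        if addr.version == 6:
            found.append(VServer(kind, name, svc, ip, int(port)))
    return found


def exposure_report(version_text: str, ns_conf: str,
                    fixed_builds=FIXED_BUILDS_PLACEHOLDER) -> dict:
    """One record per appliance for the patch-tracking sheet: build status,
    IPv6-bound vservers, and a priority derived from the two."""
    v6 = find_ipv6_vservers(ns_conf)
    return {
        "version": version_text.strip(),
        "needs_upgrade": needs_upgrade(version_text, fixed_builds),
        "ipv6_vservers": [f"{v.kind}:{v.name}" for v in v6],
        "priority": "P1" if v6 else "P2",
    }


# Constructed sample input; not a real appliance or a real config export.
SAMPLE_VERSION = "NetScaler NS14.1: Build 47.46.nc, Date: Jan 1 2025"
SAMPLE_NS_CONF = """\
add lb vserver lb_portal_v4 SSL 192.0.2.10 443
add lb vserver lb_portal_v6 SSL 2001:db8::10 443
add vpn vserver vpn_gateway SSL 198.51.100.5 443
add authentication vserver aaa_v6 SSL 2001:db8::20 443
add lb vserver lb_internal HTTP 0.0.0.0 0
"""

if __name__ == "__main__":
    demo_fixed = {"14.1": (50, 0)}  # constructed demo value, not Citrix's build
    print(exposure_report(SAMPLE_VERSION, SAMPLE_NS_CONF, demo_fixed))
```

Feed the script the output of `show ns version` and a copy of ns.conf from each appliance; a `needs_upgrade` of `None` means the release line was not in your table and should be reviewed by hand rather than treated as patched.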