Samwise Healthcare IT Newsletter
Thursday, April 23, 2026
Covenant Health Data Breach Grows to 478,000 Patients
Covenant Health, the Andover, Massachusetts-based health system, updated its victim notifications for a May 2025 cyberattack, now reporting that 478,188 individuals were affected — including 284,529 Maine residents — nearly double earlier estimates. The hacking incident occurred on May 18, 2025, and the expanded scope reflects ongoing forensic analysis that frequently reveals broader impact weeks or months after initial discovery. Affected individuals are receiving updated breach notification letters. The incident is among the latest in a pattern of post-breach notification updates in which healthcare organizations discover the true scope of compromised data long after remediation begins. Covenant Health has not publicly disclosed the specific data types exposed per affected individual.
Sources: Healthcare IT News
Federal Democrats Oppose OPM Plan to Collect Identifiable Health Data on 10 Million Government Workers
The U.S. Office of Personnel Management proposed requiring federal health benefit carriers to submit identifiable medical claims, pharmacy records, encounter data, and provider information for more than 10 million federal and postal workers, retirees, and their dependents. House Democrats on the Oversight Committee pushed back in an April 17 letter, citing privacy and security risks and concerns the Trump administration could use the data to target civil servants. CVS Health and five other organizations questioned OPM’s legal authority to retain beneficiary-level claims data in a centralized warehouse during public comment. Approximately 65 insurers provide coverage under the Federal Employees Health Benefits program.
Sources: GovInfoSecurity
HSCC Publishes 109-Page Guide to Help Health Organizations Manage AI Vendor Cyber Risk
The Health Sector Coordinating Council released a 109-page guidance document to help healthcare organizations manage cybersecurity risks from third-party artificial intelligence tools. The guide addresses AI supply-chain risk from procurement through decommissioning, with targeted sections for CISOs, compliance teams, legal staff, and AI governance leaders. It draws on the NIST AI Risk Management Framework and HHS-backed Health Industry Cybersecurity Practices, offering contract language, business associate agreement tips, and training curricula. The guidance arrives as health systems increasingly rely on AI-embedded EHR modules, remote patient monitoring tools, and clinical decision support systems whose security and data governance practices are difficult for buyers to independently verify.
Sources: GovInfoSecurity
House Passes Bill Extending Medicare Telehealth Waivers Two Years, Hospital-at-Home Five Years
The U.S. House of Representatives passed a Department of Health and Human Services spending bill extending Medicare telehealth flexibilities through December 31, 2027, and hospital-at-home waivers through September 30, 2030. The telehealth provisions remove Medicare’s geographic requirements, expand eligible practitioner types, preserve audio-only visits, and mandate HHS guidance for limited-English-proficiency patients. The hospital-at-home extension allows qualifying hospitals to deliver acute inpatient-level care in patients’ homes for five additional years. The bill now advances to the Senate. The extensions preserve care delivery models adopted during the COVID-19 pandemic that providers and patient advocates have lobbied Congress to make permanent.
Sources: Healthcare IT News
Trump Administration Undecided on Whether to Finalize Major HIPAA Security Rule Overhaul
The Trump administration has not determined whether to finalize or withdraw a sweeping HIPAA Security Rule modernization proposed by the Biden administration, according to April 2026 reporting. The overhaul — the first significant update to the rule in decades — would mandate encryption of protected health information at rest and in transit, require multifactor authentication, demand vulnerability scans every six months, and require critical patches within 15 days. HHS estimated first-year compliance costs at approximately $9 billion. More than 100 provider groups have urged HHS to withdraw the proposal, citing implementation burden, while cybersecurity advocates argue the outdated rule creates systemic risk across the healthcare sector.
Sources: GovInfoSecurity
Epic Health Systems Begin Sharing Patient Records with Social Security Administration via TEFCA
Thirteen hospitals and 374 clinics using Epic electronic health records are now exchanging patient medical records instantly with the U.S. Social Security Administration through the Trusted Exchange Framework and Common Agreement, accelerating disability benefit determinations. Secure electronic exchange has historically helped SSA complete benefit determinations up to 50 percent faster than paper-based processes, and one benefit was approved within a single business day of submission. More than 1,000 hospitals and 22,000 clinics participate in TEFCA overall. The SSA connection expands the network’s utility beyond clinical care coordination into government benefit administration, representing a significant milestone for federal health data interoperability.
Sources: Healthcare IT News
HHS Restores ONC as Standalone Health IT Policy Office, Drops ASTP Dual Title
The U.S. Department of Health and Human Services reversed a 2024 reorganization effective March 31, reinstating the Office of the National Coordinator for Health Information Technology as a standalone office separate from the Office of the Assistant Secretary for Technology Policy. Under the prior structure, the ONC director simultaneously held the ASTP title and a broader technology portfolio. National Coordinator Dr. Thomas Keane said the realignment lets ONC focus more intently on standards, certification, and policy, while enterprise technology and infrastructure responsibilities return to HHS’s Office of the Chief Information Officer. The change affects agency direction for EHR interoperability, AI governance, and information-blocking enforcement.
Sources: Healthcare IT News
AI Scribes Cut Daily EHR Documentation Time by Up to 16 Minutes, Study Finds
A study of clinicians using ambient AI documentation tools found that adoption reduced daily EHR use by approximately 13 minutes and cut documentation time by 16 minutes, according to April 2026 research reported by Healthcare IT News. Primary care physicians, advanced practice providers, and frequent users — those deploying AI scribes in at least half of encounters — saw the most pronounced gains. Female clinicians also benefited above average. The findings strengthen a growing evidence base for AI scribe adoption as a tool to reduce clinician burden. Researchers cautioned that even top-performing AI scribes carry hallucination rates of 1 to 3 percent, a risk with direct clinical consequences.
Sources: Healthcare IT News
Curated by JD · samwise.agency
