AI Needs More Than a BAA

Why privacy-first architecture is becoming essential in healthcare AI.

AI compliance takes more than a checklist, by HIPAA Vault

Too many healthcare organizations still approach AI compliance like a checklist: sign the BAA, update a few policies, and move forward. But the real issue starts earlier—with infrastructure. In the latest HIPAA Insider episode, Adam and Timothy Nobles explain why privacy-preserving technology is about reducing PHI exposure before data ever reaches a model.

What organizations often focus on:

  • Signed agreements

  • Policy updates

  • Encryption at rest and in transit

What stronger AI governance also requires:

  • Role-based access controls

  • Data minimization

  • De-identification strategies

  • Segmented environments

  • Reduced data movement across systems

Want the full conversation? Listen on Spotify or watch on YouTube.

Quote of the Week
“If you're actually building or buying AI for healthcare, you need more than just a contract — you need architecture.”

→ Explore HIPAA Vault services to build a secure, compliant foundation for healthcare AI and sensitive workloads.

Industry News Roundup

Axios got hacked—and a routine update turned into a malware threat

Axios, one of the most widely used JavaScript libraries for handling HTTP requests, was briefly compromised on npm after attackers reportedly gained access to a maintainer account and published two malicious versions, 1.14.1 and 0.30.4, on March 31, 2026. Instead of tampering with Axios’s visible core functionality, the attackers quietly inserted a rogue dependency, [email protected], which executed during installation and delivered a cross-platform remote access trojan affecting Windows, macOS, and Linux.

That detail is what made the incident especially alarming. Developers did not need to click on a suspicious link or open an infected attachment. In some cases, simply installing what looked like a routine package update was enough to expose a machine or CI/CD pipeline to malware. Because Axios is embedded in countless applications and developer workflows, the compromise immediately raised concerns far beyond one open-source package.

The malicious versions were taken down quickly, but the event still landed as a stark reminder of how fragile the software supply chain can be. The real risk was not just that Axios was compromised, but that trust in a widely used dependency became the attack vector. For developers and security teams, the lesson is simple: even trusted packages can become threats when maintainer access is hijacked.

That’s why this incident matters beyond JavaScript. It shows how modern attacks increasingly target the tools developers rely on every day, turning ordinary updates into opportunities for malware delivery.

→ Read more
Snyk analysis | StepSecurity breakdown | Bloomberg report

Six new breaches, same healthcare problem

Healthcare’s breach problem is not taking a week off. A new roundup highlights six recently disclosed healthcare data breaches affecting organizations in Georgia, New York, North Carolina, Texas, and California, with exposed information ranging from Social Security numbers and financial data to diagnoses, treatment details, insurance information, and billing records.

In several cases, the incidents stemmed from unauthorized network access or compromised email accounts, while some providers said stolen data was later posted online by threat groups.

The takeaway is familiar, but no less urgent: healthcare organizations are still dealing with the same painful mix of sensitive data, long investigation timelines, and expanding cyber risk.

→ Read the full breach roundup

OpenLoop breach could become one of healthcare’s biggest this year

Telehealth provider OpenLoop Health disclosed a data breach after an unauthorized third party accessed its systems between January 7 and January 8, 2026, and copied files containing sensitive information. According to the company’s notice, the exposed data included names, addresses, email addresses, dates of birth, and medical information, though Social Security numbers were not involved. OpenLoop has not yet confirmed the full scale of the incident, but a threat actor claiming responsibility said the breach may have affected 1.6 million patients, which would make it one of the largest healthcare breaches of the year if verified. For now, the case is another reminder that telehealth platforms remain a high-value target—and that even short intrusions can have outsized consequences.

→ Read the full OpenLoop breach report

Before AI touches ePHI, know where the risk lives

Healthcare AI can move fast. Risk moves faster. Before you connect new tools to sensitive workflows, you need to know where ePHI is stored, how it moves, and where the weak spots are hiding. That’s where a HIPAA risk assessment comes in. HIPAA Vault helps healthcare organizations spot vulnerabilities early, strengthen safeguards, and make smarter compliance decisions before small gaps turn into expensive problems.

What a risk assessment helps you do:

  • Find vulnerabilities across systems handling ePHI

  • Evaluate current safeguards and security gaps

  • Understand how data is stored, accessed, and exposed

  • Prioritize risks before they become breaches

  • Build a stronger compliance strategy for AI and beyond

Talk to an expert and Start Your Risk Assessment