HIPAA Breaches Aren’t Just a “Big Company” Problem: What ABA Businesses Need to Learn from the WellNow Settlement

Posted 14 hours ago      Author: 3 Pie Squared Marketing Team

News of a huge HIPAA settlement might make ABA business owners think, “That could never happen to me.” But the WellNow Urgent Care data breach is the perfect case study for why every ABA practice—big or small—needs to take the basics seriously.

What Happened?

On or around April 25, 2023, WellNow’s third-party billing vendor, Practicefirst, suffered a ransomware attack. Files were encrypted and the protected health information (PHI) of potentially tens of thousands of patients was compromised—names, addresses, Social Security numbers, dates of birth, medical and insurance info, and more. In response, a class action lawsuit was filed. The settlement has received preliminary court approval, and the final hearing is set for August 15, 2025. Payments to affected individuals will be made within 75 days of final approval, and anyone wanting to opt out or file a claim must do so by July 11, 2025. You can find full details on the settlement website: https://wellnowdatasecuritysettlement.com/

The Real Lesson for ABA Practice Owners

The specifics might sound technical, but the risks are painfully ordinary:

  • A routine vendor relationship.
  • Malware/ransomware attack—often triggered by a single click on a phishing email.
  • Missing, outdated, or incomplete Business Associate Agreements (BAAs).
  • No ironclad system for checking the security and HIPAA-readiness of every vendor who handles client data.

You don’t need to be a giant chain to get caught in this trap. If you’re an ABA business owner, every EHR, billing company, scheduling tool, or cloud service you use is a potential vulnerability. And regulators, courts, and your clients expect you to have those BAAs and security checks in place, every single time.

What Does This Mean for ABA Businesses?

  • Legal and Financial Exposure: Fines, lawsuits, and settlements don’t just happen to giant companies. Even a small breach can put an ABA startup out of business.
  • Reputation at Risk: One breach can damage years of trust with families and school partners—especially when your whole mission is about helping vulnerable kids.
  • Everyday Actions Matter: The “little stuff”—making sure you actually have a current BAA, not clicking on a sketchy email link, updating your HIPAA manual, and confirming that staff (and vendors) are trained—often makes the biggest difference.

What Should You Do Right Now?

  1. Audit Your Vendor List: Who has access to your client or billing data? Does every one of them have a signed, current BAA on file?
  2. Review Your HIPAA Policy Manual: If you’re still using a generic download from years ago, it’s time to upgrade to something ABA-specific and current.
  3. Train (and Retrain) Your Staff: Everyone on your team—including your BCBAs, billing people, and techs—needs to know how to spot phishing, use secure communications, and handle PHI safely.
  4. Partner with True Experts: We’re now working with a HIPAA consultant who understands the realities of ABA and healthcare. Even better, 3 Pie Squared clients get an exclusive 10% discount for any consulting engagement.

How We Can Help (and Why You Don’t Have to Do This Alone)

Staying on top of HIPAA is tough, but you don’t have to figure it out by yourself. We now offer dedicated HIPAA Consultation services—whether you need help setting up Microsoft 365 or Google Workspace for HIPAA compliance, want a thorough risk assessment, or need advice on vendor management and BAAs.

Our ABA-specific HIPAA Policy Manual is built for today’s practice. It includes:

  • A full risk assessment template
  • A BAA template you can use with any vendor
  • Comprehensive staff training modules
  • State privacy law summaries, so you’re covered beyond just federal requirements

If you want expert guidance (and to take advantage of our new 10% discount for all 3 Pie Squared customers), you can book a HIPAA consult with our partner anytime. Book here: https://3piesquared.com/stephen-booking-page

Find out more about the HIPAA Policy Manual here: https://3piesquared.com/productDetails/hipaa_policy_manual
