2026 Compliance Training — Built for Mental & Behavioral Health

Behavioral Health Practices Are Facing Multi-Million Dollar Lawsuits. Yours Doesn’t Have to Be One of Them.

Arisa Health. Seven Counties Services. Behavioral Health Resources. Mental health organizations across the US are being targeted by ransomware, hit with OCR fines, and dragged into class action litigation. The 2026 HIPAA + Cybersecurity Training Bundle gives every member of your team the training — and the documentation — to protect your clients, your accreditation, and your organization.

  • Self-paced — fits around your clinical schedule
  • Certificates of completion included
  • Accredited training — 2.6 CEUs for licensed clinicians
  • Built for mental and behavioral health of every size

  • $1.9M (Arisa Health — 2024): Arisa Health agreed to a $1.9 million settlement after a March 2024 cyberattack exposed the protected health information of more than 375,000 behavioral health patients.
  • 375K (Patients — One Breach): A single behavioral health cyberattack exposed Social Security numbers, substance abuse records, diagnoses, and crisis notes for hundreds of thousands of patients.
  • #1 (Most Targeted Sector): Healthcare is the FBI’s #1 most targeted sector for ransomware in 2025 — 460 attacks and 182 breaches recorded. Behavioral health is disproportionately represented.
  • $7.42M (Avg. Healthcare Breach Cost): The average cost of a healthcare data breach in 2025 reached $7.42 million — settlements, OCR fines, legal fees, and reputational damage compound fast.

The Risk Is Real

Every Mental & Behavioral Health Provider Is a HIPAA-Covered Entity. Most Don’t Train Like It.

There is a persistent misconception in behavioral health that HIPAA is a hospital regulation — that the data protection rules written to safeguard protected health information concern large hospital systems, not therapy practices, addiction treatment centers, or outpatient behavioral health clinics. That belief is now costing mental health organizations millions of dollars, and it is wrong.

Your organization handles uniquely sensitive Protected Health Information every single day. Mental health diagnoses, therapy session notes, substance abuse treatment records, psychiatric evaluations, medications, and crisis intervention records — every piece of this data is legally protected under HIPAA and, in many states, under significantly stricter state privacy laws. The moment a patient file is created, your HIPAA obligations are active and legally enforceable.

Mental health records carry a higher sensitivity classification than general medical records. Cybercriminals know this. So do class action attorneys. Behavioral health data is more valuable on dark web markets precisely because it contains the type of deeply personal information patients most want kept private — diagnoses, treatment histories, substance abuse records, crisis notes. That sensitivity is what makes your organization a priority target.

Accreditation bodies — CARF, The Joint Commission, and international accreditors — actively require documented evidence of workforce training. When an accreditation surveyor or an OCR investigator asks whether your staff were trained, your certificates of completion are the answer that ends the conversation. If you cannot produce them, the conversation becomes far more expensive.

Why Now

Behavioral Health Is Under Legal Attack

These are not hypothetical risks. In the past three years, mental and behavioral health organizations across the United States have faced ransomware attacks, mass data exposures, and class action lawsuits that have cost them millions. These organizations looked exactly like yours before their breach.

The cases below are not outliers. They are the pattern — and the pattern is accelerating.

Arisa Health — Arkansas Behavioral Health
$1.9M Settlement
A March 2024 cyberattack breached Arisa Health’s network and exposed the protected health information of more than 375,000 patients — including Social Security numbers, substance abuse program completion records, medical histories, and diagnoses. Hackers had access for nearly three weeks before detection. A class action lawsuit followed.
2024 Cyberattack · Settled 2025

Seven Counties Services — Kentucky Mental Health
$1M Settlement
A 2024 data breach at this Kentucky mental health and therapy services provider exposed the private information of 132,609 individuals, including Social Security numbers, clinical diagnoses, medical histories, and dates of service. Settlement received preliminary court approval in December 2025.
2024 Breach · Settled 2025–2026

Behavioral Health Resources — Washington State
$1.1M Settlement
A November 2024 cyberattack on this Washington state mental health center exposed the PHI of 50,083 patients. Multiple class action lawsuits were filed and consolidated. The settlement fund of $1.1 million was established — plaintiffs alleged the provider failed to implement reasonable cybersecurity measures.
2024 Breach · Settled 2025

Therapeutic Health Services — Seattle
$790K Settlement
A February 2024 hacking incident — attributed to the Hunters International threat group — exposed the PHI of more than 14,000 patients at this addiction treatment and mental health counseling provider. Four class action lawsuits were filed and consolidated. Settlement agreed in 2025.
2024 Ransomware · Settled 2025

Fraser Child & Family Center — Minnesota
$750K Settlement
A 2024 data breach at this autism, behavioral health, mental health, and disability services provider in Minnesota resulted in class action litigation settled for $750,000. Fraser serves some of the most vulnerable patient populations — the breach triggered significant legal and reputational exposure.
2024 Breach · Settled 2025

Green Ridge Behavioral Health — Maryland
$40K OCR Fine
OCR fined this Maryland outpatient mental health practice $40,000 after a ransomware attack encrypted patient files and exposed the PHI of 14,000 patients. OCR found failures in risk analysis, security measures, and monitoring — and imposed a 3-year corrective action plan. No breach is too small for OCR attention.
Ransomware · OCR Enforcement 2024

In 2025, healthcare was the #1 most targeted sector for ransomware attacks — with 460 ransomware attacks and 182 data breaches recorded. Deer Oaks Behavioral Health paid $225,000 to OCR in July 2025 after multiple breaches exposed 171,871 patients. Class action attorneys are monitoring breach notifications daily. The question is not whether your organization is a target. It is whether your team is trained — and whether you can prove it.

The Solution

Introducing the 2026 HIPAA + Cybersecurity Training Bundle for Mental & Behavioral Health

Two Accredited Courses. Built for Healthcare. Designed for the Unique Privacy Demands of Behavioral Health.

ComplianceJunction has brought together two of the most comprehensive, healthcare-specific online training courses available in 2026 into a single, powerful bundle for mental and behavioral health organizations of every size — from solo therapy practices to multi-site behavioral health systems.

This is not generic compliance training with a mental health label on the cover. Both courses were written from the ground up for the specific realities of clinical practice — the workflows, the risks, the regulations, and the responsibilities unique to the healthcare environment. Your licensed clinicians, case managers, front-desk coordinators, billing staff, and administrative team will all find training that speaks directly to their role and their daily responsibilities.

Every staff member who completes both courses receives two certificates of completion — and licensed clinicians earn 2.6 CEUs. When an OCR investigator, a CARF surveyor, or a class action attorney asks for your training records, those certificates are the answer that ends the conversation.

The Bundle

Two Courses. Complete Coverage for Your Staff.

Course 1 — Updated for 2026

Accredited HIPAA Compliance Training for Organizations

3 hrs 30 mins
19 Modules
Self-Paced
Certificate Included
2.6 CEUs

Most HIPAA training is built around legal text. This course is built around real people doing real clinical work. Written specifically for healthcare professionals, it goes beyond regulatory definitions to help your entire behavioral health team develop a genuine compliance mindset — one that protects patients and your organization every day. Your therapists, psychiatrists, case managers, intake coordinators, and billing staff will find training that connects HIPAA rules to the situations they actually face.

Across 19 detailed modules, your staff will learn what Protected Health Information actually is in the context of behavioral health practice, their legal obligations, how to apply HIPAA rules in real-world clinical situations, and how to recognise and report security incidents before they become class action lawsuits.

19 Modules including:
  • Introduction to HIPAA
  • The Main HIPAA Rules
  • PHI in Behavioral Health
  • Patient Rights
  • Substance Abuse Records (42 CFR Part 2)
  • HIPAA & Social Media
  • Threats to Patient Data
  • Protecting Electronic PHI
  • Consequences of Violations
  • 2026 HIPAA Updates
  • + 9 More Modules
Course 2 — Healthcare-Exclusive

Comprehensive Cybersecurity Training for Healthcare Professionals

3 hrs
15 Modules
Self-Paced
Certificate Included

This is what makes this bundle different from every other compliance training on the market. Unlike generic IT security training bolted onto a healthcare label, this programme was written exclusively for healthcare professionals — addressing the specific threats, vulnerabilities, and compliance requirements of the medical environment, including behavioral health.

The Arisa Health attack lasted nearly three weeks before detection. The Behavioral Health Resources breach exposed 50,000 patients. Your intake team, therapists, and billing coordinators are on the front line of these attacks every single day. This course gives them the knowledge to recognise and stop threats before they become settlements.

Across 15 specialist modules, your team will learn why healthcare is ransomware’s number one target, how to identify phishing and social engineering, and how to handle devices, passwords, email, and social media safely in a clinical setting.

15 Modules including:
  • Cybersecurity Fundamentals
  • Why Healthcare Is Targeted
  • Social Engineering
  • Password Security
  • Safe Email & Messaging
  • PHI in Emails & Docs
  • HIPAA Technical Safeguards
  • Reporting Incidents
  • Real-World Case Studies
  • Ransomware Defense
  • + 5 More Modules

Why the Bundle Works

Why HIPAA Training Alone Is No Longer Enough for Behavioral Health

For years, annual HIPAA training was the checkbox behavioral health organizations needed to tick. Complete the course, file the certificates, move on. The threat landscape your organization operates in today is fundamentally different.

The Arisa Health breach didn’t happen because staff didn’t know the HIPAA Privacy Rule. It happened because an attacker found an opening — and stayed undetected for nearly three weeks. Every major behavioral health data breach of the past three years was a cybersecurity event, not a compliance education event. Mental health records are among the most sensitive data on the dark web — that is exactly why behavioral health providers are being targeted at an accelerating rate.

Know the Rules

HIPAA training ensures every member of your behavioral health team understands their legal obligations, how to handle patient data, and their responsibilities under the law — including the stricter protections around mental health and substance abuse records.

Stop the Attacks

Cybersecurity training equips your team to identify and block the ransomware, phishing, and social engineering attacks that have already hit Arisa Health, Seven Counties Services, and Behavioral Health Resources — organizations exactly like yours.

Prove Compliance

Two certificates per staff member means documented, defensible evidence for OCR audits, CARF and Joint Commission surveys, malpractice insurers, and — if it comes to it — class action defence counsel. The certificate is the answer.

The Bundle

Everything Included

2026 HIPAA Compliance Training

19 modules, 3.5 hours, updated for 2026 regulatory changes and the latest OCR enforcement actions.

Healthcare Cybersecurity Training

15 modules, 3 hours, written exclusively for healthcare — not repurposed from generic IT training.

Two Certificates of Completion

Per staff member — documented evidence for OCR audits, accreditation surveys, and insurer requests.

2.6 CEUs for Licensed Clinicians

Accredited continuing education units — a critical differentiator for your therapists, counselors, and social workers.

Real-World Case Studies

Including behavioral health breach events — real stories that connect training to the exact threats your organization faces.

Interactive Knowledge Checks

Reinforcing key learning throughout both courses to ensure genuine understanding, not passive watching.

Fully Self-Paced

Staff complete training around their clinical schedule — no fixed timetable, no disruption to patient sessions.

Admin Reporting Dashboard

Real-time visibility on staff completion across your entire organization — audit-ready at any moment.

Who This Is For

Built for Behavioral Health Organizations Like Yours

Every member of your team who interacts with patient information carries HIPAA obligations. That includes everyone below.

Practice Owners & Executive Directors

You carry personal and organizational liability for your practice’s HIPAA compliance. Documented workforce training is your first and most important line of defence in any investigation.

Licensed Therapists, Counselors & Social Workers

Clinicians handle PHI in every session. They need training that connects their daily clinical work to HIPAA requirements — and earns them the 2.6 CEUs their licensure requires.

Psychiatrists & Prescribers

Prescribers manage medication records, electronic prescriptions, and diagnosis codes — all protected under HIPAA. Targeted training ensures their documentation practices meet regulatory requirements.

Intake Coordinators & Front Desk Staff

Your intake team is the most frequent target for social engineering and phishing attacks. Practical, specific training for the people who answer your phones and first handle patient information.

Case Managers & Support Staff

Case managers coordinate care across multiple systems and providers, handling PHI at every step. Training ensures they understand their obligations and recognise security threats in their workflow.

Billing, Finance & Administrative Teams

Billing teams process PHI tied to diagnoses, insurance claims, and financial records — often outside the direct clinical environment. They carry significant compliance exposure and need targeted training.

Trusted by Mental & Behavioral Health Organizations

What Mental Health Leaders Are Saying

Privacy is key to everything that we do at J Flowers Health Institute. We require the highest data privacy standards in our daily operations between our team members and patients. The HIPAA compliance and cyber security training we provide to our teams with ComplianceJunction creates enormous value for our organization. All new hires in our organization must do this training plus all staff must do the annual refresher course with ComplianceJunction.

Robin French

Vice President of Provider and Client Experience | J. Flowers Health Institute

ComplianceJunction has been so helpful in implementing a HIPAA training program for our staff. As business owners, we have access to track our employee participation and progress in the training. It was important to our staff to receive CEUs for this training, and when we proposed the idea to ComplianceJunction they were on it! We are grateful for the collaboration in tailoring the training and the opportunity to continue to work with ComplianceJunction as our training provider.

Kara Lacey, LMFT

Co-Founder & Therapist | River Wards Wellness Collective

The value in what ComplianceJunction has brought to WBC Counseling is so far reaching for us. They provide up-to-date, current HIPAA trainings that prove to be a great resource for our staff. The trainings are an excellent source that garner not only a well put together educational means to instruct our staff, but through them, we are able to maintain our company’s compliancy requirements with our international accreditation status.

Tyrone Staples

Business Operations Manager | WBC Counseling

Accredited. Trusted. Built for 2026.

ComplianceJunction training is accredited and recognised for healthcare compliance. Both courses are updated to reflect 2026 regulatory requirements, including the latest HIPAA Privacy Rule changes and proposed Security Rule updates. Certificates of completion are issued on successful course completion and serve as documented evidence of workforce training for OCR audit purposes, accreditation surveys, and malpractice insurer requirements.

Accredited Training

2026 Updated Content

2.6 CEUs for Clinicians

Certificates on Completion

OCR Audit-Ready

Healthcare-Specific

Trusted by Behavioral Health

FAQs

Frequently Asked Questions

Is my behavioral health practice really at risk? We’re a small organization.
Yes — and smaller organizations are often more vulnerable, not less. Green Ridge Behavioral Health was a single outpatient practice when it received its OCR fine for a ransomware attack. Seven Counties Services had 132,609 patient records exposed. Behavioral Health Resources lost 50,083 patient records. Class action attorneys are monitoring healthcare breach notifications daily, and behavioral health providers of every size are on their radar. The training cost is measured in hundreds of dollars. The settlement cost is measured in millions.
What patient data in my behavioral health organization is Protected Health Information?
A very broad range of information qualifies as PHI: patient names and contact details, therapy session notes, psychiatric diagnoses and evaluations, medication lists and prescriptions, substance abuse treatment records, crisis intervention records, dates of service, health insurance details, Social Security numbers, and any financial information tied to a health claim. Mental health and substance abuse records carry an especially high sensitivity classification. If it connects to an identifiable patient and relates to their health, treatment, or payment for care, it is PHI — and your full HIPAA obligations apply.
Do licensed clinicians earn CEUs for completing this training?
Yes. Our HIPAA training is accredited for 2.6 Continuing Education Units (CEUs). As Kara Lacey at River Wards Wellness Collective specifically noted: “It was important to our staff to receive CEUs for this training, and when we proposed the idea to ComplianceJunction they were on it!” For licensed therapists, counselors, social workers, and other licensed clinicians, this is a meaningful differentiator — your team meets their compliance obligations and their licensure renewal requirements in the same training programme.
How long does the training take, and can staff complete it around their clinical schedule?
The HIPAA course takes approximately 3 hours 30 minutes. The Cybersecurity course takes approximately 3 hours. Both are entirely self-paced — your team can complete modules in sessions that fit around their patient schedule. There are no fixed start times and no group sessions required. Staff at River Wards Wellness Collective and J. Flowers Health Institute have successfully integrated ComplianceJunction training across their full clinical and administrative teams without disrupting operations.
How does this help with our CARF or Joint Commission accreditation?
CARF, The Joint Commission, and other behavioral health accreditors require documented evidence of workforce compliance training. ComplianceJunction certificates of completion, combined with real-time reporting from your admin dashboard, provide precisely the documented record that accreditation surveyors look for. Tyrone Staples at WBC Counseling noted that ComplianceJunction helps them “maintain our company’s compliancy requirements with our international accreditation status.” Your certificates are your accreditation evidence.
Can we enrol our whole team, including staff across multiple locations?
Yes. The bundle is designed to be scalable for organizations of any size — from a sole practitioner with a small support team to a multi-site behavioral health system with hundreds of staff. J. Flowers Health Institute requires all new hires and all existing staff to complete ComplianceJunction training annually. As Robin French noted: “All new hires in our organization must do this training plus all staff must do the annual refresher course.” Contact us to discuss volume enrolment options for your team.
Why do we need cybersecurity training as well as HIPAA training?
Because the breaches that triggered the $1.9M Arisa Health settlement, the $1.1M Behavioral Health Resources settlement, and the $790K Therapeutic Health Services settlement were cybersecurity events — not HIPAA policy failures. Ransomware, phishing emails, compromised credentials, and social engineering attacks are how attackers get into behavioral health systems. HIPAA training teaches your team the rules they must follow. Cybersecurity training teaches them to recognise and stop the specific attacks being used against behavioral health providers right now. You need both — because the lawsuits happen when the attacks succeed.

Enrol Today

Don’t Be the Next Behavioral Health Organization in a Class Action Settlement.

Arisa Health didn’t plan to pay $1.9 million. Behavioral Health Resources didn’t budget for a class action. Seven Counties Services is settling a breach that started with a three-week window of undetected access.

The difference between an organization that weathers an OCR investigation and one that ends up in a class action often comes down to one question: can you demonstrate that your staff were trained?

Two accredited courses. 2.6 CEUs. Self-paced. Certificates included. Everything your behavioral health organization needs to face 2026 with confidence.
