This document summarizes two recent announcements from the Department of Health and Human Services highlighting the need for state and local governments to regularly review their policies and procedures for protecting patient health information. An audit found serious cybersecurity lapses in 10 state Medicaid systems, including missing security plans, unencrypted laptops, and a lack of disaster recovery testing. Additionally, Skagit County, Washington, agreed to a $215,000 settlement for exposing patient information on a public server in violation of privacy and security rules. Both announcements emphasize the importance of risk assessments, administrative and technical safeguards, and compliance with health information privacy laws.