Yesterday, DHHS’s Office for Civil Rights (OCR) announced a $100,000 settlement with a dissolved medical records moving and storage company in Illinois.  This is another example of OCR bringing enforcement actions against a business associate under HIPAA.  OCR investigated a complaint that the business associate brought medical records to a shredding and recycling facility in exchange for cash.  According to OCR, it confirmed that the business associate violated the HIPAA Privacy Rule when it left the medical records of approximately 2,150 people at the shredding and recycling facility.  Due to other legal troubles, a court had already forced the business associate to liquidate its assets and appointed a receiver to pay its debts.  The receiver agreed to pay the $100,000 settlement and to ensure that the storage and disposal of the remaining medical records would be in compliance with HIPAA.

Read a copy of the Resolution Agreement here.

On Monday, February 5, 2018, the Massachusetts Attorney General’s Office (AGO) sent an e-mail blast regarding its new online form for businesses needing to report breaches under Chapter 93H of the Massachusetts General Laws. As of February 1, 2018, the AGO has a new online form that businesses may use for reporting such breaches in lieu of sending a paper letter or e-mail to the AGO; however, the AGO still allows both of those reporting methods. Using the new online form also allows the business notifying the AGO of the breach to attach additional documents to the notification, e.g. a sample of the breach notice sent to affected Massachusetts residents. While the AGO does not require businesses to use the new online form, it believes that the new form will be more useful and efficient. The new online form can be accessed from the AGO’s website here. Additionally, in the coming weeks Massachusetts expects to launch a breach notification database, allowing persons to search breaches reported by businesses, when such breaches occurred and how many residents each breach affected.

It is worth noting that the United States Health and Human Services Office for Civil Rights has a similar database for HIPAA breaches that affected over five hundred persons. The health care community colloquially dubbed that database the “Wall of Shame.” We will wait and see if the Massachusetts database receives any nickname.

Yesterday, OCR announced its $3.5 million settlement with Fresenius Medical Care Holdings (“Fresenius”) to resolve alleged HIPAA violations.  While the large settlement figure alone is eye-catching, the underlying facts require the complete attention of HIPAA covered entities.  OCR is sending a message about HIPAA Security Rule compliance.

Five Fresenius entities in five different states suffered five completely separate but relatively common breaches. Each breach involved stolen or missing equipment. No one breach involved records of more than 500 patients. In fact, combined, the total number of patients impacted was 521. As a reminder, the $5.5 million settlement this time last year with Memorial Health Care System involved the records of 115,143 individuals.

Continue reading: $3.5 M OCR Settlement for Five Breaches Affecting Fewer Than 500 Patients Each

In August, the United States Court of Appeals for the DC Circuit revived a class action lawsuit, holding that the threat of harm from a data breach is enough to satisfy the “injury in fact” standing requirement. Attias v. Carefirst, Inc., 865 F.3d 620 (DC Cir. 2017). The defendant, a group of health care insurers, filed a Petition for Writ of Certiorari to the United States Supreme Court on October 30 of last year. While the Supreme Court is deciding whether to grant the pending Petition, it is worthwhile to briefly review the standing question in the context of protecting your business from liability.

Continue reading: Can’t This Just Be Over? Standing In Cybersecurity Claims

Based on the decision in a recent Connecticut Supreme Court case, patients may now sue physicians for breaching confidentiality. Previously, Connecticut did not recognize breach of confidentiality as a cause of action. The unauthorized disclosure at the heart of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. involved a provider’s response to a subpoena. Subpoena compliance has long been an area of confusion for providers. After Byrne, not only must providers pay special attention when responding to subpoenas, but they must also worry about broader breach of confidentiality claims by patients.

Continue reading: Connecticut Recognizes New Cause of Action for Breach of Patient/Physician Confidentiality

After a data breach at VTech revealed practices that allegedly violated the FTC Act and the Children’s Online Privacy Protection Act (COPPA), VTech settled for $650,000 and agreed to implement a comprehensive data security program subject to audit for the next 20 years. VTech makes children’s electronic learning products. The FTC complaint alleged that VTech’s privacy policy promised that it would encrypt most transmitted information, but it did not. Further, the FTC claimed that VTech failed to comply with COPPA rules regarding the protection of information of children under 13. This settlement illustrates that the FTC is not letting businesses off the hook for lax information security programs, and it highlights the importance of accurate privacy policies. Know what rules apply to your business and be sure that the promises you make to your customers with respect to privacy are accurate. More information on the FTC settlement can be found here.

In the first week of the New Year, we learned that most computer processor chips sold over the past 10 years are vulnerable to side-channel attacks. These vulnerabilities, dubbed Spectre and Meltdown, could grant a hacker access to sensitive information, such as passwords and other personal information. According to the US Computer Emergency Readiness Team (US-CERT), and unlike software vulnerabilities such as those exploited in the WannaCry attacks, Spectre and Meltdown may require more than patches for protection, since the vulnerability is in the chip itself. In the short term, however, installing patches or updates may still be the best bet. Chip manufacturers are working to push out updates. US-CERT warns that the updates may diminish performance by up to 30% and recommends close performance monitoring. See the US-CERT page for information on patch availability and recommendations. In addition to patching, companies should monitor systems closely for suspicious activity and data leaks and should immediately implement the company incident response plan if there are any signs or indications that data has been improperly accessed or removed.

W-2 phishing season is just a few weeks away. For the past several tax seasons, cyber criminals have duped hundreds of payroll departments into providing W-2 information on their employees, which results in the filing of fraudulent tax returns and other identity theft issues. These attacks are incredibly disruptive to employees, extremely expensive for employers and completely avoidable with some training.

Continue reading: ‘Tis the Season: W-2 Phishing Scams Likely to Resurface After the New Year

On November 8, 2017, the Ninth Circuit concluded that the First Amendment did not protect the anonymity of Glassdoor.com users from a grand jury subpoena. Glassdoor operates the website Glassdoor.com, which permits employees to post anonymous reviews about their employers. An Arizona grand jury is investigating a government contractor that administers two VA healthcare programs for fraud and misuse of government funds. Eight Glassdoor.com users posted anonymous comments about the government contractor indicating that the users may have some information relating to the crimes under investigation. For example, one comment reads that the contractor “manipulate[s] the system to make money unethically off of veterans/VA.” Although there are 125 reviews of the contractor, the grand jury subpoena sought only information on the eight individuals whose reviews “referenced potentially fraudulent conduct.”

Continue reading: No First Amendment Privacy Protection from Grand Jury Subpoena for Identity of Anonymous Reviewers on Glassdoor.com