Daniel J. Kagan

Dan is an active member of the Privacy and Cybersecurity Practice Group. He is also in the Health Care and Long Term Care Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management and reimbursement issues.

The conversation surrounding the data we put online continues to heat up.  Bloomberg reports that in 2015, Twitter sold access to randomly selected tweets to Aleksandr Kogan, the individual who created the personality quiz that Cambridge Analytica then used to harvest Facebook user data.  Working under his own commercial enterprise, Global Science Research, Mr. Kogan gained access to a random sampling of five months of Twitter posts, covering the dates of December 2014 to April 2015.  As of the date of this blog post, Twitter has not provided any further details other than confirming that it provided access to this public data through its application programming interface, known as API, and that Global Science Research paid for this access.  While not much is known at this stage about Global Science Research’s purpose for accessing this data, it becomes yet another example of a social media company sharing its users’ information, this time for a price.  In our interconnected world, it will be interesting to see if social media users begin to retreat from sharing information online or whether such practice is already too entrenched in our day-to-day life to experience a shift.

In the wake of the Facebook and Cambridge Analytica scandal, another social media company, Grindr, a gay dating app, has come under scrutiny for its sharing of sensitive personal information with third parties.  In particular, Norwegian research outfit SINTEF, after analyzing Grindr’s traffic, alleges that Grindr shares its users’ disclosed HIV status and last tested date, GPS location and other demographic profile information with third parties.


Facebook is the subject of a recent media blitz due to the allegations that 50 million people had their information improperly disclosed to Cambridge Analytica, a data research firm that may have played a role in the 2016 election.

The premise of the allegations is that Cambridge Analytica sent out a personality test to roughly 270,000 of Facebook’s users, stating that it would use the test for academic purposes.  However, allegedly, Cambridge Analytica collected the personal information not only of those who replied to the survey, but also of all of those individuals’ Facebook “friends.”  By doing so, the 270,000 users extrapolated to 50 million users.

On February 16, 2018, the U.S. Supreme Court denied certiorari to review CareFirst’s appeal of the U.S. Court of Appeals, D.C. Circuit’s decision in Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017).  The D.C. Circuit held that the threat of harm from a data breach is enough to satisfy the “injury in fact” standing requirement.  Other circuit courts of appeal have reached the opposite conclusion.  Unfortunately, the U.S. Supreme Court will not be addressing that circuit split this session.  See our previous entry on the CareFirst case.

On Monday, February 5, 2018, the Massachusetts Attorney General’s Office (AGO) sent an e-mail blast regarding its new online form for businesses needing to report breaches under Chapter 93H of the Massachusetts General Laws. As of February 1, 2018, the AGO has a new online form that businesses may use for reporting such breaches in lieu of sending a paper letter or e-mail to the AGO; however, the AGO still allows both of those reporting methods. Using the new online form also allows the business notifying the AGO of the breach to attach additional documents to the notification, e.g., a sample of the breach notice sent to affected Massachusetts residents. While the AGO does not require businesses to use the new online form, it believes that the new form will be more useful and efficient. The new online form can be accessed from the AGO’s website here.  Additionally, in the coming weeks Massachusetts expects to launch a breach notification database, allowing persons to search breaches reported by businesses, when such breaches occurred and how many residents the breach affected.

It is worth noting that the United States Health and Human Services Office of Civil Rights has a similar database for HIPAA breaches that affected over five hundred persons.  The Health Care community colloquially dubbed that database the “Wall of Shame.” We will wait and see if the Massachusetts database receives any nickname.

Based on the decision in a recent Connecticut Supreme Court case, patients may now sue physicians for breaching confidentiality. Previously, Connecticut did not recognize breach of confidentiality as a cause of action. The unauthorized disclosure at the heart of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. involved a provider’s response to a subpoena. Subpoena compliance has long been an area of confusion for providers. After Byrne, not only must providers pay special attention when responding to subpoenas but now they must also worry about broader breach of confidentiality claims by patients.

W-2 phishing season is just a few weeks away.  For the past several tax seasons, cyber criminals have duped hundreds of payroll departments into providing W-2 information on their employees, which results in the filing of fraudulent tax returns and other identity theft issues.  These attacks are incredibly disruptive to employees, extremely expensive for employers and are completely avoidable with some training.

Just last week, a Verizon Communications vendor misconfigured a cloud server, causing the information of 6 million Verizon customers to be exposed online. When a cyber incident or data breach occurs on your vendor’s watch, regardless of fault, you own the resulting legal obligations and costs. The best tools for managing the risk of using vendors are due diligence and adequate contract provisions.

Data breaches have become commonplace in every industry. In health care, however, it costs much more to respond to a data breach than in all other industries in this country, according to the results of a recent IBM-sponsored study.  The report estimates that a health care data breach costs $380 per record on average versus $225 per record in other industries. While the increased cost of a health care record is unavoidable due to the sensitive nature of the information and the fact that it is more valuable to criminals on the dark web, health care providers can take steps to prepare for a data breach, which can reduce the risk of a breach occurring and minimize costs if one occurs.

On Friday, May 12, 2017, a damaging ransomware attack swept across more than one hundred countries and infected tens of thousands of computers. As is becoming all too common, the hackers transmitted the ransomware via a phishing e-mail, and then, once the user clicked the bait, the hackers used a method thought to have been developed by the National Security Agency, and locked businesses out of their systems. The ransomware impacted businesses both large and small, notably including FedEx, the Russian Interior Ministry, a large Spanish telecommunications company and sixteen of Great Britain’s hospitals, which were forced to turn patients away. While affected businesses must focus on damage control and clean-up in the wake of the attack, unaffected businesses should react and take steps to protect themselves ahead of being on the receiving end of the next cyber incident. Accordingly, here are five things that all businesses can do.