Photo of Dena M. Castricone

Dena M. Castricone, CIPP/US is the chair of the Privacy and Cybersecurity group and a member of the Long Term Care and Health Care groups.  She also serves as Chair of the firm’s Women Expanding Business initiative and co-chair of the firm’s Pro Bono Committee.  Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

As the Chair of the Privacy and Cybersecurity group and a Certified Information Privacy Professional (CIPP/US), Dena provides the full complement of data breach coaching services to business and health care clients including breach notification to individuals and various government entities.  Related to data breaches, she also counsels clients on the creation of information security, incident response plans and other proactive measures.  Additionally, Dena advises clients on compliance with state, federal and international privacy laws including the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) as well as many others. Dena has written extensively on privacy and cybersecurity issues and she is the Co-Editor of Privacy and Cybersecurity PerspectivesRead More

The Request for Information on Modifying HIPAA Rules to Improve Coordinated Care is slated for publication in the federal register tomorrow.  The Department of Health and Human Services’ Office for Civil Rights (OCR) issued an advance copy of the RFI yesterday.  Specifically, “OCR seeks information on the provisions of the HIPAA Rules that may present obstacles to, or place unnecessary burdens on, the ability of covered entities and business associates to conduct care coordination and/or case management, or that may inhibit the transformation of the health care system to a value-based health care system.”  The public comment period closes 60 days from December 14, 2018. Continue Reading OCR Issues Anticipated RFI on HIPAA Modifications

On Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with a three-physician allergy practice in Connecticut for HIPAA Privacy Rule violations.  According to OCR’s press release and corrective action plan, a physician responded to a reporter’s questions about the allergy practice turning away a patient with a service animal.  While the allergy practice had HIPAA policies and procedures in place, the involved physician did not adhere to the policies.  Further, once OCR uncovered the issue, it also found that the practice failed to sanction the involved physician in accordance with its policies. Continue Reading Six-Figure OCR Settlement for Three-Physician Practice Failing to Follow Policies

CMS recently sent a proposed request for information (RFI) to the Federal Office of Management and Budget (OMB) for review.  The RFI would seek feedback on whether provisions of HIPAA present barriers or otherwise discourage coordination of care among providers, payors and patients.  The RFI also seeks feedback on whether HIPAA “impede[s] the transformation to value-based health care without providing commensurate privacy or security protections. . . .”  Importantly, the RFI seems to acknowledge some of the most burdensome requirements under HIPAA by requesting feedback on provisions regarding accountings of disclosures and written acknowledgement of receipt of a notice of privacy practices.  The RFI also asks for comments regarding good faith disclosures.  Hopefully, this is a signal that there may be some common sense changes to HIPAA that reduce burdens on covered entities without jeopardizing patients’ privacy.  Stay tuned…

We’re all guilty of it.  We keep things that we don’t need, like that pair of stone-washed jeans from 1992 that you hope will come back into style or your beanie baby collection that you blindly believe might be worth something someday.  While our inability to purge old stuff from our closets may cost us closet space, the repercussions for an organization that hoards data are far more significant.  From a cybersecurity perspective, the more personal information a company maintains, the more information it has to lose.  Consequently, the more information a company loses, the higher the financial and reputational costs.

Continue Reading Less is more: The Role of Data Retention Policies in Cybsesecurtity Preparedness

More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date.  Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach.  Continue Reading Anthem Agrees to Pay Largest HIPAA Settlement at $16M for Massive Breach

In the first installation of our weekly series during National Cybersecurity Awareness Month, we examine information security plans (ISP) as part of an overall cybersecurity strategy.  Regardless of the size or function of an organization, having an ISP is a critical planning and risk management tool and, depending on the business, it may be required by law.  An ISP details the categories of data collected, the ways that data is processed or used, and the measures in place to protect it.  An ISP should address different categories of data maintained by the organization, including employee data and customer data as well as sensitive business information like trade secrets. Continue Reading The Importance of Information Security Plans

In recognition of National Cybersecurity Awareness Month, each Friday this October, we will highlight a different step that organizations can take to increase awareness of potential cyber threats, reduce the risk of a cyber attack or minimize damage from an attack.  All four steps are solutions that all organizations, regardless of size or budget, can implement. Specifically, over the course of the month we will examine information security plans, training, vendor due diligence and data retention and destruction, as tools organizations can use to arm themselves to both prevent and in the event of a cyber attack.  Continue Reading October is National Cybersecurity Awareness Month!

Just days before the EU Commission reassesses the EU-US Privacy Shield program in light of the EU Parliament’s recent adequacy criticisms, the Federal Trade Commission (FTC) announced settlements with four companies allegedly falsely claiming participation in the program.  One of the issues the EU Parliament cited this summer with the EU-US Privacy Shield program was lack of US oversight and enforcement. Continue Reading More FTC Privacy Shield Settlements, But Will It Be Enough For The EU?

The California Attorney General’s office reported today that Uber will pay $148 million to resolve claims related to a 2016 data breach that Uber concealed.  In addition to failing to report the breach, Uber paid the hackers $100,000 as part of the cover-up.  The breach involved the information of 57 million customers and drivers.  According to reports, the $148 million will be shared with other states participating in the nationwide investigation.  This 2016 breach and a 2014 breach involving a failure to employ reasonable security practices already caught the attention of the Federal Trade Commission (FTC).  Uber agreed to resolve those claims earlier this year.  Also related to the 2014 breach, Uber caught a break when a judge tossed a class action suit for lack of standing in May.