More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date. Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach. (Full post: Anthem Agrees to Pay Largest HIPAA Settlement at $16M for Massive Breach)
Dena M. Castricone, CIPP/US is the chair of the Privacy and Cybersecurity group and a member of the Long Term Care and Health Care groups. She also serves as Chair of the firm’s Women Expanding Business initiative and co-chair of the firm’s Pro Bono Committee. Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.
As the Chair of the Privacy and Cybersecurity group and a Certified Information Privacy Professional (CIPP/US), Dena provides the full complement of data breach coaching services to business and health care clients, including breach notification to individuals and various government entities. Related to data breaches, she also counsels clients on the creation of information security plans, incident response plans and other proactive measures. Additionally, Dena advises clients on compliance with state, federal and international privacy laws, including the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), as well as many others. Dena has written extensively on privacy and cybersecurity issues, and she is the Co-Editor of Privacy and Cybersecurity Perspectives.
In the first installment of our weekly series during National Cybersecurity Awareness Month, we examine information security plans (ISPs) as part of an overall cybersecurity strategy. Regardless of the size or function of an organization, having an ISP is a critical planning and risk management tool and, depending on the business, it may be required by law. An ISP details the categories of data collected, the ways that data is processed or used, and the measures in place to protect it. An ISP should address the different categories of data maintained by the organization, including employee data and customer data as well as sensitive business information like trade secrets. (Full post: The Importance of Information Security Plans)
In recognition of National Cybersecurity Awareness Month, each Friday this October we will highlight a different step that organizations can take to increase awareness of potential cyber threats, reduce the risk of a cyber attack or minimize damage from an attack. All four steps are solutions that all organizations, regardless of size or budget, can implement. Specifically, over the course of the month we will examine information security plans, training, vendor due diligence, and data retention and destruction as tools organizations can use to arm themselves both to prevent a cyber attack and to respond in the event of one. (Full post: October is National Cybersecurity Awareness Month!)
Just days before the EU Commission reassesses the EU-US Privacy Shield program in light of the EU Parliament’s recent adequacy criticisms, the Federal Trade Commission (FTC) announced settlements with four companies allegedly falsely claiming participation in the program. One of the issues the EU Parliament cited this summer with the EU-US Privacy Shield program was a lack of US oversight and enforcement. (Full post: More FTC Privacy Shield Settlements, But Will It Be Enough For The EU?)
The California Attorney General’s office reported today that Uber will pay $148 million to resolve claims related to a 2016 data breach that Uber concealed. In addition to failing to report the breach, Uber paid the hackers $100,000 as part of the cover-up. The breach involved the information of 57 million customers and drivers. According to reports, the $148 million will be shared with other states participating in the nationwide investigation. This 2016 breach and a 2014 breach involving a failure to employ reasonable security practices already caught the attention of the Federal Trade Commission (FTC). Uber agreed to resolve those claims earlier this year. Also related to the 2014 breach, Uber caught a break when a judge tossed a class action suit for lack of standing in May.
On September 23, 2018, California’s governor signed into law the first round of revisions to the California Consumer Privacy Act (CCPA), the most sweeping privacy legislation in this country. California enacted the CCPA in June and it takes effect on January 1, 2020. Inspired by the European Union’s General Data Protection Regulation, the California legislature initially drafted the CCPA in haste to avoid a ballot initiative containing more onerous provisions for businesses. Not surprisingly, the hurried and voluminous legislation contained a number of issues that ranged from drafting errors to significant enforcement and compliance hurdles. Accordingly, as expected, at the end of August the legislature passed S.B. 1121, which contained several revisions to address some but not all of those issues, including a possible enforcement delay of up to six months. (Full post: California Governor Approves Revisions to Consumer Privacy Act)
On September 20, the Department of Health and Human Services Office for Civil Rights (OCR) announced separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH) with penalties totaling $999,000. In each instance, a news story about ABC News filming a medical documentary (a Boston Globe article on BMC and BWH and a posting on MGH’s website) prompted OCR to conduct “a compliance review.” In all three separate investigations, OCR found deficiencies. While the BMC settlement agreement does not provide any details on the specifically alleged improper conduct, the BWH and MGH agreements note that both hospitals took measures to protect patient information but OCR nonetheless found the efforts to be inadequate. In those agreements, OCR implies that BWH and MGH obtained at least some written authorizations but disclosed information to the film crews before obtaining those authorizations. (Full post: Boston-Area Hospitals Pay Nearly $1M in Penalties for Permitting Filming of “Boston Med”)
On September 18, 2018, Connecticut’s governor released an annual report on the cybersecurity sophistication and readiness of the state’s electric, natural gas and major water companies. The four participating utility companies were Aquarion, Avangrid, Connecticut Water and Eversource. (Full post: Report on Cyber Readiness of Connecticut Utility Companies)
In recognition of the vulnerability of mobile devices and the daily use of those devices in health care, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) released a practice guide earlier this month entitled Securing Electronic Health Records on Mobile Devices (NIST Special Publication 1800-1). NIST and NCCoE specifically examined physician use of a mobile device (i.e., a smartphone or tablet) to send a referral or an electronic prescription. Using open-source tools and commercially available technologies, NIST and NCCoE offer technical guidance on how to ensure that such mobile device use complies with the HIPAA Security Rule and is in line with NIST best practices. The 260-page practice guide has something for everyone: high-level summaries for business leaders and technical guidance for information security and technology teams.
On August 3, 2018, Ohio’s governor signed into law the Data Protection Act, which provides businesses with an affirmative defense to data breach claims if the business was in compliance with reasonable security measures at the time of the breach. Specifically, a business would have to show that it creates, maintains and complies with “a written cybersecurity program . . . that reasonably conforms to an industry recognized cybersecurity framework.” Acceptable standards include the NIST framework and compliance with PCI requirements. For businesses subject to regulatory standards, evidence of compliance with those regulatory standards, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), will also provide protection. Many believe that this legislation will encourage businesses in Ohio to allocate more resources to cybersecurity and data protection programs.