There is no doubt that social media has its benefits, especially for medical practices that have come to use it for marketing and advertising.  However, risks are lurking.  On October 2, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) entered into a $10,000 settlement with a dental practice (the “Practice”) for disclosing protected health information of a patient when responding to a review on a Yelp page.

Continue Reading

Think your business is too small to risk a cyber security threat? Do you have:

  • A point-of-sale cash register?
  • A credit card authorization system?
  • An email account?
  • Old software?
  • Any computer connected to the internet, ever?

We’ll explain the ways you never dreamed that you were at risk.
Continue Reading

Privacy and cybersecurity is at the forefront of everyone’s mind these days and, in 2018, the Office for Civil Rights (“OCR”) settled ten cases and prevailed in another before an Administrative Law Judge to the tune of $28,700,000. This is a new record for OCR, besting 2016 by over $5,000,000. The latest settlement clocked in at $3,000,000, owed by a health system in California that experienced two breaches of electronic protected health information (“ePHI”), which affected 62,500 individuals.  The first breach involved a security configuration where persons could access files with ePHI without a username or password, thereby making ePHI available to anyone with access to the health system’s server.  The second breach involved a server misconfiguration, exposing the health system’s ePHI over the internet, including social security numbers and treatment information.
Continue Reading

In this third installation of our weekly series during National Cybersecurity Awareness Month, we examine the importance of vendor due diligence as part of an overall cybersecurity strategy.   To do that, we are re-posting the 3-minute video we created earlier this year on the risks vendors pose and simple steps to reduce those risks.

According to Verizon’s 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches.  In order for phishing or social engineering attacks to be successful, the attacker needs a target to take the bait.  Your employees often are the targets, aka the fish that bite.  Therefore, in conjunction with the implementation of IT security measures, training your employees is of paramount importance to preventing these types of cybersecurity attacks.  Employers must make employees aware of the risks associated with clicking on a link in a phishing email, downloading an attachment from an unknown sender or responding to requests for credential/login information or other data. 
Continue Reading

In recognition of National Cybersecurity Awareness Month, each Friday this October, we will highlight a different step that organizations can take to increase awareness of potential cyber threats, reduce the risk of a cyber attack or minimize damage from an attack.  All four steps are solutions that all organizations, regardless of size or budget, can implement. Specifically, over the course of the month we will examine information security plans, training, vendor due diligence and data retention and destruction, as tools organizations can use to arm themselves to both prevent and in the event of a cyber attack. 
Continue Reading

The Department of Homeland Security (“DHS”) released its cybersecurity strategy on May 15, 2018.  The 35-page document sets forth a plan for managing cybersecurity risks through public and private sector collaboration.  By 2023, DHS seeks to have “improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit

On May 3, 2018, Governor Malloy announced the release of the State of Connecticut’s Cybersecurity Action Plan, which builds on the State’s Cybersecurity Strategy launched in July 2017.  Developed by Connecticut’s Chief Cybersecurity Risk Officer Arthur House and Chief Information Officer Mark Raymond, the Action Plan applies the seven principles set forth in the Cybersecurity Strategy –  leadership, literacy, preparation, response, recovery, communication, and verification – to individuals, organizations, government agencies, and businesses.
Continue Reading