For many years, the plaintiffs’ bar has been very active in bringing class action litigation against public companies immediately after the announcement of adverse news concerning a company, which often triggers a decline in the company’s stock price. Since at least the Yahoo data breach in 2013 (which led to a settled SEC enforcement action and a recently settled class action lawsuit), plaintiffs’ lawyers have been increasingly drawn to using data breach problems to allege misconduct or fraud by corporate officials charged with keeping the securities markets apprised of all material information about a public company. Continue Reading Federal Court Dismisses Federal Securities Class Action Based on Data Breach
A Colorado hospital reached a $111,400 settlement with the Office for Civil Rights (“OCR”) for failing to terminate a former employee’s access to electronic protected health information. OCR’s investigation uncovered that the hospital impermissibly disclosed electronic protected health information of over 500 individuals to the former employee because it failed to terminate that employee’s access. Additionally, OCR found that the hospital impermissibly disclosed information to Google Calendar without a business associate agreement. There are two main takeaways here. Continue Reading Another HIPAA Breach, Another 6-Figure HIPAA Settlement
In the age of the data breach, lawyers and law firms have a lot in common with comic book superheroes: they are locked in a relentless battle against a cunning, ever-changing threat. This past week, Foley & Lardner experienced a “cyber event,” adding its name to the list of cyber attack victims which, according to Bloomberg Law, includes DLA Piper, Cravath, Swaine & Moore, Weil, Gotshal & Manges, over one third of small and medium-sized firms, and just under one quarter of large firms. Because of this growing and serious threat to the legal profession, the ABA published Formal Opinion 483 to direct attorneys and law firms on how they should handle data breaches before, during, and after an event. In short, lawyers are not expected to be as bulletproof as Superman, but they must take proactive steps to protect sensitive client data and they must disclose material data breaches. Continue Reading The ABA Says Lawyers Have Obligations Before and After a Data Breach
More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date. Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach. Continue Reading Anthem Agrees to Pay Largest HIPAA Settlement at $16M for Massive Breach
According to Verizon’s 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches. In order for phishing or social engineering attacks to be successful, the attacker needs a target to take the bait. Your employees often are the targets, aka the fish that bite. Therefore, in conjunction with the implementation of IT security measures, training your employees is of paramount importance to preventing these types of cybersecurity attacks. Employers must make employees aware of the risks associated with clicking on a link in a phishing email, downloading an attachment from an unknown sender or responding to requests for credential/login information or other data. Continue Reading The Importance of Training
The California Attorney General’s office reported today that Uber will pay $148 million to resolve claims related to a 2016 data breach that Uber concealed. In addition to failing to report the breach, Uber paid the hackers $100,000 as part of the cover-up. The breach involved the information of 57 million customers and drivers. According to reports, the $148 million will be shared with other states participating in the nationwide investigation. This 2016 breach and a 2014 breach involving a failure to employ reasonable security practices already caught the attention of the Federal Trade Commission (FTC). Uber agreed to resolve those claims earlier this year. Also related to the 2014 breach, Uber caught a break when a judge tossed a class action suit for lack of standing in May.
On September 18, 2018, Connecticut’s governor released an annual report on the cybersecurity sophistication and readiness of the state’s electric, natural gas and major water companies. The four participating utility companies were Aquarion, Avangrid, Connecticut Water and Eversource. Continue Reading Report on Cyber Readiness of Connecticut Utility Companies
The much-anticipated Ponemon Institute 2018 Cost of Data Breach Study: Global Overview is out and, not surprisingly, the cost of a data breach continues to rise. In this country, the cost is up $8 per record, going from $225 per record last year to $233 per record this year. A more alarming jump, however, is the cost of a data breach in the health care sector, which is up to $408 per record from $340 just one year ago. In terms of controlling costs, the study provides solid evidence that swift response and incident response planning save money. Continue Reading Data Breach Costs Up; Planning and Swift Response Save Money
HIPAA has teeth. On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA. In doing so, the ALJ granted the Office for Civil Rights (OCR) summary judgment, requiring the hospital to fork over the $4,348,000 in civil monetary penalties imposed by OCR. Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital
Malware-infected servers of a Baltimore hospital system, LifeBridge, may have affected more than half a million patient records. LifeBridge reports in a statement on its website that it discovered malware on the servers that host electronic medical records as well as patient registration and billing systems. The provider’s investigation determined that an unauthorized person accessed the server of its physician practice over a year and a half ago on September 27, 2016. Accessed information may include patients’ names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and social security numbers. LifeBridge sent letters to potentially affected patients and is offering one year of credit monitoring to individuals whose social security numbers may have been accessed.
While it appears that LifeBridge reported the breach to the state AG, as of the date of this post, this breach is not listed on OCR’s list of breaches affecting 500 or more patients (lovingly referred to as the OCR “Wall of Shame”).