Yahoo agreed to pay shareholders $80 million to settle a federal securities class action suit, as detailed in the parties’ March 2, 2018 proposed settlement agreement filed with the court. In that suit, the shareholders claimed that Yahoo failed to disclose a number of data breaches affecting more than 3 billion users, which caused Yahoo’s

On Monday, February 5, 2018, the Massachusetts Attorney General’s Office (AGO) sent an e-mail blast regarding their new online form for businesses needing to report breaches under Chapter 93H of the Massachusetts General Laws. As of February 1, 2018, the AGO has a new online form that businesses may use for reporting such breaches in

Yesterday, OCR announced its $3.5 million settlement with Fresenius Medical Care Holdings (“Fresenius”) to resolve alleged HIPAA violations.  While the large settlement figure alone is eye-catching, the underlying facts require the complete attention of HIPAA covered entities.  OCR is sending a message about HIPAA Security Rule compliance.

Five Fresenius entities in five different states suffered five completely separate but relatively common breaches.  Each breach involved stolen or missing equipment.  No one breach involved records of more than 500 patients.  In fact, combined, the total number of patients impacted was 521.  As a reminder, the $5.5 million settlement this time last year with Memorial Health Care System involved the records of 115,143 individuals.
Continue Reading $3.5 M OCR Settlement for Five Breaches Affecting Fewer Than 500 Patients Each

In August, the United States Court of Appeals for the DC Circuit revived a class action lawsuit, holding that the threat of harm from a data breach is enough to satisfy the “injury in fact” standing requirement. Attias v. Carefirst, Inc., 865 F.3d 620 (DC Cir. 2017). The defendant, a group of health care insurers, filed a Petition for Writ of Certiorari to the United States Supreme Court on October 30 of last year. While the Supreme Court is deciding whether to grant the pending Petition, it is worthwhile to briefly review the standing question in the context of protecting your business from liability.
Continue Reading Can’t This Just Be Over? Standing In Cybersecurity Claims

Based on the decision in a recent Connecticut Supreme Court case, patients may now sue physicians for breaching confidentiality. Previously, Connecticut did not recognize breach of confidentiality as a cause of action. The unauthorized disclosure at the heart of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. involved a provider’s response to a subpoena. Subpoena compliance has long been an area of confusion for providers. After Byrne, not only must providers pay special attention when responding to subpoenas but now they must also worry about broader breach of confidentiality claims by patients.
Continue Reading Connecticut Recognizes New Cause of Action for Breach of Patient/Physician Confidentiality

After a data breach at VTech revealed practices that allegedly violated the FTC Act and the Children’s Online Privacy Protection Act (COPPA), VTech settled for $650,000 and agreed to implement a comprehensive data security program subject to audit for the next 20 years.  VTech makes children’s electronic learning products.  The FTC complaint alleged that VTech’s

W-2 phishing season is just a few weeks away.  For the past several tax seasons, cyber criminals have duped hundreds of payroll departments into providing W-2 information on their employees, which results in the filing of fraudulent tax returns and other identity theft issues.  These attacks are incredibly disruptive to employees, extremely expensive for employers and are completely avoidable with some training. 
Continue Reading ‘Tis the Season: W-2 Phishing Scams Likely to Resurface After the New Year

At the end of last week, three U.S. Democratic Senators, including Connecticut’s Richard Blumenthal, proposed the 44-page Data Security and Breach Notification Act (“Proposed Act”).  The Proposed Act would preempt the laws of the 48 states that currently have data breach notification laws and the Federal Trade Commission (“FTC”) would have enforcement authority.  State Attorneys General would be permitted to pursue violations of the Proposed Act as civil actions in federal court if the FTC has not already initiated an action. The Proposed Act also provides for sizable civil penalties up to $5 million and criminal penalties including imprisonment for up to 5 years for willful failure to notify those impacted.  
Continue Reading National Data Breach Notification Law Proposed

According to Reuters, late on Friday, the Department of Homeland Security (“DHS”) and the FBI issued a warning in a report, sent to firms at risk of an attack, that critical infrastructure industries may have been targeted in cyber-attacks as far back as May. The identified industries include nuclear, energy, aviation, water, critical manufacturing industries and government entities. The report indicates that hackers successfully compromised data at some of these targets. Further, the government believes that the attacks are ongoing.
Continue Reading Feds Warn of Critical Infrastructure Attacks as CT Releases Report on Utility Company Cyber-Readiness