CMS recently sent a proposed request for information (RFI) to the Federal Office of Management and Budget (OMB) for review. The RFI would seek feedback on whether provisions of HIPAA present barriers or otherwise discourage coordination of care among providers, payors and patients. The RFI also seeks feedback on whether HIPAA “impede[s] the transformation to value-based health care without providing commensurate privacy or security protections. . . .” Importantly, the RFI seems to acknowledge some of the most burdensome requirements under HIPAA by requesting feedback on provisions regarding accountings of disclosures and written acknowledgement of receipt of a notice of privacy practices. The RFI also asks for comments regarding good faith disclosures. Hopefully, this is a signal that there may be some common sense changes to HIPAA that reduce burdens on covered entities without jeopardizing patients’ privacy. Stay tuned…
In the age of the data breach, lawyers and law firms have a lot in common with comic book superheroes: they are locked in a relentless battle against a cunning, ever-changing threat. This past week, Foley & Lardner experienced a “cyber event,” adding its name to the list of cyber attack victims which, according to Bloomberg Law, includes DLA Piper, Cravath, Swaine & Moore, Weil, Gotshal & Manges, over one third of small and medium-sized firms, and just under one quarter of large firms. Because of this growing and serious threat to the legal profession, the ABA published Formal Opinion 483 to direct attorneys and law firms on how they should handle data breaches before, during, and after an event. In short, lawyers are not expected to be as bulletproof as Superman, but they must take proactive steps to protect sensitive client data and they must disclose material data breaches.
We’re all guilty of it. We keep things that we don’t need, like that pair of stone-washed jeans from 1992 that you hope will come back into style or your beanie baby collection that you blindly believe might be worth something someday. While our inability to purge old stuff from our closets may cost us closet space, the repercussions for an organization that hoards data are far more significant. From a cybersecurity perspective, the more personal information a company maintains, the more information it has to lose. Consequently, the more information a company loses, the higher the financial and reputational costs.
In this third installment of our weekly series during National Cybersecurity Awareness Month, we examine the importance of vendor due diligence as part of an overall cybersecurity strategy. To do that, we are re-posting the 3-minute video we created earlier this year on the risks vendors pose and simple steps to reduce those risks.
More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date. Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach.
According to Verizon’s 2018 Data Breach Investigations Report, phishing or other forms of social engineering cause 93% of all data breaches. In order for phishing or social engineering attacks to be successful, the attacker needs a target to take the bait. Your employees often are the targets, aka the fish that bite. Therefore, in conjunction with the implementation of IT security measures, training your employees is of paramount importance to preventing these types of cybersecurity attacks. Employers must make employees aware of the risks associated with clicking on a link in a phishing email, downloading an attachment from an unknown sender or responding to requests for credential/login information or other data.
In the first installment of our weekly series during National Cybersecurity Awareness Month, we examine information security plans (ISP) as part of an overall cybersecurity strategy. Regardless of the size or function of an organization, having an ISP is a critical planning and risk management tool and, depending on the business, it may be required by law. An ISP details the categories of data collected, the ways that data is processed or used, and the measures in place to protect it. An ISP should address different categories of data maintained by the organization, including employee data and customer data as well as sensitive business information like trade secrets.
In recognition of National Cybersecurity Awareness Month, each Friday this October, we will highlight a different step that organizations can take to increase awareness of potential cyber threats, reduce the risk of a cyber attack or minimize damage from an attack. All four steps are solutions that all organizations, regardless of size or budget, can implement. Specifically, over the course of the month we will examine information security plans, training, vendor due diligence and data retention and destruction as tools organizations can use to arm themselves both to prevent a cyber attack and in the event of one.
Just days before the EU Commission reassesses the EU-US Privacy Shield program in light of the EU Parliament’s recent adequacy criticisms, the Federal Trade Commission (FTC) announced settlements with four companies allegedly falsely claiming participation in the program. One of the issues the EU Parliament cited this summer with the EU-US Privacy Shield program was lack of US oversight and enforcement.
The California Attorney General’s office reported today that Uber will pay $148 million to resolve claims related to a 2016 data breach that Uber concealed. In addition to failing to report the breach, Uber paid the hackers $100,000 as part of the cover-up. The breach involved the information of 57 million customers and drivers. According to reports, the $148 million will be shared with other states participating in the nationwide investigation. This 2016 breach and a 2014 breach involving a failure to employ reasonable security practices already caught the attention of the Federal Trade Commission (FTC). Uber agreed to resolve those claims earlier this year. Also related to the 2014 breach, Uber caught a break when a judge tossed a class action suit for lack of standing in May.