A Colorado Hospital reached an $111,400 settlement with the Office for Civil Rights (“OCR”) for failing to terminate a former employee’s access to electronic protected health information.  OCR’s investigation uncovered that the hospital impermissibly disclosed electronic protected health information of over 500 individuals to the former employee because it failed to terminate that employee’s access.  Additionally, OCR found that the hospital impermissibly disclosed information to Google Calendar, without a business associate agreement.  There are two main takeaways here. Continue Reading Another HIPAA Breach, Another 6-Figure HIPAA Settlement

In the age of the data breach, lawyers and law firms have a lot in common with comic book superheroes: they are locked in a relentless battle against a cunning, ever-changing threat. This past week, Foley & Lardner experienced a “cyber event,” adding its name to the list of cyber attack victims which, according to Bloomberg Law, includes DLA Piper, Cravath, Swaine & Moore, Weil, Gotshal & Manges, over one third of small and medium-sized firms, and just under one quarter of large firms. Because of this growing and serious threat to the legal profession, the ABA published Formal Opinion 483 to direct attorneys and law firms on how they should handle data breaches before, during, and after an event. In short, lawyers are not expected to be as bulletproof as Superman, but they must take proactive steps to protect sensitive client data and they must disclose material data breaches. Continue Reading The ABA Says Lawyers Have Obligations Before and After a Data Breach

In the first installation of our weekly series during National Cybersecurity Awareness Month, we examine information security plans (ISP) as part of an overall cybersecurity strategy.  Regardless of the size or function of an organization, having an ISP is a critical planning and risk management tool and, depending on the business, it may be required by law.  An ISP details the categories of data collected, the ways that data is processed or used, and the measures in place to protect it.  An ISP should address different categories of data maintained by the organization, including employee data and customer data as well as sensitive business information like trade secrets. Continue Reading The Importance of Information Security Plans

The California Attorney General’s office reported today that Uber will pay $148 million to resolve claims related to a 2016 data breach that Uber concealed.  In addition to failing to report the breach, Uber paid the hackers $100,000 as part of the cover-up.  The breach involved the information of 57 million customers and drivers.  According to reports, the $148 million will be shared with other states participating in the nationwide investigation.  This 2016 breach and a 2014 breach involving a failure to employ reasonable security practices already caught the attention of the Federal Trade Commission (FTC).  Uber agreed to resolve those claims earlier this year.  Also related to the 2014 breach, Uber caught a break when a judge tossed a class action suit for lack of standing in May.

On September 23, 2018, California’s governor signed into law the first round of revisions to the California Consumer Privacy Act (CCPA), the most sweeping privacy legislation in this country.  California enacted the CCPA in June and it takes effect on January 1, 2020.  Inspired by the European Union’s General Data Protection Regulation, the California legislature initially drafted the CCPA in haste to avoid a ballot initiative containing more onerous provisions for businesses.  Not surprisingly, the hurried and voluminous legislation contained a number of issues that ranged from drafting errors to significant enforcement and compliance hurdles.  Accordingly, as expected, at the end of August, the legislature passed S.B. 1121, which contained several revisions to address some but not all of those issues, including a possible enforcement delay of up to six months. Continue Reading California Governor Approves Revisions to Consumer Privacy Act

On September 18, 2018, Connecticut’s governor released an annual report on the cybersecurity sophistication and readiness of the state’s electric, natural gas and major water companies.  The four participating utility companies were Aquarion, Avangrid, Connecticut Water and Eversource. Continue Reading Report on Cyber Readiness of Connecticut Utility Companies

The much-anticipated Ponemon Institute 2018 Cost of Data Breach Study: Global Overview is out and, not surprisingly, the cost of a data breach continues to rise.  In this country, the cost is up $8 per record, going from $225 per record last year to $233 per record this year.  A more alarming jump, however, is the cost of a data breach in the health care sector, which is up to $408 per record from $340 just one year ago.  In terms of controlling costs, the study provides solid evidence that swift response and incident response planning save money. Continue Reading Data Breach Costs Up; Planning and Swift Response Save Money

You could almost hear the cheers of plaintiffs’ class action lawyers in California last night, as California’s governor signed the most sweeping privacy law this country has seen to date.  Notably, the law gives consumers the right to statutory damages in the event of a breach if the company holding the consumer’s information failed to implement reasonable security measures.  Those statutory damages are not less than $100 and not more than $750 “per consumer per incident or actual damages, whichever is greater.” Continue Reading California Gets Its Very Own GDPR with Statutory Damages

HIPAA has teeth.  On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA.  In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR.  Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital

Malware-infected servers of a Baltimore hospital system, LifeBridge, may have affected more than half a million patient records. LifeBridge reports in a statement on its website that it discovered malware on the servers that host electronic medical records as well as patient registration and billing systems.  The provider’s investigation determined that an unauthorized person accessed the server of its physician practice over a year and a half ago on September 27, 2016.  Accessed information may include patients’ names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and social security numbers.  LifeBridge sent letters to potentially affected patients and is offering one year of credit monitoring to individuals whose social security numbers may have been accessed.

While it appears that LifeBridge reported the breach to the state AG, as of the date of this post, this breach is not listed on OCR’s list of breaches affecting 500 or more patients (lovingly referred to as the OCR “Wall of Shame”).