OCR Settlement a Message to Providers: Every Day Counts to Notify Affected Persons After a HIPAA Data Breach

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements typically concern a covered entity’s failure to properly secure protected health information; this marks the first settlement involving a provider’s failure to report a data breach in a timely manner.

Under the HIPAA Breach Notification Rules, covered entities must provide notification of a breach without unreasonable delay and in no case later than 60 days following the discovery of a breach to affected individuals, and, in breaches affecting more than 500 individuals, to OCR and the media.

Presence Health is a not-for-profit health system serving 150 locations in Illinois. Presence Health first discovered that some paper copies of its surgery schedules at one location were missing on October 22, 2013, and these documents contained the protected health information of 836 individuals. The information consisted of the Continue reading

LabMD Appeals; Court Grants Temporary Stay

lab_specimensIn a recent blog post entitled “FTC Issues Final Order and Data Security Lessons in LabMD Case,” we discussed the Federal Trade Commission (“FTC”)’s Final Order in the LabMD case.  The FTC found that LabMD failed to provide reasonable and appropriate security for its customers’ personal information and that this failure caused (or was likely to cause) substantial consumer harm constituting an unfair act in violation of the law.  It  ordered LabMD to implement a number of compliance measures, including creating a comprehensive information security program, undergoing professional routine assessments of that program, providing notice to any possible affected individual and health insurance company, and setting up a toll-free hotline for any affected individual to call.  Although LabMD has closed its doors and has limited resources to comply with the FTC’s Final Order, it appealed the Final Order to the U.S. Court of Appeals for the Eleventh Circuit.  At the same time, it sought a stay from the FTC, which would halt these compliance measures pending the court’s review. The FTC denied the stay, so LabMD then asked the Eleventh Circuit to grant the stay.

On November 10, 2016, the Eleventh Circuit granted LabMD’s motion to stay enforcement of the Final Order pending appeal.  A copy of the court’s Order granting the stay is available here.  When issuing the stay, the court found that there existed a serious legal question as to Continue reading

FTC issues Final Order and data security lessons in LabMD case

After HoursOn July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ).  The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act.  It issued an Opinion and Final Order requiring LabMD to “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

This fight began in 2013 when the FTC first filed a Complaint contending that LabMD failed to reasonably protect data maintained on its computer network.  Two alleged security incidents form the basis of the Complaint.  In the first incident, Tiversa, trying to solicit LabMD’s business, discovered that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network and informed LabMD.  In the second incident, dozens of day sheets and a small number of Continue reading

Corporate Counsel magazine quotes Wyatt attorneys on changes to Tennessee data breach law

Kathie McDonald-McClure and Matt San Roman, members of Wyatt’s Data Privacy & Security Service Team, were recently interviewed for Corporate Counsel magazine.  The article, “Tennessee Enacted the Toughest Data Breach Law Yet,” addresses the new amendment to the Tennessee Identity Theft Deterrence Act of 1999.   The amendment, among other changes, may eliminate the “encryption safe harbor” rule (pending a legislative fix to other language that may keep it in).  Other states may follow suit if cybercriminals demonstrate ways around popular encryption methods.

Please note that the full text of the article is only available to subscribers.  To read our prior blog posts discussing the Tennessee amendment in more detail, click here and here.

Tennessee’s Data Breach Law Drawing National Attention

flash driveBy Kathie McDonald-McClure

We recently posted an article about Tennessee’s amendment to its data breach notification law.  This amendment has drawn much attention among cyber security professionals and corporate general counsel across the country.  As Jennifer Williams-Alvarez reported in her article for Corporate Counsel magazine, cyber security was a plenary session topic at the 2016 Association of Corporate Counsel (ACC) Mid-Year Meeting in New York City this week.  See “At ACC Event, Experts Say Data Breaches Are Inevitable. So Now What?”, Corporate Counsel (April 14, 2016)(Read more: here).  In fact, an ACC Foundation report on the “State of Cybersecurity”, released in December 2015, said one-third of in-house counsel reported that their companies experienced a data breach and more than one-half reported increased spending in cybersecurity.

Matt San Roman and I spoke with Ms. Williams-Alvarez this morning.  She is working on a follow-up article regarding the amendments (HB2005 and SA0618) to the Tennessee data breach law.  When the article is published, we will provide a link here for those of you who are not currently Corporate Counsel subscribers.  Stay tuned . . .