FTC issues Final Order and data security lessons in LabMD case

August 16, 2016August 17, 2016 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement, HIPAA, Privacy & Security data breach, Federal Law Resources, Federal Trade Commission, FTC Act Section 5, LabMD, NIST, P2P file-sharing networks, privacy and security of protected health information

On July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ). The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act. It issued an Opinion and Final Order requiring LabMD to “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

This fight began in 2013 when the FTC first filed a Complaint contending that LabMD failed to reasonably protect data maintained on its computer network. Two alleged security incidents form the basis of the Complaint. In the first incident, Tiversa, trying to solicit LabMD’s business, discovered that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network and informed LabMD. In the second incident, dozens of day sheets and a small number of Continue reading →

Corporate Counsel magazine quotes Wyatt attorneys on changes to Tennessee data breach law

April 20, 2016 WyattLLP Cyber Security and Cyber Crime, Data Privacy & Security, Privacy & Security Corporate Counsel magazine, data breach, data privacy and data security, encryption, Tennessee

Kathie McDonald-McClure and Matt San Roman, members of Wyatt’s Data Privacy & Security Service Team, were recently interviewed for Corporate Counsel magazine. The article, “Tennessee Enacted the Toughest Data Breach Law Yet,” addresses the new amendment to the Tennessee Identity Theft Deterrence Act of 1999. The amendment, among other changes, may eliminate the “encryption safe harbor” rule (pending a legislative fix to other language that may keep it in). Other states may follow suit if cybercriminals demonstrate ways around popular encryption methods.

Please note that the full text of the article is only available to subscribers. To read our prior blog posts discussing the Tennessee amendment in more detail, click here and here.

Federal Government Report Summarizes Health Care Privacy Compliance Efforts

July 29, 2014July 31, 2014 Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law breach, compliance report, data breach, OCR, Office for Civil Rights, Privacy & Security, report to Congress, U.S. Department of Health and Human Services

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and

–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”

OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.

Continue reading →

Federal Government Report on Data Breaches in Health Care

July 21, 2014July 22, 2014 Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law data breach, healthcare breach reports, Privacy and security of electronic data, privacy and security of personal health information, U.S. Department of Health & Human Services Office for Civil Rights

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

• “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report), and
• “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both reports (as well as previous annual reports) may be accessed here. This post discusses the Breach Report, and a separate article will be posted later addressing the Compliance Report.

The Breach Report offers valuable insight into OCR’s priorities with respect to healthcare data breaches and gives an excellent summary of many recent settlements. OCR (the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules) has prepared this Breach Report describing the numbers and types of healthcare data breaches occurring for calendar years 2011 and 2012. The Breach Report is compiled from breach reports that HIPAA requires be provided to OCR by covered healthcare providers, health plans, healthcare clearinghouses and their business associates. The raw data upon which these reports is based is available here. OCR also provides some cumulative data on breaches reported since the breach notification law went into effect on September 23, 2009. OCR then slices and dices this data in a variety of different and useful ways, sorting it by: cause, location of affected protected health information (PHI), types of entities involved, number of individuals affected, remediation steps taken, etc. Continue reading →

Puerto Rico Imposes Massive Fine for Insurer’s Data Breach

February 24, 2014March 12, 2014 Erin Brisbay McMahon Federal Law Resources, Health Information Technology Breach Notification, data breach, Health Information Technology, HIPAA breach, privacy and security of protected health information, security of protected health information

The Puerto Rico Health Insurance Administration has fined Triple-S Salud Inc. (TSS) $6.8 million for failure to safeguard Medicare beneficiary numbers. This far exceeds any fine imposed by or settlement reached by the United States Office of Civil Rights to date for HIPAA data breaches. How did the fine reach such a staggering amount? What lessons can be learned? Continue reading →