Apr 22, 2018

Sue Dunleavy reports:

The sensitive health data of Australians is subject to a data breach every two days and the organisations and governments that fail to protect it are facing no financial penalties.

As outrage builds over Facebook’s failure to protect privacy, a News Corp investigation has uncovered health data that shows if Australians have a sexually transmitted disease, mental illness, HIV or an abortion, even whether they’ve used a prostitute, is not properly protected.

A new mandatory notification scheme that requires businesses to report to the Office of the Australian Information Commissioner when there is a data breach shows in the first 37 days of the new regime a data breach occurred every two days in the health sector.

Read more on Daily Telegraph.

Apr 19, 2018

Matt Burgess reports:

“Do not pretend that I do not exist, do not ignore me or break the deadlines,” was the message from one unknown hacker to a British company targeted in February 2018. The person stole a “very large quantity of data”.

Both the hacker and the hacked company are the subject of a High Court injunction. The legal ruling from Judge Matthew Nicklin has been taken out to stop the company being named and prohibits hacked data from being stolen.

The case gives an insight into one hacker’s demands to a company and how it responded. It is the latest in a number of injunctions being taken out by companies that are looking to protect information that has been stolen from their servers.

Read more on Wired (UK).

OK, I don’t see how this is going to stop the hackers from dumping data if they don’t get paid. Maybe some web hosts will honor/comply with an injunction and remove data, but there are just too many ways/places to dump data for this to really make a serious dent in the problem. And what would stop a U.S. journalist from reporting on the breach, naming the company, and discussing any stolen data???

Apr 18, 2018

David Kitchen writes:

If you work at a typical company, employee actions and inadvertent disclosures present the greatest threat to the security of your data. Therefore, providing proper training and technical safeguards is one of the most important means to enhance your company’s security profile.

In BakerHostetler’s newly-released 2018 Data Security Incident Response Report, we assisted our clients with over 560 incidents, more than a third of which stemmed from phishing incidents in which an employee was tricked by an email message into providing access credentials to an unauthorized party, visiting a phony website, downloading an infected document or clicking on a link that installed malware. Other sizeable incident types also involved employee errors: 17 percent of incidents were inadvertent disclosures and 11 percent were due to stolen or lost devices.

Because people are fallible, training is not enough. Technological safety nets are needed.

Read more on BakerHostetler Data Privacy Monitor.

Apr 18, 2018

Elliot Golding and Jennifer Tharp of Squire Patton Boggs write:

Overview of Recent Settlement Actions

Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorneys general have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. Although states also have authority to bring civil actions under state Unfair and Deceptive Acts and Practices (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices. This increased enforcement trend provides yet another reason that health care entities subject to HIPAA need to ensure they have taken steps to ensure HIPAA compliance.

Read more on The National Law Review.

Apr 17, 2018

The FastHealth breach is confusing the heck out of patients and employees. I’m getting inquiries from folks who are understandably suspicious because they never heard of the firm or can’t figure out how their details got caught up in this all. Others see news reports and realize that an entity has no connection to them, so they can’t figure out what’s going on at all. And yet others see numbers on HHS’s breach tool and have no idea whether that number represents one entity’s patients or more than one entity or all…. (Hint: I’ll bet you a pot of coffee that it’s definitely not all or even most).

Case in point from today’s news from Michigan:

Community members may have received a letter from FastHealth Interactive Healthcare notifying them of a security incident. War Memorial Hospital has received inquiries from staff and community members regarding the legitimacy of the letter. FastHealth provides website programming and hosting for hundreds of hospitals and other healthcare organizations. FastHealth provided these services for WMH from January 2009 through August of 2013.

FastHealth cannot notify patients or employees unless the entity with whom they have a contract has that as part of their contract. Would it likely be infinitely less confusing to patients and employees if the covered entities themselves notified their current and former patients and/or employees? I have no doubt it would. But there’s nothing that requires that by law.

Do we need to change the regulations so that a business associate or third party must disclose the names of all of their covered entities that are impacted by a breach? I can imagine there would be a lot of resistance to that idea, but if the purpose of notification is to help mitigate harm from breaches, then wouldn’t a less confusing approach be in order?