How many of these didn’t you know about already? Tehillah Niselow reports on five big breaches affecting South Africans:
Don’t recognize some of them? Read the article on FIN24 to start to get caught up.
A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.
MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011 , and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html
SOURCE: HHS
Previous coverage of the incidents referenced in this case can be found on DataBreaches.net here.
Jason Auslander reports:
The District Attorney’s Office on Friday dismissed its case against the owner of a basalt roofing company accused of hacking into a competitor’s computer files and using the information to undercut and sabotage the competitor’s bids.
Gregg Mackey, owner of Red Eagle Roofing, was first charged with a computer crime felony equal to that of second-degree murder, though the charge was significantly downgraded to a far lesser felony a few months later.
On Friday, prosecutor Don Nottingham dismissed the case completely.
Read more on Post Independent.
There are still charges pending against one employee, who has claimed that this was Mackey’s doing. So Mackey has had charges dismissed, but still seems to be dealing with a lot of reputation injury and future reputation/bad press from this matter. Sometimes the idea of not publishing defendants’ names until later in a case makes sense. Certainly anyone googling Mackey will likely come across media coverage of the original charges, and perhaps even updates like this one. But it’s still not the way you want your name to be indexed by Google.
Judy Greenwald reports:
A federal appeals court has overturned a lower court ruling and reinstated putative class action data breach litigation against the National Board of Examiners in Optometry Inc.
The 4th U.S. Circuit Court of Appeals in Richmond, Virginia, said in Tuesday’s ruling in Rhonda L. Hutton et al. v. National Board of Examiners in Optometry Inc. that plaintiffs had sufficiently established they had suffered injuries as a result of an alleged data breach of the Charlotte, North Carolina-based board.
According to the ruling, optometrists across the United States in July 2016 noticed that Chase Amazon Visa credit card accounts had been fraudulently opened in their names. Opening these accounts required the use of an applicant’s correct Social Security number and date of birth.
Facebook discussions led the plaintiffs to conclude the information had come from a data breach at the optometry board, which has never acknowledged it was the target of a data breach.
Read more on Business Insurance.
So the board never acknowledged any breach? Discovery should be interesting…..
Monique Scotti reports:
The personal, confidential information of over 80,000 individual Canadians held by the Canada Revenue Agency may have been accessed without authorization over the last 21 months, according to government documents made public last week.
But while the number of potential privacy breaches may be eye-popping, the CRA is downplaying the seriousness of most of them.
Read more on Global News.