Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations

 Posted by at 8:12 am  Commentaries and Analyses, Health Data, Of Note, U.S.
Jun 192018
 

A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.

MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011 , and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”

The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html

SOURCE: HHS

Previous coverage of the incidents referenced in this case can be found on DataBreaches.net here

New Charges in Huge C.I.A. Breach Known as Vault 7

 Posted by at 8:47 pm  Government Sector, Of Note, U.S.
Jun 182018
 

There’s a huge update in a significant case noted last month on this blog. Adam Goldman reports:

Federal prosecutors have charged a former software engineer at the center of a huge C.I.A. breach with stealing classified information, theft of government property and lying to the F.B.I.

The engineer, Joshua A. Schulte, 29, of New York, had been the main suspect in one of the worst losses of classified documents in the spy agency’s history.

Read more on the New York Times.

Changes to Louisiana’s Data Breach Notification Law Go Into Effect August 1

 Posted by at 7:59 pm  Breach Laws, Of Note, State/Local, U.S.
Jun 182018
 

Joseph J. Lazzarotti, Jason C. Gavejian, and Maya Atrakchi of Jackson Lewis write that changes to Louisiana’s data breach notification law (Act 382) go into effect on August 1 of this year. Those changes include expansion of the definition of personal information, requirements that notification be made no later than 60 days from discovery of a breach, and requirements for reasonable security and data disposal.

Read more about these changes on The National Law Review.

Andhra Pradesh Tracked You As You Bought Viagra, Then Put Your Name and Phone Number on the Internet for the World to See

 Posted by at 8:45 am  Exposure, Health Data, Non-U.S., Of Note
Jun 182018
 

Gopal Sathe reports:

Bengaluru — If you are the gentleman who bought Suhagra 50, a generic version of Viagra, and some Vomiford anti-nausea drops, on June 13 from a government-run Anna Sanjivini store in Anantpur in Rayalseema, your name, phone number and purchases, were listed on an Andhra Pradesh government website — until HuffPost alerted the authorities.

The link has since been taken down (you’re welcome).

Read more on Huffington Post (IN).

Authorities shut down Dark Web marketplace “Black Hand”

 Posted by at 8:10 am  Non-U.S., Of Note
Jun 182018
 

Carolina reports:

In a joint operation, French police, the National Directorate of Intelligence and Customs Investigations (DNRED) have shut down one of the largest illegal dark web marketplaces “Black Hand” known for selling drugs, weapons, databases, stolen banking data and fake documents.

According to a statement from the Minister of Public Action and Accounts, Mr. Gérald Darmanin on Saturday, authorities also arrested Black Hand’s main administrator and several other people.

Read more on HackRead.  The full press release (in French) is reproduced below.

Does anyone know if this operation was in any way related or had any impact on the arrest of members of Rex Mundi?

304GraldDARMANINf%A
 Older Entries