Data Breach

Subscribe to Data Breach

Although the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) may yet announce one or two year-end settlements, it appears that 2019 will be known more for the implementation of changes in HIPAA enforcement policy than for any of the particular matters that OCR resolved.  Last April, OCR announced that

Following on the heels of a few relatively small HIPAA settlements, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced that it has imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for its failure to meet HIPAA privacy and security requirements.  The OCR announcement and accompanying

Last Friday we blogged on the Saks data breach class action, and in the process mentioned a trend among federal courts to reject fear of future identity theft claims in retail breach cases.  As we  explained, because retail breaches rarely involve theft of social security numbers, date of birth, healthcare information or other data that can be used to commit identity theft, courts have typically found that plaintiffs in such cases lack standing to pursue their claims in federal court.
Continue Reading

For years, plaintiffs in data breach class actions have argued that the threshold for Article III standing is low – and increasingly courts are accepting that argument. The Saks data breach class action, pending in the Southern District of New York, is the latest example of a federal court finding that Article III standing exists even where the plaintiff’s asserted injuries are very minimal.
Continue Reading

The Office of Civil Rights of the Department of Health and Human Services (OCR) announced that it has entered into a settlement with a business associate that provides electronic medical records services to health care providers.  The resolution agreement requires Medical Informatics Engineering, Inc. (MIE) to pay $100,000 and adhere to a corrective action plan. 

After a quiet winter, the Department of Health and Human Services’ Office for Civil Rights (OCR) revived with the spring, issuing a set of frequently asked questions and two recent announcements.

The FAQs address the situation where an individual requests a covered entity to disclose protected health information (“PHI”) to an app. The covered entity

As tax season winds on, the W-2 form scam has emerged as one of the most dangerous and common phishing email schemes during this time of year.

W-2s are information-rich documents containing an employee’s name, Social Security number, address, salary, and other personal information. Each year, cyber criminals target these documents in order to sell the sensitive information contained therein and to submit fraudulent tax returns in hopes of defrauding the IRS.
Continue Reading

On February 7, 2019, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services published the resolution agreement for its final HIPAA settlement of 2018.  The resolution agreement cited two breach notifications that OCR received from the parent of several hospitals in California.  In 2013, the provider notified OCR of a breach that occurred when one of its contractors removed electronic security protections from a server.  This breach affected more than 50,000 individuals.  In 2015, the provider submitted notice of a second breach, this one resulting from an employee’s activation of the wrong website, affecting more than 11,000 individuals.
Continue Reading

As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.

Owning the Mega-Breach

2018 was the year in which data breaches in mergers and acquisitions became the iceberg in full view. This fuller realization of cyber risk in transactions, though, actually has its origin in September 2016 – when Yahoo and Marriott were in the midst of deals that would involve some of the largest data breaches on record.
Continue Reading