The Departmental Appeals Board of the Department of Health and Human Services (“Board”) has granted summary judgment against the University of Texas MD Anderson Cancer Center (“Center”) and upheld the imposition of $4.3 million dollars in penalties against the Center for violations of HIPAA’s privacy and security rules.  In this case, the personal medical data of more than 33,000 individuals was exposed through the theft of a laptop and the loss of unencrypted thumb drives.  None of these devices was encrypted, and the laptop was not password protected. Continue Reading Appeals Board Upholds $4.3 Million in HIPAA Penalties Against Hospital

The Commodity Futures Trading Commission (CFTC) has made another foray into data security, announcing today an order settling charges against AMP Global Clearing LLC (AMP) stemming from AMP’s failure to supervise the implementation of its information systems security program. Between June 21, 2016 and April 17, 2017, AMP stored thousands of customer records  in an improperly protected internal network. This fact was discovered after an unknown third-party, with no affiliation to AMP, accessed AMP’s network and copied 97,000 files containing personally identifiable information. The third party then contacted federal authorities, and later AMP.  Although AMP cooperated with the CFTC and worked to fix the issue, the CFTC later brought charges against the company for failing to supervise the implementation of critical provisions of AMP’s information systems security program. Continue Reading CFTC Settles Charges Against AMP Global Clearing for Failing to Supervise Implementation of its Security Program

Lyft recently confirmed that it is investigating whether its employees were accessing its customer database without appropriate authorization to obtain personal information, including rides taken by Facebook CEO Mark Zuckerberg. The investigation was announced less than six months after Uber entered into a Federal Trade Commission (FTC) consent order to resolve allegations of similar behavior by its own employees.

The investigation demonstrates the importance of revisiting internal compliance measures in the wake of legal developments that may be relevant to a particular company or industry. Companies need to maintain comprehensive privacy programs to ensure the confidentiality of the personal information that they collect.  Such programs should include, at a minimum: Continue Reading Lyft Employees Demonstrate Need for Privacy Compliance Management

The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) has announced its first settlement of a HIPAA breach in 2018. The settlement arose from five separate breaches by five different entities owned by Fresenius Medical Care, a large provider of kidney dialysis and other medical services. The breaches involved stolen computers, a stolen USB drive, and a missing hard drive, all occurring within a five-month span in 2012. Continue Reading OCR Announces HIPAA Settlement For Data Security Breaches

With the New Year comes new data breach compliance obligations! Two Mid-Atlantic states have cybersecurity related compliance statutes that have – or will soon – take effect. Are you ready?

New Year’s Day ushered into effect the amended Maryland Personal Information Protection Act, which expands the definition of “personal information,” creates a 45-day deadline for providing notice of a breach, allows for substitute service when the breach enables an individual’s e-mail to be accessed, and increases the class of information subject to Maryland’s destruction of records laws. To the customary litany of data elements comprising “personal information,” Maryland has added personal health and health insurance information, biometric data, online account credentials and passport/government ID numbers. The amended data destruction provision now applies to customer and employee/former employee records containing personal information. See our prior alert detailing the amendments here. Continue Reading New 2018 Data Breach Compliance Obligations Begin Going into Effect

2018 is shaping up to be a potentially momentous year for data privacy, with a number of pending cases whose impact could fundamentally alter the scope of future privacy lawsuits and criminal investigations. This post will take a look at some of these cases and their potential impact.

Carpenter v. United States

We’ll start with Carpenter, which is pending in the U.S. Supreme Court and focuses on whether the Fourth Amendment requires the government to secure a search warrant to obtain a criminal defendant’s cell phone records from his or her cellular service provider. Continue Reading Data Privacy Cases to Watch in 2018

Perhaps we have adjusted our expectations. 2015 sent shockwaves through health plan sponsors and health care providers with massive data breaches, such as the one at Anthem Blue Cross Blue Shield, and the rise of ransomware attacks, such as the one that temporarily shut down the information systems at Hollywood Presbyterian Medical Center. 2016 brought a new government audit program that awakened many covered entities and business associates to the need to review their HIPAA compliance measures and their readiness to respond to an audit request.

The 2017 year did not serve up seismic HIPAA events – it mostly provided a continuation of what we have seen in the past. This may be calming, but still leaves plenty to be concerned about. Continue Reading HIPAA Breaches and Enforcement: An Uneasy Calm